2025 IL App (1st) 241909-U NOTICE: This order was filed under Supreme Court Rule 23 and is not precedent except in the limited circumstances allowed under Rule 23(e)(1).

FIRST DIVISION July 28, 2025 No. 1-24-1909 ______________________________________________________________________________ IN THE APPELLATE COURT OF ILLINOIS FIRST DISTRICT ______________________________________________________________________________ CERTAIN UNDERWRITERS AT LLOYD’S, LONDON ) Subscribing to Policy No. PSK0139439706, ) ) Plaintiffs/Counterdefendants- ) Appeal from the Appellees, ) Circuit Court of ) Cook County v. ) ) No. 22 CH 7483 GALEY CONSULTING, LLC, BRIAN GALEY, and ) MONROE INFRASTRUCTURE, LLC, ) The Honorable ) Cecelia A. Horan, Defendants ) Judge Presiding. ) (Monroe Infrastructure, LLC, Defendant/Counterplaintiff- ) Appellant). )

PRESIDING JUSTICE FITZGERALD SMITH delivered the judgment of the court.

Justice Cobbs concurred in the judgment.

Justice Pucinski dissented.

ORDER ¶1 Held: Insured’s summary to insurer notifying it of a potential claim stemming from an incident of e-mail hacking and wire fraud was properly considered on the question of whether the policy’s “cyber events” exclusion negated insurer’s duty to defend, even though the underlying complaint did not mention these events.

¶2 The defendant/counter-plaintiff, Monroe Infrastructure, LLC (hereinafter Monroe), appeals No. 1-24-1909 from the trial court’s entry of summary judgment in favor of the plaintiffs/counter-defendants, the Certain Underwriters at Lloyd’s, London Subscribing to Policy No. PSK0139439706 (hereinafter the Underwriters), in which the trial court found that the Underwriters had no duty to defend their insureds, Brian Galey and Galey Consulting, LLC, in an underlying lawsuit that Monroe had filed against Galey Consulting. Monroe’s primary contention on appeal is that the trial court improperly looked to evidence extrinsic to the allegations of the underlying complaint to determine that Monroe’s claim was for losses that arose out of a “cyber event” that was excluded from coverage under the policy. We affirm the judgment of the trial court.

¶3 BACKGROUND ¶4 In 2021, Monroe became engaged in a project to construct roads and other infrastructure improvements within a development in Nashville, Tennessee. Thereafter, Monroe engaged the services of Galey Consulting, which provides professional construction management services to builders, developers, and others. The parties entered into a contract dated February 22, 2021. In summary, Galey Consulting had broad oversight responsibilities under this contract to effectuate decisions made by Monroe in implementing the project. These responsibilities included, inter alia, overseeing and managing all construction activities as well as “pay application management.”

Generally speaking, pay application management included reviewing and approving requests by subcontractors and others to receive payment by Monroe for work done on the project.

¶5 Galey Consulting and its principal Brian Galey are the named insureds under a policy of architects and engineers’ insurance to which the Underwriters subscribe. On March 23, 2022, an agent on the insureds’ behalf gave notice to the Underwriters’ claims manager, CFC Underwriting Limited, that an incident had occurred which had the potential to give rise to a claim under the policy. Included with that notice was a summary of the incident written by Brian Galey.

-2- No. 1-24-1909 ¶6 Galey’s summary explained that around approximately November 2021, his work e-mail account had been hacked. After he ultimately engaged an information technology professional, it was discovered that the hackers had added a mechanism within his e-mail account to divert e-mails that he received from accounts associated with Nashville Electric Service (NES) so that he would not see them. Following Galey’s receipt of a legitimate invoice from NES on November 12, 2021, the hackers sent him an e-mail from a fraudulent account, purporting to be from NES, stating that NES had changed its procedures to require payments through electronic funds transfer only and that checks would no longer be accepted. Galey attempted to verify this fact by sending an e-mail to Josh Pike, who was his contact at NES. A few days later, Galey received a fraudulent e-mail purporting to be from Josh Pike confirming the accuracy of the change by NES to requiring electronic payments.

¶7 Galey’s summary continued that on December 29, 2021, Galey informed Don Allen, who is the owner of Monroe, that it was an appropriate time to for the above invoice to be paid but that NES was now requiring that all payments be made by electronic transfer. Allen thereafter contacted his banker at CIBC to send an electronic payment, but his banker responded that a wire transfer was necessary given the payment’s size. Galey then sent an e-mail to Ron Russell of NES asking for its wire transfer information. A few hours later, Galey received a fraudulent e-mail response purporting to be from Ron Russell containing instructions to wire the funds to an account at Chase Bank. Allen then sent an e-mail telling Galey and the CIBC banker to “verify wire info over phone to avoid fraud please.” Galey responded to Allen by e-mail, stating that he had already confirmed with his contact at NES that “this was a legit request.” Galey’s summary also stated that the CIBC banker had left a voicemail for Ron Russell and followed up with an e-mail asking him to call back and verify the wire information. The summary contains no information that Russell

-3- No. 1-24-1909 ever returned the banker’s call. On January 3, 2022, Galey received a fraudulent email purporting to be from Ron Russell stating that the wire transfer had been received.

¶8 The above-described incident apparently led to $673,384.18 being wire-transferred out of Monroe’s account to a fraudulent account at Chase Bank. That money was never recovered. The fraudulent nature of this transaction was not discovered until March 18, 2022, when Josh Pike contacted Galey to ask about the unpaid invoice. This led to the above investigation by the information technology professional, at which time the incident of e-mail hacking was discovered and CFC Underwriting was informed of the incident.

¶9 On March 28, 2022, a claims adjustor with CFC Underwriting issued an initial coverage determination to Galey, which stated that the policy at issue “does not carry any cyber and privacy cover which would respond to the funds loss.” On April 27, 2022, an agent working on behalf of Galey asked the claims adjustor from CFC Underwriting to have coverage evaluated under the errors and omissions portion of the policy and to provide a formal coverage opinion. On May 3, 2022, a different claims adjustor from CFC Underwriting responded that the errors and omissions policy would not apply unless a claim was made against the insured arising out of an alleged negligent act or breach of contract, and no such claim had been made as of that time.

¶ 10 On June 6, 2022, Don Allen of Monroe sent an e-mail to Brian Galey, demanding that Galey Consulting reimburse Monroe the amount of $673,384.17, plus its incurred costs.

¶ 11 On August 2, 2022, the Underwriters sent a letter denying coverage and filed the present insurance coverage action, naming as defendants Galey Consulting, Brian Galey, and Monroe. The Underwriters’ complaint sought a declaratory judgment that no coverage was available under the policy at issue for the reimbursement demand that Monroe had made against Galey Consulting, due to an exclusion in the policy that precluded coverage for any claim “arising directly or

-4- No. 1-24-1909 indirectly out of any cyber event.” Relevant here and stripped of its excess verbiage, the policy’s definition of “cyber event” includes “any actual or suspected unauthorized access to *** any computer systems *** including a *** hacking attack.” 1 The policy’s definition of “computer systems” means “all electronic computers including operating systems, software, hardware, microcontrollers and all communication and open system networks and any data or websites wheresoever hosted, off-line media libraries and data back-ups and mobile devices including but not limited to smartphones, iPhones, tablets or personal digital assistants.” The Underwriters’ complaint asserted that the summary of events that had been provided by Brian Galey demonstrated that Monroe’s demand for reimbursement arose out of a “cyber event,” that being the unauthorized accessing of Galey Consulting’s e-mail system by a fraudster, who then used Galey Consulting’s impaired e-mail system to intercept and redirect real e-mails from NES and who sent a series of fraudulent e-mails that directed payment of the NES invoice to be made to the fraudster’s account. Because of this, the Underwriters asserted, coverage for the claim by Monroe was excluded under the policy.

Monroe’s argument on appeal does not challenge whether the incident described in Brian Galey’s summary qualifies as a “cyber event” under the policy’s definition. The full definition is as follows: “ ‘Cyber event’ means any actual or suspected: a. unauthorized access to or electronic attack designed to damage, destroy, corrupt, overload, circumvent or otherwise impair the functionality of: i. in respect of INSURING CLAUSE 2, computer systems used directly by you; and ii. in respect of all other INSURING CLAUSES, any computer systems; including a denial of service attack, cyber terrorism, hacking attack, Trojan horse, phishing attack, man-in-the-middle attack, application-layer attack, compromised key attack, malware infection (including spyware or ransomware) or computer virus; or b. privacy breach. ‘Cyber event’ does not mean technology error.”

We add also that this case involves an insuring clause other than “INSURING CLAUSE 2,” which provides coverage for claims that do arise out of “cyber events” under certain terms and conditions.

-5- No. 1-24-1909 ¶ 12 On November 9, 2022, Monroe’s counsel sent a letter to the Underwriters’ counsel asserting that coverage under the policy was available for the negligent acts, errors and omissions of Galey Consulting, which existed in at least two forms. First, as part of its responsibilities for providing “pay application management” services to Monroe, Galey Consulting had acted unreasonably by failing to have in place a protocol and system to ensure that invoices presented were properly paid.

Second, Galey had acted negligently by failing to “utilize telephonic conformation” prior to making electronic payment of the NEC invoice.

¶ 13 On February 22, 2023, Monroe filed a lawsuit against Galey Consulting, seeking to recover “the diverted payment of $673,384.17, that was erroneously and at the instruction of Galey sent to an improper wire account that was not owned or in the control of NES.” Monroe’s complaint does not allege that an e-mail hacking or wire fraud incident played any role in causing the loss it suffered. Instead, its allegations are that, pursuant to the parties’ agreement, Galey Consulting was to provide Monroe with “construction management” and “pay application” services. Construction management services included project phasing, logistical planning, schedule oversight, subcontractor selection oversight, review of materials procurement, quality control oversight, and cost management. Pay application services included reviewing and approving contractor pay applications, forwarding pay applications to Monroe for processing, and providing cost tracking of applications. The complaint alleged that the parties understood that “pay applications” referred to the detailed documents used by subcontractors and others to request payment on the project.

The complaint alleged that the parties’ contract required Galey Consulting to provide its professional services in a “commercially responsible” manner and to serve Monroe’s interests in the performance of its services.

¶ 14 Monroe’s complaint went on to allege that on December 29, 2021, pursuant to instructions

-6- No. 1-24-1909 and information provided to it by Galey Consulting in the performance of the above-described services, Monroe caused $673,384.17 to be wired to an account that Galey Consulting had represented to be that of NES, which had done work for Monroe on the project. It alleged that in March 2022, the parties had discovered that the account information that Galey Consulting had provided to Monroe for the payment of this invoice was not in fact the account of NES and that the money had therefore not reached NES as intended. It alleged that Monroe then had to make a new payment of $673,384.17 to NES, and the first diverted payment had never been recovered.

¶ 15 Monroe’s complaint sought recovery under three theories of liability: professional negligence, errors and omissions; breach of contract; and breach of fiduciary duty. Each theory of liability is premised on the following factual allegations of wrongdoing by Galey Consulting: “a) Improperly and erroneously providing Monroe with the improper bank account information for NES for purposes of making payment to NES; b) Improperly and erroneously instructing Monroe to wire payment to NES to a bank account not owned or in the control of NES; c) Failing to put into place a risk management policy designed to prevent the misdirected payment of invoices to contractors, sub-contractors and other vendors who were owed money for their work on the Project; d) Failing to implement a protocol or management system for the Project that ensured that contractors, sub-contractors and vendors who had performed work on the Project were properly and accurately paid; e) Failing to implement a protocol or management system designed to ensure that payments it approved were being safely and securely made to the proper recipients who had presented invoices approved by Galey;

-7- No. 1-24-1909 f) Failing to implement a protocol or management system that ensured the matching of approved invoices to the payees presented to Monroe for transfer of funds; g) Failing to utilize telephonic confirmation of wire instructions to known individuals at NES before instructing Monroe to transfer funds; h) Failing to exercise commercially reasonable checks on purported instructions received for pay applications and payment of invoices; i) Failing to carefully read and review correspondence detailing purported instructions for pay applications and payment of invoices; j) Improperly and erroneously approving payment of an invoice to an improper and unapproved recipient.”

¶ 16 After Monroe filed its lawsuit against Galey Consulting, the Underwriters filed an amended complaint for declaratory judgment in the present action. The amended complaint includes greater detail than the initial complaint, but its material allegations remain that it was clear from Brian Galey’s initial summary of events that Monroe’s demand for reimbursement and underlying lawsuit arose out of an event of e-mail hacking and wire fraud that constitutes a “cyber event” excluded from coverage under the terms of the policy. It characterized the omission in Monroe’s underlying complaint of any reference to wire fraud as “an improper and transparent attempt to plead into coverage.”

¶ 17 On July 20, 2023, in the underlying litigation between Monroe and Galey Consulting, the trial court granted a motion for entry of a consent judgment pursuant to settlement. By its order, the trial court entered a consent judgment in favor of Monroe and against Galey Consulting in the amount of $725,000. The trial court’s order also included findings that Galey Consulting had agreed to the consent judgment in reasonable anticipation of liability, to settle a disputed claim

-8- No. 1-24-1909 and avoid the possibility of a default judgment being entered against it in a larger amount; that the consent judgment was fair and reasonable; that the decision of Galey Consulting to end this litigation pursuant to a consent judgment was reasonable and conformed to the standard of a prudent uninsured; and that $725,000 was consistent with what a reasonably prudent uninsured in Galey Consulting’s position would settle for, given the facts and merits of the claims in the case.

Finally, the order approved the assignment to Monroe from Galey Consulting of all of its rights against its insurance carriers with respect to the claims at issue, and it limited Monroe to collecting the consent judgment only from those insurers and not from Galey Consulting or its principals.

¶ 18 On July 24, 2023, in the present action, Monroe filed on behalf of itself and as assignee of Galey Consulting and Brian Galey, an answer to the amended complaint and a counterclaim against the Underwriters. In its answer, Monroe denied the material allegations of the amended complaint and denied that the Underwriters were entitled to the declaratory judgment sought.

¶ 19 In its counterclaim, Monroe alleged that the Underwriters had breached the terms of the policy by refusing to defend Galey Consulting in the underlying litigation. It alleged that for the policy’s cyber events exclusion to apply, a loss must “arise” out the cyber event; however, Monroe’s allegations against Galey Consulting in the underlying lawsuit involved various acts of negligence, breaches of contract, and breaches of fiduciary duty that caused Monroe’s loss, and these are outside the limited scope of causation in the policy’s cyber events exclusion. Its counterclaim also sought a declaratory judgment that the policy’s “cyber events” exclusion was ambiguous and unenforceable. It also sought attorney fees and a statutory penalty under section of the Illinois Insurance Code (215 ILCS 5/155 (West 2022)). The Underwriters filed an answer and affirmative defenses to the counterclaim, denying its material allegations.

¶ 20 On October 20, 2023, Monroe filed a motion for summary judgment as to all counts of the

-9- No. 1-24-1909 amended complaint and the counterclaim. On December 7, 2023, the Underwriters filed a combined cross-motion for summary judgment and response to the motion by Monroe. The parties’ arguments largely turned on the effect of the policy’s “cyber events” exclusion on the duty to defend and whether Brian Galey’s summary of events could be considered given that no e-mail hacking or wire fraud incident is referenced in the underlying complaint. Monroe’s motion further raised the argument that the Underwriters’ breach of the duty to defend the insureds meant that they were liable as a matter of law for the amount of the consent judgment in the underlying litigation plus a penalty under section 155 of the Insurance Code (id.). Both motions were fully briefed, and the trial court conducted oral argument on June 13, 2024.

¶ 21 On September 3, 2024, the trial court entered an order denying Monroe’s motion for summary judgment and granting the Underwriters’ motion for summary judgment. In so doing, the trial court found that the Underwriters had no duty to defend either Galey Consulting or Brian Galey in relation to the underlying lawsuit filed by Monroe. It further found that the Underwriters did not have a duty to indemnify Monroe with regard to the consent judgment that was entered in the underlying lawsuit. No transcript further articulating the trial court’s reasoning is included in the record on appeal. Monroe thereafter filed a timely notice of appeal.

¶ 22 ANALYSIS ¶ 23 On appeal, Monroe’s primary argument is that the duty-to-defend analysis in this case cannot include consideration of Brian Galey’s summary of events, whereby he explained that an incident had occurred in which his work e-mail had been hacked in a way that caused him to believe that he was acting pursuant to a legitimate instruction from NES when he directed Monroe to authorize a wire transfer of $673,384.17 to a bank account that turned out to be fraudulent. Monroe’s position is that the Underwriters’ duty to defend Galey Consulting and Brian Galey in the underlying

- 10 - No. 1-24-1909 litigation must be determined exclusively by comparing the allegations of the underlying complaint against the terms of the policy at issue. When this correct approach is followed, Monroe contends, the allegations of its underlying complaint against Galey Consulting raised allegations of negligence, breach of contract, and breach of fiduciary duty that triggered coverage under the policy’s errors and omissions coverage. Monroe contends that, because its underlying complaint contains no factual allegations along the lines of the information contained in Brian Galey’s summary, that summary is extrinsic evidence that cannot be considered on the question of whether the policy’s exclusion for “cyber events” negates the duty to defend.

¶ 24 Where a trial court has granted summary judgment in favor of an insurer based upon the determination that it owes no duty to defend its insured in underlying litigation, this presents a question of law that we review de novo. Pekin Insurance Co. v. McKeown Classic Homes, Inc., 2020 IL App (2d) 190631, ¶ 15. Summary judgment is properly granted where the pleadings, depositions, and admissions on file, together with any affidavits, show that there is no genuine issue as to any material fact and that the moving party is entitled to a judgment as a matter of law.

735 ILCS 5/2-1005(c) (West 2024). The filing of cross-motions for summary judgment indicates the parties’ agreement that only questions of law are presented, which the court can decide based upon the record. Pielet v. Pielet, 2012 IL 112064, ¶ 28.

¶ 25 “In a declaratory judgment action such as that presented here, where the issue is whether the insurer has a duty to defend, a court ordinarily looks first to the allegations in the underlying complaint and compares those allegations to the relevant portions of the insurance policy.” Pekin Insurance Co. v. Wilson, 237 Ill. 2d 446, 455 (2010). “If the facts alleged in the underlying complaint fall within, or potentially within, the policy’s coverage, the insurer’s duty to defend arises.” Id. This is true even if the allegations are groundless, false, or fraudulent, and even if only

- 11 - No. 1-24-1909 one of multiple theories of recovery alleged in the complaint falls within the potential coverage of the policy. Valley Forge Insurance Co. v. Swiderski Electronics, Inc., 223 Ill. 2d 352, 363 (2006).

Thus, an insurer may not justifiably refuse to defend a lawsuit against its insured unless it is clear from the face of the underlying complaint that the allegations set forth in it fail to state facts that bring the case within, or potentially within, the coverage of the policy. Id. ¶ 26 While the statements above constitute the general rule, circumstances exist in which courts may appropriately look beyond the allegations of an underlying complaint when determining whether an insurer has a duty to defend. See Wilson, 237 Ill. 2d at 459-62; Pekin Insurance Co. v. St. Paul Lutheran Church, 2016 IL App (4th) 150966, ¶ 64. An insurer in a declaratory judgment proceeding may challenge the existence of a duty to defend “ ‘by offering evidence to prove that the insured’s actions fell within the limitations of one of the policy’s exclusions,’ ” provided that the evidence offered for this purpose is not evidence that “ ‘tends to determine an issue crucial to the determination of the underlying lawsuit.’ ” Wilson, 237 Ill. 2d at 461-62 (quoting Fidelity & Casualty Co. of New York v. Envirodyne Engineers, Inc., 122 Ill. App. 3d 301, 304-05 (1983)); accord Bartkowiak v. Underwriters at Lloyd’s, London, 2015 IL App (1st) 133549, ¶¶ 20-21 (“provided that the trial court is not, in effect, adjudicating a critical issue in the underlying case, there is no reason why the trial court could not consider relevant, objective, undisputed facts in deciding the duty to defend, even if those facts fall outside the pleadings of the underlying lawsuit”); St. Paul Lutheran Church, 2016 IL App (4th) 150966, ¶ 64.

¶ 27 In its brief, Monroe acknowledges the principles above. However, Monroe points out that the exception is typically invoked by an insured to show that a duty to defend is created through extraneous facts that are known to an insurer but unpled in the underlying complaint. Monroe argues that this court has never recognized that an insurer can use extrinsic evidence provided by

- 12 - No. 1-24-1909 its insured to deny the duty to defend otherwise triggered by an underlying complaint.

¶ 28 Although neither party draws our attention to a case directly on point to this one, we believe that Monroe reads the cases far too narrowly when it argues that this exception works only to the benefit of an insured. See, e.g., Bartkowiak, 2015 IL App (1st) 133549, ¶ 22 (in finding no duty to defend, trial court properly considered whether insured had primary automobile liability coverage from a different insurer, even though nothing about insurance was pled in the underlying complaint for wrongful death); Millers Mutual Insurance Ass’n of Illinois v. Ainsworth Seed Co., 194 Ill. App. 3d 888, 893 (1989) (in finding no duty to defend in product liability case, appellate court approved insurer’s reliance upon statements insured had made in an affidavit that demonstrated policy’s completed-operations hazard exclusion applied and barred coverage).

¶ 29 In the seminal case of Envirodyne Engineers, the insured was an engineering firm that had been sued for injuries sustained by a construction worker on a project for which it served as the consulting engineer. Envirodyne Engineers, 122 Ill. App. 3d at 302. Its insurer argued that no duty to defend existed due to an exclusion in the policy for bodily injury arising out of the provision of professional engineering services. Id. at 302-03. In support of its argument that all work that the insured had performed on the project came within the scope of that exclusion, the insurer offered evidence of the contract between the insured and its client and the deposition testimony of the insured’s assistant vice president that he was unaware of any functions performed by the insured at the job site other than those that were architectural or engineering in nature. Id. at 303-04. On appeal, the appellate court held that the trial court had properly considered this evidence tending to show that all the insured’s actions on the job site constituted professional engineering services in determining that the exclusion applied and negated any duty to defend. Id. at 307-08.

¶ 30 In this case we hold that, consistent with Envirodyne Engineers and the other authority cited

- 13 - No. 1-24-1909 above, Brian Galey’s summary describing the incident of e-mail hacking and wire fraud was appropriate for consideration on the question of the Underwriters’ duty to defend. Preliminarily, we accept the premise that, if only the allegations of the underlying complaint are considered without also looking to Galey’s summary, its allegations would bring the case within the policy’s grant of professional errors and omissions coverage. As set forth in the background above, the underlying complaint pleads various acts and omissions by Galey Consulting amounting to negligence, breach of contract, and breach of fiduciary duty. But it is equally clear from the underlying complaint that Monroe’s alleged loss stems entirely from the events of December 29, 2021, when $673,384.17 was wired from its bank account to an account that Galey had represented as belonging to NES when this was not in fact the case.

¶ 31 As stated, nothing in the underlying complaint alleges that the hacking of Galey’s e-mail account or wire fraud played any role in causing Monroe’s losses. However, we also find nothing in the summary judgment record that tends to raise any factual dispute as to whether the loss at issue originated from an incident of e-mail hacking and wire fraud. We do not believe in this instance that the absence of such allegations from the underlying complaint requires the courts to “ ‘wear judicial blinders’ ” to the role that an e-mail hacking incident played in causing this loss when determining whether a policy exclusion applies. See Wilson, 237 Ill. 2d at 460 (quoting American Economy Insurance Co. v. Holabird & Root, 382 Ill. App. 3d 1017, 1032 (2008)). We note that the Underwriters’ declaratory judgment action had been filed six months before the time when Monroe filed the underlying complaint. It is thus clear that Monroe’s counsel was well aware by that time of the Underwriters’ position that the cyber events exclusion precluded coverage because the loss arose out of the unauthorized accessing of Galey’s e-mail account by a hacker attempting to commit wire fraud. Accordingly, it would appear that the failure to allege anything

- 14 - No. 1-24-1909 about e-mail hacking or wire fraud in the underlying complaint was an attempt to avoid pleading directly into the policy’s cyber events exclusion.

¶ 32 Furthermore, we reject Monroe’s assertion that the question of whether Galey’s liability to Monroe arose directly or indirectly from an alleged cyber event was a crucial issue of fact in the underlying case. Monroe does not explain this argument in any detail, and we fail to see how the trial court would have adjudicated an issue of fact critical to the underlying litigation by determining that Monroe’s losses originated from an incident in which Galey’s e-mail was hacked by someone intent on committing wire fraud. Based upon our review of the underlying complaint, the critical issues were whether Galey Consulting was negligent or breached a contractual or fiduciary duty by failing to have protocols or systems in place that would have prevented Monroe’s funds from being misdirected to the wrong account (i.e., that would have prevented the wire fraud attempt from succeeding). Nothing in the record suggests to us that the fact that an e-mail hacking or wire fraud incident had occurred was itself an issue of dispute in the underlying case. Also, the fact that the underlying litigation was no longer pending by the time of the trial court’s entry of summary judgment in this case is an additional reason why it was not adjudicating any fact critical to the underlying litigation by determining that an e-mail hacking or wire fraud incident had occurred. See Maryland Casualty Co. v. Peppers, 64 Ill. 2d 187, 197 (1976) (declaratory judgment that requires resolution of fact issue crucial to underlying litigation is “premature” prior to resolution of underlying case); St. Paul Lutheran Church, 2016 IL App (4th) 150966, ¶ 64 (same).

¶ 33 We also reject Monroe’s reliance upon Clemmons v. Travelers Insurance Co., 88 Ill. 2d 469 (1981), which it cites for the proposition that an insurer may not rely on unsworn statements made by an insured in determining the duty to defend. We find Clemmons distinguishable from the present case. There, a plaintiff who had been injured in an automobile collision obtained a default

- 15 - No. 1-24-1909 judgment against the underlying defendant and thereafter sued Travelers to collect it on the basis that Travelers’ refusal to defend had been wrongful. Id. at 473-74. Travelers’ position was that it had owed no defense because the underlying defendant was driving without permission of his employer, who was the named insured. Id. Relevant here, Travelers relied in part upon an unsworn accident report in which the defendant driver had stated that he did not have permission to drive his employer’s car at the time of the collision. Id. at 476. The supreme court held that Travelers was not justified in relying upon that report to deny a defense. Id. It held that as a layman, the defendant driver was likely unaware of how expansively Illinois law viewed the concept of “permission.” Id. It held that the statement in the accident report was not sufficient to dispel the potential for coverage that was raised in the underlying complaint. Id. ¶ 34 In this case, we do not find Brian Galey’s summary detailing the e-mail hacking and wire fraud incident to be analogous to the driver’s statement in Clemmons that he did not have permission to drive the car. First, Galey’s statement is a factual description of the incident at issue.

It does not present problems similar to the concept of “permission” in Clemmons, where the statement essentially involved a layperson drawing a legal conclusion or possibly having an inaccurate understanding of the definition of a legal term of art. Second, we believe it is significant that Clemmons was a case in which Travelers had denied a defense without seeking a declaratory judgment or defending under a reservation of rights, which an insurer is generally unjustified in doing when faced with a complaint that alleges facts potentially within the scope of coverage. See id. at 475; see also Employers Insurance of Wausau v. Ehlco Liquidating Trust, 186 Ill. 2d 127, 150 (1999). In this case, by contrast, the Underwriters followed the proper approach of filing a declaratory judgment to determine its coverage obligations. Our supreme court has recognized that “ ‘if an insurer opts to file a declaratory proceeding, we believe that it may properly challenge the

- 16 - No. 1-24-1909 existence of such a duty [to defend] by offering evidence to prove that the insured’s actions fell within the limitations of one of the policy’s exclusions.’ ” Wilson, 237 Ill. 2d at 461 (quoting Envirodyne Engineers, 122 Ill. App. 3d at 304). For the reasons explained above, we find that consideration of Brian Galey’s summary was appropriate under the principle stated in Wilson, and it was not barred by the holding of Clemmons.

¶ 35 Monroe’s second principal argument is that, even if Brian Galey’s summary is considered, the policy’s cyber events exclusion does not preclude coverage for losses that have other concurrent causes. Based upon this interpretation, Monroe asserts that the cyber events exclusion does not bar coverage in this case because the allegations of the underlying complaint attribute Monroe’s loss to various acts, errors, omissions, and misrepresentations by Galey that resulted in his failure to properly manage Monroe’s pay application with respect to the project.

¶ 36 This argument calls upon us to interpret the relevant language of the policy’s cyber events exclusion, which provides that the Underwriters will not make any payment under the policy “arising directly or indirectly out of any cyber event.” Monroe urges us to interpret this language as constituting “a limited ‘causation’ model for determining whether or not the exclusion applies— meaning that, for the exclusion to apply, the loss in question must ‘arise’ out of the defined ‘cyber event.’ ” Monroe contrasts this exclusion’s language with broader causation language used in other standard policy forms, e.g., provisions that exclude certain losses “ ‘regardless of any other cause or event contributing concurrently or in any other sequence thereto.’ ” Monroe argues that the relevant policy language is at least ambiguous as to its exclusion of concurrently caused loss.

¶ 37 When interpreting the language of an insurance policy, the court’s role is to ascertain and give effect to the intentions of the parties as expressed by the words of the policy. Country Mutual Insurance Co. v. Livorsi Marine, Inc., 222 Ill. 2d 303, 311 (2006). To ascertain the intent of the

- 17 - No. 1-24-1909 parties and the meaning of the words used in the policy, the court interprets the policy as a whole, taking into account the type of insurance for which the parties have contracted, the risks undertaken and purchased, the subject matter that is insured, and the purposes of the entire contract. Crum & Forster Managers Corp. v. Resolution Trust Corp., 156 Ill. 2d 384, 391 (1993). If the words used in the policy are clear and unambiguous, they must be given their plain, ordinary, and popular meaning. Central Illinois Light Co. v. Home Insurance Co., 213 Ill. 2d 141, 153 (2004). However, if the language used in the policy is reasonably susceptible to more than one meaning, it will be considered ambiguous and strictly construed against the drafter. Id. A contract term is not ambiguous merely because the parties disagree on its meaning, nor is a term unambiguous where each party insists that the language unambiguously supports its position. Id. at 153-54.

¶ 38 We reject Monroe’s argument that any acts or omissions alleged in the underlying complaint are concurrent causes of its loss, such that its loss cannot be characterized as “arising directly or indirectly out of any cyber event.” Our supreme court has recognized that “[t]he phrase ‘arising out of’ has a set meaning in the law.” Brucker v. Mercola, 227 Ill. 2d 502, 521 (2007). “In any context in which it is used, the phrase has been defined broadly and refers to a causal connection.”

Id. The definition of the phrase is generally recognized to mean “originating from,” “growing out of,” or “flowing from.” Id. at 521-22. This is the recognized definition of the phrase as applied in the insurance context. See Maryland Casualty Co. v. Chicago & North Western Transportation Co., 126 Ill. App. 3d 150, 154 (1984); Holabird & Root, 382 Ill. App. 3d at 1023. We note, however, that the phrase is given a more limited interpretation in favor of the insured when it is used in an exclusion than when used in a grant of coverage. Allstate Insurance Co. v. Smiley, 276 Ill. App. 3d 971, 978 (1995); see United Services Automobile Ass’n v. Dare, 357 Ill. App. 3d 955, 969-70 (2005).

- 18 - No. 1-24-1909 ¶ 39 We find it clear from Brian Galey’s summary of events that Monroe’s loss can only be characterized as “arising directly or indirectly out of” a cyber event, even if other potential causes of the loss can also be identified. The hacking of Galey’s e-mail account and resulting efforts at wire fraud were the originating events that ultimately led to Monroe’s funds being sent to a bank account not owned by NES. These were the events from which all other causes of the loss flowed.

Had they not occurred, Galey would not have received fraudulent bank account information or believed he was acting upon legitimate instructions from NES when he instructed the wire transfer of Monroe’s funds to that account. In other words, none of the other allegedly negligent or wrongful acts by Galey would have resulted in the diversion of Monroe’s funds if the e-mail hacking and wire fraud incident had not occurred. Accordingly, we hold that the cyber events exclusion is applicable under its plain language and negates any duty to defend on the part of the Underwriters in the present case.

¶ 40 Based upon our holding that the Underwriters did not breach the duty to defend, we have no basis to consider Monroe’s final argument that the Underwriters are liable as a matter of law for the amount of the consent judgment or for a statutory penalty under section 155 of the Insurance Code (215 ILCS 5/155 (West 2022)).

¶ 41 CONCLUSION ¶ 42 For the foregoing reasons, the judgment of the trial court is affirmed.

¶ 43 Affirmed.

¶ 44 JUSTICE PUCINSKI, dissenting.

¶ 45 I do not argue with my colleagues’ analysis because it is fine for what it is. My quarrel is with the starting point. Every problem has a beginning, a middle and an end point. My colleagues

- 19 - No. 1-24-1909 have chosen to start with the hack on Galey’s computer as the beginning of this problem, when in fact, it is the middle.

¶ 46 The origin of this problem, at an unknown point in time, was Galey’s failure to implement the necessary protections that any competent and reasonable manager/consultant would have put in place to prevent the hack from getting onto his computer.

¶ 47 That failure was negligent, an error and omission, and a breach of fiduciary duty that created the cascade of trouble.

¶ 48 And, since we cannot know, from this record, if Galey ever contemplated such a protective measure or, if he did, what steps it included, I believe there is a genuine issue of fact that prevents summary judgment from being properly entered in favor of Certain Underwriters.

¶ 49 Galey was hired by Monroe to, among other things, “oversee and manage all construction activities, cost management, pay application management, and provide documentation as required by Metro” and “act in a commercially responsible capacity ***.”

¶ 50 If he had taken reasonable steps to protect his computers and emails from hacking, with the correct software, this hack could have been prevented.

¶ 51 Failure by a sophisticated consultant/manager to do so is unreasonable by any standard.

¶ 52 That failure is compounded by Galey’s reliance on the email chain that he already knew was being questioned by Monroe. His memo relates that on 12/29/21 at “1:04 Don emailed ‘Let’s verify wire info over phone to avoid fraud please. Burke and Brian please talk.’” Then, Galey’s memo states that at “1:07 [he] replied all: ‘Good idea. When the initial request from NES was put thru, I emailed the NES PM to verify that this was a legit request and he confirmed. May check with Chase Bank to confirm though?’”

- 20 - No. 1-24-1909 ¶ 53 No reasonable consultant/business manager, seeing the remarkable request in the email chain to change the method of payment for such a large amount of money, would rely solely on contact from the same email that was suspicious to begin with to confirm itself. Certainly, a simple phone call to a number not associated with the email would have been a very short investment of time and energy to be certain Galey was properly communicating with NES.

¶ 54 I find it shocking that Galey was not alert to mischief and more shocking that he didn’t aggressively work to protect his client’s interest. That is the middle of the problem—a $1,346,768.34 problem for Monroe and NES that started when Galey negligently failed to protect his computers and emails.

¶ 55 The insurance company chose to start at the wrong place. The Chancery court started in the wrong place and my colleagues started at the wrong place.

¶ 56 Unwind this mess and you find a negligent consultant/manager who did not perform according to the terms of his contract with Monroe at some point in time before the hack. This problem did not arise from the hack. It arose before the hack. It arose from Galey’s negligence, error and omission, and breach of fiduciary duty to Monroe. The claim for that misbehavior was made during the policy period.

¶ 57 There is nothing in Galey’s memo of the events to demonstrate if he did or did not take basic precautions. If such precautions were not taken, Certain Underwriters should defend and indemnify Galey. Summary judgment for Certain Underwriters is premature until that question of fact can be determined.

- 21 -