Court Refuses to Slice Up CiCi’s Cyber Extortion Coverage

In the rarely litigated space of cyber insurance, the Northern District of Texas issued a win for cyber policyholders this week, offering a clear reminder to insurers that if they want to restrict coverage, they must draft the policy to clearly do so.

In CiCi Enterprises, LP v. HSB Specialty Insurance Company, the court held that a Ransomware Event Sublimit Endorsement did not cap CiCi’s recovery to $250,000. The court concluded that HSB failed to draft the endorsement with the necessary clarity to limit the coverage as it supposedly intended.

The Incident

CiCi suffered a cyber event in May 2022, after a threat actor encrypted its computer systems and threatened to release exfiltrated data unless a ransom was paid. CiCi notified its insurer, HSB, retained the appropriate vendors, and eventually incurred around $1.2 million in costs, including a $400,000 ransom payment.

HSB issued a coverage letter to CiCi, acknowledging that the event triggered several insuring agreements, including Information Privacy, Network Security, Business Interruption, and Cyber Extortion. The policy had a $3 million aggregate limit.

HSB then attempted to apply a Ransomware Event Sublimit Endorsement in the policy, which capped all losses arising from a Ransomware Event at $250,000. HSB took the position that the endorsement applied to the attack on CiCi’s systems and capped recovery at $250,000.

The Litigation

The parties filed cross-motions for summary judgment as to the coverage owed by HSB. HSB argued that the Ransomware Event Sublimit Endorsement applied to limit coverage to $250,000 as, per HSB, it “clearly defines a ‘Ransomware Event’ as a type or subset of ‘Extortion Threat,’” effectively limiting the Cyber Extortion coverage from $3 million to $250,000. The court was not convinced that the endorsement was “clearly” drafted to this effect.

The ransomware endorsement stated that it applied “solely with respect to the coverage afforded under this endorsement,” and, importantly, did not specify which insuring agreements it purported to modify. In fact, it lacked any explicit language suggesting that it would apply to any Section I Insuring Agreements, such as Cyber Extortion. Rather, the endorsement stated that it was “added to Section II. Limits of Insurance.” The court emphasized that the Limits provision did not grant coverage; it established HSB’s maximum liability for coverages that were granted elsewhere in the policy.

The court looked to HSB’s own drafting in other endorsements in the policy, many of which explicitly stated when they modified specific insuring agreements. To the court, this demonstrated that HSB knew how to draft endorsements that clearly altered coverage and simply did not do so in this instance.

The court also emphasized that HSB itself recognized in its coverage letters that CiCi’s loss triggered coverage under four separate insuring agreements: Information Privacy, Network Security, Business Interruption, and Cyber Extortion. Yet, the Ransomware Sub‑Limit Endorsement nowhere stated that it modified or limited coverage under the Cyber Extortion insuring agreement—or any other insuring agreement. Indeed, the Ransomware Sub-Limit Endorsement stated that “[a]ll other terms, conditions, and exclusions of the Policy shall remain unchanged.” The court concluded that if HSB intended the $250,000 sublimit to apply across the policy—regardless of which insuring agreement was triggered—it was incumbent on HSB to say so expressly.

Finally, the court rejected HSB’s argument that a “Ransomware Event” is merely a subset of an “Extortion Threat.” The policy’s definition of “Ransomware Event” did not state that it was a subset of extortion. Nor did the endorsement revise the definition of “Extortion Threat” to incorporate ransomware. To the contrary, the amended definition of “Cyber Event” listed “Ransomware Event” alongside, rather than within, other categories such as Information Privacy Event, Network Security Event, and Extortion Threat. That structure reinforced the court’s conclusion that Ransomware Events were intended to be treated as a separate and distinct category of loss, in addition to an Extortion Threat. If HSB intended ransomware to be only a subset of extortion, the court noted, it could have made that intent clear—but did not.

After ruling on the policy language, the court noted that CiCi had provided sufficient evidence for its bad faith claims to survive HSB’s motion for summary judgment and proceed to trial.

*          *          *

The CiCi decision is an important reminder that sublimits and endorsements will be enforced as written, not as insurers may later wish they had written them. It behooves both the policyholder and insurer to have clarity as to what terms, conditions, and sublimits mean at the time of purchasing the policy, rather than arguing over policy interpretation in a later coverage suit. Policyholders should work with their brokers to seek clarifying endorsements at renewal. Insurers, meanwhile, must carefully review their policy language and work to minimize ambiguities. Discussions during underwriting should not be about how the policy should respond, but how it will respond in the event of a cyber incident.

  • Partner

    Andrea helps companies navigate disasters and swiftly recover insurance funds to restore operations with minimal impact to the bottom line. She leads the firm’s cyber insurance practice and serves as a firmwide hiring partner.

  • Associate

    Alice handles all aspects of insurance coverage and bad faith litigation and provides proactive counseling and coverage reviews for policyholders. She consults with corporate clients on coverage issues and provides advice ...
