Court Rejects Insurer’s Attempt to Cap Cyber Extortion Coverage Based on Ransomware Sub-Limit
A recurring question in coverage disputes is whether a sub-limit expands coverage by creating a new, defined grant, or instead operates to restrict coverage that would otherwise be available under the policy.
In CiCi Enters., LP v. HSB Specialty Ins. Co., No. 3:23-CV-2155-L (N.D. Tex. 2026), the court held that a ransomware sub-limit endorsement in a cyber insurance policy did not cap the insured’s recovery at $250,000.
Following a ransomware attack, the insured incurred more than $1.2 million in losses, including a ransom payment and incident response costs. The insurer acknowledged coverage under multiple insuring agreements, including cyber extortion, but asserted that the pizzeria's coverage was limited to $250,000 based on a ransomware sub-limit endorsement. The insurer argued that the ransomware sub-limit applied because the event qualified as a “Ransomware Event” and, in its view, functioned as a subset of an extortion threat subject to the endorsement cap.
The court rejected that position, emphasizing that the endorsement “contains no explicit language subjecting Insuring Agreement D. Cyber Extortion to the sub-limit” and instead states that it applies “[s]olely with respect to the coverage afforded under this endorsement,” without identifying any such coverage. The court further explained that if the insurer “intended for the Ransomware Endorsement to modify ‘Cyber Extortion’ coverage, [it] should have included language in the endorsement to that effect,” particularly where other endorsements in the same policy expressly modified specific insuring agreements.
Insurers increasingly argue that sublimits operate to restrict coverage across multiple grants, but this decision provides a clear roadmap for pushing back. Policyholders should emphasize that unless a sublimit expressly states it limits coverage, they should not be read that way.
