When an insurer attempts to limit its exposure, it must keep all of the policy in mind—not just a few discrete parts. Recently, the United States District Court for the Northern District of Texas determined that a ransomware attack did not fall within the cyber insurance policy’s “Ransomware Sub-Limit Endorsement,” and the insurer was unable to apply the Endorsement’s sublimit. CiCi Enters., LP v. HSB Specialty Ins. Co., No. 3:23-CV-2155-L, 2026 WL 502954 (N.D. Tex. Feb. 23, 2026).
In CiCi Enterprises, an insured sought coverage for a malware attack in which the threat actor demanded a $2,000,000 ransom to decrypt the insured’s data. The insurer sent a coverage letter indicating its position that the cyber event implicated four of the policy’s seven separate coverages: Information Privacy, Network Security, Business Interruption, and Cyber Extortion. The insurer informed the insured that it considered the attack an “Extortion Threat” under the Cyber Extortion coverage as well as a “Ransomware Event” as defined in the Ransomware Sub-Limit Endorsement. Coverage for a “Ransomware Event” was capped at $250,000. Id. at *2.
The insured alleged it incurred over $1,200,000 in losses as a result of the attack. It sought, among other things, a declaratory judgment that the Ransomware Sub-Limit Endorsement did not modify the Cyber Extortion coverage, such that the $250,000 sublimit did not apply.
The court first determined that the Ransomware Sub-Limit Endorsement was not unambiguous, as the Endorsement applied to the “coverage afforded under this endorsement” without indicating which coverages were included within the “coverage afforded.” Id. at *11.
The court then noted the Ransomware Sub-Limit Endorsement did not modify coverage under each of the seven separate insuring agreements. The Ransomware Sub-Limit Endorsement did not include “Cyber Extortion” or “Extortion Loss” related to “Cyber Extortion.” Id. at *12. Rather, the Ransomware Sub-Limit Endorsement stated that all other terms of the Policy remained unchanged. Id. The court also compared the Ransomware Sub-Limit Endorsement to other endorsements that modified all insuring agreements and found that, in those endorsements, the insurer explicitly stated that they modified all insuring agreements. Id. Because the insurer failed to use explicit terms to specify that the Ransomware Sub-Limit Endorsement applied across each of the seven insuring agreements, the court determined the $3,000,000 aggregate limit was available to the insured.
The court also pointed out that a “Ransomware Event” as defined by the policy was not included as a subset of “Extortion Threat.” The court noted that the Ransomware Sub-Limit Endorsement did not revise the term “Extortion Threat” to include “Ransomware Event” as a type of “Extortion Threat.” Rather, the Endorsement added “Ransomware Event” as a type of “Cyber Event,” “Information Privacy Event,” “Network Security Event,” and “Extortion Threat.” Thus, the court determined the plain language of the Policy showed that “Ransomware Event” and “Extortion Threat” were two separate terms, and thus should be construed in favor of the insured. Id. at *13.
In sum, if an insurer intends for a sub-limit to apply to all coverages contained within a policy, it must state so clearly and craft its definitions carefully.