By: Julie Shehane and Daniel Alvarado
The Insurance Coverage team of Brent Cooper, Julie Shehane, and Daniel Alvarado at Cooper & Scully secured a favorable ruling on its client’s Motion for Partial Summary Judgment in federal court, providing cyber insurance policyholders with greater clarity of their rights.
On February 23, 2026, the Northern District of Texas ruled in favor of CiCi Enterprises, LP (“CiCi”) in a dispute with CiCi’s cyber insurance carrier, HSB Specialty Insurance Company (“HSB”). The Northern District held that, under the plain language of a Ransomware Event Sub-Limit Endorsement (“Ransomware Endorsement”), the endorsement did not apply to cap CiCi’s recovery to $250,000.
The dispute stemmed from a malware attack in May 2022 in which a threat actor encrypted CiCi’s computer systems and threatened to publish sensitive data if CiCi did not pay a ransom. CiCi subsequently reported the malware attack to its cyber insurance carrier, HSB. CiCi then retained incident response services before paying a $400,000 ransom. In total, CiCi incurred roughly $1.2 million in costs.
In response, HSB issued a coverage letter acknowledging that the malware attack triggered coverage under several insuring provisions of the cyber insurance policy, including Information Privacy, Network Security, Business Interruption, and Cyber Extortion. HSB elaborated that the malware event constituted an “Extortion Threat,” a type of event that triggered coverage under the Cyber Extortion insuring agreement. The cyber insurance policy’s aggregate limit was $3 million.
HSB also stated, however, that the malware event constituted a “Ransomware Event” subject to the policy’s Ransomware Endorsement (Form AB-CYB-092 11/2020), which had a significantly lower $250,000 limit of liability. HSB contended that all of CiCi’s damages were thus capped at $250,000.
In the declaratory judgment action that followed, CiCi and HSB filed cross-motions for summary judgment regarding whether the $3 million or the $250,000 limit of liability applied to cover CiCi’s damages from the malware attack.
HSB argued that the Ransomware Endorsement unambiguously applied to Cici’s claim because the endorsement “clearly defines a ‘Ransomware Event’ as a type or subset of ‘Extortion Threat.’” HSB claimed that, if CiCi could avoid the Ransomware Endorsement by characterizing the malware event as “Cyber Extortion” rather than a “Ransomware Event,” then the Ransomware Endorsement would be written out of the policy entirely.
CiCi countered that, under the plain language of the Ransomware Endorsement, the endorsement did not apply to the malware event. CiCi argued that HSB, as the drafter of the Ransomware Endorsement, could have explicitly chosen to designate a “Ransomware Event” as a subset of “Extortion Threat” but chose not to do so. The court ultimately agreed with CiCi’s interpretation that the Ransomware Endorsement did not apply to limit CiCi’s claim for Cyber Extortion.
As with almost all insurance coverage disputes, the court began with the plain language of the Ransomware Endorsement. The court noted that the Ransomware Endorsement states, “solely with respect to the coverage afforded under this endorsement, our maximum liability … resulting from any single Ransomware Event” shall be $250,000. Focusing on the word “solely,” the court noted the endorsement, on its face, only applied to the “coverage afforded” under the endorsement. However, the endorsement did not state what coverage it afforded.
Rather, the endorsement merely stated that it was “added to Section II. Limits of Insurance,” without referencing any modifications to Section I. Insuring Agreements. More specifically, it contained no modifying language to Insuring Agreement D. Cyber Extortion.
Importantly, Section II. Limits of Insurance did not afford any coverage, but only established HSB’s maximum liability as to each insuring agreement. Also, the Ransomware Endorsement explicitly stated that “[a]ll other terms, conditions, and exclusions of the Policy shall remain unchanged.”
The court also looked at HSB’s other policy endorsements, which expressly modified a type of afforded coverage under Section I. Insuring Agreements. Specifically, these other endorsements contained language stating, “[t]he following is added to Section I. Insuring Agreements…” and “Section I. Insuring Agreements … is deleted and replaced with the following. …”
Finding HSB did not include such explicit terms in the Ransomware Endorsement, the court determined that HSB cannot now complain given its failure to expressly state its intent that the endorsement would apply to all the policy’s insuring agreements. Regarding Insuring Agreement D. Cyber Extortion, the court highlighted that the Ransomware Endorsement contained no language subjecting this insuring agreement to the endorsement’s sub-limit, despite other endorsements having language to that effect.
Lastly, the court rejected HSB’s argument that “Ransomware Event” is a “type or subset” of “Extortion Threat” based on the language of the definition for “Ransomware Event” and the structure of the Policy’s other defined terms. First, the definition of “Ransomware Event” did not state that it was revising the term “Extortion Threat” to include “Ransomware Event” as a type of “Extortion Threat.” It merely explained what constituted a “Ransomware Event.”
Second, both “Ransomware Event” and “Extortion Threat” were types of a broader category, “Cyber Event,” along with other types of “Cyber Event” such as Information Privacy Event, Network Security Event, and Extortion Threat. Based on the lateral relationship of “Ransomware Event” and “Extortion Threat” within the definition of “Cyber Event,” the court determined these terms were meant to be treated as separate and distinct from each other.
In the same way that an “Information Privacy Event” was not a subset of a “Network Security Event,” a “Ransomware Event” could not be considered a subset of an “Extortion Threat.” Again, the court noted that HSB could have drafted the endorsement to make a “Ransomware Event” a subset of “Extortion Threat” but failed to do so here.
After determining that the Ransomware Endorsement did not apply to reduce CiCi’s coverage from $3 million to $250,000, the court determined CiCi’s presented sufficient evidence to raise a genuine dispute of material fact regarding CiCi’s claims for violations of the Texas Insurance Code.
The CiCi decision demonstrates that Texas courts will focus on the policy’s words as written in determining a carrier’s intent, and not a carrier’s later arguments regarding its intent. In CiCi, the words “solely with respect to the coverage afforded under this endorsement” acted to demonstrate HSB’s intent regarding how the Ransomware Endorsement would interact with the policy at-large. Accordingly, insurers should work diligently to review their policies and draft their terms, conditions, exclusions, and sublimits in such a way that these items will apply in practice as intended.
Policyholders facing coverage limitations and reductions of limits should pay careful attention to the language used in their policies, and, if necessary, hire coverage counsel to assess the carrier’s position. The Ransomware Endorsement at issue in the CiCi decision was drafted by HSB’s cyber managing general agent at the time, At-Bay. At-Bay has since created its own insurance carrier, At-Bay Specialty Insurance Company, which issues cyber policies and still attaches the same Ransomware Endorsement to those cyber policies. It is unknown whether HSB still uses the same Ransomware Endorsement form in its cyber policies. Cyber policyholders should review their policies, determine if this Ransomware Endorsement is attached, and be prepared to argue against its application for cyber extortion claims.