Drafting Ransomware Sublimits That Hold Up: What Insurers Can Learn From CiCi Enterprises
Ransomware sublimits are a common tool cyber insurers use to manage exposure stemming from ransomware attacks. When ransomware infiltrates an insured’s system, the insured is typically faced with two costly options: pay a ransom to regain access to their data and resume operations quickly, or rebuild systems from scratch, incurring significant IT costs and extended business interruption losses. To contain this risk, cyber insurers increasingly rely on ransomware sublimits to cap coverage for ransomware-related losses.
As a recent decision illustrates, however, ransomware sublimits are only effective if they are carefully drafted and properly integrated into the policy. In CiCi Enterprises v. HSB Specialty Insurance Co., the court concluded that a ransomware sublimit endorsement did not operate as the insurer intended.
The Dispute
CiCi Enterprises suffered a ransomware attack resulting in approximately $1.2 million in losses, including a $400,000 ransom payment. Its cyber policy contained an endorsement with a $250,000 ransomware sublimit. Its insurer, HSB, paid the $250,000 sublimit but denied coverage for the remaining loss, asserting that all ransomware-related loss was capped by the endorsement. CiCi challenged the denial, and the court ultimately agreed with the insured, holding that the ransomware sublimit did not limit coverage under the broader policy.
Where the Ransomware Sublimit Fell Short
In holding that the ransomware sublimit was narrow and did not apply to other insuring agreements, the court identified several issues with the wording of HSB’s ransomware sublimit endorsement.
- Limited Scope: The endorsement stated that, “[s]olely with respect to the coverage afforded under this endorsement,” HSB’s maximum liability for any single “Ransomware Event” was $250,000. The court interpreted this language to mean that the sublimit applied only to coverage created by the endorsement itself, not to coverage provided elsewhere in the policy under separate insuring agreements.
- Failure to Modify Existing Insuring Agreements: Unlike other endorsements in the policy, the ransomware sublimit did not expressly state that it applied to or modified any specific insuring agreement. As a result, the court declined to read the endorsement as limiting coverage otherwise available under the policy’s extortion or business interruption provisions.
- Inconsistent or Incomplete Use of Defined Terms: The cyber policy’s extortion coverage relied on defined terms such as “Cyber Extortion” and “Extortion Loss.” The ransomware endorsement did not reference or incorporate those terms. Instead, it introduced a new definition — “Ransomware Event” — and amended the definition of “Cyber Event” to include ransomware. The court found these changes insufficient to establish that a “Ransomware Event” was equivalent to an “Extortion Event” for purposes of applying the extortion coverage sublimit.
Because of these issues, the court concluded that the ransomware sublimit did not cap the insured’s recovery for losses otherwise covered under the policy.
Key Takeaways for Insurers
This decision underscores that ransomware sublimits must be tightly and expressly linked to the relevant insuring agreements and definitions to be effective. Insurers seeking to sublimit ransomware-related losses should consider:
- Explicitly stating that the ransomware sublimit applies to, and modifies, specific insuring agreements.
- Ensuring that the sublimit clearly encompasses all categories of loss the insurer intends to sublimit, including extortion payments, vendor costs, and business interruption losses.
- Avoiding the introduction of new, stand-alone definitions that are not clearly tied to existing policy terms.
- Clearly stating that ransomware-related losses are covered exclusively under the sublimited insuring agreement and are not recoverable under any other coverage part of the policy.
The CiCi Enterprises decision serves as a reminder that ransomware sublimits are only as effective as their drafting. Courts will closely scrutinize whether a sublimit endorsement clearly and unambiguously modifies the insuring agreements it is intended to restrict. Absent explicit tie-ins to those insuring agreements and their defined terms, insurers risk having ransomware losses covered under broader policy provisions even where the policy states a sublimit. Insurers should take care to align endorsements, definitions, and coverage grants so that ransomware sublimits operate as intended.
Please contact Caroline Crosby, Gabriel Crane or any member of the Phelps insurance team with questions or for advice or guidance.