
    Ensuring Ransomware Sublimits Hold Up: Key Drafting Takeaways from CiCi Enterprises

    March 03, 2026

    Ransomware sublimits are a common tool cyber insurers use to manage exposure arising from ransomware attacks. When ransomware infiltrates an insured’s system, the insured is typically faced with two costly options: pay a ransom to regain access to their data and resume operations quickly, or rebuild systems from scratch, incurring significant IT costs and extended business interruption losses. To contain this risk, cyber insurers increasingly rely on ransomware sublimits to cap coverage for ransomware-related losses. 

    As a recent decision illustrates, the application of ransomware sublimits turns on how they are drafted and incorporated into the policy. In CiCi Enterprises v. HSB Specialty Insurance Co., the court concluded that a ransomware sublimit endorsement did not apply to limit coverage under the other provisions of the policy.

    The Dispute

    CiCi Enterprises suffered a ransomware attack resulting in approximately $1.2 million in losses, including a $400,000 ransom payment. Its cyber policy contained an endorsement with a $250,000 ransomware sublimit. Its insurer, HSB, paid the $250,000 amount identified in the endorsement but denied coverage for the remaining loss, asserting that all ransomware-related loss was subject to the sublimit. CiCi challenged that position, and the court ultimately agreed with the insured, holding that the ransomware sublimit did not limit coverage under the broader policy.

    Where the Ransomware Sublimit Did Not Apply

    In holding that the ransomware sublimit did not extend to other insuring agreements, the court focused on several aspects of the endorsement’s wording and structure. 

    • Limited Scope: The endorsement stated that, “[s]olely with respect to the coverage afforded under this endorsement,” HSB’s maximum liability for any single “Ransomware Event” was $250,000. The court interpreted this language to mean that the sublimit applied only to coverage created by the endorsement itself, not to coverage provided elsewhere in the policy under separate insuring agreements.
    • Relationship to Existing Insuring Agreements: Unlike other endorsements in the policy, the ransomware sublimit did not expressly state that it applied to or modified any specific insuring agreement. The court declined to read the endorsement as limiting coverage otherwise available under the policy’s extortion or business interruption provisions.
    • Use of Defined Terms: The cyber policy’s extortion coverage relied on defined terms such as “Cyber Extortion” and “Extortion Loss.” The ransomware endorsement did not reference or incorporate those terms. Instead, it introduced a new definition — “Ransomware Event” — and amended the definition of “Cyber Event” to include ransomware. The court concluded that these changes did not establish that a “Ransomware Event” was equivalent to an “Extortion Event” for purposes of applying the extortion coverage sublimit.

    Based on these considerations, the court held that the ransomware sublimit did not cap the insured’s recovery for losses otherwise covered under the policy.

    Key Takeaways

    This decision illustrates how courts analyze ransomware sublimit endorsements by examining their text and how they interact with existing insuring agreements and defined terms. Where an endorsement does not expressly address its relationship to other coverage grants, courts may decline to apply it beyond its stated scope.

    Please contact Caroline Crosby, Gabriel Crane or any member of the Phelps insurance team with questions or for advice or guidance.

    • ©2026 Phelps Dunbar LLP. All Rights Reserved