
When is a ransomware limit not a limit: Lessons from CiCi Enterprises v HSB

26 March 2026
Kathryn Balogun

A US court has ruled that a clause added to a cyber insurance policy to limit how much an insurer pays out following a ransomware attack did not work as the insurer had intended, with important lessons for insurers reviewing their policy wording.

Background

CiCi Enterprises, a US restaurant franchise, suffered a ransomware attack in May 2022. A threat actor encrypted its systems and threatened to publish stolen data unless a ransom was paid. CiCi incurred around $1.2m in costs, including a $400,000 ransom payment.

HSB acknowledged that the attack triggered cover under several insuring agreements, including Cyber Extortion, under a policy with a $3m aggregate limit. It then relied on a Ransomware Event Sublimit Endorsement to cap its liability at $250,000, paid that sum, and considered the matter closed.

CiCi disagreed. On 23 February 2026, the US District Court for the Northern District of Texas found in CiCi's favour, holding that HSB had not drafted the endorsement clearly enough to achieve the result it intended.

Why the endorsement failed

The court identified four drafting problems.

  1. It did not say what it covered: The endorsement applied "solely with respect to the coverage afforded under this endorsement" but never identified which insuring agreements it modified. It sat in the Limits of Insurance section, not the Insuring Agreements section where cover is granted. That location alone was insufficient to restrict cover granted elsewhere.
  2. Other endorsements in the same policy were drafted differently: Endorsements relating to cryptojacking and funds transfer fraud each explicitly named the insuring agreements they modified. The ransomware endorsement did not. 
  3. The policy structure did not support HSB's argument: HSB argued that a ransomware event was a subset of an extortion threat, bringing it within the Cyber Extortion cover. The court disagreed. The policy listed the two as separate categories. 
  4. The preservation clause did not assist the insurer: The standard closing line, that "all other terms, conditions, and exclusions remain unchanged," reinforced the conclusion that the endorsement had not altered the existing Cyber Extortion cover. Boilerplate language does not fill a drafting gap.

Why this matters for insurers

English courts apply the same fundamental approach to policy construction. Under Arnold v Britton [2015] UKSC 36 and Wood v Capita Insurance Services [2017] UKSC 24, courts will generally give words their natural meaning in the context of the policy as a whole. Provisions that limit or restrict cover are construed carefully, and courts will not rewrite a policy to reflect what an insurer intended but failed to express.

Ransomware sub-limits are a standard feature of cyber policies. The CiCi case is a reminder that a sub-limit which is not clearly connected to the insuring agreements it is intended to restrict may not operate as intended when a claim is made.

Insurers should consider four practical steps

  1. Check that sub-limits clearly state which parts of the policy they apply to. If they do not, a court may find that broader policy limits remain available to the policyholder.
  2. If an endorsement introduces a new term, make sure that term is clearly linked to the existing language used in the operative sections of the policy.
  3. Review all endorsements together and check for inconsistencies. If some endorsements cross-reference specific coverage sections and others do not, a court will notice.
  4. If a sub-limit is intended to cap all losses from a particular event or peril, including the cost of responding to the incident or peril, lost revenue, and system restoration, say so explicitly in the endorsement rather than leaving it to be implied.
