Court blocks HSB's ransomware sub-limit in first-of-its-kind cyber ruling

The insurer thought $250k settled it. The court had other ideas

A federal court has sent a clear message to cyber insurers: when an endorsement does not say what it means, courts will not fill in the gaps on the insurer's behalf.

In a ruling issued February 23, 2026, Judge Sam A. Lindsay of the United States District Court for the Northern District of Texas sided with CiCi Enterprises, LP in a coverage dispute against HSB Specialty Insurance Company, finding that a ransomware sub-limit endorsement did not cap the insurer's liability under the policy's cyber extortion coverage. The decision carries meaningful implications for how cyber insurers draft and apply ransomware sub-limits, particularly in policies with multiple insuring agreements.

The case began with a ransomware attack on May 21, 2022, in which a threat actor encrypted CiCi's computer systems and threatened to publish exfiltrated data unless a ransom was paid. CiCi held a cyber insurance policy issued by HSB with a $3,000,000 aggregate limit, subject to a $50,000 retention. Following the attack, CiCi notified At-Bay Insurance Services – HSB's agent for receiving notice of claims – and, with At-Bay's approval, retained a law firm and incident response firm, Arete Advisors, to conduct a breach investigation, manage the response, and negotiate with the threat actor. The original ransom demand of $2,000,000 was negotiated down to $400,000. CiCi ultimately alleged total losses exceeding $1,200,000 as a result of the cyber event.

HSB acknowledged coverage under four insuring agreements – Information Privacy, Network Security, Business Interruption, and Cyber Extortion – but invoked a Ransomware Event Sub-Limit Endorsement to cap its total payout at $250,000. It paid that amount and considered its contractual obligations fulfilled.

CiCi disagreed and sued.

The central question before the court was whether the ransomware sub-limit endorsement applied to the cyber extortion coverage, effectively reducing HSB's maximum liability from $3,000,000 to $250,000. The court concluded it did not.

The endorsement limited liability "solely with respect to the coverage afforded under this endorsement." The court found this language to be a problem for HSB – because nowhere in the endorsement did it specify what coverage it actually afforded. The court noted that the word "solely" means "to the exclusion of all else," and that on a plain reading, the endorsement could only limit whatever coverage it granted, which it never actually defined.

The court also found that the endorsement, while adding a provision to the policy's limits section, made no reference to the insuring agreements section – the part of the policy where coverage is actually granted. Critically, the endorsement did not contain the words "Cyber Extortion" or "Extortion Loss" anywhere in its text. It closed, instead, with a clause stating that "all other terms, conditions, and exclusions of the Policy shall remain unchanged."

What strengthened the court's reasoning was a comparison between the ransomware endorsement and two other endorsements in the same policy, both also drafted by HSB. One covering cryptojacking and another covering funds transfer fraud each explicitly identified the specific insuring agreements they modified. The ransomware endorsement contained no such language. If HSB intended the sub-limit to apply across all insuring agreements, the court found, it was incumbent upon HSB to say so expressly. Having not done so, it could not now rely on that reading.

HSB had argued that a ransomware event is simply a narrower version of an extortion threat – distinguished by the use of malicious software and the requirement that the threat originate from a third party rather than a rogue employee. The court rejected that argument, pointing to the endorsement's own amended definition of "cyber event," which listed ransomware event as a separate and independent category alongside – not within – extortion threat. The policy's structure, the court found, treated the two as distinct types of events, and the endorsement gave no indication that was meant to change.

The court noted that neither party had cited any prior rulings interpreting a ransomware sub-limit endorsement, and that its own extensive research turned up none. The decision appears to be among the first of its kind on this specific policy language.

The ruling does not close the case entirely. CiCi's breach of contract claim and its allegations that HSB violated the Texas Insurance Code's provisions on unfair practices and prompt payment of claims remain pending and are headed for trial, likely no earlier than the fall of 2026. The court declined to dismiss those claims, finding that CiCi had raised genuine factual disputes sufficient to put them before a jury – including evidence that HSB's conduct, and that of its managing general agent, At-Bay, may have risen to the level of bad faith through misrepresentations and failures to disclose information material to CiCi's coverage.

Judge Lindsay closed his opinion by strongly encouraging both parties to seek resolution before trial, offering the services of a magistrate judge for a settlement conference or mediation at no cost, and directing the parties to report to the court no later than March 6, 2026, whether they wish to proceed in that direction. The judge noted plainly that the remaining issues are not certain for either side, and that continued litigation through trial and a possible appeal would come at significant cost to both.

For insurers writing cyber policies, the ruling is a practical lesson in drafting precision – a reminder that a sub-limit endorsement which does not explicitly identify the coverage it modifies may ultimately be found not to modify anything at all.
