From the Hunton Insurance Recovery Blog:
In the rarely litigated space of cyber insurance, the Northern District of Texas issued a win for cyber policyholders this week, offering a clear reminder to insurers that if they want to restrict coverage, they must draft the policy to clearly do so.
In CiCi Enterprises, LP v. HSB Specialty Insurance Company, the court held that a Ransomware Event Sublimit Endorsement did not cap CiCi’s recovery to $250,000. The court concluded that HSB failed to draft the endorsement with the necessary clarity to limit the coverage as it supposedly intended.
The Incident
CiCi suffered a cyber event in May 2022, after a threat actor encrypted its computer systems and threatened to release exfiltrated data unless a ransom was paid. CiCi notified its insurer, HSB, retained the appropriate vendors, and eventually incurred around $1.2 million in costs, including a $400,000 ransom payment.
HSB issued a coverage letter to CiCi, acknowledging that the event triggered several insuring agreements, including Information Privacy, Network Security, Business Interruption, and Cyber Extortion. The policy had a $3 million aggregate limit.
HSB then attempted to apply a Ransomware Event Sublimit Endorsement in the policy, which capped all losses arising from a Ransomware Event at $250,000. HSB took the position that the endorsement applied to the attack on CiCi’s systems and capped recovery at $250,000.
Read more about the case and the court’s opinion on Hunton.
