A United States District Court ruled that an insurer owes one cybercrime limit for a loss in spite of the insured claiming there were two separate transactions. The case is Perry v. Cowbell Cyber, Inc., 2026 U.S. Dist. LEXIS 49409 (W.D. Tex. 2026).

Background

On December 19, 2023, Perry & Perry Builders received an email that they believed was from their steel vendor, Alamo Structural Steel. The email requested Perry to pay its outstanding invoices into a Chase bank account. Unbeknownst to them at the time, the email was sent by fraudsters, not Alamo Steel.

The following day, Perry's business manager complied with the fraudulent instructions, sending $874,863.70 to the Chase account. The manager sent two separate electronic transfers within one minute of each other for the total amount. The first was for $272,997.45 and the second for $601,866.25.

Perry filed a claim with its insurers, Cowbell Cyber and Obsidian Specialty Insurance. The insurers paid out $250,000, which was the policy limit for a cybercrime loss. Perry sued its insurers, arguing that it was owed a second $250,000 payment because the fraudulent payment was made through two separate electronic transfers.

One Occurrence Or Two?

The case was brought before a United States District Court of Texas. Perry argued that because the business manager split the $874,863.70 payment into two different electronic transfers to correspond with two separate invoices, those transfers constituted two separate claims under the policy. The manager didn't voluntarily split the invoice, but was paying two separate invoices.

The insurance policy stated that "Each Claim Limit of Liability" for "Cyber Crime Losses" was $250,000. Perry argued that it was owed two $250,000 payments for a total of $500,000.

The court, however, stated that Perry by their own choice decided to pay the invoices as two separate transactions. Further, the two electronic transfers were sent within one minute of each other.

"Perry is hard-pressed to make the argument that the number of "claims" or "losses" that it can assert under the policy depends on its own bookkeeping choices. By that logic, if Perry made the bookkeeping choice to pay Alamo Steel the $874,863.70 it owed in four electronic transfers of $200,000.00 and one of $74,863.70, Perry could claim the full $874,863.70 if those five electronic transfers matched five Alamo Steel invoices in corresponding amounts."

Policy Language

The insurers made a motion for summary judgment, arguing that the policy's liability limits capped their total exposure at $250,000 for the entire policy period, regardless of how many individual transfers the victim made or how many incidents occurred.

The policy stated:

"The Limits of Liability set forth in Item 5. of the Declarations is the maximum amount the Insurer will be liable to pay for all Claims, First Party Loss, First Party Expense, and Liability Expense under each Insuring Agreement, regardless of the number of Claims, Privacy Incidents, Network Security Incidents, Cyber Crime Incidents, Media Incidents, or Insureds. Such Limits of Liability are part of, and not in addition to, the Aggregate Limit of Liability"

The court analyzed the text line by line to determine the coverage. Item 5 showed that the policy limited "Each Claim Limit of Liability" for "Cyber Crime Losses" to $250,000. For the next section, "claims, first party loss, first party expense, and liability expense," both parties agreed that the loss was a first party loss. It was not a claim since a third party did not make a claim against Perry.

Finally, the loss fit under "cyber crime incidents," which includes a "cyber event." The policy also stated a "first party loss" is a "cyber crime loss."

The court reworked the text to include only the relevant parts to make it easier to read: "$250,000.00 is the maximum amount the Insurer will be liable to pay for all [Cyber Crime Incidents/Cyber Events] under each Insuring Agreement, regardless of the number of [Cyber Crime Incidents/Cyber Events."

The court found that the insurers owed only the $250,000 limit for the loss and granted the insurers' motion for summary judgment.

Editor's Note

The court ruled that the insured's bookkeeping decisions should not decide the amount paid by the policy. If that were the case, the insured could have theoretically claimed the entire amount of the loss if the transfer had been made in enough transactions. The court did not find that interpretation reasonable.

Further, after analyzing the policy language and reworking the relevant text to make it easier to read, the court determined that the policy capped all cyber losses during the policy period at $250,000.

Read More: