ARTICLE
23 March 2026

Texas Federal Court Reinforces Single Limit For Social Engineering Loss Arising From Multiple Payments

BA
Bradley Arant Boult Cummings LLP

Contributor

Bradley Arant Boult Cummings LLP logo

Bradley is a national law firm with a reputation for skilled legal work, exceptional client service, and impeccable integrity. Our more than 750 attorneys provide business clients around the world with a full suite of legal services in dozens of industries and practice areas. Bradley’s 13 offices are located in Alabama, Florida, Georgia, Mississippi, North Carolina, Tennessee, Texas, and the District of Columbia, giving us an extensive geographic base to represent clients on a regional, national, and international basis. We frequently serve as national coordinating counsel, regional counsel, and statewide counsel for clients in various industries.

Explore Firm Details
A recent decision from the U.S. District Court for the Western District of Texas offers a cautionary reminder for policyholders evaluating cyber coverage.
United States Insurance
Aaron Campbell
Aaron Campbell’s articles from Bradley Arant Boult Cummings LLP are most popular:
  • in European Union
Bradley Arant Boult Cummings LLP are most popular:
  • within International Law, Finance and Banking and Real Estate and Construction topic(s)
  • with Senior Company Executives, HR and Inhouse Counsel
  • with readers working within the Insurance industries

A recent decision from the U.S. District Court for the Western District of Texas offers a cautionary reminder for policyholders evaluating cyber coverage. In Perry & Perry Builders, Inc. v. Cowbell Cyber, Inc. and Obsidian Specialty Insurance Co. Inc., insufficient policy limits and a key limiting endorsement left the policyholder critically underinsured for a social engineering scam.

An All-Too-Common Scam — and Insufficient Insurance

Perry & Perry Builders fell victim to a familiar but costly fraud. On December 19, 2023, the company received an email appearing to be from a steel vendor requesting payment of two outstanding invoices. The email, however, was a scam. Perry transferred $601,866.25 and $272,997.45 to a bank account controlled by fraudsters. The payments — made less than one minute apart — matched the amounts of two separate invoices.

Perry's cyber insurers paid the single $250,000 per-claim Cyber-Crime Loss Limit. Perry, however, sued for an additional $250,000, arguing that each of the two payments constituted a separate “claim” (and thus triggered a separate limit).

The Court's Decision

In its March 9, 2026, decision, the district court rejected Perry's argument and granted summary judgment for the insurers. Its decision rested on two key points. First, the court emphasized that Perry's choice to split its payment into two did not convert one claim into two separate insured claims. As the court noted, Perry was “hard-pressed to make the argument that the number of ‘claims' or ‘losses' that it can assert under the policy depends on its own bookkeeping choices.”

The court also relied heavily on the policy's Breach Fund Separate Limit Endorsement, which capped the insurer's liability for all cyber-crime losses at the per-claim limit — regardless of the number of Claims [or] Cyber Crime Incidents.” In the court's words, this endorsement “caps at $250,000.00 what Defendants must pay for all of Perry's cyber losses during the policy period.”

This single endorsement, standing alone, would have been sufficient to limit the insured to one $250,000 payment.

Key Takeaways for Policyholders

  • Social engineering exposures can rapidly exceed cyber limits.
    Here, scammers were swiftly able to steal $874,863.70 from Perry – more than triple Perry's policy limits. Even if Perry had succeeded in obtaining another $250,000 in coverage, it still would have faced over $370,000 in uninsured loss. Cyber-crime and social engineering sublimits must be calibrated to the organization's realistic payment flows and risk appetite.
  • Endorsements can dramatically curtail coverage.

As Perry & Perry Builders illustrates, even generous aggregate limits offer little comfort when an endorsement quietly imposes a much lower effective cap. Policyholders must scrutinize endorsements — particularly separate limit, sublimit, or “regardless of number of claims/incidents” provisions — to ensure they align with coverage expectations.

  • Courts may apply a single limit to multiple fraudulent payments arising from the same scam.

Although the endorsement controlled the outcome in Perry & Perry Builders, the court also rejected Perry's argument that multiple invoices equate to multiple losses. Insurers may seize on this reasoning in future claims to apply a single per-occurrence or per-claim limit to numerous fraudulent transfers tied to a single social engineering event.

Conclusion

Perry & Perry Builders underscores the need for policyholders to take a thoughtful, planned approach when selecting cyber-crime limits. Organizations should regularly evaluate their typical payment sizes, the volume and timing of vendor transactions, and their vulnerability to social engineering scams. Equally important, they must ensure the cyber policy's fine print — including endorsements — does not undercut the coverage they expect.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Person photo placeholder
Aaron Campbell
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More