Cyber criminals do not need a crowbar, a ski mask, or a getaway car. They need a believable email, a rushed employee, and a business that trusts a payment instruction without independently verifying it. That was one painful lesson in Perry & Perry Builders, Inc. v. Cowbell Cyber, Inc. and Obsidian Specialty Insurance Company.¹

The facts are unfortunately familiar. Perry & Perry Builders received communications that appeared to come from its steel vendor, Alamo Structural Steel. The fraudster claimed Alamo would no longer accept paper checks and asked for payment by an electronic funds transfer (ACH). Perry’s office manager followed up by phone, but the phone number came from the fraudulent communication. Perry then sent two ACH transfers, one for $272,997.45 and another for $601,866.25, to the account supplied by the fraudster. The money was gone.

The insurer acknowledged coverage for a social engineering loss and paid $250,000. The fight was over whether Perry was entitled to a second $250,000 payment because the funds were sent in two separate ACH transfers corresponding to two separate invoices.

Perry’s argument was that the declarations page listed Cyber Crime Loss with an “Each Claim Limit of Liability” of $250,000. Perry argued that the policy’s definition of “Claim” applied only to third-party liability claims, not first-party losses like cyber crime reimbursement. If “Claim” was undefined for first-party loss, Perry said the word should be given its ordinary meaning. Under that view, each demand for insurance benefits arising out of each separate payment could be treated as a separate claim. Since there were two transfers, Perry argued there were two claims.

This is a good policyholder argument because insurance companies write these forms. If they want one limit to apply to all social engineering losses arising from one scheme, one vendor impersonation, one payment run, or one cyber event, they can say so. Courts should not rewrite policies to give insurers limitations they almost wrote but did not quite put into the contract. Perry also made a strong point that merely defining “Interrelated Incident” does not limit coverage unless some operative provision actually uses that definition to restrict recovery. A definition sitting alone in a policy is not a limitation. It is just a word waiting for work.

The insurer said this was one “social engineering” attack. One fraudster impersonated one vendor, supplied one set of false ACH instructions, directed payment to one fraudulent account, and caused two transfers made only one minute apart. The two transfers matched two legitimate invoices, but that was a function of Perry’s own payment processing. The insurer argued that coverage limits should not multiply based on bookkeeping choices.

The insurer’s strongest legal argument came from the Cowbell Breach Fund Separate Limit Endorsement. The endorsement stated that the limits of liability in the declarations were the maximum amount the insurer would pay for all Claims, First Party Loss, First Party Expense, and Liability Expense under each insuring agreement, regardless of the number of Claims, Cyber Crime Incidents, or Insureds. The insurer said that language capped the Cyber Crime Loss recovery at the $250,000 limit already paid.

The court agreed with the insurer. The opinion’s most important point was not that two transfers can never be two losses. It was that, under this policy and these facts, the two transfers did not create two separately payable cyber crime limits. The judge was plainly troubled by the idea that the insured’s internal accounting decision could determine the number of available limits. If Perry could obtain two limits because it made two transfers one minute apart, why not five limits if it had paid five invoices in five transfers?

The court treated the $250,000 Cyber Crime Loss amount as the applicable limit and read the endorsement to make that amount the maximum payable for all first-party cyber crime loss under that insuring agreement, regardless of the number of claims or cyber crime incidents. Since the insurer had already paid $250,000, the court held that nothing more was owed.

The opinion deserves some criticism. The court did not spend enough discussion on the policyholder’s best textual argument. Why did the declarations use the phrase “Each Claim Limit of Liability” for first-party Cyber Crime Loss if the policy’s definition of “Claim” only fits third-party claims? This is the kind of wording that invites coverage disputes. The insurer won, but the policy language was hardly a model of clarity. When a cyber policy uses liability-claim terminology in a first-party loss chart, nobody should be shocked when a policyholder argues that each first-party demand is a separate claim.

The court’s result is nevertheless understandable because the facts pushed hard in the insurer’s direction. This looked like one fraudulent transaction resulting in two transfers because of two invoices. The transfers were made one minute apart to the same fraudulent account after one vendor impersonation scheme. Courts often say they start with the policy language. But the facts pulled toward one loss.

Businesses should learn several lessons from this decision. The first lesson is that the aggregate limit on a cyber policy may be the least important number on the page. A business may think it purchased a million dollars of cyber insurance, but the social engineering or cyber crime coverage may be subject to a much smaller sublimit. Worse, an endorsement may say that sublimit is the most the insurer will pay regardless of how many payments, invoices, cyber crime incidents, or claims are involved.

The second lesson is that declarations pages can be dangerous half-truths. They summarize limits, but endorsements can change how those limits apply. Business owners and risk managers must ask their brokers to explain, in writing, how much coverage exists for a realistic vendor impersonation loss. The question should not be, “Do we have cyber coverage?” The better question is, “If a fraudster tricks us into wiring $900,000 to a fake vendor account through two or three transfers, how much will this policy actually pay?”

The third lesson is that payment verification procedures must be treated as insurance conditions of survival, not office suggestions. Vendor bank changes should be verified through independently stored contact information, not phone numbers or email addresses supplied in the payment-change request. Dual approval should be mandatory. Large ACH payments should trigger a callback, written confirmation, and a waiting period. A business should assume that any email changing payment instructions is guilty until proven innocent.

The fourth lesson is that social engineering limits should match the business’s real payment exposure. Contractors, property managers, manufacturers, distributors, law firms, and other businesses regularly moving six- and seven-figure payments need cyber crime limits that reflect that risk. A $250,000 sublimit may be woefully inadequate for a company that routinely pays vendors more than that in a single payment cycle. I am sending this blog article to our firm’s CFO and our insurance broker.

My often-repeated lessons remain. Read the policy and the endorsements. Challenge unclear wording before the loss. Document the broker’s representations. Never assume that the label “cyber” means the policy will fully respond to cyber fraud.

The thieves are getting smarter. Businesses must get smarter before the loss, not after the denial letter.

Thought For The Day

“I am convinced that there are only two types of companies: those that have been hacked and those that will be.” 
— Robert S. Mueller III, former FBI Director, RSA Cyber Security Conference, March 1, 2012.


¹ Perry & Perry Builders v. Cowbell Cyber, Inc. and Obsidian Specialty Ins. Co., No. 6:25-cv-00106 (W.D. Tex. Mar. 9, 2026). See Plaintiff’s Motion for Summary Judgment and Defendant’s Motion for Summary Judgment.