The potential application of policy sublimits is a critical issue to understand in ensuring the availability of adequate coverage for the variety of losses a policyholder may experience as the result of a cyber incident. Hotel Monteleone, a historic New Orleans hotel, is currently pursuing a case against its insurer over whether the hotel is entitled to the full $3 million limit of liability in its cyber insurance policy, or instead confined to a mere $200,000 sublimit in connection with a recent cyber incident. New Hotel Monteleone, LLC v. Certain Underwriters at Lloyd’s of London, No. 2015-11711 (Civ. Dist. Ct. for Orleans Parish, Louisiana).
In late 2014, the Hotel experienced a cyber incident in which consumer payment card numbers were breached and allegedly compromised. As a result of the incident, the Hotel faced liability imposed by means of a written demand from BMO Harris Bank N.A., a payment card processor. The demand alleged that the Hotel had failed to maintain the security and confidentiality of the consumer payment card numbers, and sought damages falling into four different categories: (1) the cost of the fraudulent charges resulting from the 2014 incident, (2) the cost of replacing the compromised consumer payment cards, (3) reimbursement for investigations and other costs incurred by MasterCard in connection with the incident, and (4) costs incurred in connection with the Hotel’s alleged violation of the requirements of the Payment Card Industry Data Security Standards (“PCI DSS”).
The Hotel sought coverage for this demand from its insurer, Ascent Underwriting (“Ascent”), claiming that all of its losses would be covered by the $3 million limit of liability applicable to the security and privacy liability coverage in its cyber insurance policy. In response, Ascent acknowledged only limited coverage, citing the application of a $200,000 sublimit in the policy’s Payment Card Industry Fines or Penalties Endorsement.
That Endorsement defined “Payment Card Industry fines and penalties” to mean “a written demand received by [the policyholder] by a credit card association for a monetary fine or penalty because of [the policyholder’s] non-compliance with Payment Card Industry Data Security Standards.” Complaint ¶ 27. “Credit card association” was separately defined to include the major payment card associations like Visa, MasterCard, and Discover. Id.
On December 10, 2015, the Hotel filed suit against Ascent seeking a declaratory judgment. In its complaint, the Hotel asserts that the sublimit applies only to amounts owed for violations of PCI DSS requirements and only if those amounts result from a written demand received from a credit card association—not a payment card processor like BMO Harris Bank N.A.
The Hotel also notes in its complaint that shortly after the 2014 cyber incident, it purchased a new policy from the same insurer for the policy period November 1, 2014 through November 1, 2015 (the “2015 Policy”). The 2015 Policy revised the Payment Card Industry Fines or Penalties Endorsement to cover “reimbursements, fraud recoveries or assessments” that the Hotel would owe under the terms of a Merchant Service Agreement with the credit card associations. Pointing to the Endorsement of the same name in the 2014 Policy, which covered only “a monetary fine or penalty,” the Hotel argues that the revision to the language of the Endorsement in the 2015 Policy makes clear that the 2014 Policy Endorsement is narrower in scope and does not include the types of loss suffered by the Hotel in the 2014 cyber incident.
Although this suit is only in the early stages, the case serves as a cautionary tale for policyholders to ensure that the potential application of a sublimit is clear and does not frustrate the purpose of the intended coverage.