Assignment

BANAN_UNI.pdf

Home >Information Systems homework help >Assignment

CyberRisk Coverage

Only the Insuring Agreements with Limits shown in the CyberRisk Declarations apply.

Liability Insuring Agreements

Privacy And Security. The Insurer will pay Loss on behalf of the Insured, resulting from a Claim that is first made during the Policy Period, or any applicable extended reporting period, for a Privacy And Security Act.

Media. The Insurer will pay Loss on behalf of the Insured, resulting from a Claim that is first made during the Policy Period, or any applicable extended reporting period, for a Media Act.

Regulatory Proceedings. The Insurer will pay Defense Costs and Regulatory Costs on behalf of the Insured, resulting from a Regulatory Proceeding that is first commenced during the Policy Period, or any applicable extended reporting period, for a Privacy And Security Act or Media Act.

Breach Response Insuring Agreements

Privacy Breach Notification. The Insurer will reimburse, or pay on behalf of, the Insured for Privacy Breach Notification Costs resulting from an actual or suspected Privacy Breach that is Discovered during the Policy Period, or any extended discovery period.

Computer And Legal Experts.

The Insurer will reimburse, or pay on behalf of, the Insured for Computer And Legal Expert Costs resulting from an actual or suspected:

1. Privacy Breach; 2. Security Breach; or 3. Cyber Extortion Threat, that is Discovered during the Policy Period, or any extended discovery period.

Betterment. The Insurer will reimburse the Insured for Betterment Costs, following a Security Breach that is Discovered during the Policy Period.

Cyber Extortion. The Insurer will reimburse, or pay on behalf of, the Insured for Cyber Extortion Costs, resulting from a Cyber Extortion Threat that is Discovered during the Policy Period.

Data Restoration. The Insurer will reimburse, or pay on behalf of, the Insured for Restoration Costs, directly caused by a Security Breach that is Discovered during the Policy Period.

Public Relations. The Insurer will reimburse, or pay on behalf of, the Insured for Public Relations Costs, resulting from an actual or suspected:

1. Privacy And Security Act; or 2. Media Act, that is Discovered during the Policy Period, or any extended discovery period.

Cyber Crime Insuring Agreements

Computer Fraud. The Insurer will pay the Insured Entity for its direct loss of Money, Securities, or Other Property, directly caused by Computer Fraud that is Discovered during the Policy Period.

Funds Transfer Fraud. The Insurer will pay the Insured Entity for its direct loss of Money or Securities, directly caused by Funds Transfer Fraud that is Discovered during the Policy Period.

Spe cim

Cyber Crime Insuring Agreements continued from previous page.

Social Engineering Fraud. The Insurer will pay the Insured Entity for its direct loss of Money or Securities, directly caused by Social Engineering Fraud that is Discovered during the Policy Period.

Telecom Fraud. The Insurer will pay the Insured Entity for its Telecom Charges, directly caused by Telecom Fraud that is Discovered during the Policy Period.

Business Loss Insuring Agreements

Business Interruption. The Insurer will pay the Insured for its Business Interruption Loss that is directly caused by any of the following, if Discovered during the Policy Period:

1. A Security Breach that results in a total or partial interruption of a Computer System. 2. A System Failure, if applicable. 3. The voluntary shutdown of a Computer System by the Insured, if it is reasonably necessary

to minimize the Loss caused by a Security Breach or Privacy Breach in progress.

Dependent Business Interruption.

The Insurer will pay the Insured for its Business Interruption Loss, directly caused by an IT Provider Breach that is Discovered during the Policy Period.

Reputation Harm. The Insurer will pay the Insured for its Reputation Harm, directly caused by an Adverse Media Report or Notification that:

1. first occurs during, or within 60 days after, the Policy Period; and 2. directly relates to a Privacy Breach or Security Breach that is Discovered during the Policy

Period.

Definitions

Accounting Costs. Means the reasonable fees or costs of a forensic accounting firm, incurred by the Insured Entity, to calculate Income Loss, even if such calculation shows there has been no Income Loss.

Additional Insured. Means a person or entity, not otherwise an Insured, with whom the Insured Entity has entered into a written agreement to include as an Insured, but only for Wrongful Acts:

1. by, or on behalf of, the Insured Entity under such agreement; and 2. that occur after the Insured Entity has executed such agreement.

Adverse Media Report. Means any communication of an actual or potential Privacy Breach or Security Breach by a media outlet. Multiple Adverse Media Reports regarding the same Privacy Breach or Security Breach are deemed one Adverse Media Report.

Approved Provider. Means a service provider approved by the Insurer in writing to the Insured.

Automatic ERP. Means a 90-day extended reporting period starting on the effective date this Coverage is canceled or not renewed.

Betterment Costs. 1. Means the reasonable costs incurred and paid by the Insured, with the Insurer’s written consent, for hardware or software to improve a Computer System after a Security Breach, if:

a. the Security Breach has been stopped or contained, and resulted in covered Computer And Legal Expert Costs;

b. the Approved Provider that provided computer services in response to such Security Breach:

i. has identified a weakness in a Computer System that caused, or contributed to, the Security Breach; and

ii. recommends the improvements to prevent a future Security Breach from exploiting such weakness; and

Spe cim

Definitions continued from previous page.

c. such improvements are incurred and paid for by the Insured within the earlier of 90 days after:

i. the recommendation by the Approved Provider; or ii. the end of the Policy Period.

Costs for improvements that are subject to a license, lease, or subscription will be limited to the pro rata portion of such costs for the first 12 months. 2. Does not include wages, benefits, or overhead of any Insured.

Business Interruption Loss. 1. Means: a. Income Loss and Extra Expense incurred or paid by the Insured Entity during the Period

Of Restoration; and b. Accounting Costs, if the Insured Entity’s business operations are interrupted beyond the

Wait Period. 2. Does not include loss arising out of harm to the Insured Entity’s reputation.

Change Of Control. Means when: 1. more than 50% of the Named Insured’s assets are acquired; or 2. the Named Insured is merged with, or consolidated into, another entity, and the Named

Insured is not the surviving entity.

Claim. Means: 1. a written demand for monetary or nonmonetary relief, including injunctive relief,

commenced by an Insured’s receipt of such written demand; 2. a civil proceeding, commenced by the service of a complaint or similar pleading; 3. an arbitration, mediation, or similar alternative dispute resolution proceeding, commenced

by the service of an arbitration petition or similar legal document; 4. a written request to toll or waive a statute of limitations relating to a potential civil or

administrative proceeding, commenced by an Insured’s receipt of such written request; or 5. for the Regulatory Proceedings Insuring Agreement only, a Regulatory Proceeding,

commenced by: a. the filing of charges; b. the filing of an investigative order; c. the service of a summons; or d. the service or filing of a similar document,

against an Insured for a Wrongful Act. Except under Other Conditions, Notice Of Claim, a Claim is deemed made when commenced.

Client. Means a person or entity to whom the Insured Entity: 1. provides goods; or 2. performs services, for a fee, or under a written agreement.

Computer And Legal Expert Costs.

1. Means the reasonable fees or costs incurred or paid by the Insured for services recommended and provided by an Approved Provider, to:

a. conduct a forensic analysis to determine the existence and cause of a Privacy Breach, Security Breach, or Cyber Extortion Threat;

b. determine whose Confidential Information was lost or stolen; or accessed or disclosed without authorization;

c. contain or stop a Privacy Breach or Security Breach in progress; d. certify the Computer System meets Payment Card Security Standards, if a Security

Breach Discovered during the Policy Period results in noncompliance with such standards, but only for the first certification; or

Spe cim

Definitions continued from previous page.

e. provide legal services to respond to a Privacy Breach or Security Breach. 2. Does not include Defense Costs or Privacy Breach Notification Costs.

Computer Fraud. 1. Means an intentional, unauthorized, and fraudulent entry or change of data or computer instructions, directly into or within, a Computer System, that:

a. is not made by an Insured Person, an Independent Contractor, or any other person under the direct supervision of the Insured; and

b. causes Money, Securities, or Other Property to be transferred, paid, or delivered from inside the Insured Entity’s premises or the Insured Entity’s financial institution premises to a place outside of such premises.

2. Does not include Social Engineering Fraud.

Computer System. Means a computer and connected input, output, processing, storage, or communication device, or related network, operating system, website, or application software, that is:

1. under the operational control of, and owned by, licensed to, or leased to: a. the Insured Entity; or b. an Insured Person, while authorized by, and transacting business on behalf of, the

Insured Entity, except under the Betterment or Data Restoration Insuring Agreements, or any Cyber Crime Insuring Agreement; or

2. operated by an IT Provider, but only the portion of such computer system used to provide hosted computer resources to the Insured Entity, except under the Betterment or Business Interruption Insuring Agreements.

Confidential Information. Means a third party’s or Insured Person’s private or confidential information that is in the care, custody, or control of the Insured Entity, or a service provider acting on behalf of the Insured Entity.

Covered Material. 1. Means content that is created or disseminated, via any form or expression, by, or on behalf of, the Insured Entity.

2. Does not include: a. tangible product designs; or b. content created or disseminated by the Insured Entity on behalf of a third party.

Cyber Extortion Costs. 1. Means, with the Insurer’s prior written consent: a. Ransom, in direct response to a Cyber Extortion Threat; b. reasonable amounts incurred or paid by the Insured in the process of paying, or

attempting to pay, Ransom; or c. reasonable amounts incurred or paid by the Insured, recommended by an Approved

Provider, to mitigate Ransom. 2. Does not include Computer And Legal Expert Costs or Restoration Costs.

Cyber Extortion Threat. Means a threat to: 1. access or disclose:

a. Confidential Information; or b. an Insured Entity’s information without authorization; or

2. commit or continue a Security Breach, made against the Insured Entity for Ransom.

Defense Costs. 1. Means reasonable fees and costs incurred by the Insurer, or the Insured with the Insurer’s prior written consent, in the:

a. investigation; b. defense; c. settlement; or

Spe cim

Definitions continued from previous page.

d. appeal, of a Claim.

2. Includes up to $1,000 per day for loss of earnings due to an Insured Person’s attendance in court, if at the Insurer’s request.

3. Does not include wages, benefits, or overhead of the Insurer or of the Insured.

Discover, Discovered, Discovery.

Means when an Executive Officer first becomes aware of facts that would cause a reasonable person to assume that a First Party Loss has been or will be incurred, regardless of when the act or acts causing or contributing to such First Party Loss occurred, even though the exact amount or details of such First Party Loss may not then be known.

Employee. 1. Means a natural person while their labor is engaged and directed by the Insured Entity, and who is:

a. a full-time, part-time, seasonal, or temporary worker compensated directly by the Insured Entity through wages, salaries, or commissions;

b. a volunteer, student, or intern; or c. a worker whose services have been leased to the Insured Entity by a labor leasing firm

under a written agreement. 2. Does not include any:

a. agent; b. broker; c. consignee; d. independent contractor; or e. representative, of the Insured Entity.

Executive Officer. Means a natural person while acting as the Insured Entity’s: 1. chief executive officer; 2. chief financial officer; 3. chief information security officer; 4. risk manager; 5. in-house general counsel; or 6. the functional equivalent of 1 through 5.

Extra Expense. Means reasonable costs incurred by the Insured Entity, with the Insurer’s written consent, that: 1. result from a First Party Event; 2. are in excess of the Insured Entity’s normal operating costs; 3. are intended to reduce Income Loss; and 4. would not have been incurred had there been no First Party Event.

First Party Event. 1. Means: a. Computer Fraud; b. Cyber Extortion Threat; c. Funds Transfer Fraud; d. IT Provider Breach; e. Media Act; f. Privacy Breach; g. Security Breach; h. Social Engineering Fraud; i. System Failure; or j. Telecom Fraud.

Spe cim

Definitions continued from previous page.

2. First Party Events that have a common: a. nexus; b. set of facts; c. circumstance; d. situation; e. event; or f. decision, are deemed a single First Party Event.

First Party Insuring Agreements.

Means the: 1. Breach Response Insuring Agreements; 2. Business Loss Insuring Agreements; and 3. Cyber Crime Insuring Agreements.

First Party Loss. 1. Means: a. Betterment Costs; b. Business Interruption Loss; c. Computer And Legal Expert Costs; d. Cyber Extortion Costs; e. Money; f. Other Property; g. Privacy Breach Notification Costs; h. Public Relations Costs; i. Reputation Harm; j. Restoration Costs; k. Securities; or l. Telecom Charges.

2. Other than Accounting Costs, does not include amounts: a. to establish First Party Loss; or b. to prepare the Insured Entity’s Proof of Loss.

Funds Transfer Fraud. 1. Means a fraudulent instruction that: a. is electronically sent to a financial institution that is not an Insured, at which the Insured

Entity maintains an account; b. directs the transfer, payment, or delivery of Money or Securities from the Insured

Entity’s account; c. is purportedly sent by the Insured Entity; d. is sent by someone, other than an Insured; and e. is sent without the Insured Entity’s knowledge or consent.

2. Does not include Social Engineering Fraud.

Impacted Parties. Means the persons or entities whose Confidential Information was, or is suspected to have been, stolen or lost, or accessed or disclosed without authorization.

Income Loss. 1. Means pretax net profit the Insured Entity did not earn, and net loss the Insured Entity incurred, because of a First Party Event. Continuing normal and necessary operating expenses and payroll are part of the pretax net profit or net loss calculation.

2. Does not include: a. Extra Expense; b. contractual penalties;

Spe cim

Definitions continued from previous page.

c. costs incurred to replace or improve a Computer System to a level of functionality beyond what existed prior to the First Party Event;

d. costs incurred to identify or remediate computer system errors or vulnerabilities; e. interest or investment income; or f. loss incurred due to unfavorable business conditions not related to the First Party

Event.

Independent Contractor. Means a natural person, other than an Employee, while performing services for the Insured Entity under a written agreement.

Insured. Means: 1. Insured Persons; 2. Insured Entities; or 3. for the Liability Insuring Agreements only, also includes Additional Insureds.

Insured Entity. Means: 1. the Named Insured; or 2. Subsidiaries.

Insured Person. Means: 1. Employees; 2. natural persons while:

a. officers; b. partners; c. the sole proprietor; d. in-house general counsel; or e. members of a board of directors, trustees, or governors, of the Insured Entity; or

3. for the Liability Insuring Agreements only, also includes Independent Contractors.

IT Provider. Means an entity while under a written agreement with the Insured Entity to provide it with: 1. hosted computer application services; 2. cloud services or computing; 3. electronic data hosting, back-up, storage, and processing; 4. co-location services; 5. platform-as-a-service; or 6. software-as-a-service.

IT Provider Breach. Means: 1. unauthorized access to; 2. use of authorized access to cause intentional harm to; 3. a denial-of-service attack against; or 4. the introduction of a Virus into, an IT Provider’s computer system, resulting in total or partial interruption.

Loss. 1. Means: a. Defense Costs; b. damages, judgments, settlements, or prejudgment or postjudgment interest, that an

Insured is legally obligated to pay as a result of a Claim, including: i. court awarded legal fees; and

Spe cim

Definitions continued from previous page.

ii. punitive or exemplary damages, or the multiple portion of a multiplied damage award, to the extent insurable under the most favorable applicable law;

c. Payment Card Contract Penalties; d. for the Regulatory Proceedings Insuring Agreement, means Regulatory Costs; or e. for First Party Insuring Agreements, means First Party Loss.

2. Loss does not include voluntary payments made by the Insured with respect to a Claim. 3. Loss, other than Defense Costs, does not include:

a. civil or criminal fines, penalties, sanctions, or taxes, except for: i. Payment Card Contract Penalties; or ii. Regulatory Costs;

b. amounts uninsurable under applicable law; c. restitution, return, or disgorgement of any profits; d. liquidated damages in excess of the amount for which the Insured would be liable

absent the liquidated damages provision of a contract; or e. the cost of complying with injunctive or nonmonetary relief.

Media Act. Means, in Covered Material: 1. the unauthorized use of copyright, title, slogan, trademark, trade dress, service mark,

domain name, logo, or service name; 2. the unauthorized use of a literary or artistic format, character, or performance; 3. a violation of an individual’s right of privacy or publicity; 4. defamation, libel, slander, trade libel, or other tort related to disparagement or harm to the

reputation or character of any person or entity; 5. the misappropriation of ideas under an implied contract; 6. improper deep-linking or framing; or 7. unfair competition, when alleged in connection with 1 through 6.

Merchant Service Agreement.

Means a contract between the Insured Entity and an acquiring bank, or other acquiring institution, that establishes the terms and conditions for accepting and processing payment card transactions.

Money. 1. Means: a. currency, coins, or bank notes in circulation; b. bullion; c. Virtual Currency; d. traveler’s checks; e. certified or cashier’s checks; or f. money orders.

2. Does not include Securities.

Notification. Means written notice to Impacted Parties about a Privacy Breach or Security Breach. Multiple Notifications about the same Privacy Breach or Security Breach are deemed one Notification.

Optional ERP. Means an extended reporting period for the time shown in the Optional ERP Endorsement starting on the effective date this Coverage is:

1. canceled; or 2. not renewed.

Other Property. Means tangible property, other than Money or Securities that has intrinsic value.

Payment Card Contract Penalties.

Means fines, penalties, or assessments imposed under a Merchant Service Agreement against an Insured Entity for noncompliance with Payment Card Security Standards.

Spe cim

Definitions continued from previous page.

Payment Card Security Standards.

Means the Payment Card Industry Data Security Standard (PCI-DSS), or similar standard, to which the Insured Entity has agreed in a Merchant Service Agreement.

Period Of Indemnity. Means the Period Of Indemnity shown in the CyberRisk Declarations. It begins on the earlier of the date of the first:

1. Notification; or 2. Adverse Media Report, whichever is earlier.

Period Of Restoration. Means the period of time that begins after the Wait Period ends, and ends on the earlier of: 1. the expiration of the Period Of Restoration shown in the CyberRisk Declarations; or 2. when the Insured Entity’s business operations have been restored for a consecutive 24-hour

period to the level of operation that existed immediately before the First Party Event.

Policy Period. Means the Policy Period shown in the Declarations, which is subject to the cancelation of this Policy.

Pollutant. Means a solid, liquid, gaseous, or thermal irritant or contaminant, including smoke, vapor, soot, fumes, acids, alkalis, chemicals, and waste. Waste includes materials to be recycled, reconditioned, or reclaimed.

Potential Claim. Means conduct or circumstances that could reasonably be expected to give rise to a Claim.

Privacy And Security Act. Means: 1. the failure to prevent a Privacy Breach; 2. the failure to destroy Confidential Information; 3. a violation of law, when alleged in connection with 1 or 2; 4. the failure to provide Notification required by law; 5. the failure to comply with a Privacy Policy; 6. the unauthorized, unlawful, or wrongful collection of Confidential Information; or 7. the failure to prevent a Security Breach, directly resulting in the:

a. alteration or deletion of Confidential Information; b. transmission of a Virus into a computer or network system that is not a Computer

System; c. participation in a denial-of-service attack directed against a computer or network

system that is not a Computer System; or d. failure to provide an authorized user with access to a Computer System.

Privacy Breach. Means the loss or theft of, or unauthorized access to or disclosure of, Confidential Information.

Privacy Breach Notification Costs.

Means reasonable costs or fees incurred or paid by an Insured Entity, voluntarily or as required by agreement or law, for:

1. printing and delivering notice to; 2. providing credit or identity monitoring for up to 24 months, or longer where required by

law, to; 3. call center services for; 4. the costs to purchase an identity fraud insurance policy to benefit natural persons who are;

or 5. with the Insurer’s prior written consent, other services to mitigate Loss or provide notice to, Impacted Parties, if recommended and provided by an Approved Provider.

Privacy Policy. Means the Insured Entity’s publicly available written policies or procedures regarding Confidential Information.

Spe cim

Definitions continued from previous page.

Public Relations Costs. Means reasonable costs or fees for public relations services recommended and provided by an Approved Provider to mitigate or prevent negative publicity.

Ransom. 1. Means: a. Money; b. Securities; or c. the fair market value of property or services, paid or surrendered by, or on behalf of, the Insured.

2. Will be valued as of the date paid or surrendered.

Regulatory Costs. Means: 1. civil money fines; 2. civil penalties; or 3. amounts deposited in a consumer redress fund, imposed in a Regulatory Proceeding, to the extent insurable under the most favorable applicable law.

Regulatory Proceeding. Means an administrative or regulatory proceeding, or a civil investigative demand, brought by a domestic or foreign governmental entity.

Reputation Harm. Means damage to the Insured Entity’s reputation incurred during the Period Of Indemnity that results in Income Loss, other than the value of:

1. coupons; 2. price discounts; 3. prizes; 4. awards; or 5. consideration given by the Insured in excess of the contracted or expected amount.

Restoration Costs. 1. Means the reasonable amounts incurred or paid by the Insured, with the Insurer’s prior written consent:

a. to restore or recover damaged or destroyed computer programs, software, or electronic data stored within a Computer System, to its condition immediately before a Security Breach; or

b. to determine that such computer programs, software, or electronic data cannot reasonably be restored or recovered.

2. Does not include: a. costs to recover or replace computer programs, software, or electronic data that the

Insured did not have a license to use; b. costs to design, update, or improve the operation of computer programs or software; c. costs to recreate work product, research, or analysis; or d. wages, benefits, or overhead of the Insured.

Run-Off Period. Means the period starting on the date of the Change Of Control to the end of the Policy Period.

Securities. Means written agreements representing Money or property, other than Virtual Currency.

Security Breach. Means: 1. the unauthorized access to; 2. the use of authorized access to cause intentional harm to; 3. a denial-of-service attack against; or 4. the introduction of a Virus into, a Computer System.

Spe cim

Definitions continued from previous page.

Social Engineering Fraud. Means intentionally misleading an Insured Person, by providing an instruction that: 1. is not made by an Insured; 2. is purportedly from a Vendor, Client, or Insured Person; 3. directs the Insured Person to transfer, pay, or deliver Money or Securities; 4. contains a misrepresentation of material fact; and 5. is relied upon by the Insured Person, believing the material fact to be true.

Subsidiary. Means: 1. an entity while the Named Insured owns more than 50% of the outstanding securities or

voting rights representing the right to select the entity’s board of directors, or functional equivalent;

2. a nonprofit entity while the Named Insured exercises management control over such entity; or

3. an entity while the Named Insured owns exactly 50%, as a joint venture, and while an Insured Entity controls the entity’s management and operations under a written agreement.

System Failure. Means an accidental, unintentional, and unplanned total or partial interruption of a Computer System, not caused by:

1. a Security Breach; or 2. a total or partial interruption of a third party computer system or network.

Telecom Charges. Means amounts charged to the Insured Entity for telephone services by its telephone service provider.

Telecom Fraud. Means the unauthorized access to, or use of, the Insured Entity’s telephone system by a person or entity other than an Insured Person.

Vendor. Means a person or entity that provides goods or services to the Insured Entity under an agreement.

Virtual Currency. 1. Means a publicly available digital or electronic medium of exchange used and accepted as a means of payment.

2. Does not include: a. coupons; b. discounts; c. gift cards; d. rebates; e. reward points; or f. similar mediums of exchange.

Virus. Means malicious code that could destroy, or change the integrity or performance of, electronic data, software, or operating systems.

Wait Period. Means the Wait Period shown in the CyberRisk Declarations. It begins when a total or partial interruption to an Insured Entity’s business operations is caused by a First Party Event. A separate Wait Period applies to each unrelated First Party Event.

Wrongful Act. 1. Means any: a. Media Act; or b. Privacy And Security Act.

2. All Wrongful Acts that share a common: a. nexus; b. set of facts; c. circumstance;

Spe cim

Definitions continued from previous page.

d. situation; e. event; or f. decision, are deemed a single Wrongful Act that occurred at the time the first such Wrongful Act occurred.

Exclusions

Assumed Liability. 1. The Insurer will not pay Loss arising out of liability assumed by an Insured. 2. This does not apply:

a. when the Insured would have been liable in the absence of such assumption of liability; b. to a Claim for Payment Card Contract Penalties; c. to Privacy Breach Notification Costs; or d. to any privacy or confidentiality obligation that the Insured has agreed to under a

Bodily Injury. 1. The Insurer will not pay Loss for: a. bodily injury; b. sickness; c. disease; d. death; or e. loss of consortium.

2. This does not apply to: a. emotional distress; b. mental anguish; c. humiliation; or d. loss of reputation.

Conduct. 1. The Insurer will not pay Loss arising out of an Insured’s: a. intentionally dishonest or fraudulent act or omission; or b. willful violation of law or regulation.

2. This does not apply to: a. Defense Costs; or b. Loss other than Defense Costs, unless a final nonappealable adjudication in the

underlying action establishes such conduct occurred. 3. In applying this exclusion, knowledge or conduct of an Insured will not be imputed to another

Insured, except that knowledge or conduct of an Executive Officer will be imputed to the Insured Entity.

Cyber Crime. The Cyber Crime Insuring Agreements do not apply to: 1. indirect or consequential loss; 2. potential income, including interest and dividends, not realized by an Insured or Client; 3. loss of confidential information; 4. loss of intellectual property; 5. loss resulting from the use or purported use of credit, debit, charge, access, convenience,

identification, or other cards; 6. loss resulting from a fraudulent instruction, if the sender or anyone acting in collusion with

the sender, ever had authorized access to the Insured’s password, PIN, or other security code;

7. amounts the Insured incurs without a legal obligation to do so;

Spe cim

Exclusions continued from previous page.

8. loss resulting from forged, altered, or fraudulent negotiable instruments, securities, documents, or instructions used as source documentation to enter electronic data or send instructions, provided this does not apply to the Social Engineering Fraud Insuring Agreement;

9. loss resulting from the failure of any party to perform under any contract; or 10. loss due to any nonpayment of, or default upon, any loan, extension of credit, or similar

promise to pay.

Government Action. The Insurer will not pay Loss arising out of: 1. seizure; 2. confiscation; 3. nationalization; 4. requisition; or 5. destruction of property, by or under the order of domestic or foreign government authority.

Infrastructure. The Insurer will not pay Loss arising out of a total or partial interruption or failure of any: 1. satellite; 2. electrical or mechanical system; 3. electric, gas, water, or other utility; 4. cable, telecommunications, or Internet service provider; or 5. other infrastructure, except when such is under the Insured’s control.

Insured vs. Insured. 1. The Insurer will not pay Loss for a Claim brought by or on behalf of: a. an Insured; or b. an entity that, at the time the Wrongful Act occurs, or the date the Claim is made:

i. is owned, operated, or controlled by any Insured; or ii. owns, operates, or controls any Insured.

2. This does not apply to a Claim: a. by an Insured Person for contribution or indemnity, if resulting from another covered

Claim; or b. by or on behalf of an Insured Person or Additional Insured who did not commit or

participate in the Wrongful Act.

Intellectual Property. The Insurer will not pay Loss arising out of an Insured’s misappropriation, infringement, or violation of:

1. copyrighted software; 2. patent rights or laws; or 3. trade secret rights or laws.

Labor Disputes. The Insurer will not pay Loss under the Business Loss Insuring Agreements arising out of labor disputes.

Licensing And Royalties. The Insurer will not pay Loss arising out of any obligation to pay licensing fees or royalties.

Ownership Rights. The Insurer will not pay Loss for a Claim by, or on behalf of, an independent contractor, joint venturer, or venture partner arising out of disputes over ownership rights in Covered Material.

Physical Peril. The Insurer will not pay Loss arising out of: 1. fire, smoke, or explosion; 2. lightning, wind, rain, or hail;

Spe cim

Exclusions continued from previous page.

3. surface water, waves, flood, or overflow of any body of water; 4. earthquake, earth movement, or earth sinking; 5. mudslide, landslide, erosion, or volcanic eruption; 6. collapse, wear and tear, rust, corrosion, or deterioration; 7. magnetic or electromagnetic fields; 8. extremes of temperature or humidity; or 9. any similar physical event or peril.

Pollution. The Insurer will not pay Loss arising out of: 1. the actual, alleged, or threatened discharge, dispersal, seepage, migration, release, or

escape of a Pollutant; 2. a request, demand, order, or statutory, or regulatory requirement that an Insured or others

test for, monitor, clean up, remove, contain, treat, detoxify, or neutralize, or in any way respond to, or assess, the effects of, a Pollutant; or

3. testing for, monitoring, cleaning up, removing, containing, treating, detoxifying, or neutralizing, or in any way responding to, or assessing the effects of, a Pollutant.

Prior Acts. The Insurer will not pay Loss arising out of a Wrongful Act that occurs prior to the Retro Date shown in the CyberRisk Declarations.

Prior Matters. The Insurer will not pay Loss arising out of any fact, circumstance, situation, event, or Wrongful Act: 1. that is, or reasonably would be regarded as, the basis for a Claim under the Liability Insuring

Agreements about which any Executive Officer had knowledge prior to the Knowledge Date shown in the CyberRisk Declarations;

2. that, prior to the Inception date shown in the Declarations, was the subject of any notice of claim, or circumstance, given by or on behalf of any Insured and accepted under any policy of insurance that this Coverage directly renews, replaces, or succeeds in time; or

3. previously alleged in a civil, criminal, administrative, or regulatory proceeding against any Insured prior to the P&P Date shown in the CyberRisk Declarations.

Property Damage. 1. The Insurer will not pay Loss under the Liability or Breach Response Insuring Agreements for the: a. damage to; b. destruction of; c. loss of; or d. loss of use of, any tangible property.

2. The Insurer will not pay Loss under the Cyber Crime or Business Loss Insuring Agreements arising out of the:

a. damage to; b. destruction of; c. loss of; or d. loss of use of, any tangible property, other than loss of Other Property covered under the Computer Fraud Insuring Agreement.

Securities Laws. The Insurer will not pay Loss arising out of: 1. a violation of a securities law or regulation; or 2. except under the Cyber Crime Insuring Agreements:

a. the ownership of; b. the sale or purchase of; or c. the offer to sell or purchase, stock or other securities.

Spe cim

Exclusions continued from previous page.

Unlawful Collection. 1. The Insurer will not pay Loss arising out of the collection of Confidential Information in violation of law.

2. This does not apply to Defense Costs.

Unsolicited Communications.

1. The Insurer will not pay Loss arising out of a violation of a law that restricts or prohibits unsolicited communications.

2. This does not apply to a Security Breach under the Breach Response Insuring Agreements.

War. 1. The Insurer will not pay Loss arising out of: a. war, including undeclared or civil war; b. warlike action, including action in hindering or defending against an actual or expected

attack, by any government, military force, sovereign, or other authority using military personnel or other agents; or

c. insurrection, rebellion, revolution, usurped power, or action taken by governmental authority in hindering or defending against any of these.

2. This does not apply to an actual or threatened attack against a Computer System with intent to cause harm, or further social, ideological, religious, political, or similar objectives, except when in support of 1a through 1c.

Limits And Retentions

Limits Of Insurance. 1. The most the Insurer will pay for all Loss is the CyberRisk Aggregate Limit shown in the CyberRisk Declarations.

2. The most the Insurer will pay for all Loss under an Insuring Agreement is the applicable Limit for such Insuring Agreement shown in the CyberRisk Declarations; but:

a. The most the Insurer will pay for all Payment Card Contract Penalties is the Payment Card Costs Limit shown in the CyberRisk Declarations, which is within and will reduce the Privacy And Security Limit.

b. The most the Insurer will pay for all Business Interruption Loss that results from a System Failure is the System Failure Limit shown in the CyberRisk Declarations, which is within and will reduce the Business Interruption Limit.

c. Payment of Loss under the Dependent Business Interruption Insuring Agreement and Reputation Harm Insuring Agreement is within and will reduce, the remaining Business Interruption Limit.

d. The most the Insurer will pay for all Accounting Costs is the Accounting Costs Limit shown in the CyberRisk Declarations, which is within and will reduce the Limit for the applicable Business Loss Insuring Agreement.

e. If a Betterment Coparticipation percentage is shown in the CyberRisk Declarations, such percentage of Betterment Costs will be paid by the Insured. The Insurer will pay the remaining Betterment Costs, up to the Betterment Limit shown in the CyberRisk Declarations.

3. The most the Insurer will pay for all Loss with respect to an Additional Insured is the limit agreed to in the agreement between such Additional Insured and the Insured Entity, or the applicable Limit shown in the CyberRisk Declarations, whichever is less.

4. If the CyberRisk Declarations indicates that a Shared Limit applies, the most the Insurer will pay under all Shared Coverages is the Shared Limit shown in the Shared Limit Declarations.

5. Once the CyberRisk Aggregate Limit or Shared Limit is exhausted, the premium is fully earned, and all obligations of the Insurer, including any duty to defend, will cease.

Retention. 1. The Insurer will only pay Loss once the applicable Retention shown in the CyberRisk Declarations has been paid by the Insured.

2. Except for the Betterment Insuring Agreement, if multiple Retentions apply to:

Spe cim

Limits And Retentions continued from previous page.

a. a Claim; b. a First Party Event; or c. Claims and First Party Events that share a common nexus, set of facts, circumstance,

situation, event, or decision, the Insured will not pay more than the amount of the largest applicable Retention.

3. The Insured Person is deemed indemnified by the Insured Entity to the extent permitted or required by law, written agreement, or the by-laws of the Insured Entity. For the Liability Insuring Agreements, no Retention will apply to an Insured Person if indemnification by the Insured Entity is:

a. not permitted by law; or b. not possible due to the financial insolvency of such Insured Entity.

4. The Insurer may pay any amount of Retention. In such event, the Insured agrees to repay the Insurer such amounts.

Other Conditions

Allocation. 1. Subject to Other Conditions, Settlement, if an Insured incurs: a. Loss jointly with others who are not covered for a Claim; or b. Loss covered and loss not covered by this Coverage because a Claim includes both

covered and uncovered matters, then the Insured and the Insurer will use their best efforts to allocate such amount between covered Loss and uncovered loss based upon the relative legal and financial exposures of the parties to covered and uncovered matters.

2. If the CyberRisk Declarations shows that the Insurer has the duty to defend Claims, all Defense Costs will be allocated to covered Loss.

Cancelation And Nonrenewal.

1. The Insurer will cancel this Coverage only if premium is not paid when due. If nonpayment occurs, the Insurer will give at least 20 days written notice of cancelation to the Named Insured. Unless payment is received when due, this Coverage will be canceled.

2. The Named Insured may cancel any part of this Coverage by giving advanced written notice to the Insurer, stating when such cancelation will be effective.

3. If any part of this Coverage is canceled, the Insurer will refund the unearned premium on a pro rata basis.

4. The Insurer is not required to renew this Coverage upon its expiration. If the Insurer elects not to renew, it will provide the Named Insured written notice to that effect at least 60 days before the Expiration date shown in the Declarations.

Change Of Structure. 1. Under the Liability and Breach Response Insuring Agreements, if a Change Of Control occurs during the Policy Period, the coverage will continue for the Run-Off Period.

2. Coverage during the Run-Off Period is only for Wrongful Acts or First Party Events occurring before such Change Of Control.

3. Under the Cyber Crime and Business Loss Insuring Agreements, if an entity ceases to be an Insured Entity during the Policy Period, First Party Loss is only covered if:

a. such First Party Loss is sustained; and b. the applicable First Party Event is Discovered, prior to the time such entity ceased to be an Insured Entity.

4. The Named Insured may request to extend the time of the Run-Off Period.

Claim Defense. 1. If the CyberRisk Declarations shows that the Insurer has the duty to defend Claims, the Insurer: a. has the right and duty to defend covered Claims, even if groundless or false; b. has the right to select defense counsel for such Claims; and

Spe cim

Other Conditions continued from previous page.

c. has no duty to defend, or to continue to defend, Claims after the applicable Limit has been exhausted.

2. If the CyberRisk Declarations shows that the Insurer does not have the duty to defend Claims: a. the Insured has the duty to defend Claims; b. the Insurer has the right to participate in the selection of defense counsel; c. the Insurer has the right to participate in the investigation, defense, and settlement of

such Claims; d. subject to the applicable Limit, the Insurer will reimburse the Insured for Defense Costs; e. upon written request, the Insurer will advance Defense Costs; and f. advanced Defense Costs will be repaid to the Insurer to the extent that the Insured is

not entitled to such payment. 3. With respect to a Claim, the Insured will not, without the Insurer’s prior written consent:

a. make an offer to settle, or settle, a Claim; b. admit liability; or c. except at the Insured’s own cost, make a voluntary payment, pay or incur Defense Costs

or other expense, or assume any obligation.

Cyber Crime And Business Loss Change.

The Cyber Crime and Business Loss Insuring Agreements will end upon: 1. a Change Of Control; or 2. the voluntary liquidation or dissolution of the Named Insured.

ERP – Automatic. 1. The Automatic ERP applies without additional premium. 2. Claims resulting from Wrongful Acts that occur prior to cancelation or nonrenewal can be made

and reported to the Insurer during the Automatic ERP. Such Claim is deemed reported on the last day of the Policy Period.

3. The most the Insurer will pay for Loss resulting from Claims reported during the Automatic ERP is the remaining portion of the applicable Limit shown in the CyberRisk Declarations as of the effective date of cancelation or nonrenewal.

ERP – Optional. 1. The Named Insured may elect to purchase an Optional ERP shown in the CyberRisk Declarations for any reason other than nonpayment of premium. The Optional ERP will only take effect if:

a. the Insurer receives written notice of such election no later than 90 days after cancelation or nonrenewal; and

b. the additional premium for the Optional ERP is paid when due. 2. Claims or Potential Claims resulting from Wrongful Acts that occur prior to cancelation or

nonrenewal can be made and reported to the Insurer during the Optional ERP. Such Claim or Potential Claim is deemed reported on the last day of the Policy Period.

3. For the Privacy Breach Notification, Computer And Legal Experts, and Public Relations Insuring Agreements, First Party Loss that results from a First Party Event occurring prior to cancelation or nonrenewal can be Discovered during the Optional ERP. Such First Party Event is deemed Discovered on the last day of the Policy Period.

4. The premium due for the Optional ERP is shown in the CyberRisk Declarations. Such premium is fully earned at the start of the Optional ERP.

5. The most the Insurer will pay for Loss resulting from Claims made, or First Party Events Discovered, during the Optional ERP is the remaining portion of the applicable Limit shown in the CyberRisk Declarations as of the effective date of cancelation or nonrenewal.

6. When the Optional ERP applies, it replaces the Automatic ERP and the Extended Discovery Period for the Privacy Breach Notification, Computer And Legal Experts, and Public Relations Insuring Agreements.

Extended Discovery Period. 1. For the First Party Insuring Agreements, the Insured has an extended period of time to Discover a First Party Loss arising out of a First Party Event that occurred prior to the effective date of cancelation. Such First Party Event will be deemed Discovered on the last day of the Policy

Spe cim

Other Conditions continued from previous page.

Period. This period begins on the effective date such First Party Insuring Agreement is canceled. It ends on the earlier of:

a. 90 days; or b. the effective date of similar coverage purchased by the Insured, even if such insurance

does not provide coverage for loss sustained prior to its effective date. 2. When Optional ERP is purchased, it replaces the Extended Discovery Period for the Privacy

Breach Notification, Computer And Legal Experts, and Public Relations Insuring Agreements.

Income Loss Appraisal. If, after submission of the Proof of Loss, the Insurer and Insured do not agree on the amount of Income Loss, each party will select an appraiser. If the appraisers do not agree, they will select an umpire. Each appraiser will submit the amount of Income Loss to the umpire. Agreement by the umpire and at least one of the appraisers as to the amount of Income Loss is binding. Each party will:

1. pay its own appraiser, except when covered as Accounting Costs, and 2. share the fees and costs of the umpire equally.

Notice Of Claim. 1. If an Insured gives the Insurer written notice of a Potential Claim during the Policy Period, or any extended reporting period, then a Claim subsequently arising from such Potential Claim will be deemed made on the last day of the Policy Period. Such notice must include a description of the anticipated allegations of Wrongful Acts, potential damages, and the names of potential claimants and Insureds involved.

2. Once an Executive Officer becomes aware that a Claim has been made, the Insured must give the Insurer written notice of such Claim as soon as practicable. If such Claim involves facts that are subject to a court order or law enforcement hold, the Insured must give the Insurer written notice of such Claim as soon as practicable once such order or hold is not in effect. Such notice must include a copy of the Claim or description of its particulars.

3. All notices under this section must be sent to the Insurer at an address shown in the Declarations.

Notice Of First Party Event. 1. Upon the Discovery of a First Party Event, the Insured must give the Insurer written notice of the particulars of such event, as soon as practicable.

2. If such First Party Event causes First Party Loss under the Cyber Crime or Business Loss Insuring Agreements in an amount more than 25% of the applicable Retention, the Insured must:

a. give the Insurer a detailed, sworn Proof of Loss within 120 days; b. submit to an examination Under Oath, and give the Insurer a signed statement of the

Insured’s answers; and c. notify law enforcement, if such First Party Event violates law.

3. Demands for payment of First Party Loss must be provided to the Insurer by the Insured Entity. 4. All notices and demands must be sent to the Insurer at an address shown in the Declarations.

Other Insurance. 1. The Breach Response and Business Loss Insuring Agreements are primary insurance. 2. The Liability and Cyber Crime Insuring Agreements are excess over, and will not contribute with,

any other valid and collectible insurance available to the Insured. This applies even if such other insurance is stated to be primary, excess, or otherwise, unless such other insurance states by specific reference that it is excess over this Coverage.

Property Covered. Coverage under the Cyber Crime Insuring Agreements is limited to property: 1. the Insured Entity:

a. owns; b. leases; or c. holds for others; or

2. for which the Insured Entity is legally liable, except property located inside premises of the Insured Entity’s client or such client’s financial institution.

Spe cim

Other Conditions continued from previous page.

Recovery And Subrogation. 1. The Insurer has no duty to recover amounts paid under this Coverage. 2. Amounts recovered from a third party, less costs incurred in obtaining such recovery, will be

applied in this order: a. to the Insurer for any Retention it paid on behalf of an Insured; b. to the Insured for Loss the Insurer did not pay because the applicable Limit was

exhausted; c. to the Insurer for Loss it paid; d. to the Insured for any Retention it paid; and then e. to the Insured for any uncovered loss it paid.

3. Recoveries do not include amounts from insurance or reinsurance. 4. The Insurer is subrogated to, and the Insured must transfer to the Insurer, all of the Insured’s

rights of recovery against any person or organization for Loss the Insurer has paid under this Coverage. The Insured agrees to:

a. execute and deliver instruments and papers; b. do everything necessary to secure such rights; and c. do nothing to impair or prejudice those rights.

5. Subrogation will not apply if the Insured, prior to the date of a Wrongful Act or a First Party Event, waived its rights to recovery.

6. Any of the Insured Entity’s property that the Insurer pays for becomes the Insurer’s property.

Related Claims. Multiple Claims arising out of the same Wrongful Act are a single Claim that is deemed first made on the date the earliest of such Claims is made, whether before or during the Policy Period.

Representations. 1. The Insurer has issued this coverage in reliance on the accuracy and completeness of the representations that the Insured made to the Insurer.

2. If any such representation is untrue, and: a. was material to the acceptance of the risk; and b. is material to a covered Loss, then this coverage will not apply to such Loss with respect to:

i. an Insured Person who knew; or ii. an Insured Entity, if an Executive Officer knew, that such representation was untrue on the Inception date shown in the Declarations.

Settlement. The Insurer may, with the written consent of the Insured, settle a Claim. If the Insurer and claimant agree to settle a Claim but the Insured withholds its consent, the Insured will be responsible for 20% of all:

1. Defense Costs incurred after the date the Insured withheld its consent; and 2. Loss, other than Defense Costs, in excess of such settlement offer.

Subsidiaries. If a Subsidiary is acquired or created by an Insured Entity during the Policy Period, and its revenues are:

1. less than 35% of the total annual revenues of such Insured Entity, then it will be covered for Wrongful Acts or First Party Events that occur after its acquisition or creation; or

2. are at least 35% of the total annual revenues of such Insured Entity, then it will be covered for:

a. Wrongful Acts that occur after its acquisition or creation, for Claims made; or b. First Party Events that occur after its acquisition or creation and that are Discovered

and reported, within 90 days of its acquisition or creation, or the end of the Policy Period, whichever is earlier. Additional coverage may be negotiated at the time of acquisition or creation.

Spe cim

Other Conditions continued from previous page.

Suits Against The Insurer – Cyber Crime.

The Insured Entity may not bring any legal action against the Insurer involving a First Party Event covered under the Cyber Crime Insuring Agreements:

1. until 60 days after the Insured Entity has filed Proof of Loss; and 2. unless such legal action is commenced within two years from the date the Insured Entity

Discovers the First Party Event.

Valuation Under First Party Insuring Agreements.

1. Money, except Virtual Currency, is valued in the U.S. dollar equivalent determined at the rate of exchange published by The Wall Street Journal:

a. for the Cyber Crime Insuring Agreements, on the date the First Party Event was Discovered; and

b. for the Breach Response and Business Loss Insuring Agreements, on the date of payment of First Party Loss.

2. Securities are valued at market value as of the close of business on the date the First Party Event was Discovered; and at its discretion, the Insurer will:

a. pay the Insured Entity such value; b. replace such Securities in kind, in which case the Insured Entity must assign to the

Insurer all rights, title, and interest in such Securities; or c. pay the cost of a Lost Securities Bond required when issuing duplicates of the Securities.

Such Lost Securities Bond will have a penalty no more than the value of the Securities at the close of business on the date the First Party Event was Discovered.

3. Virtual Currency is valued in the U.S. dollar equivalent determined at the rate of exchange: a. for the Cyber Crime Insuring Agreements, on the date the First Party Event was

Discovered; and b. for the Breach Response and Business Loss Insuring Agreements, on the date of

payment of First Party Loss. 4. Other Property is valued for the lesser of:

a. the actual cash value of the Other Property on the date the First Party Event was Discovered; or

b. the cost to replace Other Property with comparable property, but only after such property is actually replaced.

Spe cim