Exhibit 2 - Corvus Cyber Insurance Proposal

5555 Triangle Parkway, Suite 400
Norcross, GA 30092
Phone: 770-448-7148

Jennifer Cobb
Sep 24, 2021
Lockton Companies, LLC - Dallas
2100 Ross Ave. Suite 1400
Dallas, TX 75201

Re: City of Denton, Texas, Ref# 9692496-A
Proposed Effective 10/1/2021 to 10/1/2022

Dear Jennifer:

We are pleased to confirm the attached quotation for CYBER being offered with Accredited Specialty Insurance Company. This carrier is Non-Admitted in the state of TX.

Please note that this quotation is based on the coverage, terms and conditions as stated in the attached quotation, which may be different from those requested in your original submission. As you are the representative of the Insured, it is incumbent upon you to review the terms of this quotation carefully with your Insured, and reconcile any differences from the terms requested in the original submission. CRC Insurance Services, Inc. disclaims any responsibility for your failure to reconcile with the Insured any differences between the terms quoted as per the attached and those terms originally requested. The attached quotation may not be bound without a fully executed CRC brokerage agreement.

NOTE: The Insurance Carrier indicated in this quotation reserves the right, at its sole discretion, to amend or withdraw this quotation if it becomes aware of any new, corrected or updated information that is believed to be a material change and consequently would change the original underwriting decision.
Should coverage be elected as quoted per the attached, Premium and Commission are as follows:

OPTION 1
Premium: $95,956.00
TRIPRA Premium: INCLUDED
Carrier Policy Fee: $195.00
Surplus Lines Tax: $4,663.32
Stamping Office Fee: $72.11
Grand Total: $100,886.43

OPTION 2
Premium: $117,012.00
TRIPRA Premium: INCLUDED
Carrier Policy Fee: $195.00
Surplus Lines Tax: $5,684.54
Stamping Office Fee: $87.91
Grand Total: $122,979.45

Commission: 12.5%
Broker Fees & Policy Fees are Fully Earned at Binding

Dynamic Loss Prevention Preview Report prepared for City of Denton

88 CORVUS SCORE
Sep 24, 2021

City of Denton scores in the 64th percentile
Corvus calculates percentile based on other companies with similar industry class and annual revenue.

Breakdown of Risk Exposure Groups
In addition to calculating an overall Corvus Score and benchmark percentile, the Corvus Scan also rates 8 types of risk exposure and provides a score for each group. The full Dynamic Loss Prevention (DLP) Report has specific recommendations to reduce risk exposure for each group, ranked by severity.

Ransomware & Cyber Extortion: 98
Phishing & Dark Web Monitoring: 100
Disclosure Of Sensitive Information: 85
Contingent Business Interruption: 80
Network Security & Privacy: 78
Hacking, Malware, Unauthorized Access: 0
Business Interruption & System Failure: 82
Social Engineering & Cyber Crime: 100

Preview Recommendations
Bind with Corvus for additional recommendations on the full DLP Report

Beyond the Report: Risk & Response Services
In addition to receiving your full DLP report at the start of the policy term, and quarterly thereafter, you'll be eligible for Risk and Response Services to help you prevent, prepare for, and respond to any cyber incident. See our Services Guide to learn more: https://hubs.ly/H0CFhRM0

Learn more about this DLP Report: Watch at www.corvusinsurance.com/dlp

LOW IMPACT
We discovered 114 open ports on your domains with dedicated servers, a moderate number.
Audit your open ports and ensure only the minimum necessary are open. Open ports leave sensitive areas vulnerable to attackers which can result in disclosure of sensitive information.
Open Ports: Dedicated Servers

LOW IMPACT
We discovered 118 open ports on your most popular domains, a moderate number, associated with lower risk of breach. Audit your open ports and ensure only the minimum necessary are open. Open ports leave sensitive areas vulnerable to attackers, which can result in unintentional disclosure of sensitive information.
Open Ports: Popular Domains

Dynamic Loss Prevention Preview Report prepared for City of Denton

Ransomware Risk Report

98 RANSOMWARE SCORE
You are at lower risk of a ransomware attack based on our cyber risk model.

What Makes Up Your Score

No Risky Open Ports Detected
A high number of open ports across a network is an indicator of a larger attack surface. We focus on remote administration ports as they are targeted at a higher rate.

No Software Vulnerabilities Detected
Our risk model considers critical and high vulnerabilities from the national vulnerability database for relevant software detected on your public infrastructure.

How does this scan work?
Corvus scans your public web infrastructure looking for known vulnerabilities, then compares your security posture to patterns associated with a higher likelihood of ransomware events.

Are all risks covered?
Our score accounts for common risk factors, but not all attempted attacks are part of a recognizable pattern or trend. Organizations should be vigilant and continually follow best practices.

Ransomware by the Numbers
Regardless of how sophisticated your business' IT security infrastructure is, ransomware is always a threat.

$233,817 average payment
Average ransomware payment in Q3 2020 is a 31% increase from Q2 2020, with the increase driven by large ransom demands, some over one million dollars.
(Coveware)

31% of cyber claims
For all businesses with up to $2bn in annual revenue, ransomware accounts for nearly  of cyber claims, making it by far the leading cause of loss. (Net Diligence)

1 in 10 include data theft
More than 1 in 10 ransomware attacks in H1 2020 involved the theft of data, increasing the attackers' leverage and potential response costs. (Emsisoft)

Best Practices To Reduce Your Risk

Know your risk: Assess your IT environment for vulnerabilities by reviewing the full DLP report delivered upon binding your policy, and test your employees to identify phishing risk.

Improve resiliency: Maintain & test backup strategy; ensure software is kept up to date; train employees to recognize phishing; use multi-factor authentication for critical systems.

Monitor your environment: Watch for suspicious behaviors on your network or devices, ensure security technologies are deployed & actively monitored, and check vulnerability alerts from Corvus.

Partner with Corvus
Not sure where to start? Our Risk and Response Services, available for all policyholders, include hands-on help in reviewing and prioritizing cybersecurity practices. Learn More: https://hubs.ly/H0CFhNY0

Ransomware/Business Interruption Cost Calculator
Prepared For

Let's Approximate the Risk
In the event of a ransomware event leading to a shutdown of all operations, what might the approximate cost be?

$140,226,502 Annual Revenue
–40% Cost of Goods Sold
= $84,135,901 Net Annual Business Interruption Expenses

$84,135,901 Over 365 Days
× 100% Percentage of Revenue Reliant on Operational Computer Systems
+ $1,000,000 Ransom Payment
+ $500,000 Data Recovery Costs & Extra Expenses
+ $1,000,000 Breach Response Costs
= Total Estimated Cost:
$5,957,640 Over 15 Days
$9,415,280 Over 30 Days
$16,330,559 Over 60 Days

Total cyber loss estimates may be greater as this calculation does not include: regulatory fines and penalties, PCI-DSS assessment expenses, cyber crime/financial fraud, and reputational loss.
This calculation is an approximation of the cost of a ransomware event that shuts down the operations of an organization. If the organization does not rely on digital assets and tools for all of its operations then this recommendation may be too high and the recommendations should be discounted accordingly. Cost of Goods Sold percentages are based on sources including eRiskHub and NYU/Stern (Jan. 2020) and other Corvus data; COGS estimates are recommendations only and should be adjusted for individual company costs. Corvus recommends that each company consult further with their accountants and insurance broker in order to produce a more exact time-based recommendation. The non-Business Interruption numbers are estimates, based on the client's revenue, and may include digital forensics, customer notification, public relations, and other first party breach response expenses.

City of Denton

Smart Cyber Insurance™ Quote
SEPTEMBER 24, 2021

City of Denton Qualifies for Corvus Black
Because this account has over $100m in annual revenue, your client qualifies for additional free risk management services to better predict, prevent and prepare for cyber incidents. Learn More About Corvus Black Services: www.corvusinsurance.com/corvus-black
and more…

NAMED INSURED
City of Denton
State: Texas

POLICY PERIOD
From 10/01/2021 to 10/01/2022
Both dates at 12:01 a.m. Standard Time at the address of the named Insured as stated herein.

RETROACTIVE DATE
None; Full Unknown Prior Acts

INSURER
Accredited Specialty Insurance Company (Non-Admitted, AM Best "A-" Excellent)

Scan Your Insured's Vendors
"Welcome to the Flock" Onboarding Call
Virtual Incident Response Tabletop Exercise

OPTION COMPARISON
Option 1: Limit $2,000,000; Retention $100,000; Basic Premium $95,006; TRIA $950
Option 2: Limit $3,000,000; Retention $100,000; Basic Premium $115,853; TRIA $1,159
Please see CRC's cover page for total premium.

Option 1

Third Party Insuring Agreements (Limit; Retention)
A.
Network Security and Privacy Liability: Limit $2,000,000 Each Claim / Aggregate; Retention $100,000 Each Claim
B. Regulatory Investigations, Fines and Penalties: Limit $2,000,000 Each Claim / Aggregate; Retention $100,000 Each Claim
C. Media Liability: Limit $2,000,000 Each Claim / Aggregate; Retention $100,000 Each Claim
D. PCI DSS Assessment Expenses: Limit $2,000,000 Each Claim / Aggregate; Retention $100,000 Each Claim
E. Breach Management Expenses: Limit $2,000,000 Each Claim / Aggregate; Retention $100,000 Each Claim

First Party Insuring Agreements (Limit; Retention, Waiting Period, & Period of Indemnity)
A. Business Interruption (See Video: www.corvusinsurance.com/bi): Limit $2,000,000 Each Loss / Aggregate; Waiting Period: 12 Hours; Period of Indemnity: 12 Months
B. Contingent Business Interruption (See Video: www.corvusinsurance.com/bi): Limit $2,000,000 Each Loss / Aggregate; Waiting Period: 12 Hours; Period of Indemnity: 12 Months
C. Digital Asset Destruction, Data Retrieval and System Restoration: Limit $2,000,000 Each Loss / Aggregate; Retention $100,000 Each Loss
D. System Failure Coverage: Limit $2,000,000 Each Loss / Aggregate; Waiting Period: 12 Hours; Period of Indemnity: 12 Months
E. Social Engineering & Cyber Crime Coverage (See Video: www.corvusinsurance.com/1st-party): Limit $100,000 Each Loss / Aggregate; Retention $100,000 Each Loss
F. Reputational Loss Coverage: Limit $2,000,000 Each Loss / Aggregate; Waiting Period: 2 Weeks; Period of Indemnity: 12 Months
G. Cyber Extortion and Ransomware Coverage (See Video: www.corvusinsurance.com/1st-party): Limit $2,000,000 Each Loss / Aggregate; Retention $100,000 Each Loss
H. Breach Response and Remediation Expenses (See Video: www.corvusinsurance.com/1st-party): Limit $2,000,000 Each Loss / Aggregate; Retention $100,000 Each Loss
I.
Court Attendance Costs: Limit $250,000 Each Loss / Aggregate; Retention $100,000 Each Loss

Maximum Policy Aggregate Limit: $2,000,000

ENDORSEMENTS (Endorsement, Name, Limit)
CB-125-001 Amend Other Insurance Provision
CB-126-002 Bricking: $2,000,000
CB-151-003 CRC Cyber Amendatory
CB-194-001 California Consumer Privacy Act
CB-202-001 Coverage for Certified Acts of Terrorism
CB-123-001 Criminal Reward Expenses: $50,000
CB-155-001 Cryptojacking
CB-136-001 Forensic Accounting Coverage: $50,000
CB-111-003 GDPR Coverage
CB-133-001 Invoice Manipulation Loss: $100,000
CB-128-001 Loss of Funds Exclusion Carveback
CB-300-001 Manuscript - Specified Entity Exclusion: $0
CB-120-001 Solicitation Claims: $50,000
CB-146-001 Specified Claim(s) Exclusion
CB-167-001 War Exclusion Cyber Terrorism Carveback

PREMIUM, TAXES & FEES
Premium: $95,006
TRIA: $950
Policy Fee (Fully Earned): $195
Total: $96,151
Please see CRC's cover page for total premium.

Option 2

Third Party Insuring Agreements (Limit; Retention)
A. Network Security and Privacy Liability: Limit $3,000,000 Each Claim / Aggregate; Retention $100,000 Each Claim
B. Regulatory Investigations, Fines and Penalties: Limit $3,000,000 Each Claim / Aggregate; Retention $100,000 Each Claim
C. Media Liability: Limit $2,000,000 Each Claim / Aggregate; Retention $100,000 Each Claim
D. PCI DSS Assessment Expenses: Limit $3,000,000 Each Claim / Aggregate; Retention $100,000 Each Claim
E. Breach Management Expenses: Limit $3,000,000 Each Claim / Aggregate; Retention $100,000 Each Claim

First Party Insuring Agreements (Limit; Retention, Waiting Period, & Period of Indemnity)
A. Business Interruption (See Video: www.corvusinsurance.com/bi): Limit $3,000,000 Each Loss / Aggregate; Waiting Period: 12 Hours; Period of Indemnity: 12 Months
B. Contingent Business Interruption (See Video: www.corvusinsurance.com/bi): Limit $3,000,000 Each Loss / Aggregate; Waiting Period: 12 Hours; Period of Indemnity: 12 Months
C. Digital Asset Destruction, Data Retrieval and System Restoration: Limit $3,000,000 Each Loss / Aggregate; Retention $100,000 Each Loss
D.
System Failure Coverage: Limit $3,000,000 Each Loss / Aggregate; Waiting Period: 12 Hours; Period of Indemnity: 12 Months
E. Social Engineering & Cyber Crime Coverage (See Video: www.corvusinsurance.com/1st-party): Limit $100,000 Each Loss / Aggregate; Retention $100,000 Each Loss
F. Reputational Loss Coverage: Limit $3,000,000 Each Loss / Aggregate; Waiting Period: 2 Weeks; Period of Indemnity: 12 Months
G. Cyber Extortion and Ransomware Coverage (See Video: www.corvusinsurance.com/1st-party): Limit $3,000,000 Each Loss / Aggregate; Retention $100,000 Each Loss
H. Breach Response and Remediation Expenses (See Video: www.corvusinsurance.com/1st-party): Limit $3,000,000 Each Loss / Aggregate; Retention $100,000 Each Loss
I. Court Attendance Costs: Limit $250,000 Each Loss / Aggregate; Retention $100,000 Each Loss

Maximum Policy Aggregate Limit: $3,000,000

ENDORSEMENTS (Endorsement, Name, Limit)
CB-125-001 Amend Other Insurance Provision
CB-126-002 Bricking: $3,000,000
CB-151-003 CRC Cyber Amendatory
CB-194-001 California Consumer Privacy Act
CB-202-001 Coverage for Certified Acts of Terrorism
CB-123-001 Criminal Reward Expenses: $50,000
CB-155-001 Cryptojacking
CB-136-001 Forensic Accounting Coverage: $50,000
CB-111-003 GDPR Coverage
CB-133-001 Invoice Manipulation Loss: $100,000
CB-128-001 Loss of Funds Exclusion Carveback
CB-300-001 Manuscript - Specified Entity Exclusion: $0
CB-120-001 Solicitation Claims: $50,000
CB-146-001 Specified Claim(s) Exclusion
CB-167-001 War Exclusion Cyber Terrorism Carveback

PREMIUM, TAXES & FEES
Premium: $115,853
TRIA: $1,159
Policy Fee (Fully Earned): $195
Total: $117,207
Please see CRC's cover page for total premium.

POLICY FORM
Corvus Smart Cyber Policy Form No. CB-101-001

SUBJECTIVITIES
The proposed quoted terms are valid for 30 days and subject to the receipt, review, and acceptance of the following information and are based on the representation that there are no open or unreported claims, unless previously addressed herein, as of the date of this quote.
The applicant must also pass a sanctions list check which Corvus will perform prior to binding. If at any time before binding we are made aware that a claim was reported, we reserve the right to rescind or revise the terms of this quote. If an insured elects to bind coverage during this period, the effective date of the policy must be within 45 days of the date on which the quote was issued.

Due prior to binding:
• Confirmation that the Applicant requires out-of-band authentication prior to executing an electronic payment. (Out of band authentication is a secondary verification method with the requestor of a funds transfer through a communication channel separate from the original request.)
• Confirmation that the City's network is completely isolated from the utility operations
• Confirmation that MFA is required for all email access
• Additional information on the prior incident noticed to Brit
• Confirmation that email filtering is utilized for all users

Due within 7 days of binding:
• TRIA Waiver if coverage is rejected (attached to quote).
• Please provide policyholder contact information (client name, policyholder name, email, job title) to grant access to the Corvus policyholder resource dashboard upon bind.

FEES
Policy Issuance Fee: $195

BREACH RESPONSE HOTLINE
Corvus Smart Cyber Insurance® 24/7 Breach Response Hotline: (855) 248-2150
Application for Smart Cyber Insurance

1. Company Name: City of Denton
2. Domiciled State: Texas
3a. Primary Website: www.cityofdenton.com
3b. Additional Websites:
4. Nature of Business (Industry): Municipality / Public Entity
5. Projected Gross Annual Revenue (next 12 months): $140,226,502
0 - 250,000; 250,001 - 500,000; 500,001 - 1,000,000; 1,000,001 - 2,500,000; 2,500,001 - 5,000,000; 5,000,001 - 10,000,000; 10,000,001 +
6. Estimated number of unique personally identifiable records maintained by the applicant (including records stored by third-party providers). [1]
7. Does the Applicant have formal processes for regularly backing up, archiving, restoring, and segregating sensitive data? (Yes / No)
8. If the applicant accepts payment cards in exchange for goods or services rendered, is the applicant or their outsourced payment processor PCI compliant? (Yes / No / N/A)
9. If the Applicant allows remote access to their network, do they use a properly configured VPN or Multi-Factor Authentication? (Yes / No / N/A)
10. Does the Applicant use Multi-Factor Authentication to secure all domain or network administrator accounts? (Yes / No)
11. If the Applicant’s users can access email through a web app on a non-corporate device, does the Applicant enforce Multi-Factor Authentication? (Yes / No / N/A)
12. Does the Applicant use an email security filtering tool? (Yes / No) If Yes: Please list the vendor.
Yes / No / N/A; Yes / No / N/A; Yes / No / N/A; Yes / No; Yes / No; Yes / No; Yes / No
13. If the Applicant stores over 1MM PII records, do they encrypt private or sensitive information stored on mobile devices? [2]
14.
If the Applicant's industry is retail, restaurant, or online retailer, do they deploy either end-to-end or point-to-point encryption technology on all of their point of sale terminals?
15. If revenue is over $100MM and the applicant uses multimedia material provided by others, does the applicant always obtain the necessary rights, licenses, releases, and consents prior to publishing?
16. Has the Applicant experienced in the past three years any cyber security incident, data privacy incident or any multimedia liability claim? [3]
If Yes: Is the actual or expected total financial impact to the Applicant and its insurer more than $25,000?
If Yes: Please provide additional details.
17. Does the Applicant or any other person or organization proposed for this insurance have knowledge of any actual or alleged: security breach, privacy breach, privacy-related event or incident, breach of privacy, or multimedia incident that may reasonably be expected to give rise to a claim or to costs being incurred? [4]
If Yes: Please provide additional details.
18. Has the Applicant or any other organization proposed for this insurance sustained any unscheduled network outage or interruption lasting longer than six hours within the past twenty-four months?
If Yes: Please provide additional details.
20. Desired Limits: $2MM Each Claim / $2MM Aggregate; $3MM Each Claim / $3MM Aggregate; Other
21. Desired Retentions: $100,000; Other

[1] PII includes any information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.
[2] Laptops, tablets, phones, hard drives, USB drives, etc.
[3] A multimedia liability claim includes one alleging defamation, disparagement, invasion of privacy, commercial misappropriation of likeness, plagiarism, piracy, or copyright or trademark infringement.
[4] Defamation, disparagement, invasion of privacy, commercial misappropriation of likeness, plagiarism, piracy, or copyright or trademark infringement.

20. Additional details.

NOTICE

Notice to All Applicants: Any person who knowingly, and with intent to defraud any insurance company or other person, files an application for insurance or statement of claim containing any materially false information, or, for the purpose of misleading, conceals information concerning any fact material thereto, may commit a fraudulent insurance act which is a crime and subjects such person to criminal and civil penalties in many states.

Notice to Colorado Applicants: It is unlawful to knowingly provide false, incomplete or misleading facts or information to an insurance company for the purpose of defrauding or attempting to defraud the company. Penalties may include imprisonment, fines, denial of insurance and civil damages. Any insurance company or agent of an insurance company who knowingly provides false, incomplete, or misleading facts or information to a policyholder or claimant for the purpose of defrauding or attempting to defraud the policyholder or claiming with regard to a settlement or award payable for insurance proceeds shall be reported to the Colorado Division of Insurance within the Department of Regulatory Agencies.

Notice to District of Columbia and Louisiana Applicants: Any person who knowingly presents a false or fraudulent claim for payment of a loss or benefit or knowingly presents false information in an application for insurance is guilty of a crime and may be subject to fines and confinement in prison.

Notice to Florida Applicants: Any person who knowingly and with intent to injure, defraud or deceive any insurance company, files a statement of claim containing any false, incomplete, or misleading information is guilty of a felony of the third degree.
Notice to Oklahoma Applicants: Any person who knowingly, and with intent to injure, defraud or deceive any insurer, files a statement of claim containing any false, incomplete or misleading information is guilty of a felony.

Notice to Kansas Applicants: An act committed by any person who, knowingly and with intent to defraud, presents, causes to be presented or prepares with knowledge or belief that it will be presented to or by an insurer, purported insurer, broker or any agent thereof, any written statement as part of, or in support of, an application for the issuance of, or the rating of an insurance policy for personal or commercial insurance, or a claim for payment or other benefit pursuant to an insurance policy for commercial or personal insurance which such person knows to contain materially false information concerning any fact material thereto; or conceals, for the purpose of misleading, information concerning any fact material thereto.

Notice to Maine, Tennessee, Virginia and Washington Applicants: It is a crime to knowingly provide false, incomplete or misleading information to an insurance company for the purpose of defrauding the company. Penalties may include imprisonment, fines and/or denial of insurance benefits.

Notice to Maryland Applicants: Any person who knowingly or willfully presents a false or fraudulent claim for payment of a loss or benefit or who knowingly or willfully presents false information in an application for insurance is guilty of a crime and may be subject to fines and confinement in prison.

Notice to New Hampshire Applicants: Any person who, with a purpose to injure, defraud or deceive an insurance company, files a statement of claim containing any false, incomplete or misleading information is subject to prosecution and punishment for insurance fraud as provided in RSA 638:20.
Notice to New York Applicants: Any person who knowingly and with intent to defraud any insurance company or other person files an application for insurance or statement of claim containing any materially false information, or conceals for the purpose of misleading, information concerning any fact material thereto, commits a fraudulent insurance act, which is a crime, and shall also be subject to a civil penalty not to exceed $5,000 and the stated value of the claim for each such violation.

Notice to Pennsylvania Applicants: Any person who knowingly and with intent to defraud any insurance company or other person files an application for insurance or statement of claim containing any materially false information or conceals for purposes of misleading, information concerning any fact material thereto commits a fraudulent insurance act, which is a crime and subjects such person to criminal and civil penalties.

Signature
Print Name & Title
Date
Applicant Email Address

Note: You will be added to our software platform, the CrowBar, which provides helpful risk management advice, alerts and services.

Ransomware Supplemental Application

1. Company Name: City of Denton

EMAIL SECURITY
2. If your users can access email through a web app on a non-corporate device, do you enforce Multi-Factor Authentication?
3a. Which email security filtering tool are you using?
3b. Are you using all available security features (for example: quarantine service, sandboxing and URL rewriting)?
4. Do you conduct regular phishing training and testing? (Quarterly / Semi-annually / Annually / Never)
5. Do you have a secure web gateway or proxy solution to secure inbound internet traffic?

DATA BACK-UP & RECOVERY
6. How frequently do you back up electronic data? (Daily with multi-generations retained / Daily / Weekly / Less than weekly)
7.
Are all of your backups kept separate from your network (“offline”) so that they are inaccessible from endpoints and servers that are joined to the corporate domain, or in a cloud service designed for this purpose?
If no: please describe compensating controls that you have in place.
8. Is Multi-Factor Authentication required for access to backup files?
9. Have you tested the successful restoration and recovery of key server configurations and data from backups in the last 6 months?
10. As part of your data back-up strategy, do you maintain at least 3 separate copies of your data stored in different geographic locations? (Production, Local Copies, and offsite storage).

INTERNAL SECURITY & CONTROLS
11. Do you use Multi-Factor Authentication to secure all domain or network administrator accounts?
12. Do you restrict employee access to sensitive information on a business need-to-know basis?
13. Do you use an Endpoint Detection and Response (EDR) or a Next-Generation Antivirus (NGAV) (i.e. CrowdStrike, SentinelOne, Cybereason, Carbon Black) software to secure all system endpoints?
If yes: please list providers.
14. Do you allow remote access to your network?
If yes: do you use
a) a properly configured and secure VPN?
b) Multi-Factor Authentication to secure all remote access to your network?
15. Do you have a Business Continuity Plan (BCP) or Disaster Recovery Plan (DRP) in place?
If yes: is your BCP/DRP tested at least annually?
16. Do you encrypt all sensitive and confidential information
a) stored on your organization’s systems and networks?
b) stored on your organization’s backups?
If no to either: are the following compensating controls in place:
I) Segregation of servers that store sensitive and confidential information?
II) Access control with role-based assignments?
17. Do you encrypt all sensitive and confidential information
c) stored on mobile devices?
d) in transit from your network?

Warranty
All Insureds agree that the statements contained herein are their agreements and representations, which shall be deemed material to the risk, and that, if issued, the Policy will be in reliance upon the truth thereof. The misrepresentation or non-disclosure of any material matter by the Insured or its agent will render the Policy null and void and relieve the Company from all liability under the Policy.

Signature
Print Name
Date

Policyholder Disclosure: Notice of Terrorism Insurance Exclusion and Coverage Option

You are hereby notified that under the Terrorism Risk Insurance Act, as amended, you now have a right to purchase insurance coverage for losses resulting from acts of terrorism, as defined in Section 102(1) of the Act: The term “act of terrorism” means any act that is certified by the Secretary of the Treasury – in consultation with the Secretary of Homeland Security, and the Attorney General of the United States – to be an act of terrorism; to be a violent act or an act that is dangerous to human life, property, or infrastructure; to have resulted in damage within the United States, or outside the United States in the case of an air carrier or vessel or the premises of a United States mission; and to have been committed by an individual or individuals acting on behalf of any foreign person or foreign interest, as part of an effort to coerce the civilian population of the United States or to influence the policy or affect the conduct of the United States Government by coercion.

YOU SHOULD KNOW THAT WHERE COVERAGE IS PROVIDED BY THIS POLICY FOR LOSSES RESULTING FROM CERTIFIED ACTS OF TERRORISM SUCH LOSSES MAY BE PARTIALLY REIMBURSED BY THE UNITED STATES GOVERNMENT UNDER A FORMULA ESTABLISHED BY FEDERAL LAW.
HOWEVER, YOUR POLICY MAY CONTAIN OTHER EXCLUSIONS WHICH MIGHT AFFECT YOUR COVERAGE, SUCH AS AN EXCLUSION FOR NUCLEAR EVENTS. UNDER THIS FORMULA, THE UNITED STATES GOVERNMENT GENERALLY REIMBURSES 85% THROUGH 2015; 84% BEGINNING ON JANUARY 1, 2016; 83% BEGINNING ON JANUARY 1, 2017; 82% BEGINNING ON JANUARY 1, 2018; 81% BEGINNING ON JANUARY 1, 2019 AND 80% BEGINNING ON JANUARY 1, 2020 OF COVERED TERRORISM LOSSES EXCEEDING THE STATUTORILY ESTABLISHED DEDUCTIBLE PAID BY THE INSURANCE COMPANY PROVIDING THE COVERAGE. THE PREMIUM CHARGED FOR THIS COVERAGE IS PROVIDED BELOW AND DOES NOT INCLUDE ANY CHARGES FOR THE PORTION OF LOSS COVERED BY THE FEDERAL GOVERNMENT UNDER THE ACT.

YOU SHOULD ALSO KNOW THAT THE TERRORISM RISK INSURANCE ACT, AS AMENDED, CONTAINS A $100 BILLION CAP THAT LIMITS U.S. GOVERNMENT REIMBURSEMENT AS WELL AS INSURERS’ LIABILITY FOR LOSSES RESULTING FROM CERTIFIED ACTS OF TERRORISM WHEN THE AMOUNT FOR SUCH LOSSES IN ANY ONE CALENDAR YEAR EXCEEDS $100 BILLION. IF THE AGGREGATE INSURED LOSSES FOR ALL INSURERS EXCEED $100 BILLION, YOUR COVERAGE MAY BE REDUCED.

CB-200-001 (1 of 3)

You have the right to accept or reject any coverage that might be provided under provisions of the Act and under the terms, conditions and exclusions of the policy.
If you decide to purchase a policy from us and wish to take advantage of any terrorism coverage that might be provided, you will have to pay an additional premium for terrorism coverage in the amount of:

Limit Each Trigger: $2,000,000; Aggregate Limit: $2,000,000; Retention Each Trigger: $100,000; * Basic Premium: $95,006; * Additional Premium for Certified Acts of Terrorism Coverage (1% of Basic): $950
Limit Each Trigger: $3,000,000; Aggregate Limit: $3,000,000; Retention Each Trigger: $100,000; * Basic Premium: $115,853; * Additional Premium for Certified Acts of Terrorism Coverage (1% of Basic): $1,159
* does not include surplus lines taxes and/or fees

Even if you do decide to take advantage of any terrorism coverage that might be provided under terms of the Act, we will exclude coverage for losses not eligible for federal reinsurance under the Act, which include losses due to domestic acts of terrorism and losses due to acts of terrorism to property located outside the United States. Further, as respects all losses, even losses eligible for federal reinsurance under the Act, the actual coverage available under our policies for acts of terrorism will still be limited by all of the terms, conditions, exclusions and endorsements of the policy and by generally applicable rules of law. This means that even if you decide to pay the additional premium to buy terrorism coverage to the extent provided under the Act, all terms, conditions and exclusions in the policy, will apply, even if they prevent coverage for losses resulting from terrorism.

If you decide not to accept this offer of terrorism coverage to the extent provided by the Act and not otherwise excluded by the policy, you must sign below to waive such coverage and return the original of this document to us.

WAIVER OF COVERAGE
I/we hereby waive all rights to any coverage for terrorism that may have been available under the Terrorism Risk Insurance Act and authorize Accredited Specialty Insurance Company to fully exclude terrorism coverage under the policy issued or to be issued to me/us.
Proposed Named Insured
Proposed Named Insured Address
Applicant's Signature
Date
Print Name
Title

This endorsement is to take effect on: TBD
Policy Number: TBD
Policy Inception Date: TBD
Policy Expiration Date: TBD
Endorsement Number: CB-200-001
All other terms and conditions of the Policy remain unchanged.

Notice to Policyholders
Coverage under this Policy is provided on a claims made and reported basis. This Policy applies only to Claims first made against the Insured during the Policy Period and reported in writing or by electronic notice to the Company during the Policy Period or Extended Reporting Period, if applicable, or to Loss first discovered by the Insured and notified in writing or by electronic notice to the Company during the Policy Period or Extended Reporting Period, if applicable, and subject to all other terms. Any obligation or payment owed by the Company shall in every case be subject to the Limits of Liability as stated in the Policy Declarations. Defense Expenses shall reduce the applicable Limits of Liability, subject to any applicable Retention, and may completely exhaust the Maximum Policy Aggregate Limit of Liability. This Policy only affords coverage under those Insuring Agreements below that are indicated as purchased in Item 5 of the Policy Declarations. Please review the coverage afforded under this Policy carefully, and discuss it with your insurance agent or broker.
CB-101-001
CORVUS SMART CYBER INSURANCE
In consideration of the payment of premium, reliance upon the Application, and subject to all terms of this Policy, the Company agrees to indemnify the Insured in excess of the Retention or after the expiration of the Waiting Period, as indicated in Item 5 of the Policy Declarations, for:

THIRD PARTY INSURING AGREEMENTS
I. Amounts which the Insured is legally obligated to pay as a direct result of a Claim first made against the Insured during the Policy Period, and reported in writing or by electronic notice to the Company during the Policy Period or Extended Reporting Period, if applicable, for:
A. Network Security and Privacy Liability
Damages and Defense Expenses which the Insured is legally obligated to pay as a result of a Claim arising from a Security Breach or Privacy Breach.
B. Regulatory Investigations, Fines, and Penalties
Regulatory Fines and Penalties and Defense Expenses which the Insured is legally obligated to pay as a result of a Claim arising from a Security Breach or Privacy Breach.
C. Media Liability
Damages and Defense Expenses which the Insured is legally obligated to pay as a result of a Claim arising from Media Activities.
D. PCI DSS Assessment Expenses
PCI DSS Assessment Expenses and Defense Expenses which the Insured is legally obligated to pay as a result of a Claim arising from a Security Breach or Privacy Breach.
E. Breach Management Expenses
Breach Management and Incident Response Expenses which the Insured has contractually indemnified a Third Party for a Security Breach or Privacy Breach when the Insured has a legal obligation to notify affected individuals.

FIRST PARTY INSURING AGREEMENTS
II. Loss, first discovered by the Control Group during the Policy Period and reported in writing or by electronic notice to the Company during the Policy Period or Extended Reporting Period, if applicable, for:
A. Business Interruption
Business Income Loss and Extra Expenses incurred during the Interruption Period directly as a result of the total, or partial, or intermittent interruption or degradation in service of an Insured's Computer System caused directly by a Privacy Breach, Security Breach, Administrative Error or Power Failure.
B. Contingent Business Interruption
Business Income Loss and Extra Expenses incurred during the Interruption Period caused directly as a result of the total, partial, or intermittent interruption or degradation in service of the Computer System of an Outsourced Service Provider caused directly by a Privacy Breach, Security Breach, or Administrative Error at that Outsourced Service Provider.
C. Digital Asset Destruction, Data Retrieval and System Restoration
Digital Asset Loss and Related Expenses incurred as a direct and necessary result of a Privacy Breach, Security Breach or Administrative Error.
D. System Failure Coverage
Business Income Loss, Extra Expenses, and Digital Asset Loss incurred during the Interruption Period directly as a result of an unintentional or unplanned outage caused by Administrative Error, Unintentional Damage or Destruction, or Computer Crime and Computer Attacks.
E. Social Engineering and Cyber Crime Coverage
Financial Fraud Loss, Telecommunications Fraud Loss, Phishing Attack Loss, theft of Funds Held in Escrow, or theft of Personal Funds incurred directly as a result of Financial Fraud, Telecommunications Fraud, or Phishing Attack.
F. Reputational Loss Coverage
Reputational Loss incurred during the Interruption Period as a direct result of a Media Event arising from a Privacy Breach, Security Breach, Cyber Extortion Threat, or Phishing Attack.
G. Cyber Extortion and Ransomware Coverage
Extortion Expenses and Extortion Payment incurred directly as a result of a Cyber Extortion Threat.
H. Breach Response and Remediation Expenses
Breach Management and Incident Response Expenses incurred directly as a result of a Privacy Breach or Security Breach.
I. Court Attendance Costs
Expenses incurred to attend court for any tribunal, arbitration, adjudication, mediation or other hearing in connection with any Claim for which the Insured is entitled to indemnity under this policy.

DYNAMIC LOSS PREVENTION SERVICES
III. Consultative and support services requested by the Insured prior to notifying the Company of a potential Loss or Claim, including:
A. IT Security Assessments
The Insured shall have access to network security assessments and recommendations provided by the Company’s data provider throughout the Policy Period. The Insured may request assessments as frequently as once every fourteen (14) business days.
B. Pre-Claim Support Services
If the Company is provided with notice of a potential Loss or of a Claim that is not yet a Loss or Claim under this policy and the Insured requests the Company’s assistance to mitigate against such a Claim or Loss, the Company may agree to pay for up to $1,000,000 in Breach Management and Incident Response Expenses. Any such fees must be incurred with the Company’s prior written consent by an attorney or consultant we have mutually agreed upon. Such attorney’s and consultant’s fees will be considered Claim expenses or Loss and will be subject to the Limits of Liability that would be applicable if a covered Claim is made and is also subject to the Policy’s Aggregate Limit of Liability.

EXCLUSIONS
IV.
The Company shall not be liable for any Claim, Damages, Defense Expenses or Loss based upon, arising out of, or in any way attributable to:
1. Prior Knowledge or Notification
Any act, fact, error, omission, event, incident, occurrence, claim or circumstance that could reasonably be expected to give rise to a Claim or Loss when such act, fact, error, omission, event, incident, occurrence, claim or circumstance was known prior to the Inception Date of this Policy by any member of the Control Group;
2. Deliberate Acts
The Insured's willful deliberate, malicious, fraudulent, dishonest, or criminal act or violation of law with the knowledge, connivance or acquiescence of any member of the Control Group; however, this exclusion shall not apply to Defense Expenses incurred in defending any such Claim until such time that there is final adjudication establishing such conduct, at which time the Insured shall reimburse the Company for all Defense Expenses incurred. Facts, or knowledge possessed by the Control Group regarding the foregoing conduct shall be imputed to other Insureds;
3. Insured vs. Insured
Any Claim made by or on behalf of an Insured against another Insured. This exclusion shall not apply to any Claim brought by an Employee outside of the Control Group as a result of a Privacy Breach or Security Breach;
4. Bodily Injury
Physical injury, sickness, disease, or death sustained by any individual and, where resulting from such physical injury only, mental anguish, mental injury, shock or emotional distress;
5. Property Damage
Physical Injury to, or impairment, destruction or corruption of, any tangible property, including personal property in the care, custody or control of the Insured.
Data and Digital Assets are not tangible property;
6. Employment Practices
Any employer-employee relations, policies, practices, acts or omissions, any actual or alleged refusal to employ any persons or any misconduct, including physical or sexual, with respect to Employees, including negligent employment, investigation, supervision, hiring, training or retention of any Employee, Insured or person for whom the Insured is legally responsible. However, this exclusion does not apply to a Privacy Breach;
7. Breach of Contract
Any breach of any express, implied, actual or constructive contract, warranty, guarantee or promise. This exclusion does not apply to:
a. Any liability or obligation an Insured would have had in the absence of such contract, warranty, guarantee or promise and which would have been insured by this Policy;
b. A breach of the Insured's privacy policy; or
c. An otherwise covered Claim under Insuring Agreement I. D. PCI DSS Assessment Expenses;
8. Description of Price of Goods
Actual or alleged inaccurate, inadequate or incomplete description of the price of goods, products, or services, including cost guarantees, cost representations, contract price, or cost estimates being exceeded;
9. Discrimination
Any actual or alleged discrimination of any kind, including but not limited to age, color, race, gender, religion, creed, national origin, marital status, sexual orientation, sexual preference, disability, financial condition, or pregnancy, including violations of civil rights or discrimination or retaliatory conduct of any kind;
10. Government Intervention
Non-discriminatory measures of a government taken in the public interest for the purposes of ensuring public safety, raising revenues, protecting the environment or regulating economic activities;
11. Patent Infringement
The actual or alleged:
a. Infringement of any patent or patent rights or misuse or abuse of a patent; or
b. The misappropriation, theft, copying, display or publication of any trade secret, unless arising out of a Privacy Breach or Security Breach;
12. Bankruptcy
The insolvency, liquidation or bankruptcy of any person or entity, including any Insured to the extent permitted by law, or the failure, inability or unwillingness of any person or entity or Insured to make payments or perform obligations or conduct business because of insolvency, liquidation, or bankruptcy; However, the Insured's insolvency will not relieve the Company of any legal obligation under this contract of insurance where this insolvency does not give rise to a claim under this policy;
13. Loss of Funds
a. Loss, decrease in value or theft of securities or currency;
b. Trading losses, liabilities or changes in trading account value; or
c. The value of electronic funds, money, securities or wire transfer;
14. Force Majeure
Any loss incurred as a result of a natural disaster, including fire, smoke, explosion, lightning, wind, water, flood, earthquake, volcanic eruption, tidal wave, landslide, hail or any
other natural physical event however caused;
15. Payment Card Industry
The failure by the Insured to comply with or follow the Payment Card Industry Data Security Standards, Merchant Services Agreements or any Payment Card Company rules, or the failure to implement, maintain or comply with any payment card industry security measures or standards. However, this exclusion does not apply to Insuring Agreement I.D.
PCI DSS Assessment Expenses;
16. Pollutants
Any actual or alleged or threatened presence, discharge, dispersal, release, escape or failure to detect pollutants or solid, liquid, gaseous or thermal irritant or contaminant of any kind, including smoke, vapor, soot, fumes, other air emission, acids, toxic chemicals, alkalis, mold, spores, fungi germs, odor, waste, water, oil or oil product, infectious or medical waste, asbestos or asbestos product, lead or lead product, noise, and electric, magnetic, or electromagnetic field chemicals, or waste (including waste material to be recycled, reconditioned, or reclaimed), whether or not such presence, discharge, dispersal, release, escape or failure to detect results from the Insured's activities or the activities of others or whether such presence happened suddenly, gradually, accidentally or intentionally. This exclusion shall not apply to an otherwise covered claim under Insuring Agreement I. A. Security and Privacy Liability and I. B. Regulatory Investigations, Fines, and Penalties;
17. Satellite, Electrical or Mechanical Failures
Satellite failures; electrical or mechanical failures including spike, brownout or blackout; failures of overhead or subterranean transmission and distribution lines; or outage to utility infrastructure, including gas, water, telecommunications, telephone, internet, or cable, unless such infrastructure is under the Insured's direct operational control;
18. Specific Legislation
a. The actual or alleged purchase, sale, or offer of, or solicitation of an offer to purchase or sell securities, or violations of any securities law including but not limited to the Securities Act of 1933, the Securities Exchange Act of 1934, the Sarbanes Oxley Act of 2002, including “Blue Sky” laws;
b. The actual or alleged violation of the Organized Crime Control Act of 1970 (RICO);
c. The actual or alleged government enforcement of any state or federal law or regulation including law or regulations promulgated by the United States
Federal Trade Commission, Federal Communications Commission, or the Securities and Commission; however, this exclusion does not apply to Insuring Agreement II. B. Regulatory Investigations, Fines, and Penalties;
d. Any breach or alleged breach of any workers’ compensation, unemployment compensation, disability benefits or similar laws, including the Federal Employers Liability Act, the Fair Labor Standards Act of 1938, the National Labor Relations Act, the Worker Adjustment and Retraining Act of 1988, the Certified Omnibus Budget Reconciliation Act of 1985, the Occupational Safety and Health Act of 1970;
e. Any violation of any pension, healthcare, welfare, profit sharing, mutual or investment plans, funds, or trusts; or any violation of any provision of the Employee Retirement Income Security Act of 1974 and/or the Pension Protection Act of 2006;
f. The violation of, or the exposure of the Insured or Company to, any sanction, prohibition or restriction under United Nations resolutions or the trade or economic sanctions, laws or regulations of the European Union, UK, or USA;
g. The Telephone Consumer Protection Act of 1991 or CAN-SPAM Act of 2003 or any similar state or federal statute, law, regulation or rule with regard to unsolicited distribution of email, text messages, direct mail, facsimiles, spam, actual or alleged wiretapping, audio or video recording, or telemarketing;
19. Terrorism
Any act of terrorism, except for a terrorist event perpetrated by electronic or internet based applications or means;
20. Unauthorized Trading
Any and all trading by an Insured, including trade that at the time of the trade is:
a. In excess of permitted financial limits; or
b. Outside of permitted product lines;
21. Anti-Trust Laws and Unfair Competition
Any actual or alleged violation of any anti-trust statute, legislation or regulation including the Sherman Anti-Trust Act, the Clayton Act or any similar provisions of any federal, state or local statutory law or common law; or unfair competition, price fixing, deceptive trade practices;
22. Use of Illegal or Unlicensed Programs
Use of illegal or unlicensed programs or software;
23. War
Confiscation, nationalization, requisition, strikes, labor strikes or similar labor actions; war, invasion, or warlike operations, civil war, mutiny, rebellion, insurrection, civil commotion assuming the proportions of or amounting to an uprising, military coup or usurped power;
24. Radioactive Contamination, Chemical, Biological, Biochemical and Electromagnetic
In no case shall this insurance cover loss, damage, liability or expense directly or indirectly caused by or contributed to, by, or arising from:
a. Ionizing radiations from or contamination by radioactivity from any nuclear fuel or from any nuclear waste;
b. The
radioactive, toxic, explosive or other hazardous or contaminating properties of any nuclear installation, reactor or other nuclear assembly or nuclear component thereof;
c. Any weapon or device employing atomic or nuclear fission and/or fusion or other like reaction or radioactive force or matter;
d. The radioactive, toxic, explosive or other hazardous or contaminating properties of any radioactive matter;
e. Any chemical, biological, bio-chemical or electromagnetic weapon;

DEFINITIONS
Administrative Error
An error or omission by an Employee or member of the Control Group in the input, processing or output of the Insured’s Digital Assets of the Insured’s Computer System operation or maintenance; With respect to Insuring Agreement II. B. Contingent Business Interruption, Administrative Error includes error or omission by an employee of an Outsourced Service Provider in the input, processing or output of the Insured’s Digital Assets or the Outsourced Service Provider’s Computer System operation or maintenance.
Application
All information provided by or on behalf of the Insured to the Company as part of any request for this Policy, including any supplemental information submitted therewith; All of the above are deemed attached to, material and incorporated into this Policy;
Breach Management and Incident Response Expenses
Costs of an external IT security expert to determine the cause, scope and extent of the Privacy Breach or Security Breach or any immediate actions necessary to mitigate ongoing harm to the Insured’s Computer System;
Costs and expenses of a legal firm to determine any actions necessary to comply with Privacy Regulations;
Notification costs and related expenses to notify:
Individuals who are required to be notified in compliance with Privacy Regulations mandating notifications; or
Any individual affected by the actual or suspected cyber event or to send email notices or issue substitute notices;
Costs of setting up a telephone call center in order to support notified individuals and to provide credit file monitoring services and/or identity theft assistance;
Crisis Management Expenses;
Costs to provide credit monitoring services, identity monitoring services, identity restoration services or identity theft insurance to affected individuals for up to 24 months.
Access to Company’s 24/7 Cyber Incident Response Hotline;
Costs to obtain initial report support and assistance from the Company;
Costs to conduct a forensic investigation of the Insured’s Computer System where reasonable and necessary or as required by law or a regulatory body (including a requirement for a PCI Forensic Investigator);
Costs to contain and remove any malware discovered on the Insured’s Computer Systems;
Costs to complete an information security risk assessment;
Costs to conduct an information security gap analysis;
Business Income Loss
a. The net profit before income taxes that the Insured is prevented from earning during the Interruption Period; and
b. Normal operating expenses incurred by the Insured (including payroll), but solely to the extent that such operating expenses must continue during the Interruption Period and would have been incurred had there been no interruption or degradation in service;
Business Income Loss does not include any:
I. Contractual penalties;
II. Costs or expenses incurred to update, restore, replace or improve a Computer System to a level beyond that which existed just before the Interruption of Service;
III. Expenses incurred to identify or remediate software program errors or vulnerabilities;
IV. Legal costs or expenses;
V. Loss arising out of liability to any third party;
VI. Other consequential loss or damage; or
VII. Extra Expenses;
‘Business Income Loss’, as used in item a. shall mean:
a. For manufacturing operations, the net sales value of production less the cost of all raw stock, materials and supplies used in such production;
Claim
The following, when first received in writing or by electronic notice by any Insured during the Policy Period or, if applicable, an Extended Reporting Period.
a. A notice of an intention to hold the Insured responsible for Damages, including the service of legal proceedings, the institution of arbitration or mediation, or a written request to toll or waive a statute of limitations against any of the Insureds;
b. A request for information, civil investigative demand, formal civic administrative proceeding or formal regulatory action only to the extent covered by Insuring Agreement I. B. Regulatory Investigations, Fines, and Penalties;
c. A demand for PCI DSS Assessment Expenses only to the extent covered by Insuring Agreement I. D. PCI DSS Assessment Expenses.
First receipt by any Insured is deemed to be first receipt by all Insureds.
Company
The Insurer listed under Item 3 of the Policy Declarations.
Computer Crime and Computer Attacks
An unintentional or negligent act, error or omission by an Insured, or an Outsourced Service Provider in the operation of an Insured’s Computer System or in the handling of Digital Assets, which fails to prevent or hinder attacks on an Insured’s Computer System, including, but not limited to Denial of Service attacks, unauthorized access, infection of malicious computer code, unauthorized use or an act of cyber terrorism.
Computer System
A system of interconnected hardware and peripherals, and associated software, including Internet of Things (IoT) devices, systems and application software, terminal devices, related communication networks, mobile devices, storage and back-up devices, operated by the Insured or an Outsourced Service Provider; With respect to Insuring Agreement II. A. Business Interruption, a Computer System will not include devices, systems, software, or networks operated by an Outsourced Service Provider;
Control Group
Any of the Chief Executive Officer, Chief Financial Officer, Chief Information Officer, Chief Operating Officer, Chief Information Security Officer, Chief Legal Officer/General Counsel, Risk Manager or the functional equivalent of any of those positions;
Crisis Management Expenses
Expense reasonably incurred by the Insured and approved in writing in advance by the Company for the employment of a public relations consultant if the Insured reasonably considers that action is needed in order to avert or mitigate a Business Income Loss or Media Event;
Cyber Extortion Threat
A credible threat or series of credible threats, that includes a demand for Extortion Payment, to:
a. Release, disseminate, destroy or corrupt the Insured’s Digital Assets;
b. Introduce Malicious Code into the Insured’s Computer System;
c. Corrupt, damage or destroy the Insured’s Computer System;
d. Electronically communicate with the Insured's customers and falsely claim to be the Insured or to be acting under the Insured's direction in order to falsely obtain personal confidential information of the Named Insured’s customers (also known as “pharming,” “phishing,” or other types of false communications); or
e. Restrict or hinder access to the Insured’s Computer System, including the threat of a criminal or malicious Denial of Service;
Damages
The amount an Insured is legally obligated to pay in respect of: a Claim, including a monetary judgement, award or settlement, interest and a claimant’s legal costs;
punitive and exemplary damages, to the extent such damages are insurable under the law pursuant to which this Policy is construed; Regulatory Fines and Penalties only to the extent covered by Insuring Agreement I. B. Regulatory Investigations, Fines, and Penalties; and PCI DSS Assessment Expenses only to the extent covered by Insuring Agreement I. D.;
Damages shall not include:
a. Future profits or royalties, restitution, or disgorgement of the Insured's profits;
b. The cost of complying with orders granting injunctive or non-monetary relief, including specific performance, or any agreement to provide such relief;
c. Loss of the Insured's fees or profits, return or offset of the Insured's fees or charges (invoiced or not), or the Insured's commissions or royalties provided or contracted to be provided;
d. Fines, taxes or loss of tax benefits, sanctions unless covered under Insuring Agreement I.B. Regulatory Investigations, Fines, and Penalties and unless covered under Insuring Agreement I.D.
Payment Card Industry Fines, Assessments and Expenses;
e. Liquidated damages to the extent that such damages exceed the amount for which the Insured would have been liable in the absence of such liquidated damages agreement, unless covered under Coverage I.D. Payment Card Industry Fines, Assessments and Expenses;
f. Any amount which the Insured is not legally obligated to pay; and
g. Amounts which are uninsurable under the law pursuant to which this Policy is construed;

Data
Information represented, transmitted or stored electronically, or digitally including code, or a series of instructions, operation systems program, software and firmware;

Defense Expenses
Reasonable and necessary: fees charged by an attorney to defend a Claim, and costs and expenses resulting from the investigation, adjustment, defense and appeal of a Claim incurred with the Company’s prior written consent, or such fees and costs incurred by an attorney from the Pre-Approved Vendors specified on the Policy Declarations;

Denial of Service
Unauthorized interference or malicious attack that restricts or prevents access to the Insured’s Computer System for entities authorized to gain access;

Digital Asset Loss
Expenses incurred to restore, recreate, or replace Digital Assets or Computer Systems directly impacted by a Privacy Breach or Security Breach.
If it is determined that Digital Assets or a Computer System cannot be restored, recreated, or replaced, the Company will only reimburse the Insured's losses or expenses incurred up to the date of such determination;

Digital Assets
The Insured's digital files including Data, computer programs, electronic documents and audio content stored by the Insured’s Computer System;

E-Media
Hard drives, CD ROMs, magnetic tapes, magnetic discs or any other media on which electronic Data is stored;

Employee
Any individual whose labor or service is engaged by and directed by the Insured, including volunteers and part-time, seasonal, temporary or leased workers, and independent contractors;
Extra Expenses
Reasonable and necessary extra costs incurred by the Insured to temporarily continue as nearly normal as practicable in the conduct of the Insured's business during the Interruption Period, less any value remaining at the end of the Interruption Period for property or services obtained in connection with such costs; “Normal” shall mean the condition that would have existed had no Privacy Breach, Security Breach, Administrative Error or Power Failure occurred;

Extortion Expenses
Reasonable and necessary expenses incurred to avoid a Privacy Breach, Security Breach or the disruption failure of the Insured’s Computer System, resulting directly from a Cyber Extortion Threat;

Extortion Payment
The payment of a ransom demand to avoid a Privacy Breach, Security Breach or the disruption or failure of the Insured’s Computer System, resulting directly from a Cyber Extortion Threat. The Insured must report any payments to legal or federal law enforcement authorities.
Financial Fraud
a. An intentional, unauthorized and fraudulent written, electronic or telephonic instruction transmitted to a financial institution, directing such institution to debit the Insured's account and to transfer, pay or deliver money or securities from the Insured's account, which instruction purports to have been transmitted by the Insured, an Executive, or an Employee, but was in fact fraudulently transmitted by a Third Party without the Insured's knowledge or consent; or
b. An intentional, unauthorized and fraudulent written, electronic or telephonic instruction transmitted to a financial institution by an Executive or Employee as a result of that Executive or Employee receiving intentional, misleading or deceptive telephonic or electronic communications from a Third Party falsely purporting to be the Insured or the Insured's client, vendor, Executive or Employee, and which directs the financial institution to debit the Insured's account and to transfer, pay or deliver money or securities from the Insured's account; or
c. The theft of money or securities from the Insured's bank account or corporate credit cards by electronic means;

Financial Fraud Loss
Insured's loss of money, securities, or Specified Property which is directly caused by Financial Fraud; Financial Fraud Loss does not include any amounts reimbursed to the Insured by any financial institution;

Funds Held In Escrow
Money or securities belonging to a Third Party;
Insured
a. The entity specified in Item 1 of the Policy Declarations;
b. Any Subsidiary but only during the time period such qualifies as a Subsidiary;
c. Any past, present or future officer, director, trustee, court-appointed receiver, or Employee of any of (a) and (b) above, but only while acting solely within the scope of their duties as such;
d. Any general or managing partner, principal, stockholder, or owner of any of (a) and (b) above, but only while acting solely within the scope of their duties as such;
e. Any legal entity required by contract to be named as an Insured under this Policy if agreed in advance and in writing by the Company, but only for the acts of any above parties (a) through (d), as detailed under the Insuring Agreements purchased;
f. Any agent or independent contractor, including distributors, licensees, and sublicensees, but only while acting on behalf of, at the direction of, or under the control of any party of (a) through (e) above; however, not including any Outsourced Service Provider;

Interruption Period
Under Insuring Agreement II. A. Business Interruption, Insuring Agreement II. B. Contingent Business Interruption, and Insuring Agreement II. D.
System Failure, the period of time that commences when the partial or complete interruption, degradation or failure of the Computer System begins, and ends on the earlier of:
a. The date of full system restoration of the Computer System plus up to 30 days thereafter if necessary to allow for restoration of the Insured's business; or
b. The maximum Period of Indemnity as stated in Item 5 of the Policy Declarations;
Under Insuring Agreement II. D. Reputational Loss, the period of time that commences on the date of the earliest Media Event and ends after the maximum indemnity period as stated in Item 5 of the Policy Declarations;

Loss
Breach Management and Incident Response Expenses, Crisis Management Expenses, Digital Asset Loss, Extortion Expenses, Extra Expenses, Extortion Payment, Business Income Loss, Financial Fraud Loss, Phishing Attack Loss, Related Expenses, Telecommunications Fraud Loss, and theft of Funds Held In Escrow;

Malicious Code
Software intentionally designed to damage Digital Assets or a Computer System by a variety of forms including, but not limited to, virus, worms, Trojan horses, spyware, dishonest adware, ransomware and crimeware;
Media Activities
The release or display of any Media Material that is under the direct sole control of the Insured and directly results in any of the following:
a. Defamation, libel, slander, product disparagement or trade libel;
b. Infringement, interference, or invasion of an individual’s right or privacy or publicity, including false light, intrusion upon seclusion, commercial misappropriation of likeness, and public disclosure of private facts;
c. Plagiarism, piracy, or misappropriation of ideas under an implied contract;
d. Infringement of copyright, trademark, trade name, trade dress, title, slogan, service mark or service names; or
e. Domain name infringement or improper deep-linking or framing;

Media Event
A report in the media of a Privacy Breach or Security Breach including via newspapers, radio, television, internet, blogging, and social media that has an adverse impact on the Insured's business or reputation;

Media Material
Communicative material of any kind or nature for which the Insured is responsible, including, but not limited to, words, pictures, sounds, images, graphics, code and Data, regardless of the method or medium of communication of such material or the purpose for which the communication is intended.
Media Material does not include any tangible goods or products that are manufactured, produced, processed, prepared, assembled, packaged, labeled, sold, handled or distributed by the Insured or others trading under the Insured's name;

Named Insured
The entity listed in Item 1 of the Policy Declarations;

Outsourced Service Provider
An independent service provider that provides information technology services or business processing outsourcing services, including, but not limited to hosting, security management, colocation, call center services, fulfillment services, logistical support, and data storage, for the benefit of the Insured under a written contract with the Insured;

Personal Funds
Money, securities, or financial assets from a personal bank account belonging to the Control Group;

PCI-DSS Assessment Expenses
Payment Card Industry forensic investigation costs, fines or penalties, assessments, including fraud loss recoveries and card replacement costs, and administrative costs that the Insured is legally obligated to pay under the terms of a Merchant Services Agreement as a result of the Insured's actual or alleged non-compliance with Payment
Card Industry Data Security Standards. PCI DSS Assessment Expenses does not include any ongoing obligation or audit following the imposition of an assessment, fine or penalty;

Phishing Attack
The use of fraudulent electronic communications or malicious websites to impersonate the Insured, the Insured's brand, or any of the Insured's products or services, in order to solicit Protected Personal Information;

Phishing Attack Loss
a. Expenses the Insured incurs, with the Company’s prior written consent, to create and issue a specific press release or to establish a specific website to advise the Insured's customers and prospective customers of a Phishing Attack; and
b. The cost of reimbursing the Insured's existing customers for their losses arising directly from a Phishing Attack;
c. The cost of reimbursing the Insured's existing customers for their financial loss arising directly from the fraudulent communications;
d. Insured's direct loss of profits for 120 days following the Insured's discovery of the fraudulent communications as a direct result of the fraudulent communications;
e. External costs associated with the removal of websites designed to impersonate the Insured;

Policy or Insurance
This contract of insurance including the Application, any Declarations, and any endorsements or variations, all material to and forming part hereof;

Policy Period
The period of time between the Inception Date and Time and the Expiration Date and Time specified in Item 2 of the Policy Declarations unless terminated earlier, and specifically excluding any Extended Reporting Period;

Power Failure
Failure in electrical power supply caused by a Security Breach, but only where such power is under the direct operational control of the Insured or the equipment necessary to supply the power is under the direct operational control of the Insured;
Privacy Breach
a. A breach of confidentiality, or infringement or violation of any right to privacy, or a breach of the Named Insured’s privacy policy or of Privacy Regulations; or
b. An accidental release, unauthorized disclosure, loss, theft or misappropriation of Protected Personal Information or confidential corporate information in the care, custody or control of an Insured Entity or Outsourced Service Provider;

Privacy Regulations
Statutes, laws and regulations associated with the confidentiality, access, controls and use of personally identifiable, non-public information, including:
a. Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191);
b. Gramm-Leach-Bliley Act of 1999, also known as the Financial Services Modernization Act of 1999;
c. State and federal statutes and regulations regarding the security and privacy of consumer information;
d. Governmental privacy protection regulations, statutes, or laws associated with the control and use of personal information;
e. Privacy provisions of consumer protection laws, including the Federal Fair Credit Reporting Act;
f. Children’s Online Privacy Protection Act;
g. The EU Data Protection Act or other similar privacy laws worldwide;

Protected Personal Information
With respect to natural persons, any private,
non-public information of any kind in an Insured's care, custody, or control, regardless of the nature or form of such information, including but not limited to the following, but only if such information allows an individual to be uniquely identified:
a. Social security number;
b. Medical service or healthcare data;
c. Driver’s license or state identification number;
d. Equivalents of any of the information listed in a.-c. above;
e. Account, credit card, or debit card number, alone or in combination with any information that permits access to an individual’s financial information, including, but not limit to, security or access code or password; and
f. Other-non-public information to the extent prescribed under Privacy Regulations;
However, Protected Personal Information does not mean publicly available information that is lawfully in the public domain or information available to the general public from government records;

Regulatory Fines and Penalties
Civil fines, monetary penalties payable or a monetary amount which the Insured is legally obligated to deposit in a fund as equitable relief as imposed by a governmental agency or regulatory authority as a result of a breach of the Privacy Regulations;

Related Expenses
Reasonable and necessary costs and expenses the Insured incurs to:
a. Prevent, preserve, minimize, or mitigate any further damage to Digital Assets, including the reasonable and necessary fees and expenses of specialists, outside consultants or forensic experts;
b. Preserve critical evidence of any criminal or malicious wrongdoing;
c. Purchase replacement licenses for computer programs because the copy protection system or access control software was damaged or destroyed by a Loss; or
d. Notify affected individuals of a total or partial interruption, degradation in service, or failure of an Insured’s Computer System resulting from a Loss;

Reputational Loss
Provable and determinable Business Income Loss during the Interruption Period; Reputational Loss shall not mean, and no coverage shall be available for, any of the following:
a. Loss arising out of any liability to a Third Party;
b. Legal costs or legal expenses of any type;
c. Loss incurred as a result of unfavorable business conditions, loss of market or any other consequential loss;
d. Loss, liability, or expense incurred in connection with a Media Event that also affects or refers in similar terms to a general security issue, an industry, or the Insured's specific competitors without any specific allegations regarding a Security Breach, Privacy Breach, Extortion Threat, or Phishing Attack committed by an Insured, or by others acting on your behalf, for
whom you are legally responsible, including Outsourced Service Providers;
e. Costs or expenses the Insured incurs to identify, investigate, respond to or remediate a Privacy Breach, Security Breach, Extortion Threat or Phishing Attack;

Retention
The figures specified in Item 5 of the Policy Declarations that is payable by the Insured in respect of every Claim and Loss;

Security Breach
a. The use of the Computer System by an unauthorized person or persons, or by an authorized person in an unauthorized manner, including social engineering techniques;
b. A Denial of Service attack or DDoS attack;
c. Transmission of Malicious Code;
d. The failure to prevent or hinder participation in a Denial of Service attack from a Computer System;
A series of continuing Security Breaches, or related or repeated Security Breaches arising from the same sequence of events, shall be considered a single Security Breach and be deemed to have occurred at the time of the first such Security Breach;
Specified Property
Any tangible property, other than money or securities, which has intrinsic value;

Subsidiary
Any corporation, limited liability company, or partnership while more than 50% of the outstanding voting securities or shares that represent the present right to vote for the election or appointment or designation of such entity’s directors, managers or equivalent are directly owned or controlled by the Insured; or any joint venture while the Named Insured has managerial control, or while it has the right to elect or designate or otherwise appoint or directly control the appointment of more than 50% of such entity’s directors, trustees, managers or equivalent;

Telecommunications Fraud
The intentional, unauthorized and fraudulent gaining of access to outgoing telephone service through infiltration and manipulation of an Insured Telecommunications System;

Telecommunications Fraud Loss
Charges the Insured incurs for unauthorized calls directly resulting from Telecommunications Fraud;

Telecommunications Systems
Any telephone network or system that the Insured owns, rents, licenses, or borrows.

Third Party
Any person who is not an Employee or any legal entity that is not the Insured.

Unintentional Damage or Destruction
Accidental physical damage to, or destruction of, E-Media so that stored Digital Assets are no longer machine-readable; Accidental damage to, or destruction of, computer hardware so that stored Data is no longer machine-readable; Failure in power supply or under/over voltage, but only if such power supply, including back-up generators, is under the Insured's direct operational control; Electrostatic build-up and static electricity.

Waiting Period
Under Insuring Agreement II. A. Business Interruption and Insuring Agreement II. B.
Contingent Business Interruption, the period of time that commences when the partial or complete interruption, degradation or failure of the Computer System begins, and expires after the number of hours specified in Item 5 of the Policy Declarations. Under Insuring Agreement II. F. Reputational Loss, the period of time that commences when the Media Event occurs and expires after the number of hours specified in Item 5 of the Policy Declarations. Business Income Loss incurred during the Waiting Period is uninsured.

CLAIMS CONDITIONS

Subrogation
If any payment is made under this Policy, the Insured shall maintain all rights of recovery against any Third Party. The Insured shall execute and deliver instruments and papers and do whatever else is necessary to secure such rights, and shall do nothing to prejudice such rights. Any recoveries shall be applied first in payment of the Company's subrogation expenses, secondly to Loss, Damages, Defense Expenses, or any other amounts paid by the Company, thirdly to any uninsured amount, and lastly to the Retention. Any additional amounts recovered shall be paid to the Insured.
Notice of Claim, Loss or Circumstance
If, during the Policy Period, the Control Group becomes aware of a Claim or Loss, the Insured must forward details to the Company as soon as practicable during the Policy Period or the Extended Reporting Period, if applicable. Notice must be provided through the contacts listed in Item 4 of the Policy Declarations. The Insured must report a Claim or Loss regardless of whether the Claim or Loss arises out of any previously reported incident, circumstances, acts, errors or omissions, or related Claim or Loss.

If during the Policy Period, the Control Group becomes aware of any incidents, circumstances, acts, errors or omissions that could reasonably result in a Claim or Loss, the Insured must forward details to the Company as soon as practicable during the Policy Period. Notice must be provided through the contacts listed in Item 4 of the Policy Declarations. Any Claim or Loss arising out of such reported incidents, circumstances, acts, errors or omissions will be deemed to have been made or incurred when the Company first received notice complying with this paragraph.

Any Loss, Claim or incidents, circumstances, acts, errors or omissions that could reasonably result in Loss or a Claim shall be considered properly reported to the Company when notice is provided through the contacts listed in Item 4 of the Policy Declarations.

Dispute Resolution
No legal action shall be instituted by any Insured against the Company in any court in respect of any alleged Defense Expenses or indemnity payable by the Company in respect of any Claim unless, as a condition precedent thereto, there has been full compliance with all the terms of the Policy and the amount of the Insured’s obligation to pay the relevant Third Party Claim shall have been finally determined by judgement or award against the Insured after actual trial or arbitration, or by written agreement of the Insured, the claimant and the Company.
Any person or organization of the legal representative thereof who has secured such judgement, award, or written agreement shall thereafter be entitled to make a Claim under this Policy to the extent of the insurance afforded by this Policy.

No person or organization shall have any right under this policy to join the Company as a party to an action or other proceeding against the Insured to determine the Insured’s liability, nor shall the Company be impleaded by the Insured or the Insured’s legal representative. Bankruptcy or insolvency of the Insured or of the Insured’s estate shall not relieve the Company of their obligations hereunder.

Mediation.
If any dispute arises between any Insured and the Company involving Loss or a Claim under this Policy, such dispute shall be referred by the parties to a qualified mediator to negotiate a resolution of the dispute in good faith, prior to the initiation of any arbitration or other judicial proceedings. The party electing to mediation shall provide written notice to other party of its request to mediate with a brief statement regarding the issue to be mediated. The Named Insured is authorized and directed to accept such Notice of Mediation on behalf of any Insured.

In the event that non-binding Mediation does not resolve or settle the dispute between any Insured and the Company, after 30 days from the date of the Mediation, either party may: commence a judicial proceeding; or seek agreement to submit the matter to final and binding arbitration before either a single mutually agreed arbitrator or a three arbitrator panel whereby the Insured selects one arbitrator, the Company select one arbitrator and the two selected arbitrators agree upon the selection of the third arbitrator.

Defense, Settlement and Investigation of Claims
The Company shall have the right and duty to defend any Claim against the Insured, even if any of the allegations of the Claim are groundless, false, or fraudulent, subject to the Limit of Liability, Exclusions and other terms and conditions of this Policy.

Unless defense counsel or breach counsel is chosen from the list of PreApproved vendors specified on the Policy Declarations, defense counsel or breach counsel shall be appointed with the Company's prior written consent. Such consent shall not be unreasonably withheld. However, in the absence of agreement the Company's decision shall be final.

The Company shall have the right to make any investigation they deem necessary including with respect to the Application or to coverage.
If the Insured refuses to consent to a settlement that the Company recommends, and that the claimant will accept, the Insured must then defend, investigate or settle the Claim at the Insured’s own expense. As a consequence of the refusal to settle as per Company's recommendation, Company's liability for any Claim shall not be more than the amount of the initial recommended settlement plus up to 70% of any additional costs incurred by the Insured above this amount in order to settle this matter, subject always to the limit of the Policy.

No Insured may incur any Defense Expenses, PCI DSS Assessment Expenses, or admit liability for, or settle, any Claim, without the Company's written consent, which shall not be unreasonably withheld. Provided that, if a proposal settlement amount, when combined with any Defense Expenses or PCI DSS Assessment Expenses incurred, does not exceed 50% of the applicable Retention set forth in the Policy Declarations, the Insured may settle a Claim, or accept an offer of settlement, without the prior written consent of the Company. Such settlement must fully resolve the Claim with respect to the Insured and the Company.
CB-101-001

GENERAL CONDITIONS

The Company has no duty to provide coverage under this Policy unless there has been full compliance with all the conditions contained in this Policy. Any clause designated as a condition precedent shall require the entity to which it applies to comply specifically and completely with it and any breach or failure to do so shall entitle the Company to reject all or part of the Claim, Damages, Defense Expenses or Loss or any related Claim or Loss whether or not such breach or failure causes loss, prejudice or damage.

Policy Limits

The Aggregate Limit specified in Item 5 of the Policy Declarations shall be the maximum liability of the Company under this Policy. The limits for each Insuring Agreement specified in Item 5 of the Policy Declarations form part of, and are not in addition to, such Aggregate Limit. After the Policy Limit of Liability has been exhausted, the Company has no obligations to pay any Damages, Defense Expenses, Loss or any other amounts under the Policy, and shall have the right to withdraw from the defense.

Retention and Waiting Period

The Retention amount specified in Item 5 of the Policy Declarations for each Insuring Agreement apply separately to each and every Loss and Claim and shall be satisfied in full by the Insured’s monetary payments of Loss, Damages, or Defense Expenses. The Company shall only be liable for amounts in excess of the Retention, subject to the Limit of Liability. For Insuring Agreements subject to a Waiting Period, the Company will only become liable for any Loss upon expiration of the applicable Waiting Period. Any Loss incurred during the Waiting Period is uninsured.
In the event of a Claim or Loss attaches to more than one Insuring Agreement, only the highest Retention or the longer Waiting Period will apply to that Claim or Loss. The Insured’s payment of the applicable Retention is a condition precedent to the payment by the Company of any amounts covered under the Policy. The Insured shall make direct payments within the Retention to the appropriate parties as designated by the Company.

Related Claims and Loss

All Claims and Loss arising out of the same related or continuing acts, facts, circumstances or events shall be considered a single Claim or Loss, without regard to the number of Insureds, Claims or claimants. All such Claims or Loss shall be deemed to have been made at the time of the first such Claim or Loss.

Cancellation

If this Policy is cancelled by the Named Insured, the Company will refund the unearned premium computed at the Company's short rate then in force. No premium will be refunded where any Claim or circumstance has been notified under this Policy, whether or not it has been accepted for coverage.
Other Insurance

This Policy is excess to any other valid and collectible insurance (or other indemnity) available to the Insured.

Inspection and Audit

The Company shall be permitted, but not obligated, to inspect any of the Insured’s property, operations, or records and take copies of same at any time at the Insured’s cost.

Mergers and Acquisitions

If any Named Insured completes the legal acquisition of another entity during the Policy Period, then that acquired entity will automatically be included as an Insured but only with respect to Claims or Loss sustained or occurring after the date of the acquisition and otherwise qualifying for coverage under this Policy, unless: That acquired entity has an annual revenue of more than 20% of the Named Insured’s annual revenue (evaluated according to the last set of audited accounts formally filed by that entity against the information provided by the Named Insured when applying for this Policy); or Unless that acquired entity stores a total number of unique, personally identifiable records that are in excess of 20% of the total unique, personally identifiable records that the Named Insured stores (as at the date of completion of such acquisition). If the above cover is not automatically provided to the newly acquired entity, to obtain cover the Named Insured must notify and obtain the written consent of the Company prior to the acquisition, and agree to pay any additional premium required.

Assignment

The interest hereunder is not assignable by any qualifying Insured.

Innocent Insured

Whenever coverage under this Policy would be excluded, suspended, or lost owing to non-compliance with Claims Conditions 2.
Notice of claim or circumstance, with respect to which any other Named Insured shall be in default solely as a result of such non-compliance, then such insurance as would otherwise be afforded under this Policy shall cover and be payable to those Insureds who did not personally commit or personally participate in committing or personally acquiesce in such failure to give notice, provided that Insured entitled to the benefit of this provision shall comply with Claims Conditions 2. Notice of Claim or Circumstance promptly after obtaining knowledge of the failure of any other Insured to comply therewith.

Any insurance afforded by this provision shall not cover a Claim if a member of the Control Group knew or should reasonably have known of a Claim or circumstance that could reasonably form the basis of a Claim or Loss and failed to give notice as required by Claims Conditions 2. Notwithstanding the above, the reporting of any such Claim or Loss must be made during the Policy Period or Extended Reporting Period, if applicable.
Whenever coverage this Policy would be excluded, suspended, or lost because of the Insured Misconduct Exclusion, then such insurance as would otherwise be afforded under this Policy shall converge and be payable with respect to those Insureds who did not personally commit, personally participate in committing, personally acquiesce, or remain passive after having personal knowledge thereof, provided that the Insured entitled to the benefit of this provision shall comply with Claims Conditions 2. Notice of Claim or Circumstance promptly after obtaining knowledge of the failure of any other Insured to comply therewith.

Extended Reporting Period

Automatic Extended Reporting Period

The Named Insured shall have a period of sixty (60) days following the end of the Policy Period in which to give written or electronic notice to the Company of any Claim or Loss, but only in respect of any: Claim first made during the Policy Period or Automatic Extended Reporting Period when such Claim is based upon a Security Breach, Privacy Breach or Media Activity prior to the end of the Policy Period or Loss based upon a Security Breach, Privacy Breach, Administrative Error, Power Failure, Unintentional Damage or Destruction, Computer Crime and Computer Attacks, Financial Fraud, Telecommunications Fraud, Phishing Attack or Cyber Extortion Threat during the Policy Period when first discovered by the Control Group during the Policy Period or Automatic Extended Reporting Period and which is otherwise covered by this Policy.

Optional Extended Reporting Period

In the event of cancellation or non-renewal of this Policy, the Named Insured shall have the right to purchase an Optional Extended Reporting Period for additional premium, as stated in Item 7 of the Policy Declarations. Once purchased, the premium for the Extended Reporting Period will be deemed fully earned.
The Company must receive the Named Insured’s request for the Optional Extended Reporting Period by written or electronic notice within thirty (30) days of such cancellation or non-renewal that it requires, and the Company shall provide, an Optional Extended Reporting Period commencing at the end of the Policy Period in which to give written or electronic notice to the Company of any: Claim first made during the Policy Period or Optional Extended Reporting Period when such Claim is based upon a Security Breach, Privacy Breach or Media Activity prior to the end of the Policy Period, or
Loss based upon a Security Breach, Privacy Breach, Administrative Error, Power Failure, Unintentional Damage or Destruction, Computer Crime and Computer Attacks, Financial Fraud, Telecommunications Fraud, Phishing Attack or Cyber Extortion Threat during the Policy Period when first discovered by the Control Group during the Policy Period or Optional Extended Reporting Period and which is otherwise covered by this Policy.

The payment of the additional premium for the Optional Extended Reporting Period must be paid to the Company within thirty (30) days of the non-renewal or cancellation. The Limit of Liability for any Extended Reporting Period shall be part of, and not in addition to, the Limit of Liability for the Policy Period. The right to any Extended Reporting Period shall not be available to the Insured where cancellation or non-renewal by the Company arises through non-payment of premium or the Insured’s failure at any time to pay amounts within the applicable Retention.

Change of Control

In the event of the Named Insured’s acquisition by or merger into another entity, or the Named Insured’s liquidation or dissolution, the Named Insured may notify the Company within sixty (60) days of the actual change of control of the Named Insured’s election for an Extended Reporting Period of twelve (12) months from the date of such change of control. Such Extended Reporting Period shall cover Claims reported or Loss notified to the Company during this change of control Extended Reporting Period, but only in respect of any Claim made during the Policy Period or Loss incurred during the Policy Period which is otherwise covered by this Policy.

Assistance and Cooperation

The Insured shall cooperate with the Company in all investigations relating to this Policy.
The Insured shall execute or cause to be executed all documents and papers and render all assistance as requested by the Company, including providing copies of a Third Party’s system security and event logs. Upon the Company's request, the Insured shall assist in making settlements, in the conduct of all third party dispute resolution procedures and in enforcing any right of contribution or indemnity against any person or organization who may be liable to the Insured with respect to which insurance is afforded under this Policy, and the Insured shall attend hearings and trials and assist in securing and giving evidence and obtaining the attendance of witnesses at the Insured’s own cost. It is a condition precedent to the Company's liability that the Insured shall not admit liability, make any payment, assume any obligations, incur any expense, enter into any settlement, stipulate to any judgement or award, or dispose of any Claim without the Company's prior written consent. However, the prompt public admission of a Privacy Breach potentially impacting non-public personally identifiable information as required by governmental privacy legislation or credit card association operating requirements will not be considered as an admission of liability requiring the Company's prior consent.
The Company shall have the right to make any investigation they deem necessary with respect to coverage including the Application. The Insured shall submit for examination under oath by the Company's representative, if requested, in connection with all matters relating to this Policy.

Warranty by the Named Insured

By acceptance of this Policy, all Insureds agree that the statements in the Application are their agreements and representations, which shall be deemed material to the risk, and that this Policy is issued in reliance upon the truth thereof. The misrepresentation or non-disclosure in the Application of any material matter by the Insured or its agent will render the Policy null and void and relieve the Company from all liability under the Policy.

Forfeiture

Any: Action or failure to act by the Insured with the intent to defraud the Company; or Material misrepresentation or non-disclosure of any material fact or claims by the Insured in the Application or in any supplemental materials submitted to the Company: Shall render this Policy null and void, and all coverage hereunder shall be forfeited.

Construction and Interpretation

Any reference to legislation, statute, regulation or law includes any similar or related law, statute, ordinance, or regulation, any amendments, and any rules or regulations or executive orders promulgated thereunder, or by a federal, state, local or other agencies or similar bodies thereof.
Any reference to a regulatory or investigative or other state or local governmental body includes any similar, subsidiary or related agency or body. All or part of any provision of this Policy which is or becomes void or illegal, invalid or unenforceable by a court or other competent body under the law of any applicable jurisdiction shall be deleted. The parties shall use their best efforts to agree a replacement for the provision deleted which achieves as far as possible the same effect as would have been achieved by the deleted provision had it remained enforceable.

Coverage Territory

Coverage under this Policy applies anywhere in the world.

This Endorsement changes the Policy. Please read it carefully.

SMART CYBER INSURANCE ENDORSEMENT

Amend Other Insurance Provision

In consideration of the premium charged, it is hereby understood and agreed that the Policy is amended as follows: General Conditions 5.
Other Insurance is deleted in its entirety and replaced with the following: This Policy is primary to any other valid and collectible insurance available to the Insured.

This endorsement is to take effect on: TBD
Policy Number: TBD
Policy Inception Date: TBD
Policy Expiration Date: TBD
Endorsement Number: CB-125-001

All other terms and conditions of the Policy remain unchanged.

This Endorsement changes the Policy. Please read it carefully.

SMART CYBER INSURANCE ENDORSEMENT

Bricking Endorsement

In consideration of the premium charged, up to the amount of $2,000,000 subject to an applicable Retention of $100,000, it is hereby understood and agreed that the Policy to which this endorsement attaches is amended as follows: Exclusions, Property Damage is deleted in its entirety and replaced with the following:

Property Damage

Physical Injury to, or impairment, destruction or corruption of, any tangible property, including personal property in the care, custody or control of the Insured. Data and Digital Assets are not tangible property and are not Property Damage. Property Damage does not include the loss of use of electronic equipment caused by the reprogramming of the software (including firmware) of such electronic equipment rendering it useless for its intended purposes.

The definition of Security Breach is amended to include the following sentence to the end thereof: e.
The loss of use of all or part of a Computer System caused by the unauthorized reprogramming of software (including firmware) which renders such Computer System, or any component thereof, nonfunctional or useless for its intended purpose;

This endorsement is to take effect on: TBD
Policy Number: TBD
Policy Inception Date: TBD
Policy Expiration Date: TBD
Endorsement Number: CB-126-002

All other terms and conditions of the Policy remain unchanged.

This Endorsement changes the Policy. Please read it carefully.

SMART CYBER INSURANCE ENDORSEMENT

CRC Smart Cyber Amendatory Endorsement

In consideration of the premium charged, it is hereby understood and agreed that the Policy to which this endorsement attaches is amended as follows:

On the Policy Declarations, Item 6 B. Business Interruption, Contingent Business Interruption, System Failure Coverage and Reputational Loss Coverage Period of Indemnity shall be 12 months;

On the Policy Declarations, Item 8 Extended Reporting Period is deleted and replaced with the following:
1 year: 90% of the annual policy premium
2 years: 150% of the annual policy premium
3 years: 175% of the annual policy premium

First Party Insuring Agreement II.
A Business Interruption is deleted and replaced with the following: Business Income Loss and Extra Expenses incurred during the Interruption Period directly as a result of the total, or partial, or intermittent interruption or degradation in service of an Insured's Computer System caused directly by a Privacy Breach, Security Breach, Administrative Error, Power Failure, or Preventative Shutdown.

First Party Insuring Agreement II. B Contingent Business Interruption is deleted and replaced with the following: Business Income Loss and Extra Expenses incurred during the Interruption Period caused directly as a result of the total, partial, or intermittent interruption or degradation in service of the Computer System of an Outsourced Service Provider caused directly by a Privacy Breach, Security Breach, Administrative Error or Preventative Shutdown at that Outsourced Service Provider.

First Party Insuring Agreement II. D. System Failure is deleted and replaced with the following:

D. System Failure and Contingent System Failure Coverage

Business Income Loss, Extra Expenses, and Digital Asset Loss incurred during the Interruption Period directly as a result of any unintentional and unplanned total or partial outage of the Insured's Computer System that is not caused by a Security Breach, Privacy Breach, Cyber Extortion Threat, Phishing Attack, Financial Fraud, Telecommunications Fraud, or Contingent System Failure;

Business Income Loss, Extra Expenses, and Digital Asset Loss incurred during the Interruption Period directly as a result of any unintentional and unplanned total or partial outage of an Outsourced Service Provider's Computer System that is not caused by a Security Breach, Privacy Breach, Cyber Extortion Threat, Phishing Attack, Financial Fraud, Telecommunications Fraud, or Contingent Business Event.
CB-151-003

2. The following definitions are added to the Policy:

Contingent Business Event

The acquisition, access, or disclosure of Protected Personal Information or confidential corporate information by a person or entity, or in a manner, that is unauthorized by the Outsourced Service Provider; A threat from a Third Party to commit an intentional attack against the Outsourced Service Provider's Computer System or publicly disclose Protected Personal Information or confidential corporate information misappropriated from the Outsourced Service Provider if money, securities, or Specified Property is not paid; or Any failure by the Outsourced Service Provider or by others on the Outsourced Service Provider's behalf (including the Outsourced Service Provider's subcontractors, outsourcers, or independent contractors) in securing the Outsourced Service Provider Computer System.

Contingent System Failure

Any unintentional and unplanned total or partial outage of an Outsourced Service Provider's Computer System that is not caused by a Contingent Business Event.
Definitions, Claim, is deleted and replaced with the following: The following, when first received in writing or by electronic notice by any Insured during the Policy Period or, if applicable, an Extended Reporting Period: A notice of an intention to hold the Insured responsible for Damages, including the service of legal proceedings, the institution of arbitration or mediation, or a written request to toll or waive a statute of limitations against any of the Insureds. A request for information, civil investigative demand, formal civic administrative proceeding or formal regulatory action only to the extent covered by Insuring Agreement I. B. Regulatory Investigations, Fines, and Penalties; A demand for PCI DSS Assessment Expenses only to the extent covered by Insuring Agreement I. D. PCI DSS Assessment Expenses. With respect to Insuring Agreements I.A. Network Security and Privacy Liability, and I.C. Media Liability only, a written demand made against an Insured for Damages or non-monetary relief; First receipt by any Insured is deemed to be first receipt by all Insureds.
Definitions, Damages, is deleted and replaced with the following: The amount an Insured is legally obligated to pay in respect of: a Claim, including a monetary judgement, award or settlement, interest and a claimant's legal costs; liquidated, punitive, multiplied and exemplary damages, to the extent such damages are insurable under the law pursuant to which this Policy is construed; Regulatory Fines and Penalties only to the extent covered by Insuring Agreement I. B. Regulatory Investigations, Fines, and Penalties; and PCI DSS Assessment Expenses only to the extent covered by Insuring Agreement I. D.;

Damages shall not include: Future profits or royalties, restitution, or disgorgement of the Insured's profits; The cost of complying with orders granting injunctive or non-monetary relief, including specific performance, or any agreement to provide such relief; Loss of the Insured's fees or profits, return or offset of the Insured's fees or charges (invoiced or not), or the Insured's commissions or royalties provided or contracted to be provided; Fines, taxes or loss of tax benefits, sanctions unless covered under Insuring Agreement I.B. Regulatory Investigations, Fines, and Penalties and unless covered under Insuring Agreement I.D.
Payment Card Industry Fines, Assessments and Expenses; Liquidated damages to the extent that such damages exceed the amount for which the Insured would have been liable in the absence of such liquidated damages agreement, unless covered under Coverage I.D. Payment Card Industry Fines, Assessments and Expenses; Any amount which the Insured is not legally obligated to pay; and Amounts which are uninsurable under the law pursuant to which this Policy is construed;

With respect to the insurability of Damages, the applicable law will be the law of the state most favorable to the Insured, provided that the state whose law is most favorable to the Insured has a reasonable relationship to the Claim. A state's law will be considered to have a reasonable relationship to the Claim if it is the state where: The Named Insured is incorporated or has a place of business; The claim is pending; or The acts giving rise to the claim were committed or allegedly committed.
Definitions, Digital Assets is deleted and replaced with the following: The Insured's digital files including Data, computer programs, electronic documents and audio content stored by the Insured's Computer System; Data owned by or entrusted to the Insured that is being held, stored, maintained, transferred or processed by an Outsourced IT Service Provider on the Insured's behalf.

Definitions, Privacy Breach is deleted and replaced with the following: A breach of confidentiality, or infringement or violation of any right to privacy, or a breach of the Named Insured's privacy policy or of Privacy Regulations; or An accidental release, unauthorized disclosure, loss, theft or misappropriation of Protected Personal Information or confidential corporate information in the care, custody or control of an Insured Entity or Outsourced Service Provider; A failure to prevent a privacy breach or failure to implement, maintain, or comply with privacy policies and procedures that identify the Insured's obligations relating to Protected Personal Information, including but not limited to the Insured's privacy policy.

Definitions, PCI DSS Assessment Expenses is deleted and replaced with the following: Payment Card Industry forensic investigation costs, fines or penalties, assessments, including fraud loss recoveries and card replacement costs, and administrative costs that the Insured is legally obligated to pay under the terms of a Merchant Services Agreement as a result of the Insured's actual or alleged non-compliance with Payment Card Industry Data Security Standards.
PCI DSS Assessment Expenses includes costs related to PCI recertification or a PCI forensic investigator to investigate the existence and extent of an actual or reasonably suspected Security Breach involving payment card data and for a Qualified Security Assessor to certify and assist in attesting to the Insured's PCI compliance, as required by a Merchant Services Agreement. PCI DSS Assessment Expenses does not include any other ongoing obligations or audits following the imposition of an assessment, fine or penalty.

Definitions, Computer System paragraph is deleted and replaced with the following: A system of interconnected hardware and peripherals, and associated software, including Internet of Things (IoT) devices, systems and application software, terminal devices, related communication networks, mobile devices, storage and back-up devices, and industrial systems operated by the Insured or an Outsourced Service Provider;
Definitions, Control Group is deleted and replaced with the following: Any of the Chief Executive Officer, Chief Financial Officer, Chief Information Officer, Chief Legal Officer/ General Counsel, Risk Manager or functional equivalent;

Definitions, Financial Fraud, b., is deleted and replaced with the following: b. An intentional, unauthorized and fraudulent written, electronic or telephonic instruction transmitted to a financial institution by an Executive or Employee as a result of that Executive or Employee receiving intentional, misleading or deceptive telephonic or electronic communications from a Third Party falsely purporting to be the Insured or the Insured's client, vendor, Executive or Employee, and which directs the financial institution to debit the Insured's account and to transfer, pay or deliver money, securities, or Specified Property from the Insured's account; or

Definitions, Interruption Period part a. is deleted and replaced with the following: The date of full system restoration of the Computer System plus up to 60 days thereafter if necessary to allow for restoration of the Insured's business; or

Definitions, Media Activities b.
is deleted and replaced with the following: Infringement, interference, or invasion of an individual's right or privacy or publicity, including false light, intrusion upon seclusion, misappropriation of likeness, and public disclosure of private facts;

Definitions, Media Activities f. is amended to include the following: f. Negligence in Media Material, including a Claim alleging harm to any person or entity that acted or failed to act in reliance upon such Media Material;

Definitions, Media Material is amended to include the following: Media Material also includes content posted by users to any website that is operated and managed by the Insured.

Definitions, Preventative Shutdown is added and means: An Insured's reasonable and necessary intentional shutdown of: With respect to Insuring Agreement II. A Business Interruption, an Insured's Computer System, but only to the extent that such shut down:
is in response to an actual or credible threat of Computer Crime and Computer Attacks expressly directed against such Insured's Computer System which may reasonably be expected to cause an interruption in service in the absence of such shutdown; and serves to mitigate, reduce, or avoid Business Income Loss as a result of the actual or credible threat of such Computer Crime and Computer Attacks; or With respect to Insuring Agreement II. B. Contingent Business Interruption, the Insured's access or connectivity to an Outsourced Service Provider's Computer Network, but only to the extent that such shutdown: is in response to actual Computer Crime and Computer Attacks against such Outsourced Service Provider's Computer Network which may reasonably be expected to cause an interruption in service in the absence of such shutdown; and serves to mitigate, reduce, or avoid Business Income Loss as a result of such Computer Crime and Computer Attacks.

Definitions, Subsidiary is deleted and replaced with the following: Any entity while more than 50% of the outstanding voting securities or shares that represent the present right to vote for the election or appointment or designation of such entity's directors, managers or equivalent are directly owned or controlled by the Insured; or any joint venture while the Named Insured has managerial control, or while it has the right to elect or designate or otherwise appoint or directly control the appointment of more than 50% of such entity's directors, trustees, managers or equivalent;

Definitions, Insured, e., is deleted and replaced with the following: Any legal entity required by written contract to be named as an additional insured under this Policy, but only for the acts of any above parties (a) through (d), as detailed under the Insuring Agreements purchased;

General Conditions 2. Retention and Waiting Period is amended to include the following: Solely with respect to Insuring Agreement II. E.
Social Engineering and Cyber Crime Coverage, the Company will recognize erosion of the Retention by any payments made by or on behalf of the Insured pursuant to such commercial crime policy issued to the Insured but only if such payments for loss would be otherwise covered by the Social Engineering and Cyber Crime insuring agreement;

General Conditions 7. Mergers and Acquisitions is deleted and replaced with the following: If any Named Insured completes the legal acquisition of another entity during the Policy Period, then that acquired entity will automatically be included as an Insured but only with respect to Claims or Loss sustained or occurring after the date of the acquisition and otherwise qualifying for coverage under this Policy, unless that acquired entity has an annual revenue of more than 35% of the Named Insured’s annual revenue (evaluated according to the last set of audited accounts formally filed by that entity against the information provided by the Named Insured when applying for this Policy)
If the annual revenues of the newly acquired entity exceed the threshold above, the Named Insured must notify and obtain the written consent of the Company within 60 days of the acquisition and agree to pay any additional premium required. The newly acquired entity will automatically be included as an insured for 60 days after the acquisition but only with respect to Claims or Loss sustained or occurring after the date of acquisition and otherwise qualifying for coverage under this Policy.

Claims Conditions 2. Notice of Claim, Loss or Circumstance is deleted and replaced with the following: Notice of Claim, Loss or Circumstance If, during the Policy Period, the Control Group becomes aware of a Claim or Loss, the Insured must forward details to the Company as soon as practicable during the Policy Period or the Extended Reporting Period, if applicable, but no later than sixty (60) days after expiration of this Policy, through the persons named in the Policy Declarations. The Insured must report a Claim or Loss regardless of whether the Claim or Loss arises out of any previously reported incident, circumstances, acts, errors or omissions, or related Claim or Loss. If during the Policy Period, the Control Group becomes aware of any incidents, circumstances, acts, errors or omissions that could reasonably result in a Claim or Loss, the Insured must forward details to the Company as soon as practicable during the Policy Period through the persons named in the Policy Declarations. Any Claim or Loss arising out of such reported incidents, circumstances, acts, errors or omissions will be deemed to have been made or incurred when the Company first received notice complying with this paragraph.
Any Loss, Claim or incidents, circumstances, acts, errors or omissions that could reasonably result in Loss or a Claim shall be considered properly reported to the Company when notice is first given, as specified under Item 4 of the Policy Declarations.

Claims Conditions - Defense, Settlement, and Investigation of Claims, paragraph (d) is deleted in its entirety and replaced with the following: d. If the Insured refuses to consent to a settlement that the Company recommends, and that the claimant will accept, the Insured must then defend, investigate or settle the Claim at the Insured's own expense. As a consequence of the refusal to settle as per Company's recommendation, Company's liability for any Claim shall not be more than the amount of the initial recommended settlement plus 70% of any additional costs incurred by the Insured above this amount in order to settle this matter, subject always to the limit of the Policy. The remaining thirty percent (30%) of such additional costs will be borne by the Insured at the Insured's own risk and will be uninsured under this Policy. This clause will not apply to any settlement where the total incurred Damages do not exceed the applicable Retention.

This endorsement is to take effect on: TBD Policy Number: TBD Policy Inception Date: TBD Policy Expiration Date: TBD Endorsement Number: CB-151-003 All other terms and conditions of the Policy remain unchanged.

This Endorsement changes the Policy. Please read it carefully. SMART CYBER INSURANCE ENDORSEMENT California Consumer Privacy Act Endorsement

In consideration of the premium charged, it is hereby understood and agreed that the Policy to which this endorsement attaches is amended as follows: Definitions, Privacy Regulations, is amended to include the following: The California Consumer Privacy Act or any rules or regulations promulgated thereunder. Exclusion, 21.
Anti-Trust Laws and Unfair Competition will not apply to claims grounded in the California Consumer Privacy Act, provided no member of the Control Group participated or colluded in the activities or incident giving rise to coverage under this endorsement.

This endorsement is to take effect on: TBD Policy Number: TBD Policy Inception Date: TBD Policy Expiration Date: TBD Endorsement Number: CB-194-001 All other terms and conditions of the Policy remain unchanged.

This Endorsement changes the Policy. Please read it carefully. SMART CYBER INSURANCE ENDORSEMENT Coverage for Certified Acts of Terrorism Endorsement

You and the Company agree to the following: Exclusions, item 19. is deleted and replaced with the following: 7. Terrorism; Any act of terrorism. This exclusion shall apply and prevent any and all coverage for claims arising from terrorism, regardless of whether any other cause or event that otherwise would be covered contributes in any way to the loss. This exclusion does not apply to a Certified Act of Terrorism, or to a terrorist event perpetrated by electronic or internet based applications or means, however: Except for a terrorist event perpetrated by electronic or internet based applications or means, the Company will not pay any amounts for which the Company is not responsible under the terms of the federal Terrorism Risk Insurance Act of 2002 as amended (the “Act”); and The amendment of this exclusion does not create coverage for any loss that would otherwise be excluded under the Policy.
All other policy terms and conditions, including the Policy’s exclusions, remain in full force and effect, even in the event of a Certified Act of Terrorism.

Definitions is changed to add the following: Certified Act of Terrorism means an act that is certified by the Secretary of the Treasury, in consultation with the Secretary of Homeland Security and the Attorney General of the United States, to be an act of terrorism pursuant to the federal Terrorism Risk Insurance Act (the “Act”). Section 102(1) of the Act requires such act be certified to be an act of terrorism and resulted in insured losses in excess of $5 million in the aggregate, attributable to all types of insurance subject to the Act; to be a violent act or an act that is dangerous to human life, property or infrastructure; to have resulted in damage within the United States, or outside the United States in the case of certain air carriers or vessels or the premises of a United States mission; and to have been committed by an individual or individuals as part of an effort to coerce the civilian population of the United States or to influence the policy or affect the conduct of the United States Government by coercion.
In all other respects, the policy remains the same.

NOTICE COVERAGE FOR CERTIFIED ACTS OF TERRORISM IS INCLUDED IN YOUR POLICY. UNDER YOUR COVERAGE, ANY LOSSES RESULTING FROM CERTIFIED ACTS OF TERRORISM MAY BE PARTIALLY REIMBURSED BY THE UNITED STATES GOVERNMENT UNDER A FORMULA ESTABLISHED BY THE TERRORISM RISK INSURANCE ACT, AS AMENDED. HOWEVER, YOUR POLICY MAY CONTAIN OTHER EXCLUSIONS WHICH MIGHT AFFECT YOUR COVERAGE, SUCH AS AN EXCLUSION FOR NUCLEAR EVENTS. UNDER THE FORMULA, THE UNITED STATES GOVERNMENT GENERALLY REIMBURSES 85% THROUGH 2015; 84% BEGINNING ON JANUARY 1, 2016; 83% BEGINNING ON JANUARY 1, 2017; 82% BEGINNING ON JANUARY 1, 2018; 81% BEGINNING ON JANUARY 1, 2019 AND 80% BEGINNING ON JANUARY 1, 2020 OF COVERED TERRORISM LOSSES EXCEEDING THE STATUTORILY ESTABLISHED DEDUCTIBLE PAID BY THE INSURANCE COMPANY PROVIDING THE COVERAGE. THE TERRORISM RISK INSURANCE ACT, AS AMENDED, CONTAINS A $100 BILLION CAP THAT LIMITS U.S. GOVERNMENT REIMBURSEMENT AS WELL AS INVESTORS’ LIABILITY FOR LOSSES RESULTING FROM CERTIFIED ACTS OF TERRORISM WHEN THE AMOUNT OF SUCH LOSSES EXCEEDS $100 BILLION IN ANY ONE CALENDAR YEAR. IF THE AGGREGATE INSURED LOSSES FOR ALL INSURERS EXCEED $100 BILLION, YOUR COVERAGE MAY BE REDUCED.

This endorsement is to take effect on: TBD Policy Number: TBD Policy Inception Date: TBD Policy Expiration Date: TBD Endorsement Number: CB-202-001 All other terms and conditions of the Policy remain unchanged.
This Endorsement changes the Policy. Please read it carefully. SMART CYBER INSURANCE ENDORSEMENT Criminal Reward Expenses Endorsement

In consideration of the premium charged, it is hereby understood and agreed that the Policy to which this endorsement attaches is amended as follows: The Company will pay for the Reward Expenses up to the amount of $50,000 subject to an application retention of $100,000 incurred by the Insured and approved in writing in advance by the Company, but only if a written request for indemnification is made by a member of the Control Group to the Company in accordance with Claims Conditions, section 2. Notice of Claim, Loss or Circumstance.

Reward Expenses means the reasonable amount that the Insured pays to an Informant for information not otherwise available, and which leads to the arrest and conviction of any person who commits an illegal act that causes a Loss.

Informant means any person, other than a member of the Control Group, who provides information regarding an illegal act committed by another person which causes a Loss, solely in return for money that the Insured pays or promises to pay.
Informant does not include: 1) any person who commits an illegal act which causes a Loss, whether acting alone or in collusion with others; 2) any Insured; 3) any Insured's auditors, whether internal or external; 4) any person or firm hired or retained to investigate a Loss;

This endorsement is to take effect on: TBD Policy Number: TBD Policy Inception Date: TBD Policy Expiration Date: TBD Endorsement Number: CB-123-001 All other terms and conditions of the Policy remain unchanged.

This Endorsement changes the Policy. Please read it carefully. SMART CYBER INSURANCE ENDORSEMENT Cryptojacking Endorsement

In consideration of the premium charged, it is hereby understood and agreed that the Policy to which this endorsement attaches is amended as follows: Definitions, Telecommunications Fraud Loss is deleted and replaced with the following: Charges the Insured incurs for unauthorized calls directly resulting from Telecommunications Fraud and Cryptojacking Fraud. Definitions, Cryptojacking Fraud is added to the policy and means: The secret use of your Telecommunications Systems by a Third Party to mine cryptocurrency.
This endorsement is to take effect on: TBD Policy Number: TBD Policy Inception Date: TBD Policy Expiration Date: TBD Endorsement Number: CB-155-001 All other terms and conditions of the Policy remain unchanged.

This Endorsement changes the Policy. Please read it carefully. SMART CYBER INSURANCE ENDORSEMENT Forensic Accounting Coverage

In consideration of the premium charged, it is hereby understood and agreed that the Policy is amended as follows: The definition of Business Income Loss is amended to include the following: c. Forensic Accounting Costs; provided however, that the Company’s maximum liability for such costs shall be $50,000, which amount shall be part of, and not in addition to, the limit of liability for Insuring Agreement II. A Business Interruption and Insuring Agreement II. B. Contingent Business Interruption.

Forensic Accounting Costs means those costs and expenses of establishing or proving an Insured’s Loss under Insuring Agreement II. A Business Interruption and Insuring Agreement II. B. Contingent Business Interruption, including, without limitation, those connected with preparing a proof of loss. All loss described in this paragraph must be reported, and all proofs of loss must be provided, to the Underwriters no later than 6 months after the end of the Policy Period.

This endorsement is to take effect on: TBD Policy Number: TBD Policy Inception Date: TBD Policy Expiration Date: TBD Endorsement Number: CB-136-001 All other terms and conditions of the Policy remain unchanged.
This Endorsement changes the Policy. Please read it carefully. SMART CYBER INSURANCE ENDORSEMENT GDPR Coverage

In consideration of the premium charged, it is hereby understood and agreed that the Policy is amended as follows:

A. The following Insuring Agreement is added to the Policy, under Third Party Insuring Agreements: I. Amounts which the Insured is legally obligated to pay as a direct result of a Claim first made against the Insured during the Policy Period, and reported in writing or by electronic notice to the Company during the Policy Period or Extended Reporting Period, if applicable, for General Data Protection Regulation.

B. The following definition is added to the DEFINITIONS section of the Policy: General Data Protection Regulation Damages, Regulatory Fines and Penalties and Defense Expenses which the Insured is legally obligated to pay because of any Claim first made against any Insured during the Policy Period for a violation of the EU General Data Protection Regulation (or legislation in the relevant EU jurisdiction implementing this Regulation) arising from a Security Breach or Privacy Breach.

C.
Solely for purposes of coverage provided by this Endorsement, the definition of Claim is amended to include a request for information or institution of a regulatory proceeding against any Insured under the General Data Protection Regulation Insuring Agreement for a violation of the EU General Data Protection Regulation (or legislation in the relevant EU jurisdiction implementing this Regulation).

D. Solely for purposes of coverage provided by this Endorsement, Exclusion 21. Anti-Trust Laws and Unfair Competition shall not apply to the General Data Protection Regulation insuring agreement, provided no member of the Control Group participated or colluded in the activities or incident giving rise to coverage under such insuring agreement.

E. Solely for purposes of coverage provided by this Endorsement, Exclusion 10. Government Intervention is deleted.

This endorsement is to take effect on: TBD Policy Number: TBD Policy Inception Date: TBD Policy Expiration Date: TBD Endorsement Number: CB-111-003 All other terms and conditions of the Policy remain unchanged.
This Endorsement changes the Policy. Please read it carefully. SMART CYBER INSURANCE ENDORSEMENT Invoice Manipulation Loss

In consideration of the premium charged, up to the amount of $100,000 subject to an applicable retention of $100,000, it is hereby understood and agreed that the Policy to which this endorsement attaches is amended as follows: Clause II. E. Social Engineering and Cyber Crime Coverage is amended to include: Invoice Manipulation Loss Insured’s Direct Net Loss resulting directly from the Insured’s inability to collect Payment for goods, products or services after such goods, products or services have been transferred to a Third Party, as a result of an Invoice Manipulation Loss that the Insured first discovers during the Policy Period:

DEFINITIONS is amended to include: Direct Net Loss means the direct net cost to the Insured to provide goods, products or services to a Third Party. Direct Net Loss will not include any profit to the Insured as a result of providing such goods, products or services. Invoice Manipulation Loss means the release or distribution of any fraudulent invoice or fraudulent payment instruction to a Third Party as a direct result of a Security Breach or a Privacy Breach. Payment means currency, coins or bank notes in current use and having a face value.
This endorsement is to take effect on: TBD Policy Number: TBD Policy Inception Date: TBD Policy Expiration Date: TBD Endorsement Number: CB-133-001 All other terms and conditions of the Policy remain unchanged.

This Endorsement changes the Policy. Please read it carefully. SMART CYBER INSURANCE ENDORSEMENT Loss of Funds Exclusion Carveback

In consideration of the premium charged, it is hereby understood and agreed that the Policy is amended as follows: Exclusions, exclusion #13 is deleted in its entirety and replaced with the following: 13. Loss of Funds Loss, decrease in value or theft of securities or currency; Trading losses, liabilities or changes in trading account value; or The value of electronic funds, money, securities or wire transfer; However, this exclusion does not apply to Insuring Agreement II.E. Social Engineering and Cyber Crime Coverage.

This endorsement is to take effect on: TBD Policy Number: TBD Policy Inception Date: TBD Policy Expiration Date: TBD Endorsement Number: CB-128-001 All other terms and conditions of the Policy remain unchanged.
This Endorsement changes the Policy. Please read it carefully. SMART CYBER INSURANCE ENDORSEMENT Manuscript Specified Entity Exclusion

Any event originating at or involving the City's utility operations

This endorsement is to take effect on: TBD Policy Number: TBD Policy Inception Date: TBD Policy Expiration Date: TBD Endorsement Number: CB-300-001 All other terms and conditions of the Policy remain unchanged.

This Endorsement changes the Policy. Please read it carefully. SMART CYBER INSURANCE ENDORSEMENT Solicitation Claims Endorsement

In consideration of the premium charged, it is hereby understood and agreed that the Policy to which this endorsement attaches is amended as follows: General Conditions Policy Limits is amended by the addition of the following: Any Solicitation Claim will be subject to the sub-limits set forth below. The limits shown below will be the exclusive limits applicable to Solicitation Claims. Such sub-limits are part of, and will erode, the Limits of Liability set forth in Item 5.A. of the Declarations for the Network Security and Privacy Liability insuring agreement or the Regulatory Investigations, Fines and Penalties insuring agreement, whichever applies, and the Maximum Policy Aggregate Limit of Liability set forth in Item 5.C. of the Declarations.
Solicitation Claim sublimit: $50,000 each Solicitation Claim $50,000 Aggregate Denitions, Privacy Regulations, is amended to include the following: CAN-SPAM Act of 2003; Truth In Caller Act of 2009; and Telephone Consumer Protection Act of 1991. Denitions is amended to include the following denition: Solicitation Claim means any Claim under the Network Security and Privacy Liability insuring agreement or Regulatory Investigations, Fines and Penalties insuring agreement for, based upon, arising from, in consequence of, or in any way involving any actual or alleged Privacy Breach in violation of the CAN-SPAM Act of 2003, the Truth In Caller Act of 2009, or the Telephone Consumer Protection Act of 1991, as amended, or any regulation promulgated under the foregoing statutes, or any federal, state, local or foreign laws similar to the foregoing statutes, whether such law is statutory, regulatory or common law. 1 of 2 1. 2. A. B. C. 3. This endorsement is to take eect on: TBD Policy Number: TBD Policy Inception Date: TBD Policy Expiration Date: TBD Endorsement Number: CB-120-001 All other terms and conditions of the Policy remain unchanged.SPECIMENlimits shown below will bs shown below will b re part of, and will erode, there part of, and will erode, the etwork Security and Privacy Litwork Security and Pr Penalties insuring agreement, wnalties insuring agreement set forth in Item 5.C. of the Dein Item ed to include the following:o include the follo nd tection Act of 1991.Ac d to include the following deto include the following denn means anyns a ClaimClaim under the N Regulatory Investigations, Fineegulatory Investigations, Fi , in consequence of, or in any in consequence of, or in any of the CAN-SPAM Act of 2003,f the CAN-SPAM Act of 2003 ction Act of 1991, as amendedt of 1991, y federal, state, local or foreigy federal, state, lo regulatory or common law.regulatory or common l dorsement is to tto ber:TBDTBD nD CB-120-001 This Endorsement changes the Policy. 
Please read it carefully. SMART CYBER INSURANCE ENDORSEMENT Specied Claim(s) Exclusion In consideration of the premium charged, it is hereby understood and agreed that the Policy is amended as follows: The Company shall not be liable for any Claim, Damages, Defense Expenses or Loss based upon, arising out of, or in any way attributable to Prior event reported to Brit. 1 of 1 This endorsement is to take eect on: TBD Policy Number: TBD Policy Inception Date: TBD Policy Expiration Date: TBD Endorsement Number: CB-146-001 All other terms and conditions of the Policy remain unchanged.SPECIMENe read it carefully.t carefully. DORSEMENTORSEMENT s) Exclusionxclusi understood and agreed that tnderstood and agreed m, ,DamagesDamage,Defense Expensse E event reported to Brit. event reported to ct on: TBDTBD D TBDD ber:CB-146-00146-001 All other terms and cother terms and c CB-146-001 This Endorsement changes the Policy. Please read it carefully. SMART CYBER INSURANCE ENDORSEMENT War Exclusion Cyber Terrorism Carveback In consideration of the premium charged, it is hereby understood and agreed that the Policy to which this endorsement attaches is amended as follows: Exclusion 23., War is deleted and replaced with the following: Conscation, nationalization, requisition, strikes, labor strikes or similar labor actions; war, invasion, or warlike operations, civil war, mutiny, rebellion, insurrection, civil commotion assuming the proportions of or amounting to an uprising, military coup or usurped power. 
This exclusion shall not apply to a terrorist event perpetrated by electronic or internet-based applications or means; 1 of 1 This endorsement is to take eect on: TBD Policy Number: TBD Policy Inception Date: TBD Policy Expiration Date: TBD Endorsement Number: CB-167-001 All other terms and conditions of the Policy remain unchanged.SPECIMENarefully.arefu ENTENT m CarvebackCarveba ood and agreed that the Policyd and agreed that the Policy ollowing:owing: s, labor strikes or similar labor abor strikes or similar on, insurrection, civil commotion, insurrection, civil com r usurped power.r usurped power. errorist event perpetrated by rist event perpetrated by take eke ect on:on: TBDT Date:Date: TBDTBD ion Date:on D TBDD ent Number: umb CB-167-001B-1 All other terAll CB-167-001