Exhibit 2 - Corvus Cyber Insurance Proposal
5555 Triangle Parkway, Suite 400
Norcross, GA 30092
Phone: 770-448-7148
Sep 24, 2021
Jennifer Cobb
Lockton Companies, LLC - Dallas
2100 Ross Ave. Suite 1400
Dallas, TX 75201
Re: City of Denton, Texas, Ref# 9692496-A
Proposed Effective 10/1/2021 to 10/1/2022
Dear Jennifer:
We are pleased to confirm the attached quotation for CYBER being offered with Accredited Specialty
Insurance Company. This carrier is Non-Admitted in the state of TX. Please note that this quotation is
based on the coverage, terms and conditions as stated in the attached quotation, which may be different from
those requested in your original submission. As you are the representative of the Insured, it is incumbent
upon you to review the terms of this quotation carefully with your Insured, and reconcile any differences from
the terms requested in the original submission. CRC Insurance Services, Inc. disclaims any responsibility for
your failure to reconcile with the Insured any differences between the terms quoted as per the attached and
those terms originally requested. The attached quotation may not be bound without a fully executed CRC
brokerage agreement.
NOTE: The Insurance Carrier indicated in this quotation reserves the right, at its sole discretion, to
amend or withdraw this quotation if it becomes aware of any new, corrected or updated information
that is believed to be a material change and consequently would change the original underwriting
decision.
Should coverage be elected as quoted per the attached, Premium and Commission are as follows:
OPTION 1
Premium: $95,956.00
TRIPRA Premium: INCLUDED
Carrier Policy Fee $195.00
Surplus Lines Tax $4,663.32
Stamping Office Fee $72.11
Grand Total: $100,886.43
OPTION 2
Premium: $117,012.00
TRIPRA Premium: INCLUDED
Carrier Policy Fee $195.00
Surplus Lines Tax $5,684.54
Stamping Office Fee $87.91
Grand Total: $122,979.45
Commission: 12.5%
Broker Fees & Policy Fees are Fully Earned at Binding
Dynamic Loss Prevention Preview Report prepared for
City of Denton
CORVUS SCORE: 88
Sep 24, 2021
City of Denton scores in the 64th percentile
Corvus calculates percentile based on other companies with
similar industry class and annual revenue.
Breakdown of Risk Exposure Groups
In addition to calculating an overall Corvus
Score and benchmark percentile, the Corvus
Scan also rates 8 types of risk exposure and
provides a score for each group.
The full Dynamic Loss Prevention (DLP) Report
has specific recommendations to reduce
risk exposure for each group, ranked by
severity.
Ransomware & Cyber Extortion: 98
Phishing & Dark Web Monitoring: 100
Disclosure Of Sensitive Information: 85
Contingent Business Interruption: 80
Network Security & Privacy: 78
Hacking, Malware, Unauthorized Access: 0
Business Interruption & System Failure: 82
Social Engineering & Cyber Crime: 100
Preview Recommendations
Bind with Corvus for additional recommendations on the full DLP Report
Beyond the Report: Risk & Response Services
In addition to receiving your full DLP report at the start of the policy term, and quarterly thereafter, you'll be eligible for
Risk and Response Services to help you prevent, prepare for, and respond to any cyber incident.
See our Services Guide to learn more: https://hubs.ly/H0CFhRM0
Learn more about this DLP Report:
Watch at www.corvusinsurance.com/dlp
Open Ports: Dedicated Servers (LOW IMPACT)
We discovered 114 open ports on your domains with dedicated servers, a moderate number. Audit
your open ports and ensure only the minimum necessary are open. Open ports leave sensitive
areas vulnerable to attackers which can result in disclosure of sensitive information.
Open Ports: Popular Domains (LOW IMPACT)
We discovered 118 open ports on your most popular domains, a moderate number, associated
with lower risk of breach. Audit your open ports and ensure only the minimum necessary are open.
Open ports leave sensitive areas vulnerable to attackers, which can result in unintentional
disclosure of sensitive information.
Ransomware Risk Report
RANSOMWARE SCORE: 98
You are at lower risk of a ransomware attack based on our cyber risk model.
What Makes Up Your Score
No Risky Open Ports Detected
A high number of open ports across a network
is an indicator of a larger attack surface. We
focus on remote administration ports as they
are targeted at a higher rate.
No Software Vulnerabilities Detected
Our risk model considers critical and high
vulnerabilities from the national vulnerability
database for relevant software detected on
your public infrastructure.
How does this scan work?
Corvus scans your public web infrastructure looking for
known vulnerabilities, then compares your security
posture to patterns associated with a higher likelihood
of ransomware events.
Are all risks covered?
Our score accounts for common risk factors, but not all
attempted attacks are part of a recognizable pattern or
trend. Organizations should be vigilant and continually
follow best practices.
Ransomware by the Numbers
Regardless of how sophisticated your business' IT security infrastructure is, ransomware is always a threat.
$233,817
average payment
Average ransomware payment in Q3 2020 is a 31% increase from Q2 2020, with the
increase driven by large ransom demands, some over one million dollars. (Coveware)
31%
of cyber claims
For all businesses with up to $2bn in annual revenue, ransomware accounts for nearly
of cyber claims, making it by far the leading cause of loss. (Net Diligence)
1 in 10
include data theft
More than 1 in 10 ransomware attacks in H1 2020 involved the theft of data, increasing
the attackers' leverage and potential response costs. (Emsisoft)
Best Practices To Reduce Your Risk
Know your risk: Assess your IT environment for vulnerabilities by
reviewing the full DLP report delivered upon binding your policy, and
test your employees to identify phishing risk.
Improve resiliency: Maintain & test backup strategy; ensure
software is kept up to date; train employees to recognize phishing;
use multi-factor authentication for critical systems.
Monitor your environment: Watch for suspicious behaviors on
your network or devices, ensure security technologies are deployed
& actively monitored, and check vulnerability alerts from Corvus.
Partner with Corvus
Not sure where to start?
Our Risk and Response Services,
available for all policyholders,
include hands-on help in
reviewing and prioritizing
cybersecurity practices.
Learn More:
https://hubs.ly/H0CFhNY0
Ransomware/Business Interruption Cost Calculator
Prepared For
Let's Approximate the Risk
In the event of a ransomware event leading to a shutdown
of all operations, what might the approximate cost be?
Annual Revenue: $140,226,502
Cost of Goods Sold: –40%
= Net Annual Business Interruption Expenses: $84,135,901
$84,135,901 Over 365 Days
× 100% Percentage of Revenue Reliant on Operational Computer Systems
+ $1,000,000 Ransom Payment
+ $500,000 Data Recovery Costs & Extra Expenses
+ $1,000,000 Breach Response Costs
= Total Estimated Cost:
$5,957,640 Over 15 Days
$9,415,280 Over 30 Days
$16,330,559 Over 60 Days
Total cyber loss estimates may be greater as this
calculation does not include: regulatory fines and
penalties, PCI-DSS assessment expenses, cyber crime/
financial fraud, and reputational loss.
This calculation is an approximation of the cost of a ransomware event that shuts down the operations of an organization. If the organization does not rely on
digital assets and tools for all of its operations then this recommendation may be too high and the recommendations should be discounted accordingly. Cost
of Goods Sold percentages are based on sources including eRiskHub and NYU/Stern (Jan. 2020) and other Corvus data; COGS estimates are recommendations
only and should be adjusted for individual company costs. Corvus recommends that each company consult further with their accountants and insurance
broker in order to produce a more exact time-based recommendation. The non-Business Interruption numbers are estimates, based on the client's revenue,
and may include digital forensics, customer notification, public relations, and other first party breach response expenses.
City of Denton
Smart Cyber Insurance™ Quote
SEPTEMBER 24, 2021
City of Denton Qualifies for Corvus Black
Because this account has over $100m in annual revenue, your client qualifies for additional free
risk management services to better predict, prevent and prepare for cyber incidents.
Learn More About Corvus Black Services: www.corvusinsurance.com/corvus-black
and more…
NAMED INSURED
City of Denton
State: Texas
POLICY PERIOD From 10/01/2021 to 10/01/2022
Both dates at 12:01 a.m. Standard Time at the address of the named
Insured as stated herein.
RETROACTIVE DATE None; Full Unknown Prior Acts
INSURER Accredited Specialty Insurance Company (Non-Admitted, AM Best
"A-" Excellent)
Scan Your Insured's Vendors
"Welcome to the Flock" Onboarding Call
Virtual Incident Response Tabletop Exercise
OPTION COMPARISON
          Limit       Retention  Basic Premium  TRIA
Option 1  $2,000,000  $100,000   $95,006        $950
Option 2  $3,000,000  $100,000   $115,853       $1,159
Please see CRC's cover page for total premium.
Option 1
Third Party Insuring Agreements
A. Network Security and Privacy Liability
   Limit: $2,000,000 Each Claim / Aggregate
   Retention: $100,000 Each Claim
B. Regulatory Investigations, Fines and Penalties
   Limit: $2,000,000 Each Claim / Aggregate
   Retention: $100,000 Each Claim
C. Media Liability
   Limit: $2,000,000 Each Claim / Aggregate
   Retention: $100,000 Each Claim
D. PCI DSS Assessment Expenses
   Limit: $2,000,000 Each Claim / Aggregate
   Retention: $100,000 Each Claim
E. Breach Management Expenses
   Limit: $2,000,000 Each Claim / Aggregate
   Retention: $100,000 Each Claim
First Party Insuring Agreements (Limit; Retention, Waiting Period, & Period of Indemnity)
A. Business Interruption
   See Video: www.corvusinsurance.com/bi
   Limit: $2,000,000 Each Loss / Aggregate
   Waiting Period: 12 Hours
   Period of Indemnity: 12 Months
B. Contingent Business Interruption
   See Video: www.corvusinsurance.com/bi
   Limit: $2,000,000 Each Loss / Aggregate
   Waiting Period: 12 Hours
   Period of Indemnity: 12 Months
C. Digital Asset Destruction, Data Retrieval and System Restoration
   Limit: $2,000,000 Each Loss / Aggregate
   Retention: $100,000 Each Loss
D. System Failure Coverage
   Limit: $2,000,000 Each Loss / Aggregate
   Waiting Period: 12 Hours
   Period of Indemnity: 12 Months
E. Social Engineering & Cyber Crime Coverage
   See Video: www.corvusinsurance.com/1st-party
   Limit: $100,000 Each Loss / Aggregate
   Retention: $100,000 Each Loss
F. Reputational Loss Coverage
   Limit: $2,000,000 Each Loss / Aggregate
   Waiting Period: 2 Weeks
   Period of Indemnity: 12 Months
G. Cyber Extortion and Ransomware Coverage
   See Video: www.corvusinsurance.com/1st-party
   Limit: $2,000,000 Each Loss / Aggregate
   Retention: $100,000 Each Loss
H. Breach Response and Remediation Expenses
   See Video: www.corvusinsurance.com/1st-party
   Limit: $2,000,000 Each Loss / Aggregate
   Retention: $100,000 Each Loss
I. Court Attendance Costs
   Limit: $250,000 Each Loss / Aggregate
   Retention: $100,000 Each Loss
Maximum Policy Aggregate Limit: $2,000,000
ENDORSEMENTS
Endorsement Name Limit
CB-125-001 Amend Other Insurance Provision
CB-126-002 Bricking $2,000,000
CB-151-003 CRC Cyber Amendatory
CB-194-001 California Consumer Privacy Act
CB-202-001 Coverage for Certified Acts of Terrorism
CB-123-001 Criminal Reward Expenses $50,000
CB-155-001 Cryptojacking
CB-136-001 Forensic Accounting Coverage $50,000
CB-111-003 GDPR Coverage
CB-133-001 Invoice Manipulation Loss $100,000
CB-128-001 Loss of Funds Exclusion Carveback
CB-300-001 Manuscript - Specified Entity Exclusion $0
CB-120-001 Solicitation Claims $50,000
CB-146-001 Specified Claim(s) Exclusion
CB-167-001 War Exclusion Cyber Terrorism Carveback
Option 2
Third Party Insuring Agreements
A. Network Security and Privacy Liability
   Limit: $3,000,000 Each Claim / Aggregate
   Retention: $100,000 Each Claim
B. Regulatory Investigations, Fines and Penalties
   Limit: $3,000,000 Each Claim / Aggregate
   Retention: $100,000 Each Claim
C. Media Liability
   Limit: $2,000,000 Each Claim / Aggregate
   Retention: $100,000 Each Claim
D. PCI DSS Assessment Expenses
   Limit: $3,000,000 Each Claim / Aggregate
   Retention: $100,000 Each Claim
E. Breach Management Expenses
   Limit: $3,000,000 Each Claim / Aggregate
   Retention: $100,000 Each Claim
First Party Insuring Agreements (Limit; Retention, Waiting Period, & Period of Indemnity)
A. Business Interruption
   See Video: www.corvusinsurance.com/bi
   Limit: $3,000,000 Each Loss / Aggregate
   Waiting Period: 12 Hours
   Period of Indemnity: 12 Months
PREMIUM, TAXES & FEES (Option 1)
Premium: $95,006
TRIA: $950
Policy Fee (Fully Earned): $195
Total: $96,151
Please see CRC's cover page for total premium.
B. Contingent Business Interruption
   See Video: www.corvusinsurance.com/bi
   Limit: $3,000,000 Each Loss / Aggregate
   Waiting Period: 12 Hours
   Period of Indemnity: 12 Months
C. Digital Asset Destruction, Data Retrieval and System Restoration
   Limit: $3,000,000 Each Loss / Aggregate
   Retention: $100,000 Each Loss
D. System Failure Coverage
   Limit: $3,000,000 Each Loss / Aggregate
   Waiting Period: 12 Hours
   Period of Indemnity: 12 Months
E. Social Engineering & Cyber Crime Coverage
   See Video: www.corvusinsurance.com/1st-party
   Limit: $100,000 Each Loss / Aggregate
   Retention: $100,000 Each Loss
F. Reputational Loss Coverage
   Limit: $3,000,000 Each Loss / Aggregate
   Waiting Period: 2 Weeks
   Period of Indemnity: 12 Months
G. Cyber Extortion and Ransomware Coverage
   See Video: www.corvusinsurance.com/1st-party
   Limit: $3,000,000 Each Loss / Aggregate
   Retention: $100,000 Each Loss
H. Breach Response and Remediation Expenses
   See Video: www.corvusinsurance.com/1st-party
   Limit: $3,000,000 Each Loss / Aggregate
   Retention: $100,000 Each Loss
I. Court Attendance Costs
   Limit: $250,000 Each Loss / Aggregate
   Retention: $100,000 Each Loss
Maximum Policy Aggregate Limit: $3,000,000
ENDORSEMENTS
Endorsement Name Limit
CB-125-001 Amend Other Insurance Provision
CB-126-002 Bricking $3,000,000
CB-151-003 CRC Cyber Amendatory
CB-194-001 California Consumer Privacy Act
CB-202-001 Coverage for Certified Acts of Terrorism
CB-123-001 Criminal Reward Expenses $50,000
CB-155-001 Cryptojacking
CB-136-001 Forensic Accounting Coverage $50,000
CB-111-003 GDPR Coverage
CB-133-001 Invoice Manipulation Loss $100,000
CB-128-001 Loss of Funds Exclusion Carveback
CB-300-001 Manuscript - Specified Entity Exclusion $0
CB-120-001 Solicitation Claims $50,000
CB-146-001 Specified Claim(s) Exclusion
CB-167-001 War Exclusion Cyber Terrorism Carveback
PREMIUM, TAXES & FEES (Option 2)
Premium: $115,853
TRIA: $1,159
Policy Fee (Fully Earned): $195
Total: $117,207
Please see CRC's cover page for total premium.
POLICY FORM Corvus Smart Cyber Policy Form No. CB-101-001
SUBJECTIVITIES The proposed quoted terms are valid for 30 days and subject to the
receipt, review, and acceptance of the following information and are
based on the representation that there are no open or unreported
claims, unless previously addressed herein, as of the date of this
quote. The applicant must also pass a sanctions list check which
Corvus will perform prior to binding. If at any time before binding we
are made aware that a claim was reported, we reserve the right to
rescind or revise the terms of this quote. If an insured elects to bind
coverage during this period, the effective date of the policy must be
within 45 days of the date on which the quote was issued.
Due prior to binding:
• Confirmation that the Applicant requires out-of-band
authentication prior to executing an electronic payment. (Out
of band authentication is a secondary verification method with
the requestor of a funds transfer through a communication
channel separate from the original request.)
• Confirmation that the City's network is completely isolated
from the utility operations
• Confirmation that MFA is required for all email access
• Additional information on the prior incident noticed to Brit
• Confirmation that email filtering is utilized for all users
Due within 7 days of binding:
• TRIA Waiver if coverage is rejected (attached to quote).
• Please provide policyholder contact information (client name,
policyholder name, email, job title) to grant access to the
Corvus policyholder resource dashboard upon bind.
FEES Policy Issuance Fee: $195
BREACH RESPONSE HOTLINE Corvus Smart Cyber Insurance® 24/7 Breach Response Hotline: (855) 248-2150
Application for Smart Cyber Insurance
1. Company Name 2. Domiciled State
3a. Primary Website 3b. Additional Websites
4. Nature of Business (Industry) 5. Projected Gross Annual Revenue (next 12 months)
0 - 250,000
250,001 - 500,000
500,001 - 1,000,000
1,000,001 - 2,500,000
2,500,001 - 5,000,000
5,000,001 - 10,000,000
10,000,001 +
Yes No
Yes No N/A
Yes No N/A
Yes No
Yes No N/A
Yes No
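1. Company Name: City of Denton
2. Domiciled State: Texas
3a. Primary Website: www.cityofdenton.com
4. Nature of Business (Industry): Municipality / Public Entity
5. Projected Gross Annual Revenue (next 12 months): $140,226,502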
6. Estimated number of unique personally identifiable records maintained by
the applicant (including records stored by third-party providers). [1]
7. Does the Applicant have formal processes for regularly backing up,
archiving, restoring, and segregating sensitive data?
8. If the applicant accepts payment cards in exchange for goods or services
rendered, is the applicant or their outsourced payment processor PCI
compliant?
9. If the Applicant allows remote access to their network, do they use a
properly configured VPN or Multi-Factor Authentication?
10. Does the Applicant use Multi-Factor Authentication to secure all domain or
network administrator accounts?
11. If the Applicant’s users can access email through a web app on a non-
corporate device, does the Applicant enforce Multi-Factor Authentication?
12. Does the Applicant use an email security filtering tool?
If Yes: Please list the vendor.
Yes No N/A
Yes No N/A
Yes No N/A
Yes No
Yes No
Yes No
Yes No
13. If the Applicant stores over 1MM PII records, do they encrypt private or
sensitive information stored on mobile devices [2]?
14. If the Applicant's industry is retail, restaurant, or online retailer, do they
deploy either end-to-end or point-to-point encryption technology on all of
their point of sale terminals?
15. If revenue is over $100MM and the applicant uses multimedia material
provided by others, does the applicant always obtain the necessary rights,
licenses, releases, and consents prior to publishing?
16. Has the Applicant experienced in the past three years any cyber security
incident, data privacy incident or any multimedia liability claim [3]?
If Yes: Is the actual or expected total financial impact to the Applicant and its
insurer more than $25,000?
If Yes: Please provide additional details.
17. Does the Applicant or any other person or organization proposed for this
insurance have knowledge of any actual or alleged: security breach, privacy
breach, privacy-related event or incident, breach of privacy, or multimedia
incident that may reasonably be expected to give rise to a claim or to costs
being incurred? [4]
If Yes: Please provide additional details.
18. Has the Applicant or any other organization proposed for this insurance
sustained any unscheduled network outage or interruption lasting longer than
six hours within the past twenty-four months?
If Yes: Please provide additional details.
20. Desired Limits
$2MM Each Claim / $2MM Aggregate
$3MM Each Claim / $3MM Aggregate
Other
21. Desired Retentions
$100,000
Other
[1] PII includes any information that can be used to distinguish or trace an individual's identity, either alone or when combined with other
personal or identifying information that is linked or linkable to a specific individual.
[2] Laptops, tablets, phones, hard drives, USB drives, etc.
[3] A multimedia liability claim includes one alleging defamation, disparagement, invasion of privacy, commercial misappropriation of
likeness, plagiarism, piracy, or copyright or trademark infringement.
[4] Defamation, disparagement, invasion of privacy, commercial misappropriation of likeness, plagiarism, piracy, or copyright or
trademark infringement.
20. Additional details.
NOTICE
Notice to All Applicants: Any person who knowingly, and with intent to defraud any insurance company or other person, files an
application for insurance or statement of claim containing any materially false information, or, for the purpose of misleading, conceals
information concerning any fact material thereto, may commit a fraudulent insurance act which is a crime and subjects such person to
criminal and civil penalties in many states.
Notice to Colorado Applicants: It is unlawful to knowingly provide false, incomplete or misleading facts or information to an insurance
company for the purpose of defrauding or attempting to defraud the company. Penalties may include imprisonment, fines, denial of
insurance and civil damages. Any insurance company or agent of an insurance company who knowingly provides false, incomplete, or
misleading facts or information to a policyholder or claimant for the purpose of defrauding or attempting to defraud the policyholder or
claiming with regard to a settlement or award payable for insurance proceeds shall be reported to the Colorado Division of Insurance
within the Department of Regulatory Agencies.
Notice to District of Columbia and Louisiana Applicants: Any person who knowingly presents a false or fraudulent claim for payment of
a loss or benefit or knowingly presents false information in an application for insurance is guilty of a crime and may be subject to fines
and confinement in prison.
Notice to Florida Applicants: Any person who knowingly and with intent to injure, defraud or deceive any insurance company, files a
statement of claim containing any false, incomplete, or misleading information is guilty of a felony of the third degree.
Notice to Oklahoma Applicants: Any person who knowingly, and with intent to injure, defraud or deceive any insurer, files a statement
of claim containing any false, incomplete or misleading information is guilty of a felony.
Notice to Kansas Applicants: An act committed by any person who, knowingly and with intent to defraud, presents, causes to be
presented or prepares with knowledge or belief that it will be presented to or by an insurer, purported insurer, broker or any agent
thereof, any written statement as part of, or in support of, an application for the issuance of, or the rating of an insurance policy for
personal or commercial insurance, or a claim for payment or other benefit pursuant to an insurance policy for commercial or personal
insurance which such person knows to contain materially false information concerning any fact material thereto; or conceals, for the
purpose of misleading, information concerning any fact material thereto.
Notice to Maine, Tennessee, Virginia and Washington Applicants: It is a crime to knowingly provide false, incomplete or misleading
information to an insurance company for the purpose of defrauding the company. Penalties may include imprisonment, fines and/or
denial of insurance benefits.
Notice to Maryland Applicants: Any person who knowingly or willfully presents a false or fraudulent claim for payment of a loss or
benefit or who knowingly or willfully presents false information in an application for insurance is guilty of a crime and may be subject to
fines and confinement in prison.
Notice to New Hampshire Applicants: Any person who, with a purpose to injure, defraud or deceive an insurance company, files a
statement of claim containing any false, incomplete or misleading information is subject to prosecution and punishment for insurance
fraud as provided in RSA 638:20.
Notice to New York Applicants: Any person who knowingly and with intent to defraud any insurance company or other person files an
application for insurance or statement of claim containing any materially false information, or conceals for the purpose of misleading,
information concerning any fact material thereto, commits a fraudulent insurance act, which is a crime, and shall also be subject to a
civil penalty not to exceed $5,000 and the stated value of the claim for each such violation.
Notice to Pennsylvania Applicants: Any person who knowingly and with intent to defraud any insurance company or other person files
an application for insurance or statement of claim containing any materially false information or conceals for purposes of misleading,
information concerning any fact material thereto commits a fraudulent insurance act, which is a crime and subjects such person to
criminal and civil penalties.
Signature Print Name & Title Date
Applicant Email Address
Note: You will be added to our software platform, the CrowBar, which
provides helpful risk management advice, alerts and services.
Ransomware Supplemental Application
EMAIL SECURITY
1. Company Name
Yes No
Yes No
Yes No
DATA BACK-UP & RECOVERY
Yes No
Yes No
Yes No
City of Denton
2. If your users can access email through a web app on a non-corporate
device, do you enforce Multi-Factor Authentication?
3a. Which email security filtering tool are you using?
3b. Are you using all available security features (for example: quarantine
service, sandboxing and URL rewriting)?
4. Do you conduct regular phishing training and testing?
Quarterly Semi-annually Annually Never
5. Do you have a secure web gateway or proxy solution to secure inbound
internet traffic?
6. How frequently do you back up electronic data?
Daily with multi-generations retained Daily Weekly Less than weekly
7. Are all of your backups kept separate from your network (“offline”) so that
they are inaccessible from endpoints and servers that are joined to the
corporate domain, or in a cloud service designed for this purpose?
If no: please describe compensating controls that you have in place.
8. Is Multi-Factor Authentication required for access to backup files?
9. Have you tested the successful restoration and recovery of key server
configurations and data from backups in the last 6 months?
Yes No
INTERNAL SECURITY & CONTROLS
Yes No
Yes No
Yes No
Yes No
Yes No
Yes No
Yes No
Yes No
Yes No
Yes No
Yes No
Yes No
10. As part of your data back-up strategy, do you maintain at least 3 separate
copies of your data stored in different geographic locations? (Production,
Local Copies, and offsite storage).
11. Do you use Multi-Factor Authentication to secure all domain or network
administrator accounts?
12. Do you restrict employee access to sensitive information on a business-
need to know basis?
13. Do you use an Endpoint Detection and Response (EDR) or a Next-
Generation Antivirus (NGAV) (i.e. CrowdStrike, SentinelOne, CybeReason,
Carbon Black) software to secure all system endpoints?
If yes: please list providers.
14. Do you allow remote access to your network?
If yes: do you use
a) a properly configured and secure VPN?
b) Multi-Factor Authentication to secure all remote access to your network?
15. Do you have a Business Continuity Plan (BCP) or Disaster Recovery Plan
(DRP) in place?
If yes: is your BCP/DRP tested at least annually?
16. Do you encrypt all sensitive and confidential information
a) stored on your organization’s systems and networks?
b) stored on your organization’s backups?
If no to either: are the following compensating controls in place:
I) Segregation of servers that store sensitive and confidential information?
II) Access control with role-based assignments?
Yes No
Yes No
Warranty
All Insureds agree that the statements contained herein are their agreements and representations, which
shall be deemed material to the risk, and that, if issued, the Policy will be in reliance upon the truth thereof.
The misrepresentation or non-disclosure of any material matter by the Insured or its agent will render the
Policy null and void and relieve the Company from all liability under the Policy.
Signature Print Name Date
17. Do you encrypt all sensitive and confidential information
c) stored on mobile devices?
d) in transit from your network?
Policyholder Disclosure: Notice of Terrorism Insurance
Exclusion and Coverage Option
You are hereby notified that under the Terrorism Risk Insurance Act, as amended, you now have a right to
purchase insurance coverage for losses resulting from acts of terrorism, as defined in Section 102(1) of the
Act: The term “act of terrorism” means any act that is certified by the Secretary of the Treasury – in
consultation with the Secretary of Homeland Security, and the Attorney General of the United States – to
be an act of terrorism; to be a violent act or an act that is dangerous to human life, property, or
infrastructure; to have resulted in damage within the United States, or outside the United States in the case
of an air carrier or vessel or the premises of a United States mission; and to have been committed by an
individual or individuals acting on behalf of any foreign person or foreign interest, as part of an effort to
coerce the civilian population of the United States or to influence the policy or affect the conduct of the
United States Government by coercion.
YOU SHOULD KNOW THAT WHERE COVERAGE IS PROVIDED BY THIS POLICY FOR LOSSES RESULTING FROM
CERTIFIED ACTS OF TERRORISM SUCH LOSSES MAY BE PARTIALLY REIMBURSED BY THE UNITED STATES
GOVERNMENT UNDER A FORMULA ESTABLISHED BY FEDERAL LAW. HOWEVER, YOUR POLICY MAY CONTAIN
OTHER EXCLUSIONS WHICH MIGHT AFFECT YOUR COVERAGE, SUCH AS AN EXCLUSION FOR NUCLEAR
EVENTS. UNDER THIS FORMULA, THE UNITED STATES GOVERNMENT GENERALLY REIMBURSES 85%
THROUGH 2015; 84% BEGINNING ON JANUARY 1, 2016; 83% BEGINNING ON JANUARY 1, 2017; 82%
BEGINNING ON JANUARY 1, 2018; 81% BEGINNING ON JANUARY 1, 2019 AND 80% BEGINNING ON JANUARY
1, 2020 OF COVERED TERRORISM LOSSES EXCEEDING THE STATUTORILY ESTABLISHED DEDUCTIBLE PAID
BY THE INSURANCE COMPANY PROVIDING THE COVERAGE. THE PREMIUM CHARGED FOR THIS COVERAGE
IS PROVIDED BELOW AND DOES NOT INCLUDE ANY CHARGES FOR THE PORTION OF LOSS COVERED BY
THE FEDERAL GOVERNMENT UNDER THE ACT.
YOU SHOULD ALSO KNOW THAT THE TERRORISM RISK INSURANCE ACT, AS AMENDED, CONTAINS A $100
BILLION CAP THAT LIMITS U.S. GOVERNMENT REIMBURSEMENT AS WELL AS INSURERS’ LIABILITY FOR
LOSSES RESULTING FROM CERTIFIED ACTS OF TERRORISM WHEN THE AMOUNT FOR SUCH LOSSES IN ANY
ONE CALENDAR YEAR EXCEEDS $100 BILLION. IF THE AGGREGATE INSURED LOSSES FOR ALL INSURERS
EXCEED $100 BILLION, YOUR COVERAGE MAY BE REDUCED.
1 of 3CB-200-001
You have the right to accept or reject any coverage that might be provided under provisions of the Act and
under the terms, conditions and exclusions of the policy. If you decide to purchase a policy from us and
wish to take advantage of any terrorism coverage that might be provided, you will have to pay an
additional premium for terrorism coverage in the amount of:
Limit Each Trigger   Aggregate Limit   Retention Each Trigger   * Basic Premium   * Additional Premium for Certified Acts of Terrorism Coverage (1% of Basic)
$2,000,000           $2,000,000        $100,000                 $95,006           $950
$3,000,000           $3,000,000        $100,000                 $115,853          $1,159
* does not include surplus lines taxes and/or fees
Even if you do decide to take advantage of any terrorism coverage that might be provided under terms of
the Act, we will exclude coverage for losses not eligible for federal reinsurance under the Act, which include
losses due to domestic acts of terrorism and losses due to acts of terrorism to property located outside the
United States. Further, as respects all losses, even losses eligible for federal reinsurance under the Act, the
actual coverage available under our policies for acts of terrorism will still be limited by all of the terms,
conditions, exclusions and endorsements of the policy and by generally applicable rules of law. This means
that even if you decide to pay the additional premium to buy terrorism coverage to the extent provided
under the Act, all terms, conditions and exclusions in the policy, will apply, even if they prevent coverage
for losses resulting from terrorism.
If you decide not to accept this offer of terrorism coverage to the extent provided by the Act and not
otherwise excluded by the policy, you must sign below to waive such coverage and return the original of
this document to us.
WAIVER OF COVERAGE
I/we hereby waive all rights to any coverage for terrorism that may have been available under the
Terrorism Risk Insurance Act and authorize Accredited Specialty Insurance Company to fully exclude
terrorism coverage under the policy issued or to be issued to me/us.
Proposed Named Insured Proposed Named Insured Address
Applicant's Signature Date
Print Name Title
This endorsement is to take effect on: TBD
Policy Number: TBD
Policy Inception Date: TBD
Policy Expiration Date: TBD
Endorsement Number: CB-200-001
All other terms and conditions of the Policy remain unchanged.
Notice to Policyholders
Coverage under this Policy is provided on a claims made and reported basis. This Policy applies only to
Claims first made against the Insured during the Policy Period and reported in writing or by electronic notice
to the Company during the Policy Period or Extended Reporting Period, if applicable, or to Loss first
discovered by the Insured and notified in writing or by electronic notice to the Company during the Policy
Period or Extended Reporting Period, if applicable, and subject to all other terms.
Any obligation or payment owed by the Company shall in every case be subject to the Limits of Liability as
stated in the Policy Declarations. Defense Expenses shall reduce the applicable Limits of Liability, subject to
any applicable Retention, and may completely exhaust the Maximum Policy Aggregate Limit of Liability.
This Policy only affords coverage under those Insuring Agreements below that are indicated as purchased
in Item 5 of the Policy Declarations.
Please review the coverage afforded under this Policy carefully, and discuss it with your insurance agent or
broker.
CB-101-001
CORVUS SMART CYBER INSURANCE
In consideration of the payment of premium, reliance upon the Application, and subject to all terms of this
Policy, the Company agrees to indemnify the Insured in excess of the Retention or after the expiration of
the Waiting Period, as indicated in Item 5 of the Policy Declarations, for:
THIRD PARTY INSURING AGREEMENTS
I. Amounts which the Insured is legally obligated to pay as a direct result of a Claim first made against the
Insured during the Policy Period, and reported in writing or by electronic notice to the Company during the
Policy Period or Extended Reporting Period, if applicable, for:
A. Network Security and Privacy Liability
Damages and Defense Expenses which the Insured is legally obligated to pay as a result of a Claim
arising from a Security Breach or Privacy Breach.
B. Regulatory Investigations, Fines, and Penalties
Regulatory Fines and Penalties and Defense Expenses which the Insured is legally obligated to pay as a
result of a Claim arising from a Security Breach or Privacy Breach.
C. Media Liability
Damages and Defense Expenses which the Insured is legally obligated to pay as a result of a Claim
arising from Media Activities.
D. PCI DSS Assessment Expenses
PCI DSS Assessment Expenses and Defense Expenses which the Insured is legally obligated to pay as a
result of a Claim arising from a Security Breach or Privacy Breach.
E. Breach Management Expenses
Breach Management and Incident Response Expenses which the Insured has contractually indemnified
a Third Party for a Security Breach or Privacy Breach when the Insured has a legal obligation to notify
affected individuals.
FIRST PARTY INSURING AGREEMENTS
II. Loss, first discovered by the Control Group during the Policy Period and reported in writing or by
electronic notice to the Company during the Policy Period or Extended Reporting Period, if applicable, for:
A. Business Interruption
Business Income Loss and Extra Expenses incurred during the Interruption Period directly as a result of
the total, or partial, or intermittent interruption or degradation in service of an Insured's Computer
System caused directly by a Privacy Breach, Security Breach, Administrative Error or Power Failure.
B. Contingent Business Interruption
Business Income Loss and Extra Expenses incurred during the Interruption Period caused directly as a
result of the total, partial, or intermittent interruption or degradation in service of the Computer System
of an Outsourced Service Provider caused directly by a Privacy Breach, Security Breach, or
Administrative Error at that Outsourced Service Provider.
C. Digital Asset Destruction, Data Retrieval and System Restoration
Digital Asset Loss and Related Expenses incurred as a direct and necessary result of a Privacy Breach,
Security Breach or Administrative Error.
D. System Failure Coverage
Business Income Loss, Extra Expenses, and Digital Asset Loss incurred during the Interruption Period
directly as a result of an unintentional or unplanned outage caused by Administrative Error,
Unintentional Damage or Destruction, or Computer Crime and Computer Attacks.
E. Social Engineering and Cyber Crime Coverage
Financial Fraud Loss, Telecommunications Fraud Loss, Phishing Attack Loss, theft of Funds Held in
Escrow, or theft of Personal Funds incurred directly as a result of Financial Fraud, Telecommunications
Fraud, or Phishing Attack.
F. Reputational Loss Coverage
Reputational Loss incurred during the Interruption Period as a direct result of a Media Event arising from
a Privacy Breach, Security Breach, Cyber Extortion Threat, or Phishing Attack.
G. Cyber Extortion and Ransomware Coverage
Extortion Expenses and Extortion Payment incurred directly as a result of a Cyber Extortion Threat.
H. Breach Response and Remediation Expenses
Breach Management and Incident Response Expenses incurred directly as a result of a Privacy Breach
or Security Breach.
I. Court Attendance Costs
Expenses incurred to attend court for any tribunal, arbitration, adjudication, mediation or other hearing
in connection with any Claim for which the Insured is entitled to indemnity under this policy.
DYNAMIC LOSS PREVENTION SERVICES
III. Consultative and support services requested by the Insured prior to notifying the Company of a potential
Loss or Claim, including:
A. IT Security Assessments
The Insured shall have access to network security assessments and recommendations provided by the
Company’s data provider throughout the Policy Period. The Insured may request assessments as
frequently as once every fourteen (14) business days.
B. Pre-Claim Support Services
If the Company is provided with notice of a potential Loss or of a Claim that is not yet a Loss or Claim
under this policy and the Insured requests the Company’s assistance to mitigate against such a Claim
or Loss, the Company may agree to pay for up to $1,000,000 in Breach Management and Incident
Response Expenses. Any such fees must be incurred with the Company’s prior written consent by an
attorney or consultant we have mutually agreed upon. Such attorney’s and consultant’s fees will be
considered Claim expenses or Loss and will be subject to the Limits of Liability that would be applicable
if a covered Claim is made and is also subject to the Policy’s Aggregate Limit of Liability.
EXCLUSIONS
IV. The Company shall not be liable for any Claim, Damages, Defense Expenses or Loss based upon, arising
out of, or in any way attributable to:
1. Prior Knowledge or Notification
Any act, fact, error, omission, event, incident, occurrence, claim or circumstance that could reasonably
be expected to give rise to a Claim or Loss when such act, fact, error, omission, event, incident,
occurrence, claim or circumstance was known prior to the Inception Date of this Policy by any member
of the Control Group;
2. Deliberate Acts
The Insured's willful deliberate, malicious, fraudulent, dishonest, or criminal act or violation of law with
the knowledge, connivance or acquiescence of any member of the Control Group; however, this
exclusion shall not apply to Defense Expenses incurred in defending any such Claim until such time
that there is final adjudication establishing such conduct, at which time the Insured shall reimburse the
Company for all Defense Expenses incurred. Facts, or knowledge possessed by the Control Group
regarding the foregoing conduct shall be imputed to other Insureds;
3. Insured vs. Insured
Any Claim made by or on behalf of an Insured against another Insured. This exclusion shall not apply to
any Claim brought by an Employee outside of the Control Group as a result of a Privacy Breach or
Security Breach;
4. Bodily Injury
Physical injury, sickness, disease, or death sustained by any individual and, where resulting from such
physical injury only, mental anguish, mental injury, shock or emotional distress;
5. Property Damage
Physical Injury to, or impairment, destruction or corruption of, any tangible property, including personal
property in the care, custody or control of the Insured. Data and Digital Assets are not tangible
property;
6. Employment Practices
Any employer-employee relations, policies, practices, acts or omissions, any actual or alleged refusal to
employ any persons or any misconduct, including physical or sexual, with respect to Employees,
including negligent employment, investigation, supervision, hiring, training or retention of any
Employee, Insured or person for whom the Insured is legally responsible. However, this exclusion does
not apply to a Privacy Breach;
7. Breach of Contract
Any breach of any express, implied, actual or constructive contract, warranty, guarantee or promise.
This exclusion does not apply to:
a. Any liability or obligation an Insured would have had in the absence of such contract, warranty,
guarantee or promise and which would have been insured by this Policy;
b. A breach of the Insured's privacy policy; or
c. An otherwise covered Claim under Insuring Agreement I. D. PCI DSS Assessment Expenses;
8. Description of Price of Goods
Actual or alleged inaccurate, inadequate or incomplete description of the price of goods, products, or
services, including cost guarantees, cost representations, contract price, or cost estimates being
exceeded;
9. Discrimination
Any actual or alleged discrimination of any kind, including but not limited to age, color, race, gender,
religion, creed, national origin, marital status, sexual orientation, sexual preference, disability, financial
condition, or pregnancy, including violations of civil rights or discrimination or retaliatory conduct of any
kind;
10. Government Intervention
Non-discriminatory measures of a government taken in the public interest for the purposes of ensuring
public safety, raising revenues, protecting the environment or regulating economic activities;
11. Patent Infringement
The actual or alleged:
a. Infringement of any patent or patent rights or misuse or abuse of a patent; or
b. The misappropriation, theft, copying, display or publication of any trade secret, unless arising out of
a Privacy Breach or Security Breach;
12. Bankruptcy
The insolvency, liquidation or bankruptcy of any person or entity, including any Insured to the extent
permitted by law, or the failure, inability or unwillingness of any person or entity or Insured to make
payments or perform obligations or conduct business because of insolvency, liquidation, or bankruptcy;
However, the Insured's insolvency will not relieve the Company of any legal obligation under this
contract of insurance where this insolvency does not give rise to a claim under this policy;
13. Loss of Funds
a. Loss, decrease in value or theft of securities or currency;
b. Trading losses, liabilities or changes in trading account value; or
c. The value of electronic funds, money, securities or wire transfer;
14. Force Majeure
Any loss incurred as a result of a natural disaster, including fire, smoke, explosion, lightning, wind,
water, flood, earthquake, volcanic eruption, tidal wave, landslide, hail or any other natural physical
event however caused;
15. Payment Card Industry
The failure by the Insured to comply with or follow the Payment Card Industry Data Security Standards,
Merchant Services Agreements or any Payment Card Company rules, or the failure to implement,
maintain or comply with any payment card industry security measures or standards. However, this
exclusion does not apply to Insuring Agreement I.D. PCI DSS Assessment Expenses;
16. Pollutants
Any actual or alleged or threatened presence, discharge, dispersal, release, escape or failure to detect
pollutants or solid, liquid, gaseous or thermal irritant or contaminant of any kind, including smoke,
vapor, soot, fumes, other air emission, acids, toxic chemicals, alkalis, mold, spores, fungi germs, odor,
waste, water, oil or oil product, infectious or medical waste, asbestos or asbestos product, lead or lead
product, noise, and electric, magnetic, or electromagnetic field chemicals, or waste (including waste
material to be recycled, reconditioned, or reclaimed), whether or not such presence, discharge,
dispersal, release, escape or failure to detect results from the Insured's activities or the activities of
others or whether such presence happened suddenly, gradually, accidentally or intentionally. This
exclusion shall not apply to an otherwise covered claim under Insuring Agreement I. A. Security and
Privacy Liability and I. B. Regulatory Investigations, Fines, and Penalties;
17. Satellite, Electrical or Mechanical Failures
Satellite failures; electrical or mechanical failures including spike, brownout or blackout; failures of
overhead or subterranean transmission and distribution lines; or outage to utility infrastructure,
including gas, water, telecommunications, telephone, internet, or cable, unless such infrastructure is
under the Insured's direct operational control;
18. Specific Legislation
a. The actual or alleged purchase, sale, or offer of, or solicitation of an offer to purchase or sell
securities, or violations of any securities law including but not limited to the Securities Act of 1933,
the Securities Exchange Act of 1934, the Sarbanes Oxley Act of 2002, including “Blue Sky” laws;
b. The actual or alleged violation of the Organized Crime Control Act of 1970 (RICO);
c. The actual or alleged government enforcement of any state or federal law or regulation including
law or regulations promulgated by the United States Federal Trade Commission, Federal
Communications Commission, or the Securities and Commission; however, this exclusion does not
apply to Insuring Agreement II. B. Regulatory Investigations, Fines, and Penalties;
d. Any breach or alleged breach of any workers’ compensation, unemployment compensation,
disability benefits or similar laws, including the Federal Employers Liability Act, the Fair Labor
Standards Act of 1938, the National Labor Relations Act, the Worker Adjustment and Retraining Act
of 1988, the Certified Omnibus Budget Reconciliation Act of 1985, the Occupational Safety and
Health Act of 1970;
e. Any violation of any pension, healthcare, welfare, profit sharing, mutual or investment plans, funds,
or trusts; or any violation of any provision of the Employee Retirement Income Security Act of 1974
and/or the Pension Protection Act of 2006;
f. The violation of, or the exposure of the Insured or Company to, any sanction, prohibition or
restriction under United Nations resolutions or the trade or economic sanctions, laws or regulations
of the European Union, UK, or USA;
g. The Telephone Consumer Protection Act of 1991 or CAN-SPAM Act of 2003 or any similar state or
federal statute, law, regulation or rule with regard to unsolicited distribution of email, text
messages, direct mail, facsimiles, spam, actual or alleged wiretapping, audio or video recording, or
telemarketing;
19. Terrorism
Any act of terrorism, except for a terrorist event perpetrated by electronic or internet based
applications or means;
20. Unauthorized Trading
Any and all trading by an Insured, including trade that at the time of the trade is:
a. In excess of permitted financial limits; or
b. Outside of permitted product lines;
21. Anti-Trust Laws and Unfair Competition
Any actual or alleged violation of any anti-trust statute, legislation or regulation including the Sherman
Anti-Trust Act, the Clayton Act or any similar provisions of any federal, state or local statutory law or
common law; or unfair competition, price fixing, deceptive trade practices;
22. Use of Illegal or Unlicensed Programs
Use of illegal or unlicensed programs or software;
23. War
Confiscation, nationalization, requisition, strikes, labor strikes or similar labor actions; war, invasion, or
warlike operations, civil war, mutiny, rebellion, insurrection, civil commotion assuming the proportions
of or amounting to an uprising, military coup or usurped power;
24. Radioactive Contamination, Chemical, Biological, Biochemical and Electromagnetic
In no case shall this insurance cover loss, damage, liability or expense directly or indirectly caused by
or contributed to, by, or arising from:
a. Ionizing radiations from or contamination by radioactivity from any nuclear fuel or from any nuclear
waste;
b. The radioactive, toxic, explosive or other hazardous or contaminating properties of any nuclear
installation, reactor or other nuclear assembly or nuclear component thereof;
c. Any weapon or device employing atomic or nuclear fission and/or fusion or other like reaction or
radioactive force or matter;
d. The radioactive, toxic, explosive or other hazardous or contaminating properties of any radioactive
matter;
e. Any chemical, biological, bio-chemical or electromagnetic weapon;
DEFINITIONS
Administrative Error
An error or omission by an Employee or member of the Control Group in the input, processing or output of
the Insured’s Digital Assets of the Insured’s Computer System operation or maintenance; With respect to
Insuring Agreement II. B. Contingent Business Interruption, Administrative Error includes error or omission
by an employee of an Outsourced Service Provider in the input, processing or output of the Insured’s Digital
Assets or the Outsourced Service Provider’s Computer System operation or maintenance.
Application
All information provided by or on behalf of the Insured to the Company as part of any request for this
Policy, including any supplemental information submitted therewith; All of the above are deemed attached
to, material and incorporated into this Policy;
Breach Management and Incident Response Expenses
a. Costs of an external IT security expert to determine the cause, scope and extent of the Privacy Breach
or Security Breach or any immediate actions necessary to mitigate ongoing harm to the Insured’s
Computer System;
b. Costs and expenses of a legal firm to determine any actions necessary to comply with Privacy
Regulations;
c. Notification costs and related expenses to notify:
I. Individuals who are required to be notified in compliance with Privacy Regulations mandating
notifications; or
II. Any individual affected by the actual or suspected cyber event or to send email notices or issue
substitute notices;
III. Costs of setting up a telephone call center in order to support notified individuals and to provide
credit file monitoring services and/or identity theft assistance;
d. Crisis Management Expenses;
e. Costs to provide credit monitoring services, identity monitoring services, identity restoration services or
identity theft insurance to affected individuals for up to 24 months.
f. Access to Company’s 24/7 Cyber Incident Response Hotline;
g. Costs to obtain initial report support and assistance from the Company;
h. Costs to conduct a forensic investigation of the Insured’s Computer System where reasonable and
necessary or as required by law or a regulatory body (including a requirement for a PCI Forensic
Investigator);
i. Costs to contain and remove any malware discovered on the Insured’s Computer Systems;
j. Costs to complete an information security risk assessment;
k. Costs to conduct an information security gap analysis;
Business Income Loss
a. The net profit before income taxes that the Insured is prevented from earning during the Interruption
Period; and
b. Normal operating expenses incurred by the Insured (including payroll), but solely to the extent that
such operating expenses must continue during the Interruption Period and would have been incurred
had there been no interruption or degradation in service;
Business Income Loss does not include any:
I. Contractual penalties;
II. Costs or expenses incurred to update, restore, replace or improve a Computer System to a level
beyond that which existed just before the Interruption of Service;
III. Expenses incurred to identify or remediate software program errors or vulnerabilities;
IV. Legal costs or expenses;
V. Loss arising out of liability to any third party;
VI. Other consequential loss or damage; or
VII. Extra Expenses;
‘Business Income Loss’, as used in item a. shall mean:
a. For manufacturing operations, the net sales value of production less the cost of all raw stock, materials
and supplies used in such production;
Claim
The following, when first received in writing or by electronic notice by any Insured during the Policy Period
or, if applicable, an Extended Reporting Period.
a. A notice of an intention to hold the Insured responsible for Damages, including the service of legal
proceedings, the institution of arbitration or mediation, or a written request to toll or waive a statute of
limitations against any of the Insureds;
b. A request for information, civil investigative demand, formal civic administrative proceeding or formal
regulatory action only to the extent covered by Insuring Agreement I. B. Regulatory Investigations,
Fines, and Penalties;
c. A demand for PCI DSS Assessment Expenses only to the extent covered by Insuring Agreement I. D. PCI
DSS Assessment Expenses.
First receipt by any Insured is deemed to be first receipt by all Insureds.
Company
The Insurer listed under Item 3 of the Policy Declarations.
Computer Crime and Computer Attacks
An unintentional or negligent act, error or omission by an Insured, or an Outsourced Service Provider in the
operation of an Insured’s Computer System or in the handling of Digital Assets, which fails to prevent or
hinder attacks on an Insured’s Computer System, including, but not limited to Denial of Service attacks,
unauthorized access, infection of malicious computer code, unauthorized use or an act of cyber terrorism.
CB-101-001
Computer System
A system of interconnected hardware and peripherals, and associated software, including Internet of Things
(Iot) devices, systems and application software, terminal devices, related communication networks, mobile
devices, storage and back-up devices, operated by the Insured or an Outsourced Service Provider; With
respect to Insuring Agreement II. A. Business Interruption, a Computer System will not include devices,
systems, software, or networks operated by an Outsourced Service Provider;
Control Group
Any of the Chief Executive Ocer, Chief Financial Ocer, Chief Information Ocer, Chief Operating Ocer,
Chief Information Security Ocer, Chief Legal Ocer/General Counsel, Risk Manager or the functional
equivalent of any of those positions;
Crisis Management Expenses
Expense reasonably incurred by the Insured and approved in writing in advance by the Company for the
employment of a public relations consultant if the Insured reasonably considers that action is needed in
order to avert or mitigate a Business Income Loss or Media Event;
Cyber Extortion Threat
A credible threat or series of credible threats, that includes a demand for Extortion Payment, to:
Release, disseminate, destroy or corrupt the Insured’s Digital Assets;
Introduce Malicious Code into the Insured’s Computer System;
Corrupt, damage or destroy the Insured’s Computer System;
Electronically communicate with the Insured's customers and falsely claim to be the Insured or to be
acting under the Insured's direction in order to falsely obtain personal condential information of the
Named Insured’s customers (also known as “pharming,” “phishing,” or other types of false
communications); or
Restrict or hinder access to the Insured’s Computer System, including the threat of a criminal or
malicious Denial of Service;
Damages
The amount an Insured is legally obligated to pay in respect of: a Claim, including a monetary judgement,
award or settlement, interest and a claimant’s legal costs; punitive and exemplary damages, to the extent
such damages are insurable under the law pursuant to which this Policy is construed; Regulatory Fines and
Penalties only to the extent covered by Insuring Agreement I. B. Regulatory Investigations, Fines, and
Penalties; and PCI DSS Assessment Expenses only to the extent covered by Insuring Agreement I. D.;
Damages shall not include:
Future profits or royalties, restitution, or disgorgement of the Insured's profits;
CB-101-001
The cost of complying with orders granting injunctive or non-monetary relief, including specific
performance, or any agreement to provide such relief;
Loss of the Insured's fees or profits, return or offset of the Insured's fees or charges (invoiced or not), or
the Insured's commissions or royalties provided or contracted to be provided;
Fines, taxes or loss of tax benefits, sanctions unless covered under Insuring Agreement I.B. Regulatory
Investigations, Fines, and Penalties and unless covered under Insuring Agreement I.D. Payment Card
Industry Fines, Assessments and Expenses;
Liquidated damages to the extent that such damages exceed the amount for which the Insured would
have been liable in the absence of such liquidated damages agreement, unless covered under
Coverage I.D. Payment Card Industry Fines, Assessments and Expenses;
Any amount which the Insured is not legally obligated to pay; and
Amounts which are uninsurable under the law pursuant to which this Policy is construed;
Data
Information represented, transmitted or stored electronically, or digitally including code, or a series of
instructions, operation systems program, software and firmware;
Defense Expenses
Reasonable and necessary: fees charged by an attorney to defend a Claim, and costs and expenses
resulting from the investigation, adjustment, defense and appeal of a Claim incurred with the Company’s
prior written consent, or such fees and costs incurred by an attorney from the Pre-Approved Vendors
specified on the Policy Declarations;
Denial of Service
Unauthorized interference or malicious attack that restricts or prevents access to the Insured’s Computer
System for entities authorized to gain access;
Digital Asset Loss
Expenses incurred to restore, recreate, or replace Digital Assets or Computer Systems directly impacted by
a Privacy Breach or Security Breach. If it is determined that Digital Assets or a Computer System cannot be
restored, recreated, or replaced, the Company will only reimburse the Insured's losses or expenses incurred
up to the date of such determination;
Digital Assets
The Insured's digital files including Data, computer programs, electronic documents and audio content
stored by the Insured’s Computer System;
E-Media
Hard drives, CD ROMs, magnetic tapes, magnetic discs or any other media on which electronic Data is
stored;
Employee
Any individual whose labor or service is engaged by and directed by the Insured, including volunteers and
part-time, seasonal, temporary or leased workers, and independent contractors;
Extra Expenses
Reasonable and necessary extra costs incurred by the Insured to temporarily continue as nearly normal as
practicable in the conduct of the Insured's business during the Interruption Period, less any value remaining
at the end of the Interruption Period for property or services obtained in connection with such costs;
“Normal” shall mean the condition that would have existed had no Privacy Breach, Security Breach,
Administrative Error or Power Failure occurred;
Extortion Expenses
Reasonable and necessary expenses incurred to avoid a Privacy Breach, Security Breach or the disruption
failure of the Insured’s Computer System, resulting directly from a Cyber Extortion Threat;
Extortion Payment
The payment of a ransom demand to avoid a Privacy Breach, Security Breach or the disruption or failure of
the Insured’s Computer System, resulting directly from a Cyber Extortion Threat. The Insured must report
any payments to legal or federal law enforcement authorities.
Financial Fraud
An intentional, unauthorized and fraudulent written, electronic or telephonic instruction transmitted to
a financial institution, directing such institution to debit the Insured's account and to transfer, pay or
deliver money or securities from the Insured's account, which instruction purports to have been
transmitted by the Insured, an Executive, or an Employee, but was in fact fraudulently transmitted by a
Third Party without the Insured's knowledge or consent; or
An intentional, unauthorized and fraudulent written, electronic or telephonic instruction transmitted to
a financial institution by an Executive or Employee as a result of that Executive or Employee receiving
intentional, misleading or deceptive telephonic or electronic communications from a Third Party falsely
purporting to be the Insured or the Insured's client, vendor, Executive or Employee, and which directs
the financial institution to debit the Insured's account and to transfer, pay or deliver money or
securities from the Insured's account; or
The theft of money or securities from the Insured's bank account or corporate credit cards by electronic
means;
Financial Fraud Loss
Insured's loss of money, securities, or Specified Property which is directly caused by Financial Fraud;
Financial Fraud Loss does not include any amounts reimbursed to the Insured by any financial institution;
Funds Held In Escrow
Money or securities belonging to a Third Party;
Insured
a. The entity specified in Item 1 of the Policy Declarations;
b. Any Subsidiary but only during the time period such qualifies as a Subsidiary;
c. Any past, present or future officer, director, trustee, court-appointed receiver, or Employee of any of (a)
and (b) above, but only while acting solely within the scope of their duties as such;
d. Any general or managing partner, principal, stockholder, or owner of any of (a) and (b) above, but only
while acting solely within the scope of their duties as such;
e. Any legal entity required by contract to be named as an Insured under this Policy if agreed in advance
and in writing by the Company, but only for the acts of any above parties (a) through (d), as detailed
under the Insuring Agreements purchased;
f. Any agent or independent contractor, including distributors, licensees, and sublicensees, but only while
acting on behalf of, at the direction of, or under the control of any party of (a) through (e) above;
however, not including any Outsourced Service Provider;
Interruption Period
Under Insuring Agreement II. A. Business Interruption, Insuring Agreement II. B. Contingent Business
Interruption, and Insuring Agreement II. D. System Failure, the period of time that commences when the
partial or complete interruption, degradation or failure of the Computer System begins, and ends on the
earlier of:
The date of full system restoration of the Computer System plus up to 30 days thereafter if necessary
to allow for restoration of the Insured's business; or
The maximum Period of Indemnity as stated in Item 5 of the Policy Declarations;
Under Insuring Agreement II. D. Reputational Loss, the period of time that commences on the date of the
earliest Media Event and ends after the maximum indemnity period as stated in Item 5 of the Policy
Declarations;
Loss
Breach Management and Incident Response Expenses, Crisis Management Expenses, Digital Asset Loss,
Extortion Expenses, Extra Expenses, Extortion Payment, Business Income Loss, Financial Fraud Loss,
Phishing Attack Loss, Related Expenses, Telecommunications Fraud Loss, and theft of Funds Held In Escrow;
Malicious Code
Software intentionally designed to damage Digital Assets or a Computer System by a variety of forms
including, but not limited to, virus, worms, Trojan horses, spyware, dishonest adware, ransomware and
crimeware;
Media Activities
The release or display of any Media Material that is under the direct sole control of the Insured and directly
results in any of the following:
Defamation, libel, slander, product disparagement or trade libel;
Infringement, interference, or invasion of an individual’s right or privacy or publicity, including false
light, intrusion upon seclusion, commercial misappropriation of likeness, and public disclosure of private
facts;
Plagiarism, piracy, or misappropriation of ideas under an implied contract;
Infringement of copyright, trademark, trade name, trade dress, title, slogan, service mark or service
names; or
Domain name infringement or improper deep-linking or framing;
Media Event
A report in the media of a Privacy Breach or Security Breach including via newspapers, radio, television,
internet, blogging, and social media that has an adverse impact on the Insured's business or reputation;
Media Material
Communicative material of any kind or nature for which the Insured is responsible, including, but not
limited to, words, pictures, sounds, images, graphics, code and Data, regardless of the method or medium
of communication of such material or the purpose for which the communication is intended. Media Material
does not include any tangible goods or products that are manufactured, produced, processed, prepared,
assembled, packaged, labeled, sold, handled or distributed by the Insured or others trading under the
Insured's name;
Named Insured
The entity listed in Item 1 of the Policy Declarations;
Outsourced Service Provider
An independent service provider that provides information technology services or business processing
outsourcing services, including, but not limited to hosting, security management, colocation, call center
services, fulfillment services, logistical support, and data storage, for the benefit of the Insured under a
written contract with the Insured;
Personal Funds
Money, securities, or financial assets from a personal bank account belonging to the Control Group;
PCI-DSS Assessment Expenses
Payment Card Industry forensic investigation costs, fines or penalties, assessments, including fraud loss
recoveries and card replacement costs, and administrative costs that the Insured is legally obligated to pay
under the terms of a Merchant Services Agreement as a result of the Insured's actual or alleged
non-compliance with Payment Card Industry Data Security Standards. PCI DSS Assessment Expenses does not
include any ongoing obligation or audit following the imposition of an assessment, fine or penalty;
Phishing Attack
The use of fraudulent electronic communications or malicious websites to impersonate the Insured, the
Insured's brand, or any of the Insured's products or services, in order to solicit Protected Personal
Information;
Phishing Attack Loss
Expenses the Insured incurs, with the Company’s prior written consent, to create and issue a specific
press release or to establish a specific website to advise the Insured's customers and prospective
customers of a Phishing Attack; and
The cost of reimbursing the Insured's existing customers for their losses arising directly from a
Phishing Attack;
The cost of reimbursing the Insured's existing customers for their financial loss arising directly from the
fraudulent communications;
Insured's direct loss of profits for 120 days following the Insured's discovery of the fraudulent
communications as a direct result of the fraudulent communications;
External costs associated with the removal of websites designed to impersonate the Insured;
Policy or Insurance
This contract of insurance including the Application, any Declarations, and any endorsements or variations,
all material to and forming part hereof;
Policy Period
The period of time between the Inception Date and Time and the Expiration Date and Time specified in
Item 2 of the Policy Declarations unless terminated earlier, and specifically excluding any Extended
Reporting Period;
Power Failure
Failure in electrical power supply caused by a Security Breach, but only where such power is under the
direct operational control of the Insured or the equipment necessary to supply the power is under the
direct operational control of the Insured;
Privacy Breach
A breach of confidentiality, or infringement or violation of any right to privacy, or a breach of the
Named Insured’s privacy policy or of Privacy Regulations; or
An accidental release, unauthorized disclosure, loss, theft or misappropriation of Protected Personal
Information or confidential corporate information in the care, custody or control of an Insured Entity or
Outsourced Service Provider;
Privacy Regulations
Statutes, laws and regulations associated with the confidentiality, access, controls and use of personally
identifiable, non-public information, including:
Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191);
Gramm-Leach-Bliley Act of 1999, also known as the Financial Services Modernization Act of 1999;
State and federal statutes and regulations regarding the security and privacy of consumer information;
Governmental privacy protection regulations, statutes, or laws associated with the control and use of
personal information;
Privacy provisions of consumer protection laws, including the Federal Fair Credit Reporting Act;
Children’s Online Privacy Protection Act;
The EU Data Protection Act or other similar privacy laws worldwide;
Protected Personal Information
With respect to natural persons, any private, non-public information of any kind in an Insured's care,
custody, or control, regardless of the nature or form of such information, including but not limited to the
following, but only if such information allows an individual to be uniquely identified:
a. Social security number;
b. Medical service or healthcare data;
c. Driver’s license or state identification number;
d. Equivalents of any of the information listed in a.-c. above;
e. Account, credit card, or debit card number, alone or in combination with any information that permits
access to an individual’s financial information, including, but not limit to, security or access code or
password; and
f. Other-non-public information to the extent prescribed under Privacy Regulations;
However, Protected Personal Information does not mean publicly available information that is lawfully in
the public domain or information available to the general public from government records;
Regulatory Fines and Penalties
Civil fines, monetary penalties payable or a monetary amount which the Insured is legally obligated to
deposit in a fund as equitable relief as imposed by a governmental agency or regulatory authority as a
result of a breach of the Privacy Regulations;
Related Expenses
Reasonable and necessary costs and expenses the Insured incurs to:
Prevent, preserve, minimize, or mitigate any further damage to Digital Assets, including the reasonable
and necessary fees and expenses of specialists, outside consultants or forensic experts;
Preserve critical evidence of any criminal or malicious wrongdoing;
Purchase replacement licenses for computer programs because the copy protection system or access
control software was damaged or destroyed by a Loss; or
Notify affected individuals of a total or partial interruption, degradation in service, or failure of an
Insured’s Computer System resulting from a Loss;
Reputational Loss
Provable and determinable Business Income Loss during the Interruption Period;
Reputational Loss shall not mean, and no coverage shall be available for, any of the following:
Loss arising out of any liability to a Third Party;
Legal costs or legal expenses of any type;
Loss incurred as a result of unfavorable business conditions, loss of market or any other consequential
loss;
Loss, liability, or expense incurred in connection with a Media Event that also affects or refers in similar
terms to a general security issue, an industry, or the Insured's specific competitors without any specific
allegations regarding a Security Breach, Privacy Breach, Extortion Threat, or Phishing Attack committed
by an Insured, or by others acting on your behalf, for whom you are legally responsible, including
Outsourced Service Providers;
Costs or expenses the Insured incurs to identify, investigate, respond to or remediate a Privacy Breach,
Security Breach, Extortion Threat or Phishing Attack;
Retention
The figures specified in Item 5 of the Policy Declarations that is payable by the Insured in respect of every
Claim and Loss;
Security Breach
The use of the Computer System by an unauthorized person or persons, or by an authorized person in
an unauthorized manner, including social engineering techniques;
A Denial of Service attack or DDoS attack;
Transmission of Malicious Code;
The failure to prevent or hinder participation in a Denial of Service attack from a Computer System;
A series of continuing Security Breaches, or related or repeated Security Breaches arising from the same
sequence of events, shall be considered a single Security Breach and be deemed to have occurred at the
time of the first such Security Breach;
Specified Property
Any tangible property, other than money or securities, which has intrinsic value;
Subsidiary
Any corporation, limited liability company, or partnership while more than 50% of the outstanding voting
securities or shares that represent the present right to vote for the election or appointment or designation
of such entity’s directors, managers or equivalent are directly owned or controlled by the Insured; or any
joint venture while the Named Insured has managerial control, or while it has the right to elect or designate
or otherwise appoint or directly control the appointment of more than 50% of such entity’s directors,
trustees, managers or equivalent;
Telecommunications Fraud
The intentional, unauthorized and fraudulent gaining of access to outgoing telephone service through
infiltration and manipulation of an Insured Telecommunications System;
Telecommunications Fraud Loss
Charges the Insured incurs for unauthorized calls directly resulting from Telecommunications Fraud;
Telecommunications Systems
Any telephone network or system that the Insured owns, rents, licenses, or borrows.
Third Party
Any person who is not an Employee or any legal entity that is not the Insured.
Unintentional Damage or Destruction
Accidental physical damage to, or destruction of, E-Media so that stored Digital Assets are no longer
machine-readable; Accidental damage to, or destruction of, computer hardware so that stored Data is
no longer machine-readable;
Failure in power supply or under/over voltage, but only if such power supply, including back-up
generators, is under the Insured's direct operational control;
Electrostatic build-up and static electricity.
Waiting Period
Under Insuring Agreement II. A. Business Interruption and Insuring Agreement II. B. Contingent Business
Interruption, the period of time that commences when the partial or complete interruption, degradation or
failure of the Computer System begins, and expires after the number of hours specified in Item 5 of the
Policy Declarations. Under Insuring Agreement II. F. Reputational Loss, the period of time that commences
when the Media Event occurs and expires after the number of hours specified in Item 5 of the Policy
Declarations. Business Income Loss incurred during the Waiting Period is uninsured.
CLAIMS CONDITIONS
Subrogation
If any payment is made under this Policy, the Insured shall maintain all rights of recovery against
any Third Party. The Insured shall execute and deliver instruments and papers and do whatever
else is necessary to secure such rights, and shall do nothing to prejudice such rights. Any recoveries
shall be applied first in payment of the Company's subrogation expenses, secondly to Loss,
Damages, Defense Expenses, or any other amounts paid by the Company, thirdly to any uninsured
amount, and lastly to the Retention. Any additional amounts recovered shall be paid to the Insured.
Notice of Claim, Loss or Circumstance
If, during the Policy Period, the Control Group becomes aware of a Claim or Loss, the Insured must
forward details to the Company as soon as practicable during the Policy Period or the Extended
Reporting Period, if applicable. Notice must be provided through the contacts listed in Item 4 of the
Policy Declarations. The Insured must report a Claim or Loss regardless of whether the Claim or
Loss arises out of any previously reported incident, circumstances, acts, errors or omissions, or
related Claim or Loss.
If during the Policy Period, the Control Group becomes aware of any incidents, circumstances, acts,
errors or omissions that could reasonably result in a Claim or Loss, the Insured must forward details
to the Company as soon as practicable during the Policy Period. Notice must be provided through
the contacts listed in Item 4 of the Policy Declarations. Any Claim or Loss arising out of such
reported incidents, circumstances, acts, errors or omissions will be deemed to have been made or
incurred when the Company first received notice complying with this paragraph.
Any Loss, Claim or incidents, circumstances, acts, errors or omissions that could reasonably result
in Loss or a Claim shall be considered properly reported to the Company when notice is provided
through the contacts listed in Item 4 of the Policy Declarations.
Dispute Resolution
No legal action shall be instituted by any Insured against the Company in any court in respect of
any alleged Defense Expenses or indemnity payable by the Company in respect of any Claim
unless, as a condition precedent thereto, there has been full compliance with all the terms of the
Policy and the amount of the Insured’s obligation to pay the relevant Third Party Claim shall have
been finally determined by judgement or award against the Insured after actual trial or arbitration,
or by written agreement of the Insured, the claimant and the Company.
Any person or organization of the legal representative thereof who has secured such judgement,
award, or written agreement shall thereafter be entitled to make a Claim under this Policy to the
extent of the insurance afforded by this Policy. No person or organization shall have any right under
this policy to join the Company as a party to an action or other proceeding against the Insured to
determine the Insured’s liability, nor shall the Company be impleaded by the Insured or the
Insured’s legal representative. Bankruptcy or insolvency of the Insured or of the Insured’s estate
shall not relieve the Company of their obligations hereunder.
Mediation. If any dispute arises between any Insured and the Company involving Loss or a Claim
under this Policy, such dispute shall be referred by the parties to a qualified mediator to negotiate a
resolution of the dispute in good faith, prior to the initiation of any arbitration or other judicial
proceedings. The party electing to mediation shall provide written notice to other party of its
request to mediate with a brief statement regarding the issue to be mediated. The Named Insured
is authorized and directed to accept such Notice of Mediation on behalf of any Insured.
In the event that non-binding Mediation does not resolve or settle the dispute between any Insured
and the Company, after 30 days from the date of the Mediation, either party may:
commence a judicial proceeding; or
seek agreement to submit the matter to final and binding arbitration before either a single
mutually agreed arbitrator or a three arbitrator panel whereby the Insured selects one
arbitrator, the Company select one arbitrator and the two selected arbitrators agree upon the
selection of the third arbitrator.
Defense, Settlement and Investigation of Claims
The Company shall have the right and duty to defend any Claim against the Insured, even if any of
the allegations of the Claim are groundless, false, or fraudulent, subject to the Limit of Liability,
Exclusions and other terms and conditions of this Policy.
Unless defense counsel or breach counsel is chosen from the list of PreApproved vendors specied
on the Policy Declarations, defense counsel or breach counsel shall be appointed with the
Company's prior written consent. Such consent shall not be unreasonably withheld. However, in the
absence of agreement the Company's decision shall be final.
The Company shall have the right to make any investigation they deem necessary including with
respect to the Application or to coverage.
If the Insured refuses to consent to a settlement that the Company recommends, and that the
claimant will accept, the Insured must then defend, investigate or settle the Claim at the Insured’s
own expense. As a consequence of the refusal to settle as per Company's recommendation,
Company's liability for any Claim shall not be more than the amount of the initial recommended
settlement plus up to 70% of any additional costs incurred by the Insured above this amount in
order to settle this matter, subject always to the limit of the Policy.
No Insured may incur any Defense Expenses, PCI DSS Assessment Expenses, or admit liability for,
or settle, any Claim, without the Company's written consent, which shall not be unreasonably
withheld. Provided that, if a proposal settlement amount, when combined with any Defense
Expenses or PCI DSS Assessment Expenses incurred, does not exceed 50% of the applicable
Retention set forth in the Policy Declarations, the Insured may settle a Claim, or accept an offer of
settlement, without the prior written consent of the Company. Such settlement must fully resolve
the Claim with respect to the Insured and the Company.
GENERAL CONDITIONS
The Company has no duty to provide coverage under this Policy unless there has been full compliance with
all the conditions contained in this Policy. Any clause designated as a condition precedent shall require the
entity to which it applies to comply specifically and completely with it and any breach or failure to do so
shall entitle the Company to reject all or part of the Claim, Damages, Defense Expenses or Loss or any
related Claim or Loss whether or not such breach or failure causes loss, prejudice or damage.
1. Policy Limits
The Aggregate Limit specified in Item 5 of the Policy Declarations shall be the maximum liability of the
Company under this Policy. The limits for each Insuring Agreement specified in Item 5 of the Policy
Declarations form part of, and are not in addition to, such Aggregate Limit.
After the Policy Limit of Liability has been exhausted, the Company has no obligations to pay any
Damages, Defense Expenses, Loss or any other amounts under the Policy, and shall have the right to
withdraw from the defense.
2. Retention and Waiting Period
The Retention amount specified in Item 5 of the Policy Declarations for each Insuring Agreement apply
separately to each and every Loss and Claim and shall be satisfied in full by the Insured’s monetary
payments of Loss, Damages, or Defense Expenses.
The Company shall only be liable for amounts in excess of the Retention, subject to the Limit of
Liability.
For Insuring Agreements subject to a Waiting Period, the Company will only become liable for any Loss
upon expiration of the applicable Waiting Period. Any Loss incurred during the Waiting Period is
uninsured.
In the event of a Claim or Loss attaches to more than one Insuring Agreement, only the highest
Retention or the longer Waiting Period will apply to that Claim or Loss.
The Insured’s payment of the applicable Retention is a condition precedent to the payment by the
Company of any amounts covered under the Policy. The Insured shall make direct payments within the
Retention to the appropriate parties as designated by the Company.
3. Related Claims and Loss
All Claims and Loss arising out of the same related or continuing acts, facts, circumstances or events
shall be considered a single Claim or Loss, without regard to the number of Insureds, Claims or
claimants. All such Claims or Loss shall be deemed to have been made at the time of the first such
Claim or Loss.
4. Cancellation
If this Policy is cancelled by the Named Insured, the Company will refund the unearned premium
computed at the Company's short rate then in force. No premium will be refunded where any Claim or
circumstance has been notified under this Policy, whether or not it has been accepted for coverage.
5. Other Insurance
This Policy is excess to any other valid and collectible insurance (or other indemnity) available to the
Insured.
6. Inspection and Audit
The Company shall be permitted, but not obligated, to inspect any of the Insured’s property,
operations, or records and take copies of same at any time at the Insured’s cost.
7. Mergers and Acquisitions
If any Named Insured completes the legal acquisition of another entity during the Policy Period, then
that acquired entity will automatically be included as an Insured but only with respect to Claims or Loss
sustained or occurring after the date of the acquisition and otherwise qualifying for coverage under this
Policy, unless:
That acquired entity has an annual revenue of more than 20% of the Named Insured’s annual
revenue (evaluated according to the last set of audited accounts formally filed by that entity
against the information provided by the Named Insured when applying for this Policy); or
Unless that acquired entity stores a total number of unique, personally identifiable records that are
in excess of 20% of the total unique, personally identifiable records that the Named Insured stores
(as at the date of completion of such acquisition).
If the above cover is not automatically provided to the newly acquired entity, to obtain cover the
Named Insured must notify and obtain the written consent of the Company prior to the acquisition,
and agree to pay any additional premium required.
8. Assignment
The interest hereunder is not assignable by any qualifying Insured.
9. Innocent Insured
Whenever coverage under this Policy would be excluded, suspended, or lost owing to non-
compliance with Claims Conditions 2. Notice of claim or circumstance, with respect to which any
other Named Insured shall be in default solely as a result of such non-compliance, then such
insurance as would otherwise be afforded under this Policy shall cover and be payable to those
Insureds who did not personally commit or personally participate in committing or personally
acquiesce in such failure to give notice, provided that Insured entitled to the benefit of this
provision shall comply with Claims Conditions 2. Notice of Claim or Circumstance promptly after
obtaining knowledge of the failure of any other Insured to comply therewith.
Any insurance afforded by this provision shall not cover a Claim if a member of the Control Group
knew or should reasonably have known of a Claim or circumstance that could reasonably form the
basis of a Claim or Loss and failed to give notice as required by Claims Conditions 2.
Notwithstanding the above, the reporting of any such Claim or Loss must be made during the Policy
Period or Extended Reporting Period, if applicable.
Whenever coverage this Policy would be excluded, suspended, or lost because of the Insured
Misconduct Exclusion, then such insurance as would otherwise be afforded under this Policy shall
converge and be payable with respect to those Insureds who did not personally commit, personally
participate in committing, personally acquiesce, or remain passive after having personal knowledge
thereof, provided that the Insured entitled to the benefit of this provision shall comply with Claims
Conditions 2. Notice of Claim or Circumstance promptly after obtaining knowledge of the failure of
any other Insured to comply therewith.
10. Extended Reporting Period
Automatic Extended Reporting Period
The Named Insured shall have a period of sixty (60) days following the end of the Policy Period in
which to give written or electronic notice to the Company of any Claim or Loss, but only in respect
of any:
Claim first made during the Policy Period or Automatic Extended Reporting Period when such
Claim is based upon a Security Breach, Privacy Breach or Media Activity prior to the end of the
Policy Period or
Loss based upon a Security Breach, Privacy Breach, Administrative Error, Power Failure,
Unintentional Damage or Destruction, Computer Crime and Computer Attacks, Financial Fraud,
Telecommunications Fraud, Phishing Attack or Cyber Extortion Threat during the Policy Period
when first discovered by the Control Group during the Policy Period or Automatic Extended
Reporting Period and which is otherwise covered by this Policy.
Optional Extended Reporting Period
In the event of cancellation or non-renewal of this Policy, the Named Insured shall have the right to
purchase an Optional Extended Reporting Period for additional premium, as stated in Item 7 of the
Policy Declarations. Once purchased, the premium for the Extended Reporting Period will be
deemed fully earned. The Company must receive the Named Insured’s request for the Optional
Extended Reporting Period by written or electronic notice within thirty (30) days of such
cancellation or non-renewal that it requires, and the Company shall provide, an Optional Extended
Reporting Period commencing at the end of the Policy Period in which to give written or electronic
notice to the Company of any:
Claim first made during the Policy Period or Optional Extended Reporting Period when such
Claim is based upon a Security Breach, Privacy Breach or Media Activity prior to the end of the
Policy Period, or
Loss based upon a Security Breach, Privacy Breach, Administrative Error, Power Failure,
Unintentional Damage or Destruction, Computer Crime and Computer Attacks, Financial Fraud,
Telecommunications Fraud, Phishing Attack or Cyber Extortion Threat during the Policy Period
when first discovered by the Control Group during the Policy Period or Optional Extended
Reporting Period and which is otherwise covered by this Policy. The payment of the additional
premium for the Optional Extended Reporting Period must be paid to the Company within thirty
(30) days of the non-renewal or cancellation.
The Limit of Liability for any Extended Reporting Period shall be part of, and not in addition to, the
Limit of Liability for the Policy Period.
The right to any Extended Reporting Period shall not be available to the Insured where cancellation
or non-renewal by the Company arises through non-payment of premium or the Insured’s failure at
any time to pay amounts within the applicable Retention.
11. Change of Control
In the event of the Named Insured’s acquisition by or merger into another entity, or the Named
Insured’s liquidation or dissolution, the Named Insured may notify the Company within sixty (60) days
of the actual change of control of the Named Insured’s election for an Extended Reporting Period of
twelve (12) months from the date of such change of control. Such Extended Reporting Period shall
cover Claims reported or Loss notified to the Company during this change of control Extended
Reporting Period, but only in respect of any Claim made during the Policy Period or Loss incurred during
the Policy Period which is otherwise covered by this Policy.
12. Assistance and Cooperation
The Insured shall cooperate with the Company in all investigations relating to this Policy. The
Insured shall execute or cause to be executed all documents and papers and render all assistance
as requested by the Company, including providing copies of a Third Party’s system security and
event logs.
Upon the Company's request, the Insured shall assist in making settlements, in the conduct of all
third party dispute resolution procedures and in enforcing any right of contribution or indemnity
against any person or organization who may be liable to the Insured with respect to which
insurance is afforded under this Policy, and the Insured shall attend hearings and trials and assist in
securing and giving evidence and obtaining the attendance of witnesses at the Insured’s own cost.
It is a condition precedent to the Company's liability that the Insured shall not admit liability, make
any payment, assume any obligations, incur any expense, enter into any settlement, stipulate to
any judgement or award, or dispose of any Claim without the Company's prior written consent.
However, the prompt public admission of a Privacy Breach potentially impacting non-public
personally identifiable information as required by governmental privacy legislation or credit card
association operating requirements will not be considered as an admission of liability requiring the
Company's prior consent.
The Company shall have the right to make any investigation they deem necessary with respect to
coverage including the Application.
The Insured shall submit for examination under oath by the Company's representative, if
requested, in connection with all matters relating to this Policy.
13. Warranty by the Named Insured
By acceptance of this Policy, all Insureds agree that the statements in the Application are their
agreements and representations, which shall be deemed material to the risk, and that this Policy is
issued in reliance upon the truth thereof. The misrepresentation or non-disclosure in the Application of
any material matter by the Insured or its agent will render the Policy null and void and relieve the
Company from all liability under the Policy.
14. Forfeiture
Any:
Action or failure to act by the Insured with the intent to defraud the Company; or
Material misrepresentation or non-disclosure of any material fact or claims by the Insured in the
Application or in any supplemental materials submitted to the Company:
Shall render this Policy null and void, and all coverage hereunder shall be forfeited.
15. Construction and Interpretation
Any reference to legislation, statute, regulation or law includes any similar or related law, statute,
ordinance, or regulation, any amendments, and any rules or regulations or executive orders
promulgated thereunder, or by a federal, state, local or other agencies or similar bodies thereof.
Any reference to a regulatory or investigative or other state or local governmental body includes
any similar, subsidiary or related agency or body.
All or part of any provision of this Policy which is or becomes void or illegal, invalid or unenforceable
by a court or other competent body under the law of any applicable jurisdiction shall be deleted.
The parties shall use their best efforts to agree a replacement for the provision deleted which
achieves as far as possible the same effect as would have been achieved by the deleted provision
had it remained enforceable.
16. Coverage Territory
Coverage under this Policy applies anywhere in the world.
This Endorsement changes the Policy. Please read it carefully.
SMART CYBER INSURANCE ENDORSEMENT
Amend Other Insurance Provision
In consideration of the premium charged, it is hereby understood and agreed that the Policy is amended as
follows:
General Conditions 5. Other Insurance is deleted in its entirety and replaced with the following:
This Policy is primary to any other valid and collectible insurance available to the Insured.
This endorsement is to take effect on: TBD
Policy Number: TBD
Policy Inception Date: TBD
Policy Expiration Date: TBD
Endorsement Number: CB-125-001
All other terms and conditions of the Policy remain unchanged.
This Endorsement changes the Policy. Please read it carefully.
SMART CYBER INSURANCE ENDORSEMENT
Bricking Endorsement
In consideration of the premium charged, up to the amount of $2,000,000 subject to an applicable
Retention of $100,000, it is hereby understood and agreed that the Policy to which this endorsement
attaches is amended as follows:
Exclusions, Property Damage is deleted in its entirety and replaced with the following:
Property Damage
Physical Injury to, or impairment, destruction or corruption of, any tangible property, including personal
property in the care, custody or control of the Insured. Data and Digital Assets are not tangible property
and are not Property Damage. Property Damage does not include the loss of use of electronic equipment
caused by the reprogramming of the software (including firmware) of such electronic equipment rendering
it useless for its intended purposes.
The definition of Security Breach is amended to include the following sentence to the end thereof:
e. The loss of use of all or part of a Computer System caused by the unauthorized reprogramming of
software (including firmware) which renders such Computer System, or any component thereof,
nonfunctional or useless for its intended purpose;
This endorsement is to take effect on: TBD
Policy Number: TBD
Policy Inception Date: TBD
Policy Expiration Date: TBD
Endorsement Number: CB-126-002
All other terms and conditions of the Policy remain unchanged.
This Endorsement changes the Policy. Please read it carefully.
SMART CYBER INSURANCE ENDORSEMENT
CRC Smart Cyber Amendatory Endorsement
In consideration of the premium charged, it is hereby understood and agreed that the Policy to which this
endorsement attaches is amended as follows:
On the Policy Declarations, Item 6 B. Business Interruption, Contingent Business Interruption, System
Failure Coverage and Reputational Loss Coverage Period of Indemnity shall be 12 months;
On the Policy Declarations, Item 8 Extended Reporting Period is deleted and replaced with the
following:
1 year: 90% of the annual policy premium
2 years: 150% of the annual policy premium
3 years: 175% of the annual policy premium
First Party Insuring Agreement II. A Business Interruption is deleted and replaced with the following:
Business Income Loss and Extra Expenses incurred during the Interruption Period directly as a result of
the total, or partial, or intermittent interruption or degradation in service of an Insured's Computer
System caused directly by a Privacy Breach, Security Breach, Administrative Error, Power Failure, or
Preventative Shutdown.
First Party Insuring Agreement II. B Contingent Business Interruption is deleted and replaced with the
following:
Business Income Loss and Extra Expenses incurred during the Interruption Period caused directly as a
result of the total, partial, or intermittent interruption or degradation in service of the Computer System
of an Outsourced Service Provider caused directly by a Privacy Breach, Security Breach, Administrative
Error or Preventative Shutdown at that Outsourced Service Provider.
First Party Insuring Agreement II. D. System Failure is deleted and replaced with the following:
D. System Failure and Contingent System Failure Coverage
Business Income Loss, Extra Expenses, and Digital Asset Loss incurred during the Interruption Period
directly as a result of any unintentional and unplanned total or partial outage of the Insured's Computer
System that is not caused by a Security Breach, Privacy Breach, Cyber Extortion Threat, Phishing
Attack, Financial Fraud, Telecommunications Fraud, or Contingent System Failure;
Business Income Loss, Extra Expenses, and Digital Asset Loss incurred during the Interruption Period
directly as a result of any unintentional and unplanned total or partial outage of an Outsourced Service
Provider's Computer System that is not caused by a Security Breach, Privacy Breach, Cyber Extortion
Threat, Phishing Attack, Financial Fraud, Telecommunications Fraud, or Contingent Business Event.
CB-151-003
2. The following definitions are added to the Policy:
Contingent Business Event
The acquisition, access, or disclosure of Protected Personal Information or confidential corporate
information by a person or entity, or in a manner, that is unauthorized by the Outsourced Service
Provider;
A threat from a Third Party to commit an intentional attack against the Outsourced Service
Provider's Computer System or publicly disclose Protected Personal Information or confidential
corporate information misappropriated from the Outsourced Service Provider if money, securities,
or Specified Property is not paid; or
Any failure by the Outsourced Service Provider or by others on the Outsourced Service Provider's
behalf (including the Outsourced Service Provider's subcontractors, outsourcers, or independent
contractors) in securing the Outsourced Service Provider Computer System.
Contingent System Failure
Any unintentional and unplanned total or partial outage of an Outsourced Service Provider's Computer
System that is not caused by a Contingent Business Event.
Definitions, Claim, is deleted and replaced with the following:
The following, when first received in writing or by electronic notice by any Insured during the Policy
Period or, if applicable, an Extended Reporting Period:
A notice of an intention to hold the Insured responsible for Damages, including the service of legal
proceedings, the institution of arbitration or mediation, or a written request to toll or waive a
statute of limitations against any of the Insureds.
A request for information, civil investigative demand, formal civic administrative proceeding or
formal regulatory action only to the extent covered by Insuring Agreement I. B. Regulatory
Investigations, Fines, and Penalties;
A demand for PCI DSS Assessment Expenses only to the extent covered by Insuring Agreement I. D.
PCI DSS Assessment Expenses.
With respect to Insuring Agreements I.A. Network Security and Privacy Liability, and I.C. Media
Liability only, a written demand made against an Insured for Damages or non-monetary relief;
First receipt by any Insured is deemed to be first receipt by all Insureds.
Definitions, Damages, is deleted and replaced with the following:
The amount an Insured is legally obligated to pay in respect of: a Claim, including a monetary
judgement, award or settlement, interest and a claimant's legal costs; liquidated, punitive, multiplied
and exemplary damages, to the extent such damages are insurable under the law pursuant to which
this Policy is construed; Regulatory Fines and Penalties only to the extent covered by Insuring
Agreement I. B. Regulatory Investigations, Fines, and Penalties; and PCI DSS Assessment Expenses only
to the extent covered by Insuring Agreement I. D.;
Damages shall not include:
Future profits or royalties, restitution, or disgorgement of the Insured's profits;
The cost of complying with orders granting injunctive or non-monetary relief, including specific
performance, or any agreement to provide such relief;
Loss of the Insured's fees or profits, return or offset of the Insured's fees or charges (invoiced or
not), or the Insured's commissions or royalties provided or contracted to be provided;
Fines, taxes or loss of tax benefits, sanctions unless covered under Insuring Agreement I.B.
Regulatory Investigations, Fines, and Penalties and unless covered under Insuring Agreement I.D.
Payment Card Industry Fines, Assessments and Expenses;
Liquidated damages to the extent that such damages exceed the amount for which the Insured
would have been liable in the absence of such liquidated damages agreement, unless covered
under Coverage I.D. Payment Card Industry Fines, Assessments and Expenses;
Any amount which the Insured is not legally obligated to pay; and
Amounts which are uninsurable under the law pursuant to which this Policy is construed;
With respect to the insurability of Damages, the applicable law will be the law of the state most
favorable to the Insured, provided that the state whose law is most favorable to the Insured has a
reasonable relationship to the Claim. A state's law will be considered to have a reasonable relationship
to the Claim if it is the state where:
The Named Insured is incorporated or has a place of business;
The claim is pending; or
The acts giving rise to the claim were committed or allegedly committed.
3 of 7
7.
a.
b.
c.
d.
e.
f.
g.
a.
b.
8. Definitions, Digital Assets is deleted and replaced with the following:
a. The Insured's digital files including Data, computer programs, electronic documents and audio
content stored by the Insured's Computer System;
b. Data owned by or entrusted to the Insured that is being held, stored, maintained, transferred or
processed by an Outsourced IT Service Provider on the Insured's behalf.
9. Definitions, Privacy Breach is deleted and replaced with the following:
a. A breach of confidentiality, or infringement or violation of any right to privacy, or a breach of the
Named Insured's privacy policy or of Privacy Regulations; or
b. An accidental release, unauthorized disclosure, loss, theft or misappropriation of Protected Personal
Information or confidential corporate information in the care, custody or control of an Insured Entity
or Outsourced Service Provider;
c. A failure to prevent a privacy breach or failure to implement, maintain, or comply with privacy
policies and procedures that identify the Insured's obligations relating to Protected Personal
Information, including but not limited to the Insured's privacy policy.
10. Definitions, PCI DSS Assessment Expenses is deleted and replaced with the following:
Payment Card Industry forensic investigation costs, fines or penalties, assessments, including fraud loss
recoveries and card replacement costs, and administrative costs that the Insured is legally obligated to
pay under the terms of a Merchant Services Agreement as a result of the Insured's actual or alleged
non-compliance with Payment Card Industry Data Security Standards. PCI DSS Assessment Expenses
includes costs related to PCI recertification or a PCI forensic investigator to investigate the existence
and extent of an actual or reasonably suspected Security Breach involving payment card data and for a
Qualified Security Assessor to certify and assist in attesting to the Insured's PCI compliance, as required
by a Merchant Services Agreement. PCI DSS Assessment Expenses does not include any other ongoing
obligations or audits following the imposition of an assessment, fine or penalty.
11. Definitions, Computer System paragraph is deleted and replaced with the following:
A system of interconnected hardware and peripherals, and associated software, including Internet of
Things (IoT) devices, systems and application software, terminal devices, related communication
networks, mobile devices, storage and back-up devices, and industrial systems operated by the
Insured or an Outsourced Service Provider;
12. Definitions, Control Group is deleted and replaced with the following:
Any of the Chief Executive Officer, Chief Financial Officer, Chief Information Officer, Chief Legal Officer/
General Counsel, Risk Manager or functional equivalent;
13. Definitions, Financial Fraud, b., is deleted and replaced with the following:
b. An intentional, unauthorized and fraudulent written, electronic or telephonic instruction transmitted
to a financial institution by an Executive or Employee as a result of that Executive or Employee
receiving intentional, misleading or deceptive telephonic or electronic communications from a Third
Party falsely purporting to be the Insured or the Insured's client, vendor, Executive or Employee, and
which directs the financial institution to debit the Insured's account and to transfer, pay or deliver
money, securities, or Specified Property from the Insured's account; or"
14. Definitions, Interruption Period part a. is deleted and replaced with the following:
The date of full system restoration of the Computer System plus up to 60 days thereafter if necessary
to allow for restoration of the Insured's business; or
15. Definitions, Media Activities b. is deleted and replaced with the following: Infringement, interference, or
invasion of an individual's right or privacy or publicity, including false light, intrusion upon seclusion,
misappropriation of likeness, and public disclosure of private facts;
16. Definitions, Media Activities f. is amended to include the following:
f. Negligence in Media Material, including a Claim alleging harm to any person or entity that acted or
failed to act in reliance upon such Media Material;
17. Definitions, Media Material is amended to include the following:
Media Material also includes content posted by users to any website that is operated and managed by
the Insured.
18. Definitions, Preventative Shutdown is added and means:
An Insured's reasonable and necessary intentional shutdown of:
i. With respect to Insuring Agreement II. A Business Interruption, an Insured's Computer System, but
only to the extent that such shut down:
a. is in response to an actual or credible threat of Computer Crime and Computer Attacks
expressly directed against such Insured's Computer System which may reasonably be expected
to cause an interruption in service in the absence of such shutdown; and
b. serves to mitigate, reduce, or avoid Business Income Loss as a result of the actual or credible
threat of such Computer Crime and Computer Attacks; or
ii. With respect to Insuring Agreement II. B. Contingent Business Interruption, the Insured's access or
connectivity to an Outsourced Service Provider's Computer Network, but only to the extent that
such shutdown:
a. is in response to actual Computer Crime and Computer Attacks against such Outsourced
Service Provider's Computer Network which may reasonably be expected to cause an
interruption in service in the absence of such shutdown; and
b. serves to mitigate, reduce, or avoid Business Income Loss as a result of such Computer Crime
and Computer Attacks.
19. Definitions, Subsidiary is deleted and replaced with the following:
Any entity while more than 50% of the outstanding voting securities or shares that represent the
present right to vote for the election or appointment or designation of such entity's directors, managers
or equivalent are directly owned or controlled by the Insured; or any joint venture while the Named
Insured has managerial control, or while it has the right to elect or designate or otherwise appoint or
directly control the appointment of more than 50% of such entity's directors, trustees, managers or
equivalent;
20. Definitions, Insured, e., is deleted and replaced with the following:
Any legal entity required by written contract to be named as an additional insured under this Policy,
but only for the acts of any above parties (a) through (d), as detailed under the Insuring Agreements
purchased;
21. General Conditions 2. Retention and Waiting Period is amended to include the following:
Solely with respect to Insuring Agreement II. E. Social Engineering and Cyber Crime Coverage, the
Company will recognize erosion of the Retention by any payments made by or on behalf of the Insured
pursuant to such commercial crime policy issued to the Insured but only if such payments for loss
would be otherwise covered by the Social Engineering and Cyber Crime insuring agreement;
22. General Conditions 7. Mergers and Acquisitions is deleted and replaced with the following:
If any Named Insured completes the legal acquisition of another entity during the Policy Period, then
that acquired entity will automatically be included as an Insured but only with respect to Claims or Loss
sustained or occurring after the date of the acquisition and otherwise qualifying for coverage under this
Policy, unless that acquired entity has an annual revenue of more than 35% of the Named Insured’s
annual revenue (evaluated according to the last set of audited accounts formally filed by that entity
against the information provided by the Named Insured when applying for this Policy)
If the annual revenues of the newly acquired entity exceed the threshold above, the Named Insured
must notify and obtain the written consent of the Company within 60 days of the acquisition and agree
to pay any additional premium required. The newly acquired entity will automatically be included as an
insured for 60 days after the acquisition but only with respect to Claims or Loss sustained or occurring
after the date of acquisition and otherwise qualifying for coverage under this Policy.
23. Claims Conditions 2. Notice of Claim, Loss or Circumstance is deleted and replaced with the following:
Notice of Claim, Loss or Circumstance
a. If, during the Policy Period, the Control Group becomes aware of a Claim or Loss, the Insured must
forward details to the Company as soon as practicable during the Policy Period or the Extended
Reporting Period, if applicable, but no later than sixty (60) days after expiration of this Policy,
through the persons named in the Policy Declarations. The Insured must report a Claim or Loss
regardless of whether the Claim or Loss arises out of any previously reported incident,
circumstances, acts, errors or omissions, or related Claim or Loss.
b. If during the Policy Period, the Control Group becomes aware of any incidents, circumstances, acts,
errors or omissions that could reasonably result in a Claim or Loss, the Insured must forward details
to the Company as soon as practicable during the Policy Period through the persons named in the
Policy Declarations. Any Claim or Loss arising out of such reported incidents, circumstances, acts,
errors or omissions will be deemed to have been made or incurred when the Company first
received notice complying with this paragraph.
c. Any Loss, Claim or incidents, circumstances, acts, errors or omissions that could reasonably result
in Loss or a Claim shall be considered properly reported to the Company when notice is first given,
as specified under Item 4 of the Policy Declarations.
24. Claims Conditions - Defense, Settlement, and Investigation of Claims, paragraph (d) is deleted in its
entirety and replaced with the following:
d. If the Insured refuses to consent to a settlement that the Company recommends, and that the
claimant will accept, the Insured must then defend, investigate or settle the Claim at the Insured's own
expense. As a consequence of the refusal to settle as per Company's recommendation, Company's
liability for any Claim shall not be more than the amount of the initial recommended settlement plus
70% of any additional costs incurred by the Insured above this amount in order to settle this matter,
subject always to the limit of the Policy. The remaining thirty percent (30%) of such additional costs will
be borne by the Insured at the Insured's own risk and will be uninsured under this Policy.
This clause will not apply to any settlement where the total incurred Damages do not exceed the
applicable Retention.
This endorsement is to take effect on: TBD
Policy Number: TBD
Policy Inception Date: TBD
Policy Expiration Date: TBD
Endorsement Number: CB-151-003
All other terms and conditions of the Policy remain unchanged.
This Endorsement changes the Policy. Please read it carefully.
SMART CYBER INSURANCE ENDORSEMENT
California Consumer Privacy Act Endorsement
In consideration of the premium charged, it is hereby understood and agreed that the Policy to which this
endorsement attaches is amended as follows:
1. Definitions, Privacy Regulations, is amended to include the following:
a. The California Consumer Privacy Act or any rules or regulations promulgated thereunder.
2. Exclusion, 21. Anti-Trust Laws and Unfair Competition will not apply to claims grounded in the California
Consumer Privacy Act, provided no member of the Control Group participated or colluded in the
activities or incident giving rise to coverage under this endorsement.
This endorsement is to take effect on: TBD
Policy Number: TBD
Policy Inception Date: TBD
Policy Expiration Date: TBD
Endorsement Number: CB-194-001
All other terms and conditions of the Policy remain unchanged.
This Endorsement changes the Policy. Please read it carefully.
SMART CYBER INSURANCE ENDORSEMENT
Coverage for Certified Acts of Terrorism Endorsement
You and the Company agree to the following:
1. Exclusions, item 19. is deleted and replaced with the following:
7. Terrorism;
Any act of terrorism.
This exclusion shall apply and prevent any and all coverage for claims arising from terrorism,
regardless of whether any other cause or event that otherwise would be covered contributes in
any way to the loss. This exclusion does not apply to a Certified Act of Terrorism, or to a terrorist
event perpetrated by electronic or internet based applications or means, however:
a. Except for a terrorist event perpetrated by electronic or internet based applications or
means, the Company will not pay any amounts for which the Company is not responsible
under the terms of the federal Terrorism Risk Insurance Act of 2002 as amended (the “Act”);
and
b. The amendment of this exclusion does not create coverage for any loss that would otherwise
be excluded under the Policy. All other policy terms and conditions, including the Policy’s
exclusions, remain in full force and effect, even in the event of a Certified Act of Terrorism.
2. Definitions is changed to add the following:
Certified Act of Terrorism means an act that is certified by the Secretary of the Treasury, in consultation
with the Secretary of Homeland Security and the Attorney General of the United States, to be an act of
terrorism pursuant to the federal Terrorism Risk Insurance Act (the “Act”). Section 102(1) of the Act
requires such act be certified to be an act of terrorism and resulted in insured losses in excess of $5
million in the aggregate, attributable to all types of insurance subject to the Act; to be a violent act or
an act that is dangerous to human life, property or infrastructure; to have resulted in damage within
the United States, or outside the United States in the case of certain air carriers or vessels or the
premises of a United States mission; and to have been committed by an individual or individuals as part of
an effort to coerce the civilian population of the United States or to influence the policy or affect the
conduct of the United States Government by coercion.
In all other respects, the policy remains the same.
NOTICE
COVERAGE FOR CERTIFIED ACTS OF TERRORISM IS INCLUDED IN YOUR POLICY. UNDER YOUR
COVERAGE, ANY LOSSES RESULTING FROM CERTIFIED ACTS OF TERRORISM MAY BE PARTIALLY
REIMBURSED BY THE UNITED STATES GOVERNMENT UNDER A FORMULA ESTABLISHED BY THE
TERRORISM RISK INSURANCE ACT, AS AMENDED. HOWEVER, YOUR POLICY MAY CONTAIN OTHER
EXCLUSIONS WHICH MIGHT AFFECT YOUR COVERAGE, SUCH AS AN EXCLUSION FOR NUCLEAR EVENTS.
UNDER THE FORMULA, THE UNITED STATES GOVERNMENT GENERALLY REIMBURSES 85% THROUGH
2015; 84% BEGINNING ON JANUARY 1, 2016; 83% BEGINNING ON JANUARY 1, 2017; 82% BEGINNING
ON JANUARY 1, 2018; 81% BEGINNING ON JANUARY 1, 2019 AND 80% BEGINNING ON JANUARY 1, 2020
OF COVERED TERRORISM LOSSES EXCEEDING THE STATUTORILY ESTABLISHED DEDUCTIBLE PAID BY
THE INSURANCE COMPANY PROVIDING THE COVERAGE. THE TERRORISM RISK INSURANCE ACT, AS
AMENDED, CONTAINS A $100 BILLION CAP THAT LIMITS U.S. GOVERNMENT REIMBURSEMENT AS WELL
AS INVESTORS’ LIABILITY FOR LOSSES RESULTING FROM CERTIFIED ACTS OF TERRORISM WHEN THE
AMOUNT OF SUCH LOSSES EXCEEDS $100 BILLION IN ANY ONE CALENDAR YEAR. IF THE AGGREGATE
INSURED LOSSES FOR ALL INSURERS EXCEED $100 BILLION, YOUR COVERAGE MAY BE REDUCED.
This endorsement is to take effect on: TBD
Policy Number: TBD
Policy Inception Date: TBD
Policy Expiration Date: TBD
Endorsement Number: CB-202-001
All other terms and conditions of the Policy remain unchanged.
This Endorsement changes the Policy. Please read it carefully.
SMART CYBER INSURANCE ENDORSEMENT
Criminal Reward Expenses Endorsement
In consideration of the premium charged, it is hereby understood and agreed that the Policy to which this
endorsement attaches is amended as follows:
The Company will pay for the Reward Expenses up to the amount of $50,000 subject to an application
retention of $100,000 incurred by the Insured and approved in writing in advance by the Company, but
only if a written request for indemnification is made by a member of the Control Group to the Company in
accordance with Claims Conditions, section 2. Notice of Claim, Loss or Circumstance.
Reward Expenses means the reasonable amount that the Insured pays to an Informant for information not
otherwise available, and which leads to the arrest and conviction of any person who commits an illegal act
that causes a Loss.
Informant means any person, other than a member of the Control Group, who provides information
regarding an illegal act committed by another person which causes a Loss, solely in return for money that
the Insured pays or promises to pay. Informant does not include: 1) any person who commits an illegal act
which causes a Loss, whether acting alone or in collusion with others; 2) any Insured; 3) any Insured's
auditors, whether internal or external; 4) any person or firm hired or retained to investigate a Loss;
This endorsement is to take effect on: TBD
Policy Number: TBD
Policy Inception Date: TBD
Policy Expiration Date: TBD
Endorsement Number: CB-123-001
All other terms and conditions of the Policy remain unchanged.
This Endorsement changes the Policy. Please read it carefully.
SMART CYBER INSURANCE ENDORSEMENT
Cryptojacking Endorsement
In consideration of the premium charged, it is hereby understood and agreed that the Policy to which this
endorsement attaches is amended as follows:
1. Definitions, Telecommunications Fraud Loss is deleted and replaced with the following:
Charges the Insured incurs for unauthorized calls directly resulting from Telecommunications Fraud
and Cryptojacking Fraud.
2. Definitions, Cryptojacking Fraud is added to the policy and means: The secret use of your
Telecommunications Systems by a Third Party to mine cryptocurrency.
This endorsement is to take effect on: TBD
Policy Number: TBD
Policy Inception Date: TBD
Policy Expiration Date: TBD
Endorsement Number: CB-155-001
All other terms and conditions of the Policy remain unchanged.
This Endorsement changes the Policy. Please read it carefully.
SMART CYBER INSURANCE ENDORSEMENT
Forensic Accounting Coverage
In consideration of the premium charged, it is hereby understood and agreed that the Policy is amended as
follows:
1. The definition of Business Income Loss is amended to include the following:
c. Forensic Accounting Costs; provided however, that the Company’s maximum liability for such costs
shall be $50,000, which amount shall be part of, and not in addition to, the limit of liability for Insuring
Agreement II. A Business Interruption and Insuring Agreement II. B. Contingent Business Interruption.
2. Forensic Accounting Costs means those costs and expenses of establishing or proving an Insured’s Loss
under Insuring Agreement II. A Business Interruption and Insuring Agreement II. B. Contingent Business
Interruption, including, without limitation, those connected with preparing a proof of loss. All loss
described in this paragraph must be reported, and all proofs of loss must be provided, to the
Underwriters no later than 6 months after the end of the Policy Period.
This endorsement is to take effect on: TBD
Policy Number: TBD
Policy Inception Date: TBD
Policy Expiration Date: TBD
Endorsement Number: CB-136-001
All other terms and conditions of the Policy remain unchanged.
This Endorsement changes the Policy. Please read it carefully.
SMART CYBER INSURANCE ENDORSEMENT
GDPR Coverage
In consideration of the premium charged, it is hereby understood and agreed that the Policy is amended as
follows:
A. The following Insuring Agreement is added to the Policy, under Third Party Insuring Agreements:
I. Amounts which the Insured is legally obligated to pay as a direct result of a Claim first made
against the Insured during the Policy Period, and reported in writing or by electronic notice to
the Company during the Policy Period or Extended Reporting Period, if applicable, for General
Data Protection Regulation.
B. The following definition is added to the DEFINITIONS section of the Policy:
General Data Protection Regulation
Damages, Regulatory Fines and Penalties and Defense Expenses which the Insured is legally
obligated to pay because of any Claim first made against any Insured during the Policy Period
for a violation of the EU General Data Protection Regulation (or legislation in the relevant EU
jurisdiction implementing this Regulation) arising from a Security Breach or Privacy Breach.
C. Solely for purposes of coverage provided by this Endorsement, the definition of Claim is amended
to include a request for information or institution of a regulatory proceeding against any Insured
under the General Data Protection Regulation Insuring Agreement for a violation of the EU General
Data Protection Regulation (or legislation in the relevant EU jurisdiction implementing this
Regulation).
D. Solely for purposes of coverage provided by this Endorsement, Exclusion 21. Anti-Trust Laws and
Unfair Competition shall not apply to the General Data Protection Regulation insuring agreement,
provided no member of the Control Group participated or colluded in the activities or incident giving
rise to coverage under such insuring agreement.
E. Solely for purposes of coverage provided by this Endorsement, Exclusion 10. Government
Intervention is deleted.
This endorsement is to take effect on: TBD
Policy Number: TBD
Policy Inception Date: TBD
Policy Expiration Date: TBD
Endorsement Number: CB-111-003
All other terms and conditions of the Policy remain unchanged.
This Endorsement changes the Policy. Please read it carefully.
SMART CYBER INSURANCE ENDORSEMENT
Invoice Manipulation Loss
In consideration of the premium charged, up to the amount of $100,000 subject to an applicable retention
of $100,000, it is hereby understood and agreed that the Policy to which this endorsement attaches is
amended as follows:
Clause II. E. Social Engineering and Cyber Crime Coverage is amended to include:
Invoice Manipulation Loss
Insured’s Direct Net Loss resulting directly from the Insured’s inability to collect Payment for goods,
products or services after such goods, products or services have been transferred to a Third Party, as a
result of an Invoice Manipulation Loss that the Insured rst discovers during the Policy Period:
DEFINITIONS is amended to include:
Direct Net Loss means the direct net cost to the Insured to provide goods, products or services to a Third
Party. Direct Net Loss will not include any profit to the Insured as a result of providing such goods, products
or services.
Invoice Manipulation Loss means the release or distribution of any fraudulent invoice or fraudulent
payment instruction to a Third Party as a direct result of a Security Breach or a Privacy Breach.
Payment means currency, coins or bank notes in current use and having a face value.
This endorsement is to take effect on: TBD
Policy Number: TBD
Policy Inception Date: TBD
Policy Expiration Date: TBD
Endorsement Number: CB-133-001
All other terms and conditions of the Policy remain unchanged.
This Endorsement changes the Policy. Please read it carefully.
SMART CYBER INSURANCE ENDORSEMENT
Loss of Funds Exclusion Carveback
In consideration of the premium charged, it is hereby understood and agreed that the Policy is amended as
follows:
Exclusions, exclusion #13 is deleted in its entirety and replaced with the following:
13. Loss of Funds
a. Loss, decrease in value or theft of securities or currency;
b. Trading losses, liabilities or changes in trading account value; or
c. The value of electronic funds, money, securities or wire transfer;
However, this exclusion does not apply to Insuring Agreement II.E. Social Engineering and Cyber Crime
Coverage.
This endorsement is to take effect on: TBD
Policy Number: TBD
Policy Inception Date: TBD
Policy Expiration Date: TBD
Endorsement Number: CB-128-001
All other terms and conditions of the Policy remain unchanged.
This Endorsement changes the Policy. Please read it carefully.
SMART CYBER INSURANCE ENDORSEMENT
Manuscript Specified Entity Exclusion
Any event originating at or involving the City's utility operations
This endorsement is to take effect on: TBD
Policy Number: TBD
Policy Inception Date: TBD
Policy Expiration Date: TBD
Endorsement Number: CB-300-001
All other terms and conditions of the Policy remain unchanged.
This Endorsement changes the Policy. Please read it carefully.
SMART CYBER INSURANCE ENDORSEMENT
Solicitation Claims Endorsement
In consideration of the premium charged, it is hereby understood and agreed that the Policy to which this
endorsement attaches is amended as follows:
1. General Conditions Policy Limits is amended by the addition of the following:
Any Solicitation Claim will be subject to the sub-limits set forth below. The limits shown below will be
the exclusive limits applicable to Solicitation Claims. Such sub-limits are part of, and will erode, the
Limits of Liability set forth in Item 5.A. of the Declarations for the Network Security and Privacy Liability
insuring agreement or the Regulatory Investigations, Fines and Penalties insuring agreement, whichever
applies, and the Maximum Policy Aggregate Limit of Liability set forth in Item 5.C. of the Declarations.
Solicitation Claim sublimit:
$50,000 each Solicitation Claim
$50,000 Aggregate
2. Definitions, Privacy Regulations, is amended to include the following:
A. CAN-SPAM Act of 2003;
B. Truth In Caller Act of 2009; and
C. Telephone Consumer Protection Act of 1991.
3. Definitions is amended to include the following definition:
Solicitation Claim means any Claim under the Network Security and Privacy Liability insuring
agreement or Regulatory Investigations, Fines and Penalties insuring agreement for, based upon,
arising from, in consequence of, or in any way involving any actual or alleged Privacy Breach in
violation of the CAN-SPAM Act of 2003, the Truth In Caller Act of 2009, or the Telephone Consumer
Protection Act of 1991, as amended, or any regulation promulgated under the foregoing statutes, or
any federal, state, local or foreign laws similar to the foregoing statutes, whether such law is statutory,
regulatory or common law.
This endorsement is to take effect on: TBD
Policy Number: TBD
Policy Inception Date: TBD
Policy Expiration Date: TBD
Endorsement Number: CB-120-001
All other terms and conditions of the Policy remain unchanged.
This Endorsement changes the Policy. Please read it carefully.
SMART CYBER INSURANCE ENDORSEMENT
Specified Claim(s) Exclusion
In consideration of the premium charged, it is hereby understood and agreed that the Policy is amended as
follows:
The Company shall not be liable for any Claim, Damages, Defense Expenses or Loss based upon, arising
out of, or in any way attributable to Prior event reported to Brit.
This endorsement is to take effect on: TBD
Policy Number: TBD
Policy Inception Date: TBD
Policy Expiration Date: TBD
Endorsement Number: CB-146-001
All other terms and conditions of the Policy remain unchanged.
This Endorsement changes the Policy. Please read it carefully.
SMART CYBER INSURANCE ENDORSEMENT
War Exclusion Cyber Terrorism Carveback
In consideration of the premium charged, it is hereby understood and agreed that the Policy to which this
endorsement attaches is amended as follows:
Exclusion 23., War is deleted and replaced with the following:
Confiscation, nationalization, requisition, strikes, labor strikes or similar labor actions; war, invasion, or
warlike operations, civil war, mutiny, rebellion, insurrection, civil commotion assuming the proportions of or
amounting to an uprising, military coup or usurped power.
This exclusion shall not apply to a terrorist event perpetrated by electronic or internet-based applications or
means;
This endorsement is to take effect on: TBD
Policy Number: TBD
Policy Inception Date: TBD
Policy Expiration Date: TBD
Endorsement Number: CB-167-001
All other terms and conditions of the Policy remain unchanged.