RESOLUTION NO. R-2023-061
A RESOLUTION AUTHORIZING THE PURCHASE OF CYBER LIABILITY INSURANCE
FROM GALLAGHER INSURANCE FOR THE ANNUAL PREMIUM IN AN AMOUNT NOT TO
EXCEED $10,750.00
WHEREAS, the City of Riverside has a need for cyber liability insurance as this is no
longer under the umbrella of our annual property and liability insurance carrier premium, and
WHEREAS, the City of Riverside in the adoption of its purchasing policy requires all
expenditures in excess of $10,000 to be presented to the Board of Aldermen for approval and
the City's insurance carrier MPR recommended Gallagher Insurance Kansas City, Missouri for
cyber liability insurance and has presented an adequate policy in the amount of $10,750 for the
FY 2023-2024 for such coverage, and
WHEREAS, funds for such purpose are budgeted in the Fiscal Year 2022-2023 budget;
and
WHEREAS, the Board of Aldermen find it is in the best interest of the citizens of the City
of Riverside to authorize purchase of such insurance coverage and approve the payment to
Gallagher Insurance, Kansas City, Missouri for cyber liability insurance coverage for the City of
Riverside, in an amount not to exceed $10,750.
NOW THEREFORE, BE IT RESOLVED BY THE BOARD OF ALDERMEN OF THE
CITY OF RIVERSIDE, MISSOURI, AS FOLLOWS:
THAT, the acquisition of such insurance coverages and payment to Gallagher
Insurance, Kansas City, Missouri, for cyber liability insurance coverage for the City of Riverside,
in an amount not to exceed $10,750 is hereby authorized and approved; and
FURTHER THAT the Mayor, City Administrator, or either of their designees, are hereby
authorized to execute all documents necessary or incidental to this transaction and the City
Clerk is authorized to attest thereto.
PASSED AND ADOPTED by the Board of Aldermen of the City of Riverside, Missouri,
the 20th day of June 2023.
Mayor Kathleen L. Rose
ATTEST:
Robin Kincaid, City Clerk
Gallagher
Insurance | Risk Management | Consulting
Client Authorization to Bind Coverage
After careful consideration of Gallagher's Proposal dated June 7, 2023, you accept the following coverage(s).
Please check the desired coverage(s) and note any coverage amendments below:
X❑ Accept ❑ Reject
Cyber Liability
Premium: $10,750.00.
Underwriters at Lloyd's, London
❑ Accept ❑ Reject TRIA (Included): $0.00
Exposures and Values
You confirm the payroll, values, schedules, and any other information pertaining to your operations, and
submitted to the underwriters, were compiled from information provided by you. If no updates were
provided to Gallagher, the values, exposures and operations used were based on the expiring policies.
You acknowledge it is your responsibility to notify Gallagher of any material change in your operations or
exposures.
Additional Terms and Disclosures
Gallagher is not an expert in all aspects of your business. Gallagher's Proposals for insurance are based
upon the information concerning your business that was provided to Gallagher by you. Gallagher expects
the information you provide is true, correct and complete in all material respects. Gallagher assumes no
responsibility to independently investigate the risks that may be facing your business, but rather have
relied upon the information you provide to Gallagher in making our insurance Proposals.
Gallagher's liability to you arising from any of Gallagher's acts or omissions will not exceed $20 million in
the aggregate. The parties each will only be liable for actual damages incurred by the other party, and will
not be liable for any indirect, special, exemplary, consequential, reliance or punitive damages. No claim or
cause of action, regardless of form (tort, contract, statutory, or otherwise), arising out of, relating to or in
any way connected with the Proposal, any of Gallagher's services or your relationship with Gallagher may
be brought by either party any later than two (2) years after the accrual of the claim or cause of action.
Gallagher has established security controls to protect Client confidential information from unauthorized
use or disclosure. For additional information, please review Gallagher's Privacy Policy located at
https://www.ajg.com/privacy-policy/.
You have read, understand and agree that the information contained in the Proposal and all documents
attached to and incorporated into the Proposal, is correct and has been disclosed to you prior to
authorizing Gallagher to bind coverage and/or provide services to you. By signing below, or authorizing
Gallagher to bind your insurance coverage through email when allowed, you acknowledge you have
reviewed and agree with terms, conditions and disclosures contained in the Proposal.
By: Brian E. Koral, City Administrator
Print Name (Specify Title)
City of Riverside
Date: June 13, 2023
June 7, 2023
City of Riverside
2950 NW Vivion Rd
Riverside, MO 64150
Re: Cyber Liability
Underwriters at Lloyd's, London
Policy Effective: 07/01/2023 to 07/01/2024
Dear Robin:
Your Cyber Liability policy will be renewing shortly. Attached is our quotation for Cyber Liability coverage. We
have checked competition in recent years and have found the incumbent terms to be the best solution for you.
We are not aware of any changes in your exposures to loss, nor are we aware of any changes in your business
operations that would necessitate additional coverage options. Please notify us immediately if you are planning
any new business operations.
We would like to outline the following notable points for your consideration:
• Any entity not named in this proposal, may not be an insured entity. This may include affiliates, subsidiaries,
LLC's, partnerships and joint ventures.
• The insurance carrier is Underwriters at Lloyd's, London.
• The renewal premium is $10,600.00 (Includes TRIA Premium: $0.00), plus
o Policy Administration Fee: $150.00
Total renewal policy premium: $10,750.00. You will receive an invoice from our office at time of binding.
• Defense costs are limited and included within the policy limits.
• The policy is claims-made and contains the following restrictions and claims reporting requirements:
1. Retroactive Date: Refer to Policy
2. Definition of claim: Refer to Policy
3. Incident or Claim Reporting Provision: Refer to Policy
4. Continuity Date or specific dates/limits applicable to the claims made conditions: Refer to Policy
• Immediately report all claims to:
Direct Reporting:
o Underwriters at Lloyd's, London
o Email: newclaims@cfcunderwriting.com
o Web: Claims | CFC (cfcunderwriting.com)
• Gallagher Reporting:
o Email: GGB.NRCClaimsCenter@ajg.com
o Phone: 855-497-0578
o Fax: 225-663-3224
• Gallagher is responsible for the placement of the following lines of coverage: Cyber Liability.
It is understood that any other type of exposure/coverage is either self-insured or placed by another brokerage
firm other than Gallagher. If you need help in placing other lines of coverage or covering other types of
exposures, please contact your Gallagher representative.
Should you elect to change carriers (if a new retro-active date is provided) or non-renew this policy, a
supplemental extended reporting endorsement may be available subject to policy terms and conditions. You
must request the extended reporting period in writing to the carrier within (refer to policy) days of the
expiration dates. The cost of this extended reporting period is 100% of the annual premium and is fully
earned. The extended reporting period extends only to those claims that occurred prior to the expiration date
and would have been covered by the policy. Claims must be reported to the carrier within (12) months of the
end of the policy period. The extended reporting period does not increase the limits of liability and is subject to
all policy terms, conditions and exclusions.
To renew this policy, please refer to the "Client Authorization to Bind Coverage" page attached.
Note any changes you desire to be made. Date and sign. Return prior to the effective date of coverage.
1. Subject to Satisfactory confirmation that you have downloaded & registered our incident response mobile
app, details of which can be found with your policy documents. (30 days post binding)
2. Subject to Signed version of the application form submitted, dated within 30 days of the required inception
date. (14 days post binding)
3. Subject to Satisfactory confirmation that you have an EDR solution deployed on all endpoints (prior to
binding)
We appreciate your business and look forward to working with you in the coming year. Please contact me if you
have any questions.
Sincerely,
Kylee Cundiff
Client Service Manager
Enclosure
Compensation Disclosure Schedule
Coverage(s): Cyber Liability
Carrier Name(s): Underwriters at Lloyd's, London
Wholesaler, MGA or Intermediary Name (1): Risk Placement
Estimated Annual Premium (2): $10,750.00
Comm % or Fee (3): 15%
Gallagher U.S. owned Wholesaler, MGA or Intermediary %: 10%
1. We were able to obtain more advantageous terms and conditions for you through an
intermediary/wholesaler.
2. If the premium is shown as an indication: The premium indicated is an estimate provided by the
market. The actual premium and acceptance of the coverage requested will be determined by the
market after a thorough review of the completed application.
* A verbal quotation was received from this carrier. We are awaiting a quotation in writing.
3. The commission rate is a percentage of annual premium excluding taxes & fees. * Gallagher is
receiving _% commission on this policy. The fee due Gallagher will be reduced by the amount of
the commissions received.
Important Disclosures
IMPORTANT: The proposal and/or any executive summaries outline certain terms and conditions of the insurance
proposed by the insurers, based on the information provided by your company. The insurance policies themselves must
be read to fully understand the terms, coverages, exclusions, limitations and/or conditions of the actual policy contract of
insurance. Policy forms will be made available upon request. We make no warranties with respect to policy limits or
coverage considerations of the carrier.
TRIA/TRIPRA Disclaimer — If this proposal contains options to purchase TRIA/TRIPRA coverage, the proposed
TRIA/TRIPRA program may not cover all terrorism losses. While the amendments to TRIA eliminated the distinction
between foreign and domestic acts of terrorism, a number of lines of coverage excluded under the amendments passed in
2005 remain excluded including commercial automobile, burglary and theft insurance; surety insurance, farm owners
multiple perils and professional liability (although directors and officers liability is specifically included). If such excluded
coverages are required, we recommend that you consider purchasing a separate terrorism policy. Please note that a
separate terrorism policy for these excluded coverages may be necessary to satisfy loan covenants or other contractual
obligations. TRIPRA includes a $100 billion cap on insurers' aggregate liability.
TRIPRA is set to expire on December 31, 2027. There is no certainty of extension, thus the coverage provided by your
insurers may or may not extend beyond December 31, 2027. In the event you have loan covenants or other contractual
obligations requiring that TRIA/TRIPRA be maintained throughout the duration of your policy period, we recommend that a
separate "Stand Alone" terrorism policy be purchased to satisfy those obligations.
Terms and Conditions
It is important that we clearly outline the nature of our mutual relationship. The following terms and conditions (these "Terms")
govern your relationship with Gallagher unless you have separately entered into a written services agreement with Gallagher
relative to the policies and services outlined in this Proposal, in which case that services agreement will govern and control
with respect to any conflicts with these Terms. These Terms will become effective upon your execution of the Client
Authorization to Bind Coverage (the "CAB") included in this Proposal and shall survive for the duration of your relationship
with Gallagher relative to the policies placed pursuant to the CAB or otherwise at your request.
Services
Gallagher will represent and assist you in all discussions and transactions with insurance companies relating to the lines of
insurance coverage set forth in the CAB and any other lines of insurance coverage with which you request Gallagher's
assistance. Gallagher will consult with you regarding any matters involving these or other coverages for which you have
engaged Gallagher. You have the sole discretion for approving any insurance policies placed, as well as all other material
decisions involving your risk management, risk transfer and/or loss prevention needs.
Although you are responsible for notifying applicable insurance companies directly in connection with any claims, demands,
suits, notices of potential claims or any other matters as required by the terms and conditions of your policies, Gallagher
will assist you in determining applicable claim reporting requirements.
Treatment of Information
Gallagher understands the need to protect the confidentiality and security of your confidential and sensitive information and
strives to comply with applicable data privacy and security laws. Your confidential and sensitive information will be protected
by Gallagher and only used to perform services for you; provided that Gallagher may disclose and transfer your information
to our affiliates, agents or vendors that have a need to know such information in connection with the provision of such
services (including insurance markets, as necessary, for marketing, quoting, placing and/or servicing insurance coverages).
We may also disclose such information as required by applicable data protection laws or the order of any court or tribunal,
subject to our providing you with prior notice as permitted by law.
We will (i) implement appropriate administrative, physical and technical safeguards to protect personal information; (ii) timely
report security incidents involving personal information to affected parties and/or regulatory bodies; (iii) create and maintain
required policies and procedures; and (iv) comply with data subjects' rights, as applicable. To the extent applicable under
associated data protection laws, you are a "business" or "controller" and Gallagher is a "service provider" or "data processor."
You will ensure that any information provided to Gallagher has been provided with any required notices and that you have
obtained all required consents, if any and where required, or are otherwise authorized to transfer all information to Gallagher
and enable Gallagher to process the information for the purposes described in this Proposal and as set forth in Gallagher's
Privacy Policy located at https://www.ajg.com/privacy-policy/. Gallagher may update its Privacy Policy from time to time and
any updates will be posted to such site.
Dispute Resolution
Gallagher does not expect that it will ever have a formal dispute with any of its clients. However, in the event that one
should arise, we should each strive to achieve a fair, expedient and efficient resolution and we'd like to clearly outline the
resolution process.
A. If the parties have a dispute regarding Gallagher's services or the relationship governed by this Proposal ("Dispute"),
each party agrees to resolve that Dispute by mediation. If mediation fails to resolve the Dispute, you and Gallagher
agree to binding arbitration. Each party waives all rights to commence litigation in court to resolve a Dispute, and
specifically waives all rights to pursue relief by class action or mass action in court or through arbitration. However, the
parties do not waive the ability to seek a court order of injunction in aid of the mediation and arbitration required by
these Terms.
B. The party asserting a Dispute must provide a written notice ("Notice") of the claim to the other party and to the American
Arbitration Association ("AAA") in accordance with its Commercial Arbitration Rules and Mediation Procedures. All
Dispute resolutions will take place in Chicago, IL, unless you and Gallagher agree to another location. The parties will
equally divide all costs of the mediation and arbitration proceedings and will each pay their own attorneys' fees. All
matters will be before a neutral, impartial and disinterested mediator or arbitrator(s) that have at least 20 years'
experience in commercial and insurance coverage disputes.
C. Mediation will occur within sixty (60) days of filing the Notice with the AAA. Mediation results will be reduced to a
memorandum of understanding signed by you, Gallagher and the mediator. A Dispute that is not resolved in mediation
will commence to binding arbitration. For Disputes in excess of $500,000, either party may elect to have the Dispute
heard by a panel of three (3) arbitrators. The award of the arbitrator(s) must be accompanied by a reasoned opinion
prepared and signed by the arbitrator(s). Except as may be required by law, neither you, Gallagher, nor a mediator or
arbitrator may disclose the existence, content or results of any Dispute or its dispute resolution proceeding without the
prior written consent of both you and Gallagher.
Electronic Delivery
In lieu of receiving documents in paper format, you agree, to the fullest extent permitted by law, to accept electronic delivery
of any documents that Gallagher may be required to deliver to you (including, but not limited to, insurance policies and
endorsements, account statements and all other agreements, forms and communications) in connection with services
provided by Gallagher. Electronic delivery of a document to you may be made via electronic mail or by other electronic
means, including posting documents to a secure website.
Miscellaneous Terms
Gallagher is engaged to perform services as an independent contractor and not as your employee or agent, and Gallagher
will not be operating in a fiduciary capacity.
Where applicable, insurance coverage placements and other services may require the payment of federal excise taxes,
surplus lines taxes, stamping or other fees to the Internal Revenue Service, various State(s) departments of revenue, state
regulators, boards or associations. In such cases, you will be responsible for the payment of the taxes and/or fees, which
Gallagher will separately identify on related invoices.
The Proposal and these Terms are governed by the laws of the State of Illinois, without regard to its conflict of law rules.
If an arbitrator/court of competent jurisdiction determines that any provision of these Terms is void or unenforceable, that
provision will be severed, and the arbitrator/court will replace it with a valid and enforceable provision that most closely
approximates the original intent, and the remainder of these Terms will remain in effect.
Except to the extent in conflict with a services agreement that you may enter into with Gallagher, these Terms and the
remainder of the Proposal constitute the entire agreement between you and Gallagher with respect to the subject matter of
the Proposal, and supersede all prior negotiations, agreements and understandings as to such matters.
Compensation Disclosure
1. Gallagher Companies are primarily compensated from the usual and customary commissions, fees or, where
permitted, a combination of both, for brokerage and servicing of insurance policies, annuity contracts, guarantee
contracts and surety bonds (collectively "insurance coverages") handled for a client's account, which may vary
based on market conditions and the insurance product placed for the client.
2. In placing, renewing, consulting on or servicing your insurance coverages, Gallagher companies may participate
in contingent and supplemental commission arrangements with intermediaries and insurance companies that
provide for additional compensation if certain underwriting, profitability, volume or retention goals are achieved.
Such goals are typically based on the total amount of certain insurance coverages placed by Gallagher with the
insurance company, not on an individual policy basis. As a result, Gallagher may be considered to have an
incentive to place your insurance coverages with a particular insurance company. If you do not wish to have your
commercial insurance placement included in consideration for additional compensation, contact your producer or
service team for an Opt-out form.
3. Gallagher Companies may receive investment income on fiduciary funds temporarily held by them, or from
obtaining or generating premium finance quotes, unless prohibited by law.
4. Gallagher Companies may also access or have an ownership interest in other facilities, including wholesalers,
reinsurance intermediaries, captive managers, underwriting managers and others that act as intermediaries for
both Gallagher and other brokers in the insurance marketplace some of which may earn and retain customary
brokerage commission and fees for their work.
If you have specific questions about any compensation received by Gallagher and its affiliates in relation to your insurance
placements, please contact your Gallagher representative for more details.
Market Review
We approached the following carriers in an effort to provide the most comprehensive and cost effective insurance
program.
Cyber Liability: Underwriters at Lloyd's, London (A XV), Recommended, Non-Admitted
*If shown as an indication, the actual premium and acceptance of the coverage requested will be determined by the
market after a thorough review of the completed application.
**Gallagher companies use AM Best rated insurers and the rating listed above was verified on the date the proposal
document was created.
Best's Credit Ratings™ reproduced herein appear under license from AM Best and do not constitute, either expressly or
impliedly, an endorsement of Gallagher's service or its recommendations. AM Best is not responsible for transcription
errors made in presenting Best's Credit Ratings™. Best's Credit Ratings™ are proprietary and may not be reproduced or
distributed without the express written permission of AM Best.
A Best's Financial Strength Rating is an independent opinion of an insurer's financial strength and ability to meet its
ongoing insurance policy and contract obligations. It is not a warranty of a company's financial strength and ability to meet
its obligations to policyholders. Best's Credit Ratings™ are under continuous review and subject to change and/or
affirmation. For the latest Best's Credit Ratings™ and Guide to Best's Credit Ratings, visit the AM Best website at
http://www.ambest.com/ratings.
***If coverage placed with a non-admitted carrier, it is doing business in the state as a surplus lines or non-admitted
carrier, and is neither subject to the same regulations as an admitted carrier nor do they participate in any state insurance
guarantee fund.
Gallagher companies make no representations and warranties concerning the solvency of any carrier, nor does it make
any representation or warranty concerning the rating of the carrier which may change.
cfc
INDICATION OF TERMS
REFERENCE NUMBER: 3421363
COMPANY NAME: City of Riverside
TOTAL PAYABLE: USD 10,750.00
Premium breakdown:
Cyber & Privacy: USD 8,800.00
Cyber Crime: USD 1,800.00
Policy Administration Fee: USD 150.00
TRIA: USD 0.00
BUSINESS OPERATIONS: Municipality
LEGAL ACTION: Worldwide
TERRITORIAL SCOPE: Worldwide
REPUTATIONAL HARM PERIOD: 12 months
INDEMNITY PERIOD: 12 months
WAITING PERIOD: 8 hours
WORDING: Cyber, Private Enterprise (US) v3.1
ENDORSEMENTS: Public Entity Amendatory Clause
Policyholder Disclosure Notice Of Terrorism Insurance Coverage
RPS Special Amendatory Clause
SUBJECTIVITIES: This quote is subject to the following being provided by
the stated deadline:
1. Satisfactory confirmation that you have
downloaded & registered our incident response
mobile app, details of which can be found with
your policy documents. (30 days post binding)
POLICY PERIOD: 12 months
DATE OF ISSUE: 06 Jun 2023
OPTIONAL EXTENDED REPORTING PERIOD: 12 months for 100% of applicable annualized premium
SECURITY: Certain underwriters at Lloyd's and other insurers
UNDERWRITER: Paige Carey
THIS INDICATION OF TERMS IS ONLY VALID FOR 30 DAYS FROM THE DATE OF ISSUE
PLEASE REFER TO THE FOLLOWING PAGES FOR A FULL BREAKDOWN OF LIMITS,
RETENTIONS AND APPLICABLE CLAUSES
DECLARATIONS
INSURING CLAUSE 1: CYBER INCIDENT RESPONSE
SECTION A: INCIDENT RESPONSE COSTS
Limit of liability: USD 1,000,000 each and every claim
Deductible: USD 0 each and every claim
SECTION B: LEGAL AND REGULATORY COSTS
Limit of liability: USD 1,000,000 each and every claim
Deductible: USD 10,000 each and every claim
SECTION C: IT SECURITY AND FORENSIC COSTS
Limit of liability: USD 1,000,000 each and every claim
Deductible: USD 10,000 each and every claim
SECTION D: CRISIS COMMUNICATION COSTS
Limit of liability: USD 1,000,000 each and every claim
Deductible: USD 10,000 each and every claim
SECTION E: PRIVACY BREACH MANAGEMENT COSTS
Limit of liability: USD 1,000,000 each and every claim
Deductible: USD 10,000 each and every claim
SECTION F: THIRD PARTY PRIVACY BREACH MANAGEMENT COSTS
Limit of liability: USD 1,000,000 each and every claim
Deductible: USD 10,000 each and every claim
SECTION G: POST BREACH REMEDIATION COSTS
Limit of liability: USD 50,000 each and every claim, subject to a
maximum of 10% of all sums we have paid
as a direct result of the cyber event
Deductible: USD 0 each and every claim
INSURING CLAUSE 2: CYBER CRIME
SECTION A: FUNDS TRANSFER FRAUD
Limit of liability: USD 100,000 each and every claim
Deductible: USD10,000 each and every claim
SECTION B: THEFT OF FUNDS HELD IN ESCROW
Limit of liability: USD 100,000 each and every claim
Deductible: USD 10,000 each and every claim
SECTION C: THEFT OF PERSONAL FUNDS
Limit of liability: USD100,000 each and every claim
Deductible: USD 10,000 each and every claim
SECTION D: EXTORTION
Limit of liability: USD 1,000,000 each and every claim
Deductible: USD 10,000 each and every claim
SECTION E: CORPORATE IDENTITY THEFT
Limit of liability: USD100,000 each and every claim
Deductible: USD 10,000 each and every claim
SECTION F: TELEPHONE HACKING
Limit of liability: USD 100,000 each and every claim
Deductible: USD 10,000 each and every claim
SECTION G: PUSH PAYMENT FRAUD
Limit of liability: USD 50,000 each and every claim
Deductible: USD 10,000 each and every claim
SECTION H: UNAUTHORIZED USE OF COMPUTER RESOURCES
Limit of liability: USD 100,000 each and every claim
Deductible: USD 10,000 each and every claim
INSURING CLAUSE 3: SYSTEM DAMAGE AND BUSINESS INTERRUPTION
SECTION A: SYSTEM DAMAGE AND RECTIFICATION COSTS
Limit of liability: USD 1,000,000 each and every claim
Deductible: USD 10,000 each and every claim
SECTION B: INCOME LOSS AND EXTRA EXPENSE
Limit of liability: USD 1,000,000 each and every claim, sub-limited to
USD1,000,000 in respect of system failure
Deductible: USD 10,000 each and every claim
SECTION C: ADDITIONAL EXTRA EXPENSE
Limit of liability: USD 100,000 each and every claim
Deductible: USD 10,000 each and every claim
SECTION D: DEPENDENT BUSINESS INTERRUPTION
Limit of liability: USD 1,000,000 each and every claim, sub-limited to
USD 1,000,000 in respect of system failure
Deductible: USD 10,000 each and every claim
SECTION E: CONSEQUENTIAL REPUTATIONAL HARM
Limit of liability: USD 1,000,000 each and every claim
Deductible: USD 10,000 each and every claim
SECTION F: CLAIM PREPARATION COSTS
Limit of liability: USD 25,000 each and every claim
Deductible: USD 0 each and every claim
SECTION G: HARDWARE REPLACEMENT COSTS
Limit of liability: USD 1,000,000 each and every claim
Deductible: USD 10,000 each and every claim
INSURING CLAUSE 4: NETWORK SECURITY & PRIVACY LIABILITY
SECTION A: NETWORK SECURITY LIABILITY
Aggregate limit of liability: USD 1,000,000 in the aggregate, including costs and
expenses
Deductible: USD 10,000 each and every claim, including costs and
expenses
SECTION B: PRIVACY LIABILITY
Aggregate limit of liability: USD 1,000,000 in the aggregate, including costs and
expenses
Deductible: USD 10,000 each and every claim, including costs and
expenses
SECTION C: MANAGEMENT LIABILITY
Aggregate limit of liability: USD 1,000,000 in the aggregate, including costs and
expenses
Deductible: USD 10,000 each and every claim, including costs and
expenses
SECTION D: REGULATORY FINES
Aggregate limit of liability: USD 1,000,000 in the aggregate, including costs and
expenses
Deductible: USD 10,000 each and every claim, including costs and
expenses
SECTION E: PCI FINES, PENALTIES AND ASSESSMENTS
Aggregate limit of liability: USD 1,000,000 in the aggregate, including costs and
expenses
Deductible: USD 10,000 each and every claim, including costs and
expenses
INSURING CLAUSE 5: MEDIA LIABILITY
SECTION A: DEFAMATION
Aggregate limit of liability: USD 1,000,000 in the aggregate, including costs and
expenses
Deductible: USD 10,000 each and every claim, including costs and
expenses
SECTION B: INTELLECTUAL PROPERTY RIGHTS INFRINGEMENT
Aggregate limit of liability: USD 1,000,000 in the aggregate, including costs and
expenses
Deductible: USD 10,000 each and every claim, including costs and
expenses
INSURING CLAUSE 6: TECHNOLOGY ERRORS AND OMISSIONS
NO COVER GIVEN
INSURING CLAUSE 7: COURT ATTENDANCE COSTS
Aggregate limit of liability: USD 100,000 in the aggregate
Deductible: USD 0 each and every claim
ATTACHING TO POLICY NUMBER: N/A
THE INSURED: City of Riverside
WITH EFFECT FROM: -
It is understood and agreed that the following amendments are made
to this Policy:
1. The DEFINITION of "Company" is deleted in its entirety and replaced
with the following:
"Company" means
the organization stated in the Declarations page and any of its
departments or divisions that are included within the operating
budget provided to us by you in your application for this insurance.
2. The DEFINITION of "Senior executive officer" is deleted in its entirety
and replaced with the following:
"Senior executive officer" means
board members and executive committee members of the
company or any individual holding an equivalent position in the
company.
SUBJECT OTHERWISE TO THE TERMS AND CONDITIONS OF THE
POLICY
ATTACHING TO POLICY NUMBER: N/A
THE INSURED: City of Riverside
WITH EFFECT FROM: -
Coverage for acts of terrorism is included in your policy. You are hereby
notified that under the Terrorism Risk Insurance Act, as amended in
2015, the definition of act of terrorism has changed. As defined in Section
102(1) of the Act: The term "act of terrorism" means any act or acts that
are certified by the Secretary of the Treasury—in consultation with the
Secretary of Homeland Security, and the Attorney General of the United
States—to be an act of terrorism; to be a violent act or an act that is
dangerous to human life, property, or infrastructure; to have resulted in
damage within the United States, or outside the United States in the
case of certain air carriers or vessels or the premises of a United States
mission; and to have been committed by an individual or individuals as
part of an effort to coerce the civilian population of the United States or
to influence the policy or affect the conduct of the United States
Government by coercion.
Under your coverage, any losses resulting from certified acts of terrorism
may be partially reimbursed by the United States Government under a
formula established by the Terrorism Risk Insurance Act, as amended.
However, your policy may contain other exclusions which might affect
your coverage, such as an exclusion for nuclear events. Under the
formula, the United States Government generally reimburses 85%
through 2015; 84% beginning on January 1, 2016; 83% beginning on
January 1, 2017; 82% beginning on January 1, 2018; 81% beginning on
January 1, 2019 and 80% beginning on January 1, 2020, of covered
terrorism losses exceeding the statutorily established deductible paid by
the insurance company providing the coverage.
The Terrorism Risk Insurance Act, as amended, contains a $100 billion
cap that limits U.S. Government reimbursement as well as insurers'
liability for losses resulting from certified acts of terrorism when the
amount of such losses exceeds $100 billion in any one calendar year. If
the aggregate insured losses for all insurers exceed $100 billion, your
coverage may be reduced.
The portion of your annual premium that is attributable to coverage for
acts of terrorism is USD0.00 and does not include any charges for the
portion of losses covered by the United States government under the
Act.
SUBJECT OTHERWISE TO THE TERMS AND CONDITIONS OF THE
POLICY
ATTACHING TO POLICY NUMBER: N/A
THE INSURED: City of Riverside
WITH EFFECT FROM: -
It is understood and agreed that the following amendments are made
to the Declarations page:
1. The time period stated as the "WAITING PERIOD" in the Declarations
page is deleted in its entirety and replaced with the following:
6 hours
2. The following INSURING CLAUSE is added:
CRIMINAL REWARD COVERAGE
Aggregate limit of liability: USD50,000 in the aggregate
Deductible: USD10,000 each and every claim
3. The following SECTION is added to INSURING CLAUSE 4:
SECTION F: CONTINGENT BODILY INJURY
Aggregate limit of liability: USD250,000 in the aggregate, including costs and
expenses
Deductible: USD10,000 each and every claim, including costs and
expenses
It is further understood and agreed that the following amendments are
made to this Policy:
1. The following INSURING CLAUSE is added:
CRIMINAL REWARD COVERAGE
We agree to reimburse you for any reasonable sums necessarily
incurred with our prior written agreement to pay any person or
organization, other than:
a. any external or internal auditor of the company, or
b. any individual or organization who manages or supervises
the individuals stated in a. above;
for information not otherwise available which directly results in the
arrest and conviction of any person or organization who is
committing or has committed any illegal act directly relating to a
claim covered under INSURING CLAUSES 1, 2, 3 or 4.
2. INSURING CLAUSE 1 (SECTION D only) is deleted in its entirety and
replaced with the following:
SECTION D: CRISIS COMMUNICATION COSTS
We agree to pay on your behalf any reasonable sums necessarily
incurred by you, or on your behalf, as a direct result of a cyber event
or system failure first discovered by you during the period of the
policy to:
a. engage with a crisis communications consultant to obtain
specific advice in direct relation to the cyber event or system
failure;
b. coordinate media relations in response to the cyber event or
system failure;
c. receive training for relevant spokespeople with respect to
media communications in direct relation to the cyber event
or system failure; and
d. formulate a crisis communications plan in order to reduce
damage to your brand and reputation as a direct result of
the cyber event or system failure.
3. INSURING CLAUSE 2 (SECTION D only) is deleted in its entirety and
replaced with the following:
SECTION D: EXTORTION
We agree to reimburse you for any ransom, including costs
associated with securing funds or digital currencies, paid by you, or
on your behalf, in response to an extortion demand first discovered
by you during the period of the policy as a direct result of any threat
to:
a. introduce malware, or the actual introduction of malware,
including Ransomware, into your computer systems;
b. prevent or not return access to your computer systems or
data or any third party systems hosting your applications or
data;
c. reveal your confidential information or confidential
information entrusted to you; or
d. damage your brand or reputation by posting false or
misleading comments about you on social media sites.
4. The following paragraph is added to INSURING CLAUSE 2 (SECTION
H only):
We will also reimburse you for loss first discovered by you during the
period of the policy as a direct result of any unauthorized use of or
access to, any cloud computing services, including any Software as a
Service, Infrastructure as a Service or Network as a Service, that are
directly used to conduct your business operations.
5. The following SECTION is added to INSURING CLAUSE 4:
SECTION F: CONTINGENT BODILY INJURY
We agree to pay on your behalf all sums which you become legally
obliged to pay (including liability for claimant's costs and expenses)
as a result of any claim arising out of bodily injury caused as a direct
result of a cyber event affecting your computer systems first
discovered by you during the period of the policy.
We will also pay costs and expenses on your behalf.
However, we will not make any payment under this Section for
which you are entitled to indemnity under any other insurance,
except for any additional sum which is payable over and above the
other insurance.
6. The following DEFINITION is added:
"Bodily injury" means
death, bodily injury, mental injury, illness or disease.
7. Where 10W is stated in the "Associated companies" EXCLUSION, it
is deleted in its entirety and replaced with "15W.
8. The "Bodily injury and property damage" EXCLUSION is deleted in its
entirety and replaced with the following:
Bodily injury and property damage
arising directly or indirectly out of:
a. bodily injury, or
b. tangible property damage.
However, part a. of this Exclusion will not apply to:
a. INSURING CLAUSES 4 (SECTIONS A, B and C only) and 5 for
any claim as a direct result of mental injury or emotional
distress; and
b. INSURING CLAUSE 4 (SECTION F only).
9. The first paragraph of the "Cancellation" CONDITION is deleted in its
entirety and replaced with the following:
This Policy may be canceled:
a. at any time upon written request by you; or
b. with 60 days written notice by us.
10. Where "60 days" and "60 day" are stated in the "Extended reporting
period" CONDITION, they are deleted in their entirety and replaced
with "90 days" and "90 day" respectively.
SUBJECT OTHERWISE TO THE TERMS AND CONDITIONS OF THE
POLICY
CfC
Response
An integral part of our cyber policy,
our award-winning mobile app
Response gives policyholders
access to a range of proactive
cybersecurity tools and services.
Here's what this valuable tool has to offer:
Access to CFC's cyber risk management tools
1 Phishing simulations - Targeting members
of your team whose credentials are the most
vulnerable, these simulations send mock
phishing emails in order to raise awareness of
this criminal tactic.
2 Dark web monitoring - This tool scours the
dark web for information relating to your
business, including corporate login credentials
and other breaches of sensitive data relating to
your domain name.
3 Deep scanning - This service actively scans
the external client network footprint to
identify claims correlated vulnerabilities that
lead to cyber attacks and ransomware.
4 Cybersecurity advice - The "Ask the Expert"
section of Response allows users to get
in touch with our specialist team for help
with cyber risk mitigation, best practices,
cybersecurity services on offer, and more.
5 Real time threat alerts - Through continuous
monitoring of our customers and analysis of
the latest cyber claims, our team is able to
spot problems fast. Through Response, we
send policyholders critical alerts specific to
their business along with guidance on how to
rectify any issues.
+ ... and instant notification of claims
Suffering an incident? The app allows you to instantly notify our specialist team if you have an issue.
This feature of Response triggers an immediate call-back from our experienced team of responders.
Simply use your CFC cyber policy number to register.
The app is available on the App Store or Google Play.
CFC Cyber, Private Enterprise (US) v3.1
Policy wording amendments
This document is provided as a matter of information only, please review the policy wording for full details
SUMMARY OF AMENDMENTS
DEFINITIONS
New Definitions
The following Definitions have been added:
"Cyber war"
"Impacted state"
"State"
"War"
EXCLUSIONS
Amended Exclusions
The following Exclusion has been amended:
"War" amended to "War and Cyber war"
The updated "War and cyber war" Exclusion clarifies that both physical acts of
war as well as Cyber war are excluded. However, Cyber war is carved back in
respect of INSURING CLAUSE 1 (SECTION A only) and that part of any claim
relating to computer systems which are physically located outside of an
impacted state.
CONDITIONS
New Conditions
The following Condition has been added:
Dispute resolution
This new Condition provides a clear process through which disputes between
the insurer and insured will be handled.
CFC
Cyber
Private enterprise
Policy document
United States
IMPORTANT: COVERAGE TRIGGERS. It is important for you to review this Policy carefully as the
trigger for coverage, including when you must notify us of a claim, under each Section and
Insuring Clause may differ.
This Policy is a contract of insurance between you and us. Your Policy contains all the details of
the cover that we provide. This Policy consists of and must be read together with the
Declarations page and any Endorsements. This Policy is not complete unless it is signed and a
Declarations page is attached.
The sections of this Policy are identified by the blue lines across the page with white upper case
print, these are for information purposes only and do not form part of the cover given by this
Policy. Terms in bold upper case print are references to specific Insuring Clauses, Sections or
Conditions. Other terms in bold lower case print are defined terms and have a special meaning
as set forth in the Definitions section and elsewhere. Words stated in the singular will include the
plural and vice versa.
In consideration of the premium and in reliance upon the information that you have provided to
us prior to the commencement of this insurance, we agree to provide the cover as set out below:
INSURING CLAUSE 1: CYBER INCIDENT RESPONSE
SECTION A: INCIDENT RESPONSE COSTS
We agree to pay on your behalf any reasonable sums necessarily incurred by you, or on your
behalf, as a direct result of a cyber event first discovered by you during the period of the policy to:
a. gain access to our 24/7 cyber incident response line;
b. engage with our cyber incident manager who will coordinate the initial response;
c. obtain initial advice and consultancy from our cyber incident manager, including threat
intelligence in relation to the cyber event; and
d. obtain initial remote support and assistance from our cyber incident manager to respond
to the cyber event.
SECTION B: LEGAL AND REGULATORY COSTS
We agree to pay on your behalf any reasonable sums necessarily incurred by you, or on your
behalf, as a direct result of a cyber event first discovered by you during the period of the policy to:
a. obtain legal advice to determine the correct course of action;
b. draft privacy breach notification letters, substitute notices, website notices or e-mail
notification templates;
c. notify any appropriate governmental, regulatory, law enforcement, professional or
statutory body;
d. respond to any regulatory investigation; and
e. defend any regulatory action.
SECTION C: IT SECURITY AND FORENSIC COSTS
We agree to pay on your behalf any reasonable sums necessarily incurred by you, or on your
behalf, as a direct result of a cyber event first discovered by you during the period of the policy to:
a. engage with an external IT security consultant to identify the source and scope of the
cyber event;
b. obtain initial advice to remediate the impact of the cyber event;
c. conduct a forensic investigation of your computer systems where reasonable and
necessary or as required by law or a regulatory body (including a requirement for a PCI
Forensic Investigator);
d. contain and remove any malware discovered on your computer systems; and
e. engage with an IT security consultant to provide expert witness testimony at any trial or
hearing arising from the cyber event.
SECTION D: CRISIS COMMUNICATION COSTS
We agree to pay on your behalf any reasonable sums necessarily incurred by you, or on your
behalf, as a direct result of a cyber event first discovered by you during the period of the policy to:
a. engage with a crisis communications consultant to obtain specific advice in direct
relation to the cyber event;
b. coordinate media relations in response to the cyber event;
c. receive training for relevant spokespeople with respect to media communications in
direct relation to the cyber event; and
d. formulate a crisis communications plan in order to reduce damage to your brand and
reputation as a direct result of the cyber event.
SECTION E: PRIVACY BREACH MANAGEMENT COSTS
We agree to pay on your behalf any reasonable sums necessarily incurred by you, or on your
behalf, as a direct result of a cyber event first discovered during the period of the policy to:
a. print and post appropriate notices for any individual affected by the actual or suspected
cyber event or to send e-mail notices or issue substitute notices;
b. provide credit monitoring services, identity monitoring services, identity restoration
services or identity theft insurance to affected individuals;
c. set up a call center to manage inbound and outbound calls in direct relation to the cyber
event; and
d. provide translation services to manage communications with affected individuals.
SECTION F: THIRD PARTY PRIVACY BREACH MANAGEMENT COSTS
We agree to pay on behalf of any third party any reasonable sums necessarily incurred as a direct
result of a cyber event first discovered by you during the period of the policy to:
a. print and post appropriate notices for any individual affected by the actual or suspected
cyber event or to send e-mail notices or issue substitute notices;
b. provide credit monitoring services, identity monitoring services, identity restoration
services or identity theft insurance to affected individuals;
c. set up a call center to manage inbound and outbound calls in direct relation to the cyber
event; and
d. provide translation services to manage communications with affected individuals;
provided that you have contractually indemnified the third party against this cyber event and
they have a legal obligation to notify affected individuals.
SECTION G: POST BREACH REMEDIATION COSTS
We agree to pay on your behalf any reasonable sums necessarily incurred by you, or on your
behalf, with our cyber incident manager following a cyber event covered under INSURING
CLAUSE 1 (SECTIONS A, B, C, D, E and F only) for the following services in order to mitigate the
potential of a future cyber event:
a. complete an information security risk assessment;
b. conduct an information security gap analysis;
c. develop an information security document set; and
d. deliver an information security awareness training session.
INSURING CLAUSE 2: CYBER CRIME
SECTION A: FUNDS TRANSFER FRAUD
We agree to reimburse you for loss first discovered by you during the period of the policy as a
direct result of any third party committing:
a. any unauthorized electronic transfer of funds from your bank;
b. theft of money or other financial assets from your bank by electronic means;
c. theft of money or other financial assets from your corporate credit cards by electronic
means; or
d. any phishing, vishing or other social engineering attack against any employee or senior
executive officer that results in the transfer of your funds to an unintended third party.
SECTION B: THEFT OF FUNDS HELD IN ESCROW
We agree to reimburse you for loss (including compensation you are required to pay) first
discovered by you during the period of the policy as a direct result of you having to reimburse
any third party for theft, committed by a third party by electronic means, of their money or other
financial assets from a bank account held by you on their behalf.
SECTION C: THEFT OF PERSONAL FUNDS
We agree to reimburse any senior executive officer for personal financial loss first discovered by
them during the period of the policy as a direct result of any third party compromising the
company's network security which results in:
a. theft of money or other financial assets from a personal bank account of the senior
executive officer; or
b. identity theft of the senior executive officer as a result of a privacy breach suffered by you.
SECTION D: EXTORTION
We agree to reimburse you for any ransom paid by you, or on your behalf, in response to an
extortion demand first discovered by you during the period of the policy as a direct result of any
threat to:
a. introduce malware, or the actual introduction of malware, including Ransomware, into
your computer systems;
b. prevent access to your computer systems or data or any third party systems hosting your
applications or data;
c. reveal your confidential information or confidential information entrusted to you; or
d. damage your brand or reputation by posting false or misleading comments about you on
social media sites.
SECTION E: CORPORATE IDENTITY THEFT
We agree to reimburse you for loss first discovered by you during the period of the policy arising
as a direct result of the fraudulent use or misuse of your electronic identity including the
establishment of credit in your name, the electronic signing of any contract, the creation of any
website designed to impersonate you or the reliance by any third party on a fraudulent version of
your digital identity.
SECTION F: TELEPHONE HACKING
We agree to reimburse you for loss first discovered by you during the period of the policy as a
direct result of your telephone system being hacked by a third party including the cost of
unauthorized calls or unauthorized use of your bandwidth.
SECTION G: PUSH PAYMENT FRAUD
We agree to reimburse you in the event of fraudulent electronic communications or websites
designed to impersonate you or any of your products first discovered by you during the period of
the policy, for:
a. the cost of creating and issuing a specific press release or establishing a specific website
to advise your customers and prospective customers of the fraudulent communications;
and
b. the cost of reimbursing your existing customers for their financial loss arising directly
from the fraudulent communications, including fraudulent invoices manipulated to
impersonate you; and
c. your income loss sustained following your discovery of the fraudulent communications as
a direct result of the fraudulent communications; and
d. external costs associated with the removal of websites designed to impersonate you.
SECTION H: UNAUTHORIZED USE OF COMPUTER RESOURCES
We agree to reimburse you for loss first discovered by you during the period of the policy as a
direct result of cryptojacking or botnetting.
INSURING CLAUSE 3: SYSTEM DAMAGE AND BUSINESS INTERRUPTION
SECTION A: SYSTEM DAMAGE AND RECTIFICATION COSTS
We agree to reimburse you for the additional cost of employing:
a. contract staff or overtime costs for employees to rebuild your data, including the cost of
data re-entry or data re-creation;
b. specialist consultants, including IT forensic consultants, to recover your data or
applications; and
c. specialist consultants or overtime costs for employees working within your IT department
to reconstitute your computer systems to the position they were in immediately prior to
the cyber event;
reasonably and necessarily incurred as a direct result of a cyber event first discovered by you
during the period of the policy.
SECTION B: INCOME LOSS AND EXTRA EXPENSE
We agree to reimburse you for your income loss and extra expense during the indemnity period
as a direct result of an interruption to your business operations caused by computer systems
downtime arising directly out of a cyber event or system failure which is first discovered by you
during the period of the policy, provided that the computer systems downtime lasts longer than
the waiting period.
SECTION C: ADDITIONAL EXTRA EXPENSE
We agree to reimburse you for any reasonable sums necessarily incurred during the indemnity
period that are in addition to your normal operating expenses and the extra expense recoverable
under INSURING CLAUSE 3 (SECTION B only):
a. to source your products or services from alternative sources in order to meet contractual
obligations to supply your customers;
b. to employ contract staff or overtime costs for employees in order to continue your
business operations;
c. to employ specialist consultants, including IT forensic consultants to diagnose the source
of the computer systems downtime; and
d. for employees working overtime within your IT department to diagnose and fix the source
of the computer systems downtime;
to mitigate an interruption to your business operations caused by computer systems downtime
arising directly out of a cyber event or system failure which is first discovered by you during the
period of the policy, provided that the computer systems downtime lasts longer than the waiting
period.
SECTION D: DEPENDENT BUSINESS INTERRUPTION
We agree to reimburse you for your income loss and extra expense sustained during the
indemnity period as a direct result of an interruption to your business operations arising directly
out of any sudden, unexpected and continuous outage of computer systems used directly by a
supply chain partner which is first discovered by you during the period of the policy, provided
that the computer systems downtime lasts longer than the waiting period and arises directly out
of any cyber event or system failure.
SECTION E: CONSEQUENTIAL REPUTATIONAL HARM
We agree to reimburse you for your income loss sustained during the reputational harm period
as a direct result of the loss of current or future customers caused by damage to your reputation
as a result of a cyber event first discovered by you during the period of the policy.
SECTION F: CLAIM PREPARATION COSTS
We agree to pay on your behalf any reasonable sums necessarily incurred to determine the
amount of your income loss sustained following an interruption to your business operations
covered under INSURING CLAUSE 3 (SECTIONS A, B, C, D and E only). We will only pay these costs
where they are incurred with an independent expert appointed by the cyber incident manager.
SECTION G: HARDWARE REPLACEMENT COSTS
We agree to pay on your behalf any reasonable sums necessarily incurred to replace any
computer hardware or tangible equipment forming part of your computer systems that have
been damaged as a direct result of a cyber event first discovered by you during the period of the
policy, provided that replacing the computer hardware or tangible equipment is a more time
efficient and cost effective solution than installing new firmware or software onto your existing
hardware.
INSURING CLAUSE 4: NETWORK SECURITY & PRIVACY LIABILITY
SECTION A: NETWORK SECURITY LIABILITY
We agree to pay on your behalf all sums which you become legally obliged to pay (including the
establishment of any consumer redress fund and associated expenses) as a result of any claim
arising out of a cyber event first discovered by you during the period of the policy that results in:
a. the transmission of malware to a third party's computer system;
b. your computer systems being used to carry out a denial of service attack;
c. your failure to prevent unauthorized access to information stored or applications hosted
on your computer systems or a third party's computer systems; and
d. identity theft, experienced by your employees, senior executive officers or any third party.
We will also pay costs and expenses on your behalf.
SECTION B: PRIVACY LIABILITY
We agree to pay on your behalf all sums which you become legally obliged to pay (including the
establishment of any consumer redress fund and associated expenses) as a result of any claim
arising out of a cyber event first discovered by you during the period of the policy that results in:
a. an actual or suspected disclosure of or unauthorized access to any Personally Identifiable
Information (PII), including payment card information or Protected Health Information
(PHI);
b. your failure to adequately warn affected individuals of a privacy breach, including the
failure to provide a data breach notification in a timely manner;
c. a breach of any rights of confidentiality as a direct result of your failure to maintain the
confidentiality of any data pertaining to an employee or a senior executive officer;
d. a breach of any rights of confidentiality, including a breach of any provisions of a non-
disclosure agreement or breach of a contractual warranty relating to the confidentiality of
commercial information, PII, or PHI;
e. a breach of any part of your privacy policy; or
f. actual or suspected disclosure of or unauthorized access to your data or data for which
you are responsible.
We will also pay costs and expenses on your behalf.
SECTION C: MANAGEMENT LIABILITY
We agree to pay on behalf of any senior executive officer all sums they become legally obliged to
pay as a result of any claim made against them arising directly out of a cyber event first
discovered by you during the period of the policy.
We will also pay costs and expenses on behalf of your senior executive officers.
However, we will not make any payment under this Section for which the senior executive officer
is entitled to indemnity under any other insurance, except for any additional sum which is
payable over and above the other insurance.
SECTION D: REGULATORY FINES
We agree to pay on your behalf any fines and penalties resulting from a regulatory investigation
arising as a direct result of a cyber event first discovered by you during the period of the policy.
We will also pay costs and expenses on your behalf.
SECTION E: PCI FINES, PENALTIES AND ASSESSMENTS
We agree to pay on your behalf any fines, penalties and card brand assessments including fraud
recoveries, operational reimbursements, non-cooperation costs and case management fees
which you become legally obliged to pay your acquiring bank or payment processor as a direct
result of a payment card breach first discovered by you during the period of the policy.
We will also pay costs and expenses on your behalf.
INSURING CLAUSES: MEDIA LIABILITY
SECTION A: DEFAMATION
We agree to pay on your behalf all sums which you become legally obliged to pay (including
liability for claimants' costs and expenses) as a result of any claim first made against you during
the period of the policy for any:
a. defamation, including but not limited to libel, slander, trade libel, product disparagement
and injurious falsehood; or
b. emotional distress or outrage based on harm to the character or reputation of any person
or entity;
arising out of any media content.
We will also pay costs and expenses on your behalf.
SECTION B: INTELLECTUAL PROPERTY RIGHTS INFRINGEMENT
We agree to pay on your behalf all sums which you become legally obliged to pay (including
liability for claimants' costs and expenses) as a result of any claim first made against you during
the period of the policy for any:
a. infringement of any intellectual property rights, including, but not limited to, copyright,
trademark, trade dilution, trade dress, commercial rights, design rights, domain name
rights, image rights, moral rights, service mark or service name, but not including patent;
b. act of passing-off, piracy or plagiarism or any misappropriation of content, concepts,
format rights or ideas or breach of a contractual warranty relating to intellectual property
rights;
c. breach of any intellectual property rights license acquired by you; or
d. failure to attribute authorship or provide credit;
arising out of any media content.
We will also pay costs and expenses on your behalf.
INSURING CLAUSE 6: TECHNOLOGY ERRORS AND OMISSIONS
We agree to pay on your behalf all sums which you become legally obliged to pay (including
liability for claimants' costs and expenses) as a result of any claim first made against you during
the period of the policy arising out of any act, error, omission or breach of contract in the
provision of your technology services.
We will also pay costs and expenses on your behalf.
INSURING CLAUSE 7: COURT ATTENDANCE COSTS
We agree to reimburse you for any reasonable sums necessarily incurred by you with our prior
written agreement (which will not be unreasonably withheld) to attend court or any tribunal,
arbitration, adjudication, mediation or other hearing in connection with any claim for which you
are entitled to indemnity under this Policy.
YOUR MAXIMUM LIMITS UNDER THIS POLICY
The maximum amount payable by us under this Policy for any one claim or series of related
claims is the policy limit plus the incident response limit.
The maximum amount payable by us under any Insuring Clause for any one claim or series of
related claims is the amount shown as the limit in the Declarations page for that Insuring Clause.
The maximum amount payable by us under any Section for any one claim or series of related
claims is the amount shown as the limit in the Declarations page for that Section.
YOUR MAXIMUM LIMIT FOR RELATED INCIDENTS
Where more than one claim arises from the same original cause or single source or event, all of
those claims will be deemed to be one claim and only one policy limit and one incident response
limit will apply in respect of that claim.
In the event that cover is provided under multiple Insuring Clauses or multiple Sections for any
one claim, only one policy limit and one incident response limit will apply in total for that claim.
YOUR AGGREGATE LIMIT FOR LIABILITY CLAIMS
In respect of INSURING CLAUSES 4, 5, 6 and 7, the maximum amount payable under this Policy in
total aggregate will be the policy limit.
In respect of INSURING CLAUSES 4, 5, 6 and 7, we may at any time pay to you in connection with
any claim the amount of the policy limit (after deduction of any amounts already paid). Upon
that payment being made we will relinquish the conduct and control of the claim and be under
no further liability in connection with that claim except for the payment of costs and expenses
incurred prior to the date of such payment (unless the policy limit is stated to be inclusive of
costs and expenses).
If costs and expenses are stated in the Declarations page to be in addition to the policy limit plus
the incident response limit, or if the operation of local laws require costs and expenses to be paid
in addition to the policy limit plus the incident response limit, and if a damages payment in
excess of the policy limit plus the incident response limit has to be made to dispose of any claim,
our liability for costs and expenses will be in the same proportion as the policy limit plus the
incident response limit bears to the total amount of the damages payment.
We will only be liable for that part of each and every claim which exceeds the amount of the
deductible. If any expenditure is incurred by us which falls within the amount of the deductible,
then you will reimburse that amount to us upon our request.
Where more than one claim arises from the same original cause or single source or event all of
those claims will be deemed to be one claim and only one deductible will apply.
In respect of INSURING CLAUSE 3 (SECTIONS B and D only), a single waiting period, deductible
and indemnity period will apply to each claim. Where the same original cause or single source or
event causes more than one period of computer systems downtime these will be considered one
period of computer systems downtime whose total duration is equal to the cumulative duration
of each individual period of computer systems downtime.
Where cover is provided under multiple Sections or multiple Insuring Clauses only one
deductible will apply to that claim and this will be the highest deductible of the Sections under
which cover is provided.
1. "Approved claims panel providers" means
the approved claims panel providers stated in the Declarations page.
2. "Botnetting" means
the unauthorized use of your computer systems by a third party for the purpose of launching
a denial of service attack or hacking attack against another third party.
3. "Business operations" means
the business operations stated in the Declarations page.
4. "Claim" means
a. a written demand for compensation;
b. a written request for a retraction or a correction;
c. a threat or initiation of a lawsuit; or
d. a disciplinary action or regulatory investigation.
made against you.
5. "Client" means
any third party with whom you have a contract in place for the supply of your business
services in return for a fee, or where a fee would normally be expected to be paid.
6. "Company" means
the company named as the Insured in the Declarations page or any subsidiary.
7. "Computer systems" means
all electronic computers used directly by you, including operating systems, software,
hardware and all communication and open system networks and any data or websites
wheresoever hosted, off-line media libraries and data back-ups and mobile devices including
but not limited to smartphones, Phones, tablets or personal digital assistants.
8. "Continuity date" means
the inception date or if you have maintained uninterrupted insurance of the same type with
us, the date this insurance was first incepted with us.
9. "Costs and expenses" means
a. third party legal and professional expenses (including disbursements) reasonably
incurred in the defense of claims or circumstances which could reasonably be
expected to give rise to a claim or in quashing or challenging the scope of any
injunction, subpoena or witness summons;
b. any post judgment interest; and
c. the cost of appeal, attachment and similar bonds including bail and penal bonds.
Subject to all costs and expenses being incurred with the cyber incident manager's prior
written agreement.
10. "Cryptojacking" means
the unauthorized use of your computer systems by a third party for the sole purpose of
cryptocurrency mining activities.
11. "Cyber event" means
any actual or suspected unauthorized system access, electronic attack or privacy breach,
including denial of service attack, cyber terrorism, hacking attack, Trojan horse, phishing
attack, man-in-the-middle attack, application-layer attack, compromised key attack, malware
infection (including spyware or Ransomware) or computer virus.
"Cyber event" does not mean system failure.
12. "Cyber incident manager" means
the company or individual named as the cyber incident manager in the Declarations page.
13. "Cyber incident response line" means
the telephone number stated as the cyber incident response line in the Declarations page.
14. "Cyber war" means
any unauthorized access to or electronic attack on computer systems, carried out by or on
behalf of a state, that directly results in another state becoming an impacted state.
15. "Deductible" means
the amount stated as the deductible in the Declarations page.
16. "Employee" means
any employee of the company, any volunteer working for the company and any individual
working for the company as an independent contractor.
"Employee" does not mean any senior executive officer.
17. "Expiry date" means
the expiry date stated in the Declarations page.
18. "Extra expense" means
your reasonable sums necessarily incurred in addition to your normal operating expenses to
mitigate an interruption to and continue your business operations, provided that the costs are
less than your expected income loss sustained had these measures not been taken.
19. "Impacted state" means
any state that suffers a major detrimental impact on its:
a. ability to function; or
b. defense and security capabilities;
as a direct result of any unauthorized access to or electronic attack on computer systems,
carried out by or on behalf of another state.
20. "Inception date" means
the inception date stated in the Declarations page.
21. "Incident response limit" means
the highest individual limit available where cover is applicable under INSURING CLAUSE 1 as
stated in the Declarations page.
22. "Income loss" means
your income that, had the cyber event or system failure which gave rise to the claim not
occurred, would have been generated directly from your business operations (less sales tax)
during the indemnity period or reputational harm period, less:
a. actual income (less sales tax) generated directly from your business operations during
the indemnity period or reputational harm period; and
b. any cost savings achieved as a direct result of the reduction in income.
23. "Indemnity period" means
the period starting from the first occurrence of:
a. the computer systems downtime; or
b. the downtime of computer systems used directly by a supply chain partner;
and lasting for the period stated as the indemnity period in the Declarations page.
24. "Loss" means
any direct financial loss sustained by the company.
25. "Media content" means
any content created or disseminated by you or on your behalf, including but not limited to
content disseminated through books, magazines, brochures, social media, billboards,
websites, mobile applications, television and radio.
"Media content" does not include any:
a. tangible product design;
b. industrial design;
c. architectural or building services;
d. any advertisement created by you for a third party;
e. business, company, product or trading name;
f. product packaging or labeling; or
g. software products.
26. "Payment card breach" means
an actual or suspected unauthorized disclosure of payment card data stored or processed by
you arising out of an electronic attack, accidental disclosure or the deliberate actions of a
rogue employee.
"Payment card breach" does not mean a situation where payment card data is deliberately
shared with or sold to a third party with the knowledge and consent of a senior executive
officer.
27. "Period of the policy" means
the period between the inception date and the expiry date or until the Policy is canceled in
accordance with CONDITION 5.
28. "Policy limit" means
the highest individual limit available where cover is applicable under any Insuring Clause or
Section as stated in the Declarations page.
29. "Premium" means
the amount stated as the premium in the Declarations page and any subsequent
adjustments.
30. "Privacy breach" means
an actual or suspected unauthorized disclosure of information arising out of an electronic
attack, accidental disclosure, theft or the deliberate actions of a rogue employee or third
party.
"Privacy breach" does not mean a situation where information is deliberately shared with or
sold to a third party with the knowledge and consent of a senior executive officer.
31. "Regulatory investigation" means
a formal hearing, official investigation, examination, inquiry, legal action or any other similar
proceeding initiated by a governmental, regulatory, law enforcement, professional or
statutory body against you.
32. "Reputational harm period" means
the period starting from when the cyber event is first discovered and lasting for the period
stated as the reputational harm period in the Declarations page.
33. "Senior executive officer" means
board members, C-level executives, in-house lawyers and risk managers of the company.
34. "State" means
sovereign state.
35. "Subsidiary" means
any entity in which the company has majority ownership of on or before the inception date.
36. "Supply chain partner" means
any:
a. third party that provides you with hosted computing services including infrastructure,
platform, file storage and application level services; or
b. third party listed as a supply chain partner in an endorsement attaching to this policy
which we have issued.
37. "System failure" means
any sudden, unexpected and continuous downtime of your computer systems which renders
them incapable of supporting their normal business function and is caused by an application
bug, an internal network failure or hardware failure.
However, in respect of INSURING CLAUSE 3 (SECTION D only), system failure also means any
sudden, unexpected and continuous downtime of computer systems used directly by a
supply chain partner which renders them incapable of supporting their normal business
function and is caused by an application bug, an internal network failure or hardware failure.
"System failure" does not mean a cyber event.
38. "Technology services" means
the supply by you of technology services to your client, including but not limited to hardware,
software, data processing, internet services, data and application hosting, computer systems
analysis, consulting, training, programming, installation, integration, support and network
management.
39. "Third party" means
any person who is not an employee or any legal entity that is not the company.
40. "Waiting period" means
the number of hours stated as the waiting period in the Declarations page.
41. "War" means
any physical:
a. war, invasion, acts of foreign enemies, hostilities or warlike operations (whether war is
declared or not), civil war, rebellion, insurrection, civil commotion assuming the
proportions of or amounting to an uprising, military or usurped power; or
b. action taken in controlling, preventing, suppressing or in any way relating to a. above.
42. "We/our/us" means
the underwriters stated in the Declarations page.
43. "You/your" means
the company, employees and senior executive officers solely acting in the normal course of
the company's business operations.
We will not make any payment under this Policy:
EXCLUSIONS RELATING TO SYSTEM DAMAGE AND BUSINESS INTERRUPTION
In respect of INSURING CLAUSE 3 only:
1. Business interruption liability
for that part of any claim that constitutes actual or alleged liability to a third party, or legal
costs in the defense of any claim, including customer compensation.
EXCLUSIONS RELATING TO ALL INSURING CLAUSES
2. Antitrust
in respect of INSURING CLAUSES 5 and 6, for or arising out of any actual or alleged antitrust
violation, restraint of trade, unfair competition, false, deceptive or unfair trade practices,
violation of consumer protection laws or false or deceptive advertising.
3. Associated companies
a. in respect of any claim made by any company, firm or partnership in which the
company has greater than a 10% executive or financial interest, unless the claim
emanates from an independent third party;
b. in respect of any claim made by any company, firm, partnership or individual which
has greater than a 10% executive or financial interest in the company, unless the claim
emanates from an independent third party;
c. arising out of or resulting from any of your activities as a trustee, partner, officer,
director or employee of any employee trust, charitable organization, corporation,
company or business other than that of the company; or
d. in respect of any claim made by or on behalf of the company against a third party.
4. Betterment
which results in you being in a better financial position or you benefitting from upgraded
versions of your computer systems as a direct result of the event which gave rise to the claim
under this policy.
However, in the event of a hacking attack, malware infection or computer virus, when
rebuilding your computer systems we will pay the additional costs and expenses incurred to
install a more secure and efficient version of the affected computer system, provided that the
maximum amount we will pay is 25% more than the cost that would have been incurred to
repair or replace the original model or license. Under no circumstances will we pay the cost of
acquiring or installing computer systems which did not form a part of your computer systems
immediately prior to the incident which gave rise to the claim.
This Exclusion will not apply to INSURING CLAUSES 1 (SECTION G only) and 3 (SECTION G
only).
5. Bodily injury and property damage
arising directly or indirectly out of bodily injury, or tangible property damage.
However, this Exclusion will not apply to INSURING CLAUSES 4 (SECTIONS A, B and C only)
and 5 for any claim as a direct result of mental injury or emotional distress.
6. Chargebacks
for any credit card company or bank, wholly or partially, reversing or preventing a payment
transaction, unless specifically covered under INSURING CLAUSE 4 (SECTION E only) for which
you have purchased coverage.
7. Core internet infrastructure failure
arising directly from a failure, material degradation or termination of any core element of the
internet, telecommunications or GPS infrastructure that results in a regional, countrywide or
global outage of the internet or core telecommunications network, including a failure of the
core DNS root servers, satellite network or the IP addressing system or an individual state or
non-state actor turning off all or part of the internet.
8. Domain name suspension or revocation
arising directly or indirectly from the suspension, cancellation, revocation or failure to renew
any of your domain names or uniform resource locators.
9. Insolvency
arising out of or relating directly or indirectly to your insolvency or bankruptcy, or the
insolvency or bankruptcy of any third party. However, your insolvency will not relieve us of any
of our legal obligations under this contract of insurance where this insolvency does not give
rise to a claim under this Policy.
10. Known claims and circumstances
arising out of any actual or suspected cyber event, claim or circumstance which might give
rise to a claim under this Policy which a senior executive officer was aware of, or ought
reasonably to have been aware of, prior to the continuity date, including any claim or
circumstance notified to any other insurer.
11. Liquidated damages, service credits and penalty clauses
for liquidated damages or service credits, or arising out of penalty clauses unless you would
have been liable in the absence of any contract stipulating the liquidated damages or service
credits or penalty clauses.
12. Loss of economic value
for the reduction in economic or market value (including loss of potential future sales) of any
of your intellectual property assets.
13. Management liability
for any sums that your senior executive officers become legally obliged to pay, including costs
and expenses, as a result of any claim made against them arising out of a cyber event.
However, this Exclusion will not apply to INSURING CLAUSE 4 (SECTION C only).
14. Misleading advertising
arising directly or indirectly from any advertisement, promotion or product description that is
actually or alleged to be false or misleading.
15. Nuclear
arising directly or indirectly from or contributed to by:
a. ionizing radiations or contamination by radioactivity from any nuclear fuel or from any
nuclear waste from the combustion of nuclear fuel; or
b. the radioactive, toxic, explosive or other hazardous properties of any explosive nuclear
assembly or nuclear component.
16. Patent infringement
arising directly or indirectly out of the actual or alleged infringement of any patent or
inducing the infringement of any patent.
17. Payment card industry related fines, penalties and assessments
for fines, penalties and card brand assessments, including fraud recoveries, operational
reimbursements, non-cooperation costs and case management fees which you become
legally obliged to pay your acquiring bank or payment processor as a direct result of a
payment card breach.
However, this Exclusion will not apply to INSURING CLAUSE 4 (SECTION E only).
18. Power and utility failure
arising directly or indirectly from any:
a. failure in the power supply, including that caused by any surge or spike in voltage,
electrical current or transferred energy; or
b. failure, disruption or reduction in the supply of utilities, including but not limited to gas
and water infrastructure or services.
19. Product IP infringement
arising directly or indirectly from the actual or alleged theft or misappropriation of any trade
secret by an employee from a former employer of theirs or infringement of any intellectual
property right by any product manufactured, designed, formulated, licensed, distributed, or
sold by you or the misappropriation of any trade secret by you or a third party.
20. Professional liability
arising directly out of any negligent advice or professional services provided to a client for a
fee except when arising directly from a cyber event.
However, this Exclusion will not apply to INSURING CLAUSE 6.
21. Property and hardware costs
for any tangible property repair or replacement including the cost of repairing any hardware
or replacing any tangible property or equipment that forms part of your computer systems.
However, this Exclusion will not apply to INSURING CLAUSE 3 (SECTION G only).
22. Regular hours staff costs
for contracted salary and bonus costs paid to employees or senior executive officers.
23. Sanctions
or will be deemed to provide any cover, to the extent that the provision of such payment or
cover will expose us to any sanction, prohibition or restriction under the United Nations
resolutions or the trade or economic sanctions, laws or regulations of Australia, Canada, the
European Union, United Kingdom or United States of America.
24. Terrorism
arising directly or indirectly out of:
a. any act or threat of force or violence by an individual or group, whether acting alone or
on behalf of or in connection with any organization or government, committed for
political, religious, ideological or similar purposes including the intention to influence
any government or to put the public, or any section of the public, in fear; or
b. any action taken in controlling, preventing, suppressing or in any way relating to a.
above.
However, this Exclusion does not apply to a cyber event affecting your computer systems or a
supply chain partner's computer systems.
25. Theft of funds held in escrow
for theft of money or other financial assets belonging to a third party from a bank account
held by you on their behalf.
However, this Exclusion will not apply to INSURING CLAUSE 2 (SECTION B only).
26. Uninsurable fines
for fines, penalties, civil or criminal sanctions or multiple, punitive or exemplary damages,
unless insurable by law.
27. Unlawful surveillance
in respect of any actual or alleged eavesdropping, wiretapping, or unauthorized audio or
video recording committed by you or by a third party on your behalf with the knowledge and
consent of your senior executive officers.
28. Unsolicited communications
arising directly or indirectly from any actual or alleged violation of:
a. the CAN-SPAM Act of 2003 or any subsequent amendments to that Act;
b. the Telephone Consumer Protection Act (TCPA) of 1991 or any subsequent
amendments to that Act; or
c. any other law, regulation or statute relating to unsolicited communication,
distribution, sending or transmitting of any communication via telephone or any other
electronic or telecommunications device.
However, this Exclusion will not apply to INSURING CLAUSE 4 (SECTION A only).
29. War and cyber war
arising directly or indirectly out of:
a. war; or
b. cyber war.
However, part b. above will not apply to:
a. INSURING CLAUSE 1 (SECTION A only); and
b. that part of any claim relating to any computer systems which are physically located
outside of an impacted state.
30. Willful or dishonest acts of senior executive officers
arising directly or indirectly out of any willful, criminal, malicious or dishonest act, error or
omission by a senior executive officer as determined by final adjudication, arbitral tribunal or
written admission.
1. What you must do if an incident takes place
If any senior executive officer becomes aware of any incident which may reasonably be
expected to give rise to a claim under this Policy, you must:
a. other than in accordance with CONDITION 2, notify the cyber incident manager as
soon as is reasonably practicable and follow their directions. However, this notification
must be made no later than the end of any applicable extended reporting period. A
telephone call to our cyber incident response line or confirmed notification via our
cyber incident response app will constitute notification to the cyber incident manager;
b. in respect of INSURING CLAUSE 2 (SECTIONS A, B and C only), report the incident to
the appropriate law enforcement authorities; and
c. in respect of INSURING CLAUSES 4, 5 and 6, not admit liability for or settle or make or
promise any payment or incur any costs and expenses without our prior written
agreement (which will not be unreasonably withheld).
Due to the nature of the coverage offered by this Policy, any unreasonable delay by you in
notifying the cyber incident manager could lead to the size of the claim increasing or to our
rights of recovery being restricted. We will not be liable for that portion of any claim that is
due to any unreasonable delay in you notifying the cyber incident manager of any incident in
accordance with this clause. However, if you are prevented from notifying us by a legal or
regulatory obligation then your rights under this Policy will not be affected.
If you discover a cyber event you may only incur costs without our prior written consent
within the first 72 hours following the discovery and any third party costs incurred must be
with a company forming part of the approved claims panel providers. All other costs may only
be incurred with the prior written consent of the cyber incident manager (which will not be
unreasonably withheld).
2. What you must do in the event of a circumstance which could give rise to a claim
In respect of INSURING CLAUSES 5 and 6, should a senior executive officer become aware of:
a. a situation during the period of the policy that could give rise to a claim; or
b. an allegation or complaint made or intimated against you during the period of the
policy;
then you have the option of whether to report this circumstance to us or not. However, if you
choose not to report this circumstance we will not be liable for that portion of any claim that
is greater than it would have been had you reported this circumstance.
If you choose to report this circumstance you must do so no later than the end of any
applicable extended reporting period for it to be considered under this Policy and we will
require you to provide full details of the circumstance, including but not limited to:
a. the time, place and nature of the circumstance;
b. the manner in which you first became aware of this circumstance;
c. the reasons why you believe that this circumstance could give rise to a claim;
d. the identity of the potential claimant; and
e. an indication as to the size of the claim that could result from this circumstance.
Any subsequent claim arising directly from this circumstance will be deemed to have been
made at the time this circumstance was notified to us and we will regard this claim as having
been notified under this Policy.
3. Additional insureds
We will indemnify any third party as an additional insured under this Policy, but only in
respect of sums which they become legally obliged to pay (including liability for claimants'
costs and expenses) as a result of a claim arising solely out of an act, error or omission
committed by you, provided that:
a. you contracted in writing to indemnify the third party for the claim prior to it first
being made against them; and
b. had the claim been made against you, then you would be entitled to indemnity under
this Policy.
Before we indemnify any additional insured they must:
a. prove to us that the claim arose solely out of an act, error or omission committed by
you; and
b. fully comply with CONDITION 1 as if they were you.
Where a third party is treated as an additional insured as a result of this Condition, any claim
made by that third party against you will be treated by us as if they were a third party and not
as an insured.
4. Agreement to pay claims (duty to defend)
We have the right and duty to take control of and conduct in your name the investigation,
settlement or defense of any claim. We will not have any duty to pay costs and expenses for
any part of a claim that is not covered by this Policy.
You may ask the cyber incident manager to consider appointing your own lawyer to defend
the claim on your behalf and the cyber incident manager may grant your request if they
consider your lawyer is suitably qualified by experience, taking into account the subject
matter of the claim, and the cost to provide a defense.
We will endeavor to settle any claim through negotiation, mediation or some other form of
alternative dispute resolution and will pay on your behalf the amount we agree with the
claimant. If we cannot settle using these means, we will pay the amount which you are found
liable to pay either in court or through arbitration proceedings, subject to the policy limit and
incident response limit.
We will not settle any claim without your consent. If you refuse to provide your consent to a
settlement recommended by us and elect to continue legal proceedings in connection with
the claim, any further costs and expenses incurred will be paid by you and us on a
proportional basis, with 80% payable by us and 20% payable by you. As a consequence of your
refusal, our liability for the claim, excluding costs and expenses, will not be more than the
amount for which the claim could have been settled.
5. Cancellation
This Policy may be canceled with 30 days written notice by either you or us.
If you give us notice of cancellation, the return premium will be in proportion to the number
of days that the Policy is in effect. However, if you have made a claim under this Policy there
will be no return premium.
If we give you notice of cancellation, the return premium will be in proportion to the number
of days that the Policy is in effect.
We also reserve the right of cancellation in the event that any amount due to us by you
remains unpaid more than 60 days beyond the inception date. If we exercise this right of
cancellation it will take effect from 14 days after the date the written notice of cancellation is
issued.
The Policy Administration Fee will be deemed fully earned upon inception of the Policy.
6. Continuous cover
If you have neglected, through error or oversight only, to report an incident discovered by you
that might give rise to a claim under this Policy during the period of a previous renewal of this
Policy issued to you by us, then provided that you have maintained uninterrupted insurance
of the same type with us since the expiry of that earlier Policy, then, notwithstanding
EXCLUSION 10, we will permit the matter to be reported under this Policy and we will
indemnify you, provided that:
a. the indemnity will be subject to the applicable limit of liability of the earlier Policy
under which the matter should have been reported or the policy limit plus the
incident response limit, whichever is the lower;
b. we may reduce the indemnity entitlement by the monetary equivalent of any
prejudice which has been suffered as a result of the delayed notification; and
c. the indemnity will be subject to all of the terms, Conditions, Definitions and Exclusions
of this Policy, other than a) above.
7. Dispute resolution
All disputes or differences between you and us will be referred to mediation or arbitration and
will take place in the country of registration of the company named as the insured in the
Declarations page.
In respect of any arbitration proceeding we will follow the applicable rules of the arbitration
association in the country where the company stated as the insured in the Declarations page
is registered, the rules of which are deemed incorporated into this Policy by reference to this
Condition. Unless the applicable arbitration association rules state otherwise, a single
arbitrator will be appointed who will be mutually agreed between you and us. If you and we
cannot agree on a suitable appointment then we will refer the appointment to the applicable
arbitration association.
Each party will bear its own fees and costs in connection with any mediation or arbitration
proceeding but the fees and expenses of the arbitrator will be shared equally between you
and us unless the arbitration award provides otherwise.
Nothing in this Condition is intended to remove your rights under CONDITION 18. However, if
a determination is made in any mediation or arbitration proceeding, CONDITION 18 is
intended only as an aid to enforce this determination.
8. Extended reporting period
An extended reporting period of 60 days following the expiry date will be automatically
granted at no additional premium. This extended reporting period will cover, subject to all
other terms, conditions and exclusions of this Policy:
a. any claim first made against you during the period of the policy and reported to us
during this extended reporting period;
b. any cyber event, loss or system failure first discovered by you during the period of the
policy and reported to us during this extended reporting period; and
c. any circumstance that a senior executive officer became aware of during the period of
the policy and reports to us during this extended reporting period.
No claim will be accepted by us in this 60 day extended reporting period if you are entitled to
indemnity under any other insurance, or would be entitled to indemnity under such
insurance if its limit of liability was not exhausted.
9. Optional extended reporting period
If we or you decline to renew or cancel this Policy then you will have the right to have issued
an endorsement providing an optional extended reporting period for the duration stated in
the Declarations page which will be effective from the cancellation or non-renewal date. This
optional extended reporting period will cover, subject to all other terms, conditions and
exclusions of this Policy:
a. any claim first made against you and reported to us during this optional extended
reporting period, provided that the claim arises out of any act, error or omission
committed prior to the date of cancellation or non-renewal; and
b. any cyber event, loss or system failure first discovered by you during this optional
extended reporting period, provided that the cyber event, loss or system failure
occurred during the period of the policy.
If you would like to purchase the optional extended reporting period you must notify us and
pay us the optional extended reporting period premium stated in the Declarations page
within 30 days of cancellation or non-renewal.
The right to the optional extended reporting period will not be available to you where
cancellation or non-renewal by us is due to non-payment of the premium or your failure to
pay any amounts in excess of the applicable policy limit and incident response limit or within
the amount of the applicable deductible as is required by this Policy in the payment of claims.
At the renewal of this Policy, our quotation of different premium, deductible, limits of liability
or changes in policy language will not constitute non-renewal by us.
10. Fraudulent claims
If it is determined by final adjudication, arbitral tribunal or written admission by you, that you
notified us of any claim knowing it to be false or fraudulent in any way, we will have no
responsibility to pay that claim, we may recover from you any sums paid in respect of that
claim and we reserve the right to terminate this Policy from the date of the fraudulent act. If
we exercise this right we will not be liable to return any premium to you. However, this will not
affect any claim under this Policy which has been previously notified to us.
11. Innocent non-disclosure
We will not seek to avoid the Policy or reject any claim on the grounds of non-disclosure or
misrepresentation except where the non-disclosure or misrepresentation was reckless or
deliberate.
12. Mergers and acquisitions
If you acquire an entity during the period of the policy whose annual revenue does not exceed
20% of the company's annual revenue, as stated in its most recent financial statements, cover
is automatically extended under this Policy to include the acquired entity as a subsidiary.
If you acquire an entity during the period of the policy whose annual revenue exceeds 20% of
the company's annual revenue, as stated in its most recent financial statements, cover is
automatically extended under this Policy to include the acquired entity as a subsidiary for a
period of 45 days.
We will consider providing cover for the acquired entity after the period of 45 days if:
a. you give us full details of the entity within 45 days of its acquisition; and
b. you accept any amendment to the terms and conditions of this Policy or agree to pay
any additional premium required by us.
In the event you do not comply with a. or b. above, cover will automatically terminate for the
entity 45 days after the date of its acquisition.
Cover for any acquired entity is only provided under this Policy for any act, error or omission
committed on or after the date of its acquisition.
No cover will be automatically provided under this Policy for any acquired entity:
a. whose business activities are materially different from your business activities;
b. that has been the subject of any lawsuit, disciplinary action or regulatory investigation
in the 3 year period prior to its acquisition; or
c. that has experienced a cyber event in the 3 year period prior to its acquisition, if the
cyber event cost more than the highest deductible of this Policy.
If during the period of the policy you consolidate, merge with or are acquired by another
entity then all coverage under this Policy will terminate at the date of the consolidation,
merger or acquisition unless we have issued an endorsement extending coverage, and you
have agreed to any additional premium and terms of coverage required by us.
13. Our rights of recovery
You must maintain all of your rights of recovery against any third party and make these
available to us where possible.
We will not exercise any rights of recovery against any employee or senior executive officer,
unless this is in respect of any fraudulent or dishonest acts or omissions as proven by final
adjudication, arbitral tribunal or written admission by you.
Any recoveries will be applied in proportion to the amounts paid by you and us.
14. Prior subsidiaries
Should an entity cease to be a subsidiary after the inception date, cover in respect of the
entity will continue as if it was still a subsidiary during the period of the policy, but only in
respect of an act, error, omission or event occurring prior to the date that it ceased to be a
subsidiary.
15. Process for adjustment of business interruption losses
In order to determine the amount of loss following an interruption to your business
operations covered under INSURING CLAUSE 3 (SECTIONS B, C, D and E only), the cyber
incident manager will appoint an independent expert agreed between you and us which will
be paid for by us in accordance with INSURING CLAUSE 3 (SECTION F only).
If an independent expert cannot be agreed upon, one will be appointed by an arbitrator
mutually agreed between you and us whose decision will be final and binding.
Once an independent expert has been appointed, their calculation of loss will be final and
binding.
16. Process for paying privacy breach notification costs
Any privacy breach notification transmitted by you or on your behalf must be done with our
prior written consent. We will ensure that notification is compliant with any legal or
regulatory requirements and contractual obligations. No offer must be made for financial
incentives, gifts, coupons, credits or services unless with our prior written consent which will
only be provided if the offer is commensurate with the risk of harm.
We will not be liable for any portion of the costs you incur under INSURING CLAUSE 1
(SECTION E only) that exceed the costs that you would have incurred had you gained our
prior written consent. In the absence of our prior written consent we will only be liable to pay
you the equivalent cost of a notification made using the most cost effective means
permissible under the governing law.
17. Supply chain interruption events
In respect of INSURING CLAUSE 3 (SECTION D only), it is a condition precedent to liability
under this Policy that you submit to us a written report from the supply chain partner
confirming the root cause and length of the outage.
18. Choice of law and service of suit
In the event of a dispute between you and us regarding this Policy, the dispute will be
governed by the laws of the State of the United States of America shown as the choice of law
stated in the Declarations page. We agree, at your request, to submit to the jurisdiction of a
court of competent jurisdiction within the United States of America.
Nothing in this Condition constitutes or should be understood to constitute a waiver of our
rights to commence an action in any court of competent jurisdiction in the United States of
America, to move an action to a United States District Court, or to seek a transfer of a case to
another court as permitted by the laws of the United States of America or the laws of any
State of the United States of America.
Cyber, Private Enterprise v3.1
It is further agreed that service of process in such suit may be made upon the law firm stated
in the Declarations page and that in any suit instituted against us, we will abide by the final
decision of such court or of any appellate court in the event of an appeal. The law firm stated
in the Declarations page is authorized and directed to accept service of process on our behalf
in any such suit and, at your request, to give a written undertaking to you that they will enter
a general appearance on our behalf in the event such suit is instituted.
Additionally, in accordance with the statute of any state, territory or district of the United
States which makes such a provision, we hereby designate the Superintendent,
Commissioner or Director of Insurance or other officer specified for that purpose in the
statute, or his successor or successors in office, as our true and lawful attorney upon whom
may be served any lawful process in any action, suit or proceeding instituted by you arising
out of this Policy. The law firm stated in the Declarations page is hereby designated as the
firm to whom the above mentioned officer is authorized to mail such process or a copy
thereof.