2020/21 Cyber Liability Program - Memorandum of Coverage

WSG-084 (05/11)

Illinois Union INSURANCE COMPANY
525 West Monroe Street, Suite 400
Chicago, IL 60661

NOTICE

POLICY NO. G70164243 001
NAME OF INSURED: California Joint Powers Insurance Authority
ADDRESS: 8081 Moody Street La Palma, CA 90623

We are pleased to enclose your policy for this account. Please be advised that by binding this risk with the above referenced Surplus Lines Insurance Company, you agree that as the Surplus Lines Broker responsible for the placement of this insurance policy, it is your obligation to comply with all States Surplus Lines Laws including completion of any declarations/affidavits that must be filed as well as payment of any and all Surplus Lines taxes that must be remitted to the State(s). We will look to you for indemnification if controlling Surplus Lines Laws are violated by you as the Surplus Lines broker responsible for the placement. You further confirm that any applicable state requirement concerning a diligent search for coverage by admitted carriers has been fulfilled in accordance with state law.

Thank you for this placement and your regulatory compliance.

Date: 07/01/2020

Illinois Union Insurance Company
Chubb Cyber Enterprise Risk Management Pool Policy
Declarations

NOTICE: THE THIRD PARTY LIABILITY INSURING AGREEMENTS OF THIS POLICY PROVIDE CLAIMS-MADE COVERAGE, WHICH APPLIES ONLY TO CLAIMS FIRST MADE DURING THE POLICY PERIOD OR AN APPLICABLE EXTENDED REPORTING PERIOD FOR ANY INCIDENT TAKING PLACE AFTER THE RETROACTIVE DATE BUT BEFORE THE END OF THE POLICY PERIOD. AMOUNTS INCURRED AS CLAIMS EXPENSES UNDER THIS POLICY SHALL REDUCE AND MAY EXHAUST THE APPLICABLE LIMIT OF INSURANCE AND WILL BE APPLIED AGAINST ANY APPLICABLE RETENTION. IN NO EVENT WILL THE COMPANY BE LIABLE FOR CLAIMS EXPENSES OR THE AMOUNT OF ANY JUDGMENT OR SETTLEMENT IN EXCESS OF THE APPLICABLE LIMIT OF INSURANCE. TERMS THAT ARE UNDERLINED IN THIS NOTICE PROVISION HAVE SPECIAL MEANING AND ARE DEFINED IN SECTION II, DEFINITIONS. READ THE ENTIRE POLICY CAREFULLY.

IF YOU NEED URGENT CRISIS MANAGEMENT OR LEGAL ADVICE, PLEASE CONTACT: Cyber Incident Response Coach Hotline at: 1(800) 817-2665 or cyberalert@chubb.com

Policy No: G70164243 001 New

Item 1. Named Insured: California Joint Powers Insurance Authority
Principal Address: 8081 Moody Street La Palma, CA 90623

Item 2. Policy Period
From: July 01, 2020 To: July 01, 2021 (12:01 AM local time at the address shown in Item 1.)

Item 3. Maximum Policy Limits of Insurance.
A. Pool Maximum Single Limit of Insurance: $1,000,000
B. Pool Maximum Pool Policy Aggregate Limit of Insurance: $10,000,000
C. Maximum Member Policy Aggregate Limit of Insurance: $1,000,000
D. Member Maximum Single Limit of Insurance: $1,000,000

Item 4. Limits of Insurance, Retentions and Insuring Agreement(s) Purchased.
If any Limit of Insurance field for an Insuring Agreement is left blank or NOT COVERED is shown, there is no coverage for such Insuring Agreement.

First Party Insuring Agreements

A. Cyber Incident Response Fund

MS-305005.1 (07/2020) Page 1 of 25

1. Cyber Incident Response Team
   Each Cyber Incident Limit: Pool $1,000,000; Member $1,000,000
   Aggregate Limit for all Cyber Incidents: Pool $10,000,000; Member $1,000,000
   Each Cyber Incident Retention: $50,000, Except Cyber Incident Response Coach: $0

NOTE: The Insured is under no obligation to use or contract for services with the Cyber Incident Response Team. However, if the Insured elects not to use or contract with the Cyber Incident Response Team but elects to use or contract with a Non-Panel Response Provider, then the Pool Each Cyber Incident Limits and Pool Aggregate Limit for all Cyber Incidents specified in Item 4A2 below apply.
2. Non-Panel Response Provider
   Each Cyber Incident Limit: Pool $250,000; Member $250,000
   Aggregate Limit for all Cyber Incidents: Pool $2,500,000; Member $250,000
   Each Cyber Incident Retention: $50,000

B. Business Interruption And Extra Expense

1. Business Interruption Loss And Extra Expenses
   Each Cyber Incident Limit: Pool $1,000,000; Member $1,000,000
   Aggregate Limit for all Cyber Incidents: Pool $10,000,000; Member $1,000,000
   Each Cyber Incident Retention: $50,000
   Waiting Period: 10 Hours

2. Contingent Business Interruption Loss And Extra Expenses
   Each Cyber Incident Limit: Pool $1,000,000; Member $1,000,000
   Aggregate Limit for all Cyber Incidents: Pool $10,000,000; Member $1,000,000
   Each Cyber Incident Retention: $50,000
   Waiting Period: 10 Hours

C. Digital Data Recovery
   Each Cyber Incident Limit: Pool $1,000,000; Member $1,000,000
   Aggregate Limit for all Cyber Incidents: Pool $10,000,000; Member $1,000,000
   Each Cyber Incident Retention: $50,000

D. Network Extortion
   Each Cyber Incident Limit: Pool $1,000,000; Member $1,000,000
   Aggregate Limit for all Cyber Incidents: Pool $10,000,000; Member $1,000,000
   Each Cyber Incident Retention: $50,000

Third Party Liability Insuring Agreements

E. Cyber, Privacy And Network Security Liability
   Each Claim Limit: Pool $1,000,000; Member $1,000,000
   Aggregate Limit for all Claims: Pool $10,000,000; Member $1,000,000
   Each Claim Retention: $50,000

1. Payment Card Loss
   Each Claim Limit: Pool $1,000,000; Member $1,000,000
   Aggregate Limit for all Claims: Pool $10,000,000; Member $1,000,000
   Each Claim Retention: $50,000

2. Regulatory Proceeding
   Each Claim Limit: Pool $1,000,000; Member $1,000,000
   Aggregate Limit for all Claims: Pool $10,000,000; Member $1,000,000
   Each Claim Retention: $50,000

F. Electronic, Social And Printed Media Liability
   Each Claim Limit: Pool $1,000,000; Member $1,000,000
   Aggregate Limit for all Claims: Pool $10,000,000; Member $1,000,000
   Each Claim Retention: $50,000

Item 5. Retroactive Date (only applicable to Third Party Liability Insuring Agreements): Full Prior Acts

Item 6. Pending or Prior Proceedings Date (only applicable to Third Party Liability Insuring Agreements): July 01, 2020

Item 7. Extended Reporting Period
A. Additional Premium: 100% of Annual Premium
B. Additional Period: 12 Months

Item 8. Policy Premium, Plus applicable taxes and fees (if any): $ 389,500

Item 9. Notice to Insurer

A. Notice of Incident, Claim, or potential Claim as set forth in Section VIII, subsection C
   By Mail: Director of Claims, Chubb, P.O. BOX 5105, Scranton, PA 18505-0518
   Fax Number: 877-746-4641
   By Email: ChubbClaimsFirstNotice@chubb.com
   By Mobile App or Online:

B. All Other Notices to the Insurer
   Chief Underwriting Officer
   Chubb – Financial Lines
   Attn: Chief Underwriting Officer
   1133 Avenue of the Americas, 32nd Floor
   New York, NY 10036
   WorkViewFLChubbIncoming@chubb.com

Chubb Cyber Enterprise Risk Management Pool Policy

In consideration of the payment of the premium, in reliance upon the Application, and subject to the Declarations and the terms and conditions of this Policy, the Insureds and the Insurer agree as follows:

I. INSURING AGREEMENTS

Coverage is afforded pursuant to those Insuring Agreements purchased, as shown in Item 4 of the Declarations.

FIRST PARTY INSURING AGREEMENTS

A. CYBER INCIDENT RESPONSE FUND
The Insurer will pay Cyber Incident Response Expenses incurred by an Insured in response to a Cyber Incident first discovered by any Control Group Member during the Policy Period.

B. BUSINESS INTERRUPTION AND EXTRA EXPENSES
The Insurer will pay:
1. the Business Interruption Loss and Extra Expenses incurred by an Insured during the Period of Restoration resulting directly from a Cyber Incident which first occurs during the Policy Period; and
2. the Contingent Business Interruption Loss and Extra Expenses incurred by an Insured during the Period of Restoration resulting directly from a Cyber Incident which first occurs during the Policy Period.

C. DIGITAL DATA RECOVERY
The Insurer will pay the Digital Data Recovery Costs incurred by an Insured resulting directly from a Cyber Incident first discovered by any Control Group Member during the Policy Period.

D. NETWORK EXTORTION
The Insurer will reimburse Extortion Expenses incurred by an Insured in response to a Cyber Incident first discovered by any Control Group Member during the Policy Period.

THIRD PARTY LIABILITY INSURING AGREEMENTS

E. CYBER, PRIVACY AND NETWORK SECURITY LIABILITY
The Insurer will pay Damages and Claim Expenses by reason of a Claim first made against an Insured during the Policy Period for a Cyber Incident which first occurs on or after the applicable Retroactive Date and prior to the end of the Policy Period.

F. ELECTRONIC, SOCIAL AND PRINTED MEDIA LIABILITY
The Insurer will pay Damages and Claim Expenses by reason of a Claim first made against an Insured during the Policy Period for a Media Incident which first occurs on or after the applicable Retroactive Date and prior to the end of the Policy Period.

II. DEFINITIONS

When used in this Policy:

Act of Cyber-Terrorism means: (i) any act, including force or violence, or the threat thereof, expressly directed against a Computer System operated by an Insured, by an individual or any group of individuals, whether acting alone, on behalf of or in connection with any entity or government to damage, destroy or access a Computer System without authorization; or, (ii) a targeted denial of service attack or transmittal of corrupting or harmful software code at or into the Insured’s Computer System for social, ideological, religious, economic or political reasons, including intimidating or coercing a government, a civilian population or disrupting any segment of an economy.

Application means all applications, including any attachments thereto, and all other information and materials submitted by or on behalf of the Insureds to the Insurer in connection with the Insurer underwriting this Policy or any policy of which this Policy is a direct renewal or replacement.
All such applications, assessments, attachments, information and materials are deemed attached to and incorporated into this Policy.

Bodily Injury means injury to the body, sickness, disease, or death. Bodily Injury also means mental injury, mental anguish, mental tension, emotional distress, pain and suffering, or shock, whether or not resulting from injury to the body, sickness, disease or death of any person.

Business Interruption Loss means:
1. the Insured’s continuing normal operating and payroll expenses; and
2. the Insured’s net profit before income taxes that would have been earned had no Interruption in Service of the Insured’s Computer System occurred.

Claim means any:
1. written demand against any Insured for monetary damages or non-monetary or injunctive relief;
2. civil proceeding against any Insured seeking monetary damages or non-monetary or injunctive relief, commenced by the service of a complaint or similar pleading;
3. arbitration, mediation, or other alternative dispute resolution proceeding against any Insured seeking monetary damages or non-monetary or injunctive relief, commenced by the receipt of a written demand, or service of a complaint or similar pleading;
4. criminal proceeding against an Insured commenced by: (a) an arrest, or (b) a return of an indictment, information or similar document;
5. written request directed at an Insured to toll or waive a statute of limitations applicable to a Claim referenced in paragraphs 1-4 immediately above; or
6. Regulatory Proceeding,
including, where applicable, any appeal therefrom.

Claims Expenses means the reasonable and necessary:
1. attorneys’ fees, mediation costs, arbitration expenses, expert witness fees and other fees and costs incurred by the Insurer, or by an Insured with the Insurer’s prior written consent, in the investigation and defense of a Claim; and
2. premiums for any appeal bond, attachment bond or similar bond, although the Insurer shall have no obligation to apply for or furnish such bond.
Claims Expenses shall not include wages, salaries or other compensation of directors, officers, similar executives, or employees of the Insurer or any Insured.

Computer System means computer hardware, software, Telephone System, firmware, and the data stored thereon, as well as associated input and output devices, data storage devices, mobile devices, networking equipment and storage area network or other electronic data backup facilities. The terms referenced herein include Industrial Control Systems.

Consumer Redress Fund means a sum of money which an Insured is legally obligated to deposit in a fund as equitable relief for the payment of consumer claims due to an adverse judgment or settlement of a Regulatory Proceeding. Consumer Redress Fund shall not include any amounts paid which constitute taxes, fines, penalties, injunctive relief or sanctions.

Contingent Business Interruption Loss means:
1. the Insured’s continuing normal operating and payroll expenses; and
2. the Insured’s net profit before income taxes that would have been earned had no Interruption in Service of a Shared Computer System occurred.

Control Group Member means, as applicable, a Member’s Chief Executive Officer, Chief Financial Officer, Chief Information Officer, Chief Information Security Officer, Chief Privacy Officer, Chief Technology Officer, General Counsel, Risk Manager, or the organizational or functional equivalent of such positions.

Costs means:
1. Cyber Incident Response Expenses;
2. Business Interruption Loss;
3. Contingent Business Interruption Loss;
4. Extra Expenses;
5. Digital Data Recovery Costs; or
6. Extortion Expenses.

Cyber Incident means:
1. with respect to Insuring Agreement A, Cyber Incident Response Fund,
   a. any actual or reasonably suspected Network Security Failure;
   b. any actual or reasonably suspected failure by an Insured, or any independent contractor for whom or for which an Insured is legally responsible, to properly handle, manage, store, destroy, protect, use or otherwise control Protected Information;
   c. any unintentional violation by an Insured of any Privacy or Cyber Law, including the unintentional wrongful collection of Protected Information by an Insured;
   d. any reasonably suspected Interruption in Service, provided a Limit of Insurance is shown in the Declarations applicable to Insuring Agreement B, Business Interruption And Extra Expenses; or
   e. any reasonably suspected Network Extortion Threat, provided a Limit of Insurance is shown in the Declarations applicable to Insuring Agreement D, Network Extortion;
2. with respect to Insuring Agreement B, Business Interruption And Extra Expenses, an actual Interruption in Service;
3. with respect to Insuring Agreement C, Digital Data Recovery, an actual Network Security Failure resulting in Digital Data Recovery Costs;
4. with respect to Insuring Agreement D, Network Extortion, an actual Network Extortion Threat; or
5. with respect to Insuring Agreement E, Cyber, Privacy And Network Security Liability, any error, misstatement, misleading statement, act, omission, neglect, breach of duty or other offense actually or allegedly committed or attempted by any Insured in their capacity as such, resulting in or based upon a Cyber Incident as referenced in paragraphs 1 – 4 immediately above.

Cyber Incident Response Coach means the law firm within the Cyber Incident Response Team, designated for consultative and pre-litigation legal services provided to an Insured.

Cyber Incident Response Expenses means those reasonable and necessary expenses paid or incurred by an Insured as a result of a Cyber Incident. Such expenses are as follows:
1. retaining the services of the Cyber Incident Response Coach;
2. retaining the services of third party forensic firms, including a Payment Card Industry (PCI) Forensic Investigator, to determine the cause and scope of a Cyber Incident;
3. retaining the services of a public relations or crisis communications firm for the purpose of protecting or restoring the reputation of, or mitigating financial harm to, an Insured;
4. retaining the services of a law firm to determine the Insured’s rights under the indemnification provisions of a written agreement between the Insured and any other person or entity with respect to a Cyber Incident otherwise covered under Insuring Agreements A - E of this Policy;
5. expenses required to comply with Privacy or Cyber Laws, including:
   a. retaining the services of a law firm to determine the applicability of and actions necessary to comply with Privacy or Cyber Laws;
   b. drafting notification letters, and to report and communicate as required with any regulatory, administrative or supervisory authority;
   c. call center services, mailing services or costs, and other related services for notification as required by law; or
   d. providing credit monitoring, credit freezing or credit thawing.
   For purposes of this paragraph 5, compliance with Privacy or Cyber Laws shall follow the law of the applicable jurisdiction that most favors coverage for such expenses;
6. expenses not required to comply with Privacy or Cyber Laws, and with the Insurer’s prior consent, for:
   a. notifying a natural person whose Protected Information has been wrongfully disclosed or otherwise compromised, including retaining a notification service or the services of a call center;
   b. providing credit monitoring, credit freezing, credit thawing, healthcare record monitoring (where available), social media monitoring, password management service, or fraud alert services for those natural persons who accept an offer made by or on behalf of the Insured for, and receive, such services;
   c. retaining the services of a licensed investigator or credit specialist to provide fraud consultation to the natural persons whose Protected Information has been wrongfully disclosed or otherwise compromised;
   d. retaining the services of third party identity restoration service to natural persons identified by a licensed investigator as victims of identity theft directly resulting from a Cyber Incident otherwise covered under Insuring Agreements A or E;
   e. paying any reasonable amount to an informant for information not otherwise available which leads to the arrest and conviction of a natural person or an entity responsible for a Cyber Incident; or
   f. other services that are deemed reasonable and necessary by the Insurer.
Cyber Incident Response Expenses shall not include:
   i. costs or expenses incurred to update or improve privacy or network security controls, policies or procedures, or compliance with Privacy or Cyber Laws, to a level beyond that which existed prior to the applicable Cyber Incident;
   ii. taxes, fines, penalties, amounts for injunctive relief, or sanctions;
   iii. the Insured’s money or any money in the Insured’s care, custody, or control; or
   iv. wages, salaries, and other compensation of directors, officers, similar executives, or employees of a Member, or internal operating costs, expenses, or fees of any Member.

Cyber Incident Response Team means Pre-Approved Response Providers who provide services as defined in Cyber Incident Response Expenses.

Damages means compensatory damages, any award of prejudgment or post-judgment interest, Payment Card Loss, Regulatory Fines, Consumer Redress Fund, settlements, and amounts which an Insured becomes legally obligated to pay on account of any Claim. Damages shall not include:
1. any amount for which an Insured is not financially liable or legally obligated to pay;
2. taxes, fines, penalties or sanctions directly imposed against an Insured, except for Payment Card Loss or Regulatory Fines otherwise covered under Insuring Agreement E;
3. matters uninsurable under the laws pursuant to which this Policy is construed;
4. punitive or exemplary damages, or the multiple portion of any multiplied damage award, except to the extent that such punitive or exemplary damages, or multiplied portion of any multiplied damage award, are insurable under the applicable laws of any jurisdiction which most favors coverage for such damages and which has a substantial relationship to the Insured, Insurer, this Policy, or the Claim giving rise to such damages;
5. the cost to an Insured to comply with any injunctive, remedial, preventative, or other non-monetary or declaratory relief, including specific performance, or any agreement to provide such relief;
6. consideration owed or paid by or to an Insured, including any royalties, restitution, reduction, disgorgement or return of any payment, charges, or fees; or costs to correct or re-perform services, or for the reprint, recall, or removal of Media Content;
7. liquidated damages pursuant to a contract, to the extent such amount exceeds the amount which the Insured would have been liable in the absence of such contract; or
8. penalties against an Insured of any nature, however denominated, arising by contract, except for Payment Card Loss otherwise covered under Insuring Agreement E.

Digital Data means software or other information in electronic form which is stored on an Insured’s Computer System or Shared Computer System. Digital Data shall include the capacity of an Insured’s Computer System or Shared Computer System to store information, process information, and transmit information over the Internet. Digital Data shall not include or be considered tangible property.
Digital Data Recovery Costs means:
1. the reasonable and necessary costs incurred by an Insured to replace, restore, recreate, re-collect or recover Digital Data from written records or from partially or fully matching electronic records due to their corruption, theft, or destruction, caused by a Network Security Failure, including disaster recovery or computer forensic investigation efforts. However, in the event that it is determined that the Digital Data cannot be replaced, restored, recreated, re-collected, or recovered, Digital Data Recovery Costs shall be limited to the reasonable and necessary costs incurred to reach such determination; or
2. Telephone Fraud Financial Loss,
including reasonable and necessary expenses incurred to mitigate or reduce any costs or loss in paragraphs 1 and 2 immediately above.
Digital Data Recovery Costs shall not include:
   a. costs or expenses incurred to update, replace, restore, recreate or improve Digital Data to a level beyond that which existed prior to the applicable Cyber Incident;
   b. costs or expenses incurred to identify or remediate software program errors or vulnerabilities, or costs to update, replace, restore, upgrade, maintain, or improve a Computer System;
   c. costs incurred to research and develop Digital Data, including Trade Secrets;
   d. the economic or market value of Digital Data, including Trade Secrets; or
   e. any other consequential loss or damages.

Extended Reporting Period means the period of time shown in Item 7B of the Declarations, subject to Section V, Extended Reporting Period.

Extortion Expenses means reasonable and necessary expenses incurred by an Insured resulting directly from a Network Extortion Threat, including money, cryptocurrencies (including Bitcoin), or other consideration surrendered as payment by an Insured to a natural person or group believed to be responsible for a Network Extortion Threat. Extortion Expenses shall also include reasonable and necessary expenses incurred to mitigate or reduce any of the foregoing expenses.

Extra Expenses means the reasonable and necessary:
1. expenses incurred by an Insured to the extent such expenses mitigate, reduce, or avoid an Interruption in Service, provided they are in excess of expenses that an Insured would have incurred had there been no Interruption in Service;
2. expenses incurred by an Insured to the extent such expenses reduce the Period of Restoration;
3. with the Insurer’s prior consent, costs incurred by an Insured to retain the services of a third party forensic accounting firm to determine the amount of Business Interruption Loss or Contingent Business Interruption Loss.
Extra Expenses shall not include:
   a. costs or expenses incurred to prevent a loss or correct any deficiencies or problems with an Insured’s Computer System or Shared Computer System that might cause or contribute to a Claim;
   b. costs or expenses incurred to update, restore, replace, upgrade, maintain, or improve any Computer System; or
   c. penalties of any nature, however denominated, arising by contract.

Incident means Cyber Incident or Media Incident.
Insured means:
1. the Member;
2. any Subsidiary of the Member, but only with respect to Incidents which occur while it is a Subsidiary;
3. any past, present, or future natural person principal, partner, officer, director, trustee, employee, leased employee or temporary employee of a Member, but only with respect to an Incident committed within the scope of such natural person’s duties performed on behalf of such Member;
4. any past, present or future independent contractor of a Member who is a natural person, agent, or single person entity, but only with respect to the commission of an Incident within the scope of such natural person’s, agent’s, or single person entity’s duties, performed on behalf of such Member; or
5. any past, present or future natural person intern or volunteer worker of a Member and who is registered or recorded as an intern or volunteer worker with such Member, but only with respect to an Incident within the scope of such natural person’s duties performed on behalf of such Member.

Insured’s Computer System means a Computer System leased, owned or operated by an Insured or operated solely for the benefit of an Insured by a third party under written contract with an Insured.

Insurer means the insurance company providing this insurance.

Interrelated Incidents means all Incidents first discovered by a Control Group Member and Claims made against a Member that have as a common nexus any act, fact, circumstance, situation, event, transaction, cause or series of related acts, facts, circumstances, situations, events, transactions or causes.

Interruption in Service means a detectable interruption or degradation in service of:
1. with respect to Insuring Agreement B1, an Insured’s Computer System; or
2. with respect to Insuring Agreement B2, a Shared Computer System;
caused by a Malicious Computer Act.
Malicious Computer Act means malicious or fraudulent:
1. unauthorized access to or use of a Computer System;
2. alteration, corruption, damage, manipulation, misappropriation, theft, deletion, or destruction of Digital Data;
3. creation, transmission, or introduction of a computer virus or harmful code into a Computer System; or
4. restriction or inhibition of access, including denial of service attacks, upon or directed against a Computer System.

Media Content means any data, text, sounds, images, graphics, music, photographs, or advertisements, and shall include video, streaming content, webcasts, podcasts, blogs, online forums, and chat rooms. Media Content shall not include computer software, software technology, or the actual goods, products or services described, illustrated or displayed in such Media Content.

Media Incident means any error, misstatement, misleading statement, act, omission, neglect or breach of duty actually or allegedly committed or attempted by any Insured, or by any person or entity for whom an Insured is legally responsible, in the public display of:
1. Media Content on an Insured’s website or printed material; or
2. Media Content posted by or on behalf of an Insured on any social media site or anywhere on the Internet,
which results in the following:
   a. copyright infringement, passing-off, plagiarism, piracy, or misappropriation of property rights;
   b. infringement or dilution of title, logo, slogan, domain name, metatag, trademark, trade name, service mark, or service name;
   c. defamation, libel, slander, or any other form of defamation or harm to the character, reputation or feelings of any person or entity, including product disparagement, trade libel, outrage, infliction of emotional distress, or prima facie tort;
   d. invasion or infringement of the right of privacy or publicity, including the torts of intrusion upon seclusion, publication of private facts, false light, or misappropriation of name or likeness;
   e. false arrest, detention or imprisonment, harassment, trespass, wrongful entry or eviction, eavesdropping, or other invasion of the right of private occupancy;
   f. improper deep linking or framing; or
   g. unfair competition or unfair trade practices, including misrepresentations in advertising, solely when alleged in conjunction with the alleged conduct referenced in items a–f immediately above.

Member means the organization specified in the Member Endorsement and any Subsidiaries thereof.

Named Insured means the entity shown in Item 1 of the Declarations.

Network Extortion Threat means any credible threat or series of related threats directed at an Insured to:
1. release, divulge, disseminate, destroy or use Protected Information, or confidential corporate information of an Insured, as a result of the unauthorized access to or unauthorized use of an Insured’s Computer System or Shared Computer System;
2. cause a Network Security Failure;
3. alter, corrupt, damage, manipulate, misappropriate, encrypt, delete or destroy Digital Data; or
4. restrict or inhibit access to an Insured’s Computer System or Shared Computer System;
where a demand is made for the Insured to make a payment or a series of payments, or otherwise meet a demand, in exchange for the mitigation or removal of such threat or series of related threats. Furthermore, Network Extortion Threat includes a threat or series of related threats connected to any of the acts above that have already commenced.

Network Security means those activities performed by an Insured, or by others on behalf of an Insured, to protect an Insured’s Computer System or Shared Computer System.

Network Security Failure means a failure in Network Security, including the failure to prevent a Malicious Computer Act.

Non-Panel Response Provider means any firm providing the services shown in the definition of Cyber Incident Response Expenses to an Insured that is not a Pre-Approved Response Provider.
Payment Card means an authorized account, or evidence of an account, for a credit card, debit card, charge card, fleet card or stored value card between the Payment Card Brand and its customer.

Payment Card Brand means any payment provider whose payment method is accepted for processing, including Visa Inc. International, MasterCard Worldwide, Discover Financial Services, American Express Company, and JCB International.

Payment Card Industry Data Security Standards means the rules, regulations, standards or guidelines adopted or required by the Payment Card Brand or the Payment Card Industry Data Security Standards Council relating to data security and the safeguarding, disclosure and handling of Protected Information.

Payment Card Loss means monetary assessments, fines, penalties, chargebacks, reimbursements, and fraud recoveries, including card reissuance costs, which an Insured becomes legally obligated to pay as a result of an Insured’s actual or alleged failure:
1. of Network Security; or
2. to properly protect, handle, manage, store, destroy, or otherwise control Payment Card data, including Protected Information,
where such amount is determined pursuant to a payment card processing agreement between an Organization and a Payment Card Brand, or a merchant agreement between an Organization and a payment services provider, including for mobile payment services, or demanded in writing from an issuing or acquiring bank that processes Payment Card transactions, due to an Insured's actual or alleged non-compliance with applicable Payment Card Industry Data Security Standards, EMV specifications, or mobile payment security requirements.
Payment Card Loss shall not include:
   a. subsequent fines or assessments for non-compliance with the Payment Card Industry Data Security Standards, EMV Specifications, or a mobile payment services merchant agreement unrelated to a specific Claim; or
   b. costs or expenses incurred to update or improve privacy or network security controls, policies or procedures to a level beyond that which existed prior to the applicable Cyber Incident or to be compliant with applicable Payment Card Industry Data Security Standards, EMV Specifications, or a mobile payment services merchant agreement.

Period of Restoration means the continuous period of time that:
1. begins with the earliest date of an Interruption in Service; and
2. ends on the date when an Insured’s Computer System or Shared Computer System is or could have been repaired or restored with reasonable speed to the same functionality and level of service that existed prior to the Interruption in Service.
In no event shall the Period of Restoration exceed sixty (60) days.

Policy means, collectively, the Declarations, Application, this policy form and any endorsements attached hereto.

Policy Period means the period of time shown in Item 2 of the Declarations, unless changed pursuant to Section XV, Termination of this Policy.

Pollutants means any solid, liquid, gaseous or thermal irritant or contaminant, including smoke, vapor, soot, fumes, acids, alkalis, chemicals, asbestos, asbestos products or waste. Waste includes materials to be recycled, reconditioned or reclaimed.

Pre-Approved Response Provider means any firm listed on the Insurer’s pre-approved response provider list available on request from the Insurer or on the pre-approved response provider list specified on the website shown in Item 9A of the Declarations.

Privacy or Cyber Laws means any local, state, federal, and foreign identity theft and privacy protection laws, legislation, statutes, or regulations that require commercial entities that collect Protected Information to post privacy policies, adopt specific privacy or security controls, or notify individuals in the event that Protected Information has potentially been compromised.
Property Damage means physical injury to, or destruction of, tangible property, including the resulting loss of use thereof.

Protected Information means the following, in any format:
1. a natural person’s name, e-mail address, social security number, medical or healthcare data, other protected health information, driver’s license number, state identification number, credit card number, debit card number, address, telephone number, account number, account histories, personally identifiable photos, personally identifiable videos, Internet browsing history, biometric records, passwords or other non-public personal information as defined in any Privacy or Cyber Laws; or
2. any other third party confidential or proprietary information:
a. that is not available to or known by the general public; or
b. which a Member is legally responsible to maintain in confidence.

Regulatory Fines means any civil monetary fine or penalty imposed by a federal, state, local or foreign governmental entity in such entity’s regulatory or official capacity as a result of a Regulatory Proceeding. Regulatory Fines shall not include any civil monetary fines or penalties that are not insurable by law, criminal fines, disgorgement, or the multiple portion of any multiplied damage award.

Regulatory Proceeding means a suit, civil investigation or civil proceeding by or on behalf of a government agency, government licensing entity, or regulatory authority, commenced by the service of a complaint, notice, or similar pleading based on an alleged or potential violation of Privacy or Cyber Laws as a result of a Cyber Incident, and which may reasonably be expected to give rise to a Claim under Insuring Agreement E.

Retroactive Date means:
(1) with respect to the Named Insured, the date shown in Item 5 of the Declarations; and
(2) with respect to each Member, the Member Retroactive Date shown in Item 5 of the Declarations.
If Item 5 of the Declarations is left blank or contains the phrases “Full Prior Acts”, “N/A”, “Not Applicable”, or “None”, then Retroactive Date means the beginning of time. If Item 5 of the Declarations is left blank, the Retroactive Date set forth in Item 5 of the Declarations shall apply.

Shared Computer System means a Computer System, other than an Insured’s Computer System, operated for the benefit of an Insured by a third party under written contract with an Insured, including data hosting, cloud services or computing, co-location, data back-up, data storage, data processing, platforms, software, and infrastructure-as-a-service.

Subsidiary means:
1. any entity while more than fifty percent (50%) of the outstanding securities representing the present right to vote for election of or to appoint directors, trustees, managers, members of the Board of Managers or equivalent positions of such entity are owned, or controlled, by a Member, directly or through one or more Subsidiaries;
2. any entity formed as a partnership while more than fifty percent (50%) of the ownership interests representing the present right to vote for election of or to appoint the management or executive committee members or equivalent positions of such entity are owned, or controlled, by a Member, directly or through one or more Subsidiaries; or
3. any entity while:
a. exactly fifty percent (50%) of the voting rights representing the present right to vote for election of or to appoint directors, trustees, managers, members of the Board of Managers or equivalent positions of such entity are owned, or controlled, by a Member, directly or through one or more Subsidiaries; and
b. a Member, pursuant to a written contract with the owners of the remaining and outstanding voting stock of such entity, solely controls the management and operation of such entity.
Telephone Fraud Financial Loss means toll and line charges which an Insured incurs, solely as a result of the fraudulent infiltration and manipulation of the Insured’s Telephone System from a remote location to gain access to outbound long distance telephone service.

Telephone System means PBX, CBX, Merlin, VoIP, remote access (including DISA), and all related peripheral equipment or similar systems owned or leased by an Insured for purposes of voice-based telecommunications.

Trade Secret means information, including a formula, pattern, compilation, program, device, method, technique or process, that derives actual or potential economic value from not being generally known to or readily ascertainable by other persons who can obtain value from its disclosure or use, so long as reasonable efforts have been made to maintain its secrecy.

Waiting Period means the number of hours shown in Item 4 of the Declarations.

III. EXCLUSIONS

A. EXCLUSIONS APPLICABLE TO ALL INSURING AGREEMENTS

The Insurer shall not be liable for Costs, Damages, or Claims Expenses on account of any Incident or any Claim:

1. Conduct
alleging, based upon, arising out of or attributable to:
a. any fraudulent, criminal, malicious or intentional act, error or omission, or any intentional or knowing violation of the law by an Insured; or
b. the gaining in fact of any profit, remuneration or financial advantage to which any Insured was not legally entitled.
However, this exclusion shall not apply to Claims Expenses or the Insurer’s duty to defend any such Claim, until there is a final, non-appealable adjudication against, binding arbitration against, adverse admission by, finding of fact against, or plea of nolo contendere or no contest by, the Insured as to such conduct or violation, at which time the Insured shall reimburse the Insurer for any Claims Expenses paid by the Insurer. Provided that:
i.
no conduct pertaining to any natural person Insured shall be imputed to any other natural person Insured; and
ii. any conduct pertaining to any past, present, or future Control Group Member, other than a Rogue Actor, shall be imputed to a Member.
For purposes of this exclusion, “Rogue Actor” means a Control Group Member acting outside his or her capacity as such.

2. Prior Knowledge
alleging, based upon, arising out of or attributable to any Incident that first occurred, arose or took place prior to the earlier of the effective date of this Policy, or the effective date of any Policy issued by the Insurer of which this Policy is a continuous renewal or a replacement, and any Control Group Member knew of such Incident; and, with respect to Insuring Agreements E and F, any Control Group Member reasonably could have foreseen that such Incident did or could lead to a Claim.

3. Pending or Prior Proceedings
alleging, based upon, arising out of, or attributable to:
a. any pending or prior litigation, Claim, written demand, arbitration, administrative or regulatory proceeding or administrative or regulatory investigation filed or commenced on or before the Pending or Prior Proceedings Date: (1) shown in Item 6 of the Declarations with respect to the Named Insured; (2) or shown in Item 6 of the Declarations, with respect to the applicable Member; or alleging or derived from the same or substantially the same fact, circumstance or situation underlying or alleged therein; or
b. any other Incident whenever occurring which, together with an Incident underlying or alleged in any pending or prior litigation, Claim, demand, arbitration, administrative or regulatory proceeding or administrative or regulatory investigation as set forth pursuant to paragraph a. immediately above, would constitute Interrelated Incidents.

4. Prior Notice
alleging, based upon, arising out of, or attributable to:
a.
any Incident, fact, circumstance or situation which has been the subject of any written notice given and accepted under any other policy of which this Policy is a direct or indirect renewal or replacement; or
b. any other Incident, whenever occurring, which, together with an Incident which has been the subject of such notice pursuant to paragraph a. immediately above, would constitute Interrelated Incidents.

5. Bodily Injury
for any Bodily Injury. However, solely with respect to Insuring Agreement E and Insuring Agreement F, this exclusion shall not apply to mental injury, mental anguish, mental tension, emotional distress, pain and suffering, or shock resulting from an Incident.

6. Property Damage
alleging, based upon, arising out of, or attributable to Property Damage.

7. Pollution
alleging, based upon, arising out of or attributable to the actual, alleged or threatened discharge, release, escape, seepage, migration, or disposal of Pollutants, or any direction or request that any Insured test for, monitor, clean up, remove, contain, treat, detoxify or neutralize Pollutants, or any voluntary decision to do so.

8. Infrastructure Outage
alleging, based upon, arising out of or attributable to any electrical or mechanical failure or interruption, electrical disturbance, surge, spike, brownout, blackout, or outages to electricity, gas, water, Internet access service provided by the Internet service provider that hosts an Insured’s website, telecommunications or other infrastructure. However, this exclusion shall not apply to failures, interruptions, disturbances or outages of telephone, cable or telecommunications systems, networks or infrastructure:
a. under an Insured’s operational control which are a result of a Network Security Failure;
b. solely with respect to Insuring Agreement B, which are the result of a Cyber Incident impacting a Shared Computer System; or
c.
solely with respect to Insuring Agreement E, which are the result of a Cyber Incident.

9. War
alleging, based upon, arising out of or attributable to war, invasion, acts of foreign enemies, terrorism, hijacking, hostilities or warlike operations (whether war is declared or not), military or usurped power, civil commotion assuming the proportions of or amounting to an uprising, strike, lock-out, riot, civil war, rebellion, revolution, or insurrection. However, this exclusion shall not apply to an Act of Cyber-Terrorism that results in a Cyber Incident.

10. Nuclear
alleging, based upon, arising out of or attributable to the planning, construction, maintenance, operation or use of any nuclear reactor, nuclear waste, storage or disposal site, or any other nuclear facility, the transportation of nuclear material, or any nuclear reaction or radiation, or radioactive contamination, regardless of its cause.

11. Contract
for breach of any express, implied, actual or constructive contract, warranty, guarantee, or promise, including any actual or alleged liability assumed by an Insured, unless such liability would have attached to the Insured even in the absence of such contract, warranty, guarantee, or promise. However, this exclusion shall not apply to:
a. an Insured’s contractual obligation to maintain the confidentiality or security of Protected Information;
b. an unintentional violation by an Insured to comply with an Organization’s Privacy Policy;
c. solely with respect to Insuring Agreement E, Payment Card Loss; or
d. solely with respect to Insuring Agreement F, misappropriation of idea under implied contract.

12. Fees or Chargebacks
alleging, based upon, arising out of or attributable to:
a. any fees, expenses, or costs paid to or charged by an Insured; or
b. chargebacks, chargeback fees, interchange fees or rates, transfer fees, transaction fees, discount fees, merchant service fees, or prospective service fees.
However, solely with respect to Insuring Agreement E, this exclusion shall not apply to Payment Card Loss.

13. Intellectual Property
alleging, based upon, arising out of or attributable to any infringement of, violation of, misappropriation of, or assertion of any right to or interest in a patent or Trade Secret by any Insured. However, this exclusion shall not apply to:
a. solely with respect to Insuring Agreements A-D, the actual or alleged theft of a third party’s Trade Secret resulting from a Cyber Incident; provided, however, this exclusion shall still nevertheless apply to any Costs, Damages or Claims Expenses on account of any Cyber Incident or Claim for the economic or market value of Trade Secrets; or
b. solely with respect to Insuring Agreement E, any Claim arising out of the actual or alleged disclosure or theft of Protected Information resulting from a Network Security Failure.

14. Antitrust or Unfair Trade Practices
alleging, based upon, arising out of or attributable to any price fixing, restraint of trade, monopolization, interference with economic relations (including interference with contractual relations or with prospective advantage), unfair competition, unfair business or unfair trade practices, or any violation of the Federal Trade Commission Act, the Sherman Anti-Trust Act, the Clayton Act, or any other federal statutory provision involving anti-trust, monopoly, price fixing, price discrimination, predatory pricing, restraint of trade, unfair competition, unfair business or unfair trade practices, and any amendments thereto or any rules or regulations promulgated thereunder, amendments thereof, or any similar federal, state, or common law.
However, this exclusion shall not apply to:
a. solely with respect to Insuring Agreement E, a Claim resulting directly from a violation of Privacy or Cyber Laws; or
b. solely with respect to Insuring Agreement F, a Claim for a Media Incident as defined in paragraph g of such definition.

15. Consumer Protection Laws
alleging, based upon, arising out of or attributable to any violation by an Insured of the Truth in Lending Act, Fair Debt Collection Practices Act, or the Fair Credit Reporting Act or any amendments thereto or any rules or regulations promulgated thereunder, including the Fair and Accurate Credit Transactions Act, and any amendments thereto or any rules or regulations promulgated thereunder, amendments thereof, or any similar federal, state or common law. However, solely with respect to Insuring Agreement E, this exclusion shall not apply to a Claim arising out of the actual or alleged disclosure or theft of Protected Information resulting from a Cyber Incident.

16. Securities Law Violation
alleging, based upon, arising out of or attributable to an Insured’s violation of the Securities Act of 1933, the Securities Exchange Act of 1934, the Investment Company Act of 1940, the Investment Advisors Act, or any other federal, state or local securities law, and any amendments thereto or any rules or regulations promulgated thereunder, amendments thereof, or any similar federal, state or common law.

17. Discrimination or Employment Practices
alleging, based upon, arising out of or attributable to any illegal discrimination of any kind, or any employment relationship, or the nature, terms or conditions of employment, including claims for workplace torts, wrongful termination, dismissal or discharge, or any discrimination, harassment, breach of employment contract or defamation.
However, solely with respect to Insuring Agreement E, this exclusion shall not apply to that part of any Claim alleging employee-related invasion of privacy or employee-related wrongful infliction of emotional distress in the event such Claim arises out of the actual or alleged disclosure or theft of Protected Information resulting from a Cyber Incident.

18. Unsolicited Communications
alleging, based upon, arising out of or attributable to any unsolicited electronic dissemination of faxes, e-mails or other communications by or on behalf of an Insured, including actions brought under the Telephone Consumer Protection Act, any federal or state anti-spam statutes, or any other federal or state statute, law, rule, regulation or common law relating to a person’s or entity’s right of seclusion. However, solely with respect to Insuring Agreement E, this exclusion shall not apply to a Claim resulting from a Cyber Incident as defined under subparagraphs 1(a) or 1(c) of such definition.

19. Unlawful Use or Collection of Protected Information
alleging, based upon, arising out of or attributable to:
a. the unlawful collection or unlawful intentional use of Protected Information; or
b. the failure to provide adequate notice that Protected Information is being collected or used,
by an Insured, with knowledge of any Control Group Member at the time of the Incident.

B.
EXCLUSIONS APPLICABLE TO SPECIFIC INSURING AGREEMENTS

In addition to the Exclusions in Section IIIA above, the Insurer shall not be liable for Costs, Damages, or Claims Expenses on account of any Incident or any Claim:

1. Force Majeure
solely with respect to Insuring Agreements B and C, alleging, based upon, arising out of or attributable to fire, smoke, explosion, lightning, wind, flood, earthquake, volcanic eruption, tidal wave, landslide, hail, act of God (which does not include acts by actors purporting to be God), nature or any other physical event, however caused and whether contributed to, made worse by, or in any way results from any such events. This exclusion applies regardless of any other contributing or aggravating cause or event that contributes concurrently with or in any sequence to the Costs, Damages, or Claims Expenses on account of any Incident or any Claim.

2. Governmental Authority
solely with respect to Insuring Agreements C and D, alleging, based upon, arising out of, or attributable to any action of a public or governmental authority, including the seizure, confiscation or destruction of an Insured’s Computer System, a Shared Computer System or an Insured’s Digital Data.

3. Insured v. Insured
solely with respect to Insuring Agreements E and F, brought or maintained by, on behalf of, or in the right of any Insured. Provided, however, solely with respect to Insuring Agreement E, this exclusion shall not apply to that part of any Claim alleging employee-related invasion of privacy or employee-related wrongful infliction of emotional distress in the event such Claim arises out of the loss of Protected Information resulting from a Cyber Incident.
4. Licensing Entities
solely with respect to Insuring Agreement F, alleging, based upon, arising out of or attributable to any action brought by or on behalf of the Federal Trade Commission, the Federal Communications Commission, or any other federal, state, or local government agency or ASCAP, SESAC, BMI or other licensing or rights entities in such entity’s regulatory, quasi-regulatory, or official capacity, function or duty.

5. False Advertising or Misrepresentation
solely with respect to Insuring Agreement F, alleging, based upon, arising out of or attributable to any inaccurate, inadequate, or incomplete description of the price of goods, products or services, disclosure of fees, representations with respect to authenticity of any product, or the failure of any goods, product or services to conform with advertised quality or performance.

6. Contest or Game of Chance
solely with respect to Insuring Agreement F, alleging, based upon, arising out of or attributable to any gambling, contest, game of chance or skill, lottery, or promotional game, including tickets or coupons or over-redemption related thereto.

IV. SPOUSES, COMMON LAW PARTNERS, ESTATES AND LEGAL REPRESENTATIVES

Coverage under this Policy shall extend to any Claim for any Incident made against:
A. the lawful spouse or domestic partner of a natural person Insured solely by reason of such spouse’s or domestic partner’s status as a spouse or domestic partner, or such spouse’s or domestic partner’s ownership interest in property which the claimant seeks as recovery in such Claim; or
B.
the estate, heirs, legal representatives or assigns of a natural person Insured if such natural person Insured is deceased, or the legal representatives or assigns of a natural person Insured if such natural person Insured is legally incompetent, insolvent or bankrupt,
provided that:
1. no coverage is provided for any act, error, or omission of an estate, heir, legal representative, assign, spouse or domestic partner; and
2. all of the terms and conditions of this Policy including, without limitation, all applicable Retentions shown in Item 4 of the Declarations apply to such Claim.

V. EXTENDED REPORTING PERIOD

A. Solely with respect to Insuring Agreements A, E, and F, if the Insurer terminates or does not renew this Policy (other than for failure to pay a premium when due), or if the Named Insured terminates or does not renew this Policy and does not obtain replacement coverage as of the effective date of such termination or nonrenewal, the Named Insured shall have the right, upon payment of the additional premium shown in Item 7A of the Declarations and subject to the terms specified in Subsections B-E directly below, to a continuation of the coverage granted by this Policy for an Extended Reporting Period shown in Item 7B of the Declarations following the effective date of such termination or non-renewal.

B. Coverage for the Extended Reporting Period shall be only for Claims first made or Incidents first discovered during such Extended Reporting Period and arising from Incidents taking place prior to the effective date of such termination or non-renewal. This right to continue coverage shall lapse unless written notice of such election is given by the Named Insured and on behalf of all Insureds to the Insurer, and the Insurer receives payment of the additional premium shown in Item 7A of the Declarations, within thirty (30) days following the effective date of termination or non-renewal.

C.
The Extended Reporting Period is non-cancelable and the entire premium for the Extended Reporting Period shall be deemed fully earned and non-refundable upon payment.

D. The Extended Reporting Period shall not increase or reinstate any Limits of Insurance. The Limits of Insurance as shown in Item 3 and Item 4 of the Declarations shall apply to both the Policy Period and the Extended Reporting Period, combined.

E. A change in Policy terms, conditions, exclusions or premiums shall not be considered a non-renewal for purposes of triggering the rights to the Extended Reporting Period.

VI. LIMITS OF INSURANCE

Regardless of the number of Insuring Agreements purchased under this Policy, or the number of Incidents, Insureds against whom Claims are brought, Claims made or persons or entities making Claims:

A. MAXIMUM POOL POLICY AGGREGATE LIMIT OF INSURANCE
The Insurer’s maximum limit of insurance under all Insuring Agreements resulting from all Claims first made and Incidents first discovered during the Policy Period, regardless of the number of Members involved in any such Incidents or Claims, is shown in Item 3B of the Declarations Pool Maximum Policy Aggregate Limit of Insurance.

B. AGGREGATE POOL LIMIT FOR ALL INCIDENTS OR CLAIMS UNDER ANY ONE INSURING AGREEMENT
The Insurer’s maximum limit of insurance for all Incidents or Claims, regardless of the number of Members involved in any such Incidents or Claims, under any one Insuring Agreement shall be the applicable Pool Aggregate Limit for all Incidents or Claims shown in Item 4 of the Declarations, which shall be part of, and not in addition to, the Pool Maximum Policy Aggregate Limit of Insurance shown in Item 3B of the Declarations.

C.
MAXIMUM POOL LIMIT OF INSURANCE FOR EACH INCIDENT OR CLAIM UNDER ANY ONE INSURING AGREEMENT
The Insurer’s maximum limit of insurance for each Incident or Claim, under any one Insuring Agreement shall be the applicable Pool Each Incident or Claim Limit shown in Item 4 of the Declarations, which shall be part of, and not in addition to, the applicable Pool Aggregate Limit for all Incidents or Claims shown in Item 4 of the Declarations, and the Pool Maximum Policy Aggregate Limit of Insurance shown in Item 3B of the Declarations.

D. MAXIMUM LIMIT OF INSURANCE FOR ALL INTERRELATED INCIDENTS AND CLAIMS
All Claims arising out of the same Incident and all Interrelated Incidents shall be deemed to be one Claim, and such Claim shall be deemed to be first made on the date the earliest of such Claims is first made, regardless of whether such date is before or during the Policy Period.

All Interrelated Incidents shall be deemed to be one Incident, and such Incident shall be deemed to be first discovered, on the date the earliest of such Incidents is first discovered, regardless of whether such date is before or during the Policy Period.

The maximum limit of insurance for all Interrelated Incidents and Claims arising out of such Interrelated Incidents shall be the Maximum Single Incident or Claim Limit of Insurance shown in Item 3A of the Declarations, regardless of whether Costs, Damages or Claims Expenses from a single Incident or Claim are covered under more than one Insuring Agreement, and regardless of the number of Members involved in any such Incident or Claim.
Notwithstanding anything in this paragraph to the contrary, in no event shall the Insurer pay more than the applicable:
1. Pool Maximum Policy Aggregate Limit of Insurance shown in Item 3B of the Declarations,
2. Pool Aggregate Limit for all Incidents or Claims under any one Insuring Agreement shown in Item 4 of the Declarations,
3. Pool Each Incident or Claim Limit under any one Insuring Agreement shown in Item 4 of the Declarations,
4. Member Maximum Policy Aggregate Limit of Insurance shown in Item 3C of the Declarations, as to the applicable Member only;
5. Member Aggregate Limit for all Incidents or Claims under any one Insuring Agreement shown in Item 4 of the Declarations, as to the applicable Member only;
6. Member Each Incident or Claim Limit under any one Insuring Agreement shown in Item 4 of the Declarations, as to the applicable Member only.

E. Costs, Damages and Claims Expenses shall be part of and not in addition to the applicable Limit of Insurance shown in the Declarations, and shall reduce such applicable Limit of Insurance. If the applicable Limit of Insurance is exhausted by payment of Costs, Damages and Claims Expenses, the obligations of the Insurer under this Policy shall be completely fulfilled and extinguished.

F. Any sub-limits shown in the Declarations of this Policy or added by endorsement to this Policy shall be part of and not in addition to the applicable Limit of Insurance shown in the Declarations, and shall reduce such applicable Limit of Insurance.

G.
MAXIMUM MEMBER AGGREGATE LIMIT OF INSURANCE
The Member Maximum Single Limit of Insurance under all Insuring Agreements shall be the amount set forth in Item 3D of the Declarations and shall be the Insurer’s maximum limit of insurance under all Insuring Agreements resulting from all Claims first made and Incidents first discovered during the Policy Period, with respect to the applicable Member and any Insureds of such Member as defined in paragraph 3, 4 and 5 of the definition of Insured, and shall be part of and not in addition to the applicable amount shown in Item 4 of the Declarations, which amount is further part of and not in addition to the amount shown in Item 3B of the Declarations, Pool Maximum Policy Aggregate Limit of Insurance.

H. AGGREGATE MEMBER LIMIT FOR ALL INCIDENTS OR CLAIMS UNDER ANY ONE INSURING AGREEMENT
The Insurer’s maximum limit of insurance for all Incidents or Claims, with respect to the applicable Member, and any Insureds of such Member as defined in paragraph 3, 4 and 5 of the definition of Insured, under any one Insuring Agreement shall be the applicable Member Aggregate Limit for all Incidents or Claims shown in Item 4 of Declarations, which shall be part of, and not in addition to:
1. the Member Maximum Policy Aggregate Limit of Insurance set forth in Item 3C of the Declarations; and
2. the applicable Pool Aggregate Limit for All Incidents or Claims set forth in Item 4 of the Declarations, which amount is further part of and not in addition to the amount shown in Item 3B of the Declarations, Pool Maximum Policy Aggregate Limit of Insurance.

I.
MAXIMUM MEMBER LIMIT OF INSURANCE FOR EACH INCIDENT OR CLAIM UNDER ANY ONE INSURING AGREEMENT
The Insurer’s maximum limit of insurance for each Incident or Claim, with respect to the applicable Member, and any Insureds of such Member as defined in paragraph 3, 4 and 5 of the definition of Insured, under any one Insuring Agreement shall be the applicable Member Each Incident or Claim Limit shown in Item 4 of the Declarations, which shall be part of, and not in addition to:
1. The applicable Member Aggregate Limit for All Incidents or Claims shown in Item 4 of the Declarations, which amount is further part of and not in addition to the Member Maximum Policy Aggregate Limit of Insurance set forth in Item 3C of the Declarations; and
2. the applicable Pool Aggregate Limit for all Incidents or Claims shown in Item 4 of the Declarations, which amount is further part of and not in addition to the amount shown in Item 3B of the Declarations, the Pool Maximum Policy Aggregate Limit of Insurance.

VII. RETENTION

A. The liability of the Insurer shall apply only to that part of Costs, Damages, and Claims Expenses which is in excess of the applicable Retention amounts shown in Item 4 of the Declarations. Such Retentions shall be borne uninsured by each Member and at the risk of all Insureds.

B. With respect to Insuring Agreement B, the Insurer will pay:
1. the actual Business Interruption Loss and Contingent Business Interruption Loss incurred by an Insured:
a. once the applicable Waiting Period shown in Item 4B of the Declarations has expired; and
b. which is in excess of the applicable Retention amount shown in Item 4B of the Declarations; and
2. Extra Expenses incurred by an Insured:
a. as of the start of the Interruption In Service; and
b. which are in excess of the applicable Retention amount shown in Item 4B of the Declarations.
The Waiting Period and Retention amounts shall be computed as of the start of the Interruption in Service.
Any Business Interruption Loss, Contingent Business Interruption Loss, or Extra Expenses incurred by an Insured during the Waiting Period shall reduce and may exhaust any applicable Retention.

D. If a single Incident or Claim, or Interrelated Incidents are subject to different Retentions, the applicable Retention shall be applied separately to each part of the Costs, Damages, and Claim Expenses, but the sum of such retentions, as to each Member, shall not exceed the largest applicable Retention; provided however that each Member shall be responsible for its own Retention applicable to the Incident or Claim.

VIII. NOTICE

A. Urgent crisis management assistance by the Cyber Incident Response Coach is available at the hotline number shown in the Declarations. Use of the services of the Cyber Incident Response Coach for a consultation DOES NOT constitute notice under this Policy of a Cyber Incident or Claim. In order to provide notice under this Policy, such notice must be given in accordance with and is subject to Subsections B-D of this Section VIII.

B. An Insured shall, as a condition precedent to such Insured’s rights under this Policy, give to the Insurer written notice of any Incident or Claim as soon as practicable after any Control Group Member discovers such Incident or becomes aware of such Claim, but in no event later than:
1. if this Policy expires (or is otherwise terminated) without being renewed with the Insurer, ninety (90) days after the effective date of such expiration or termination; or
2. the expiration of the Extended Reporting Period, if applicable,
provided that if the Insurer sends written notice to the Named Insured, stating that this Policy is being terminated for nonpayment of premium, an Insured shall give to the Insurer written notice of such Claim prior to the effective date of such termination.
If the Insured is unable to provide notification required under this Policy due to a prohibition by any law enforcement or governmental authority, the Insured will use its best efforts to provide the Insurer with information to make the Insurer aware of a potential or actual Incident or Claim until written notice can actually be provided. Notwithstanding the foregoing, there shall be no coverage for any such Incident or Claim if the information withheld relating to such Incident or Claim was: a. both (i) known to the Insured prior to the Policy Inception Date set forth in Item 2 of the Declarations, and if Item 2 of the Declarations is left blank, Item 2 of the Declarations; and (ii) not disclosed in the Application; or b. not disclosed in writing to the Insurer within a reasonable time period after the prohibition on disclosing the information was revoked or no longer necessary. C. If, during the Policy Period, any Control Group Member first becomes aware of any specific Incident which may reasonably give rise to a future Claim under this Policy, and written notice is given to the Insurer during the Policy Period, of the: 1. nature of the Incident; 2. identity of the Insureds allegedly involved; 3. circumstances by which the Insureds first became aware of the Incident; 4. identity of the actual or potential claimants; 5. foreseeable consequences of the Incident; and 6. nature of the potential Damages; then any Claim which arises out of such Incident shall be deemed to have been first made at the time such written notice was received by the Insurer. The Insurer will not pay for Damages or Claims Expenses incurred prior to the time such Incident results in a Claim. D. All notices under any provision of this Policy shall be given as follows: 1. Notice to the Insureds may be given to the Named Insured at the address shown in Item 1 of the Declarations. 2.
Notice to the Insurer of any Incident or Claim shall be given to the Insurer at the physical address or email address shown in Item 9A of the Declarations. 3. All other notices to the Insurer under this Policy shall be given to the Insurer at the physical address shown in Item 9B of the Declarations. Notice given as set out above shall be deemed to be received and effective upon actual receipt thereof by the addressee, or one day following the date such notice is sent, whichever is earlier. When any such notices are sent to a physical address, such notices shall be sent by prepaid express courier or certified mail properly addressed to the appropriate party. IX. DEFENSE AND SETTLEMENT A. Except as provided in Subsection B of this Section IX, the Insurer shall have the right and duty to defend any Claim brought against an Insured even if such Claim is groundless, false or fraudulent. The Insurer shall consult and endeavor to reach an agreement with the Insured regarding the appointment of counsel, but shall retain the right to appoint counsel and to make such investigation and defense of a Claim as it deems necessary. B. The Insurer shall have the right, but not the duty, to defend any Regulatory Proceeding. For such Claims, the Insured shall select defense counsel from the Insurer’s list of approved law firms, and the Insurer reserves the right to associate in the defense of such Claims. C. No Insured shall settle any Claim, incur any Claims Expenses, or otherwise assume any contractual obligation or admit any liability with respect to any Claim without the Insurer’s written consent, which shall not be unreasonably withheld. D. The Insurer shall not settle any Claim without the written consent of the Named Insured. If the Named Insured refuses to consent to a settlement recommended by the Insurer and acceptable to the claimant, then the Insurer’s applicable Limit of Insurance under this Policy with respect to such Claim shall be reduced to: 1. 
the amount of Damages for which the Claim could have been settled plus all Claims Expenses incurred up to the time the Insurer made its recommendation to the Named Insured; plus 2. eighty percent (80%) of all subsequent covered Damages and Claims Expenses in excess of such amount referenced in paragraph (1) immediately above, which amount shall not exceed that portion of any applicable Limit of Insurance that remains unexhausted by payment of Costs, Damages, and Claims Expenses. The remaining twenty percent (20%) of all subsequent covered Damages and Claims Expenses shall be borne by the Insureds uninsured and at their own risk. However, this provision does not apply to any potential settlement that is within the Retention. E. The Insurer shall not be obligated to investigate, defend, pay or settle, or continue to investigate, defend, pay or settle any Claim after any applicable Limit of Insurance has been exhausted by payment of Costs, Damages, or Claims Expenses, or by any combination thereof, or after the Insurer has deposited the remainder of any unexhausted applicable Limit of Insurance into a court of competent jurisdiction. In either such case, the Insurer shall have the right to withdraw from the further investigation, defense, payment or settlement of such Claim by tendering control of such Claim to the Insured. F. The Insureds shall cooperate with the Insurer and provide to the Insurer all information and assistance which the Insurer reasonably requests including attending hearings, depositions and trials and assistance in effecting settlements, securing and giving evidence, obtaining the attendance of witnesses and conducting the defense of any Claim covered by this Policy. The Insured shall do nothing that may prejudice the Insurer’s position.
The Insureds shall immediately forward to the Insurer, at the address shown in Item 9A of the Declarations, every demand, notice, summons, or other process or pleading received by an Insured or its representatives. G. With the exception of paragraph 6 of the Cyber Incident Response Expenses definition, an Insured has the right to incur Cyber Incident Response Expenses without the Insurer’s prior consent. However, the Insurer shall, at its sole discretion and in good faith, pay only for such expenses that the Insurer deems to be reasonable and necessary. X. PROOF OF LOSS FOR FIRST PARTY INSURING AGREEMENTS A. Requests for payment or reimbursement of Costs incurred by an Insured shall be accompanied by a proof of loss with full particulars as to the computation of such Costs. Such proof of loss will include in detail how the Costs were calculated, and what assumptions have been made, and shall include documentary evidence, including any applicable reports, books of accounts, bills, invoices and other vouchers or proofs of payment made by an Insured in relation to such Costs. Furthermore, the Insureds shall cooperate with, and provide any additional information reasonably requested by, the Insurer in its review of Costs, including the right to investigate and audit the proof of loss and inspect the records of an Insured. B. With respect to Insuring Agreement B, the Business Interruption Loss or Contingent Business Interruption Loss will be determined taking full account and due consideration of an Insured’s proof of loss and in addition, the trends or circumstances which affect the profitability of the business and would have affected the profitability of the business had the Business Interruption Loss or Contingent Business Interruption Loss not occurred, including all material changes in market conditions or adjustment expenses which would affect the net profit generated. 
However, the Insurer’s adjustment will not include the Insured’s increase in income that would likely have been earned as a result of an increase in the volume of business due to favorable business conditions caused by the impact of a Malicious Computer Act on others. XI. ALLOCATION If a Claim includes both covered and uncovered matters, then coverage shall apply as follows: A. Claims Expenses: One hundred percent (100%) of Claims Expenses incurred by any Insured on account of such Claim shall be considered covered provided that the foregoing shall not apply with respect to: (i) a Regulatory Proceeding; or, (ii) any Insured for whom coverage is excluded pursuant to Exclusion III.A.1 or Section XIV, Subsection C. With respect to a Regulatory Proceeding, amounts for covered Claims Expenses and for uncovered fees, costs and expenses shall be allocated based upon the relative legal and financial exposures of, and the relative benefits obtained by, the parties to such matters. B. Loss other than Claims Expenses: all remaining loss incurred by such Insured from such Claim shall be allocated between covered Damages and uncovered damages based upon the relative legal and financial exposures of, and the relative benefits obtained by, the parties to such matters. XII. OTHER INSURANCE If any Costs, Damages or Claims Expenses covered under this Policy are covered under any other valid and collectible insurance, then this Policy shall cover such Costs, Damages or Claims Expenses, subject to the Policy terms and conditions, only to the extent that the amount of such Costs, Damages or Claims Expenses are in excess of the amount of such other insurance whether such other insurance is stated to be primary, contributory, excess, contingent or otherwise, unless such other insurance is written only as specific excess insurance over the Limits of Insurance provided by this Policy. XIII. MATERIAL CHANGES IN EXPOSURE A.
ACQUISITION OR CREATION OF ANOTHER ENTITY If, during the Policy Period, the Named Insured: 1. acquires voting securities in another entity or creates another entity, which as a result of such acquisition or creation becomes a Subsidiary; 2. acquires any entity by merger into or consolidation with the Named Insured; or 3. accepts any additional Members; the Named Insured, as a condition precedent to coverage with respect to such Insureds, shall, no later than 60 days after the effective date of such acquisition, creation or acceptance: a. give written notice of such acquisition, creation or acceptance to the Insurer; b. pay any additional premium required by the Insurer; and c. agree to any additional terms and conditions of this Policy as required by the Insurer. B. ACQUISITION OF THE NAMED INSURED If, during the Policy Period, any of the following events occurs: 1. the acquisition of the Named Insured, or of all or substantially all of its assets, by another entity, or the merger or consolidation of the Named Insured into or with another entity such that the Named Insured is not the surviving entity; or 2. the obtaining by any person, entity or affiliated group of persons or entities of the right to elect, appoint or designate at least fifty percent (50%) of the directors, trustees, managers, members of the Board of Managers, management or executive committee members or equivalent positions of the Named Insured; then coverage under this Policy will continue in full force and effect until termination of this Policy, but only with respect to Claims for Incidents, or Incidents, as applicable, taking place before such event. Coverage under this Policy will cease as of the effective date of such event with respect to Claims for Incidents, or Incidents, as applicable, taking place after such event. This Policy may not be cancelled after the effective time of the event, and the entire premium for this Policy shall be deemed earned as of such time. C. 
TERMINATION OF A SUBSIDIARY OR MEMBER If, before or during the Policy Period, an entity ceases to be a Subsidiary or a Member, coverage with respect to such Subsidiary or Member, and any Insured (as defined in paragraphs 3, 4 and 5 of such definition) of the Subsidiary or Member, shall continue until termination of this Policy. Such coverage continuation shall apply only with respect to Claims for Incidents, or Incidents, as applicable, taking place prior to the date such entity ceased to be a Subsidiary or a Member and the entire premium for this Policy shall be deemed earned as of such time. XIV. REPRESENTATIONS A. In granting coverage to any Insured, the Insurer has relied upon the declarations and statements in the Application for this Policy. Such declarations and statements are the basis of the coverage under this Policy and shall be considered as incorporated in and constituting part of this Policy. B. The Application for coverage shall be construed as a separate Application for coverage by each Insured. With respect to the declarations and statements in such Application, no knowledge possessed by a natural person Insured shall be imputed to any other natural person Insured. C.
However, in the event that such Application contains any misrepresentations made with the actual intent to deceive or contains misrepresentations which materially affect either the acceptance of the risk or the hazard assumed by the Insurer under this Policy, then no coverage shall be afforded for any Incident or Claim based upon, arising from or in consequence of any such misrepresentations with respect to: 1. any natural person Insured who knew of such misrepresentations (whether or not such natural person knew such Application contained such misrepresentations); or 2. a Member, if any past or present Control Group Member knew of such misrepresentations (whether or not such Control Group Member knew such Application contained such misrepresentations). D. The Insurer shall not be entitled under any circumstances to void or rescind this Policy with respect to any Insured. XV. TERMINATION OF THIS POLICY A. This Policy shall terminate at the earliest of the following times: 1. sixty (60) days after receipt by the Named Insured of a written notice of termination from the Insurer for any reason allowed by applicable insurance laws or regulations, other than failure to pay premium when due; 2. upon expiration of the Policy Period as shown in Item 2 of the Declarations; or 3. at such other time as may be agreed upon by the Insurer and the Named Insured. B. If the Policy is terminated by the Named Insured, the Insurer shall refund the unearned premium computed pro rata. Payment or tender of any unearned premium by the Insurer shall not be a condition precedent to the effectiveness of such termination, but such payment shall be made as soon as practicable. XVI. TERRITORY AND VALUATION A. Coverage provided under this Policy shall extend to Incidents and Claims taking place, brought or maintained anywhere in the universe.
Any provision in this Policy pertaining to coverage for Incidents or Claims made or Damages or Claims Expenses sustained anywhere outside the United States of America shall only apply where legally permissible. B. All premiums, limits, retentions, Costs, Damages, Claims Expenses and other amounts under this Policy are expressed and payable in the currency of the United States of America. If judgment is rendered, settlement is denominated or another element of loss under this Policy is stated in a currency other than United States of America dollars, or if Extortion Expenses are stated in a currency, including Bitcoin or other crypto-currency(ies), other than United States of America dollars, payment under this Policy shall be made in United States dollars at the applicable rate of exchange as published in The Wall Street Journal as of the date the final judgment is reached, the amount of the settlement is agreed upon or the other element of loss is due, respectively, or, if not published on such date, the next date of publication of The Wall Street Journal. If there is no applicable rate of exchange published in the Wall Street Journal, then payment under this Policy shall be made in the equivalent of United States of America dollars at the actual rate of exchange for such currency. XVII. CYBER INCIDENT RESPONSE FUND PROVISIONS A. With respect to the Cyber Incident Response Team or a Non-Panel Response Provider: 1. The Insureds are under no obligation to contract for services with the Cyber Incident Response Team. However, if an Insured elects to use any Non-Panel Response Providers for any Cyber Incident Response Expenses, the applicable Limits of Insurance shown in Item 4A2 of the Declarations will apply. 2. The Insurer shall not be a party to any agreement entered into between any Cyber Incident Response Team service provider and an Insured.
3. Cyber Incident Response Team service providers are independent contractors, and are not agents of the Insurer. The Insureds agree that the Insurer assumes no liability arising out of any services rendered by a Cyber Incident Response Team service provider. The Insurer shall not be entitled to any rights or subject to any obligations or liabilities set forth in any agreement entered into between any Cyber Incident Response Team service provider and an Insured. Any rights and obligations with respect to such agreement, including billings, fees and services rendered, are solely for the benefit of, and borne solely by such Cyber Incident Response Team service provider and such Insured, and not the Insurer. 4. The Insurer has no obligation to provide any of the services provided by the Cyber Incident Response Team. B. With respect to any other third party vendor, the Insurer may provide the Insured with a list of third-party privacy and network security loss mitigation vendors whom the Insured, at its own election and at the Insured’s own expense, may retain for cyber risk management to inspect, assess, and audit the Insured’s property, operations, systems, books, and records, including the Insured’s network security, employee cyber security awareness, incident response plans, services provider contracts, and regulatory compliance. Any loss mitigation inspection, assessment, or audit purchased by the Insured, and any report or recommendation resulting therefrom, shall not constitute an undertaking at the request of or for the benefit of the Insurer. XVIII. SUBROGATION A. The Insurer shall have no rights of subrogation against any Insured under this Policy unless Exclusion III.A.1 or Section XIV, Subsection C, applies. B. In the event of payment under this Policy, the Insureds must transfer to the Insurer any applicable rights to recover from another person or entity all or part of any such payment.
The Insureds shall execute all papers required and shall do everything necessary to secure and preserve such rights, including the execution of such documents necessary to enable the Insurer to effectively bring suit or otherwise pursue subrogation rights in the name of the Insureds. C. If prior to the Incident or Claim connected with such payment an Insured has agreed in writing to waive such Insured’s right of recovery or subrogation against any person or entity, such agreement shall not be considered a violation of such Insured’s duties under this Policy. XIX. ACTION AGAINST THE INSURER AND BANKRUPTCY Except as provided in Section XXII, Alternative Dispute Resolution, no action shall lie against the Insurer. No person or entity shall have any right under this Policy to join the Insurer as a party to any action against any Insured to determine the liability of such Insured nor shall the Insurer be impleaded by any Insured or its legal representatives. Bankruptcy or insolvency of any Insured or of the estate of any Insured shall not relieve the Insurer of its obligations nor deprive the Insurer of its rights or defenses under this Policy. XX. AUTHORIZATION CLAUSE By acceptance of this Policy, the Named Insured agrees to act on behalf of all Insureds with respect to the giving of notice of Incident or Claim, the giving or receiving of notice of termination or non-renewal, the payment of premiums, the receiving of any premiums that may become due under this Policy, the agreement to and acceptance of endorsements, consenting to any settlement, exercising the right to the Extended Reporting Period, and the giving or receiving of any other notice provided for in this Policy, and all Insureds agree that the Named Insured shall so act on their behalf. XXI. ALTERATION, ASSIGNMENT, AND HEADINGS A.
Notice to any agent or knowledge possessed by any agent or by any other person shall not affect a waiver or a change in any part of this Policy nor prevent the Insurer from asserting any right under the terms of this Policy. B. No change in, modification of, or assignment of interest under this Policy shall be effective except when made by a written endorsement to this Policy which is signed by an authorized representative of the Insurer. C. The titles and headings to the various parts, sections, subsections and endorsements of the Policy are included solely for ease of reference and do not in any way limit, expand, serve to interpret or otherwise affect the provisions of such parts, sections, subsections or endorsements. D. Any reference to the singular shall include the plural and vice versa. XXII. ALTERNATIVE DISPUTE RESOLUTION A. The Insureds and the Insurer shall submit any dispute or controversy arising out of or relating to this Policy or the breach, termination or invalidity thereof to the alternative dispute resolution (“ADR”) process set forth in this Section. B. Either an Insured or the Insurer may elect the type of ADR process discussed below. However, such Insured shall have the right to reject the choice by the Insurer of the type of ADR process at any time prior to its commencement, in which case the choice by such Insured of ADR process shall control. C. There shall be two choices of ADR process: 1. non-binding mediation administered by any mediation facility to which the Insurer and an Insured mutually agree, in which such Insured and the Insurer shall try in good faith to settle the dispute by mediation in accordance with the then-prevailing commercial mediation rules of the mediation facility; or 2. arbitration submitted to any arbitration facility to which an Insured and the Insurer mutually agree, in which the arbitration panel shall consist of three disinterested individuals.
In either mediation or arbitration, the mediator or arbitrators shall have knowledge of the legal, corporate management, or insurance issues relevant to the matters in dispute. In the event of arbitration, the decision of the arbitrators shall be final and binding and provided to both parties, and the award of the arbitrators shall not include attorneys’ fees or other costs. In the event of mediation, either party shall have the right to commence a judicial proceeding. However, no such judicial proceeding shall be commenced until at least sixty (60) days after the date the mediation shall be deemed concluded or terminated. In all events, each party shall share equally the expenses of the ADR process. D. Either ADR process may be commenced in New York or in the state shown in Item 1 of the Declarations as the principal address of the Named Insured. The Named Insured shall act on behalf of each and every Insured in connection with any ADR process under this Section. XXIII. COMPLIANCE WITH TRADE SANCTIONS This insurance does not apply to the extent that trade or economic sanctions or other similar laws or regulations prohibit the providing of such insurance.
Forms Schedule
Form Number | Form Edition | Form Title
PF-48152 | (09/16) | Forms Schedule
LD-5S23j | (02/18) | Signature Endorsement
PF-46422 | (07/15) | Trade or Economic Sanctions Endorsement
TRIA11d | (03/16) | Policyholder Disclosure Notice of Terrorism Insurance Coverage
MS-305005.2 | (07/20) | Member Endorsement
MS-305005.4 | (07/20) | Non-Malicious Computer Act – System Failure – Business Interruption and Contingent Business Interruption – Preventative Shutdown
MS-305005.3 | (07/20) | Hardware or Equipment Replacement / Betterment Endorsement
PF-49494 | (02/19) | Extended Period of Attrition Endorsement
PF-50959 | (02/19) | Failure to Supply Exclusion
MS-303005.5 | (07/20) | CCPA Sublimit Endorsement
ALL-20887a | (03/16) | Chubb Producer Compensation Practices & Policies
PF-48259 | (02/19) | Cyber Services for Incident Response – Notice to Policyholders
PF-17914a | (04/16) | U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) Advisory Notice to Policyholders
PF-48152 (09/16) © 2016 Page 1 of 1
SIGNATURES THE ONLY SIGNATURES APPLICABLE TO THIS POLICY ARE THOSE REPRESENTING THE COMPANY NAMED ON THE FIRST PAGE OF THE DECLARATIONS. By signing and delivering the policy to you, we state that it is a valid contract. ILLINOIS UNION INSURANCE COMPANY (A stock company) 525 W. Monroe Street, Suite 400, Chicago, Illinois 60661 WESTCHESTER SURPLUS LINES INSURANCE COMPANY (A stock company) Royal Centre Two, 11575 Great Oaks Way, Suite 200, Alpharetta, GA 30022 ____________________________________ Authorized Representative LD-5S23j (03/14)
PF-46422 (07/15) Page 1 of 1 TRADE OR ECONOMIC SANCTIONS ENDORSEMENT THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY. This insurance does not apply to the extent that trade or economic sanctions or similar laws or regulations prohibit us from providing insurance, including, but not limited to, the payment of claims. All other terms and conditions of policy remain unchanged.
TRIA11d (03/16) Includes copyrighted material of Insurance Services Office, Inc., with its permission. DISCLOSURE PURSUANT TO TERRORISM RISK INSURANCE ACT THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY. Disclosure Of Premium In accordance with the federal Terrorism Risk Insurance Act, we are required to provide you with a notice disclosing the portion of your premium, if any, attributable to coverage for terrorist acts certified under the Terrorism Risk Insurance Act. The portion of your premium attributable to such coverage is shown in this endorsement or in the policy Declarations. Disclosure Of Federal Participation In Payment Of Terrorism Losses The United States Government, Department of the Treasury, will pay a share of terrorism losses insured under the federal program. The federal share equals 85% for year 2015, 84% beginning on January 2016; 83% beginning on January 1, 2017, 82% beginning on January 1, 2018; 81% beginning on January 1, 2019 and 80% beginning on January 1, 2020 of that portion of the amount of such insured losses that exceeds the applicable insurer retention. However, if aggregate insured losses attributable to terrorist acts certified under the Terrorism Risk Insurance Act exceed $100 billion in a calendar year, the Treasury shall not make any payment for any portion of the amount of such losses that exceeds $100 billion. Cap On Insurer Participation In Payment Of Terrorism Losses If aggregate insured losses attributable to terrorist acts certified under the Terrorism Risk Insurance Act exceed $100 billion in a calendar year and we have met our insurer deductible under the Terrorism Risk Insurance Act, we shall not be liable for the payment of any portion of the amount of such losses that exceeds $100 billion, and in such case insured losses up to that amount are subject to pro rata allocation in accordance with procedures established by the Secretary of the Treasury.
COVERAGE OF “ACTS OF TERRORISM” AS DEFINED BY THE REAUTHORIZATION ACT WILL BE PROVIDED FOR THE PERIOD FROM THE EFFECTIVE DATE OF YOUR NEW OR RENEWAL POLICY THROUGH THE EARLIER OF THE POLICY EXPIRATION DATE OR DECEMBER 31, 2020. EFFECTIVE DECEMBER 31, 2020 THE TERRORISM RISK INSURANCE PROGRAM REAUTHORIZATION ACT EXPIRES. Terrorism Risk Insurance Act premium: $0 Member Endorsement THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY. This endorsement modifies insurance provided under the following: Chubb Cyber Enterprise Risk Management Pool Policy It is agreed that, effective as of the date of this endorsement, the Policy is amended as follows, Section II, Definitions, Member, is deleted in its entirety and replaced with the following: Member means the individual entities set forth in the Member Schedule below. Member Schedule: Member Agoura Hills AHCCC Alhambra Aliso Viejo Apple Valley Area E Disaster Management Arroyo Grande Artesia Atascadero Azusa Bell Gardens Bellflower Big Bear City Community Services District Big Bear Fire Authority Big Bear Lake Bishop Black Gold Cooperative Library System Bradbury Brawley Buellton Calabasas California JPIA Camarillo Carpinteria CASA Cerritos Chino Hills Claremont Commerce CVAG CVCC Dana Point Desert Rec Diamond Bar Duarte El Centro ESTA Fillmore Gateway Cities COG Goleta Grand Terrace Grover Beach Guadalupe Hawaiian Gardens Hemet Hidden Hills Imperial Indian Wells Indio Irwindale La Canada Flintridge La Habra Heights LA IMPACT La Mirada La Palma La Puente La Quinta La Verne LA-RICS Laguna Niguel Laguna Woods Lake Elsinore Lake Forest Lakewood Lawndale Lemon Grove Loma Linda Lomita Malibu Mammoth Lakes Midpeninsula ROSD Mission Viejo Monrovia Monterey Peninsula RPD Moorpark Morro Bay Mountain Area RTA Needles Norwalk Ojai Orange County Council of Governments Pacific Grove Palm Desert Palos Verdes Estates Palos Verdes PTA Paramount Paso Robles Pismo Beach Pomona Valley TA
Port Hueneme Poway Rancho Palos Verdes Rolling Hills Rolling Hills Estates Rosemead Rossmoor San Clemente San Dimas San Gabriel San Juan Capistrano San Luis Obispo San Marcos San Marino Santa Fe Springs Santa Paula SCAG SEAACA Seal Beach Seaside Seaside County Sanitation Sierra Madre Signal Hill Solvang South El Monte Stanton Temple City Ventura Port District Villa Park Vista Walnut West Covina West Hollywood West-Comm Westlake Village All other terms and conditions of this policy remain unchanged. MS-305005.2 (07/2020) Non-Malicious Computer Act – System Failure – Business Interruption and Contingent Business Interruption – Preventative Shutdown THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY. This endorsement modifies insurance provided under the following: Chubb Cyber Enterprise Risk Management Pool Policy It is agreed that the Policy is amended as follows: 1. Section II, Definitions, Interruption in Service, is amended by deleting it in its entirety and replacing it with the following: Interruption in Service means a detectable interruption or degradation in service of: 1. with respect to Insuring Agreement B1, an Insured’s Computer System; 2. with respect to Insuring Agreement B2, a Shared Computer System; caused by a Malicious Computer Act, Non-Malicious Computer Related Act, or Preventative Shutdown. 2. Section II, Definitions is amended by adding: • Non-Malicious Computer Related Act means: 1. Human Error; 2. Programming Error; or 3. Power failure, surge or diminution of an electrical system controlled by an Insured, and not arising from Property Damage • Human Error means an operating error or omission, including the choice of the program used, an error in setting parameters, or any inappropriate single intervention by an employee or a third party providing services to the Insured.
• Preventative Shutdown means an Insured’s reasonable and necessary intentional shut down of: 1. with respect to Insuring Agreement B1, an Insured’s Computer System, but only to the extent that such shut down: a. is in response to an actual or credible threat of a Malicious Computer Act expressly directed against such Insured’s Computer System which may reasonably be expected to cause an Interruption in Service in the absence of such shut down; and b. serves to mitigate, reduce, or avoid Business Interruption Loss as a result of the actual or credible threat of such Malicious Computer Act; or 2. with respect to Insuring Agreement B2, the Insured’s access or connectivity to a Shared Computer System, but only to the extent that such shut down: a. is in response to an actual Malicious Computer Act against such Shared Computer System which may reasonably be expected to cause an Interruption in Service in the absence of such shut down; and b. serves to mitigate, reduce, or avoid Contingent Business Interruption Loss as a result of such Malicious Computer Act. Notwithstanding anything to the contrary in the Policy, and solely with respect to an Interruption in Service caused by a Preventative Shutdown, the Period of Restoration shall not exceed the lesser of 14 days or the number of days otherwise set forth in paragraph 2 of the Period of Restoration definition. • Programming Error means error that occurs during the development or encoding of a program, application or operating system that would, once in operation, result in the malfunction of the computer system, an interruption of operations or an incorrect result.
Programming Error does not include integration, installation, upgrade, or patching of any software, hardware or firmware of the Insured’s Computer System unless the Insured can evidence that the Programming Error arises from a program that has been fully developed, successfully tested and proved successful in its operational environment for thirty (30) days.

All other terms, conditions and limitations of this Policy remain unchanged.

MS-305005.4 (07/2020) © 2016

Hardware Or Equipment Replacement/Betterment Endorsement

THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY.

This endorsement modifies insurance provided under the following: Chubb Cyber Enterprise Risk Management Pool Policy

It is agreed that the Policy is amended as follows:

1. Section II, Definitions, Digital Data Recovery Costs is deleted and replaced with the following:

Digital Data Recovery Costs means:
1. the reasonable and necessary costs incurred by an Insured to replace, restore, recreate, re-collect or recover Digital Data from written records or from partially or fully matching electronic records due to their corruption, theft, or destruction, caused by a Network Security Failure, including disaster recovery or computer forensic investigation efforts.
However, in the event that it is determined that the Digital Data cannot be replaced, restored, recreated, re-collected, or recovered, Digital Data Recovery Costs shall be limited to the reasonable and necessary costs incurred to reach such determination;
2. Telephone Fraud Financial Loss; or
3. the replacement or repair costs of physical hardware or equipment that are part of an Insured’s Computer System which have been damaged electronically but for which there is no Property Damage, and which have been determined by the Insurer, at its sole discretion, to:
i. be more practical and cost-effective to physically replace or repair such hardware or equipment than to repair or restore through the replacement, restoration, recreation, re-collection, or recovery of Digital Data formerly thereon; or
ii. be permanently vulnerable or unstable due to the corruption or destruction of firmware formerly thereon,
including reasonable and necessary expenses incurred to mitigate or reduce any costs or loss in paragraphs 1 through 3 immediately above.

However, Digital Data Recovery Costs shall not include:
a. costs or expenses incurred to update, replace, upgrade, recreate, or improve Digital Data or a Computer System to a level beyond that which existed prior to the applicable Cyber Incident, except to the extent that Betterment Costs are covered;
b. costs or expenses incurred to identify or remediate software program errors or vulnerabilities;
c. costs incurred to research and develop Digital Data, including Trade Secrets;
d. the economic or market value of Digital Data, including Trade Secrets; or
e. any other consequential loss or damages.
2. Section II, Definitions, is amended to include the following definition:

Betterment Costs means costs or expenses incurred to update, replace, upgrade, recreate, or improve Digital Data or a Computer System to a level beyond that which existed prior to the applicable Cyber Incident, but only if such costs or expenses are:
1. equal to or less than the costs or expenses to repair, replace, restore, recreate, re-collect, or recover such Digital Data or a Computer System; or
2. necessary because of a security vulnerability that cannot otherwise be corrected, fixed, or repaired, and if left unmitigated, could reasonably and foreseeably result in a similar Cyber Incident occurring again in the future.

Betterment Costs shall not include any costs or expenses described above which exceed the lesser of either:
a. $100,000; or
b. 100% of the total amount spent on Digital Data Recovery Costs.

3. Section VI, Limits of Insurance, is amended by adding the following:

• Betterment Costs shall be part of and not in addition to:
a. the Each Cyber Incident Limit; and
b. the Aggregate Limit for all Cyber Incidents,
set forth in Item 4.C. of the Declarations for this Policy. Betterment Costs shall also be part of and not in addition to the Maximum Policy Aggregate Limit of Insurance set forth in Item 3B of the Declarations and will in no way serve to increase the Insurer’s maximum liability under the Policy.

All other terms and conditions of this Policy remain unchanged.

MA-305005.3 (07/2020)

PF-49494 (02/19)

EXTENDED PERIOD OF ATTRITION ENDORSEMENT

THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY.
This endorsement modifies insurance provided under the following:
CHUBB CYBER ENTERPRISE RISK MANAGEMENT POLICY
CHUBB DIGITECH® ENTERPRISE RISK MANAGEMENT POLICY
CHUBB PROFESSIONAL ENTERPRISE RISK MANAGEMENT POLICY

It is agreed that the Policy is amended as follows:

1. Section I, Insuring Agreements, Insuring Agreement B, Business Interruption and Extra Expenses, is deleted and replaced with the following:

B. BUSINESS INTERRUPTION AND EXTRA EXPENSES

The Insurer will pay:
1. the Business Interruption Loss and Extra Expenses incurred by an Insured during the Period of Restoration resulting directly from a Cyber Incident which first occurs during the Policy Period, plus after the expiration of the Observation Period, any resulting Customer Attrition Expenses and Customer Attrition Loss incurred by the Insured during the Period of Attrition; and
2. the Contingent Business Interruption Loss and Extra Expenses incurred by an Insured during the Period of Restoration resulting directly from a Cyber Incident which first occurs during the Policy Period.

2. Section II, Definitions, is amended as follows:

A. The definition of Costs is amended by adding the following:
7. Customer Attrition Expenses; or
8. Customer Attrition Loss.

B. The following definitions are added:

Customer Attrition Loss means the difference between the amount of the Insured’s net profit actually earned before income taxes and the amount of the Insured’s net profit that would have been earned before income taxes had no Interruption in Service occurred, but only if such difference can be proven by a quantifiable reduction in seasonally-adjusted daily revenue amounts caused by damage to the Insured’s reputation as a direct result of the Interruption in Service, and provided that:
A. the Insured provides Evidence that the Customer Attrition Loss is a direct result of an Interruption in Service under Insuring Agreement B.1.; and B.
the calculation of Customer Attrition Loss will be reduced by any quantifiable increase in the Insured’s net profit actually earned before income taxes within the Observation Period which is in excess of the net profit that would have been earned before income taxes during the same time period had no Interruption in Service occurred.

Customer Attrition Loss shall not include:
1. loss arising out of the diminution in value of money, securities, property, or any other item of value;
2. loss arising out of any liability to any third party as a result of a Cyber Incident, including Damages;
3. loss arising out of unfavorable business conditions, loss of market value, or any other consequential loss;
4. Claims Expenses;
5. Cyber Incident Response Expenses;
6. Extra Expenses; or
7. wages, salaries, or other compensation of directors, officers, similar executives, or employees of any Insured.

Customer Attrition Expenses means costs incurred by an Insured, with the Insurer’s prior consent, to retain the services of a third party forensic accounting firm to determine the amount of Customer Attrition Loss.

Evidence means:
1. written, posted, or printed media material displayed, shared, or published in the public domain (either online or hardcopy) that details or discusses the Insured’s Cyber Incident; or
2. any other written material demonstrating a direct link between the Insured’s Cyber Incident and Customer Attrition Loss, such as communications from the Insured’s customers, but only if such other written material is deemed by an independent forensic adjustor to be legitimately created by a third party not related to the Insured.

Observation Period means the continuous period of time that begins on the date which immediately follows the last date of the Period of Attrition, and continues for the same amount of days that are stated in paragraph 2.b. of the Period of Attrition definition, regardless of when the Period of Attrition actually ends.
For purposes of calculating the continuous period of time, the date that immediately follows the Period of Attrition is considered day 1.

Period of Attrition means the continuous period of time that:
1. begins with the date which immediately follows the last date of the Period of Restoration; and
2. ends on the earliest date of either:
a. the earliest date that the Insured’s customer counts and seasonally-adjusted daily revenue amounts recover to the same level that would have existed had there been no Interruption in Service, so long as such recovery is subsequently sustained on an average daily basis over the course of at least ten business days. Such ten-day period shall not be considered part of the Period of Attrition; or
b. Sixty (60) days after the Period of Attrition has begun.

3. Section VI, Limits of Insurance, is amended by adding the following:

MAXIMUM LIMIT OF INSURANCE FOR CUSTOMER ATTRITION LOSS AND CUSTOMER ATTRITION EXPENSES RESULTING FROM AN INTERRUPTION IN SERVICE

A. Subject to Section VI, LIMITS OF INSURANCE, the Insurer’s maximum limit of insurance for all Customer Attrition Loss and Customer Attrition Expenses resulting directly from an Interruption in Service under Insuring Agreement B.1. shall be:

$1,000,000 (the “Interruption in Service Customer Attrition Sublimit”).

This Interruption in Service Customer Attrition Sublimit shall be part of and not in addition to:
a. the Each Cyber Incident Limit; and
b. the Aggregate Limit for all Cyber Incidents,
set forth in Item 4.B.1. of the Declarations for this Policy.

The Interruption in Service Customer Attrition Sublimit shall also be part of and not in addition to the Maximum Policy Aggregate Limit of Insurance set forth in Item 3B of the Declarations and will in no way serve to increase the Insurer’s maximum liability under the Policy.
The Insurer’s obligation to reimburse Customer Attrition Loss or Customer Attrition Expenses because of an Interruption in Service under Insuring Agreement B.1. is in excess of the Insured’s applicable Retention amount as set forth in Item 4.B.1., and once the applicable Waiting Period shown in Item 4.B.1. of the Declarations has expired.

B. Notwithstanding the foregoing, if the field above in paragraph A of this subsection is left blank or N/A is shown, then the Limits of Insurance shown in Item 4.B.1. of the Declarations shall apply to the sum of all Customer Attrition Loss and Customer Attrition Expenses resulting directly from an Interruption in Service.

C. There shall be no coverage for Customer Attrition Loss or Customer Attrition Expenses as a direct result of an Interruption in Service other than with respect to Insuring Agreement B.1.

4. Section X, Proof of Loss for First Party Insuring Agreements, subsection B, is deleted and replaced with the following:

B. In addition to an Insured’s proof of loss as set forth in Subsection A above, with respect to Insuring Agreement B, the Business Interruption Loss, Contingent Business Interruption Loss, and Customer Attrition Loss will be determined taking full account and due consideration of such Insured’s proof of loss and the trends or circumstances which affect the profitability of the business and would have affected the profitability of the business had the Business Interruption Loss, Contingent Business Interruption Loss, or Customer Attrition Loss not occurred, including all material changes in market conditions or adjustment expenses which would affect the net profit generated, as well as income derived from substitute methods, facilities, or personnel used by the Insured to maintain its revenue stream.
However, the Insurer’s adjustment will not include the Insured’s increase in income that would likely have been earned as a result of an increase in the volume of business due to favorable business conditions caused by the impact of a Malicious Computer Act on others.

All other terms, conditions and limitations of this Policy remain unchanged.

FAILURE TO SUPPLY EXCLUSION

THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY.

This endorsement modifies insurance provided under the following:
CHUBB CYBER ENTERPRISE RISK MANAGEMENT POLICY
CHUBB DIGITECH® ENTERPRISE RISK MANAGEMENT POLICY
CHUBB PROFESSIONAL ENTERPRISE RISK MANAGEMENT POLICY

It is agreed that Section III, Exclusions, is amended as follows:

1. Subsection B, Exclusions Applicable To Specific Insuring Agreements, is amended by adding the following exclusion:

• Failure to Supply
solely with respect to Insuring Agreement E, and if applicable, Insuring Agreement P or Insuring Agreement T, alleging, based upon, arising out of, or attributable to the failure to supply or produce the following scheduled products, commodities, or services, whether or not such failure is caused by or results from a Cyber Incident:

Water Supply

2. Solely with respect to this endorsement, subsection A, Exclusions Applicable To All Insuring Agreements, Exclusion 8, Infrastructure Outage, is deleted in its entirety and replaced with the following:

8. Infrastructure Outage
alleging, based upon, arising out of, or attributable to any electrical or mechanical failure or interruption, electrical disturbance, surge, spike, brownout, blackout, or outages to electricity, gas, water, Internet access service provided by the Internet service provider that hosts an Insured’s website, telecommunications, or other infrastructure. However, solely with respect to Insuring Agreement B, this exclusion shall not apply to failures, interruptions, disturbances, or outages of telephone, cable or telecommunications systems, networks, or infrastructure under an Insured’s operational control which are a result of a Network Security Failure.

All other terms, conditions and limitations of this Policy remain unchanged.

PF-50959 (02/19)

CCPA Sublimit Endorsement

THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY

This endorsement modifies insurance provided under the following: Chubb Cyber Enterprise Risk Management Pool Policy

It is agreed that the Policy is amended as follows, Section III, Exclusions, subsection A, Exclusions Applicable to All Insuring Agreements, is amended to include the following exclusion:

• alleging, based upon, arising out of or attributable to any violation of the California Consumer Privacy Act of 2018 (“CCPA”), CAL. CIV. CODE § 1798.198(a) (2018); provided however, subject to a limit of insurance of $250,000, in the aggregate, per Member, subject to pool aggregate of $10,000,000 for all such Claims under this Policy, this exclusion shall not apply to Costs, Damages, or Claims Expenses, including each such Claim alleging Interrelated Incidents. This sublimit shall be part of, and not in addition to: (i) the otherwise applicable limits of insurance set forth in Item 4 of the Declarations; (ii) the Maximum Member Policy Aggregate Limit of Insurance set forth in Item 3.C of the Declarations; and (iii) the Maximum Pool Policy Aggregate Limit of Insurance set forth in Item 3.B of the Declarations, and will in no way serve to increase the Insurer’s maximum liability under the Policy.

All other terms, conditions and limitations of this Policy remain unchanged.
MS-305005.5 (07/2020) © 2016

ALL-20887a (03/16)

Chubb Producer Compensation Practices & Policies

Chubb believes that policyholders should have access to information about Chubb's practices and policies related to the payment of compensation to brokers and independent agents. You can obtain that information by accessing our website at chubbproducercompensation.com or by calling the following toll-free telephone number: 1-866-512-2862.

Policyholder Notice

Cyber Services for Incident Response

This Policyholder Notice shall be construed as part of your Policy but no coverage is provided by this Policyholder Notice nor can it be construed to replace any provisions of your Policy. While no coverage is provided by this Policyholder Notice, bolded terms in this Policyholder Notice shall have the meaning set forth in your Policy. You should read your Policy and review your Declarations page for complete information on the coverages you are provided. This Notice provides information concerning access to cyber services for incident response.

Cyber Incident Response Team

The Cyber Incident Response Team is a list of approved service providers available to provide the services set forth in the definition of Cyber Incident Response Expenses in your Policy. The list of approved service providers is available on the Chubb website. These providers have been carefully selected by Chubb and are reviewed on a periodic basis. The service providers have capabilities in various disciplines for a Cyber Incident response that include, but are not limited to, the following:
1. Computer Forensics
2. Public Relations
3. Notification and Identity Services
4. Call Center Services
5. Cyber Extortion and Ransom Services
6. Legal and Regulatory Communications
7. Business Interruption Services

In the event of a Cyber Incident, a copy of the Cyber Incident Response Team list can also be obtained from any Cyber Incident Response Coach.
In the event of a Cyber Incident, contact the Cyber Incident Response Coach as indicated on the Declarations Page and referenced throughout the Policy.

Please note the following:

1. Should you experience a cyber related incident, you may choose to call the Cyber Incident Response Team Hotline listed in your Policy for immediate triage assistance. Please be aware that the hotline service is provided by a third-party law firm. If you engage this service, it is billable to you at the standard rate per hour outlined in the Chubb Cyber Incident Response Team Panel Guidelines. Calling the hotline does NOT satisfy the claim notification requirements of your Policy.

2. Chubb shall not be a party to any agreement entered into between any Cyber Incident Response Team service provider and the policyholder. It is understood that Cyber Incident Response Team service providers are independent contractors, and are not agents of Chubb. The policyholder agrees that Chubb assumes no liability arising out of any services rendered by a Cyber Incident Response Team service provider. Chubb shall not be entitled to any rights or subject to any obligations or liabilities set forth in any agreement entered into between any Cyber Incident Response Team service provider and the policyholder. Any rights and obligations with respect to such agreement, including but limited to billings, fees and services rendered, are solely for the benefit of, and borne solely by such Cyber Incident Response Team service provider and the policyholder, and not Chubb.

3. Chubb has no obligation to provide any of the legal, computer forensics, public relations, notification and identity services, call center services, cyber extortion and ransom, legal and regulatory communications, and business interruption advice and services provided by the Cyber Incident Response Team.
4. The policyholder is under no obligation to contract for services with Cyber Incident Response Team service providers, except as may be amended by the Policy.

5. Solely with respect to the services provided by the Cyber Incident Response Team:

a. Failure to comply with any one or more of the requirements of the Cyber Incident Response Team will preclude coverage under the applicable limit(s).

b. Chubb may, at its sole discretion and only as evidenced by Chubb’s prior written approval, on or before the effective date of the Policy, permit the policyholder to retain alternative service providers to provide services comparable to the services and rates offered by the Cyber Incident Response Team.

c. If, during the Policy Period, either (i) any of the Cyber Incident Response Team service providers is unable to or does not provide the services covered and as defined in the definition of Cyber Incident Response Expenses or (ii) there is a change of law or regulation that prevents service providers selected exclusively from the Cyber Incident Response Team from providing the legal, computer forensic, notification, call center, public relations, crisis communications, fraud consultation, credit monitoring, and identity restoration advice and services sought by the policyholder, Chubb may, at its sole discretion and only as evidenced by Chubb’s prior written approval, permit the policyholder to retain alternative service providers to provide services comparable to the services offered by the Cyber Incident Response Team.

d. The maximum rate Chubb will pay for Cyber Incident Response Expenses shall be no more than the rates outlined in the ‘Chubb Cyber Incident Response Team Panel Guidelines’ for such services.

PF-48259 (10/16) © 2016

U.S.
Treasury Department’s Office Of Foreign Assets Control (“OFAC”) Advisory Notice to Policyholders

This Policyholder Notice shall not be construed as part of your policy and no coverage is provided by this Policyholder Notice nor can it be construed to replace any provisions of your policy. You should read your policy and review your Declarations page for complete information on the coverages you are provided.

This Notice provides information concerning possible impact on your insurance coverage due to directives issued by OFAC. Please read this Notice carefully.

The Office of Foreign Assets Control (OFAC) administers and enforces sanctions policy, based on Presidential declarations of "national emergency". OFAC has identified and listed numerous:
Foreign agents;
Front organizations;
Terrorists;
Terrorist organizations; and
Narcotics traffickers;
as "Specially Designated Nationals and Blocked Persons". This list can be located on the United States Treasury's web site – http//www.treas.gov/ofac.

In accordance with OFAC regulations, if it is determined that you or any other insured, or any person or entity claiming the benefits of this insurance has violated U.S. sanctions law or is a Specially Designated National and Blocked Person, as identified by OFAC, this insurance will be considered a blocked or frozen contract and all provisions of this insurance are immediately subject to OFAC. When an insurance policy is considered to be such a blocked or frozen contract, no payments nor premium refunds may be made without authorization from OFAC. Other limitations on the premiums and payments also apply.

PF-17914a (04/16) Reprinted, in part, with permission of ISO Properties, Inc.