2025/26 Cyber Liability Program - Great American - Primary Policy

Need to file a Cyber claim?

We make the process easy and stress free. At Great American, we understand that filing a claim can be upsetting and stressful. That's why we want you to be able to report your claim as quickly as possible.

Before reporting your claim, please have ready:
• Your policy number
• Complete and accurate information regarding the claim.

Email our claims team: CyberClaim@gaig.com
Call our claims center: 877-209-2009

Once you have reported your claim, it will be acknowledged and investigated by your claims professional. Thank you for choosing Great American Insurance Group!

Great American eRiskHub® Portal

When a cyber event occurs, time is of the essence. Having a plan in place with access to the third-party resources you need can help you efficiently and cost-effectively respond and recover.

Respond and recover quickly with eRiskHub

As a Great American policyholder, you have access to the eRiskHub® portal, powered by NetDiligence®. eRiskHub provides tools and resources to help you:
• Understand your exposures
• Establish a response plan
• Minimize the effects of a breach on your organization

How do I use eRiskHub?

Registration is simple - go to eriskhub.com/greatamerican and enter 186488 in the Access Code field. You'll create your own username and password. Once registered, you can access tools that will help you assess risk, prepare for and/or modify your response plan, and familiarize yourself with the service.

What if I want to speak to a lawyer?

Your policy includes Incident Consultation Coverage from a third-party law firm for actual or suspected privacy and network security incidents. There is no deductible or additional out of pocket expense to use this consultation and the coverage is in addition to your policy's limits of insurance. Not every suspected incident means you need to notify us.
This consultation will help you decide what next steps are necessary including whether or not you need to notify us. The Incident Consultation Hotline can be found at eriskhub.com/greatamerican.

Great American Insurance Group, 301 E. Fourth St., Cincinnati, OH 45202. Great American does not endorse the companies or services listed on eRiskHub.com and NetDiligence Inc. is solely responsible for all eRiskHub.com content. Unless otherwise indicated or approved, payment for services provided by these companies is your responsibility. Coverage description is summarized. Refer to the actual policy for a full description of applicable terms, conditions, limits and exclusions. Policies are underwritten by Great American Fidelity Insurance Company and Great American Spirit Insurance Company, authorized insurers in all 50 states and DC. The Great American Insurance Group eagle logo and the word marks Great American® and Great American Insurance Group® are registered service marks of Great American Insurance Company. © 2018 Great American Insurance Company. All rights reserved. 0002-CBR (1A9)

eriskhub.com/greatamerican
Tools and Breach Coaches are available 24 hours a day, seven days a week.

GREAT AMERICAN INSURANCE GROUP
GAIG.com

Cyber Loss Control

Cyber Risk Division
301 E. Fourth Street
Cincinnati, OH 45202

To report a claim:
call (877) 209-2009
email cyberclaim@gaig.com

To contact loss control:
call y) 42
email cyberlosscontrol@gaig.com

What You Get

Great American is proud to offer EagleEye, a set of tools — the same ones we use to protect ourselves — to all cyber risk policyholders. Based on the industry standard NIST framework, this set of tools protects from three necessary angles. The toolkit includes:
• Employee Insights — a shareable checklist to help avoid the most common security errors
• SecurityScorecard — an instant scan to assess your company's security from an outside viewpoint
• Security Roadmap — a detailed questionnaire that compares current cybersecurity practices to key protective measures

eRiskHub provides tools and resources to help you and your client:
• Understand cyber related exposures
• Incorporate Cyber Risk Insurance into the client's response plan
• Minimize the effects of a breach on your organization

What's Next?

To ensure that our communications are received by someone that will be able to act upon them, please send the name and contact information for your information security leader to cyberlosscontrol@gaig.com. From here, cyber loss control will be in contact with your information security leader to discuss the suite of tools listed above and to provide aid in cyber risk management.

Cyber Loss control consultation services are provided by Great American Insurance Company and its affiliates to assist management of insured firms in fulfilling their responsibilities for the control of potential loss producing situations involving their information technology and/or operations. The information provided is intended to provide guidance and is not intended as a legal interpretation of any federal, state or local laws, rules or regulations applicable to your business. The cyber loss control information provided is intended only to assist policyholders in the management of potential loss producing conditions involving their information technology and/or operations based on best practices around cybersecurity controls. In providing such information, Great American does not warrant that all potential hazards or conditions have been evaluated or can be controlled.
It is not intended as an offer to write insurance for such conditions or exposures. The liability of Great American Insurance Company and its affiliated insurers is limited to the terms, limits and conditions of the insurance policies underwritten by any of them. Great American Insurance Group, 301 E. Fourth St., Cincinnati, OH 45202. 0036 CBR (01/23) GAIG.com

CWSN (Ed. 04/23)

SURPLUS LINES DISCLOSURES

Please read the applicable surplus lines disclosure for the state in which your policy is executed.

Alabama
This contract is registered and delivered as a surplus line coverage under the Alabama Surplus Line Insurance Law.

Alaska
ALASKA POLICYHOLDER NOTICE 3 AAC 25.050
This policy is issued by a nonadmitted or surplus lines insurer. Insurance may only be purchased from nonadmitted insurers if the full amount, kind, or class of insurance cannot be obtained from insurers who are admitted to do business in the State of Alaska. Your broker or the surplus lines broker has determined that this was true on the date the policy was placed. Before issuing a renewal policy or extending this policy, remarketing is required. To avoid intentional or unintentional extension of coverage in the surplus lines market when an admitted market for that coverage exists, a nonadmitted insurer is prohibited from the automatic renewal or extension of a policy without remarketing by your broker or the surplus lines broker. In order to comply with the Alaska Administrative Code, the following notice is given: You are hereby notified that, under 3 AAC 25.050, your policy will terminate effective no later than the date and time of its expiration. We reserve the right to cancel this policy sooner than the expiration date by giving you notice of cancellation as required in AS 21.36.220. You may request through your broker that a new policy from the surplus lines broker be concurrent with the effective date of the termination of this policy.
You are also notified that a new policy, if issued by us, is subject to rerating, which may result in a premium increase of more than ten percent (10%). As required by 3 AAC 25.050, you are hereby notified that any subsequent policy issued by us may be subject to a ten percent (10%) or more increase in premium. The actual premium will be based upon rates that apply at the time a subsequent policy, if any, is issued and will be made available to you before the effective date of the new policy, or the date subsequent coverage is bound, whichever occurs first.

Arizona
Pursuant to section 20-401.01, subsection B, paragraph 1, Arizona Revised Statutes, this policy is issued by an insurer that does not possess a certificate of authority from the director of the Arizona department of insurance and financial institutions. If the insurer that issued this policy becomes insolvent, insureds or claimants will not be eligible for insurance guaranty fund protection pursuant to title 20, Arizona Revised Statutes.

Arkansas
This contract is registered and delivered as a surplus line coverage under the Surplus Lines Insurance Law, and it may in some respects be different from contracts issued by insurers in the admitted markets, and, accordingly, it may, depending upon the circumstances, be more or less favorable to an insured than a contract from an admitted carrier might be. The protection of the Arkansas Property and Casualty Guaranty Act does not apply to this contract. A tax of four percent (4%) is required to be collected from the insured on all surplus lines premiums.

California
See pages 7 and 8 of the policy jacket.

Colorado
This contract is delivered as a surplus line coverage under the 'Nonadmitted Insurance Act'. The insurer issuing this contract is not licensed in Colorado but is an eligible nonadmitted insurer. There is no protection under the provisions of the 'Colorado Insurance Guaranty Association Act'.
This policy is issued by an insurance company that is not regulated by the Colorado Division of Insurance. The insurance company may not provide claims service and may not be subject to service of process in Colorado. If the insurance company becomes insolvent, insureds or claimants will not be eligible for protection under Colorado insurance law. This policy is a claims-made policy which provides liability coverage only if a claim is made during the policy period or any applicable extended reporting period.

Connecticut
NOTICE
THIS IS A SURPLUS LINES POLICY AND IS NOT PROTECTED BY THE CONNECTICUT INSURANCE GUARANTY ASSOCIATION OR SUBJECT TO REVIEW BY THE CONNECTICUT INSURANCE DEPARTMENT. IT IS IMPORTANT THAT YOU READ AND UNDERSTAND THIS POLICY.

Delaware
This insurance contract is issued pursuant to the Delaware Insurance Laws by an insurer neither licensed by nor under the jurisdiction of the Delaware Insurance Department. This insurer does not participate in insurance guaranty funds created by state law. In the event of the insolvency of the surplus lines insurer, losses will not be paid by the state insurance guaranty fund.
SIGNATURE OF BROKER OR AUTHORIZED REPRESENTATIVE

Florida
THIS INSURANCE IS ISSUED PURSUANT TO THE FLORIDA SURPLUS LINES LAW. PERSONS INSURED BY SURPLUS LINES CARRIERS DO NOT HAVE THE PROTECTION OF THE FLORIDA INSURANCE GUARANTY ACT TO THE EXTENT OF ANY RIGHT OF RECOVERY FOR THE OBLIGATION OF AN INSOLVENT UNLICENSED INSURER. SURPLUS LINES INSURERS' POLICY RATES AND FORMS ARE NOT APPROVED BY ANY FLORIDA REGULATORY AGENCY.

Georgia
This contract is registered and delivered as a surplus line coverage under the Surplus Line Insurance Law, O.C.G.A. Chapter 33-5.

FREQUENTLY ASKED QUESTIONS ABOUT YOUR SURPLUS LINES POLICY
Your broker has placed the insurance you requested in the "surplus lines market" with one or more surplus lines insurers.
By definition, such surplus lines insurers are not licensed in the state, but this does not mean that the transaction is not regulated. The surplus lines market is an insurance marketplace that is established for the purpose of insuring unique or hard to place risks. Some of the rules that apply to surplus lines insurance policies and surplus lines insurance companies differ from those that govern coverage obtained from insurance companies licensed in your state. In order for you to better understand the surplus lines market and the rights you have in a surplus lines transaction, the following material is provided. Please read this brochure carefully, and should you have any questions after reading the material, do not hesitate to ask your broker. If you wish further information, please contact the Regulatory Services Division, Room 604 West Tower, 2 Martin Luther King, Jr. Drive, Atlanta, Georgia 30334 or (404) 656-2074 or toll free at (800) 656-2298 (request Regulatory Services Division).

WHAT IS A SURPLUS LINES POLICY?
A surplus lines policy is a policy placed with an insurer that is not licensed (or 'admitted') in this state, but is nonetheless eligible to provide insurance on property or liability insurance protection to citizens of this state through specially licensed agents or brokers known as surplus lines brokers.

WHY AM I GETTING COVERAGE FROM A SURPLUS LINES INSURER?
Your agent or broker may have been unable to obtain the coverage you requested from insurance companies licensed in this state, but was able to obtain coverage from an eligible surplus lines insurance company. The reason for your agent or broker's action is that the risk or property for which you sought coverage may be unique or have certain risk characteristics that caused licensed insurers to decline to write the policy.
In circumstances where licensed insurers will not write the risk, your broker is authorized by state law or regulation to obtain the coverage from a 'surplus lines' insurer.

SINCE THE SURPLUS LINES INSURER IS UNLICENSED, IS THE TRANSACTION UNREGULATED?
Surplus lines transactions are regulated by state law that require that surplus lines policies be procured only by specially licensed brokers. These are called surplus lines brokers and they are authorized to transact business with certain unlicensed insurers that meet financial and other eligibility standards set by the state. These insurers are known as surplus lines insurers. Your agent may have worked with a licensed surplus lines broker in securing your policy. Alternatively, your agent may hold a surplus lines broker's license.

IS MY SURPLUS LINES POLICY COVERED BY THE STATE GUARANTY OR INSOLVENCY FUND?
No. There is no guaranty fund for coverage for surplus lines policies. The guaranty fund, which provides payments in the event that your insurance company becomes insolvent, only covers policies of licensed insurers.

HOW IS THE RATE OR PRICE OF A SURPLUS LINES POLICY DETERMINED?
The rate or premium charged for a surplus lines policy is determined by the surplus lines insurer. As unlicensed insurers, surplus lines insurers do not file their rates or premiums with the state for review or approval.

DOES THE GEORGIA DEPARTMENT OF INSURANCE REVIEW OR APPROVE THE TERMS AND CONDITIONS OF THIS POLICY?
Pursuant to O.C.G.A. § 33-5-21.1, policies of surplus lines insurers are not reviewed or approved by the Georgia Department of Insurance.

CAN MY POLICY BE RENEWED OR EXTENDED?
Your surplus lines policy may or may not be renewed or extended when the policy expires. An extension of the policy coverage will be dependent upon the continued unavailability of the policy coverage from insurers licensed in this state and the willingness of the surplus lines insurer to continue to accept the risk.
Since a surplus lines policy is generally not subject to the same notice requirements as a policy issued by a licensed insurer, notice of a premium increase for a new policy term or the company's intent not to extend the policy at the same terms and conditions might not be provided until close to the date the policy expires. Therefore, you should keep in contact with your agent or broker, particularly as the expiration of the policy term nears, to ascertain the status of the policy and to assure continuity of coverage.

Hawaii
This insurance contract is issued by an insurer which is not licensed by the State of Hawaii and is not subject to its regulation or examination. If the insurer is found insolvent, claims under this contract are not covered by any guaranty fund of the State of Hawaii.

Idaho
This surplus line contract is issued pursuant to the Idaho insurance laws by an insurer not licensed by the Idaho Department of Insurance. There is no coverage provided for surplus line insurance by either the Idaho Insurance Guaranty Association or by the Idaho Life and Health Insurance Guaranty Association.

Illinois
Notice to Policyholder: This contract is issued, pursuant to Section 445 of the Illinois Insurance Code, by a company not authorized and licensed to transact business in Illinois and as such is not covered by the Illinois Insurance Guaranty Fund.

Iowa
This policy is issued, pursuant to Iowa Code chapter 515I, by an eligible surplus lines insurer in Iowa and as such is not covered by the Iowa Insurance Guaranty Association.

Kansas
This policy is issued by an insurer not authorized to do business in Kansas and, as such, the form, financial condition and rates are not subject to review by the commissioner of insurance and the insured is not protected by any guaranty fund.

Kentucky
This insurance has been placed with an insurer not licensed to transact business in the Commonwealth of Kentucky but eligible as a surplus lines insurer. The insurer is not a member of the Kentucky Insurance Guaranty Association. Should the insurer become insolvent, the protection and benefits of the Kentucky Insurance Guaranty Association are not available.

Louisiana
See page 9 of the policy jacket.

Maine
This insurance contract is issued pursuant to the Maine Insurance Laws by an insurer neither licensed by nor under the jurisdiction of the Maine Bureau of Insurance.

Maryland
This insurance is issued by a nonadmitted insurer not under the jurisdiction of the Maryland Insurance Commissioner.
DISCLOSURE REGARDING SURPLUS LINES INSURANCE.
Please Read the Following Carefully Before Purchasing Insurance From a Surplus Lines Insurer.
This policy is issued by a surplus lines insurer that has been approved by the Maryland Insurance Administration to issue insurance policies in the surplus lines insurance market. Surplus lines insurers are not under the jurisdiction of the Maryland Insurance Administration and do not possess a certificate of authority to transact insurance business in the State of Maryland. Because surplus lines insurers are not under the jurisdiction of the Maryland Insurance Administration, your ability to seek assistance from the State if you have a problem with your insurance company is limited. Property and Casualty Insurance Guaranty Corporation and Maryland Life and Health Insurance Guaranty Corporation provide funds that permit certain claimants or policyholders to receive payment of covered claims if their insurance company becomes insolvent (i.e., bankrupt) and is unable to pay the claims. However, these funds do not apply to surplus lines insurers, as a surplus lines insurer is not a member insurer of the Property and Casualty Insurance Guaranty Corporation or the Maryland Life and Health Insurance Guaranty Corporation.
If a surplus lines insurer becomes insolvent (i.e., bankrupt), any claim that you have against the surplus lines insurer will not be covered by the funds administered by Property and Casualty Insurance Guaranty Corporation and Maryland Life and Health Insurance Guaranty Corporation. If you have any questions regarding this disclosure or surplus lines insurance, please contact the Maryland Insurance Administration at 410-468-2340.

Massachusetts
This policy is insured by a company which is not admitted to transact insurance in the commonwealth, is not supervised by the commissioner of insurance and, in the event of an insolvency of such company, a loss shall not be paid by the Massachusetts Insurers Insolvency Fund under chapter 175D.

Michigan
This insurance has been placed with an insurer that is not licensed by the state of Michigan. In case of insolvency, payment of claims may not be guaranteed.

Minnesota
THIS INSURANCE IS ISSUED PURSUANT TO THE MINNESOTA SURPLUS LINES INSURANCE ACT. THE INSURER IS AN ELIGIBLE SURPLUS LINES INSURER BUT IS NOT OTHERWISE LICENSED BY THE STATE OF MINNESOTA. IN CASE OF INSOLVENCY, PAYMENT OF CLAIMS IS NOT GUARANTEED.

Mississippi
NOTE: This insurance policy is issued pursuant to Mississippi law covering surplus lines insurance. The company issuing the policy is not licensed by the State of Mississippi, but is authorized to do business in Mississippi as a nonadmitted company. The policy is not protected by the Mississippi Insurance Guaranty Association in the event of the insurer's insolvency.

Missouri
This is evidence of insurance procured and developed under the Missouri Surplus Lines Laws. It is NOT covered by the Missouri Insurance Guaranty Association. This insurer is not licensed by the state of Missouri and is not subject to its supervision.

Montana
NOTICE: This coverage is issued by an unauthorized insurer that is an eligible surplus lines insurer.
If this insurer becomes insolvent, there is no coverage by the Montana Insurance Guaranty Association under the Montana Insurance Guaranty Association Act.
Signature of Surplus Lines Insurance Producer

Nebraska
This policy is issued by a nonadmitted insurer, and in the event of the insolvency of such insurer, this policy will not be covered by the Nebraska Property and Liability Insurance Guaranty Association.

Nevada
This insurance contract is issued pursuant to the Nevada insurance laws by an insurer neither licensed by nor under the supervision of the Division of Insurance of the Department of Business and Industry of the State of Nevada. If the insurer is found insolvent, a claim under this contract is not covered by the Nevada Insurance Guaranty Association Act.

New Hampshire
The company issuing this policy is an eligible surplus lines insurer in the state of New Hampshire and the rates charged and policy forms used have not been approved by the commissioner of insurance. If the company issuing this policy becomes insolvent, the New Hampshire insurance guaranty fund shall not be liable for any claims made against the policy.

New Jersey
This policy is written by a surplus lines insurer and is not subject to the filing or approval requirements of the New Jersey Department of Banking and Insurance. Such a policy may contain conditions, limitations, exclusions and different terms than a policy issued by an insurer granted a Certificate of Authority by the New Jersey Department of Banking and Insurance. The insurer has been approved by the Department as an eligible surplus lines insurer, but the policy is not covered by the New Jersey Insurance Guaranty Fund, and only a policy of medical malpractice liability insurance as defined in N.J.S.A. 17:30D-3d or a policy of property insurance covering owner-occupied dwellings of less than four dwelling units are covered by the New Jersey Surplus Lines Guaranty Fund.

New Mexico
This policy provides surplus lines insurance by an insurer not otherwise authorized to transact business in New Mexico. This policy is not subject to supervision, review or approval by the superintendent of insurance. The insurance so provided is not within the protection of any guaranty fund law of New Mexico designed to protect the public in the event of the insurer's insolvency.
Surplus Lines Brokers Signature

New York
THE INSURER(S) NAMED HEREIN IS (ARE) NOT LICENSED BY THE STATE OF NEW YORK, NOT SUBJECT TO ITS SUPERVISION, AND IN THE EVENT OF THE INSOLVENCY OF THE INSURER(S), NOT PROTECTED BY THE NEW YORK STATE SECURITY FUNDS. THE POLICY MAY NOT BE SUBJECT TO ALL OF THE REGULATIONS OF THE DEPARTMENT OF FINANCIAL SERVICES PERTAINING TO POLICY FORMS.

North Carolina
The insurance company with which this coverage has been placed is not licensed by the State of North Carolina and is not subject to its supervision. In the event of the insolvency of the insurance company, losses under this policy will not be paid by any State insurance guaranty or solvency fund.

Ohio
Surplus Lines Statement
PART 1. STATEMENT OF SURPLUS LINE BROKER OR ORIGINATING AGENT
The surplus lines broker acknowledges that he/she is a duly licensed full multiple line agent currently licensed with insurance companies, other than life, authorized to do business in Ohio or he/she is a duly licensed surplus line broker pursuant to section 3905.30 of the Ohio Revised Code and that after due diligence, he/she is unable to procure the insurance policy described below from insurers authorized to do business in Ohio to which he/she is a licensed agent.
He/she acknowledges that he/she has complied with the applicable requirements of due diligence as set forth in section 3905.33 of the Ohio Revised Code, and has explained to the insured the meaning of the signed statements prior to binding coverage and received declinations for the reasons set forth below from the following authorized insurer(s) to which he/she is so licensed and which are known to him/her to customarily write the kind of insurance described above.
Signature of Surplus Line Broker or Originating Agent
PART 2. SIGNED STATEMENT OF INSURED AS REQUIRED BY SECTION 3905.33 OF THE OHIO REVISED CODE
The named insured acknowledges that the insurance policy (other than life insurance) as described above is to be placed with an insurance company not authorized to do business in Ohio. The insured understands that the insurance company is not a member of the Ohio Insurance Guaranty Association and that Chapter 3955. of the Ohio Revised Code is not applicable to claimants or insureds of said insurance company. The surplus line broker shall collect the Ohio tax of five percent of the amount of the premium for the insurance policy at the time the insurance policy is delivered to the insured.
Signature of Insured

Oklahoma
The protection of any guaranty association in the event of liquidation or receivership of the surplus lines insurer does not apply to this contract.

Oregon
This insurance was procured and developed under the Oregon surplus lines laws. It is NOT covered by the provisions of ORS 734.510 to 734.710 relating to the Oregon Insurance Guaranty Association. If the insurer issuing this insurance becomes insolvent, the Oregon Insurance Guaranty Association has no obligation to pay claims under this insurance.

Pennsylvania
The insurer which has issued this insurance is not licensed by the Pennsylvania Insurance Department and is subject to limited regulation.
This insurance is NOT covered by the Pennsylvania Property and Casualty Insurance Guaranty Association.

Rhode Island
NOTICE
THIS INSURANCE CONTRACT HAS BEEN PLACED WITH AN INSURER NOT LICENSED TO DO BUSINESS IN THE STATE OF RHODE ISLAND BUT APPROVED AS A SURPLUS LINES INSURER. THE INSURER IS NOT A MEMBER OF THE RHODE ISLAND INSURERS INSOLVENCY FUND. SHOULD THE INSURER BECOME INSOLVENT, THE PROTECTION AND BENEFITS OF THE RHODE ISLAND INSURERS INSOLVENCY FUND ARE NOT AVAILABLE.

South Carolina
This company has been approved by the director or his designee of the South Carolina Department of Insurance to write business in this State as an eligible surplus lines insurer, but it is not afforded guaranty fund protection.

South Dakota
THIS INSURANCE CONTRACT IS ISSUED BY A NONADMITTED INSURER WHICH IS NOT LICENSED BY NOR UNDER THE JURISDICTION OF THE SOUTH DAKOTA INSURANCE DIRECTOR.

Tennessee
This insurance contract is with an insurer not licensed to transact insurance in this state and is issued and delivered as a surplus lines coverage pursuant to the Tennessee insurance statutes.

Texas
This insurance contract is with an insurer not licensed to transact insurance in this state and is issued and delivered as surplus line coverage under the Texas insurance statutes. The Texas Department of Insurance does not audit the finances or review the solvency of the surplus lines insurer providing this coverage, and the insurer is not a member of the property and casualty insurance guaranty association created under Chapter 462, Insurance Code. Chapter 225, Insurance Code, requires payment of a 4.85 percent tax on gross premium.

Utah
The insurer issuing this policy does not hold a certificate of authority to do business in this state and thus is not fully subject to regulation by the Utah insurance commissioner. This policy receives no protection from any of the guaranty associations created under Title 31A, Chapter 28, Guaranty Associations.

Vermont
The company issuing this policy is a surplus lines insurer and the rates charged have not been approved by the Commissioner of Financial Regulation. Any default on the part of the insurer is not covered by the Vermont Insurance Guaranty Association.

Virginia
VIRGINIA FORM SLB-9
NOTICE TO INSURED
THE INSURANCE POLICY THAT YOU HAVE APPLIED FOR HAS BEEN PLACED WITH OR IS BEING OBTAINED FROM AN INSURER APPROVED BY THE STATE CORPORATION COMMISSION FOR ISSUANCE OF SURPLUS LINES INSURANCE IN THE COMMONWEALTH, BUT NOT LICENSED OR REGULATED BY THE STATE CORPORATION COMMISSION OF THE COMMONWEALTH OF VIRGINIA. THEREFORE, YOU, THE POLICYHOLDER, AND PERSONS FILING A CLAIM AGAINST YOU ARE NOT PROTECTED UNDER THE VIRGINIA PROPERTY AND CASUALTY INSURANCE GUARANTY ASSOCIATION ACT (§§ 38.2-1600 et seq.) OF THE CODE OF VIRGINIA AGAINST DEFAULT OF THE COMPANY DUE TO INSOLVENCY. IN THE EVENT OF INSURANCE COMPANY INSOLVENCY YOU MAY BE UNABLE TO COLLECT ANY AMOUNT OWED TO YOU BY THE COMPANY REGARDLESS OF THE TERMS OF THIS INSURANCE POLICY, AND YOU MAY HAVE TO PAY FOR ANY CLAIMS MADE AGAINST YOU.

Washington
This contract is registered and delivered as a surplus line coverage under the insurance code of the state of Washington, Title 48 RCW. It is not protected by any Washington state guaranty association law. I have procured insurance from an unauthorized insurer or insurers, in accordance with the laws and regulations of the state of Washington under my surplus line broker's license. Details of such transaction are set forth above. The insurance could not be procured, after diligent effort was made to do so from among a majority of the insurers authorized to transact that kind of insurance in this state, and placing the insurance in such unauthorized insurer(s) was not done for the purpose of securing a lower premium rate than would be accepted by any authorized insurer.
I certify that I am duly authorized to place this coverage on behalf of the insured, that the risk has been duly accepted by the insurer(s), and that the financial condition of the unauthorized insurer(s) before placing the insurance therewith meets or exceeds the financial requirements provided by law. I certify that under the penalty of the suspension or revocation of my surplus line broker's license that the facts contained in this certification are true and correct.
Signature of Surplus Line Broker

West Virginia
THIS COMPANY IS NOT LICENSED TO DO BUSINESS IN WEST VIRGINIA AND IS NOT SUBJECT TO THE WEST VIRGINIA INSURANCE GUARANTY ACT.

Wisconsin
This insurance contract is with an insurer which has not obtained a certificate of authority to transact a regular insurance business in the state of Wisconsin, and is issued and delivered as a surplus line coverage pursuant to s. 618.41 of the Wisconsin Statutes. Section 618.43(1), Wisconsin Statutes, requires payment by the policyholder of 3 percent tax on gross premium.

Wyoming
This insurance contract is issued pursuant to the Wyoming Insurance Laws by an insurer neither licensed by nor under the jurisdiction of the Wyoming Insurance Department. In the event of insolvency of the surplus lines insurer, losses will not be paid by the Wyoming Insurance Guaranty Association.

IMPORTANT CALIFORNIA NOTICE:

1. The insurance policy that you are applying to purchase or have purchased is being issued by an insurer that is not licensed by the State of California. These companies are called "nonadmitted" or "surplus line" insurers.

2. The insurer is not subject to the financial solvency regulation and enforcement that apply to California licensed insurers.

3. The insurer does not participate in any of the insurance guarantee funds created by California law.
Therefore, these funds will not pay your claims or protect your assets if the insurer becomes insolvent and is unable to make payments as promised. 4. The insurer should be licensed either as a foreign insurer in another state in the United States or as a non -United States (alien) insurer. You should ask questions of your insurance agent, broker, or "surplus line" broker or contact the California Department of Insurance at the toll -free number 1-800-927-4357 or internet website www.insurance.ca.gov. Ask whether or not the insurer is licensed as a foreign or non -United States (alien) insurer and for additional information about the insurer. You may also visit the NAIC's internet website at www.naic.org. The NAIC-the National Association of Insurance Commissioners -is the regulatory support organization created and governed by the chief insurance regulators in the United States. 5. Foreign insurers should be licensed by a state in the United States and you may contact that state's department of insurance to obtain more information about that insurer. You can find a link to each state from this NAIC internet website: https:Hnaic.org/state_web_map.htm. 6. For non -United States (alien) insurers, the insurer should be licensed by a country outside of the United States and should be on the NAIC's International Insurers Department (IID) listing of approved nonadmitted non -United States insurers. Ask your agent, broker, or "surplus line" broker to obtain more information about that insurer. CWSN (Ed. 04/23) CWSN (Ed. 04/23) 7. California maintains a "List of Approved Surplus Line Insurers (LASLI)." Ask your agent or broker if the insurer is on that list, or view that list at the internet website of the California Department of Insurance: www.insurance.ca.gov/01-consumers/120-company/07-lasli/lasli.cfm. 8. 
If you, as the applicant, required that the insurance policy you have purchased be effective immediately, either because existing coverage was going to lapse within two business days or because you were required to have coverage within two business days, and you did not receive this disclosure form and a request for your signature until after coverage became effective, you have the right to cancel this policy within five days of receiving this disclosure. If you cancel coverage, the premium will be prorated and any broker's fee charged for this insurance will be returned to you. INSURED SIGNATURE DATE 8 CWSN (Ed. 04/23) CWSN (Ed. 04/23) LOUISIANA NOTICE: This insurance policy is delivered as surplus lines coverage under the Louisiana Insurance Code. In the event of insolvency of the company issuing this contract, the policyholder or claimant is not covered by the Louisiana Insurance Guaranty Association or the Louisiana Life and Health Insurance Guaranty Association, which guarantees only specific types of policies issued by insurance companies authorized to do business in Louisiana. This surplus lines policy has been procured by the following licensed Louisiana surplus lines broker: SIGNATURE OF BROKER OR AUTHORIZED REPRESENTATIVE NAME OF BROKER OR AUTHORIZED REPRESENTATIVE CWSN (Ed. 04/23) IMPORTANT INFORMATION TO POLICYHOLDERS CALIFORNIA TO OBTAIN INFORMATION OR TO MAKE A COMPLAINT In the event you need to contact someone about this Policy for any reason please contact your agent. 
If you have additional questions, you may contact the insurance company issuing this Policy at the following address and telephone number:
Great American Insurance Group
Administrative Offices
301 East 4th Street
Cincinnati, OH 45202
Or you may call the toll-free telephone number for information or to make a complaint at: 1-800-972-3008
If you have a problem with your insurance company, its agent or representative that has not been resolved to your satisfaction, please call or write to the Department of Insurance.
California Department of Insurance
Consumer Services Division
300 South Spring Street, South Tower
Los Angeles, California 90013
1-800-927-4357
213-897-8921 (if calling from within the Los Angeles area)
1-800-482-4833 (TDD Number)
Written correspondence is preferable so that a record of your inquiry can be maintained. When contacting your agent, company or the Bureau of Insurance, have your Policy Number available.
ATTACH THIS NOTICE TO YOUR POLICY
This notice is for information only and does not become a part or condition of the attached document.
SDM-705 (Ed. 11/08)

IL 72 68 (Ed. 09/09)
In Witness Clause
In Witness Whereof, we have caused this Policy to be executed and attested, and, if required by state law, this Policy shall not be valid unless countersigned by our authorized representative.
PRESIDENT SECRETARY
© Great American Insurance Co., 2009

IL 73 24 (Ed. 07/21)
THIS ENDORSEMENT CHANGES YOUR POLICY. PLEASE READ IT CAREFULLY.
GLOBAL SANCTION ENDORSEMENT
Notwithstanding any other provision of this Policy, this insurance cannot provide coverage and the Insurer shall not be liable to pay any claim or provide any benefit under this Policy to the extent that the provision of such coverage or benefit, or the payment of such claim, would violate, conflict with, or expose the Insurer to any sanction, prohibition or restriction under United Nations resolutions or any applicable economic or financial sanctions or other trade laws or regulations, including, but not limited to, of the United States of America, European Union, United Kingdom, or Canada.

IL 73 68 (Ed. 01/20)
THIS ENDORSEMENT IS ATTACHED TO AND MADE PART OF YOUR POLICY IN RESPONSE TO THE DISCLOSURE REQUIREMENTS OF THE TERRORISM RISK INSURANCE ACT. THIS ENDORSEMENT DOES NOT GRANT ANY COVERAGE OR CHANGE THE TERMS AND CONDITIONS OF ANY COVERAGE UNDER THE POLICY.
DISCLOSURE PURSUANT TO TERRORISM RISK INSURANCE ACT
Schedule
Schedule — Part I
Terrorism Premium (Certified Acts) $0
This premium is the total Certified Acts premium attributable to the following Coverage Part(s), Coverage Form(s) and/or Policy(ies): CYP E859556-03
Additional information, if any, concerning the terrorism premium:
Schedule — Part II
Federal share of terrorism losses is 80% (Refer to Paragraph B. in this endorsement.)
Information required to complete this Schedule, if not shown above, will be shown in the Declarations.
A. Disclosure Of Premium
In accordance with the federal Terrorism Risk Insurance Act, we are required to provide you with a notice disclosing the portion of your premium, if any, attributable to coverage for terrorist acts certified under the Terrorism Risk Insurance Act. The portion of your premium attributable to such coverage is shown in the Schedule of this endorsement or in the Policy Declarations.
B. Disclosure Of Federal Participation in Payment of Terrorism Losses
The United States Government, Department of the Treasury, will pay a share of terrorism losses insured under the federal program. The federal share equals a percentage (as shown in Part II of the Schedule of this endorsement) of that portion of the amount of such insured losses that exceeds the applicable insurer retention. However, if aggregate insured losses attributable to terrorist acts certified under the Terrorism Risk Insurance Act exceed $100 billion in a calendar year, the Treasury shall not make any payment for any portion of the amount of such losses that exceeds $100 billion.
C. Cap On Insurer Participation in Payment of Terrorism Losses
If aggregate insured losses attributable to terrorist acts certified under the Terrorism Risk Insurance Act exceed $100 billion in a calendar year and we have met our insurer deductible under the Terrorism Risk Insurance Act, we shall not be liable for the payment of any portion of the amount of such losses that exceeds $100 billion, and in such case insured losses up to that amount are subject to pro rata allocation in accordance with procedures established by the Secretary of the Treasury.
Includes copyrighted material of Insurance Services Office, Inc., with its permission

IL 88 02 (Ed. 11/85)
GENERAL ENDORSEMENT
VOLUNTARY SHUTDOWN ENDORSEMENT
It is understood and agreed that the following changes are made to the Policy:
SECTION III. DEFINITIONS is amended as follows:
F. Business Interruption Loss is deleted in its entirety and replaced with the following:
Business Interruption Loss means Income Loss and Extra Expense incurred by the Insured Organization, during the Period of Recovery or Extended Business Interruption Loss Period which exceeds the Waiting Period and resulting from the actual and measurable interruption, suspension, or Voluntary Shutdown of the Computer System that arises out of a Network Security Incident or System Failure Incident.
I. Contingent Business Interruption Loss is deleted in its entirety and replaced with the following:
Contingent Business Interruption Loss means Income Loss and Extra Expense incurred by the Insured Organization, during the Period of Recovery or Extended Business Interruption Loss Period, which exceeds the Waiting Period and resulting from the actual and measurable interruption, suspension, or Voluntary Shutdown of a Third Party Network that arises out of a Network Security Incident or System Failure Incident. Contingent Business Interruption Loss is subject to a sublimit as indicated on the CY 0027, SCHEDULE OF PARTICIPATING MEMBERS.
The following definition is added:
Voluntary Shutdown means an intentional suspension of the Computer System or Third Party Network, but only to the extent that such intentional suspension serves to mitigate, reduce or avoid Business Interruption Loss or Contingent Business Interruption Loss.
All other terms and conditions of this Policy remain unchanged.

GENERAL ENDORSEMENT
AMENDMENT TO DEFINITION OF PERIOD OF RECOVERY
It is understood and agreed that SECTION III. DEFINITIONS PP. Period of Recovery of the Policy is deleted and replaced with the following:
PP. Period of Recovery begins at the time of interruption or suspension of the Computer System and ends when the Computer System is restored, or in the exercise of due diligence and dispatch could have been restored, to the same functionality and level of service that existed prior to the interruption or suspension. In no event will the Period of Recovery exceed one hundred eighty (180) days.
All other terms and conditions of this Policy remain unchanged.

CY 6005 02 24
DECLARATIONS FOR RISK E-BUSINESS CYBER LOSS AND LIABILITY INSURANCE POLICY
Insurance is afforded by the company indicated below: (Each a capital stock corporation)
Great American Fidelity Insurance Company
Policy Number: CYP E859556-03
Policy Form Number: CY 4004 (Ed.10/23)
Renewal Of: CYP E859556-02
Item 1. Named Insured: California Joint Powers Insurance Authority
Mailing Address: 8081 Moody St LA PALMA, CA 90623
Item 2. Policy Period: Inception Date: 7/1/2025 (Month, Day, Year) Expiration Date: 7/1/2026 (Month, Day, Year)
(Both dates at 12:01 a.m. Standard Time at the address as stated in Item 1.)
Item 3. Limit(s) of Insurance for each Policy Period:
(a) Refer to Schedule Per Member Aggregate Limit
(b) $10,000,000 Risk Pool Policy Aggregate Limit
Item 4. Retention: Refer to Schedule
Item 5. Waiting Period: 12 hours applicable to Business Interruption Loss or Contingent Business Interruption Loss
Item 6. Premium: $600,000
Item 7. Endorsements Attached:

| Form and Edition | ST | Date Added* or Date Deleted | Form Description |
|---|---|---|---|
| 0009-CBR 01/19 | CA | | CYBER RISK DIVISION - CLAIMS |
| 0002-CBR 01/19 | CA | | ERISK HUB INFORMATION FOR POLICYHOLDERS |
| 0036-CBR 01/23 | CA | | CYBER LOSS CONTROL |
| CWSN 04/23 | CA | | SURPLUS LINES DISCLOSURES |
| SDM705 11/08 | CA | | IMPORTANT INFORMATION TO POLICYHOLDERS CALIFORNIA TO OBTAIN INFORMATION OR TO MAKE A COMPLAINT |
| IL7268 09/09 | CA | | IN WITNESS CLAUSE |
| IL7324 07/21 | CA | | GLOBAL SANCTION ENDORSEMENT |
| IL7368 01/20 | CA | | DISCLOSURE PURSUANT TO TERRORISM RISK INSURANCE ACT |
| IL8802 11/85 | CA | | GENERAL ENDORSEMENT-2 instances of form exists |
| CY6005 02/24 | CA | | DECLARATIONS FOR RISK E-BUSINESS CYBER LOSS AND LIABILITY INSURANCE POLICY |
| CY0027 02/24 | CA | | SCHEDULE OF PARTICIPATING MEMBERS |
| CY4004 10/23 | CA | | RISK E-BUSINESS CYBER LOSS & LIABILITY INSURANCE POLICY |
| CY0002 01/19 | CA | | SERVICE OF PROCESS ENDORSEMENT CALIFORNIA |
| CY0024 11/23 | CA | | BROKERAGE INFORMATION |
| CY0025 02/24 | CA | | AMENDMENT TO SECTION III. DEFINITIONS - PUBLIC ENTITY RISK POOLS |
| CY0026 02/24 | CA | | AMENDMENT TO SECTION V. GENERAL TERMS AND CONDITIONS - PUBLIC ENTITY RISK POOLS |
| CY0029 09/24 | CA | | AMENDMENT TO DEFINITION OF COMPUTER SYSTEM (EMPLOYEE OWNED DEVICES) |
| CY0030 09/24 | CA | | AMENDMENT TO DEFINITION OF INSURED (INDEPENDENT CONTRACTORS) |
| CY1102 10/24 | CA | | AMENDMENT TO DEFINITION OF THIRD PARTY NETWORK TO INCLUDE NON-IT SERVICE PROVIDER ENDORSEMENT |
| CY2014 04/23 | CA | | DELETION OF COVERAGE FOR CYBER CRIME LOSS |
| CY7001 01/19 | CA | | TERRORISM COVERAGE ENDORSEMENT CAP ON LOSS FROM CERTIFIED ACTS |

Item 8. Notice to Insurer pursuant to SECTION V. GENERAL TERMS AND CONDITIONS C. Notice of this Policy shall be emailed to: CyberClaim@gaig.com or directed to: 877-209-2009.
Additional information related to a previously reported Claim or Notice of Circumstances can be mailed to:
Cyber Risk Division
ATTN: Cyber Risk Division
301 E.
Fourth St., 19th Floor
Cincinnati OH 45202

These Declarations along with the completed and signed Application and Policy Form shall constitute the entire contract between the Insured and the Insurer.
THIS IS A CLAIMS MADE POLICY. PLEASE READ IT CAREFULLY.

CY 0027 02 24
SCHEDULE OF PARTICIPATING MEMBERS
It is hereby understood and agreed that this schedule governs the applicable Per Member Aggregate Limit, Retention and the respective sublimit (if applicable) for each Member on this Policy.

| Member | Member Address | Per Member Aggregate Limit | Retention | Contingent Business Interruption Loss sublimit | Cyber Crime Loss sublimit | Ransomware Event sublimit |
|---|---|---|---|---|---|---|
| Agoura Hills and Calabasas Community Center | 27040 Malibu Hills Road, CALABASAS, CA 91301 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Area E Disaster Management | 13700 La Mirada Blvd, LA MIRADA, CA 90638 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Big Bear City Community Services District | PO BOX 558, BIG BEAR CITY, CA 92314 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Big Bear Fire Authority | PO Box 2830, BIG BEAR LAKE, CA 92315 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Black Gold Cooperative Library System | 580 Camino Mercado, ARROYO GRANDE, CA 93420 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| California JPIA | 8081 Moody Street, LA PALMA, CA 90623 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Agoura Hills | 30001 Ladyface Ct, AGOURA HILLS, CA 91301 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Alhambra | 111 S 1st St, ALHAMBRA, CA 91801 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Aliso Viejo | 12 Journey, ALISO VIEJO, CA 92656 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Arroyo Grande | 300 E Branch Street, ARROYO GRANDE, CA 93420 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Artesia | 18747 Clarkdale Ave., ARTESIA, CA 90716 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Atascadero | 6500 Palma Avenue, ATASCADERO, CA 93422 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Azusa | 213 E. Foothill Blvd., AZUSA, CA 91702 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Bell Gardens | 7100 Garfield Avenue, BELL GARDENS, CA 90201 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Bellflower | 16600 Civic Center Drive, BELLFLOWER, CA 90706 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Big Bear Lake | PO Box 10000, BIG BEAR LAKE, CA 92315 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Bishop | 377 W. Line St., BISHOP, CA 93514 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Bradbury | 600 Winston Avenue, BRADBURY, CA 91008 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Brawley | 383 Main St, BRAWLEY, CA 92227 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Buellton | P.O. Box 1819, BUELLTON, CA 93427 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Calabasas | 100 Civic Center Way, CALABASAS, CA 91302 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Camarillo | PO Box 248, CAMARILLO, CA 93010 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Carpinteria | 5775 Carpinteria Avenue, CARPINTERIA, CA 93013 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Cerritos | 18125 Bloomfield Ave, CERRITOS, CA 90703 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Chino Hills | 14000 City Center Drive, CHINO HILLS, CA 91709 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Claremont | P.O. Box 880, CLAREMONT, CA 91711 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Commerce | 2535 Commerce Way, COMMERCE, CA 90040 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Dana Point | 33282 Golden Lantern, Suite 203, DANA POINT, CA 92629 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Diamond Bar | 21810 COPLEY DR, DIAMOND BAR, CA 91765 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Duarte | 1600 Huntington Dr, DUARTE, CA 91010 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of El Centro | 1275 W Main St, EL CENTRO, CA | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Fillmore | 250 Central Avenue, FILLMORE, CA 93015 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Fountain Valley | 10200 Slater Avenue, FOUNTAIN VALLEY, CA 92708 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Goleta | 130 Cremona Drive, Suite B, GOLETA, CA 93117 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Grand Terrace | 22795 Barton Road, GRAND TERRACE, CA 93117 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Grover Beach | 154 S. 8th St, GROVER BEACH, CA 93433 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Guadalupe | 918 Obispo Street, GUADALUPE, CA 93434 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Hawaiian Gardens | 21815 Pioneer Blvd, HAWAIIAN GARDENS, CA 90716 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Hermosa Beach | 1315 Valley Drive, HERMOSA BEACH, CA 90254 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Hidden Hills | 6165 Spring Valley Rd., HIDDEN HILLS, CA 91302 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Imperial | 420 South Imperial Avenue, IMPERIAL, CA 92251 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Indian Wells | 44950 Eldorado Drive, INDIAN WELLS, CA 92210 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Indio | 100 Civic Center Mall, INDIO, CA 92201 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Irwindale | 5050 N Irwindale Ave, IRWINDALE, CA 91706 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of La Canada Flintridge | One Civic Center Drive, LA CANADA FLINTRIDGE, CA 91011 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of La Habra Heights | 1245 N. Hacienda Road, LA HABRA HEIGHTS, CA 90631 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of La Mirada | 13700 La Mirada Blvd, LA MIRADA, CA 90638 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of La Palma | 7822 Walker Street, LA PALMA, CA 90623 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of La Puente | 15900 E. Main Street, LA PUENTE, CA 91744 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of La Quinta | 78495 Calle Tampico, LA QUINTA, CA 92253 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of La Verne | 3660 D street, LA VERNE, CA 91750 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Laguna Hills | 24035 El Toro Road, LAGUNA HILLS, CA 92653 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Laguna Niguel | 30111 Crown Valley Parkway, LAGUNA NIGUEL, CA 92677 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Laguna Woods | 24264 El Toro Road, LAGUNA WOODS, CA 92637 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Lake Elsinore | 130 S. Main Street, LAKE ELSINORE, CA 92530 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Lake Forest | 100 Civic Center Drive, LAKE FOREST, CA 92630 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Lakewood | 5050 Clark Avenue, LAKEWOOD, CA 90712 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Lawndale | 14717 Burin Ave, LAWNDALE, CA 90260 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Lemon Grove | 3232 Main Street, LEMON GROVE, CA 91945 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Loma Linda | 25541 Barton Rd., LOMA LINDA, CA 92354 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Lomita | 24300 Narbonne Ave, LOMITA, CA 90717 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Malibu | 23825 Stuart Ranch Rd, MALIBU, CA 90265 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Mission Viejo | 200 Civic Center, MISSION VIEJO, CA 92691 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Monrovia | 415 South Ivy Avenue, MONROVIA, CA 91016 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Moorpark | 799 Moorpark Ave., MOORPARK, CA 93021 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Morro Bay | 595 Harbor Street, MORRO BAY, CA 93442 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Needles | 817 Third St, NEEDLES, CA 92363 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Norwalk | 12700 NORWALK BLVD, NORWALK, CA 90650 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Ojai | 401 S Ventura St, OJAI, CA 93023 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Pacific Grove | 300 Forest Avenue, PACIFIC GROVE, CA 93950 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Palm Desert | 73510 Fred Waring Drive, PALM DESERT, CA 92260 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Palos Verdes Estates | 340 Palos Verdes Dr. W, PALOS VERDES ESTATES, CA 90274 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Paramount | 16400 Colorado Avenue, PARAMOUNT, CA 90723 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Paso Robles | 1000 Spring Street, PASO ROBLES, CA 93446 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Pismo Beach | 760 Mattie Road, PISMO BEACH, CA 93449 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Port Hueneme | 250 N. Ventura Rd, PORT HUENEME, CA 93041 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Poway | 13325 Civic Center Drive, POWAY, CA 92064 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Rancho Palos Verdes | 30940 Hawthorne Blvd., RANCHO PALOS VERDES, CA 90275 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Rolling Hills | 2 Portuguese Bend Road, ROLLING HILLS, CA 90274 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Rolling Hills Estates | 4045 Palos Verdes Dr N, ROLLING HILLS ESTATES, CA 90274 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Rosemead | 8838 E. Valley Blvd, ROSEMEAD, CA 91770 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of San Clemente | 910 Calle Negocio, SAN CLEMENTE, CA 92673 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of San Dimas | 245 East Bonita Avenue, SAN DIMAS, CA 91773 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of San Gabriel | 425 S. Mission Drive, SAN GABRIEL, CA 91776 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of San Juan Capistrano | 32400 Paseo Adelanto, SAN JUAN CAPISTRANO, CA 92675 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of San Luis Obispo | 990 Palm Street, SAN LUIS OBISPO, CA 93401 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of San Marcos | 1 Civic Center Drive, SAN MARCOS, CA 92069 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of San Marino | 2200 Huntington Drive, SAN MARINO, CA 91108 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Santa Clarita | 23920 Valencia Blvd., Suite 120, VALENCIA, CA 91355 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Santa Fe Springs | 11710 Telegraph Road, SANTA FE SPRINGS, CA 90670 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Santa Paula | PO Box 569, SANTA PAULA, CA 93060 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Seal Beach | 211 Eighth Street, SEAL BEACH, CA 90740 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Seaside | 440 Harcourt Ave, SEASIDE, CA 93955 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Signal Hill | 2075 Cherry Ave, SIGNAL HILL, CA 90755 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Solvang | 1644 Oak Street, SOLVANG, CA 93463 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of South El Monte | 1415 Santa Anita Avenue, SOUTH EL MONTE, CA 91733 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Stanton | 7800 Katella Ave., STANTON, CA 90680 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Temple City | 9701 Las Tunas Dr., TEMPLE CITY, CA 91780 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Villa Park | 17855 Santiago Blvd., CITY OF VILLA PARK, CA 92861 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Vista | 200 Civic Center Drive, VISTA, CA 92084 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Walnut | 21201 La Puente Road, WALNUT, CA 91789 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of West Covina | 1444 S Garvey, WEST COVINA, CA 91790 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of West Hollywood | 8300 Santa Monica Blvd., WEST HOLLYWOOD, CA 90069 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| City of Westlake Village | 31200 Oak Crest Drive, WESTLAKE VILLAGE, CA 91361 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Coachella Valley Association of Governments | 73710 Fred Waring Dr., PALM DESERT, CA 92260 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Coachella Valley Conservation Commission | 74 El Paseo, Suite 100, PALM DESERT, CA 92260 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Coastal Animal Services Authority | 221 Avenida Fabricante, SAN CLEMENTE, CA 92672 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Desert Recreation District | 45-305 Oasis Street, INDIO, CA 92201 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Eastern Sierra Transportation Authority | 565 Airport Rd, BISHOP, CA 93514 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Foothills Transit | 100 S. Vincent Ave, WEST COVINA, CA 91790 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Gateway Cities Council of Governments | 16401 Paramount Boulevard, PARAMOUNT, CA 90723 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| LA IMPACT | 5700 S. Eastern Ave., COMMERCE, CA 91101 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| LA-RICS | 2525 Corporate Place, Suite 100, MONTEREY PARK, CA 91754 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Midpeninsula Regional Open Space District | 330 Distel Circle, LOS ALTOS, CA 94022 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Monterey Peninsula Regional Park District | PO Box 223340, CARMEL, CA 93923 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Mountain Area Regional Transit Authority | PO Box 1501, BIG BEAR CITY, CA 92315 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Orange County Council of Governments | 3972 Barranca Pkwy., Ste J127, IRVINE, CA 92606 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Palos Verdes Peninsula Transit Authority | 38 Crest Road West, ROLLING HILLS, CA 90274 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Pomona Valley Transportation Authority | 2120 Foothill Blvd. #116, LA VERNE, CA 91750 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Rossmoor Community Services District | 3001 Blume Drive, ROSSMOOR, CA 90720 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Seaside County Sanitation District | 440 Harcourt Ave, SEASIDE, CA 93955 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Southeast Area Animal Control Authority | 9777 Seaaca Street, DOWNEY, CA 90241 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Southern California Association of Governments | 900 Wilshire Blvd. Ste 1700, LOS ANGELES, CA 95814 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Town of Apple Valley | 14955 Dale Evans Pkwy, APPLE VALLEY, CA 92307 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Town of Mammoth Lakes | PO Box 1609, MAMMOTH LAKES, CA 93546 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| Ventura Port District | 1603 Anchors Way Drive, VENTURA, CA 93001 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |
| West Cities Police Communications Center | 911 Seal Beach Blvd, SEAL BEACH, CA 90740 | $2,000,000 | $500,000 | $500,000 | no coverage provided | $2,000,000 |

It is further understood and agreed that:
1. In the event any Member's scheduled sublimit is listed as, "no coverage provided", all reference to the respective coverage and related definitions are hereby deleted from this Policy, solely with respect to that specific Member.
2. The Retention identified above applies to each Privacy Incident, Network Security Incident, System Failure Incident, Cyber Crime Incident or Media Incident.
All other terms and conditions of this Policy remain unchanged.

CY 4004 (Ed. 10/23)
RISK E-BUSINESS CYBER LOSS & LIABILITY INSURANCE POLICY
TABLE OF CONTENTS
SECTION I. — INSURING AGREEMENTS
SECTION II. — SUPPLEMENTAL COVERAGE
SECTION III. — DEFINITIONS
SECTION IV. — EXCLUSIONS
SECTION V. — GENERAL TERMS AND CONDITIONS
A. Limit of Insurance and Retention
B. Defense and Settlement
C. Notice
D. Cooperation and Non-Disclosure
E. Funds Transfer Verification of Authenticity
F. Proof of Loss
G. Extended Reporting Period
H. Cancellation and Non-Renewal
I. Spouses, Domestic Partners, Estates and Legal Representatives
J. Application, Representations and Severability
K. Subrogation
L. Other Insurance
M. Territory
N. Currency
O. Material Change
P. Assignment
Q. Conformity to Law
R. Legal Action Against the Insurer and Bankruptcy
S. Representative of any Insured
T. Entire Agreement

NOTICE OF IMPORTANT PROVISIONS
The forms and endorsements listed on the FORMS AND ENDORSEMENT SCHEDULE attached to this policy are important provisions and modify coverages or conditions under this Policy. PLEASE READ THEM CAREFULLY.
Great American Insurance Group

RISK E-BUSINESS CYBER LOSS & LIABILITY INSURANCE POLICY
THIS POLICY PROVIDES BOTH LOSS EXPENSE COVERAGE FOR INCIDENTS DISCOVERED AND LIABILITY EXPENSE COVERAGE FOR CLAIMS MADE DURING THE POLICY PERIOD. ANY SUCH INCIDENTS OR CLAIMS MUST ALSO BE REPORTED IN WRITING TO THE INSURER DURING THE POLICY PERIOD AND IN ACCORDANCE WITH ALL OTHER TERMS AND CONDITIONS OF THIS POLICY. DEFENSE EXPENSES ARE PAYABLE WITHIN, AND NOT IN ADDITION TO, THE LIMIT OF INSURANCE. PLEASE READ THE ENTIRE POLICY CAREFULLY.
In consideration of the payment of premium and in reliance upon all statements made and information furnished to the Insurer, including the statements made in the Application, and subject to all terms, conditions and limitations in this Policy, the Insured and Insurer agree as follows:

SECTION I. INSURING AGREEMENTS
A. LOSS EXPENSE COVERAGE
The Insurer will pay on behalf of the Insured all Loss Expense directly resulting from a Privacy Incident, Network Security Incident, System Failure Incident or Cyber Crime Incident, first discovered by any Insured during the Policy Period, and reported to the Insurer pursuant to SECTION V. GENERAL TERMS AND CONDITIONS, C., Notice.
B.
LIABILITY EXPENSE COVERAGE

The Insurer will pay on behalf of the Insured all Liability Expense for a Claim first made against any Insured and reported to the Insurer during the Policy Period or Extended Reporting Period (if applicable) directly resulting from a Privacy Incident, Network Security Incident, or Media Incident, first discovered by any Insured during the Policy Period and reported to the Insurer pursuant to SECTION V. GENERAL TERMS AND CONDITIONS, C., Notice.

SECTION II. SUPPLEMENTAL COVERAGE

A. BETTERMENT EXPENSE

If the Insured Organization is required to create or improve internal policies or practices as part of PCI Costs or Regulatory Costs, then the Insurer will pay on behalf of the Insured Organization the reasonable and necessary costs incurred by the Insured Organization, with the Insurer's prior consent and which consent will not be unreasonably withheld, to create or improve the Insured Organization's internal policies or practices. Such costs must be incurred as a direct result of a Privacy Incident or Network Security Incident. Betterment Expense is subject to a maximum limit of $25,000 which is part of the policy aggregate limit as indicated in the Declarations.

B. REWARD EXPENSE

The Insurer will pay on behalf of the Insured Organization reward money offered for information that leads to the arrest and conviction of person(s) responsible for making a covered Extortion Threat. Such coverage does not apply to any reward money offered or paid to any Insured(s); to external auditors or investigators working under contract with the Insured Organization; to law enforcement; or in connection with an Extortion Threat made by any entity that is directly or indirectly controlled, operated, or managed by the Insured Organization or with whom the Insured Organization has entered into any agreement. Reward Expense is subject to a maximum limit of $25,000 which is part of the policy aggregate limit as indicated in the Declarations.

C. ATTENDANCE EXPENSE — HEARINGS AND TRIALS

The Insurer will pay, subject to the Insurer's prior consent, and which consent will not be unreasonably withheld, the salaries, wages, and other expenses required for a past, present or future director, officer, board member, trustee, owner, partner, principal, manager, employee (including full time, part time, temporary, leased, and seasonal) or volunteer of the Insured Organization to attend, at the Insurer's request, any consultation with defense counsel, mediation, arbitration, hearing, depositions, or trial in connection with the investigation and defense of a Claim. Attendance Expense -- Hearings and Trials is subject to a maximum limit of $25,000 which is part of the policy aggregate limit as indicated in the Declarations.

SECTION III. DEFINITIONS

A. Application means the application accepted for the issuance of this Policy by the Insurer, including any and all materials and information submitted to the Insurer in connection with such application.

B. Botnet Attack means the unauthorized use of any Insured's Computer System by a third party solely for the purpose of launching a denial of service attack upon another third party.

C. Bricking Costs means the necessary costs incurred by the Insured Organization, with the Insurer's prior written consent, such consent will not be unreasonably withheld, to replace physical, tangible components of the Computer System which have been impaired and cannot function as intended directly caused by a Network Security Incident. Provided however, the Insurer, at its sole discretion, has determined such replacement is: (1) more practical and cost effective than to repair or restore such affected components of the Computer System or (2) such affected components of the Computer System are permanently unstable or vulnerable to another Network Security Incident. Bricking Costs does not include Restoration.

D.
Business Impersonation means fraudulent communications from a third party (including communications transmitted by website, email, or phone call) designed to impersonate the Insured Organization or any Insured, with the goal of deceiving any individual, or any vendor or supplier of the Insured Organization, into sharing credentials or Protected Information with such third party.

E. Business Impersonation Costs means costs to inform potentially impacted individuals, vendors, or suppliers of a Business Impersonation.

F. Business Interruption Loss means Income Loss and Extra Expense incurred by the Insured Organization, during the Period of Recovery or Extended Business Interruption Loss Period which exceeds the Waiting Period and resulting from the actual and measurable interruption or suspension of the Computer System that arises out of a Network Security Incident or System Failure Incident.

G. Claim means any: (1) written demand for money or non-monetary relief, written demand for arbitration or written request to toll or waive a statute of limitations received by any Insured; (2) civil proceeding in a court of law or equity, including any appeal therefrom, which is commenced by the filing of a complaint, motion for judgment or similar pleading against any Insured; (3) administrative or regulatory investigation, inquiry, proceeding, prosecution or governmental action against any Insured solely with respect to a Privacy Incident; or (4) written notice received by any Insured for PCI Costs from a third party, with whom the Insured Organization has entered into a Payment Card Services Agreement, as a result of actual or alleged non-compliance with the PCI DSS.

H.
Computer System means (1) computer hardware, software, firmware and associated input and output devices; (2) wireless devices, voice based telecommunication systems; (3) operating systems and associated input, output, processing, data storage, and mobile devices; (4) networks, networking equipment, application software, storage area networks; (5) other electronic data storage or backup facilities and peripheral communication equipment and systems; which are leased, owned or operated by the Insured Organization in support of its business operations.

I. Contingent Business Interruption Loss means Income Loss and Extra Expense incurred by the Insured Organization during the Period of Recovery or Extended Business Interruption Loss Period, which exceeds the Waiting Period and resulting from the actual and measurable interruption or suspension of a Third Party Network that arises out of a Network Security Incident or System Failure Incident. Contingent Business Interruption Loss is subject to a policy aggregate limit as indicated in Item 3(a.1.) of the Declarations.

J. Control Group means: (1) the Owner, (2) President, (3) Chief Executive Officer, (4) Chief Operating Officer, (5) Chief Financial Officer, (6) Chief Information Officer, (7) Chief Technology Officer, (8) Chief Security Officer, (9) Chief Privacy Officer, (10) General Counsel, (11) Partner, (12) Director of Risk Management or any individual in a position functionally equivalent to any of the aforementioned positions.

K. Crisis Management means public relations or crisis communication services for the purpose of protecting or restoring the reputation of, or mitigating financial harm to, any Insured.

L. Cyber Crime Incident means: (1) Telecommunications Hack, (2) Social Engineering Attack, (3) Botnet Attack, (4) Cryptojacking Attack, or (5) Invoice Manipulation.

M.
Cyber Crime Loss means: (1) charges incurred by the Insured Organization from its telecommunications provider directly resulting from a Telecommunications Hack, a Botnet Attack or Cryptojacking Attack; (2) loss of funds directly resulting from a Social Engineering Attack; or (3) accounts receivable for which the Insured Organization is unable to collect payment directly resulting from an Invoice Manipulation. Cyber Crime Loss due to Invoice Manipulation is limited to the Insured Organization's variable input costs associated with the provision of its products or services, and therefore does not include any gross profit margin associated with such products or services. Cyber Crime Loss does not include any amounts reimbursed or reversed by a financial institution and is subject to a policy aggregate limit as indicated in Item 3(a.2.) of the Declarations.

N. Cryptojacking Attack means the unauthorized use of or access to the Computer System by a third party solely to mine for digital currency, including cryptocurrency.

O. Defense Expenses means reasonable and necessary legal fees and expenses incurred on behalf of any Insured for the investigation or defense of a Claim.

P. Extortion Costs means: (1) reasonable and necessary expenses to investigate the cause of an Extortion Threat and to discover if a Privacy Incident has occurred; or (2) payment amounts, including the actual costs to execute such payment amounts (whether in digital currency or traditional currency) in response to an Extortion Threat.

Q. Extortion Threat means a credible threat to cause a Privacy Incident or Network Security Incident and includes a Ransomware Event.

R. Extended Business Interruption Loss Period means the period of ninety (90) days following expiration of the Period of Recovery during which the Insured Organization incurs Reputational Harm Loss.

S.
Extra Expense means the reasonable and necessary costs incurred by the Insured Organization, with the Insurer's consent, and which consent will not be unreasonably withheld, in excess of its normal operating expenses to reduce or avoid Income Loss. Extra Expense does not include: (1) Restoration; (2) Bricking Costs; (3) costs to identify or remove software program errors, or to establish, implement or improve network or data security practices, policies or procedures, other than coverage provided in SECTION II, SUPPLEMENTAL COVERAGE, A., Betterment Expense; (4) costs or expenses that exceed the amount of Income Loss that is thereby reduced or avoided; or (5) consequential damages or penalties of any nature, however denominated, arising by contract.

T. Forensics means investigation and analysis of the Computer System to determine the cause and scope of a Privacy Incident or a Network Security Incident. Forensics does not include Incident Response.

U. Identity Monitoring Services means credit monitoring, identity monitoring or identity restoration services for a period of up to two years (or more if required by law) for individuals whose Protected Information was or may have been impacted as a direct result of a Privacy Incident.

V. Incident Response means the costs and expenses charged by any law firm designated by the Insurer to coordinate the investigation and response efforts following a Privacy Incident or a Network Security Incident.

W. Income Loss means the Insured Organization's net profit before income taxes that the Insured Organization would have earned, or the net loss before income taxes that the Insured Organization is unable to avoid, in addition to operating costs that necessarily continue (including payroll) during the Period of Recovery.

X.
Insured means the Insured Organization as well as any past, present or future directors, officers, board members, trustees, owners, partners, principals, managers, employees (including full time, part time, temporary, leased, and seasonal) and volunteers but only for acts performed within the scope of their duties on behalf of the Insured Organization.

Y. Insured Organization means the Named Insured and any Subsidiary of the Named Insured.

Z. Insurer means the entity issuing the Policy listed on the Declarations.

AA. Interrelated Incident means any Privacy Incident, Network Security Incident, Cyber Crime Incident, Media Incident or Systems Failure Incident that have a common nexus of any: (1) fact, circumstance, situation, event, transaction or cause; or (2) series of causally connected facts, circumstances, situations, events, transactions or causes.

BB. Invoice Manipulation means the release or distribution of any fraudulent payment instructions or fraudulent invoice to a third party as a direct result of a Network Security Incident.

CC. Liability Expense means: (1) Defense Expenses; (2) monetary damages any Insured becomes legally obligated to pay including pre-judgment interest, post-judgment interest, judgments, or settlements; (3) punitive, exemplary, or multiplied damages but only to the extent such damages are insurable under the applicable law most favorable to the insurability of such damages; (4) Regulatory Costs; or (5) PCI Costs.
Liability Expense does not include: (1) Loss Expense; (2) taxes, the return or repayment of fees, deposits, commissions, royalties, future profits or charges for goods or services; (3) the costs incurred in the recall, re-performance or correction of services, content, goods or activities; costs to comply with injunctive or other non-monetary relief, including specific performance or any agreement to provide such relief; (4) liquidated damages pursuant to a contract, to the extent such amount exceeds the amount for which the Insured Organization would have been liable in the absence of such contract; or (5) matters which are uninsurable pursuant to the law applicable to the Policy.

DD. Loss Expense means the reasonable and necessary costs charged by third party service providers and incurred by the Insured Organization with the Insurer's consent, and which consent will not be unreasonably withheld, for Bricking Costs, Business Impersonation Costs, Crisis Management, Extortion Costs, Forensics, Identity Monitoring Services, Incident Response, Notification or Restoration. Loss Expense also means reimbursement of Business Interruption Loss, Contingent Business Interruption Loss or Cyber Crime Loss. Loss Expense does not include Liability Expense.

EE. Malicious Cyber Incident means the intentional (1) unauthorized access to or use of the Computer System or Third Party Network; (2) alteration, corruption, damage, manipulation, misappropriation, theft, deletion or destruction of the Computer System or Third Party Network, or data stored in either of them; (3) creation, transmission, or introduction of a computer virus or harmful code directed against the Computer System or Third Party Network; or (4) restriction or inhibition of access, including denial of service attacks, upon or directed against the Computer System or Third Party Network.

FF.
Malicious Cyber Operation means the intentional use of computer hardware, software, firmware and associated input and output devices, by a sovereign state or an organization designated as a Specially Designated Global Terrorist under the U.S. Department of the Treasury Specially Designated Nationals List, to disrupt, deny, degrade, manipulate, or destroy another's information.

GG. Media Content means any data, text, sounds, images, graphics, music, photographs, or advertisements, and includes video, streaming content, webcasts, podcasts, blogs, online forums, and chat rooms. However, Media Content does not include computer software, software technology, or the actual goods, products, or services described, illustrated, or displayed in such Media Content.

HH. Media Incident means any actual or alleged: (1) Defamation, slander, libel, or product disparagement of a person, organization or product; provided, that the Claim is made by the person or organization that claims to have been defamed, slandered or libeled, or by a person or organization that claims that his, her or its products have been disparaged; (2) Misappropriation of a person's name or likeness; publicity that places a person in a false light; or the public disclosure of private facts about a person; (3) Infringement of slogan, trademark, trade name, trade dress, service mark or service name; (4) Copyright infringement, plagiarism, passing off, piracy, or other misappropriation of intellectual property rights; or (5) Improper deep linking or framing; directly resulting from publication of Media Content on the Insured Organization's website, in its printed material, or posted by or on behalf of, and authorized by, the Insured Organization on any social media site.

II. Named Insured means the organization stated in Item 1 of the Declarations.

JJ.
Negative Publicity means adverse media coverage which follows a Privacy Incident, Network Security Incident, System Failure Incident or Cyber Crime Incident. Negative Publicity does not include substitute notice of a Privacy Incident.

KK. Network Security Incident means: (1) unauthorized access to or use of the Computer System; (2) denial of service attack upon or directed at the Computer System; or (3) malicious code or computer virus created or transmitted by or introduced into the Computer System. Solely with respect to Business Interruption Loss, Contingent Business Interruption Loss and Restoration, Network Security Incident also means: (1) unauthorized access to or use of a Third Party Network; (2) denial of service attack upon or directed at a Third Party Network; or (3) malicious code or computer virus created or introduced into a Third Party Network.

LL. Notification means sending notice and providing call center services for individuals whose Protected Information was or may have been impacted as a direct result of a Privacy Incident.

MM. Payment Card Services Agreement means a written agreement between the Insured Organization and a financial institution, a payment card company or payment card processor which enables the Insured Organization to accept credit, debit, prepaid or other payment cards as donations accepted by the Insured Organization or as payment for goods or services provided by the Insured Organization.

NN. PCI Costs means amounts the Insured Organization is legally obligated to pay under a Payment Card Services Agreement including: (1) monetary assessments; (2) fines; (3) penalties; (4) chargebacks; (5) reimbursements; (6) fraud recoveries; (7) forensic investigation costs; or (8) costs or expenses incurred in connection with a PCI DSS compliance audit.
PCI Costs does not include any amount levied against the Insured Organization for non-compliance with PCI DSS that continues after the Insured Organization has notice of such non-compliance.

OO. PCI DSS means the Payment Card Industry Data Security Standards now in effect or as amended.

PP. Period of Recovery begins at the time of interruption or suspension of the Computer System and ends when the Computer System is restored, or in the exercise of due diligence and dispatch could have been restored, to the same functionality and level of service that existed prior to the interruption or suspension. In no event will the Period of Recovery exceed ninety (90) days.

QQ. Policy Period means the period of time from the inception date of this Policy shown in the Declarations to the expiration date shown in the Declarations, or its earlier cancellation or termination date.

RR. Privacy Incident means failure to prevent unauthorized access, unauthorized use, unauthorized disclosure, theft, or misappropriation of Protected Information by: (1) any Insured; (2) a third party for whom the Insured Organization is legally responsible; or (3) a service provider under written contract with the Insured Organization to process, store, or maintain Protected Information on behalf of the Insured Organization. Privacy Incident also means the violation of the Insured Organization's privacy policy unintentionally committed by any Insured.

SS. Protected Information means: (1) any non-public personally identifiable information (including personal health information), whether in electronic form, paper or otherwise, as defined in any federal, state, local or foreign privacy protection law; and (2) any confidential or proprietary information of a third party provided to the Insured Organization and protected under a previously executed confidentiality agreement for which the Insured Organization is legally responsible to maintain in confidence.

TT.
Ransomware Event means a monetary demand made subsequent to a Network Security Incident or a Privacy Incident which, if satisfied, would terminate such Network Security Incident or Privacy Incident.

UU. Regulatory Costs means: (1) amounts paid to a consumer-redress fund; (2) fines; or (3) penalties imposed by a federal, state, local or foreign governmental entity in such entity's regulatory or official capacity due to a Privacy Incident.

VV. Reputational Harm Loss means Income Loss and Extra Expense incurred during the Extended Business Interruption Period due to Negative Publicity.

WW. Restoration means recovery of the Computer System and re-creation, re-collection or recovery of electronic data that is collected, transmitted, processed, stored, or backed up on the Computer System or Third Party Network, that is compromised as a direct result of a Network Security Incident. If such Computer System cannot be recovered or electronic data cannot be re-created, re-collected, or recovered, then Restoration is limited to the costs to make this determination. In no case will the Restoration extend beyond twelve (12) months from the start of efforts to recover the Computer System or re-create, re-collect or recover electronic data. Restoration does not include Bricking Costs.

XX. Social Engineering Attack means the manipulation or deception, by an unauthorized third party of a director, officer, board member, trustee, owner, partner, principal, manager, or employee of the Insured Organization, who is authorized to request or make payments on behalf of the Insured Organization. The manipulation or deception must be accomplished by the transmission of fraudulent communications by the unauthorized third party, and cause the director, officer, board member, trustee, owner, partner, principal, manager, or employee to transfer, pay or deliver the Insured Organization's money to an unintended third party recipient.

YY.
Subsidiary means any entity while the Named Insured: (1) owns more than 50% of such entity's outstanding voting securities, partnership or membership interests; (2) has the right to elect or appoint a majority of such entity's directors, officers, managers or trustees; or (3) has sole control over such entity's management structure pursuant to a written contract. Subsidiary also means any entity that is acquired by the Named Insured during the Policy Period and whose annual revenues or Protected Information record count do not exceed 15% of the Named Insured's.

ZZ. System Failure Incident means any actual and measurable unintentional, unplanned, or unexpected Computer System or Third Party Network disruption, damage or outage that arises from a cause other than: (1) a Network Security Incident; (2) loss of or damage to any physical equipment or property; or (3) planned or scheduled outage or maintenance of any Computer System or Third Party Network.

AAA. Telecommunications Hack means the infiltration and manipulation by a third party of the Insured Organization's telephone or fax system in connection with its normal business operations.

BBB. Third Party Network means computer hardware, software and networking equipment owned, leased or operated by a person or organization, other than the Insured Organization, and who is operating under contract with the Insured Organization to provide business-process outsourcing services or information technology services in support of the Insured Organization's business operations.

CCC. Waiting Period means the number of consecutive hours specified in Item 5. of the Declarations that immediately follows the interruption or suspension of the Computer System or a Third Party Network and will apply to each Period of Recovery.

SECTION IV.
EXCLUSIONS

The Insurer will not make any payment for any Loss Expense, Liability Expense, Betterment Expense, Reward Expense or Attendance Expense — Hearings and Trials Expense, arising out of:

A. Any actual or alleged dishonest, fraudulent, criminal, or malicious act, error or omission or willful violation of any statute or regulation by or with the knowledge of the Control Group of the Insured Organization; provided, however, that this exclusion does not apply to Defense Expenses until there is an admission, plea of no contest, a final non-appealable adjudication, binding arbitration, or judgment in a proceeding establishing such conduct.

B. Any failure or termination of: (1) any core element of the internet, telecommunications, or global positioning system infrastructure that results in a regional, countrywide or global outage of such infrastructure; (2) any suspension, cancellation, revocation or failure to renew any domain names or uniform resource locators; (3) any failure of power supply, utilities, or electrical or mechanical failure, unless such services are under the Insured Organization's direct control; or (4) any government shut down of systems or services.

C. Any bodily injury, sickness, disease, or death, and includes mental injury, mental anguish, mental tension, emotional distress, pain and suffering or shock resulting from bodily injury, sickness, disease or death to any person.

D. Any physical injury to or destruction of tangible property and includes any resulting loss of use of such tangible property, provided, however, this exclusion does not apply to Bricking Costs.

E. Any actual or alleged loss, transfer or theft of monies, cryptocurrency, securities, non-fungible tokens, or tangible properties; provided, however, this exclusion does not apply to an otherwise covered Cyber Crime Loss. The Insurer also has no obligation to make any payment for a Social Engineering Attack arising out of any failure of any Insured to comply with SECTION V.
GENERAL TERMS AND CONDITIONS, E., Funds Transfer Verification of Authenticity.

F. Any Liability Expense arising out of any actual or alleged violation of the Illinois Biometric Information Privacy Act ("BIPA") or any similar federal, state, local or foreign law. Nor will the Insurer make any payment for any Liability Expense arising out of a Claim alleging any Privacy Incident, Network Security Incident or Media Incident that is alleged in a Claim that also alleges any actual or alleged violation of the Illinois Biometric Information Privacy Act ("BIPA") or any similar local, state, federal or foreign law.

G. Any actual or alleged fire, smoke, explosion, lightning, wind, water, flood, earthquake, volcanic eruption, tidal wave, landslide, hail, act of God or any other physical event.

H. Any actual or alleged discharge, dispersal, release or escape of toxic chemicals, liquids or gases, waste materials, pollutants, or any other contaminants.

I. Any actual or alleged violation of the Securities Act of 1933, the Securities Exchange Act of 1934, the Investment Company Act of 1940, the Investment Advisors Act of 1940, the Organized Crime Control Act of 1970, the Employee Retirement Income Security Act of 1974, the Communications Decency Act of 1996 or any other similar local, state, federal, or foreign law including any amendments thereto or any rules or regulations promulgated in connection therewith, or any derivative suit.

J. Any actual or alleged infringement or violation of the following intellectual property rights: patent, trade secret, or software copyright. Nor will the Insurer make any payment for any Liability Expense arising out of a Claim alleging any Privacy Incident, Network Security Incident or Media Incident that is alleged in a Claim that also alleges infringement or violation of patent, trade secret or software copyright.

K.
Any actual or alleged remuneration, profit, or other advantage to which the Insured Organization is not legally entitled or any actual or alleged reduction in economic or market value of data.

L. Any actual or alleged unsolicited communication, false advertising, deceptive trade practice, restraint of trade, unfair competition or antitrust violation including violation of any local, state, federal, or foreign law governing the foregoing. Nor will the Insurer make any payment for any Liability Expense arising out of a Claim alleging any Privacy Incident, Network Security Incident or Media Incident that is alleged in a Claim that also alleges any actual or alleged unsolicited communication, false advertising, deceptive trade practice, restraint of trade, unfair competition, or antitrust violation, including violation of any local, state, federal, or foreign law governing the foregoing.

M. Any Claim arising out of discrimination of any kind; any employment practices; or any employment relationship, including wrongful termination, dismissal or discharge, or any discrimination, harassment, or breach of an employment contract. However, this exclusion will not apply to an otherwise covered Claim, arising out of any actual or alleged disclosure or theft of Protected Information arising out of a Network Security Incident or a Privacy Incident.

N. Any Liability Expense for a Claim brought or maintained by or on behalf of any Insured. Provided, however, this exclusion will not apply to an otherwise covered Claim, arising out of a Privacy Incident.

O.
Any: (1) Claim, Privacy Incident, Network Security Incident, Cyber Crime Incident, Media Incident, System Failure Incident, Interrelated Incident fact, circumstance, transaction or event which has been the subject of any written notice given under any other policy before the inception date of this Policy; (2) prior or pending litigation, regulatory or administrative proceeding or any Claim of which any member of the Control Group of the Insured Organization had knowledge or received notice prior to the inception date of this Policy or, if this Policy is a renewal of another policy issued by the Insurer, the first such insurance policy issued to the Named Insured by the Insurer and continuously renewed until the inception date of this Policy; or (3) any matter that prior to the inception date of this Policy, or if this Policy is a renewal of another policy issued by the Insurer, the first such insurance policy issued to the Named Insured by the Insurer and continuously renewed until the inception date of this Policy, any member of the Control Group of the Insured Organization knew or reasonably should have known could lead to a Claim, Loss Expense or Liability Expense. P. Any: (1) armed conflict, or the use of force by a sovereign state against another sovereign state (regardless of whether war is declared or not); (2) civil war, rebellion, revolution, or insurrection; (3) Malicious Cyber Operation; or (4) Malicious Cyber Incident committed in the course, furtherance or support of the events listed in (1), (2) or (3) above. SECTION V. GENERAL TERMS AND CONDITIONS A. Limit of Insurance and Retention The aggregate limit of insurance as indicated in Item 3(a) of the Declarations is the maximum the Insurer is obligated to pay for all Loss Expense covered by the Policy. The aggregate limit of insurance as indicated in Item 3(b) of the Declarations is the maximum the Insurer is obligated to pay for all Liability Expense covered by the Policy. 
The aggregate policy limit as indicated in Item 3(c) of the Declarations is the maximum the Insurer is obligated to pay under the Policy for all Loss Expense, Liability Expense and SUPPLEMENTAL COVERAGE combined.

The Insurer has no obligation to pay any Loss Expense, Liability Expense or SUPPLEMENTAL COVERAGE until the applicable Retention as indicated in Item 4 of the Declarations has been satisfied.

B. Defense and Settlement

The Insurer has the right and duty to defend, and the right to select counsel to defend any Insured against any Claim, even if the allegations of the Claim are groundless, false, or fraudulent. The Insurer's duty to defend will cease upon the exhaustion of the Liability Expense aggregate limit of liability as indicated in Item 3(b) of the Declarations.

The Insured Organization agrees not to make any payment, participate in any settlement, admit liability, assume obligation, or incur any Loss Expense or Liability Expense without the prior written consent of the Insurer, which consent will not be unreasonably withheld.

C. Notice

1. Notice to Insurer

As a condition precedent to coverage under this Policy, the Insured must provide written notice to the Insurer of any Privacy Incident, Network Security Incident, System Failure Incident or Cyber Crime Incident as soon as possible after any Insured is made aware of such Privacy Incident, Network Security Incident, System Failure Incident or Cyber Crime Incident but in no event more than sixty (60) days after the Privacy Incident, Network Security Incident, System Failure Incident or Cyber Crime Incident is discovered by any Insured. However, an Extortion Threat must be reported immediately but in no case later than thirty-six (36) hours after the incident is discovered by the Control Group of the Insured Organization. The Insured may not incur any Loss Expense without the Insurer's prior consent and such consent will not be unreasonably withheld.
As a condition precedent to coverage under this Policy, the Insured must provide written notice to the Insurer of any Claim as soon as possible after the Control Group of the Insured Organization is made aware of such Claim but no later than sixty (60) days after the end of the Policy Period or end of the Extended Reporting Period (if applicable). The Insured may not incur any Liability Expense, Loss Expense, Betterment Expense, Reward Expense or Attendance Expense — Hearings and Trials, without the Insurer's prior consent and such consent will not be unreasonably withheld.

2. Notice of Circumstance

If, during the Policy Period or Extended Reporting Period (if applicable), any Insured first becomes aware of a Privacy Incident, Network Security Incident or Media Incident which may reasonably give rise to a future Claim under this Policy and gives written notice to the Insurer of:

a) the nature of the Privacy Incident, Network Security Incident or Media Incident;
b) the parties involved;
c) the injury or damages that has or may result therefrom; and
d) the circumstances by which the Insured first became aware thereof;

then any Claim arising out of an Interrelated Incident that involves a Privacy Incident, Network Security Incident or Media Incident that is subsequently made against the Insured will relate back to and be deemed to have been made at the time any Insured gave such written notice of circumstances to the Insurer.

The Insured will provide written notice to the Insurer either to the mailing or email address set forth in Item 8. of the Declarations.

D. Cooperation and Non-Disclosure

The Insured Organization must provide the Insurer with full assistance and cooperation and must provide all information deemed necessary to investigate any Privacy Incident, Network Security Incident, Systems Failure Incident, Cyber Crime Incident or Media Incident; settle any Claim; or pay any Loss Expense or Liability Expense.
In the event of a Privacy Incident, Network Security Incident, System Failure Incident, Cyber Crime Incident or Media Incident the Insured Organization will take every reasonable step to mitigate the loss, continue operations, preserve any contractual rights or remedies, and protect and preserve any property, Computer System, logs, books, records, reports or evidence which may be reasonably necessary in the adjustment of a Claim or Loss Expense or Liability Expense.

In addition, as a condition precedent to any Insured's rights under this coverage, the Insured will use their best efforts to ensure that neither the existence of this coverage, nor the associated limits of insurance are disclosed, without the Insurer's consent and such consent will not be unreasonably withheld.

E. Funds Transfer Verification of Authenticity

As a condition precedent to coverage under SECTION I. INSURING AGREEMENTS, A. LOSS EXPENSE COVERAGE, for Loss Expense arising out of a Cyber Crime Incident, prior to changing automated clearing house instructions, changing instructions for wire transfer of funds or changing any similar instructions, the Insured shall verify the authenticity of the instruction received from a purported employee, owner, vendor, customer, supplier, or other third party, including but not limited to routing numbers and account numbers, by calling the employee, owner, vendor, customer, supplier, or other third party via a method other than the original means of the request to verify the authenticity or validity of the request.

F. Proof of Loss

Requests for payment or reimbursement of Loss Expense incurred by the Insured Organization will be accompanied by a proof of loss.
Such proof of loss must include, in detail, how the costs were calculated and what assumptions have been made, and will include any applicable reports, books of accounts, bills, invoices and other vouchers or proofs of payment made by the Insured Organization in relation to such Loss Expense. Furthermore, the Insured Organization will cooperate with, and provide any additional information reasonably requested by, the Insurer in its investigation of Loss Expense, including but not limited to the exercise of the Insurer's right to investigate and audit the proof of loss and inspect the records of the Insured Organization.

Business Interruption Loss or Contingent Business Interruption Loss will be determined by taking full account and due consideration of the Insured Organization's proof of loss in addition to business conditions affecting the Insured Organization's net profit, including net profit gained during the same period in the prior year, had the Network Security Incident or System Failure Incident not occurred. Under no circumstances will the determination include a potential increase in net profit the Insured Organization may have earned as a result of an increase in the volume of the Insured Organization's business due to potential favorable business conditions.

We may examine any Insured under oath, while not in the presence of any other Insured and at such times as may be reasonably required, about any matter relating to this insurance including the Insured Organization's books and records. In the event of an examination, the Insured's answers must be signed.

G. Extended Reporting Period

1. Automatic Extended Reporting Period

If this Policy is cancelled or non-renewed for any reason other than non-payment of premium, the Named Insured will have an automatic Extended Reporting Period, for a period of sixty (60) days after the end of the Policy Period.

2.
Additional Extended Reporting Period

If this Policy is cancelled or non-renewed for any reason other than non-payment of premium, provided the Named Insured does not obtain replacement coverage as of the effective date of such cancellation or non-renewal, the Named Insured will have the right to purchase an Additional Extended Reporting Period within sixty (60) days after the end of the Policy Period. Such Additional Extended Reporting period will be for a period up to thirty-six (36) months after the end of the Automatic Extended Reporting Period and will be subject to an additional premium to be calculated based upon the annualized premium. The Additional Extended Reporting Period is non-cancelable and the additional premium for the Additional Extended Reporting Period will be fully earned at the time of purchase.

The Extended Reporting Period does not increase or reinstate any limits of insurance and does not provide coverage for Loss Expense, Liability Expense, Betterment Expense, Reward Expense, or Attendance Expense — Hearings and Trials, from any Privacy Incident, Network Security Incident, System Failure Incident, Cyber Crime Incident or Media Incident which first takes place after the end of the Policy Period.

A change in terms, conditions, exclusions, or premiums of this Policy will not be considered a non-renewal for purposes of triggering the Named Insured's right to purchase an Additional Extended Reporting Period.

H. Cancellation and Non-Renewal

This Policy may be cancelled by the Named Insured at any time by written notice to the Insurer requesting such cancellation and the effective date. Upon cancellation, the Insurer will return any unearned premium on a pro rata basis.

The Policy may be cancelled by the Insurer only if the Named Insured does not pay the premium when due. Any such cancellation shall become effective no sooner than thirty (30) days after the date the notice is mailed to the Named Insured.
If the Insurer elects not to renew this Policy, the Insurer will provide notice to the Named Insured no less than seventy five (75) days, no more than one hundred and twenty (120) days, in advance of the expiration date of the Policy Period. Additionally, such notice will include the reason for the nonrenewal and the Named Insured's loss information for the period the policy has been in force with the Insurer. With respect to all notices above, the Insurer will mail either: (1) registered or (2) first-class, written notice, to the Named Insured at the last known address. A copy of such notices will also be provided to the Named Insured's insurance agent or broker of record. A post office certificate of mailing such notices to the Named Insured at the last known mailing address will be conclusive proof of receipt of notice. I. Spouses, Domestic Partners, Estates and Legal Representatives Coverage under this Policy will extend to any Claim resulting from any Privacy Incident, Network Security Incident or Media Incident made against the lawful spouse or domestic partner of any Insured as well as the estate, heir or legal representative of any Insured who is deceased or legally incompetent, insolvent or bankrupt; however, no coverage is provided for any act, error or omission of said spouse, domestic partner, estate, heir or legal representative. It is further understood that all terms and conditions of this Policy apply to such Claim made against any Insured's spouse, domestic partner, estate, heir, or legal representative. J. Application, Representations and Severability The Named Insured represents that the particulars and statements contained in the Application are true, complete, and accurate. The Named Insured agrees that the Policy was issued in reliance upon the truth of those representations and such particulars and statements, which are deemed to be incorporated into and constitute part of this Policy and are the basis of this Policy. 
In the event there is any material misrepresentation, untruth, or omission in connection with any of the statements of facts in the Application then this Policy will be void with respect to: (1) any Insured who knew of such misrepresentation, untruth or omission; and (2) the Insured Organization but only if any member of the Control Group of the Insured Organization knew of such misrepresentation, untruth or omission.

K. Subrogation

In the event of any payment under this Policy, and there is the ability to recover against any third party, it is agreed that the Insured Organization tenders its rights of recovery to the Insurer. The Insured Organization also agrees to assist the Insurer in exercising such rights. If prior to the Privacy Incident, Network Incident, System Failure Incident, Cyber Crime Incident or Media Incident connected with such payment, the Insured Organization has agreed in writing to waive such rights of recovery against a third party, then the Insurer will not pursue its rights of recovery against said third party.

L. Other Insurance

If any Loss Expense, other than Cyber Crime Loss, covered by this Policy is also covered by any other valid and collectible insurance, with an applicable sublimit that is lower than the available limit under this Policy, then this Policy will apply as the primary policy. This Policy will be excess over any other valid and collectible insurance providing Cyber Crime Loss or similar coverage.

If any Claim covered by this Policy is also covered by any other valid and collectible insurance, then this Policy will only apply to the Liability Expense in excess of the amount of any Retention or limit of insurance under such other insurance whether such other insurance is stated to be primary, contributory, excess, contingent or otherwise, unless such other insurance is written specifically excess of this Policy.

M. Territory

The coverage provided under this Policy applies worldwide.
However, coverage provided under this Policy does not apply to the extent that trade or economic sanctions, OFAC restrictions or sanctions or any other similar laws or regulations prohibit the Insurer from providing coverage. N. Currency All Loss Expense, Liability Expense, Betterment Expense, Reward Expense, or Attendance Expense — Hearings and Trials, premium, limits of liability, Retention and any other amounts under this Policy are expressed and payable in the currency of the United States of America. If any settlement, judgement, Loss Expense, Liability Expense, Betterment Expense, Reward Expense, or Attendance Expense — Hearings and Trials, or any other amounts under this Policy are incurred, stated, determined or adjudicated in a currency other than United States dollars then payment shall be made in United States dollars at the rate of exchange published in the Wall Street Journal on the date by which the Insurer is obligated to pay. O. Material Change If during the Policy Period, the Named Insured merges with or is acquired by another entity or a receiver, conservator, trustee, liquidator or rehabilitator is appointed to take control of, supervise, manage or liquidate the Named Insured, then the premium for the Policy is deemed to be fully earned and the Policy will continue in full effect until the expiration date of the Policy but only as respects a Privacy Incident, Network Security Incident, System Failure Incident, Cyber Crime Incident or Media Incident that first took place prior to the effective date of such merger, acquisition or appointment. If during the Policy Period, an entity ceases to be a Subsidiary then coverage for such Subsidiary will continue in full effect until the expiration date of the Policy but only as respects a Privacy Incident, Network Security Incident, System Failure Incident, Cyber Crime Incident or Media Incident that first took place prior to the date the entity ceased to be a Subsidiary. P. 
Assignment

Assignment of any Insured's interest under this Policy will not bind the Insurer unless its consent is endorsed hereon.

Q. Conformity to Law

Any terms of this Policy in conflict with the terms of any applicable laws are hereby amended to conform to such laws.

R. Legal Action Against the Insurer and Bankruptcy

No action may be taken against the Insurer unless, as a condition precedent thereto, there has been full compliance with all the terms of this Policy and the amount of any Insured's obligation to pay has been finally determined either by judgment against the Insured after adjudicatory proceedings, or by written agreement of the Named Insured, the claimant and the Insurer. No legal action can be brought under this Policy against anyone other than by the Named Insured. Bankruptcy or insolvency of any Insured or the estate of any Insured will not relieve the Insurer of its obligations under this Policy.

S. Representative of any Insured

By acceptance of this Policy, the first Named Insured listed in the Declarations will be designated to act on behalf of all Insureds for all purposes including the giving and receiving of all notices and correspondence, the cancellation or non-renewal of this Policy, the payment of premiums and the receipt of any return premiums that may be due under this Policy.

T. Entire Agreement

This Policy (including the Declarations, Application and any information provided therewith) and any written endorsements attached hereto constitute the entire agreement between the parties. The terms, conditions and limitations of this Policy can be waived or changed only by written endorsement.

CY 0002 (Ed.
01/19) SERVICE OF PROCESS ENDORSEMENT CALIFORNIA

Pursuant to any statute of any state or district of the United States of America, which makes provisions therefore, the Insurer hereby designates the Commissioner, Superintendent or Director of Insurance or other officer specified for that purpose in the statute and his or her successors in office and duly authorized deputies in the state where this Policy is issued, as the Insurer's true and lawful attorney for service of legal process in any action, suit or proceeding brought in the state where this Policy is issued by or on behalf of an Insured or beneficiary against the Insurer arising out of the insurance issued under this Policy. Any legal process received by such attorney for service of legal process shall be forwarded to the Insurer to the attention of:

Sue Erhart
General Counsel and Senior Vice President
Great American Insurance Group
301 E. Fourth Street
Cincinnati, OH 45202

and

CT Corporation System
818 West Seventh Street, 2nd Floor
Los Angeles, California 90017

Please note that the address stated above is only to be used in case of suits against the Insurer and by no means amends the provisions of the Policy for notice of Claim which is specified in Section V.C of the Policy. Please use the address specified in the aforementioned section of the Policy for notice of all Claims.

Other than as stated above, nothing herein contained shall be held to vary, alter, waive or extend any of the terms, conditions, provisions, agreements or limitations of the Policy to which this endorsement is attached.

CY 0024 11 23 BROKERAGE INFORMATION

Brokerage Name: Guy Carpenter Brokering, Inc.
Brokerage Address: 155 N Wacker Dr, Fl 15, Chicago, IL, 60606
Broker/Brokerage License Number: OG80271

All other terms and conditions of this Policy remain unchanged.

CY 0025 02 24 AMENDMENT TO SECTION III.
DEFINITIONS - PUBLIC ENTITY RISK POOLS

It is hereby understood and agreed that SECTION III. DEFINITIONS of the Policy is amended as follows:

1. Definition I. Contingent Business Interruption Loss is deleted in its entirety and replaced with the following:

Contingent Business Interruption Loss means Income Loss and Extra Expense incurred by the Insured Organization during the Period of Recovery or Extended Business Interruption Loss Period, which exceeds the Waiting Period and resulting from the actual and measurable interruption or suspension of a Third Party Network that arises out of a Network Security Incident or System Failure Incident. Contingent Business Interruption Loss is subject to a sublimit indicated in CY 0027, SCHEDULE OF PARTICIPATING MEMBERS.

2. Definition M. Cyber Crime Loss is deleted in its entirety and replaced with the following:

Cyber Crime Loss means: (1) charges incurred by the Insured Organization from its telecommunications provider directly resulting from a Telecommunications Hack, a Botnet Attack or Cryptojacking Attack; (2) loss of funds directly resulting from a Social Engineering Attack; or (3) accounts receivable for which the Insured Organization is unable to collect payment directly resulting from an Invoice Manipulation. Cyber Crime Loss due to Invoice Manipulation is limited to the Insured Organization's variable input costs associated with the provision of its products or services, and therefore does not include any gross profit margin associated with such products or services. Cyber Crime Loss does not include any amounts reimbursed or reversed by a financial institution and is subject to a sublimit as indicated on CY 0027, SCHEDULE OF PARTICIPATING MEMBERS.

3. Definition II. Named Insured is deleted in its entirety and replaced with the following:

Named Insured means each Member of the organization stated in Item 1 of the Declarations that is listed on CY 0027, SCHEDULE OF PARTICIPATING MEMBERS.

4.
The following has been added to SECTION III. DEFINITIONS:

Member means each entity scheduled on CY 0027, SCHEDULE OF PARTICIPATING MEMBERS.

All other terms and conditions of this Policy remain unchanged.

CY 0026 02 24 AMENDMENT TO SECTION V. GENERAL TERMS & CONDITIONS - PUBLIC ENTITY RISK POOLS

It is hereby understood and agreed that SECTION V. GENERAL TERMS AND CONDITIONS of the Policy is amended as follows:

1. A. Limit of Insurance and Retention is deleted in its entirety and replaced with the following:

The Per Member Aggregate Limit as indicated in Item 3(a) of the Declarations is the maximum the Insurer is obligated to pay on behalf of any Member for all combined Loss Expense, Liability Expense, and SUPPLEMENTAL COVERAGE incurred by that Member and covered by the Policy. It is further understood and agreed that any sublimit applicable to a Member for Ransomware Event, Contingent Business Interruption Loss, or Cyber Crime Loss is stated on CY 0027, SCHEDULE OF PARTICIPATING MEMBERS.

The Risk Pool Policy Aggregate Limit as indicated in Item 3(b) of the Declarations is the maximum the Insurer is obligated to pay under the Policy for all Loss Expense, Liability Expense and SUPPLEMENTAL COVERAGE combined.

The Insurer has no obligation to pay any Loss Expense, Liability Expense or SUPPLEMENTAL COVERAGE until the applicable Retention as indicated on CY 0027, SCHEDULE OF PARTICIPATING MEMBERS has been satisfied.

2. B. Defense and Settlement is deleted in its entirety and replaced with the following:

The Insurer has the right and duty to defend, and the right to select counsel to defend any Insured against any Claim, even if the allegations of the Claim are groundless, false, or fraudulent. The Insurer's duty to defend will cease upon the exhaustion of the Per Member Aggregate Limit as indicated on CY 0027, SCHEDULE OF PARTICIPATING MEMBERS.
The Insured Organization agrees not to make any payment, participate in any settlement, admit liability, assume obligation, or incur any Loss Expense or Liability Expense without the prior written consent of the Insurer, which consent will not be unreasonably withheld.

3. S. Representative of any Insured is deleted in its entirety and replaced with the following:

By acceptance of this Policy, the Members agree that California Joint Powers Insurance Authority is designated to act on behalf of all Insureds for all purposes including the giving and receiving of all notices and correspondence, the cancellation or non-renewal of this Policy, the payment and the receipt of any return premiums that may be due under this Policy.

All other terms and conditions of this Policy remain unchanged.

CY 0029 09 24 AMENDMENT TO DEFINITION OF COMPUTER SYSTEM (EMPLOYEE OWNED DEVICES)

It is understood and agreed that SECTION III. DEFINITIONS H. Computer System of the Policy is deleted and replaced with the following:

H. Computer System means (1) computer hardware, software, firmware and associated input and output devices; (2) wireless devices, voice based telecommunication systems; (3) operating systems and associated input, output, processing, data storage, and mobile devices; (4) networks, networking equipment, application software, storage area networks; (5) other electronic data storage or backup facilities and peripheral communication equipment and systems (including but not limited to employee owned mobile devices); which are leased, owned or operated by an Insured in support of the Insured Organization's business operations.

All other terms and conditions of this Policy remain unchanged.

CY 0030 09 24 AMENDMENT TO DEFINITION OF INSURED (INDEPENDENT CONTRACTORS)

It is understood and agreed that SECTION III. DEFINITIONS X. Insured of the Policy is deleted and replaced with the following:

X.
Insured means the Insured Organization as well as any past, present or future directors, officers, board members, trustees, owners, partners, principals, managers, independent contractors, employees (including full time, part time, temporary, leased, and seasonal) and volunteers but only for acts performed within the scope of their duties on behalf of the Insured Organization.

All other terms and conditions of this Policy remain unchanged.

CY 1102 10 24 AMENDMENT TO DEFINITION OF THIRD PARTY NETWORK TO INCLUDE NON-IT SERVICE PROVIDER ENDORSEMENT

It is understood and agreed that SECTION III. DEFINITIONS of the Policy is amended as follows:

1. WW. Restoration is deleted and replaced with the following:

Restoration means recovery of the Computer System and re-creation, re-collection, or recovery of electronic data that is collected, transmitted, processed, stored, or backed up on the Computer System or Third Party Network, that is compromised as a direct result of a Network Security Incident. If such Computer System cannot be recovered or electronic data cannot be re-created, re-collected, or recovered, then Restoration is limited to the costs to make this determination. In no case will the Restoration extend beyond twelve (12) months from the start of the efforts to recover the Computer System or re-create, re-collect or recover electronic data. Restoration does not include Bricking Costs or any cost to upgrade, improve, restore, repair, redesign, reconfigure or maintain a Third Party Network.

2. BBB.
Third Party Network is deleted and replaced with the following:

Third Party Network means computer hardware, software and networking equipment owned, leased or operated by a person or organization, other than the Insured Organization, and who is operating under contract with the Insured Organization to provide services in support of the Insured Organization's business operations, provided that Third Party Network does not include any of the following:

1. An internet service provider (including any provider of internet connectivity);
2. Utility providers, including, but not limited to, electricity, gas, water, telephone, cable, satellite or telecommunications providers;
3. A provider of financial market infrastructure, including, but not limited to, securities exchanges, payment processors, central clearing houses or central securities depositories;
4. Shipping or freight company; or
5. Courier or package or mail delivery company.

All other terms and conditions of this Policy remain unchanged.

CY 2014 (Ed. 04/23) DELETION OF COVERAGE FOR CYBER CRIME LOSS

It is understood and agreed the following changes are made to the policy:

1. SECTION I. INSURING AGREEMENT, A. is deleted and replaced with the following:

A. LOSS EXPENSE COVERAGE

The Insurer will pay on behalf of the Insured all Loss Expense directly resulting from a Privacy Incident, Network Security Incident or System Failure Incident, first discovered by any Insured during the Policy Period, and reported to the Insurer pursuant to SECTION V. GENERAL TERMS AND CONDITIONS, C., Notice.

2. SECTION III. DEFINITIONS is amended by the deletion of definitions L. and M.

3. Reference to Cyber Crime Incident is deleted from SECTION III. DEFINITIONS, AA and JJ.

4. Reference to Cyber Crime Loss is deleted from SECTION III. DEFINITION, DD.

5. SECTION IV. EXCLUSIONS E. is deleted and replaced with the following:

E.
Any actual or alleged loss, transfer or theft of monies, cryptocurrency, securities, non-fungible tokens, or tangible properties.

6. Reference to Cyber Crime Incident is deleted from SECTION IV. EXCLUSIONS, O.

7. Reference to Cyber Crime Incident and Cyber Crime Loss is deleted from SECTION V. GENERAL TERMS AND CONDITIONS.

All other terms and conditions of this Policy remain unchanged.

CY 7001 (Ed. 01/19) TERRORISM COVERAGE ENDORSEMENT CAP ON LOSS FROM CERTIFIED ACTS

It is understood and agreed Section V of the Policy is amended to include the following:

CAP ON LOSSES FROM CERTIFIED ACTS OF TERRORISM

1. If aggregate insured losses attributable to terrorist acts certified under the federal Terrorism Risk Insurance Act exceed $100 billion in a calendar year and we have met our insurer deductible under the Terrorism Risk Insurance Act, we shall not be liable for the payment of any portion of the amount of such losses that exceeds $100 billion, and in such case insured losses up to that amount are subject to pro rata allocation in accordance with procedures established by the Secretary of the Treasury.

"Certified act of terrorism" means an act that is certified by the Secretary of the Treasury, in accordance with the provisions of the federal Terrorism Risk Insurance Act, to be an act of terrorism pursuant to such Act. The criteria contained in the Terrorism Risk Insurance Act for a "certified act of terrorism" include the following:

a. The act resulted in insured losses in excess of $5 million in the aggregate, attributable to all types of insurance subject to the Terrorism Risk Insurance Act; and
b. The act is a violent act or an act that is dangerous to human life, property or infrastructure and is committed by an individual or individuals as part of an effort to coerce the civilian population of the United States or to influence the policy or affect the conduct of the United States Government by coercion.

2.
The terms and limitations of any terrorism exclusion, or the inapplicability or omission of a terrorism exclusion, do not serve to create coverage that is otherwise excluded under this Policy.