2023-08-21 I01J FY2024 Technology Liability Insurance

AGENDA ITEM:
CITY OF WAUKEE, IOWA
CITY COUNCIL MEETING COMMUNICATION

MEETING DATE: August 21, 2023

AGENDA ITEM: Consideration of approval of a resolution authorizing issuance with Travelers Casualty and Surety Company of America (brokered through Holmes Murphy) for 07/01/2023 through 07/01/2024 Technology Liability insurance

FORMAT: Resolution

SYNOPSIS INCLUDING PRO & CON: The attached reports provide detail for the 2023/2024 insurance policy and annual billing.

FISCAL IMPACT INCLUDING COST/BENEFIT ANALYSIS: $47,950.00

COMMISSION/BOARD/COMMITTEE COMMENT:

STAFF REVIEW AND COMMENT: Staff recommends approving the total payment to Holmes Murphy.

RECOMMENDATION: Approve the Resolution.

ATTACHMENTS: Travelers Policy paperwork

PREPARED BY: Rachel Bruns

REVIEWED BY:

PUBLIC NOTICE INFORMATION – NAME OF PUBLICATION: DATE OF PUBLICATION:

I1J

THE CITY OF WAUKEE, IOWA
RESOLUTION 2023-
APPROVING PAYMENT TO HOLMES MURPHY FOR 07/01/2023 – 07/01/2024 TECHNOLOGY LIABILITY INSURANCE IN THE AMOUNT OF $47,950.00

IN THE NAME AND BY THE AUTHORITY OF THE CITY OF WAUKEE, IOWA

WHEREAS, the City of Waukee, Dallas County, State of Iowa, is a duly organized Municipal Organization; AND,

WHEREAS, Travelers Casualty and Surety Company of America provides technology liability insurance services brokered through Holmes Murphy for the City; AND,

WHEREAS, Travelers Casualty and Surety Company of America proposes an insurance policy for the period of July 1, 2023 through July 1, 2024 at a cost of $47,950.00 AND,

WHEREAS, City staff recommend approval of the payment.

NOW THEREFORE BE IT RESOLVED by the City Council of the City of Waukee, Iowa on this the 21st day of August, 2023, that it hereby approves payment to Holmes Murphy for 07/01/2023 – 07/01/2024 technology liability insurance in the amount of $47,950.00.

____________________________
Courtney Clarke, Mayor

Attest:
___________________________________
Rebecca D. Schuett, City Clerk

RESULTS OF VOTE: | AYE | NAY | ABSENT | ABSTAIN
Anna Bergman Pierce | | | |
R. Charles Bottenberg | | | |
Chris Crone | | | |
Larry R. Lyon | | | |
Ben Sinclair | | | |

LTR-4035 Ed. 06-09 © 2009 The Travelers Indemnity Company. All rights reserved. Page 1 of 1

PO Box 2950
Hartford, CT 06104-2950

June 27, 2023

City of Waukee
236 W Hickman Rd
WAUKEE, IA 50263

Re: Important Information about Claims Information Line

Dear City of Waukee

Travelers Bond & Specialty Insurance is pleased to announce its 1-800-842-8496 Claims Information Line. This line is designed to provide insureds with an additional resource on how to report claims or those circumstances or events which may become claims.

Policyholders will be able to obtain assistance on the following topics from the Claims Information Line:

• The information that needs to be included with the claim notice
• The address, electronic mail address and/or facsimile number to which the policyholder can send claims related information
• Get questions on the claim process answered

The Declarations Page of your policy sets forth where you should report claims and claims related information. You should also review the policy's reporting requirements to be aware of how much time you have to report a claim to Travelers. The sooner Travelers is notified, the sooner we can become involved in the process and offer assistance to our policyholder. A delay in reporting may result in all or part of a matter to fall outside of the coverage provided.

The Claims Information Line should streamline the claim reporting process and allow policyholders to ask questions on what information is needed as well as other questions which will assist them in working with Travelers. While the Claims Information Line provides policyholders a valuable resource by answering questions and providing information, the line does not replace the reporting requirements contained in the Policy.
We hope this improvement to customer service is something our policyholders will find helps them understand the claim process and provides them a resource for reporting.

© 2022 The Travelers Indemnity Company. All rights reserved. LTR-19027 Rev. 9-22

This material does not amend, or otherwise affect, the provisions or coverages of any insurance policy or bond issued by Travelers. It is not a representation that coverage does or does not exist for any particular claim or loss under any such policy or bond. Coverage depends on the facts and circumstances involved in the claim or loss, all applicable policy or bond provisions, and any applicable law.

CyberRisk Policyholder Benefits

Travelers Cyber Coaches

Three cybersecurity coach services are available to help your organization extend your team with expert guidance at no additional cost, as follows:

Breach Coach – Should you experience a data breach event, you may choose to call the Breach Coach listed in the Travelers eRisk Hub portal for immediate triage assistance. Your initial consultation of up to one half-hour is at no additional charge. Please be aware that the Breach Coach service is provided by a third-party law firm. Therefore, contacting the Breach Coach does NOT satisfy the claim or first-party notification requirements of your policy.

HIPAA Coach – To help your organization identify the cyber related issues HIPAA raises and help minimize potential exposures, you are entitled to consult with a HIPAA Coach listed in the Travelers eRisk Hub portal for up to one hour.

Security Coach – Talk with a HCL Technologies security professional about general cybersecurity questions for up to one hour to help strengthen your organization's security posture with actionable advice and insights listed in the Travelers eRisk Hub portal.

Pre-Breach Services provided by HCL Technologies:

Preparation is key in helping to mitigate a potential cyber related event. To assist policyholders achieve a higher level of cybersecurity for their organizations Travelers offers the following pre-breach services from HCL Technologies, a global leader in cybersecurity solutions accessible through the Travelers eRisk Hub:

• HCL Technologies Cyber Resilience Readiness Assessment and Cyber Security Professional Consultation - An online assessment designed for an organization to quickly understand their current cybersecurity posture while receiving an official report and up to 1 hour consultation with a HCL Technologies security professional to help in improving areas of weakness or vulnerability.
• HCL Technologies Consulting Services - Boost your cybersecurity readiness with HCL Technologies solutions including HCL Technologies Cyber Security Incident Response Review, HCL Technologies Cyber Security Vulnerability Assessment and HCL Technologies Cyber Security Architecture Review.
• HCL Technologies Cyber Security Awareness Training Videos - Gain access to security awareness training videos as a method of defense against cybersecurity threats by promoting proactive employee behavior. These courses can be used to complement your employee training requirements.

Certain services are being provided to you by HCL Technologies and in using them you must agree to HCL Technologies' terms of use & privacy policy. Travelers Casualty and Surety Company of America and its property casualty affiliates (“Travelers”) makes no warranty, guarantee, or representation as to the accuracy or sufficiency of any such services. The use of the services and the implementation of any product or practices suggested by HCL Technologies or NetDiligence is at your sole discretion. Travelers disclaims all warranties, express or implied. In no event will Travelers be liable in contract or in tort for any loss arising out of the use of the services or HCL Technologies' or any other vendor's products.
eRisk Hub and Breach Coach are registered trademarks of NetDiligence. NTC-19036 Rev. 01-19 © 2019 The Travelers Indemnity Company. All rights reserved. Page 1 of 1 This notice provides no coverage, nor does it change any policy terms. To determine the scope of coverage and the insured’s rights and duties under the policy, read the entire policy carefully. For more information about the content of this notice, the insured should contact their agent or broker. If there is any conflict between the policy and this notice, the terms of the policy prevail. Independent Agent And Broker Compensation Notice For information on how Travelers compensates independent agents, brokers, or other insurance producers, please visit this website: www.travelers.com/w3c/legal/Producer_Compensation_Disclosure.html. Or write or call: Travelers, Agency Compensation P.O. Box 2950 Hartford, Connecticut 06104-2950 (866) 904.8348 AFE-15001 Rev. 06-20 © 2020 The Travelers Indemnity Company. All rights reserved. Page 1 of 2 Declarations Policy No. 107865426 This Policy consists of this Declarations and one or more Coverage Declarations and Coverage forms. It may also include one or more Common Conditions or endorsements. In consideration of the premium, the Insurer provides this Policy, which is the entire agreement between the Insurer and the Insured. Insurer Throughout this Policy, Insurer means Travelers Casualty and Surety Company of America, which is a capital stock company located in Hartford, Connecticut. Named Insured Throughout this Policy, Named Insured means: City of Waukee Principal Address 236 W Hickman Rd WAUKEE, IA 50263 Policy Period Inception: July 01, 2023 Expiration: July 01, 2024 12:01 A.M. local time both dates at Principal Address. Policy Premium $47,950.00 Total $47,950.00 Notices To The Insurer Mail: Travelers Bond & Specialty Insurance Claim P.O. 
Box 2989 Hartford, CT 06104-2989
Overnight Mail: Travelers Bond & Specialty Insurance Claim, One Tower Square, S202A, Hartford, CT 06183
Email: BSIclaims@travelers.com
Fax: 1-888-460-6622
For questions related to claim reporting or handling, please call 1-800-842-8496.

Producer Information
HOLMES MURPHY&ASSOC LLC
P O BOX 9207
DES MOINES, IA 50306-9207
Phone: 515-223-6800

Authorized officers of the Insurer:
President
Corporate Secretary
Countersigned By

Forms attached at issuance:

Form Number | Form Title
AFE-16001-0119 | General Conditions
AFE-19013-0119 | State Inconsistency Endorsement
AFE-19029-0719 | Cap On Losses From Certified Acts Of Terrorism Endorsement
AFE-19030-0920 | Federal Terrorism Risk Insurance Act Disclosure Endorsement
CYB-16001-0620 | CyberRisk Coverage
CYB-16001-TOC-0620 | CyberRisk Table of Contents
CYB-19101-0119 | Per Impacted Parties And Computer And Legal Expert Costs Endorsement
CYB-19102-0620 | Dependent Business Interruption - System Failure Endorsement
CYB-19104-0620 | Dependent Business Interruption - Outsource Provider Endorsement
CYB-19105-0119 | Conviction Reward Endorsement
CYB-19122-0519 | Vendor Or Client Payment Fraud Endorsement
CYB-19123-0519 | Bricked Equipment Endorsement
CYB-19166-1020 | Preservation Of Governmental Immunity - Iowa Endorsement

CYB-15001 Rev. 06-20 © 2020 The Travelers Indemnity Company. All rights reserved. Page 1 of 2

CyberRisk Declarations

Claims-Made: The Liability Insuring Agreements are provided on a Claims-Made basis, and cover only Claims first made during the Policy Period, or any applicable extended reporting period. Please read the Policy.

Defense Within Limits: The Limit available to pay settlements or judgments will be reduced, and may be completely exhausted, by Defense Costs, and any retention will be applied against Defense Costs.

A limit left blank for a coverage means that such coverage is not included. An entry for any other provision left blank means that such provision does not apply. The Insurer has the duty to defend Claims.

CyberRisk Aggregate Limit: $3,000,000

Liability | Limit | Retention
Privacy and Security | $3,000,000 | $75,000
Payment Card Costs | $3,000,000 | Subject to Privacy and Security Retention
Media | $3,000,000 | $75,000
Regulatory Proceedings | $3,000,000 | $75,000

Breach Response | Limit | Retention
Privacy Breach Notification | 1,000,000 impacted parties | impacted parties threshold 100
Computer and Legal Experts | $1,000,000 which is separate from the CyberRisk Aggregate Limit | $50,000
Betterment | $100,000 |
Cyber Extortion | $3,000,000 | $75,000
Data Restoration | $3,000,000 | $75,000
Public Relations | $3,000,000 | $75,000

Cyber Crime | Limit | Retention
Computer Fraud | |
Funds Transfer Fraud | |
Social Engineering Fraud | $100,000 | $5,000
Telecom Fraud | $100,000 | $5,000

Business Loss | Limit | Retention
Business Interruption | $3,000,000 |
Dependent Business Interruption | $1,000,000 |
Dependent Business Interruption - System Failure | $1,000,000 |
Dependent Business Interruption - Outsource Provider | $1,000,000 |
Dependent Business Interruption - Outsource Provider - System Failure | $1,000,000 |
Reputation Harm | $250,000 | $5,000
System Failure | $3,000,000 |

Additional First Party Provisions
Accounting Costs Limit: $25,000
Betterment Coparticipation: 50%
Period Of Restoration: 180 days
Period Of Indemnity: 30 days
Wait Period: 12 hours

Knowledge Date: July 01, 2023
P&P Date: July 01, 2023
Retro Date: N/A

Extended Reporting Period
Months | Percentage of Annualized Premium
12 | 75%

AFE-19029 Rev. 07-19 © 2019 The Travelers Indemnity Company. All rights reserved. Page 1 of 1

This endorsement modifies any Coverage Part or Coverage Form included in this Policy that is subject to the federal Terrorism Risk Insurance Act of 2002 as amended.

Cap On Losses From Certified Acts Of Terrorism Endorsement

The following is added to this Policy.
This provision can limit coverage for any loss arising out of a Certified Act Of Terrorism if such loss is otherwise covered by this Policy. This provision does not apply if and to the extent that coverage for the loss is excluded or limited by an exclusion or other coverage limitation for losses arising out of Certified Acts Of Terrorism in another endorsement to this policy. If aggregate insured losses attributable to Certified Acts Of Terrorism exceed $100 billion in a calendar year and the Insurer has met its insurer deductible under TRIA, the Insurer will not be liable for the payment of any portion of the amount of such losses that exceeds $100 billion, and in such case, insured losses up to that amount are subject to pro rata allocation in accordance with procedures established by the Secretary of the Treasury. Certified Act Of Terrorism means an act that is certified by the Secretary of the Treasury, in accordance with the provisions of TRIA, to be an act of terrorism pursuant to TRIA. The criteria contained in TRIA for a Certified Act Of Terrorism include the following: 1.The act resulted in insured losses in excess of $5 million in the aggregate, attributable to all types of insurance subject to TRIA; and 2.The act is a violent act or an act that is dangerous to human life, property or infrastructure and is committed by an individual or individuals as part of an effort to coerce the civilian population of the United States or to influence the policy or affect the conduct of the United States Government by coercion. TRIA means the federal Terrorism Risk Insurance Act of 2002 as amended. Issuing Company:Travelers Casualty and Surety Company of America Policy Number:107865426 AFE-19030 Rev. 09-20 © 2020 The Travelers Indemnity Company. All rights reserved. Page 1 of 1 This endorsement modifies any Coverage Part or Coverage Form included in this Policy that is subject to the federal Terrorism Risk Insurance Act of 2002 as amended. 
Federal Terrorism Risk Insurance Act Disclosure Endorsement The federal Terrorism Risk Insurance Act of 2002 as amended (“TRIA”), establishes a program under which the Federal Government may partially reimburse “Insured Losses” (as defined in TRIA) caused by “Acts Of Terrorism” (as defined in TRIA). Act Of Terrorism is defined in Section 102(1) of TRIA to mean any act that is certified by the Secretary of the Treasury - in consultation with the Secretary of Homeland Security and the Attorney General of the United States - to be an act of terrorism; to be a violent act or an act that is dangerous to human life, property, or infrastructure; to have resulted in damage within the United States, or outside the United States in the case of certain air carriers or vessels or the premises of a United States Mission; and to have been committed by an individual or individuals as part of an effort to coerce the civilian population of the United States or to influence the policy or affect the conduct of the United States Government by coercion. The Federal Government's share of compensation for such Insured Losses is 80% of the amount of such Insured Losses in excess of each Insurer's “Insurer Deductible” (as defined in TRIA), subject to the “Program Trigger” (as defined in TRIA). In no event, however, will the Federal Government be required to pay any portion of the amount of such Insured Losses occurring in a calendar year that in the aggregate exceeds $100 billion, nor will any Insurer be required to pay any portion of such amount provided that such Insurer has met its Insurer Deductible. Therefore, if such Insured Losses occurring in a calendar year exceed $100 billion in the aggregate, the amount of any payments by the Federal Government and any coverage provided by this policy for losses caused by Acts Of Terrorism may be reduced. 
For each coverage provided by this policy that applies to such Insured Losses, the charge for such Insured Losses is no more than one percent of your premium, and does not include any charge for the portion of such Insured Losses covered by the Federal Government under TRIA. Please note that no separate additional premium charge has been made for coverage for Insured Losses covered by TRIA. The premium charge that is allocable to such coverage is inseparable from and imbedded in your overall premium. Policy Number:107865426 Issuing Company:Travelers Casualty and Surety Company of America AFE-16001 Ed. 01-19 © 2019 The Travelers Indemnity Company. All rights reserved Page 1 of 1 This form contains terms that apply to the Policy.General Conditions Authorization And Changes. The Named Insured will act on behalf of all Insureds regarding the payment of premium, receipt of return premium, change of coverage, and receipt of notices of cancelation or nonrenewal. Each Insured agrees that they have delegated such authority to the Named Insured. The Named Insured may change this Policy with the Insurer’s consent by endorsement to this Policy. No rights or duties under this policy may be transferred or assigned without the Insurer’s written consent. Conformity To Law. Any part of this Policy that conflicts with applicable statutory or regulatory law is changed to conform to such law. This Policy provides coverage and benefits only to the extent that it does not expose the Insurer, or any of its subsidiaries, or affiliated companies, to a trade or economic sanction, prohibition, or restriction under a U.N. resolution, trade or economic sanction, or E.U., U.K., or U.S. law or regulation. Consent And Cooperation. Where the Insurer’s consent is required, such consent will not be unreasonably withheld. The Insured agrees to give all information, assistance, and cooperation the Insurer reasonably requires. Representatives. 
In the event of an Insured Person’s death, incapacity, or bankruptcy, this Policy will afford coverage to his or her:
1. estate;
2. legal representative;
3. legal spouse, domestic partner, or party to a civil union; or
4. assignee,
but only to the extent that it would have applied to such Insured Person.

Suits Against The Insurer. No person or entity has the right under this Policy to join the Insurer as a party in an action against an Insured to determine such Insured’s liability, nor may the Insurer be impleaded by any Insured. No action will lie against the Insurer unless there has been full compliance with all the terms of this Policy.

Territory And Valuation. This Policy applies anywhere in the world, but it does not apply to Loss incurred by an Insured residing or domiciled in a country or jurisdiction in which the Insurer is not licensed to provide this insurance, to the extent that providing this insurance would violate any applicable foreign law or regulation (“Foreign Loss”). If an Insured Entity incurs Foreign Loss, the Insurer will reimburse the Named Insured for such Foreign Loss because of the Named Insured’s financial interest in such Insured Entity. If an Insured Person incurs Foreign Loss not indemnified by an Insured Entity, such Foreign Loss will be paid in a country or jurisdiction mutually acceptable to such Insured Person and the Insurer, to the extent that doing so would not violate any applicable foreign law or regulation. All amounts in this Policy are stated in U.S. Dollars. If amounts are due under a liability coverage and are stated in a different currency, payment will be made in U.S. Dollars at the exchange rate published in The Wall Street Journal at the time the final amount is determined.

Titles, Headings, And Defined Terms. The titles and headings in this Policy do not affect coverage.
Where appearing in this Policy, in singular or plural, words and phrases appearing in italicized type have the meaning shown in the Definitions of the applicable Coverage.

CYB-16001-TOC Rev. 6-20 Page 1 of 2 © 2020 The Travelers Indemnity Company. All rights reserved.

CyberRisk Coverage Table Of Contents

Liability Insuring Agreements ... 1
  Privacy And Security ... 1
  Media ... 1
  Regulatory Proceedings ... 1

Breach Response Insuring Agreements ... 1
  Privacy Breach Notification ... 1
  Computer And Legal Experts ... 1
  Betterment ... 1
  Cyber Extortion ... 1
  Data Restoration ... 1
  Public Relations ... 1

Cyber Crime Insuring Agreements ... 1
  Computer Fraud ... 1
  Funds Transfer Fraud ... 1
  Social Engineering Fraud ... 2
  Telecom Fraud ... 2

Business Loss Insuring Agreements ... 2
  Business Interruption ... 2
  Dependent Business Interruption ... 2
  Reputation Harm ... 2

Definitions ... 2
  Accounting Costs ... 2
  Additional Insured ... 2
  Adverse Media Report ... 2
  Approved Provider ... 2
  Automatic ERP ... 2
  Betterment Costs ... 2
  Business Interruption Loss ... 3
  Change Of Control ... 3
  Claim ... 3
  Client ... 3
  Computer And Legal Expert Costs ... 3
  Computer Fraud ... 4
  Computer System ... 4
  Confidential Information ... 4
  Covered Material ... 4
  Cyber Extortion Costs ... 4
  Cyber Extortion Threat ... 4
  Defense Costs ... 4
  Discover, Discovered, Discovery ... 5
  Employee ... 5
  Executive Officer ... 5
  Extra Expense ... 5
  First Party Event ... 5
  First Party Insuring Agreements ... 6
  First Party Loss ... 6
  Funds Transfer Fraud ... 6
  Impacted Parties ... 6
  Income Loss ... 6
  Independent Contractor ... 7
  Insured ... 7
  Insured Entity ... 7
  Insured Person ... 7
  IT Provider ... 7
  IT Provider Breach ... 7
  Loss ... 7
  Media Act ... 8
  Merchant Service Agreement ... 8
  Money ... 8
  Notification ... 8
  Optional ERP ... 8
  Other Property ... 8
  Payment Card Contract Penalties ... 8
  Payment Card Security Standards ... 9
  Period Of Indemnity ... 9
  Period Of Restoration ... 9
  Policy Period ... 9
  Pollutant ... 9
  Potential Claim ... 9
  Privacy And Security Act ... 9
  Privacy Breach ... 9
  Privacy Breach Notification Costs ... 9
  Privacy Policy ... 9
  Public Relations Costs ... 10
  Ransom ... 10
  Regulatory Costs ... 10
  Regulatory Proceeding ... 10
  Reputation Harm ... 10
  Restoration Costs ... 10
  Run-Off Period ... 10
  Securities ... 10
  Security Breach ... 10
  Social Engineering Fraud ... 11
  Subsidiary ... 11
  System Failure ... 11
  Telecom Charges ... 11
  Telecom Fraud ... 11
  Vendor ... 11
  Virtual Currency ... 11
  Virus ... 11
  Wait Period ... 11
  Wrongful Act ... 11

Exclusions ... 12
  Assumed Liability ... 12
  Bodily Injury ... 12
  Conduct ... 12
  Cyber Crime ... 12
  Government Action ... 13
  Infrastructure ... 13
  Insured vs. Insured ... 13
  Intellectual Property ... 13
  Labor Disputes ... 13
  Licensing And Royalties ... 13
  Ownership Rights ... 13
  Physical Peril ... 13
  Pollution ... 14
  Prior Acts ... 14
  Prior Matters ... 14
  Property Damage ... 14
  Securities Laws ... 14
  Unlawful Collection ... 15
  Unsolicited Communications ... 15
  War ... 15

Limits And Retentions ... 15
  Limit Of Insurance ... 15
  Retention ... 15

Other Conditions ... 16
  Allocation ... 16
  Cancelation And Nonrenewal ... 16
  Change Of Structure ... 16
  Claim Defense ... 16
  Cyber Crime And Business Loss Change ... 17
  ERP – Automatic ... 17
  ERP – Optional ... 17
  Extended Discovery Period ... 17
  Income Loss Appraisal ... 18
  Notice Of Claim ... 18
  Notice Of First Party Event ... 18
  Other Insurance ... 18
  Property Covered ... 18
  Recovery And Subrogation ... 19
  Related Claims ... 19
  Representations ... 19
  Settlement ... 19
  Subsidiaries ... 19
  Suits Against The Insurer – Cyber Crime ... 20
  Valuation Under First Party Insuring Agreements ... 20

CYB-16001 Rev. 06-20 © 2020 The Travelers Indemnity Company. All rights reserved. Page 1 of 20

CyberRisk Coverage

Only the Insuring Agreements with Limits shown in the CyberRisk Declarations apply.

Liability Insuring Agreements

Privacy And Security. The Insurer will pay Loss on behalf of the Insured, resulting from a Claim that is first made during the Policy Period, or any applicable extended reporting period, for a Privacy And Security Act.

Media. The Insurer will pay Loss on behalf of the Insured, resulting from a Claim that is first made during the Policy Period, or any applicable extended reporting period, for a Media Act.

Regulatory Proceedings. The Insurer will pay Defense Costs and Regulatory Costs on behalf of the Insured, resulting from a Regulatory Proceeding that is first commenced during the Policy Period, or any applicable extended reporting period, for a Privacy And Security Act or Media Act.

Breach Response Insuring Agreements

Privacy Breach Notification. The Insurer will reimburse, or pay on behalf of, the Insured for Privacy Breach Notification Costs resulting from an actual or suspected Privacy Breach that is Discovered during the Policy Period, or any extended discovery period.

Computer And Legal Experts. The Insurer will reimburse, or pay on behalf of, the Insured for Computer And Legal Expert Costs resulting from an actual or suspected:
1. Privacy Breach;
2. Security Breach; or
3. Cyber Extortion Threat,
that is Discovered during the Policy Period, or any extended discovery period.

Betterment. The Insurer will reimburse the Insured for Betterment Costs, following a Security Breach that is Discovered during the Policy Period.

Cyber Extortion. The Insurer will reimburse, or pay on behalf of, the Insured for Cyber Extortion Costs, resulting from a Cyber Extortion Threat that is Discovered during the Policy Period.

Data Restoration. The Insurer will reimburse, or pay on behalf of, the Insured for Restoration Costs, directly caused by a Security Breach that is Discovered during the Policy Period.

Public Relations. The Insurer will reimburse, or pay on behalf of, the Insured for Public Relations Costs, resulting from an actual or suspected:
1. Privacy And Security Act; or
2. Media Act,
that is Discovered during the Policy Period, or any extended discovery period.

Cyber Crime Insuring Agreements

Computer Fraud. The Insurer will pay the Insured Entity for its direct loss of Money, Securities, or Other Property, directly caused by Computer Fraud that is Discovered during the Policy Period.

Funds Transfer Fraud. The Insurer will pay the Insured Entity for its direct loss of Money or Securities, directly caused by Funds Transfer Fraud that is Discovered during the Policy Period.

Social Engineering Fraud. The Insurer will pay the Insured Entity for its direct loss of Money or Securities, directly caused by Social Engineering Fraud that is Discovered during the Policy Period.

Telecom Fraud. The Insurer will pay the Insured Entity for its Telecom Charges, directly caused by Telecom Fraud that is Discovered during the Policy Period.

Business Loss Insuring Agreements

Business Interruption. The Insurer will pay the Insured for its Business Interruption Loss that is directly caused by any of the following, if Discovered during the Policy Period:
1. A Security Breach that results in a total or partial interruption of a Computer System.
2. A System Failure, if applicable.
3. The voluntary shutdown of a Computer System by the Insured, if it is reasonably necessary to minimize the Loss caused by a Security Breach or Privacy Breach in progress.

Dependent Business Interruption. The Insurer will pay the Insured for its Business Interruption Loss, directly caused by an IT Provider Breach that is Discovered during the Policy Period.

Reputation Harm. The Insurer will pay the Insured for its Reputation Harm, directly caused by an Adverse Media Report or Notification that:
1. first occurs during, or within 60 days after, the Policy Period; and
2. directly relates to a Privacy Breach or Security Breach that is Discovered during the Policy Period.

Definitions

Accounting Costs. Means the reasonable fees or costs of a forensic accounting firm, incurred by the Insured Entity, to calculate Income Loss, even if such calculation shows there has been no Income Loss.

Additional Insured. Means a person or entity, not otherwise an Insured, with whom the Insured Entity has entered into a written agreement to include as an Insured, but only for Wrongful Acts:
1. by, or on behalf of, the Insured Entity under such agreement; and
2. that occur after the Insured Entity has executed such agreement.

Adverse Media Report. Means any communication of an actual or potential Privacy Breach or Security Breach by a media outlet. Multiple Adverse Media Reports regarding the same Privacy Breach or Security Breach are deemed one Adverse Media Report.

Approved Provider. Means a service provider approved by the Insurer in writing to the Insured.

Automatic ERP. Means a 90-day extended reporting period starting on the effective date this Coverage is canceled or not renewed.

Betterment Costs.
1. Means the reasonable costs incurred and paid by the Insured, with the Insurer’s written consent, for hardware or software to improve a Computer System after a Security Breach, if:
   a. the Security Breach has been stopped or contained, and resulted in covered Computer And Legal Expert Costs;
   b. the Approved Provider that provided computer services in response to such Security Breach:
      i. has identified a weakness in a Computer System that caused, or contributed to, the Security Breach; and
      ii. recommends the improvements to prevent a future Security Breach from exploiting such weakness; and
   c. such improvements are incurred and paid for by the Insured within the earlier of 90 days after:
      i. the recommendation by the Approved Provider; or
      ii. the end of the Policy Period.
Costs for improvements that are subject to a license, lease, or subscription will be limited to the pro rata portion of such costs for the first 12 months.
2. Does not include wages, benefits, or overhead of any Insured.

Business Interruption Loss.
1. Means:
   a. Income Loss and Extra Expense incurred or paid by the Insured Entity during the Period Of Restoration; and
   b. Accounting Costs, if the Insured Entity’s business operations are interrupted beyond the Wait Period.
2. Does not include loss arising out of harm to the Insured Entity’s reputation.

Change Of Control. Means when:
1. more than 50% of the Named Insured’s assets are acquired; or
2. the Named Insured is merged with, or consolidated into, another entity, and the Named Insured is not the surviving entity.

Claim. Means:
1. a written demand for monetary or nonmonetary relief, including injunctive relief, commenced by an Insured’s receipt of such written demand;
2. a civil proceeding, commenced by the service of a complaint or similar pleading;
3. an arbitration, mediation, or similar alternative dispute resolution proceeding, commenced by the service of an arbitration petition or similar legal document;
4. a written request to toll or waive a statute of limitations relating to a potential civil or administrative proceeding, commenced by an Insured’s receipt of such written request; or
5. for the Regulatory Proceedings Insuring Agreement only, a Regulatory Proceeding, commenced by:
   a. the filing of charges;
   b. the filing of an investigative order;
   c. the service of a summons; or
   d. the service or filing of a similar document,
against an Insured for a Wrongful Act.
Except under Other Conditions, Notice Of Claim, a Claim is deemed made when commenced.

Client. Means a person or entity to whom the Insured Entity:
1. provides goods; or
2. performs services,
for a fee, or under a written agreement.

Computer And Legal Expert Costs.
1. Means the reasonable fees or costs incurred or paid by the Insured for services recommended and provided by an Approved Provider, to:
   a. conduct a forensic analysis to determine the existence and cause of a Privacy Breach, Security Breach, or Cyber Extortion Threat;
   b. determine whose Confidential Information was lost or stolen; or accessed or disclosed without authorization;
   c. contain or stop a Privacy Breach or Security Breach in progress;
   d. certify the Computer System meets Payment Card Security Standards, if a Security Breach Discovered during the Policy Period results in noncompliance with such standards, but only for the first certification; or
   e. provide legal services to respond to a Privacy Breach or Security Breach.
2. Does not include Defense Costs or Privacy Breach Notification Costs.

Computer Fraud.
1. Means an intentional, unauthorized, and fraudulent entry or change of data or computer instructions, directly into or within, a Computer System, that:
   a. is not made by an Insured Person, an Independent Contractor, or any other person under the direct supervision of the Insured; and
   b. causes Money, Securities, or Other Property to be transferred, paid, or delivered from inside the Insured Entity’s premises or the Insured Entity’s financial institution premises to a place outside of such premises.
2. Does not include Social Engineering Fraud.

Computer System. Means a computer and connected input, output, processing, storage, or communication device, or related network, operating system, website, or application software, that is:
1. under the operational control of, and owned by, licensed to, or leased to:
   a. the Insured Entity; or
   b. an Insured Person, while authorized by, and transacting business on behalf of, the Insured Entity, except under the Betterment or Data Restoration Insuring Agreements, or any Cyber Crime Insuring Agreement; or
2. operated by an IT Provider, but only the portion of such computer system used to provide hosted computer resources to the Insured Entity, except under the Betterment or Business Interruption Insuring Agreements.

Confidential Information. Means a third party’s or Insured Person’s private or confidential information that is in the care, custody, or control of the Insured Entity, or a service provider acting on behalf of the Insured Entity.

Covered Material.
1. Means content that is created or disseminated, via any form or expression, by, or on behalf of, the Insured Entity.
2. Does not include:
   a. tangible product designs; or
   b. content created or disseminated by the Insured Entity on behalf of a third party.

Cyber Extortion Costs.
1. Means, with the Insurer’s prior written consent:
   a. Ransom, in direct response to a Cyber Extortion Threat;
   b. reasonable amounts incurred or paid by the Insured in the process of paying, or attempting to pay, Ransom; or
   c. reasonable amounts incurred or paid by the Insured, recommended by an Approved Provider, to mitigate Ransom.
2. Does not include Computer And Legal Expert Costs or Restoration Costs.

Cyber Extortion Threat. Means a threat to:
1. access or disclose:
   a. Confidential Information; or
   b. an Insured Entity’s information without authorization; or
2. commit or continue a Security Breach,
made against the Insured Entity for Ransom.

Defense Costs.
1. Means reasonable fees and costs incurred by the Insurer, or the Insured with the Insurer’s prior written consent, in the:
   a. investigation;
   b. defense;
   c. settlement; or
   d. appeal,
   of a Claim.
2. Includes up to $1,000 per day for loss of earnings due to an Insured Person’s attendance in court, if at the Insurer’s request.
3. Does not include wages, benefits, or overhead of the Insurer or of the Insured.

Discover, Discovered, Discovery. Means when an Executive Officer first becomes aware of facts that would cause a reasonable person to assume that a First Party Loss has been or will be incurred, regardless of when the act or acts causing or contributing to such First Party Loss occurred, even though the exact amount or details of such First Party Loss may not then be known.

Employee.
1. Means a natural person while their labor is engaged and directed by the Insured Entity, and who is:
   a. a full-time, part-time, seasonal, or temporary worker compensated directly by the Insured Entity through wages, salaries, or commissions;
   b. a volunteer, student, or intern; or
   c. a worker whose services have been leased to the Insured Entity by a labor leasing firm under a written agreement.
2. Does not include any:
   a. agent;
   b. broker;
   c. consignee;
   d. independent contractor; or
   e. representative,
   of the Insured Entity.

Executive Officer. Means a natural person while acting as the Insured Entity’s:
1. chief executive officer;
2. chief financial officer;
3. chief information security officer;
4. risk manager;
5. in-house general counsel; or
6. the functional equivalent of 1 through 5.

Extra Expense. Means reasonable costs incurred by the Insured Entity, with the Insurer’s written consent, that:
1. result from a First Party Event;
2. are in excess of the Insured Entity’s normal operating costs;
3. are intended to reduce Income Loss; and
4. would not have been incurred had there been no First Party Event.

First Party Event.
1. Means:
   a. Computer Fraud;
   b. Cyber Extortion Threat;
   c. Funds Transfer Fraud;
   d. IT Provider Breach;
   e. Media Act;
   f. Privacy Breach;
   g. Security Breach;
   h. Social Engineering Fraud;
   i. System Failure; or
   j. Telecom Fraud.
2. First Party Events that have a common:
   a. nexus;
   b. set of facts;
   c. circumstance;
   d. situation;
   e. event; or
   f. decision,
   are deemed a single First Party Event.

First Party Insuring Agreements. Means the:
1. Breach Response Insuring Agreements;
2. Business Loss Insuring Agreements; and
3. Cyber Crime Insuring Agreements.

First Party Loss.
1. Means:
   a. Betterment Costs;
   b. Business Interruption Loss;
   c. Computer And Legal Expert Costs;
   d. Cyber Extortion Costs;
   e. Money;
   f. Other Property;
   g. Privacy Breach Notification Costs;
   h. Public Relations Costs;
   i. Reputation Harm;
   j. Restoration Costs;
   k. Securities; or
   l. Telecom Charges.
2. Other than Accounting Costs, does not include amounts:
   a. to establish First Party Loss; or
   b. to prepare the Insured Entity’s Proof of Loss.

Funds Transfer Fraud.
1. Means a fraudulent instruction that:
   a. is electronically sent to a financial institution that is not an Insured, at which the Insured Entity maintains an account;
   b. directs the transfer, payment, or delivery of Money or Securities from the Insured Entity’s account;
   c. is purportedly sent by the Insured Entity;
   d. is sent by someone, other than an Insured; and
   e. is sent without the Insured Entity’s knowledge or consent.
2. Does not include Social Engineering Fraud.

Impacted Parties. Means the persons or entities whose Confidential Information was, or is suspected to have been, stolen or lost, or accessed or disclosed without authorization.

Income Loss.
1. Means pretax net profit the Insured Entity did not earn, and net loss the Insured Entity incurred, because of a First Party Event. Continuing normal and necessary operating expenses and payroll are part of the pretax net profit or net loss calculation.
2. Does not include:
   a. Extra Expense;
   b. contractual penalties;
   c. costs incurred to replace or improve a Computer System to a level of functionality beyond what existed prior to the First Party Event;
   d. costs incurred to identify or remediate computer system errors or vulnerabilities;
   e. interest or investment income; or
   f. loss incurred due to unfavorable business conditions not related to the First Party Event.

Independent Contractor. Means a natural person, other than an Employee, while performing services for the Insured Entity under a written agreement.

Insured. Means:
1. Insured Persons;
2. Insured Entities; or
3. for the Liability Insuring Agreements only, also includes Additional Insureds.

Insured Entity. Means:
1. the Named Insured; or
2. Subsidiaries.

Insured Person. Means:
1. Employees;
2. natural persons while:
   a. officers;
   b. partners;
   c. the sole proprietor;
   d. in-house general counsel; or
   e. members of a board of directors, trustees, or governors,
   of the Insured Entity; or
3. for the Liability Insuring Agreements only, also includes Independent Contractors.

IT Provider. Means an entity while under a written agreement with the Insured Entity to provide it with:
1. hosted computer application services;
2. cloud services or computing;
3. electronic data hosting, back-up, storage, and processing;
4. co-location services;
5. platform-as-a-service; or
6. software-as-a-service.

IT Provider Breach. Means:
1. unauthorized access to;
2. use of authorized access to cause intentional harm to;
3. a denial-of-service attack against; or
4. the introduction of a Virus into,
an IT Provider’s computer system, resulting in total or partial interruption.

Loss.
1. Means:
   a. Defense Costs;
   b. damages, judgments, settlements, or prejudgment or postjudgment interest, that an Insured is legally obligated to pay as a result of a Claim, including:
      i. court awarded legal fees; and
      ii. punitive or exemplary damages, or the multiple portion of a multiplied damage award, to the extent insurable under the most favorable applicable law;
   c. Payment Card Contract Penalties;
   d. for the Regulatory Proceedings Insuring Agreement, means Regulatory Costs; or
   e. for First Party Insuring Agreements, means First Party Loss.
2. Loss does not include voluntary payments made by the Insured with respect to a Claim.
3. Loss, other than Defense Costs, does not include:
   a. civil or criminal fines, penalties, sanctions, or taxes, except for:
      i. Payment Card Contract Penalties; or
      ii. Regulatory Costs;
   b. amounts uninsurable under applicable law;
   c. restitution, return, or disgorgement of any profits;
   d. liquidated damages in excess of the amount for which the Insured would be liable absent the liquidated damages provision of a contract; or
   e. the cost of complying with injunctive or nonmonetary relief.

Media Act. Means, in Covered Material:
1. the unauthorized use of copyright, title, slogan, trademark, trade dress, service mark, domain name, logo, or service name;
2. the unauthorized use of a literary or artistic format, character, or performance;
3. a violation of an individual’s right of privacy or publicity;
4. defamation, libel, slander, trade libel, or other tort related to disparagement or harm to the reputation or character of any person or entity;
5. the misappropriation of ideas under an implied contract;
6. improper deep-linking or framing; or
7. unfair competition, when alleged in connection with 1 through 6.

Merchant Service Agreement. Means a contract between the Insured Entity and an acquiring bank, or other acquiring institution, that establishes the terms and conditions for accepting and processing payment card transactions.

Money.
1. Means:
   a. currency, coins, or bank notes in circulation;
   b. bullion;
   c. Virtual Currency;
   d. traveler’s checks;
   e. certified or cashier’s checks; or
   f. money orders.
2. Does not include Securities.

Notification. Means written notice to Impacted Parties about a Privacy Breach or Security Breach. Multiple Notifications about the same Privacy Breach or Security Breach are deemed one Notification.

Optional ERP. Means an extended reporting period for the time shown in the Optional ERP Endorsement starting on the effective date this Coverage is:
1. canceled; or
2. not renewed.

Other Property. Means tangible property, other than Money or Securities that has intrinsic value.

Payment Card Contract Penalties. Means fines, penalties, or assessments imposed under a Merchant Service Agreement against an Insured Entity for noncompliance with Payment Card Security Standards.

Payment Card Security Standards.
Means the Payment Card Industry Data Security Standard (PCI-DSS), or similar standard, to which the Insured Entity has agreed in a Merchant Service Agreement.

Period Of Indemnity. Means the Period Of Indemnity shown in the CyberRisk Declarations. It begins on the earlier of the date of the first:
1. Notification; or
2. Adverse Media Report,
whichever is earlier.

Period Of Restoration. Means the period of time that begins after the Wait Period ends, and ends on the earlier of:
1. the expiration of the Period Of Restoration shown in the CyberRisk Declarations; or
2. when the Insured Entity’s business operations have been restored for a consecutive 24-hour period to the level of operation that existed immediately before the First Party Event.

Policy Period. Means the Policy Period shown in the Declarations, which is subject to the cancelation of this Policy.

Pollutant. Means a solid, liquid, gaseous, or thermal irritant or contaminant, including smoke, vapor, soot, fumes, acids, alkalis, chemicals, and waste. Waste includes materials to be recycled, reconditioned, or reclaimed.

Potential Claim. Means conduct or circumstances that could reasonably be expected to give rise to a Claim.

Privacy And Security Act. Means:
1. the failure to prevent a Privacy Breach;
2. the failure to destroy Confidential Information;
3. a violation of law, when alleged in connection with 1 or 2;
4. the failure to provide Notification required by law;
5. the failure to comply with a Privacy Policy;
6. the unauthorized, unlawful, or wrongful collection of Confidential Information; or
7. the failure to prevent a Security Breach, directly resulting in the:
   a. alteration or deletion of Confidential Information;
   b. transmission of a Virus into a computer or network system that is not a Computer System;
   c. participation in a denial-of-service attack directed against a computer or network system that is not a Computer System; or
   d. failure to provide an authorized user with access to a Computer System.

Privacy Breach. Means the loss or theft of, or unauthorized access to or disclosure of, Confidential Information.

Privacy Breach Notification Costs. Means reasonable costs or fees incurred or paid by an Insured Entity, voluntarily or as required by agreement or law, for:
1. printing and delivering notice to;
2. providing credit or identity monitoring for up to 24 months, or longer where required by law, to;
3. call center services for;
4. the costs to purchase an identity fraud insurance policy to benefit natural persons who are; or
5. with the Insurer’s prior written consent, other services to mitigate Loss or provide notice to,
Impacted Parties, if recommended and provided by an Approved Provider.

Privacy Policy. Means the Insured Entity’s publicly available written policies or procedures regarding Confidential Information.

Public Relations Costs. Means reasonable costs or fees for public relations services recommended and provided by an Approved Provider to mitigate or prevent negative publicity.

Ransom.
1. Means:
   a. Money;
   b. Securities; or
   c. the fair market value of property or services,
   paid or surrendered by, or on behalf of, the Insured.
2. Will be valued as of the date paid or surrendered.

Regulatory Costs. Means:
1. civil money fines;
2. civil penalties; or
3. amounts deposited in a consumer redress fund,
imposed in a Regulatory Proceeding, to the extent insurable under the most favorable applicable law.

Regulatory Proceeding. Means an administrative or regulatory proceeding, or a civil investigative demand, brought by a domestic or foreign governmental entity.

Reputation Harm. Means damage to the Insured Entity’s reputation incurred during the Period Of Indemnity that results in Income Loss, other than the value of:
1. coupons;
2. price discounts;
3. prizes;
4. awards; or
5. consideration given by the Insured in excess of the contracted or expected amount.

Restoration Costs.
1. Means the reasonable amounts incurred or paid by the Insured, with the Insurer’s prior written consent:
   a. to restore or recover damaged or destroyed computer programs, software, or electronic data stored within a Computer System, to its condition immediately before a Security Breach; or
   b. to determine that such computer programs, software, or electronic data cannot reasonably be restored or recovered.
2. Does not include:
   a. costs to recover or replace computer programs, software, or electronic data that the Insured did not have a license to use;
   b. costs to design, update, or improve the operation of computer programs or software;
   c. costs to recreate work product, research, or analysis; or
   d. wages, benefits, or overhead of the Insured.

Run-Off Period. Means the period starting on the date of the Change Of Control to the end of the Policy Period.

Securities. Means written agreements representing Money or property, other than Virtual Currency.

Security Breach. Means:
1. the unauthorized access to;
2. the use of authorized access to cause intentional harm to;
3. a denial-of-service attack against; or
4. the introduction of a Virus into,
a Computer System.

Social Engineering Fraud. Means intentionally misleading an Insured Person, by providing an instruction that:
1. is not made by an Insured;
2. is purportedly from a Vendor, Client, or Insured Person;
3. directs the Insured Person to transfer, pay, or deliver Money or Securities;
4. contains a misrepresentation of material fact; and
5. is relied upon by the Insured Person, believing the material fact to be true.

Subsidiary. Means:
1. an entity while the Named Insured owns more than 50% of the outstanding securities or voting rights representing the right to select the entity’s board of directors, or functional equivalent;
2. a nonprofit entity while the Named Insured exercises management control over such entity; or
3. an entity while the Named Insured owns exactly 50%, as a joint venture, and while an Insured Entity controls the entity’s management and operations under a written agreement.

System Failure. Means an accidental, unintentional, and unplanned total or partial interruption of a Computer System, not caused by:
1. a Security Breach; or
2. a total or partial interruption of a third party computer system or network.

Telecom Charges. Means amounts charged to the Insured Entity for telephone services by its telephone service provider.

Telecom Fraud. Means the unauthorized access to, or use of, the Insured Entity’s telephone system by a person or entity other than an Insured Person.

Vendor. Means a person or entity that provides goods or services to the Insured Entity under an agreement.

Virtual Currency.
1. Means a publicly available digital or electronic medium of exchange used and accepted as a means of payment.
2. Does not include:
   a. coupons;
   b. discounts;
   c. gift cards;
   d. rebates;
   e. reward points; or
   f. similar mediums of exchange.

Virus. Means malicious code that could destroy, or change the integrity or performance of, electronic data, software, or operating systems.

Wait Period. Means the Wait Period shown in the CyberRisk Declarations.
It begins when a total or partial interruption to an Insured Entity’s business operations is caused by a First Party Event. A separate Wait Period applies to each unrelated First Party Event.

Wrongful Act.
1. Means any:
   a. Media Act; or
   b. Privacy And Security Act.
2. All Wrongful Acts that share a common:
   a. nexus;
   b. set of facts;
   c. circumstance;
   d. situation;
   e. event; or
   f. decision,
   are deemed a single Wrongful Act that occurred at the time the first such Wrongful Act occurred.

Exclusions

Assumed Liability.
1. The Insurer will not pay Loss arising out of liability assumed by an Insured.
2. This does not apply:
   a. when the Insured would have been liable in the absence of such assumption of liability;
   b. to a Claim for Payment Card Contract Penalties;
   c. to Privacy Breach Notification Costs; or
   d. to any privacy or confidentiality obligation that the Insured has agreed to under a Privacy Policy or nondisclosure agreement.

Bodily Injury.
1. The Insurer will not pay Loss for:
   a. bodily injury;
   b. sickness;
   c. disease;
   d. death; or
   e. loss of consortium.
2. This does not apply to:
   a. emotional distress;
   b. mental anguish;
   c. humiliation; or
   d. loss of reputation.

Conduct.
1. The Insurer will not pay Loss arising out of an Insured’s:
   a. intentionally dishonest or fraudulent act or omission; or
   b. willful violation of law or regulation.
2. This does not apply to:
   a. Defense Costs; or
   b. Loss other than Defense Costs, unless a final nonappealable adjudication in the underlying action establishes such conduct occurred.
3. In applying this exclusion, knowledge or conduct of an Insured will not be imputed to another Insured, except that knowledge or conduct of an Executive Officer will be imputed to the Insured Entity.

Cyber Crime. The Cyber Crime Insuring Agreements do not apply to:
1. indirect or consequential loss;
2. potential income, including interest and dividends, not realized by an Insured or Client;
3. loss of confidential information;
4. loss of intellectual property;
5. loss resulting from the use or purported use of credit, debit, charge, access, convenience, identification, or other cards;
6. loss resulting from a fraudulent instruction, if the sender or anyone acting in collusion with the sender, ever had authorized access to the Insured's password, PIN, or other security code;
7. amounts the Insured incurs without a legal obligation to do so;
8. loss resulting from forged, altered, or fraudulent negotiable instruments, securities, documents, or instructions used as source documentation to enter electronic data or send instructions, provided this does not apply to the Social Engineering Fraud Insuring Agreement;
9. loss resulting from the failure of any party to perform under any contract; or
10. loss due to any nonpayment of, or default upon, any loan, extension of credit, or similar promise to pay.

Government Action. The Insurer will not pay Loss arising out of:
1. seizure;
2. confiscation;
3. nationalization;
4. requisition; or
5. destruction of property,
by or under the order of domestic or foreign government authority.

Infrastructure. The Insurer will not pay Loss arising out of a total or partial interruption or failure of any:
1. satellite;
2. electrical or mechanical system;
3. electric, gas, water, or other utility;
4. cable, telecommunications, or Internet service provider; or
5. other infrastructure,
except when such is under the Insured’s control.

Insured vs. Insured.
1. The Insurer will not pay Loss for a Claim brought by or on behalf of:
   a. an Insured; or
   b. an entity that, at the time the Wrongful Act occurs, or the date the Claim is made:
      i. is owned, operated, or controlled by any Insured; or
      ii. owns, operates, or controls any Insured.
2. This does not apply to a Claim:
   a. by an Insured Person for contribution or indemnity, if resulting from another covered Claim; or
   b. by or on behalf of an Insured Person or Additional Insured who did not commit or participate in the Wrongful Act.

Intellectual Property. The Insurer will not pay Loss arising out of an Insured’s misappropriation, infringement, or violation of:
1. copyrighted software;
2. patent rights or laws; or
3. trade secret rights or laws.

Labor Disputes. The Insurer will not pay Loss under the Business Loss Insuring Agreements arising out of labor disputes.

Licensing And Royalties. The Insurer will not pay Loss arising out of any obligation to pay licensing fees or royalties.

Ownership Rights. The Insurer will not pay Loss for a Claim by, or on behalf of, an independent contractor, joint venturer, or venture partner arising out of disputes over ownership rights in Covered Material.

Physical Peril. The Insurer will not pay Loss arising out of:
1. fire, smoke, or explosion;
2. lightning, wind, rain, or hail;
3. surface water, waves, flood, or overflow of any body of water;
4. earthquake, earth movement, or earth sinking;
5. mudslide, landslide, erosion, or volcanic eruption;
6. collapse, wear and tear, rust, corrosion, or deterioration;
7. magnetic or electromagnetic fields;
8. extremes of temperature or humidity; or
9. any similar physical event or peril.

Pollution. The Insurer will not pay Loss arising out of:
1. the actual, alleged, or threatened discharge, dispersal, seepage, migration, release, or escape of a Pollutant;
2. a request, demand, order, or statutory, or regulatory requirement that an Insured or others test for, monitor, clean up, remove, contain, treat, detoxify, or neutralize, or in any way respond to, or assess, the effects of, a Pollutant; or
3. testing for, monitoring, cleaning up, removing, containing, treating, detoxifying, or neutralizing, or in any way responding to, or assessing the effects of, a Pollutant.

Prior Acts. The Insurer will not pay Loss arising out of a Wrongful Act that occurs prior to the Retro Date shown in the CyberRisk Declarations.

Prior Matters. The Insurer will not pay Loss arising out of any fact, circumstance, situation, event, or Wrongful Act:
1. that is, or reasonably would be regarded as, the basis for a Claim under the Liability Insuring Agreements about which any Executive Officer had knowledge prior to the Knowledge Date shown in the CyberRisk Declarations;
2. that, prior to the Inception date shown in the Declarations, was the subject of any notice of claim, or circumstance, given by or on behalf of any Insured and accepted under any policy of insurance that this Coverage directly renews, replaces, or succeeds in time; or
3. previously alleged in a civil, criminal, administrative, or regulatory proceeding against any Insured prior to the P&P Date shown in the CyberRisk Declarations.

Property Damage.
1. The Insurer will not pay Loss under the Liability or Breach Response Insuring Agreements for the:
   a. damage to;
   b. destruction of;
   c. loss of; or
   d. loss of use of,
   any tangible property.
2. The Insurer will not pay Loss under the Cyber Crime or Business Loss Insuring Agreements arising out of the:
   a. damage to;
   b. destruction of;
   c. loss of; or
   d. loss of use of,
   any tangible property, other than loss of Other Property covered under the Computer Fraud Insuring Agreement.

Securities Laws. The Insurer will not pay Loss arising out of:
1. a violation of a securities law or regulation; or
2. except under the Cyber Crime Insuring Agreements:
   a. the ownership of;
   b. the sale or purchase of; or
   c. the offer to sell or purchase,
   stock or other securities.

Unlawful Collection.
1. The Insurer will not pay Loss arising out of the collection of Confidential Information in violation of law.
2. This does not apply to Defense Costs.

Unsolicited Communications.
1. The Insurer will not pay Loss arising out of a violation of a law that restricts or prohibits unsolicited communications.
2. This does not apply to a Security Breach under the Breach Response Insuring Agreements.

War.
1. The Insurer will not pay Loss arising out of:
   a. war, including undeclared or civil war;
   b. warlike action, including action in hindering or defending against an actual or expected attack, by any government, military force, sovereign, or other authority using military personnel or other agents; or
   c. insurrection, rebellion, revolution, usurped power, or action taken by governmental authority in hindering or defending against any of these.
2. This does not apply to an actual or threatened attack against a Computer System with intent to cause harm, or further social, ideological, religious, political, or similar objectives, except when in support of 1a through 1c.

Limits And Retentions

Limits Of Insurance.
1. The most the Insurer will pay for all Loss is the CyberRisk Aggregate Limit shown in the CyberRisk Declarations.
2. The most the Insurer will pay for all Loss under an Insuring Agreement is the applicable Limit for such Insuring Agreement shown in the CyberRisk Declarations; but:
   a. The most the Insurer will pay for all Payment Card Contract Penalties is the Payment Card Costs Limit shown in the CyberRisk Declarations, which is within and will reduce the Privacy And Security Limit.
   b. The most the Insurer will pay for all Business Interruption Loss that results from a System Failure is the System Failure Limit shown in the CyberRisk Declarations, which is within and will reduce the Business Interruption Limit.
   c. Payment of Loss under the Dependent Business Interruption Insuring Agreement and Reputation Harm Insuring Agreement is within and will reduce, the remaining Business Interruption Limit.
   d. The most the Insurer will pay for all Accounting Costs is the Accounting Costs Limit shown in the CyberRisk Declarations, which is within and will reduce the Limit for the applicable Business Loss Insuring Agreement.
   e. If a Betterment Coparticipation percentage is shown in the CyberRisk Declarations, such percentage of Betterment Costs will be paid by the Insured. The Insurer will pay the remaining Betterment Costs, up to the Betterment Limit shown in the CyberRisk Declarations.
3. The most the Insurer will pay for all Loss with respect to an Additional Insured is the limit agreed to in the agreement between such Additional Insured and the Insured Entity, or the applicable Limit shown in the CyberRisk Declarations, whichever is less.
4. If the CyberRisk Declarations indicates that a Shared Limit applies, the most the Insurer will pay under all Shared Coverages is the Shared Limit shown in the Shared Limit Declarations.
5. Once the CyberRisk Aggregate Limit or Shared Limit is exhausted, the premium is fully earned, and all obligations of the Insurer, including any duty to defend, will cease.

Retention.
1. The Insurer will only pay Loss once the applicable Retention shown in the CyberRisk Declarations has been paid by the Insured.
2. Except for the Betterment Insuring Agreement, if multiple Retentions apply to:
   a. a Claim;
   b. a First Party Event; or
   c. Claims and First Party Events that share a common nexus, set of facts, circumstance, situation, event, or decision,
   the Insured will not pay more than the amount of the largest applicable Retention.
3. The Insured Person is deemed indemnified by the Insured Entity to the extent permitted or required by law, written agreement, or the by-laws of the Insured Entity. For the Liability Insuring Agreements, no Retention will apply to an Insured Person if indemnification by the Insured Entity is:
   a. not permitted by law; or
   b. not possible due to the financial insolvency of such Insured Entity.
4. The Insurer may pay any amount of Retention. In such event, the Insured agrees to repay the Insurer such amounts.

Other Conditions

Allocation.
1. Subject to Other Conditions, Settlement, if an Insured incurs:
   a. Loss jointly with others who are not covered for a Claim; or
   b. Loss covered and loss not covered by this Coverage because a Claim includes both covered and uncovered matters,
   then the Insured and the Insurer will use their best efforts to allocate such amount between covered Loss and uncovered loss based upon the relative legal and financial exposures of the parties to covered and uncovered matters.
2. If the CyberRisk Declarations shows that the Insurer has the duty to defend Claims, all Defense Costs will be allocated to covered Loss.

Cancelation And Nonrenewal.
1. The Insurer will cancel this Coverage only if premium is not paid when due. If nonpayment occurs, the Insurer will give at least 20 days written notice of cancelation to the Named Insured. Unless payment is received when due, this Coverage will be canceled.
2. The Named Insured may cancel any part of this Coverage by giving advanced written notice to the Insurer, stating when such cancelation will be effective.
3. If any part of this Coverage is canceled, the Insurer will refund the unearned premium on a pro rata basis.
4. The Insurer is not required to renew this Coverage upon its expiration. If the Insurer elects not to renew, it will provide the Named Insured written notice to that effect at least 60 days before the Expiration date shown in the Declarations.

Change Of Structure.
1. Under the Liability and Breach Response Insuring Agreements, if a Change Of Control occurs during the Policy Period, the coverage will continue for the Run-Off Period.
2. Coverage during the Run-Off Period is only for Wrongful Acts or First Party Events occurring before such Change Of Control.
3. Under the Cyber Crime and Business Loss Insuring Agreements, if an entity ceases to be an Insured Entity during the Policy Period, First Party Loss is only covered if:
   a. such First Party Loss is sustained; and
   b. the applicable First Party Event is Discovered,
   prior to the time such entity ceased to be an Insured Entity.
4. The Named Insured may request to extend the time of the Run-Off Period.

Claim Defense.
1. If the CyberRisk Declarations shows that the Insurer has the duty to defend Claims, the Insurer:
   a. has the right and duty to defend covered Claims, even if groundless or false;
   b. has the right to select defense counsel for such Claims; and
   c. has no duty to defend, or to continue to defend, Claims after the applicable Limit has been exhausted.
2. If the CyberRisk Declarations shows that the Insurer does not have the duty to defend Claims:
   a. the Insured has the duty to defend Claims;
   b. the Insurer has the right to participate in the selection of defense counsel;
   c. the Insurer has the right to participate in the investigation, defense, and settlement of such Claims;
   d. subject to the applicable Limit, the Insurer will reimburse the Insured for Defense Costs;
   e. upon written request, the Insurer will advance Defense Costs; and
   f. advanced Defense Costs will be repaid to the Insurer to the extent that the Insured is not entitled to such payment.
3. With respect to a Claim, the Insured will not, without the Insurer’s prior written consent:
   a. make an offer to settle, or settle, a Claim;
   b. admit liability; or
   c. except at the Insured’s own cost, make a voluntary payment, pay or incur Defense Costs or other expense, or assume any obligation.

Cyber Crime And Business Loss Change. The Cyber Crime and Business Loss Insuring Agreements will end upon:
1. a Change Of Control; or
2. the voluntary liquidation or dissolution of the Named Insured.

ERP – Automatic.
1. The Automatic ERP applies without additional premium.
2. Claims resulting from Wrongful Acts that occur prior to cancelation or nonrenewal can be made and reported to the Insurer during the Automatic ERP. Such Claim is deemed reported on the last day of the Policy Period.
3. The most the Insurer will pay for Loss resulting from Claims reported during the Automatic ERP is the remaining portion of the applicable Limit shown in the CyberRisk Declarations as of the effective date of cancelation or nonrenewal.

ERP – Optional.
1. The Named Insured may elect to purchase an Optional ERP shown in the CyberRisk Declarations for any reason other than nonpayment of premium. The Optional ERP will only take effect if:
   a. the Insurer receives written notice of such election no later than 90 days after cancelation or nonrenewal; and
   b. the additional premium for the Optional ERP is paid when due.
2. Claims or Potential Claims resulting from Wrongful Acts that occur prior to cancelation or nonrenewal can be made and reported to the Insurer during the Optional ERP. Such Claim or Potential Claim is deemed reported on the last day of the Policy Period.
3. For the Privacy Breach Notification, Computer And Legal Experts, and Public Relations Insuring Agreements, First Party Loss that results from a First Party Event occurring prior to cancelation or nonrenewal can be Discovered during the Optional ERP. Such First Party Event is deemed Discovered on the last day of the Policy Period.
4. The premium due for the Optional ERP is shown in the CyberRisk Declarations. Such premium is fully earned at the start of the Optional ERP.
5. The most the Insurer will pay for Loss resulting from Claims made, or First Party Events Discovered, during the Optional ERP is the remaining portion of the applicable Limit shown in the CyberRisk Declarations as of the effective date of cancelation or nonrenewal.
6. When the Optional ERP applies, it replaces the Automatic ERP and the Extended Discovery Period for the Privacy Breach Notification, Computer And Legal Experts, and Public Relations Insuring Agreements.

Extended Discovery Period.
1. For the First Party Insuring Agreements, the Insured has an extended period of time to Discover a First Party Loss arising out of a First Party Event that occurred prior to the effective date of cancelation. Such First Party Event will be deemed Discovered on the last day of the Policy Period. This period begins on the effective date such First Party Insuring Agreement is canceled. It ends on the earlier of:
   a. 90 days; or
   b. the effective date of similar coverage purchased by the Insured, even if such insurance does not provide coverage for loss sustained prior to its effective date.
2. When Optional ERP is purchased, it replaces the Extended Discovery Period for the Privacy Breach Notification, Computer And Legal Experts, and Public Relations Insuring Agreements.

Income Loss Appraisal. If, after submission of the Proof of Loss, the Insurer and Insured do not agree on the amount of Income Loss, each party will select an appraiser. If the appraisers do not agree, they will select an umpire. Each appraiser will submit the amount of Income Loss to the umpire. Agreement by the umpire and at least one of the appraisers as to the amount of Income Loss is binding. Each party will:
1. pay its own appraiser, except when covered as Accounting Costs, and
2. share the fees and costs of the umpire equally.

Notice Of Claim.
1. If an Insured gives the Insurer written notice of a Potential Claim during the Policy Period, or any extended reporting period, then a Claim subsequently arising from such Potential Claim will be deemed made on the last day of the Policy Period. Such notice must include a description of the anticipated allegations of Wrongful Acts, potential damages, and the names of potential claimants and Insureds involved.
2. Once an Executive Officer becomes aware that a Claim has been made, the Insured must give the Insurer written notice of such Claim as soon as practicable. If such Claim involves facts that are subject to a court order or law enforcement hold, the Insured must give the Insurer written notice of such Claim as soon as practicable once such order or hold is not in effect. Such notice must include a copy of the Claim or description of its particulars.
3. All notices under this section must be sent to the Insurer at an address shown in the Declarations.

Notice Of First Party Event.
1. Upon the Discovery of a First Party Event, the Insured must give the Insurer written notice of the particulars of such event, as soon as practicable.
2. If such First Party Event causes First Party Loss under the Cyber Crime or Business Loss Insuring Agreements in an amount more than 25% of the applicable Retention, the Insured must:
   a. give the Insurer a detailed, sworn Proof of Loss within 120 days;
   b. submit to an examination Under Oath, and give the Insurer a signed statement of the Insured’s answers; and
   c. notify law enforcement, if such First Party Event violates law.
3. Demands for payment of First Party Loss must be provided to the Insurer by the Insured Entity.
4. All notices and demands must be sent to the Insurer at an address shown in the Declarations.

Other Insurance.
1. The Breach Response and Business Loss Insuring Agreements are primary insurance.
2. The Liability and Cyber Crime Insuring Agreements are excess over, and will not contribute with, any other valid and collectible insurance available to the Insured. This applies even if such other insurance is stated to be primary, excess, or otherwise, unless such other insurance states by specific reference that it is excess over this Coverage.

Property Covered. Coverage under the Cyber Crime Insuring Agreements is limited to property:
1. the Insured Entity:
   a. owns;
   b. leases; or
   c. holds for others; or
2. for which the Insured Entity is legally liable,
except property located inside premises of the Insured Entity’s client or such client’s financial institution.

Recovery And Subrogation.
1. The Insurer has no duty to recover amounts paid under this Coverage.
2. Amounts recovered from a third party, less costs incurred in obtaining such recovery, will be applied in this order:
   a. to the Insurer for any Retention it paid on behalf of an Insured;
   b. to the Insured for Loss the Insurer did not pay because the applicable Limit was exhausted;
   c. to the Insurer for Loss it paid;
   d. to the Insured for any Retention it paid; and then
   e. to the Insured for any uncovered loss it paid.
3. Recoveries do not include amounts from insurance or reinsurance.
4. The Insurer is subrogated to, and the Insured must transfer to the Insurer, all of the Insured’s rights of recovery against any person or organization for Loss the Insurer has paid under this Coverage. The Insured agrees to:
   a. execute and deliver instruments and papers;
   b. do everything necessary to secure such rights; and
   c. do nothing to impair or prejudice those rights.
5. Subrogation will not apply if the Insured, prior to the date of a Wrongful Act or a First Party Event, waived its rights to recovery.
6. Any of the Insured Entity’s property that the Insurer pays for becomes the Insurer’s property.

Related Claims. Multiple Claims arising out of the same Wrongful Act are a single Claim that is deemed first made on the date the earliest of such Claims is made, whether before or during the Policy Period.

Representations.
1. The Insurer has issued this coverage in reliance on the accuracy and completeness of the representations that the Insured made to the Insurer.
2. If any such representation is untrue, and:
   a. was material to the acceptance of the risk; and
   b. is material to a covered Loss,
   then this coverage will not apply to such Loss with respect to:
      i. an Insured Person who knew; or
      ii. an Insured Entity, if an Executive Officer knew,
   that such representation was untrue on the Inception date shown in the Declarations.

Settlement. The Insurer may, with the written consent of the Insured, settle a Claim. If the Insurer and claimant agree to settle a Claim but the Insured withholds its consent, the Insured will be responsible for 20% of all:
1. Defense Costs incurred after the date the Insured withheld its consent; and
2. Loss, other than Defense Costs, in excess of such settlement offer.

Subsidiaries. If a Subsidiary is acquired or created by an Insured Entity during the Policy Period, and its revenues are:
1. less than 35% of the total annual revenues of such Insured Entity, then it will be covered for Wrongful Acts or First Party Events that occur after its acquisition or creation; or
2. are at least 35% of the total annual revenues of such Insured Entity, then it will be covered for:
   a. Wrongful Acts that occur after its acquisition or creation, for Claims made; or
   b. First Party Events that occur after its acquisition or creation and that are Discovered and reported,
   within 90 days of its acquisition or creation, or the end of the Policy Period, whichever is earlier.
Additional coverage may be negotiated at the time of acquisition or creation.

Suits Against The Insurer – Cyber Crime. The Insured Entity may not bring any legal action against the Insurer involving a First Party Event covered under the Cyber Crime Insuring Agreements:
1. until 60 days after the Insured Entity has filed Proof of Loss; and
2. unless such legal action is commenced within two years from the date the Insured Entity Discovers the First Party Event.

Valuation Under First Party Insuring Agreements.
1. Money, except Virtual Currency, is valued in the U.S. dollar equivalent determined at the rate of exchange published by The Wall Street Journal:
   a. for the Cyber Crime Insuring Agreements, on the date the First Party Event was Discovered; and
   b. for the Breach Response and Business Loss Insuring Agreements, on the date of payment of First Party Loss.
2. Securities are valued at market value as of the close of business on the date the First Party Event was Discovered; and at its discretion, the Insurer will:
   a. pay the Insured Entity such value;
   b. replace such Securities in kind, in which case the Insured Entity must assign to the Insurer all rights, title, and interest in such Securities; or
   c. pay the cost of a Lost Securities Bond required when issuing duplicates of the Securities. Such Lost Securities Bond will have a penalty no more than the value of the Securities at the close of business on the date the First Party Event was Discovered.
3. Virtual Currency is valued in the U.S. dollar equivalent determined at the rate of exchange:
   a. for the Cyber Crime Insuring Agreements, on the date the First Party Event was Discovered; and
   b. for the Breach Response and Business Loss Insuring Agreements, on the date of payment of First Party Loss.
4. Other Property is valued for the lesser of:
   a. the actual cash value of the Other Property on the date the First Party Event was Discovered; or
   b. the cost to replace Other Property with comparable property, but only after such property is actually replaced.

CYB-19101 Ed. 01-19 © 2019 The Travelers Indemnity Company. All rights reserved. Page 1 of 2

This endorsement changes the CyberRisk Coverage.

Per Impacted Parties And Computer And Legal Expert Costs Endorsement

There are three changes described below:

1. The following is added to Definitions:
Additional Response Costs. Means the amount the Insurer will pay for:
   1. Computer And Legal Expert Costs incurred by the Insured Entity, but only the amount of such that exceeds the Computer And Legal Expert Limit shown on the CyberRisk Declarations; and
   2. Privacy Breach Notification Costs incurred by the Insured Entity, but only such costs applicable to the number of Impacted Parties that exceed the number of Impacted Parties shown as the Privacy Breach Notification Limit on the CyberRisk Declarations.

2. The following replaces Limits And Retentions, Limit Of Insurance:
Limits Of Insurance.
   1. The most the Insurer will pay for Additional Response Costs under the Computer and Legal Expert or Privacy Breach Notification Insuring Agreement and all Loss under all other Insuring Agreements is the CyberRisk Aggregate Limit shown in the CyberRisk Declarations.
   2. The most the Insurer will pay for all Loss under an Insuring Agreement is the applicable Limit for such Insuring Agreement shown in the CyberRisk Declarations, but:
      a. The most the Insurer will pay for all Payment Card Contract Penalties is the Payment Card Limit shown in the CyberRisk Declarations, which is within the Privacy and Security Limit.
      b. The most the Insurer will pay for all Business Interruption Loss that results from a System Failure is the System Failure Limit shown in the CyberRisk Declarations, which is within the Business Interruption Limit.
      c. Payment of Loss under the Dependent Business Interruption Insuring Agreement and Reputation Harm Insuring Agreement is subject to, and will reduce, the remaining Business Interruption Limit.
      d. The most the Insurer will pay for all Accounting Costs is the Accounting Costs Limit shown in the CyberRisk Declarations, which is within the Limit for the applicable Business Loss Insuring Agreement.
      e. If a Betterment Co-insurance percentage is shown in the CyberRisk Declarations, the Insurer and the Insured will share the payment of Betterment Costs. The Insured’s share of payment will be such percentage shown. The Insurer will pay the remaining percentage of Betterment Costs, up to the Betterment Limit shown in the CyberRisk Declarations.
      f. For Computer And Legal Experts Costs, the most the Insurer will pay is the Computer And Legal Experts Insuring Agreement Limit shown in the CyberRisk Declarations, which is outside of, and will not reduce, the CyberRisk Aggregate Limit or any Shared Limit.
      g. For Privacy Breach Notification Costs, the maximum number of Impacted Parties for whom the Insurer will pay to notify is the number of Impacted Parties shown as the Privacy Breach Notification Limit in the CyberRisk Declarations, which is outside of, and will not reduce, the CyberRisk Aggregate Limit or any Shared Limit.
   3. The most the Insurer will pay for all Loss with respect to an Additional Insured is the limit agreed to in the contract between such Additional Insured and the Insured Entity, or the applicable Limit shown in the CyberRisk Declarations, whichever is less.
   4. The most the Insurer will pay for Additional Response Costs under the Computer And Legal Experts or Privacy Breach Notification Insuring Agreements, and all Loss under all other Insuring Agreements, if the CyberRisk Declarations indicates that a Shared Limit applies, is the Shared Limit shown in the Shared Limit Declarations.
   5. Once the CyberRisk Aggregate Limit or Shared Limit is exhausted the premium is fully earned, and all obligations of the Insurer, including any duty to defend, will cease.

Issuing Company: Travelers Casualty and Surety Company of America
Policy Number: 107865426

3. For the Privacy Breach Notification Insuring Agreement only, the following is added to Limits And Retentions, Retention, 1:
The Insurer will only pay Privacy Breach Notification Costs if the number of Impacted Parties equals or exceeds the number of Impacted Parties shown as the Privacy Breach Notification Threshold on the CyberRisk Declarations. Once the Privacy Breach Notification Threshold is met, Privacy Breach Notification Costs will be paid for all Impacted Parties, subject to the applicable Limit.

CYB-19105 Ed. 01-19 © 2019 The Travelers Indemnity Company. All rights reserved. Page 1 of 1

This endorsement changes the CyberRisk Coverage.

Conviction Reward Endorsement

There are three changes described below:

1. The following is added to Cyber Crime Insuring Agreements:
Conviction Reward. The Insurer will pay the Insured Entity for Conviction Reward Costs following a First Party Event that is Discovered during the Policy Period.

2. The following is added to Definitions:
Conviction Reward Costs. Means the reasonable amount paid by the Insured Entity, with the Insurer’s prior written consent, for information that leads to the arrest and conviction of a natural person responsible for a First Party Event.

3. The following is added to the CyberRisk Declarations:
Conviction Reward:
   Limit: $25,000
   Retention: 0

Issuing Company: Travelers Casualty and Surety Company of America
Policy Number: 107865426

CYB-19123 Ed. 05-19 © 2019 The Travelers Indemnity Company. All rights reserved. Page 1 of 1

This endorsement changes the CyberRisk Coverage.

Bricked Equipment Endorsement

There are three changes described below:

1. The following is added to Definitions, Extra Expense:
Includes such reasonable costs incurred by the Insured Entity, with the Insurer’s written consent, to replace any Bricked Equipment with functionally equivalent equipment, if such Bricked Equipment is inoperable:
   1. directly as a result of a Security Breach; and
   2. if reasonable attempts to restore such Bricked Equipment fail.
Such costs may include newer versions or models of such Bricked Equipment.

2. The following is added to Definitions:
Bricked Equipment. Means any inoperable computer, input, output, processing, storage, or communication device:
   1. owned by;
   2. leased to;
   3. licensed to; or
   4. under the direct operational control of,
the Insured Entity, or an Insured Person, while authorized by, and transacting business on behalf of, the Insured Entity.

3. The following is added to Exclusions, Property Damage 2:
This does not apply to Business Interruption Loss resulting from the loss of use of a Computer System.

Issuing Company: Travelers Casualty and Surety Company of America
Policy Number: 107865426

CYB-19122 Ed. 05-19 © 2019 The Travelers Indemnity Company. All rights reserved. Page 1 of 2

This endorsement changes the CyberRisk Coverage.

Vendor Or Client Payment Fraud Endorsement

There are ten changes described below:

1. The following is added to Cyber Crime Insuring Agreements:
Vendor Or Client Payment Fraud. The Insurer will pay the Insured Entity for Vendor Or Client Payment Fraud Loss that arises out of a Security Breach that is discovered during the Policy Period.

2. The following is added to Definitions:
Vendor Or Client Payment Fraud. Means an instruction that intentionally misleads a Vendor or Client, when such instruction:
   1. is not made by an Insured;
   2. is purportedly from an Insured;
   3. directs such Vendor to perform services or deliver goods, or such Client to deliver payment to, an unintended recipient;
   4. contains a misrepresentation of material fact; and
   5. is relied upon by such Vendor or Client, believing the material fact to be true.
Vendor Or Client Payment Fraud Loss. Means:
   1. Money owed to the Insured Entity but not collected for services rendered or goods delivered to a Client, or
   2. the amount the Insured Entity paid a Vendor for goods or services the Insured Entity did not receive;
directly caused by Vendor Or Client Payment Fraud.

3. The following is added to Definitions, Computer Fraud:
Does not include Vendor Or Client Payment Fraud.

4. The following is added to Definitions, First Party Event:
Includes Vendor Or Client Payment Fraud.

5. The following is added to Definitions, First Party Loss:
Includes Vendor Or Client Payment Fraud Loss.

6. The following is added to Definitions, Funds Transfer Fraud:
Does not include Vendor Or Client Payment Fraud.
7.The following replaces Exclusions, Cyber Crime, 8: loss resulting from forged, altered, or fraudulent negotiable instruments, securities, documents, or instructions used as source documentation to enter electronic data or send instructions, provided this does not apply to the Social Engineering Fraud or the Vendor Or Client Payment Fraud Insuring Agreements. 8.The following is added to Other Conditions, Property Covered: This does not apply to the Vendor Or Client Payment Fraud Insuring Agreement. 9.The following is added to Other Conditions: Property Covered – Vendor Or Client Payment Fraud Coverage under the Vendor Or Client Payment Fraud Insuring Agreement is limited to: 1.Money owed to the Insured Entity but not collected for services rendered or goods delivered to a Client, or 2.the amount the Insured Entity paid a Vendor for goods or services the Insured Entity did not receive. Issuing Company:Travelers Casualty and Surety Company of America Policy Number:107865426 CYB-19122 Ed.05-19 Page 2 of 2 ©2019 The Travelers Indemnity Company.All rights reserved. 10.The following is added to the Declarations: Vendor Or Client Payment Fraud Limit Vendor Or Client Payment Fraud Retention $100,000 $5,000 CYB-19102 Rev. 06-20 © 2020 The Travelers Indemnity Company. All rights reserved. Page 1 of 1 This endorsement changes the CyberRisk Coverage. Dependent Business Interruption – System Failure Endorsement 1.The following is added to Business Loss Insuring Agreements, Dependent Business Interruption: The Insurer will also pay the Insured for its Business Interruption Loss, directly caused by an IT Provider System Failure that is Discovered during the Policy Period. There are five changes described below: 2.The following is added to Definitions, First Party Event: Includes an IT Provider System Failure. 3.The following is added to Definitions: IT Provider System Failure. 
Means an accidental, unintentional, and unplanned total or partial interruption of an IT Provider’s computer system not caused by an IT Provider Breach.

4. The following is added to Exclusions, Property Damage, 2: This does not apply to Business Interruption Loss resulting from the loss of use of an IT Provider’s computer system.

5. The following is added to Limits And Retentions, Limits Of Insurance, 2: The most the Insurer will pay for Business Interruption Loss that results from an IT Provider System Failure is the Dependent Business Interruption - System Failure Limit shown in the CyberRisk Declarations, which is within and will reduce the Dependent Business Interruption Limit.

Issuing Company: Travelers Casualty and Surety Company of America
Policy Number: 107865426

CYB-19104 Rev. 06-20 © 2020 The Travelers Indemnity Company. All rights reserved. Page 1 of 1

This endorsement changes the CyberRisk Coverage.

Dependent Business Interruption - Outsource Provider With System Failure Endorsement

There are five changes described below:

1. The following is added to Business Loss Insuring Agreements, Dependent Business Interruption:

Dependent Business Interruption - Outsource Provider - System Failure.
The Insurer will pay the Insured for its Business Interruption Loss, directly caused by an Outsource Provider Breach or Outsource Provider System Failure that is Discovered during the Policy Period.

2. The following is added to Definitions, First Party Event: Includes an Outsource Provider Breach and Outsource Provider System Failure.

3. The following are added to Definitions:

Outsource Provider.
Means a provider, other than an IT Provider, that:
   1. provides goods to, or performs services for, the Insured under a written contract; and
   2. the Insured does not own, operate, or control.

Outsource Provider Breach.
Means:
   1. the unauthorized access to;
   2. the use of authorized access to cause intentional harm to;
   3. a denial-of-service attack against; or
   4. the introduction of a Virus into,
an Outsource Provider’s computer system, resulting in an interruption of such computer system.

Outsource Provider System Failure.
Means an accidental, unintentional, and unplanned interruption of an Outsource Provider’s computer system not caused by an Outsource Provider Breach.

4. The following is added to Exclusions, Property Damage, 2: This does not apply to Business Interruption Loss resulting from the loss of use of an Outsource Provider’s computer system.

5. The following is added to Limits And Retentions, Limits Of Insurance, 2: The most the Insurer will pay for all Business Interruption Loss that results from an Outsource Provider Breach or Outsource Provider System Failure is the Dependent Business Interruption - Outsource Provider - System Failure Limit shown in the CyberRisk Coverage Declarations, which is within and will reduce the Dependent Business Interruption Limit.

Issuing Company: Travelers Casualty and Surety Company of America
Policy Number: 107865426

CYB-19166 Ed. 10-20 © 2020 The Travelers Indemnity Company. All rights reserved. Page 1 of 1

This endorsement changes the CyberRisk Coverage.

Preservation Of Governmental Immunity – Iowa Endorsement

There are two changes described below:

1. The following is added to the Definitions, Loss: Loss does not include amounts imposed by law against an Insured in the absence of any contract or agreement, to the extent such amounts are subject to any defense of governmental immunity under Iowa law.

2. The following is added to Conditions:

Preservation Of Governmental Immunity.
The purchase of this Coverage is not a waiver under Iowa Code Section 670.7, or any amendments to such section, of any governmental immunity that would be available to the Insured absent the purchase of this Coverage.
Issuing Company: Travelers Casualty and Surety Company of America
Policy Number: 107865426

AFE-19013 Ed. 01-19 © 2019 The Travelers Indemnity Company. All rights reserved. Page 1 of 1

This endorsement changes the Policy.

State Inconsistency Endorsement

State Inconsistency.
If there is inconsistency between the state changes endorsement and any other conditions of coverage, then it is agreed that, where permitted by law, the Insurer will apply those conditions that are more favorable to the Insured.

Policy Number: 107865426
Issuing Company: Travelers Casualty and Surety Company of America