Colorado Counties Casualty and Property Pool
2022 Network Security Policy
Chubb/Ace Policy No. 625660328009

Summaries are brief outlines of the coverages afforded under the insurance policies. Since summaries are for informational purposes only, they should not be construed to constitute the entire insurance contracts. As the policies may contain additional coverages and restrictions, the exact wording should be consulted.

Brief Summary of Liability Deductibles

This information is provided to present counties with a simple overview of county deductibles in the pool. It does not provide information on limits. The pool insuring agreements contain actual coverages and limits.

The county has $0 deductible for network security liability claims.
The pool pays the first $100,000 of each claim.
CAPP's excess insurance carrier pays up to $1 million per claim.

Named Insured Schedule

Colorado Counties Casualty and Property Pool including the following members:
• Alamosa • Gunnison • Phillips • Archuleta • Hinsdale • Prowers • Baca • Huerfano • Pueblo • Bent • Jackson • Rio Blanco • Chaffee • Kiowa • Rio Grande • Cheyenne • Kit Carson • Routt • Clear Creek • Lake • Saguache • Conejos • La Plata • San Juan • Costilla • Las Animas • San Miguel • Crowley • Lincoln • Sedgwick • Custer • Logan • Summit • Delta • Mineral • Teller • Dolores • Moffat • Washington • Elbert • Montrose • Weld • Fremont • Morgan • Yuma • Garfield • Otero • Gilpin • Ouray • Grand • Park

Gallagher: Insurance, Risk Management, Consulting
Gallagher CORE 360

Colorado Counties Casualty and Property Pool
Cyber Enterprise Risk Management Pool Program for Members (Claims Made Policy)

Current Carrier: ACE American Insurance Company (Admitted)

Policy Period: January 1, 2022 to January 1, 2023

Additional Insureds:
• Member Counties (Schedule on File with Company) (Each Member is issued a
Certificate)

Policy Form:
• Third Party Liability Insuring Agreements provide Claims-Made Coverage, which applies only to claims first made during the policy period or applicable Extended Reporting Period for any Incident taking place after the Retroactive Date but before the end of the Policy Period.

Retroactive Date:
• None

Prior and Pending Proceeding Date:
• January 1, 2014
• Data Breach Coach, Computer Forensics, Public Relations or Crisis Communications, Law Firm to Determine Insured's Indemnification, Credit Monitoring, etc.

Limits:

Maximum Pool Policy Limits of Insurance | Amount
Maximum Pool Single Limits of Insurance under any one Insuring Agreement | $1,000,000
Maximum Pool Policy Aggregate Limit of Insurance | $1,000,000

Pool First Party Insuring Agreements | Pool Aggregate Limit for All Cyber Incidents/Aggregate | Retention / Waiting Period Each Incident | Cyber Incident Response Coach Retention
Cyber Incident Response Fund | See below | |
Cyber Incident Response Team | $1,000,000 | $100,000 | $100,000
Non-Panel Response Provider | $250,000 | $100,000 | $100,000
Business Interruption Loss and Extra Expenses | $1,000,000 | $100,000 / 24 hours | N/A
Contingent Business Interruption and Extra Expense Unscheduled Providers (50% Coinsurance) | $1,000,000 | $100,000 / 24 hours | N/A
Digital Data Recovery | $1,000,000 | $100,000 | N/A
Network Extortion | $1,000,000 | $100,000 | N/A

Pool Third Party Insuring Agreements | Pool Aggregate Limit for All Cyber Incidents/Aggregate | Retention / Waiting Period Each Incident | Retro-Date / Pending or Prior Proceeding Date
Cyber, Privacy and Network Security Liability | $1,000,000 | $100,000 | 1/1/2014
Payment Card Loss | $1,000,000 | $100,000 | 1/1/2014
Regulatory Proceedings | $1,000,000 | $100,000 | 1/1/2014
Electronic, Social and Printed Media Liability | $1,000,000 | $100,000 | 1/1/2014

©2022 Arthur J. Gallagher & Co. All rights reserved.
MEMBER DETAILS

Member First Party Insuring Agreements | Member Limits of Insurance Each Incident/Aggregate | Member Retention / Waiting Period Each Incident | Cyber Incident Response Coach Retention
Cyber Incident Response Fund Sidecar | | |
Cyber Incident Response Team | $1,000,000 | $100,000 | $100,000
Non Panel Incident Response Team | $100,000 | $100,000 | $100,000
Business Interruption Loss and Extra Expenses | $1,000,000 | $100,000 | N/A
Contingent Business Interruption and Extra Expense Unscheduled Providers (50% Coinsurance) | $1,000,000 | $100,000 / 24 hours | N/A
Digital Data Recovery | $1,000,000 | $100,000 | N/A
Network Extortion | $1,000,000 | $100,000 | N/A
Ransomware Encounter (50% Coinsurance) | $1,000,000 | $100,000 | N/A

Neglected Software Exploits

Period of Neglect | Coinsurance | Limit per Policy Period
0 - 45 days | 0% | $1,000,000
46 - 90 days | 5% | $750,000
91 - 180 days | 10% | $500,000
181 - 365 days | 25% | $250,000
365+ days | 50% | $100,000

Member Third Party Insuring Agreements | Per Member Limits of Insurance Each Incident/Aggregate | Member Retention Each Claim | Retro-Date / Pending or Prior Proceeding Date
Cyber, Privacy and Network Security Liability | $1,000,000 | $100,000 | 1/1/2014
Payment Card Loss | $1,000,000 | $100,000 | 1/1/2014
Regulatory Proceedings | $1,000,000 | $100,000 | 1/1/2014
Electronic, Social and Printed Media Liability | $1,000,000 | $100,000 | 1/1/2014

Claims-Made Coverage Note:
• Should you elect to change carriers (if a new retro-active date is provided) or non-renew this policy, a supplemental extended reporting endorsement may be available subject to policy terms and conditions. You must request the extended reporting period in writing to the carrier within 30 days of the non-renewal or cancellation date of the policy and pay the additional premium by the due date specified on the premium invoice.
The cost of this extended reporting period is 100% of the annual premium and is fully earned. The extended reporting period extends only to those claims that occurred prior to the expiration date and would have been covered by the policy. Claims must be reported to the carrier within 30 days of the end of the policy period. The extended reporting period does not increase the limits of liability and is subject to all policy terms, conditions and exclusions.

Minimum Premium:
• None

Auditable:
• Not subject to audit

Definitions

Definition of Claim means any:
1. written demand against any Insured for monetary damages or non-monetary or injunctive relief;
2. civil proceeding against any Insured seeking monetary damages or non-monetary or injunctive relief, commenced by the service of a complaint or similar pleading;
3. arbitration or mediation proceeding against any Insured seeking monetary damages or non-monetary or injunctive relief, commenced by the receipt of a written demand, or service of a complaint or similar pleading;
4. criminal proceeding against an Insured commenced by: (a) an arrest, or (b) a return of an indictment, information or similar document;
5. written request directed at an Insured to toll or waive a statute of limitations applicable to a Claim referenced in paragraphs 1-4 immediately above; or
6. Regulatory Proceeding, including, where applicable, any appeal therefrom.

Cyber Incident means:
1. with respect to Insuring Agreement A, Cyber Incident Response Fund,
a. any actual or reasonably suspected Network Security Failure;
b.
any actual or reasonably suspected failure by an Insured, or any independent contractor for whom or for which an Insured is legally responsible, to properly handle, manage, store, destroy, protect, use or otherwise control Protected Information;
c. any unintentional violation by an Insured of any Privacy or Cyber Law, including the unintentional wrongful collection of Protected Information by an Insured;
d. any reasonably suspected Interruption in Service, provided a Limit of Insurance is shown in the Declarations applicable to Insuring Agreement B, Business Interruption And Extra Expenses; or
e. any reasonably suspected Network Extortion Threat, provided a Limit of Insurance is shown in the Declarations applicable to Insuring Agreement D, Network Extortion;
2. with respect to Insuring Agreement B, Business Interruption And Extra Expenses, an actual 3. Interruption in Service;
4. arbitration, mediation, or other alternative dispute resolution proceeding against any Insured seeking monetary damages or non-monetary or injunctive relief, commenced by the receipt of a written demand, or service of a complaint or similar pleading;
6. with respect to Insuring Agreement D, Network Extortion, an actual Network Extortion Threat; or
with respect to Insuring Agreement E, Cyber, Privacy And Network Security Liability, any error, misstatement, misleading statement, act, omission, neglect, breach of duty or other offense actually or allegedly committed or attempted by any Insured in their capacity as such, resulting in or based upon a Cyber Incident as referenced in paragraphs 1-4 immediately above.
Damages mean compensatory damages, any award of prejudgment or post judgment interest, Payment Card Loss, Consumer Redress Fund, settlements, and amounts which an Insured becomes legally obligated to pay on account of any Claim. Damages shall not include:
1. any amount for which an Insured is not financially liable or legally obligated to pay;
2. taxes, fines, penalties or sanctions directly imposed against an Insured, except for Payment Card Loss or Regulatory Fines otherwise covered under Insuring Agreement E;
3. matters uninsurable under the laws pursuant to which this Policy is construed;
4. punitive or exemplary damages, or the multiple portion of any multiplied damage award, except to the extent that such punitive or exemplary damages, or multiplied portion of any multiplied damage award, are insurable under the applicable laws of any jurisdiction which most favors coverage for such damages and which has a substantial relationship to the Insured, Insurer, this Policy, or the Claim giving rise to such damages;
5. the cost to an Insured to comply with any injunctive, remedial, preventative, or other non-monetary or declaratory relief, including specific performance, or any agreement to provide such relief;
6. consideration owed or paid by or to an Insured, including any royalties, restitution, reduction, disgorgement or return of any payment, charges, or fees; or costs to correct or re-perform services, or for the reprint, recall, or removal of Media Content;
7. liquidated damages pursuant to a contract, to the extent such amount exceeds the amount which the Insured would have been liable in the absence of such contract; or
8.
penalties against an Insured of any nature, however denominated, arising by contract, except for Payment Card Loss otherwise covered under Insuring Agreement E.

Defense Provisions:

Defense Costs and Expenses: Included in the Retention and within the Limits of Liability

Defense Provisions:
A. Except as provided in Subsection B of this Section IX, the Insurer shall have the right and duty to defend any Claim brought against an Insured even if such Claim is groundless, false or fraudulent. The Insurer shall consult and endeavor to reach an agreement with the Insured regarding the appointment of counsel, but shall retain the right to appoint counsel and to make such investigation and defense of a Claim as it deems necessary.
B. The Insurer shall have the right, but not the duty, to defend any Regulatory Proceeding. For such Claims, the Insured shall select defense counsel from the Insurer's list of approved law firms, and the Insurer reserves the right to associate in the defense of such Claims.

Other Provisions:

Settlement: The Insurer shall not settle any Claim without the written consent of the Named Insured. If the Named Insured refuses to consent to a settlement recommended by the Insurer and acceptable to the claimant, then the Insurer's applicable Limit of Insurance under this Policy with respect to such Claim shall be reduced to: 1. the amount of Damages for which the Claim could have been settled plus all Claims Expenses incurred up to the time the Insurer made its recommendation to the Named Insured; plus eighty percent (80%) of all subsequent covered Damages and Claims Expenses in excess of such amount referenced in paragraph (1) immediately above, which amount shall not exceed that portion of any applicable Limit of Insurance that remains unexhausted by payment of Costs, Damages, and Claims Expenses.
The remaining twenty percent (20%) of all subsequent covered Damages and Claims Expenses shall be borne by the Insureds uninsured and at their own risk. However, this provision does not apply to any potential settlement that is within the Retention.

Allocation: If a Claim includes both covered and uncovered matters, then coverage shall apply as follows:
A. Claims Expenses: One hundred percent (100%) of Claims Expenses incurred by any Insured on account of such Claim shall be considered covered provided that the foregoing shall not apply with respect to: (i) a Regulatory Proceeding; or, (ii) any Insured for whom coverage is excluded pursuant to Exclusion III.A.1 or Section XIV, Subsection C. With respect to a Regulatory Proceeding, amounts for covered Claims Expenses and for uncovered fees, costs and expenses shall be allocated based upon the relative legal and financial exposures of, and the relative benefits obtained by, the parties to such matters.
B. Loss other than Claims Expenses: all remaining loss incurred by such Insured from such Claim shall be allocated between covered Damages and uncovered damages based upon the relative legal and financial exposures of, and the relative benefits obtained by, the parties to such matter

Territory:
• In the Universe.
• Outside the U.S., where legally permissible

Terms and Conditions:
• Cyber Incident Response Fund Provisions
• Subrogation Clause
• Action Against the Insurer and Bankruptcy Clause
• Alternative Dispute Resolution Clause

Endorsements and Notices:
• Chubb Producer Compensation Practices & Policies
• Cyber Services for Incident Response - Notice to Policyholders
• Cyber Services for Loss Mitigation
• U.S. Foreign Account Tax Compliance Act - FACTA Notice
• U.S.
Treasury Department's Office of Foreign Assets Control (OFAC) Advisory Notice to Policyholders
• Policyholder Disclosure Notice of Terrorism Insurance Coverage
• Trade or Economic Sanctions Endorsement
• Cap on Losses from Certified Acts of Terrorism
• Service of Suit Endorsement
• Signature Endorsement

Exclusions including but not limited to:
• Contract - for breach of any express, implied, actual or constructive contract, warranty, guarantee, or promise, including any actual or alleged liability assumed by an Insured, unless such liability would have attached to the Insured even in the absence of such contract, warranty, guarantee, or promise. However, this exclusion shall not apply to:
a. an Insured's contractual obligation to maintain the confidentiality or security of Protected Information;
b. an unintentional violation by an Insured to comply with an Organization's Privacy Policy;
c. solely with respect to Insuring Agreement E, Payment Card Loss; or
d. solely with respect to Insuring Agreement F, misappropriation of idea under implied contract.
• Intellectual Property - alleging, based upon, arising out of or attributable to any infringement of, violation of, misappropriation of, or assertion of any right to or interest in a patent or Trade Secret by any Insured. However, this exclusion shall not apply to:
a. solely with respect to Insuring Agreements A-D, the actual or alleged theft of a third party's Trade Secret resulting from a Cyber Incident; provided, however, this exclusion shall still nevertheless apply to any Costs, Damages or Claims Expenses on account of any Cyber Incident or Claim for the economic or market value of Trade Secrets; or solely with respect to Insuring Agreement E, any Claim arising out of the actual or alleged disclosure or theft of Protected Information resulting from a Network Security Failure.
• Unlawful Use or Collection of Protection Information as amended by General Enhancement Endorsement
• Conduct Exclusion (with amendment)
• Prior Knowledge
• Pending or Prior Proceedings
• Bodily Injury, Property Damage
• Pollution
• Infrastructure Outage
• War, Nuclear
• Fees or Chargebacks (with exception)
• Antitrust or Unfair Trade Practices
• Consumer Protection Laws
• Discrimination or Employment Practices
• Governmental Shutdown
• Insured V Insured (Agreements E and F)
• Protective Safeguards (MFA for email & remote access and CVE-2014-3566, CVE-2016-0800, CVE-2020-3452, CVE-2020-7961, VOPackage)

Extended Reporting Period:
• 100% of Annual Premium, Additional 12 Months

1. Solely with respect to Insuring Agreements A, E, and F, if the Insurer terminates or does not renew this Policy (other than for failure to pay a premium when due), or if the Named Insured terminates or does not renew this Policy and does not obtain replacement coverage as of the effective date of such termination or nonrenewal, the Named Insured shall have the right, upon payment of the additional premium shown in Item 7A of the Declarations and subject to the terms specified in Subsections B-E directly below, to a continuation of the coverage granted by this Policy for an Extended Reporting Period shown in Item 7B of the Declarations following the effective date of such termination or non-renewal.
2. Coverage for the Extended Reporting Period shall be only for Claims first made or Incidents first discovered during such Extended Reporting Period and arising from Incidents taking place prior to the effective date of such termination or non-renewal.
This right to continue coverage shall lapse unless written notice of such election is given by the Named Insured to the Insurer, and the Insurer receives payment of the additional premium shown in Item 7A of the Declarations, within thirty (30) days following the effective date of termination or non-renewal.
3. The Extended Reporting Period is non-cancelable and the entire premium for the Extended Reporting Period shall be deemed fully earned and non-refundable upon payment.
4. The Extended Reporting Period shall not increase or reinstate any Limits of Insurance. The Limits of Insurance as shown in Item 3 and Item 4 of the Declarations shall apply to both the Policy Period and the Extended Reporting Period, combined.
5. A change in Policy terms, conditions, exclusions or premiums shall not be considered a non-renewal for purposes of triggering the rights to the Extended Reporting Period.

Notice:
A. Urgent crisis management assistance by the Cyber Incident Response Coach is available at the hotline number shown in the Declarations. Use of the services of the Cyber Incident Response Coach for a consultation DOES NOT constitute notice under this Policy of a Cyber Incident or Claim. In order to provide notice under this Policy, such notice must be given in accordance with and is subject to Subsections B-D of this Section VIII.
B. An Insured shall, as a condition precedent to such Insured's rights under this Policy, give to the Insurer written notice of any Incident or Claim as soon as practicable after any Control Group Member discovers such Incident or becomes aware of such Claim, but in no event later than:
1. if this Policy expires (or is otherwise terminated) without being renewed with the Insurer, ninety (90) days after the effective date of such expiration or termination; or
2.
the expiration of the Extended Reporting Period, if applicable, provided that if the Insurer sends written notice to the Named Insured, stating that this Policy is being terminated for nonpayment of premium, an Insured shall give to the Insurer written notice of such Claim prior to the effective date of such termination.
C. If, during the Policy Period, any Control Group Member first becomes aware of any specific Incident which may reasonably give rise to a future Claim under this Policy, and written notice is given to the Insurer during the Policy Period, of the:
1. nature of the Incident;
2. identity of the Insureds allegedly involved;
3. circumstances by which the Insureds first became aware of the Incident;
4. identity of the actual or potential claimants;
5. foreseeable consequences of the Incident; and
6. nature of the potential Damages;
then any Claim which arises out of such Incident shall be deemed to have been first made at the time such written notice was received by the Insurer. The Insurer will not pay for Damages or Claims Expenses incurred prior to the time such Incident results in a Claim.
D. All notices under any provision of this Policy shall be given as follows:
1. Notice to the Insureds may be given to the Named Insured at the address shown in Item 1 of the Declarations.
2. Notice to the Insurer of any Incident or Claim shall be given to the Insurer at the physical address or email address shown in Item 9A of the Declarations.
3. All other notices to the Insurer under this Policy shall be given to the Insurer at the physical address shown in Item 9B of the Declarations.
Notice given as set out above shall be deemed to be received and effective upon actual receipt thereof by the addressee, or one day following the date such notice is sent, whichever is earlier. When any such notices are sent to a physical address, such notices shall be sent by prepaid express courier or certified mail properly

Claims Reporting: Where/How to Report a Claim

If you need urgent crisis management or legal advice, contact:
Cyber Incident Response Coach Hotline at: 1-800-817-2665 or cyberalert@chubb.com

Notice of Incident, Claim, or Potential Claim as set forth in Section VIII, Subsection C
By Mail: Director of Claims, Chubb, P.O. BOX 5105, Scranton, PA 18505-0518
Fax Number: 877-201-8787
By Email: aceclaimsfirstnotice@chubb.com

Chubb cyber policyholders can download the Cyber Alert℠ app from the Apple Store for iOS devices and the Android Store for Android devices. After downloading the application, you can enroll via the Cyber Alert℠ app. Once enrollment is complete, commercial cyber policyholders can report a cyber incident by clicking the Report Incident button.

All Other Notices to the Insurer:
Chief Underwriting Officer, Chubb - Financial Lines, Attn: Chief Underwriting Officer, 1133 Avenue of the Americas, 32nd Floor, New York, NY 10036

Also Report Claim to:
Arthur J Gallagher Risk Management Services
Main Claims Email: GGB.NRCClaimsCenter@ajg.com

ACE American Insurance Company
Chubb Cyber Enterprise Risk Management Policy Declarations

NOTICE: THE THIRD PARTY LIABILITY INSURING AGREEMENTS OF THIS POLICY PROVIDE CLAIMS-MADE COVERAGE, WHICH APPLIES ONLY TO CLAIMS FIRST MADE DURING THE POLICY PERIOD OR AN APPLICABLE EXTENDED REPORTING PERIOD FOR ANY INCIDENT TAKING PLACE AFTER THE RETROACTIVE DATE BUT BEFORE THE END OF THE POLICY PERIOD. AMOUNTS INCURRED AS CLAIMS EXPENSES UNDER THIS POLICY SHALL REDUCE AND MAY EXHAUST THE APPLICABLE LIMIT OF INSURANCE AND WILL BE APPLIED AGAINST ANY APPLICABLE RETENTION.
IN NO EVENT WILL THE COMPANY BE LIABLE FOR CLAIMS EXPENSES OR THE AMOUNT OF ANY JUDGMENT OR SETTLEMENT IN EXCESS OF THE APPLICABLE LIMIT OF INSURANCE. TERMS THAT ARE UNDERLINED IN THIS NOTICE PROVISION HAVE SPECIAL MEANING AND ARE DEFINED IN SECTION II, DEFINITIONS. READ THE ENTIRE POLICY CAREFULLY.

IF YOU NEED URGENT CRISIS MANAGEMENT OR LEGAL ADVICE, PLEASE CONTACT: Cyber Incident Response Coach Hotline at: 1 (800) 817-2665 or cyberalert@chubb.com

Policy No: EON G25660328 009
Renewal of: EON G25660328 008

Item 1. Named Insured: Colorado Counties Casualty and Property Pool
Principal Address: 800 Grant Street, Suite 400, Denver, CO 80203

Item 2. Policy Period: From: 01/01/2022 To: 01/01/2023 (12:01 AM local time at the address shown in Item 1.)

Item 3. Maximum Policy Limits of Insurance.
A. Maximum Single Limit of Insurance: $1,000,000
B. Maximum Policy Aggregate Limit of Insurance: $1,000,000

Item 4. Limits of Insurance, Retentions and Insuring Agreement(s) Purchased. If any Limit of Insurance field for an Insuring Agreement is left blank or NOT COVERED is shown, there is no coverage for such Insuring Agreement.

First Party Insuring Agreements

A. Cyber Incident Response Fund | Each Cyber Incident Limit | Aggregate Limit for all Cyber Incidents | Each Cyber Incident Retention
1. Cyber Incident Response Team | $1,000,000 | $1,000,000 | $100,000
Except Cyber Incident Response Coach: | | | $100,000

PF-48168 (10/16) Page 1 of 3

NOTE: The Insured is under no obligation to use or contract for services with the Cyber Incident Response Team. However, if the Insured elects not to use or contract with the Cyber Incident Response Team but elects to use or contract with a Non-Panel Response Provider, then the Each Cyber Incident Limits and Aggregate Limit for all Cyber Incidents specified in Item 4A2 below apply.

2. Non-Panel Response Provider | $250,000 | $250,000 | $100,000

Insuring Agreement | Each Cyber Incident Limit | Aggregate Limit for all Cyber Incidents | Each Cyber Incident Retention
B. Business Interruption and Extra Expenses | | |
1. Business Interruption Loss And Extra Expenses | $1,000,000 | $1,000,000 | $100,000 (Waiting Period: 24 Hours)
2. Contingent Business Interruption Loss And Extra Expenses | $1,000,000 | $1,000,000 | $100,000 (Waiting Period: 24 Hours)
a. Scheduled Providers Limit (if scheduled by endorsement) | N/A | N/A | N/A (Waiting Period: N/A Hours)
C. Digital Data Recovery | $1,000,000 | $1,000,000 | $100,000
D. Network Extortion | $1,000,000 | $1,000,000 | $100,000

Third Party Liability Insuring Agreements

Insuring Agreement | Each Claim Limit | Aggregate Limit for all Claims | Each Claim Retention
E. Cyber, Privacy And Network Security Liability | $1,000,000 | $1,000,000 | $100,000
1. Payment Card Loss | $1,000,000 | $1,000,000 | $100,000
2. Regulatory Proceeding | $1,000,000 | $1,000,000 | $100,000
F. Electronic, Social And Printed Media Liability | $1,000,000 | $1,000,000 | $100,000

Item 5. Retroactive Date: 01/01/2014 (only applicable to Third Party Liability Insuring Agreements)

Item 6. Pending or Prior Proceedings Date: 01/01/2014 (only applicable to Third Party Liability Insuring Agreements)

Item 7. Extended Reporting Period
A. Additional Premium: 100% of Annual Premium
B. Additional Period: 12 Months

Item 8. Policy Premium: $220,001
Plus applicable taxes and fees (if any)

Item 9. Notice to Insurer
A. Notice of Incident, Claim, or potential Claim as set forth in section VIII, subsection C
By Mail: Director of Claims, Chubb, P.O.
BOX 5105, Scranton, PA 18505-0518
Fax Number: 877-201-8787
By Email: ChubbClaimsFirstNotice@Chubb.com
By Mobile App or Online: Visit the Policyholder Services Website at www.chubbcyber.com and 'submit claim' OR Press your 'Report Cyber Incident' button on the Chubb Cyber Alert Mobile application.
B. All Other Notices to the Insurer
Chief Underwriting Officer, Chubb - Financial Lines, Attn: Chief Underwriting Officer, 1133 Avenue of the Americas, 32nd Floor, New York, NY 10036

Chubb Cyber Enterprise Risk Management Policy

In consideration of the payment of the premium, in reliance upon the Application, and subject to the Declarations and the terms and conditions of this Policy, the Insureds and the Insurer agree as follows:

I. INSURING AGREEMENTS

Coverage is afforded pursuant to those Insuring Agreements purchased, as shown in Item 4 of the Declarations.

FIRST PARTY INSURING AGREEMENTS

A. CYBER INCIDENT RESPONSE FUND
The Insurer will pay Cyber Incident Response Expenses incurred by an Insured in response to a Cyber Incident first discovered by any Control Group Member during the Policy Period.

B. BUSINESS INTERRUPTION AND EXTRA EXPENSES
The Insurer will pay:
1. the Business Interruption Loss and Extra Expenses incurred by an Insured during the Period of Restoration resulting directly from a Cyber Incident which first occurs during the Policy Period; and
2. the Contingent Business Interruption Loss and Extra Expenses incurred by an Insured during the Period of Restoration resulting directly from a Cyber Incident which first occurs during the Policy Period.

C. DIGITAL DATA RECOVERY
The Insurer will pay the Digital Data Recovery Costs incurred by an Insured resulting directly from a Cyber Incident first discovered by any Control Group Member during the Policy Period.

D.
NETWORK EXTORTION
The Insurer will reimburse Extortion Expenses incurred by an Insured in response to a Cyber Incident first discovered by any Control Group Member during the Policy Period.

THIRD PARTY LIABILITY INSURING AGREEMENTS

E. CYBER, PRIVACY AND NETWORK SECURITY LIABILITY
The Insurer will pay Damages and Claim Expenses by reason of a Claim first made against an Insured during the Policy Period for a Cyber Incident which first occurs on or after the Retroactive Date and prior to the end of the Policy Period.

F. ELECTRONIC, SOCIAL AND PRINTED MEDIA LIABILITY
The Insurer will pay Damages and Claim Expenses by reason of a Claim first made against an Insured during the Policy Period for a Media Incident which first occurs on or after the Retroactive Date and prior to the end of the Policy Period.

II. DEFINITIONS

When used in this Policy:

Act of Cyber-Terrorism means: (i) any act, including force or violence, or the threat thereof, expressly directed against a Computer System operated by an Insured, by an individual or any group of individuals, whether acting alone, on behalf of or in connection with any entity or government to damage, destroy or access a Computer System without authorization; or, (ii) a targeted denial of service attack or transmittal of corrupting or harmful software code at or into the Insured's Computer System for social, ideological, religious, economic or political reasons, including intimidating or coercing a government, a civilian population or disrupting any segment of an economy.

PF-48169 (10/16) Page 1 of 21

Application means all applications, including any attachments thereto, and all other information and materials submitted by or on behalf of the Insureds to the Insurer in connection with the Insurer underwriting this Policy or any policy of which this Policy is a direct renewal or replacement. All such applications, assessments, attachments, information and materials are deemed attached to and incorporated into this Policy.
Bodily Injury means injury to the body, sickness, disease, or death. Bodily Injury also means mental injury, mental anguish, mental tension, emotional distress, pain and suffering, or shock, whether or not resulting from injury to the body, sickness, disease or death of any person.

Business Interruption Loss means: 1. the Insured's continuing normal operating and payroll expenses; and 2. the Insured's net profit before income taxes that would have been earned had no Interruption in Service of the Insured's Computer System occurred.

Claim means any: 1. written demand against any Insured for monetary damages or non-monetary or injunctive relief; 2. civil proceeding against any Insured seeking monetary damages or non-monetary or injunctive relief, commenced by the service of a complaint or similar pleading; 3. arbitration or mediation proceeding against any Insured seeking monetary damages or non-monetary or injunctive relief, commenced by the receipt of a written demand, or service of a complaint or similar pleading; 4. criminal proceeding against an Insured commenced by: (a) an arrest, or (b) a return of an indictment, information or similar document; 5. written request directed at an Insured to toll or waive a statute of limitations applicable to a Claim referenced in paragraphs 1-4 immediately above; or 6. Regulatory Proceeding, including, where applicable, any appeal therefrom.

Claims Expenses means the reasonable and necessary: 1. attorneys' fees, mediation costs, arbitration expenses, expert witness fees and other fees and costs incurred by the Insurer, or by an Insured with the Insurer's prior written consent, in the investigation and defense of a Claim; and 2. premiums for any appeal bond, attachment bond or similar bond, although the Insurer shall have no obligation to apply for or furnish such bond.
Claims Expenses shall not include wages, salaries or other compensation of directors, officers, similar executives, or employees of the Insurer or any Insured.

Computer System means computer hardware, software, Telephone System, firmware, and the data stored thereon, as well as associated input and output devices, data storage devices, networking equipment and storage area network or other electronic data backup facilities.

Consumer Redress Fund means a sum of money which an Insured is legally obligated to deposit in a fund as equitable relief for the payment of consumer claims due to an adverse judgment or settlement of a Regulatory Proceeding. Consumer Redress Fund shall not include any amounts paid which constitute taxes, fines, penalties, injunctive relief or sanctions.

Contingent Business Interruption Loss means: 1. the Insured's continuing normal operating and payroll expenses; and 2. the Insured's net profit before income taxes that would have been earned had no Interruption in Service of a Shared Computer System occurred.

Control Group Member means, as applicable, an Organization's Chief Executive Officer, Chief Financial Officer, Chief Information Officer, Chief Information Security Officer, Chief Privacy Officer, Chief Technology Officer, General Counsel, Risk Manager, or the organizational or functional equivalent of such positions.

Costs means: 1. Cyber Incident Response Expenses; 2. Business Interruption Loss; 3. Contingent Business Interruption Loss; 4. Extra Expenses; 5. Digital Data Recovery Costs; or 6. Extortion Expenses.

Cyber Incident means: 1. with respect to Insuring Agreement A, Cyber Incident Response Fund, a. any actual or reasonably suspected Network Security Failure; b.
any actual or reasonably suspected failure by an Insured, or any independent contractor for whom or for which an Insured is legally responsible, to properly handle, manage, store, destroy, protect, use or otherwise control Protected Information; c. any unintentional violation by an Insured of any Privacy or Cyber Law, including the unintentional wrongful collection of Protected Information by an Insured; d. any reasonably suspected Interruption in Service, provided a Limit of Insurance is shown in the Declarations applicable to Insuring Agreement B, Business Interruption And Extra Expenses; or e. any reasonably suspected Network Extortion Threat, provided a Limit of Insurance is shown in the Declarations applicable to Insuring Agreement D, Network Extortion; 2. with respect to Insuring Agreement B, Business Interruption And Extra Expenses, an actual Interruption in Service; 3. with respect to Insuring Agreement C, Digital Data Recovery, an actual Network Security Failure resulting in Digital Data Recovery Costs; 4. with respect to Insuring Agreement D, Network Extortion, an actual Network Extortion Threat; or 5. with respect to Insuring Agreement E, Cyber, Privacy And Network Security Liability, any error, misstatement, misleading statement, act, omission, neglect, breach of duty or other offense actually or allegedly committed or attempted by any Insured in their capacity as such, resulting in or based upon a Cyber Incident as referenced in paragraphs 1-4 immediately above.

Cyber Incident Response Coach means the law firm within the Cyber Incident Response Team, designated for consultative and pre-litigation legal services provided to an Insured.

Cyber Incident Response Expenses means those reasonable and necessary expenses paid or incurred by an Insured as a result of a Cyber Incident. Such expenses are as follows: 1. retaining the services of the Cyber Incident Response Coach; 2.
retaining the services of a third party computer forensics firm to determine the cause and scope of a Cyber Incident; 3. retaining the services of a public relations or crisis communications firm for the purpose of protecting or restoring the reputation of, or mitigating financial harm to, an Insured; 4. retaining the services of a law firm to determine the Insured's rights under the indemnification provisions of a written agreement between the Insured and any other person or entity with respect to a Cyber Incident otherwise covered under Insuring Agreements A - E of this Policy; 5. expenses required to comply with Privacy or Cyber Laws, including: a. retaining the services of a law firm to determine the applicability of and actions necessary to comply with Privacy or Cyber Laws; b. drafting notification letters, and to report and communicate as required with any regulatory, administrative or supervisory authority; c. retaining call center and other related services for notification as required by law; or d. providing credit monitoring, credit freezing or credit thawing. For purposes of this paragraph 5, compliance with Privacy or Cyber Laws shall follow the law of the applicable jurisdiction that most favors coverage for such expenses; 6. expenses not required to comply with Privacy or Cyber Laws, and with the Insurer's prior consent, for: a. notifying a natural person whose Protected Information has been wrongfully disclosed or otherwise compromised, including retaining a notification service or the services of a call center; b. providing credit monitoring, credit freezing, credit thawing, healthcare record monitoring (where available), social media monitoring, password management service, or fraud alert services for those natural persons who accept an offer made by or on behalf of the Insured for, and receive, such services; c.
retaining the services of a licensed investigator or credit specialist to provide fraud consultation to the natural persons whose Protected Information has been wrongfully disclosed or otherwise compromised; d. retaining the services of third party identity restoration service to natural persons identified by a licensed investigator as victims of identity theft directly resulting from a Cyber Incident otherwise covered under Insuring Agreements A or E; e. paying any reasonable amount to an informant for information not otherwise available which leads to the arrest and conviction of a natural person or an entity responsible for a Cyber Incident; or f. other services that are deemed reasonable and necessary by the Insurer.

Cyber Incident Response Expenses shall not include: i. costs or expenses incurred to update or improve privacy or network security controls, policies or procedures, or compliance with Privacy or Cyber Laws, to a level beyond that which existed prior to the applicable Cyber Incident; ii. taxes, fines, penalties, amounts for injunctive relief, or sanctions; iii. the Insured's money or any money in the Insured's care, custody, or control; or iv. wages, salaries, and other compensation of directors, officers, similar executives, or employees of an Organization, or internal operating costs, expenses, or fees of any Organization.

Cyber Incident Response Team means Pre-Approved Service Providers who provide services as defined in Cyber Incident Response Expenses.

Damages means compensatory damages, any award of prejudgment or post judgment interest, Payment Card Loss, Consumer Redress Fund, settlements, and amounts which an Insured becomes legally obligated to pay on account of any Claim. Damages shall not include: 1. any amount for which an Insured is not financially liable or legally obligated to pay; 2.
taxes, fines, penalties or sanctions imposed against an Insured, except for Payment Card Loss or Regulatory Fines otherwise covered under Insuring Agreement E; 3. matters uninsurable under the laws pursuant to which this Policy is construed; 4. punitive or exemplary damages, or the multiple portion of any multiplied damage award, except to the extent that such punitive or exemplary damages, or multiplied portion of any multiplied damage award, are insurable under the applicable laws of any jurisdiction which most favors coverage for such damages and which has a substantial relationship to the Insured, Insurer, this Policy, or the Claim giving rise to such damages; 5. the cost to an Insured to comply with any injunctive, remedial, preventative, or other non-monetary or declaratory relief, including specific performance, or any agreement to provide such relief; 6. consideration owed or paid by or to an Insured, including any royalties, restitution, reduction, disgorgement or return of any payment, charges, or fees; or costs to correct or re-perform services, or for the reprint, recall, or removal of Media Content; 7. liquidated damages pursuant to a contract, to the extent such amount exceeds the amount which the Insured would have been liable in the absence of such contract; or 8. penalties against an Insured of any nature, however denominated, arising by contract, except for Payment Card Loss otherwise covered under Insuring Agreement E.

Digital Data means software or other information in electronic form which is stored on an Insured's Computer System or Shared Computer System. Digital Data shall include the capacity of an Insured's Computer System or Shared Computer System to store information, process information, and transmit information over the Internet. Digital Data shall not include or be considered tangible property.

Digital Data Recovery Costs means: 1.
the reasonable and necessary costs incurred by an Insured to replace, restore, recreate, re-collect or recover Digital Data from written records or from partially or fully matching electronic records due to their corruption, theft, or destruction, caused by a Network Security Failure, including disaster recovery or computer forensic investigation efforts. However, in the event that it is determined that the Digital Data cannot be replaced, restored, recreated, re-collected, or recovered, Digital Data Recovery Costs shall be limited to the reasonable and necessary costs incurred to reach such determination; or 2. Telephone Fraud Financial Loss, including reasonable and necessary expenses incurred to mitigate or reduce any costs or loss in paragraphs 1 and 2 immediately above.

Digital Data Recovery Costs shall not include: a. costs or expenses incurred to update, replace, restore, recreate or improve Digital Data to a level beyond that which existed prior to the applicable Cyber Incident; b. costs or expenses incurred to identify or remediate software program errors or vulnerabilities, or costs to update, replace, restore, upgrade, maintain, or improve a Computer System; c. costs incurred to research and develop Digital Data, including Trade Secrets; d. the economic or market value of Digital Data, including Trade Secrets; or e. any other consequential loss or damages.

Extended Reporting Period means the period of time shown in Item 7B of the Declarations, subject to Section V, Extended Reporting Period.

Extortion Expenses means reasonable and necessary expenses incurred by an Insured resulting directly from a Network Extortion Threat, including money, cryptocurrencies (including Bitcoin), or other consideration surrendered as payment by an Insured to a natural person or group believed to be responsible for a Network Extortion Threat.
Extortion Expenses shall also include reasonable and necessary expenses incurred to mitigate or reduce any of the foregoing expenses.

Extra Expenses means the reasonable and necessary: 1. expenses incurred by an Insured to the extent such expenses mitigate, reduce, or avoid an Interruption in Service, provided they are in excess of expenses that an Insured would have incurred had there been no Interruption in Service; 2. expenses incurred by an Insured to the extent such expenses reduce the Period of Restoration; 3. with the Insurer's prior consent, costs incurred by an Insured to retain the services of a third party forensic accounting firm to determine the amount of Business Interruption Loss or Contingent Business Interruption Loss.

Extra Expenses shall not include: a. costs or expenses incurred to prevent a loss or correct any deficiencies or problems with an Insured's Computer System or Shared Computer System that might cause or contribute to a Claim; b. costs or expenses incurred to update, restore, replace, upgrade, maintain, or improve any Computer System; or c. penalties of any nature, however denominated, arising by contract.

Incident means Cyber Incident or Media Incident.

Insured means: 1. the Named Insured; 2. any Subsidiary of the Named Insured, but only with respect to Incidents which occur while it is a Subsidiary; 3. any past, present, or future natural person principal, partner, officer, director, trustee, employee, leased employee or temporary employee of an Organization, but only with respect to an Incident committed within the scope of such natural person's duties performed on behalf of such Organization; 4.
any past, present or future independent contractor of an Organization who is a natural person, agent, or single person entity, but only with respect to the commission of an Incident within the scope of such natural person's, agent's, or single person entity's duties, performed on behalf of such Organization; or 5. any past, present or future natural person intern or volunteer worker of an Organization and who is registered or recorded as an intern or volunteer worker with such Organization, but only with respect to an Incident within the scope of such natural person's duties performed on behalf of such Organization.

Insured's Computer System means a Computer System leased, owned or operated by an Insured or operated solely for the benefit of an Insured by a third party under written contract with an Insured.

Insurer means the insurance company providing this insurance.

Interrelated Incidents means all Incidents that have as a common nexus any act, fact, circumstance, situation, event, transaction, cause or series of related acts, facts, circumstances, situations, events, transactions or causes.

Interruption in Service means a detectable interruption or degradation in service of: 1. with respect to Insuring Agreement B1, an Insured's Computer System; or 2. with respect to Insuring Agreement B2, a Shared Computer System; caused by a Malicious Computer Act.

Malicious Computer Act means malicious or fraudulent: 1. unauthorized access to or use of a Computer System; 2. alteration, corruption, damage, manipulation, misappropriation, theft, deletion, or destruction of Digital Data; 3. creation, transmission, or introduction of a computer virus or harmful code into a Computer System; or 4. restriction or inhibition of access, including denial of service attacks, upon or directed against a Computer System.
Media Content means any data, text, sounds, images, graphics, music, photographs, or advertisements, and shall include video, streaming content, webcasts, podcasts, blogs, online forums, and chat rooms. Media Content shall not include computer software, software technology, or the actual goods, products or services described, illustrated or displayed in such Media Content.

Media Incident means any error, misstatement, misleading statement, act, omission, neglect or breach of duty actually or allegedly committed or attempted by any Insured, or by any person or entity for whom an Insured is legally responsible, in the public display of: 1. Media Content on an Insured's website or printed material; or 2. Media Content posted by or on behalf of an Insured on any social media site or anywhere on the Internet, which results in the following: a. copyright infringement, passing-off, plagiarism, piracy, or misappropriation of property rights; b. infringement or dilution of title, logo, slogan, domain name, metatag, trademark, trade name, service mark, or service name; c. defamation, libel, slander, or any other form of defamation or harm to the character, reputation or feelings of any person or entity, including product disparagement, trade libel, outrage, infliction of emotional distress, or prima facie tort; d. invasion or infringement of the right of privacy or publicity, including the torts of intrusion upon seclusion, publication of private facts, false light, or misappropriation of name or likeness; e. false arrest, detention or imprisonment, harassment, trespass, wrongful entry or eviction, eavesdropping, or other invasion of the right of private occupancy; f. improper deep linking or framing; or g. unfair competition or unfair trade practices, including misrepresentations in advertising, solely when alleged in conjunction with the alleged conduct referenced in items a-f immediately above.
Named Insured means the entity shown in Item 1 of the Declarations.

Network Extortion Threat means any credible threat or series of related threats directed at an Insured to: 1. release, divulge, disseminate, destroy or use Protected Information or confidential corporate information of an Insured taken from an Insured as a result of the unauthorized access to or unauthorized use of an Insured's Computer System or Shared Computer System; 2. cause a Network Security Failure; 3. alter, corrupt, damage, manipulate, misappropriate, delete or destroy Digital Data; or 4. restrict or inhibit access to an Insured's Computer System or Shared Computer System; where the Insured makes a payment or a series of payments, or otherwise meets a demand, in exchange for the mitigation or removal of such threat or series of related threats.

Network Security means those activities performed by an Insured, or by others on behalf of an Insured, to protect an Insured's Computer System or Shared Computer System.

Network Security Failure means a failure in Network Security, including the failure to prevent a Malicious Computer Act.

Non-Panel Response Provider means any firm providing the services shown in the definition of Cyber Incident Response Expenses to an Insured that is not a Pre-Approved Response Provider.

Organization means the Named Insured and any Subsidiary.

Payment Card means an authorized account, or evidence of an account, for a credit card, debit card, charge card, fleet card or stored value card between the Payment Card Brand and its customer.

Payment Card Brand means any payment provider whose payment method is accepted for processing, including Visa Inc. International, MasterCard Worldwide, Discover Financial Services, American Express Company, and JCB International.
Payment Card Industry Data Security Standards means the rules, regulations, standards or guidelines adopted or required by the Payment Card Brand or the Payment Card Industry Data Security Standards Council relating to data security and the safeguarding, disclosure and handling of Protected Information.

Payment Card Loss means monetary assessments, fines, penalties, chargebacks, reimbursements, and fraud recoveries which an Insured becomes legally obligated to pay as a result of an Insured's actual or alleged failure: 1. of Network Security; or 2. to properly protect, handle, manage, store, destroy, or otherwise control Payment Card data, including Protected Information, where such amount is determined pursuant to a payment card processing agreement between an Organization and a Payment Card Brand, or a merchant agreement between an Organization and a payment services provider, including for mobile payment services, or demanded in writing from an issuing or acquiring bank that processes Payment Card transactions, due to an Insured's actual or alleged non-compliance with applicable Payment Card Industry Data Security Standards, EMV specifications, or mobile payment security requirements.

Payment Card Loss shall not include: 1. subsequent fines or assessments for continued non-compliance with the Payment Card Industry Data Security Standards, EMV Specifications, or a mobile payment services merchant agreement; or 2. costs or expenses incurred to update or improve privacy or network security controls, policies or procedures to a level beyond that which existed prior to the applicable Cyber Incident or to be compliant with applicable Payment Card Industry Data Security Standards, EMV Specifications, or a mobile payment services merchant agreement.

Period of Restoration means the continuous period of time that: 1. begins with the earliest date of an Interruption in Service; and 2.
ends on the date when an Insured's Computer System or Shared Computer System is or could have been repaired or restored with reasonable speed to the same functionality and level of service that existed prior to the Interruption in Service. In no event shall the Period of Restoration exceed sixty (60) days.

Policy means, collectively, the Declarations, Application, this policy form and any endorsements attached hereto.

Policy Period means the period of time shown in Item 2 of the Declarations, unless changed pursuant to Section XV, Termination of this Policy.

Pollutants means any solid, liquid, gaseous or thermal irritant or contaminant, including smoke, vapor, soot, fumes, acids, alkalis, chemicals, asbestos, asbestos products or waste. Waste includes materials to be recycled, reconditioned or reclaimed.

Pre-Approved Response Provider means any firm listed on the Insurer's pre-approved service provider list available on request from the Insurer or on the pre-approved service provider list specified on the website shown in Item 9A of the Declarations.

Privacy or Cyber Laws means any local, state, federal, and foreign identity theft and privacy protection laws, legislation, statutes, or regulations that require commercial entities that collect Protected Information to post privacy policies, adopt specific privacy or security controls, or notify individuals in the event that Protected Information has potentially been compromised.

Property Damage means physical injury to, or loss or destruction of, tangible property, including the loss of use thereof whether or not it is damaged or destroyed.

Protected Information means the following, in any format: 1.
a natural person's name, e-mail address, social security number, medical or healthcare data, other protected health information, driver's license number, state identification number, credit card number, debit card number, address, unpublished telephone number, account number, account histories, personally identifiable photos, personally identifiable videos, Internet browsing history, biometric records, passwords or other non-public personal information as defined in any Privacy or Cyber Laws; or 2. any other third party confidential or proprietary information: a. provided to an Insured and protected under a nondisclosure agreement or similar contract; or b. which an Organization is legally responsible to maintain in confidence.

Regulatory Fines means any civil monetary fine or penalty imposed by a federal, state, local or foreign governmental entity in such entity's regulatory or official capacity as a result of a Regulatory Proceeding. Regulatory Fines shall not include any civil monetary fines or penalties that are not insurable by law, criminal fines, disgorgement, or the multiple portion of any multiplied damage award.

Regulatory Proceeding means a suit, civil investigation or civil proceeding by or on behalf of a government agency, government licensing entity, or regulatory authority, commenced by the service of a complaint or similar pleading based on an alleged or potential violation of Privacy or Cyber Laws as a result of a Cyber Incident, and which may reasonably be expected to give rise to a Claim under Insuring Agreement E.

Retroactive Date means the date shown in Item 5 of the Declarations.
Shared Computer System means a Computer System, other than an Insured's Computer System, operated for the benefit of an Insured by a third party under written contract with an Insured, including data hosting, cloud services or computing, co-location, data back-up, data storage, data processing, platforms, software, and infrastructure-as-a-service.

Subsidiary means: 1. any entity while more than fifty percent (50%) of the outstanding securities representing the present right to vote for election of or to appoint directors, trustees, managers, members of the Board of Managers or equivalent positions of such entity are owned, or controlled, by the Named Insured, directly or through one or more Subsidiaries; 2. any entity formed as a partnership while more than fifty percent (50%) of the ownership interests representing the present right to vote for election of or to appoint the management or executive committee members or equivalent positions of such entity are owned, or controlled, by the Named Insured, directly or through one or more Subsidiaries; or 3. any entity while: a. exactly fifty percent (50%) of the voting rights representing the present right to vote for election of or to appoint directors, trustees, managers, members of the Board of Managers or equivalent positions of such entity are owned, or controlled, by the Named Insured, directly or through one or more Subsidiaries; and b. the Named Insured, pursuant to a written contract with the owners of the remaining and outstanding voting stock of such entity, solely controls the management and operation of such entity.

Telephone Fraud Financial Loss means toll and line charges which an Insured incurs, solely as a result of the fraudulent infiltration and manipulation of the Insured's Telephone System from a remote location to gain access to outbound long distance telephone service.
Telephone System means PBX, CBX, Merlin, VoIP, remote access (including DISA), and all related peripheral equipment or similar systems owned or leased by an Insured for purposes of voice-based telecommunications.

Trade Secret means information, including a formula, pattern, compilation, program, device, method, technique or process, that derives actual or potential economic value from not being generally known to or readily ascertainable by other persons who can obtain value from its disclosure or use, so long as reasonable efforts have been made to maintain its secrecy.

Waiting Period means the number of hours shown in Item 4 of the Declarations.

III. EXCLUSIONS

A. EXCLUSIONS APPLICABLE TO ALL INSURING AGREEMENTS
The Insurer shall not be liable for Costs, Damages, or Claims Expenses on account of any Incident or any Claim:

1. Conduct
alleging, based upon, arising out of or attributable to: a. any dishonest, fraudulent, criminal, malicious or intentional act, error or omission, or any intentional or knowing violation of the law by an Insured; or b. the gaining in fact of any profit, remuneration or financial advantage to which any Insured was not legally entitled.

However, this exclusion shall not apply to Claims Expenses or the Insurer's duty to defend any such Claim, until there is a final, non-appealable adjudication against, binding arbitration against, adverse admission by, finding of fact against, or plea of nolo contendere or no contest by, the Insured as to such conduct or violation, at which time the Insured shall reimburse the Insurer for any Claims Expenses paid by the Insurer. Provided that: i. no conduct pertaining to any natural person Insured shall be imputed to any other natural person Insured; and ii. any conduct pertaining to any past, present, or future Control Group Member, other than a Rogue Actor, shall be imputed to an Organization.
For purposes of this exclusion, "Rogue Actor" means a Control Group Member acting outside his or her capacity as such.

2. Prior Knowledge
alleging, based upon, arising out of or attributable to any Incident that first occurred, arose or took place prior to the earlier of the effective date of this Policy, or the effective date of any Policy issued by the Insurer of which this Policy is a continuous renewal or a replacement, and any Control Group Member knew of such Incident; and, with respect to Insuring Agreements E and F, any Control Group Member reasonably could have foreseen that such Incident did or could lead to a Claim.

3. Pending or Prior Proceedings
alleging, based upon, arising out of, or attributable to: a. any pending or prior litigation, Claim, demand, arbitration, administrative or regulatory proceeding or administrative or regulatory investigation filed or commenced on or before the Pending or Prior Proceedings Date shown in Item 6 of the Declarations, or alleging or derived from the same or substantially the same fact, circumstance or situation underlying or alleged therein; or b. any other Incident whenever occurring which, together with an Incident underlying or alleged in any pending or prior litigation, Claim, demand, arbitration, administrative or regulatory proceeding or administrative or regulatory investigation as set forth pursuant to paragraph a. immediately above, would constitute Interrelated Incidents.

4. Prior Notice
alleging, based upon, arising out of, or attributable to: a. any Incident, fact, circumstance or situation which has been the subject of any written notice given and accepted under any other policy before the effective date of this Policy; or b. any other Incident whenever occurring which, together with an Incident which has been the subject of such notice, would constitute Interrelated Incidents.

5. Bodily Injury
for any Bodily Injury.
However, solely with respect to Insuring Agreement E and Insuring Agreement F, this exclusion shall not apply to mental injury, mental anguish, mental tension, emotional distress, pain and suffering, or shock resulting from an Incident.

6. Property Damage
alleging, based upon, arising out of, or attributable to Property Damage.

7. Pollution
alleging, based upon, arising out of or attributable to the actual, alleged or threatened discharge, release, escape, seepage, migration, or disposal of Pollutants, or any direction or request that any Insured test for, monitor, clean up, remove, contain, treat, detoxify or neutralize Pollutants, or any voluntary decision to do so.

8. Infrastructure Outage
alleging, based upon, arising out of or attributable to any electrical or mechanical failure or interruption, electrical disturbance, surge, spike, brownout, blackout, or outages to electricity, gas, water, Internet access service provided by the Internet service provider that hosts an Insured's website, telecommunications or other infrastructure. However, this exclusion shall not apply to failures, interruptions, disturbances or outages of telephone, cable or telecommunications systems, networks or infrastructure: a. under an Insured's operational control which are a result of a Network Security Failure; b. solely with respect to Insuring Agreement B, which are the result of a Cyber Incident impacting a Shared Computer System; or c. solely with respect to Insuring Agreement E, which are the result of a Cyber Incident.

9. War
alleging, based upon, arising out of or attributable to war, invasion, acts of foreign enemies, terrorism, hijacking, hostilities or warlike operations (whether war is declared or not), military or usurped power, civil commotion assuming the proportions of or amounting to an uprising, strike, lock-out, riot, civil war, rebellion, revolution, or insurrection.
However, this exclusion shall not apply to an Act of Cyber-Terrorism that results in a Cyber Incident.
10. Nuclear alleging, based upon, arising out of or attributable to the planning, construction, maintenance, operation or use of any nuclear reactor, nuclear waste, storage or disposal site, or any other nuclear facility, the transportation of nuclear material, or any nuclear reaction or radiation, or radioactive contamination, regardless of its cause.
11. Contract for breach of any express, implied, actual or constructive contract, warranty, guarantee, or promise, including any actual or alleged liability assumed by an Insured, unless such liability would have attached to the Insured even in the absence of such contract, warranty, guarantee, or promise. However, this exclusion shall not apply to: a. solely with respect to Insuring Agreement E, Payment Card Loss; b. solely with respect to Insuring Agreements A or E, an Insured's contractual obligation to maintain the confidentiality or security of third party personal or corporate information; or c. solely with respect to Insuring Agreement F, misappropriation of idea under implied contract.
12. Fees or Chargebacks alleging, based upon, arising out of or attributable to: a. any fees, expenses, or costs paid to or charged by an Insured; or b. chargebacks, chargeback fees, interchange fees or rates, transfer fees, transaction fees, discount fees, merchant service fees, or prospective service fees. However, solely with respect to Insuring Agreement E, this exclusion shall not apply to Payment Card Loss.
13. Intellectual Property alleging, based upon, arising out of or attributable to any infringement of, violation of, misappropriation of, or assertion of any right to or interest in a patent or Trade Secret by any Insured.
However, solely with respect to Insuring Agreement E, this exclusion shall not apply to a Claim arising out of the actual or alleged disclosure or theft of Protected Information resulting from a Network Security Failure.
14. Antitrust or Unfair Trade Practices alleging, based upon, arising out of or attributable to any price fixing, restraint of trade, monopolization, interference with economic relations (including interference with contractual relations or with prospective advantage), unfair competition, unfair business or unfair trade practices, or any violation of the Federal Trade Commission Act, the Sherman Anti-Trust Act, the Clayton Act, or any other federal statutory provision involving anti-trust, monopoly, price fixing, price discrimination, predatory pricing, restraint of trade, unfair competition, unfair business or unfair trade practices, and any amendments thereto or any rules or regulations promulgated thereunder, amendments thereof, or any similar federal, state, or common law. However, this exclusion shall not apply to: a. solely with respect to Insuring Agreement E, a Claim resulting directly from a violation of Privacy or Cyber Laws; or b. solely with respect to Insuring Agreement F, a Claim for a Media Incident as defined in paragraph g of such definition.
15. Consumer Protection Laws alleging, based upon, arising out of or attributable to any violation by an Insured of the Truth in Lending Act, Fair Debt Collection Practices Act, or the Fair Credit Reporting Act or any amendments thereto or any rules or regulations promulgated thereunder, including the Fair and Accurate Credit Transactions Act, and any amendments thereto or any rules or regulations promulgated thereunder, amendments thereof, or any similar federal, state or common law.
However, solely with respect to Insuring Agreement E, this exclusion shall not apply to a Claim arising out of the actual or alleged disclosure or theft of Protected Information resulting from a Cyber Incident.
16. ERISA or Securities Law Violation alleging, based upon, arising out of or attributable to an Insured's violation of: a. the Employee Retirement Income Security Act of 1974, as amended; b. the Securities Act of 1933, the Securities Exchange Act of 1934, the Investment Company Act of 1940, the Investment Advisors Act, or any other federal, state or local securities law, and any amendments thereto or any rules or regulations promulgated thereunder, amendments thereof, or any similar federal, state or common law. However, solely with respect to Insuring Agreements A or E, paragraph a, immediately above, shall not apply.
17. Discrimination or Employment Practices alleging, based upon, arising out of or attributable to any illegal discrimination of any kind, or any employment relationship, or the nature, terms or conditions of employment, including claims for workplace torts, wrongful termination, dismissal or discharge, or any discrimination, harassment, breach of employment contract or defamation. However, solely with respect to Insuring Agreement E, this exclusion shall not apply to that part of any Claim alleging employee-related invasion of privacy or employee-related wrongful infliction of emotional distress in the event such Claim arises out of the actual or alleged disclosure or theft of Protected Information resulting from a Cyber Incident.
18.
Unsolicited Communications alleging, based upon, arising out of or attributable to any unsolicited electronic dissemination of faxes, e-mails or other communications by or on behalf of an Insured, including actions brought under the Telephone Consumer Protection Act, any federal or state anti-spam statutes, or any other federal or state statute, law, rule, regulation or common law relating to a person's or entity's right of seclusion. However, solely with respect to Insuring Agreement E, this exclusion shall not apply to a Claim resulting from a Cyber Incident as defined under subparagraph 1(c) of such definition.
19. Unlawful Use or Collection of Protected Information alleging, based upon, arising out of or attributable to the unlawful use or collection of Protected Information, or the failure to provide adequate notice that such information is being collected or used, by an Insured, with knowledge of any Control Group Member.
20. Intentional Failure to Disclose alleging, based upon, arising out of or attributable to an Insured's intentional failure to disclose the loss of Protected Information in violation of any law or regulation. However, this exclusion will not apply when an Insured's failure to disclose occurs pursuant to an order from a law enforcement or government authority in the course of a criminal investigation. Solely with respect to Insuring Agreement E, only facts pertaining to and knowledge possessed by any Control Group Member shall be imputed to other Insureds.
B. EXCLUSIONS APPLICABLE TO SPECIFIC INSURING AGREEMENTS
In addition to the Exclusions in Section IIIA above, the Insurer shall not be liable for Costs, Damages, or Claims Expenses on account of any Incident or any Claim:
1.
Force Majeure solely with respect to Insuring Agreements B and C, alleging, based upon, arising out of or attributable to fire, smoke, explosion, lightning, wind, flood, earthquake, volcanic eruption, tidal wave, landslide, hail, act of God (which does not include acts by actors purporting to be God), nature or any other physical event, however caused and whether contributed to, made worse by, or in any way results from any such events. This exclusion applies regardless of any other contributing or aggravating cause or event that contributes concurrently with or in any sequence to the Costs, Damages, or Claims Expenses on account of any Incident or any Claim.
2. Governmental Authority solely with respect to Insuring Agreements C and D, alleging, based upon, arising out of, or attributable to any action of a public or governmental authority, including the seizure, confiscation or destruction of an Insured's Computer System, a Shared Computer System or an Insured's Digital Data.
3. Insured v. Insured solely with respect to Insuring Agreements E and F, brought or maintained by, on behalf of, or in the right of any Insured. Provided, however, solely with respect to Insuring Agreement E, this exclusion shall not apply to that part of any Claim alleging employee-related invasion of privacy or employee-related wrongful infliction of emotional distress in the event such Claim arises out of the loss of Protected Information resulting from a Cyber Incident.
4. Licensing Entities solely with respect to Insuring Agreement F, alleging, based upon, arising out of or attributable to any action brought by or on behalf of the Federal Trade Commission, the Federal Communications Commission, or any other federal, state, or local government agency or ASCAP, SESAC, BMI or other licensing or rights entities in such entity's regulatory, quasi-regulatory, or official capacity, function or duty.
5.
False Advertising or Misrepresentation solely with respect to Insuring Agreement F, alleging, based upon, arising out of or attributable to any inaccurate, inadequate, or incomplete description of the price of goods, products or services, disclosure of fees, representations with respect to authenticity of any product, or the failure of any goods, product or services to conform with advertised quality or performance.
6. Contest or Game of Chance solely with respect to Insuring Agreement F, alleging, based upon, arising out of or attributable to any gambling, contest, game of chance or skill, lottery, or promotional game, including tickets or coupons or over-redemption related thereto.
IV. SPOUSES, COMMON LAW PARTNERS, ESTATES AND LEGAL REPRESENTATIVES
Coverage under this Policy shall extend to any Claim for any Incident made against:
A. the lawful spouse or domestic partner of a natural person Insured solely by reason of such spouse's or domestic partner's status as a spouse or domestic partner, or such spouse's or domestic partner's ownership interest in property which the claimant seeks as recovery in such Claim; or
B. the estate, heirs, legal representatives or assigns of a natural person Insured if such natural person Insured is deceased, or the legal representatives or assigns of a natural person Insured if such natural person Insured is legally incompetent, insolvent or bankrupt, provided that: 1. no coverage is provided for any act, error, or omission of an estate, heir, legal representative, assign, spouse or domestic partner; and 2. all of the terms and conditions of this Policy including, without limitation, all applicable Retentions shown in Item 4 of the Declarations apply to such Claim.
V. EXTENDED REPORTING PERIOD
A.
Solely with respect to Insuring Agreements A, E, and F, if the Insurer terminates or does not renew this Policy (other than for failure to pay a premium when due), or if the Named Insured terminates or does not renew this Policy and does not obtain replacement coverage as of the effective date of such termination or nonrenewal, the Named Insured shall have the right, upon payment of the additional premium shown in Item 7A of the Declarations and subject to the terms specified in Subsections B-E directly below, to a continuation of the coverage granted by this Policy for an Extended Reporting Period shown in Item 7B of the Declarations following the effective date of such termination or non-renewal.
B. Coverage for the Extended Reporting Period shall be only for Claims first made or Incidents first discovered during such Extended Reporting Period and arising from Incidents taking place prior to the effective date of such termination or non-renewal. This right to continue coverage shall lapse unless written notice of such election is given by the Named Insured to the Insurer, and the Insurer receives payment of the additional premium shown in Item 7A of the Declarations, within thirty (30) days following the effective date of termination or non-renewal.
C. The Extended Reporting Period is non-cancelable and the entire premium for the Extended Reporting Period shall be deemed fully earned and non-refundable upon payment.
D. The Extended Reporting Period shall not increase or reinstate any Limits of Insurance. The Limits of Insurance as shown in Item 3 and Item 4 of the Declarations shall apply to both the Policy Period and the Extended Reporting Period, combined.
E. A change in Policy terms, conditions, exclusions or premiums shall not be considered a non-renewal for purposes of triggering the rights to the Extended Reporting Period.
VI.
LIMITS OF INSURANCE
Regardless of the number of Insuring Agreements purchased under this Policy, or the number of Incidents, Insureds against whom Claims are brought, Claims made or persons or entities making Claims:
A. MAXIMUM POLICY AGGREGATE LIMIT OF INSURANCE The Insurer's maximum limit of insurance under all Insuring Agreements resulting from all Claims first made and Incidents first discovered during the Policy Period is shown in Item 3B of the Declarations, Maximum Policy Aggregate Limit of Insurance.
B. AGGREGATE LIMIT FOR ALL INCIDENTS OR CLAIMS UNDER ANY ONE INSURING AGREEMENT The Insurer's maximum limit of insurance for all Incidents or Claims under any one Insuring Agreement shall be the applicable Aggregate Limit for all Incidents or Claims shown in Item 4 of the Declarations, which shall be part of, and not in addition to, the Maximum Policy Aggregate Limit of Insurance shown in Item 3B of the Declarations.
C. MAXIMUM LIMIT OF INSURANCE FOR EACH INCIDENT OR CLAIM UNDER ANY ONE INSURING AGREEMENT The Insurer's maximum limit of insurance for each Incident or Claim under any one Insuring Agreement shall be the applicable Each Incident or Claim Limit shown in Item 4 of the Declarations, which shall be part of, and not in addition to, the applicable Aggregate Limit for all Incidents or Claims shown in Item 4 of the Declarations, and the Maximum Policy Aggregate Limit of Insurance shown in Item 3B of the Declarations.
D. MAXIMUM LIMIT OF INSURANCE FOR ALL INTERRELATED INCIDENTS AND CLAIMS All Claims arising out of the same Incident and all Interrelated Incidents shall be deemed to be one Claim, and such Claim shall be deemed to be first made on the date the earliest of such Claims is first made, regardless of whether such date is before or during the Policy Period.
All Interrelated Incidents shall be deemed to be one Incident, and such Incident shall be deemed to be first discovered, on the date the earliest of such Incidents is first discovered, regardless of whether such date is before or during the Policy Period. The maximum limit of insurance for all Interrelated Incidents and Claims arising out of such Interrelated Incidents shall be the Maximum Single Incident or Claim Limit of Insurance shown in Item 3A of the Declarations, regardless of whether Costs, Damages or Claims Expenses from a single Incident or Claim are covered under more than one Insuring Agreement. Notwithstanding anything in this paragraph to the contrary, in no event shall the Insurer pay more than the applicable: 1. Maximum Policy Aggregate Limit of Insurance shown in Item 3B of the Declarations, 2. Aggregate Limit for all Incidents or Claims under any one Insuring Agreement shown in Item 4 of the Declarations, and 3. Each Incident or Claim Limit under any one Insuring Agreement shown in Item 4 of the Declarations.
E. Costs, Damages and Claims Expenses shall be part of and not in addition to the applicable Limit of Insurance shown in the Declarations, and shall reduce such applicable Limit of Insurance. If the applicable Limit of Insurance is exhausted by payment of Costs, Damages and Claims Expenses, the obligations of the Insurer under this Policy shall be completely fulfilled and extinguished.
F. Any sub-limits shown in the Declarations or added by endorsement to this Policy shall be part of and not in addition to the applicable Limit of Insurance shown in the Declarations, and shall reduce such applicable Limit of Insurance.
VII. RETENTION
A. The liability of the Insurer shall apply only to that part of Costs, Damages, and Claims Expenses which is in excess of the applicable Retention amount shown in Item 4 of the Declarations. Such Retention shall be borne uninsured by the Named Insured and at the risk of all Insureds.
B.
With respect to Insuring Agreement B, the Insurer will pay the actual Business Interruption Loss, Contingent Business Interruption Loss and Extra Expenses incurred by an Insured: 1. once the applicable Waiting Period shown in Item 4B of the Declarations has expired; and 2. which is in excess of the applicable Retention amount shown in Item 4B of the Declarations. The Waiting Period and Retention amounts shall be computed as of the start of the Interruption in Service. Any Business Interruption Loss or Contingent Business Interruption Loss incurred by an Insured during the Waiting Period, and resulting from an Interrelated Incident with Extra Expenses, shall reduce and may exhaust any applicable Retention.
C. A single Retention amount shall apply to Costs, Damages, and Claims Expenses, arising from all Incidents or Claims alleging an Interrelated Incident.
D. If a single Incident or Claim, or Interrelated Incidents are subject to different Retentions, the applicable Retention shall be applied separately to each part of the Costs, Damages, and Claim Expenses, but the sum of such Retentions shall not exceed the largest applicable Retention.
VIII. NOTICE
A. Urgent crisis management assistance by the Cyber Incident Response Coach is available at the hotline number shown in the Declarations. Use of the services of the Cyber Incident Response Coach for a consultation DOES NOT constitute notice under this Policy of a Cyber Incident or Claim. In order to provide notice under this Policy, such notice must be given in accordance with and is subject to Subsections B-D of this Section VIII.
B. An Insured shall, as a condition precedent to such Insured's rights under this Policy, give to the Insurer written notice of any Incident or Claim as soon as practicable after any Control Group Member discovers such Incident or becomes aware of such Claim, but in no event later than:
1.
if this Policy expires (or is otherwise terminated) without being renewed with the Insurer, ninety (90) days after the effective date of such expiration or termination; or
2. the expiration of the Extended Reporting Period, if applicable, provided that if the Insurer sends written notice to the Named Insured, stating that this Policy is being terminated for nonpayment of premium, an Insured shall give to the Insurer written notice of such Claim prior to the effective date of such termination.
C. If, during the Policy Period, any Control Group Member first becomes aware of any specific Incident which may reasonably give rise to a future Claim under this Policy, and written notice is given to the Insurer during the Policy Period, of the: 1. nature of the Incident; 2. identity of the Insureds allegedly involved; 3. circumstances by which the Insureds first became aware of the Incident; 4. identity of the actual or potential claimants; 5. foreseeable consequences of the Incident; and 6. nature of the potential Damages; then any Claim which arises out of such Incident shall be deemed to have been first made at the time such written notice was received by the Insurer. The Insurer will not pay for Damages or Claims Expenses incurred prior to the time such Incident results in a Claim.
D. All notices under any provision of this Policy shall be given as follows:
1. Notice to the Insureds may be given to the Named Insured at the address shown in Item 1 of the Declarations.
2. Notice to the Insurer of any Incident or Claim shall be given to the Insurer at the physical address or email address shown in Item 9A of the Declarations.
3. All other notices to the Insurer under this Policy shall be given to the Insurer at the physical address shown in Item 9B of the Declarations.
Notice given as set out above shall be deemed to be received and effective upon actual receipt thereof by the addressee, or one day following the date such notice is sent, whichever is earlier.
When any such notices are sent to a physical address, such notices shall be sent by prepaid express courier or certified mail properly addressed to the appropriate party.
IX. DEFENSE AND SETTLEMENT
A. Except as provided in Subsection B of this Section IX, the Insurer shall have the right and duty to defend any Claim brought against an Insured even if such Claim is groundless, false or fraudulent. The Insurer shall consult and endeavor to reach an agreement with the Insured regarding the appointment of counsel, but shall retain the right to appoint counsel and to make such investigation and defense of a Claim as it deems necessary.
B. The Insurer shall have the right, but not the duty, to defend any Regulatory Proceeding. For such Claims, the Insured shall select defense counsel from the Insurer's list of approved law firms, and the Insurer reserves the right to associate in the defense of such Claims.
C. No Insured shall settle any Claim, incur any Claims Expenses, or otherwise assume any contractual obligation or admit any liability with respect to any Claim without the Insurer's written consent, which shall not be unreasonably withheld.
D. The Insurer shall not settle any Claim without the written consent of the Named Insured. If the Named Insured refuses to consent to a settlement recommended by the Insurer and acceptable to the claimant, then the Insurer's applicable Limit of Insurance under this Policy with respect to such Claim shall be reduced to: 1. the amount of Damages for which the Claim could have been settled plus all Claims Expenses incurred up to the time the Insurer made its recommendation to the Named Insured; plus 2. eighty percent (80%) of all subsequent covered Damages and Claims Expenses in excess of such amount referenced in paragraph (1) immediately above, which amount shall not exceed that portion of any applicable Limit of Insurance that remains unexhausted by payment of Costs, Damages, and Claims Expenses.
The remaining twenty percent (20%) of all subsequent covered Damages and Claims Expenses shall be borne by the Insureds uninsured and at their own risk. However, this provision does not apply to any potential settlement that is within the Retention. E. The Insurer shall not be obligated to investigate, defend, pay or settle, or continue to investigate, defend, pay or settle any Claim after any applicable Limit of Insurance has been exhausted by payment of Costs, Damages, or Claims Expenses, or by any combination thereof, or after the Insurer has deposited the remainder of any unexhausted applicable Limit of Insurance into a court of competent jurisdiction. In either such case, the Insurer shall have the right to withdraw from the further investigation, defense, payment or settlement of such Claim by tendering control of such Claim to the Insured. F. The Insureds shall cooperate with the Insurer and provide to the Insurer all information and assistance which the Insurer reasonably requests including attending hearings, depositions and trials and assistance in effecting settlements, securing and giving evidence, obtaining the attendance of witnesses and conducting the defense of any Claim covered by this Policy. The Insured shall do nothing that may prejudice the Insurer's position. The Insureds shall immediately forward to the Insurer, at the address shown in Item 9A of the Declarations, every demand, notice, summons, or other process or pleading received by an Insured or its representatives. G. With the exception of paragraph 6 of the Cyber Incident Response Expenses definition, an Insured has the right to incur Cyber Incident Response Expenses without the Insurer's prior consent. However, the Insurer shall, at its sole discretion and in good faith, pay only for such expenses that the Insurer deems to be reasonable and necessary. X. PROOF OF LOSS FOR FIRST PARTY INSURING AGREEMENTS A. 
Requests for payment or reimbursement of Costs incurred by an Insured shall be accompanied by a proof of loss with full particulars as to the computation of such Costs. Such proof of loss will include in detail how the Costs were calculated, and what assumptions have been made, and shall include documentary evidence, including any applicable reports, books of accounts, bills, invoices and other vouchers or proofs of payment made by an Insured in relation to such Costs. Furthermore, the Insureds shall cooperate with, and provide any additional information reasonably requested by, the Insurer in its review of Costs, including the right to investigate and audit the proof of loss and inspect the records of an Insured.
B. With respect to Insuring Agreement B, the Business Interruption Loss or Contingent Business Interruption Loss will be determined taking full account and due consideration of an Insured's proof of loss and in addition, the trends or circumstances which affect the profitability of the business and would have affected the profitability of the business had the Business Interruption Loss or Contingent Business Interruption Loss not occurred, including all material changes in market conditions or adjustment expenses which would affect the net profit generated. However, the Insurer's adjustment will not include the Insured's increase in income that would likely have been earned as a result of an increase in the volume of business due to favorable business conditions caused by the impact of a Malicious Computer Act on others.
XI. ALLOCATION
If a Claim includes both covered and uncovered matters, then coverage shall apply as follows:
A.
Claims Expenses: One hundred percent (100%) of Claims Expenses incurred by any Insured on account of such Claim shall be considered covered provided that the foregoing shall not apply with respect to: (i) a Regulatory Proceeding; or, (ii) any Insured for whom coverage is excluded pursuant to Exclusion III.A.1 or Section XIV, Subsection C. With respect to a Regulatory Proceeding, amounts for covered Claims Expenses and for uncovered fees, costs and expenses shall be allocated based upon the relative legal and financial exposures of, and the relative benefits obtained by, the parties to such matters.
B. Loss other than Claims Expenses: all remaining loss incurred by such Insured from such Claim shall be allocated between covered Damages and uncovered damages based upon the relative legal and financial exposures of, and the relative benefits obtained by, the parties to such matters.
XII. OTHER INSURANCE
If any Costs, Damages or Claims Expenses covered under this Policy are covered under any other valid and collectible insurance, then this Policy shall cover such Costs, Damages or Claims Expenses, subject to the Policy terms and conditions, only to the extent that the amount of such Costs, Damages or Claims Expenses are in excess of the amount of such other insurance whether such other insurance is stated to be primary, contributory, excess, contingent or otherwise, unless such other insurance is written only as specific excess insurance over the Limits of Insurance provided by this Policy.
XIII. MATERIAL CHANGES IN EXPOSURE
A. ACQUISITION OR CREATION OF ANOTHER ENTITY If, during the Policy Period, the Named Insured:
1. acquires voting securities in another entity or creates another entity, which as a result of such acquisition or creation becomes a Subsidiary; or
2.
acquires any entity by merger into or consolidation with the Named Insured; then, subject to the terms and conditions of this Policy, such entity and its natural person Insureds shall be covered under this Policy but only with respect to Claims for Incidents, or Incidents, as applicable, taking place after such acquisition or creation, unless the Insurer agrees to provide coverage by endorsement for Claims for Incidents, or Incidents, as applicable, taking place prior to such acquisition or creation.
B. ACQUISITION OF THE NAMED INSURED If, during the Policy Period, any of the following events occurs: 1. the acquisition of the Named Insured, or of all or substantially all of its assets, by another entity, or the merger or consolidation of the Named Insured into or with another entity such that the Named Insured is not the surviving entity; or 2. the obtaining by any person, entity or affiliated group of persons or entities of the right to elect, appoint or designate at least fifty percent (50%) of the directors, trustees, managers, members of the Board of Managers, management or executive committee members or equivalent positions of the Named Insured; then coverage under this Policy will continue in full force and effect until termination of this Policy, but only with respect to Claims for Incidents, or Incidents, as applicable, taking place before such event. Coverage under this Policy will cease as of the effective date of such event with respect to Claims for Incidents, or Incidents, as applicable, taking place after such event. This Policy may not be cancelled after the effective time of the event, and the entire premium for this Policy shall be deemed earned as of such time.
C. TERMINATION OF A SUBSIDIARY If, before or during the Policy Period, an entity ceases to be a Subsidiary, coverage with respect to such Subsidiary and any Insured (as defined in paragraphs 3, 4 and 5 of such definition) of the Subsidiary shall continue until termination of this Policy.
Such coverage continuation shall apply only with respect to Claims for Incidents, or Incidents, as applicable, taking place prior to the date such entity ceased to be a Subsidiary.
XIV. REPRESENTATIONS
A. In granting coverage to any Insured, the Insurer has relied upon the declarations and statements in the Application for this Policy. Such declarations and statements are the basis of the coverage under this Policy and shall be considered as incorporated in and constituting part of this Policy.
B. The Application for coverage shall be construed as a separate Application for coverage by each Insured. With respect to the declarations and statements in such Application, no knowledge possessed by a natural person Insured shall be imputed to any other natural person Insured.
C. However, in the event that such Application contains any misrepresentations made with the actual intent to deceive or contains misrepresentations which materially affect either the acceptance of the risk or the hazard assumed by the Insurer under this Policy, then no coverage shall be afforded for any Incident or Claim based upon, arising from or in consequence of any such misrepresentations with respect to: 1. any natural person Insured who knew of such misrepresentations (whether or not such natural person knew such Application contained such misrepresentations); or 2. an Organization, if any past or present Control Group Member knew of such misrepresentations (whether or not such Control Group Member knew such Application contained such misrepresentations).
D. The Insurer shall not be entitled under any circumstances to void or rescind this Policy with respect to any Insured.
XV. TERMINATION OF THIS POLICY
A. This Policy shall terminate at the earliest of the following times:
1. the effective date of termination specified in a prior written notice by the Named Insured to the Insurer;
2.
sixty (60) days after receipt by the Named Insured of a written notice of termination from the Insurer for any reason allowed by applicable insurance laws or regulations, other than failure to pay premium when due;
3. twenty (20) days after receipt by the Named Insured of a written notice of termination from the Insurer for failure to pay a premium when due, unless the premium is paid within such twenty (20) day period;
4. upon expiration of the Policy Period as shown in Item 2 of the Declarations; or
5. at such other time as may be agreed upon by the Insurer and the Named Insured.
B. If the Policy is terminated by the Named Insured or the Insurer, the Insurer shall refund the unearned premium computed pro rata. Payment or tender of any unearned premium by the Insurer shall not be a condition precedent to the effectiveness of such termination, but such payment shall be made as soon as practicable.
XVI. TERRITORY AND VALUATION
A. Coverage provided under this Policy shall extend to Incidents and Claims taking place, brought or maintained anywhere in the universe. Any provision in this Policy pertaining to coverage for Incidents or Claims made or Damages or Claims Expenses sustained anywhere outside the United States of America shall only apply where legally permissible.
B. All premiums, limits, retentions, Costs, Damages, Claims Expenses and other amounts under this Policy are expressed and payable in the currency of the United States of America.
If judgment is rendered, settlement is denominated or another element of loss under this Policy is stated in a currency other than United States of America dollars, or if Extortion Expenses are stated in a currency, including Bitcoin or other crypto-currency(ies), other than United States of America dollars, payment under this Policy shall be made in United States dollars at the applicable rate of exchange as published in The Wall Street Journal as of the date the final judgment is reached, the amount of the settlement is agreed upon or the other element of loss is due, respectively, or, if not published on such date, the next date of publication of The Wall Street Journal. If there is no applicable rate of exchange published in the Wall Street Journal, then payment under this Policy shall be made in the equivalent of United States of America dollars at the actual rate of exchange for such currency.

XVII. CYBER INCIDENT RESPONSE FUND PROVISIONS

A. With respect to the Cyber Incident Response Team or a Non-Panel Response Provider:

1. The Insureds are under no obligation to contract for services with the Cyber Incident Response Team. However, if an Insured elects to use any Non-Panel Response Providers for any Cyber Incident Response Expenses, the applicable Limits of Insurance shown in Item 4A2 of the Declarations will apply.

2. The Insurer shall not be a party to any agreement entered into between any Cyber Incident Response Team service provider and an Insured.

3. Cyber Incident Response Team service providers are independent contractors, and are not agents of the Insurer. The Insureds agree that the Insurer assumes no liability arising out of any services rendered by a Cyber Incident Response Team service provider. The Insurer shall not be entitled to any rights or subject to any obligations or liabilities set forth in any agreement entered into between any Cyber Incident Response Team service provider and an Insured.
Any rights and obligations with respect to such agreement, including billings, fees and services rendered, are solely for the benefit of, and borne solely by such Cyber Incident Response Team service provider and such Insured, and not the Insurer.

4. The Insurer has no obligation to provide any of the services provided by the Cyber Incident Response Team.

B. With respect to any other third party vendor, the Insurer may provide the Named Insured with a list of third-party privacy and network security loss mitigation vendors whom the Named Insured, at its own election and at the Named Insured's own expense, may retain for cyber risk management to inspect, assess, and audit the Named Insured's property, operations, systems, books, and records, including the Named Insured's network security, employee cyber security awareness, incident response plans, services provider contracts, and regulatory compliance. Any loss mitigation inspection, assessment, or audit purchased by the Named Insured, and any report or recommendation resulting therefrom, shall not constitute an undertaking at the request of or for the benefit of the Insurer.

XVIII. SUBROGATION

A. The Insurer shall have no rights of subrogation against any Insured under this Policy unless Exclusion III.A.1 or Section XIV, Subsection C, applies.

B. In the event of payment under this Policy, the Insureds must transfer to the Insurer any applicable rights to recover from another person or entity all or part of any such payment. The Insureds shall execute all papers required and shall do everything necessary to secure and preserve such rights, including the execution of such documents necessary to enable the Insurer to effectively bring suit or otherwise pursue subrogation rights in the name of the Insureds.

C.
If prior to the Incident or Claim connected with such payment an Insured has agreed in writing to waive such Insured's right of recovery or subrogation against any person or entity, such agreement shall not be considered a violation of such Insured's duties under this Policy.

XIX. ACTION AGAINST THE INSURER AND BANKRUPTCY

Except as provided in Section XXII, Alternative Dispute Resolution, no action shall lie against the Insurer. No person or entity shall have any right under this Policy to join the Insurer as a party to any action against any Insured to determine the liability of such Insured nor shall the Insurer be impleaded by any Insured or its legal representatives. Bankruptcy or insolvency of any Insured or of the estate of any Insured shall not relieve the Insurer of its obligations nor deprive the Insurer of its rights or defenses under this Policy.

XX. AUTHORIZATION CLAUSE

By acceptance of this Policy, the Named Insured agrees to act on behalf of all Insureds with respect to the giving of notice of Incident or Claim, the giving or receiving of notice of termination or non-renewal, the payment of premiums, the receiving of any premiums that may become due under this Policy, the agreement to and acceptance of endorsements, consenting to any settlement, exercising the right to the Extended Reporting Period, and the giving or receiving of any other notice provided for in this Policy, and all Insureds agree that the Named Insured shall so act on their behalf.

XXI. ALTERATION, ASSIGNMENT, AND HEADINGS

A. Notice to any agent or knowledge possessed by any agent or by any other person shall not affect a waiver or a change in any part of this Policy nor prevent the Insurer from asserting any right under the terms of this Policy.

B.
No change in, modification of, or assignment of interest under this Policy shall be effective except when made by a written endorsement to this Policy which is signed by an authorized representative of the Insurer.

C. The titles and headings to the various parts, sections, subsections and endorsements of the Policy are included solely for ease of reference and do not in any way limit, expand, serve to interpret or otherwise affect the provisions of such parts, sections, subsections or endorsements.

D. Any reference to the singular shall include the plural and vice versa.

XXII. ALTERNATIVE DISPUTE RESOLUTION

A. The Insureds and the Insurer shall submit any dispute or controversy arising out of or relating to this Policy or the breach, termination or invalidity thereof to the alternative dispute resolution ("ADR") process set forth in this Section.

B. Either an Insured or the Insurer may elect the type of ADR process discussed below. However, such Insured shall have the right to reject the choice by the Insurer of the type of ADR process at any time prior to its commencement, in which case the choice by such Insured of ADR process shall control.

C. There shall be two choices of ADR process:

1. non-binding mediation administered by any mediation facility to which the Insurer and an Insured mutually agree, in which such Insured and the Insurer shall try in good faith to settle the dispute by mediation in accordance with the then-prevailing commercial mediation rules of the mediation facility; or

2. arbitration submitted to any arbitration facility to which an Insured and the Insurer mutually agree, in which the arbitration panel shall consist of three disinterested individuals.

In either mediation or arbitration, the mediator or arbitrators shall have knowledge of the legal, corporate management, or insurance issues relevant to the matters in dispute.
In the event of arbitration, the decision of the arbitrators shall be final and binding and provided to both parties, and the award of the arbitrators shall not include attorneys' fees or other costs. In the event of mediation, either party shall have the right to commence a judicial proceeding. However, no such judicial proceeding shall be commenced until at least sixty (60) days after the date the mediation shall be deemed concluded or terminated. In all events, each party shall share equally the expenses of the ADR process.

D. Either ADR process may be commenced in New York or in the state shown in Item 1 of the Declarations as the principal address of the Named Insured. The Named Insured shall act on behalf of each and every Insured in connection with any ADR process under this Section.

XXIII. INTERPRETATION

The terms and conditions of this Policy shall be interpreted and construed in an even-handed fashion as between the parties. If the language of this Policy is deemed to be ambiguous or otherwise unclear, the issue shall be resolved in the manner most consistent with the relevant terms and conditions, without regard to authorship of the language, without any presumption or arbitrary interpretation or construction in favor of either the Insureds or the Insurer, and without reference to the reasonable expectations of either the Insureds or the Insurer.

XXIV. COMPLIANCE WITH TRADE SANCTIONS

This insurance does not apply to the extent that trade or economic sanctions or other similar laws or regulations prohibit the providing of such insurance.

CHUBB SIGNATURES

THE ONLY COMPANY APPLICABLE TO THIS POLICY IS THE COMPANY NAMED ON THE FIRST PAGE OF THE DECLARATIONS.

By signing and delivering the policy to you, we state that it is a valid contract.
INDEMNITY INSURANCE COMPANY OF NORTH AMERICA (A stock company)
BANKERS STANDARD INSURANCE COMPANY (A stock company)
ACE AMERICAN INSURANCE COMPANY (A stock company)
ACE PROPERTY AND CASUALTY INSURANCE COMPANY (A stock company)
INSURANCE COMPANY OF NORTH AMERICA (A stock company)
PACIFIC EMPLOYERS INSURANCE COMPANY (A stock company)
ACE FIRE UNDERWRITERS INSURANCE COMPANY (A stock company)
WESTCHESTER FIRE INSURANCE COMPANY (A stock company)

436 Walnut Street, P.O. Box 1000, Philadelphia, Pennsylvania 19106-3703

JULIET SCHWEIDEL, Secretary
JOHN J. LUPICA, President
Authorized Representative

CC-1K11j (03/21)

Forms Schedule

Form Number, Form Edition, Form Title:

PF-48152 (09/16) Forms Schedule
CC-1K11j (03/21) Signature Endorsement
PF-45354 (01/15) Cap on Losses From Certified Acts of Terrorism
PF-46422 (07/15) Trade or Economic Sanctions Endorsement
PF-48290 (10/16) Colorado Amendatory Endorsement
PF-48288 (10/16) Colorado Disclosure Notice For Claims-Made Policy
ALL-22368 (06/07) Colorado Fraud Statement
ALL-2Z75 (12/99) STATE OF COLORADO DISCLAIMER NOTICE
PF-49501 (08/17) Preventative Shutdown
PF-48160 (09/16) Period of Restoration
PF-49491 (08/17) Conduct Exclusion Amended — Final, Non-Appealable Adjudication
MS-339594.5 (01/22) Specified Incident - Government Shutdown
MS-339594.2 (01/22) Protective Safeguards
MS-339594.3 (01/22) Ransomware Encounter
MS-339594.1 (01/22) Neglected Software
MS-339594.4 (01/22) Co Insurance — Contingent Contingent Business Interruption
TRIA1ie (08/20) Policyholder Disclosure Notice of Terrorism Insurance Coverage
PF-48259 (10/16) Cyber Services for Incident Response — Notice to Policyholders
PF-48260 (10/16) Cyber Services for Loss Mitigation
ALL-2Z77 (10/16) Statement of Colorado Disclaimer - Commercial Lines Deregulation
ALL-20887a (03/16) Chubb Producer Compensation Practices & Policies
PF-17914a (04/16) U.S.
Treasury Department's Office of Foreign Assets Control ("OFAC") Advisory Notice to Policyholders
ALL-2Z76 (12/99) Certification State of Colorado - Commercial Lines Deregulation

PF-48152 (09/16) © 2016 Page 1 of 1

THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY.

Cap On Losses From Certified Acts Of Terrorism

A. If aggregate insured losses attributable to terrorist acts certified under the federal Terrorism Risk Insurance Act exceed $100 billion in a calendar year and we have met our insurer deductible under the Terrorism Risk Insurance Act, we shall not be liable for the payment of any portion of the amount of such losses that exceeds $100 billion, and in such case insured losses up to that amount are subject to pro rata allocation in accordance with procedures established by the Secretary of the Treasury.

"Certified act of terrorism" means an act that is certified by the Secretary of the Treasury, in accordance with the provisions of the federal Terrorism Risk Insurance Act, to be an act of terrorism pursuant to such Act.
The criteria contained in the Terrorism Risk Insurance Act for a "certified act of terrorism" include the following:

1. The act resulted in insured losses in excess of $5 million in the aggregate, attributable to all types of insurance subject to the Terrorism Risk Insurance Act; and

2. The act is a violent act or an act that is dangerous to human life, property or infrastructure and is committed by an individual or individuals as part of an effort to coerce the civilian population of the United States or to influence the policy or affect the conduct of the United States Government by coercion.

B. The terms and limitations of any terrorism exclusion, or the inapplicability or omission of a terrorism exclusion, do not serve to create coverage for any "loss" that is otherwise excluded under this Policy.

All other terms and conditions of this Policy remain unchanged.

PF-45354 (01/15) 2015 Page 1 of 1
Includes copyrighted material of Insurance Services Office, Inc., with its permission.

TRADE OR ECONOMIC SANCTIONS ENDORSEMENT

THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY.

This insurance does not apply to the extent that trade or economic sanctions or similar laws or regulations prohibit us from providing insurance, including, but not limited to, the payment of claims.

All other terms and conditions of policy remain unchanged.

PF-46422 (07/15) Page 1 of 1

Amendatory Endorsement - Colorado

THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY

This endorsement modifies insurance provided under the following:

Chubb Cyber Enterprise Risk Management Policy
Chubb DigiTech® Enterprise Risk Management Policy

IF THERE IS ANY CONFLICT BETWEEN THE POLICY, OTHER ENDORSEMENTS TO THE POLICY AND THIS ENDORSEMENT, THE TERMS PROVIDING THE BROADEST COVERAGE INSURABLE UNDER APPLICABLE LAW SHALL PREVAIL.

It is agreed that:

1. Paragraph 1. of the definition of Claim in Section II. DEFINITIONS, is deleted and replaced with the following:

1.
Demand against any Insured for monetary damages or non-monetary or injunctive relief;

2. Subsection (A) of Section V, EXTENDED REPORTING PERIOD, is deleted and replaced with the following:

(A) Solely with respect to Insuring Agreements T (where applicable), A, E, and F, if the Insurer terminates or does not renew this Policy, or if the Named Insured terminates or does not renew this Policy and does not obtain replacement coverage as of the effective date of such termination or nonrenewal, the Named Insured shall have the right, upon payment of the additional premium shown in Item 7A of the Declarations and subject to the terms specified in Subsections B-E directly below, to a continuation of the coverage granted by this Policy for an Extended Reporting Period shown in Item 7B of the Declarations following the effective date of such termination or non-renewal. In the event that premium is due for the Policy Period at the time that the right to purchase the Extended Reporting Period is exercised, such Extended Reporting Period will not become effective until all premiums due under this Policy are paid and unless the premium for the Extended Reporting Period, which shall not exceed 200% of the annual premium for the immediately expiring policy year for a one (1) year Extended Reporting Period, is paid when due. Any amounts paid for the Extended Reporting Period will be applied first to any outstanding premiums due during the Policy Period.

3. Subsection (B) of Section V, EXTENDED REPORTING PERIOD, is deleted and replaced with the following:

(B) Coverage for the Extended Reporting Period shall be only for Claims first made or Incidents first discovered during such Extended Reporting Period and arising from Incidents taking place prior to the effective date of such termination or non-renewal.
This right to continue coverage shall lapse unless written notice of such election is given by the Named Insured to the Insurer, and the Insurer receives payment of the additional premium shown in Item 7A of the Declarations, within sixty (60) days following the effective date of termination or non-renewal.

4. Paragraph 4 of Section XV, TERMINATION OF POLICY, is amended to include the following:

4. provided that, non-renewal by the Insurer is effective only if the Insurer mails at least forty-five (45) days' advance written notice of non-renewal by first class mail to the Named Insured at its address last shown in the Insurer's records. No notice of non-renewal will be provided if the Named Insured has not paid any premium deposit required for renewal; or

5. Section XV, TERMINATION OF POLICY, is amended to include the following paragraphs:

• The policy can only be terminated for one of the following reasons:

1. failure to pay a premium when due;

2. a false statement knowingly made by the Named Insured on the Application for insurance; or

3. a substantial change in the exposure or risk other than that indicated in the Application and underwritten as of the effective date of the Policy unless the Named Insured has notified the Insurer of the change and the Insurer accepts such change.

• Notice of termination from the Insurer will state the effective date of termination and the reason(s) for termination, and will be mailed by certified mail to the Named Insured, and by first-class mail to the agent or broker of record, at the last mailing addresses known to the Insurer. Proof of mailing will be sufficient proof of notice.
• The Insurer may condition the renewal of this Policy upon a decrease in coverage or upon an increase in premium provided that the Insurer mails written notice of such change(s) and the reason(s) for such change(s) by first class mail to the Named Insured at its address last shown in the Insurer's records at least forty-five (45) days before the expiration of the Policy Period. If the Insurer does not provide such renewal terms and a statement of the amount of premium due at least forty-five (45) days before the expiration of the Policy Period, the Insurer shall extend the existing Policy for a period of forty-five (45) days and the premium for this extended period shall be prorated based on the premium applicable to the existing Policy. If no such notice is mailed or delivered before the expiration of the Policy Period, the Named Insured may renew this Policy for an additional Policy Period at the same terms, conditions and premium as the expiring Policy.

5. Within thirty (30) days after receipt of a request by the Named Insured, the Insurer will furnish the Named Insured with information about closed or paid Claims, Claims for which the Company has established reserves, and Claims for which the Insurer has received notices of Wrongful Acts which could give rise to Claims.

All other terms and conditions of this Policy remain unchanged.

PF-48290 (10/16) Page 2 of 2

CHUBB

COLORADO DISCLOSURE NOTICE FOR CLAIMS-MADE POLICY

IMPORTANT NOTICE TO POLICYHOLDERS

THIS DISCLOSURE FORM IS NOT YOUR POLICY. IT DESCRIBES SOME OF THE MAJOR FEATURES OF THE CLAIMS MADE COVERAGE PARTS OF OUR POLICY FORM. READ YOUR POLICY CAREFULLY TO DETERMINE RIGHTS, DUTIES, AND WHAT IS AND IS NOT COVERED. ONLY THE PROVISIONS OF YOUR POLICY DETERMINE THE SCOPE OF YOUR INSURANCE PROTECTION.

DEFINITIONS

1. "Claims-made coverage" means insurance that provides coverage only if a claim is made during the policy period or any applicable extended reporting period.
A claim made during the policy period could be charged against a claims-made policy even if the injury or loss occurred many years prior to the policy period. If a claims-made policy has a retroactive date, an occurrence prior to that date is not covered.

2. "Extended reporting period" means a period allowing for making claims after expiration of a claims-made policy. This is also known as a "tail".

3. "Occurrence coverage" means an insurance policy that provides liability coverage only for injury or damage that occurs during the policy term, regardless of when claim is actually made. A claim made in the current policy year could be charged against a prior policy year, or may not be covered, if it arises from an occurrence prior to the effective date.

4. "Retroactive date" means the date on a claims-made policy which denotes the commencement date of coverage under the policy.

YOUR POLICY

Certain coverage parts provide coverage only for "Claims" first made during the "Policy Period" or any applicable Extended Reporting Period and reported to the Insurer in accordance with the Policy provisions. Upon termination of claims-made insurance coverage an extended reporting period option is available from your insurer.

There is no difference in the kinds of injury and damage covered by occurrence or claims-made policies. Claims for damages may be assigned to different policy periods, however, depending on which type of policy you have.

If you make a claim under your claims-made insurance coverage, the claim must be a demand for damages by an injured party and does not have to be in writing. Under most circumstances, a claim is considered made when it is received and recorded by you or by us. Sometimes, a claim may be deemed made at an earlier time. This can happen when another claim for the same injury or damage has already been made, or when the claim is received and recorded during an extended reporting period.
PRINCIPAL BENEFITS

The claims made coverage parts of this policy provide coverage for various types of professional liability, depending upon the particular coverage part(s) purchased. All of these coverages are subject to all of the terms and conditions set forth in the applicable coverage part and the maximum dollar limit of liability specified in such coverage parts. The principal benefits and coverages are explained in detail in your claims-made coverage parts. Please read the policy carefully and consult your insurance producer about any questions you might have.

EXCEPTIONS, REDUCTION AND LIMITATIONS

Your policy contains certain exceptions, reductions and limitations. Please read them carefully and consult your insurance producer about any questions you might have.

RENEWALS AND EXTENDED REPORTING PERIODS

The claims-made coverage part(s) of your policy has some unique features relating to renewal, extended reporting periods and coverage for events with long periods of exposure. If there is a retroactive date in your policy, no event or occurrence prior to that date will be covered under the policy even if reported during the policy period. It is therefore important for you to be certain that there are no gaps in your insurance coverage. These gaps can occur in several ways. Among the most common are:

1. If you switch from an occurrence policy to a claims-made insurance coverage, the retroactive date in your claims-made insurance coverage should be no later than the expiration date of the occurrence policy.

2. When replacing a claims-made policy with a claims-made policy, you should consider the following:

a. The retroactive date in the replacement policy should extend far enough back in time to cover any events with long periods of liability exposure, or

b.
If the retroactive date in the replacement policy does not extend far enough back in time to cover events with long periods of liability exposure, you should consider purchasing extended reporting period coverage under the old claims-made policy.

3. If you replace your claims-made coverage part(s) with an occurrence policy, you may not have insurance coverage for a claim arising during the period of claims-made coverage unless you have purchased an extended reporting period under the applicable claims-made coverage part(s).

Extended reporting period coverage must be offered to you by law for at least one year after the expiration of the claims-made policy at a premium not to exceed 200% of your last policy premium.

CAREFULLY REVIEW YOUR POLICY REGARDING THE AVAILABLE EXTENDED REPORTING PERIOD COVERAGE, INCLUDING THE LENGTH OF COVERAGE, THE PRICE AND THE TIME PERIOD DURING WHICH YOU MUST PURCHASE OR ACCEPT ANY OFFER FOR EXTENDED REPORTING PERIOD COVERAGE.

PF-48288 (10/16) Page 2 of 2

COLORADO FRAUD STATEMENT

It is unlawful to knowingly provide false, incomplete, or misleading facts or information to an insurance company for the purpose of defrauding or attempting to defraud the company. Penalties may include imprisonment, fines, denial of insurance, and civil damages. Any insurance company or agent of an insurance company who knowingly provides false, incomplete, or misleading facts or information to a policyholder or claimant for the purpose of defrauding or attempting to defraud the policyholder or claimant with regard to a settlement or award payable from insurance proceeds shall be reported to the Colorado division of insurance within the department of regulatory agencies.

ALL-22368 (06/07) © ISO Properties, Inc.
, 2004

STATE OF COLORADO DISCLAIMER NOTICE

COMMERCIAL LINES DEREGULATION

THE RATES, RATING PLANS, RESULTING PREMIUMS, AND THE POLICY FORMS FOR THIS POLICY ARE EXEMPT FROM THE FILING REQUIREMENTS UNDER COLORADO INSURANCE LAW AND THE RULES OF THE COLORADO INSURANCE COMMISSIONER.

ALL-2Z75 (12/99)

Preventative Shutdown Endorsement

THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY.

This endorsement modifies insurance provided under the following:

Chubb Cyber Enterprise Risk Management Policy
Chubb DigiTech® Enterprise Risk Management Policy

It is agreed that Section II, DEFINITIONS, is amended as follows:

1. The definition of Interruption in Service is deleted and replaced with the following:

Interruption in Service means a detectable interruption or degradation in service of:

1. with respect to Insuring Agreement B1, an Insured's Computer System; or

2. with respect to Insuring Agreement B2, a Shared Computer System;

caused by a Malicious Computer Act or Preventative Shutdown.

2. The following definition is added:

Preventative Shutdown means an Insured's reasonable and necessary intentional shut down of:

1. with respect to Insuring Agreement B1, an Insured's Computer System, but only to the extent that such shut down:

a. is in response to an actual or credible threat of a Malicious Computer Act expressly directed against such Insured's Computer System which may reasonably be expected to cause an Interruption in Service in the absence of such shut down; and

b. serves to mitigate, reduce, or avoid Business Interruption Loss as a result of the actual or credible threat of such Malicious Computer Act; or

2. with respect to Insuring Agreement B2, the Insured's access or connectivity to a Shared Computer System, but only to the extent that such shut down:

a.
is in response to an actual Malicious Computer Act against such Shared Computer System which may reasonably be expected to cause an Interruption in Service in the absence of such shut down; and

b. serves to mitigate, reduce, or avoid Contingent Business Interruption Loss as a result of such Malicious Computer Act.

Notwithstanding anything to the contrary in the Policy, and solely with respect to an Interruption in Service caused by a Preventative Shutdown, the Period of Restoration shall not exceed the lesser of 14 days or the number of days otherwise set forth in paragraph 2 of the Period of Restoration definition.

PF-49501 (8/17) Page 1 of 1

Period of Restoration - Fill In

THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY.

This endorsement modifies insurance provided under the following:

Cyber Enterprise Risk Management Policy
DigiTech® Enterprise Risk Management Policy

It is agreed that Section II, Definitions, Period of Restoration, is deleted and replaced with the following:

Period of Restoration means the continuous period of time that:

1. begins with the earliest date of an Interruption in Service; and

2. ends on the date when the Insured's Computer System or Shared Computer System is or could have been repaired or restored with reasonable speed to the same functionality and level of service that existed prior to the Interruption in Service.

In no event shall the Period of Restoration exceed ninety (90) days.

All other terms and conditions of this Policy remain unchanged.

PF-48160 (09/16) Page 1 of 1

Conduct Exclusion Amended - Final, Non-Appealable Adjudication

THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY.
This endorsement modifies insurance provided under the following:

Chubb Cyber Enterprise Risk Management Policy
Chubb DigiTech® Enterprise Risk Management Policy

It is agreed that Section III, EXCLUSIONS, subsection A, EXCLUSIONS APPLICABLE TO ALL INSURING AGREEMENTS, Exclusion 1, Conduct, is deleted and replaced with the following:

1. Conduct

alleging, based upon, arising out of or attributable to:

a. any fraudulent, criminal, malicious or intentional act, error or omission, or any intentional or knowing violation of the law by an Insured; or

b. the gaining in fact of any profit, remuneration or financial advantage to which any Insured was not legally entitled.

However, this exclusion shall not apply to Claims Expenses or the Insurer's duty to defend any such Claim, until there is a final, non-appealable adjudication in any underlying proceeding or action against the Insured as to such conduct or violation, at which time the Insured shall reimburse the Insurer for any Claims Expenses paid by the Insurer.

Provided that:

i. no conduct pertaining to any natural person Insured shall be imputed to any other natural person Insured; and

ii. any conduct pertaining to any past, present, or future Control Group Member, other than a Rogue Actor, shall be imputed to an Organization.

For purposes of this exclusion, "Rogue Actor" means a Control Group Member acting outside his or her capacity as such.

All other terms and conditions of the Policy remain unchanged.

PF-49491 (08/17) Page 1 of 1

CHUBB

SPECIFIED INCIDENT EXCLUSION

THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY.
This endorsement modifies insurance provided under the following:

CHUBB CYBER ENTERPRISE RISK MANAGEMENT POLICY

It is agreed that Section III, Exclusions, Subsection A, Exclusions Applicable To All Insuring Agreements, is amended by adding the following:

• Specified Incident

alleging, based upon, arising out of, or attributable to the following, or any Incident, fact, circumstance, or situation underlying or alleged therein, or any other Incident whenever occurring which, together with an Incident underlying or alleged in the following, would constitute Interrelated Incidents:

the application or enforcement of any law, rule, regulation, ordinance, code, governmental directive, standard, or legal or administrative restriction of any kind mandating the shutdown of:

a. an Insured's Computer System;

b. a Shared Computer System;

c. any Internet infrastructure or telecommunications infrastructure, which is owned, operated, or controlled by a third party with whom an Insured does not have a direct written contract; or

d. any Internet access or telecommunications service of any Domain Name System ("DNS") Top-Level Domain, DNS Root Zone, Tier 1 Internet Service Provider in the provider's capacity as such, or Tier 1 Telecommunications Provider in the provider's capacity as such.

However, this exclusion shall not apply to a Claim or Incident resulting from a Cyber Incident otherwise covered under this Policy.

All other terms, conditions and limitations of this Policy shall remain unchanged.

MS-339594.5 (04/22) Page 1 of 1

CHUBB

PROTECTIVE SAFEGUARDS EXCLUSION

THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY.

This endorsement modifies insurance provided under the following:

CHUBB CYBER ENTERPRISE RISK MANAGEMENT POLICY

It is agreed that the Policy is amended as follows:

1.
Section III, Exclusions, subsection B, Exclusions Applicable To Specific Insuring Agreements, is amended by adding the following:

• Protective Safeguards
solely with respect to Insuring Agreements A-E, alleging, based upon, arising out of, or attributable to any Cyber Incident that reasonably could have been avoided had the Insured not failed to:
maintain Specified Cyber Security Safeguards.
remediate Known Cyber Vulnerabilities which the Insurer specifically communicated to the Insured prior to the effective date of this Policy.
However, this exclusion shall not apply to Costs, Claims Expenses, or the Insurer's duty to defend any such Claim, unless the Insurer obtains information that such Cyber Incident reasonably could have been avoided but for the Insured's failure, at which time the Insured shall reimburse the Insurer for any Costs or Claims Expenses paid by the Insurer.
Provided that:
i. if a criminal proceeding is brought against any natural person Insured other than a Control Group Member ("Suspected Individual"), alleging conspiracy to commit or assist others in committing a Malicious Computer Act against other Insureds, then no such failure or act of such Suspected Individual shall be imputed to any other Insured for purposes of this exclusion; and
ii. any conduct pertaining to any past, present, or future Control Group Member, other than a Rogue Actor, shall be imputed to an Organization.
For purposes of this exclusion, "Rogue Actor" means a Control Group Member acting outside his or her capacity as such.

2. Section II, Definitions, is amended by adding the following:

Specified Cyber Security Safeguards means the following:
• Multi-Factor Authentication for email.
• Multi-Factor Authentication for remote access.

Known Cyber Vulnerabilities means the following:
• CVE-2014-3566
• CVE-2016-0800
• CVE-2020-3452
• CVE-2020-7961
• CVE-2020-3452
• CVE-2020-3452
• VO Package

3.
Section IX, Defense and Settlement, subsection F, is deleted and replaced with the following:

F. The Insureds shall cooperate with the Insurer and provide to the Insurer all information and assistance which the Insurer reasonably requests, including attending hearings, depositions, and trials, and assistance in effecting settlements, securing and giving evidence, obtaining the attendance of witnesses, and conducting the investigation and defense of any Claim covered by this Policy. Further, the Insureds shall provide the Insurer a signed statement of the Insureds' complete and truthful responses to any requests for information and produce all pertinent records at such reasonable times and places as the Insurer shall designate. The Insured shall do nothing that may prejudice the Insurer's position. The Insureds shall forward to the Insurer as soon as practicable, at the address shown in Item 10A of the Declarations, every demand, notice, summons, or other process or pleading received by an Insured or its representatives.

4. Section X, Proof of Loss for First Party Insuring Agreements, subsection A, is amended by adding the following:

Further, the Insureds shall provide the Insurer a signed statement of the Insureds' complete and truthful responses to any requests for information and produce all pertinent records at such reasonable times and places as the Insurer shall designate.

The title and any headings in this endorsement/rider are solely for convenience and form no part of the terms and conditions of coverage.

All other terms, conditions and limitations of this Policy shall remain unchanged.

MS-339594.2 (01/22) Page 2 of 2

CHUBB RANSOMWARE ENCOUNTER SUBLIMIT, RETENTION, AND COINSURANCE ENDORSEMENT
THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY.
This endorsement modifies insurance provided under the following: CHUBB CYBER ENTERPRISE RISK MANAGEMENT POLICY

It is agreed that the Policy is amended as follows:

1. Item 4 of the Declarations and Item 4 of the Member's certificate is amended by adding the following:

Member Ransomware Encounter Sublimit: $1,000,000 Each Cyber Incident and in the Aggregate for all Cyber Incidents
Member Ransomware Encounter Retention: $100,000 Each Cyber Incident
Ransomware Encounter Coinsurance: Coinsurance Percentage: 50%

2. Section II, Definitions, is amended by adding the following:

• Ransomware Encounter means a Cyber Incident involving malicious software which is designed to block access to a Computer System or Digital Data, or alter, corrupt, damage, manipulate, misappropriate, encrypt, delete, or destroy Digital Data, in order to extort a ransom payment from the Insured in exchange for restoring access to or decrypting such Computer System or Digital Data.
Further, Ransomware Encounter shall also include any credible threat, or series of credible threats, to release, divulge, disseminate, or use Protected Information, or confidential corporate information of an Insured, that has been exfiltrated as part of an event described in the paragraph immediately above.

3. Section VI, Limits of Insurance, is amended by adding the following:

• RANSOMWARE ENCOUNTER SUBLIMIT
Notwithstanding anything in this Policy to the contrary, solely with respect to Insuring Agreements A-E, the Insurer's maximum limit of insurance for all Costs incurred in response to a Cyber Incident arising out of a Ransomware Encounter shall be the Ransomware Encounter Sublimit shown in Item 4 of the Declarations and Item 4 of the Member certificate, as amended by this endorsement. The Ransomware Encounter Sublimit shall be part of and not in addition to:
1. the applicable limits of insurance shown in Items 4A-E of the Declarations and the Items 4A-E of Member certificate;
2.
the Maximum Single Limit of Insurance set forth in Item 3A of the Declarations;
3. the Maximum Pool Policy Aggregate Limit of Insurance set forth in Item 3B of the Declarations and
1. the Maximum Single Limit of Insurance set forth in Item 3.A of the Member certificate;
2. the Maximum Pool Policy Aggregate Limit of Insurance set forth in Item 3.B of the Member certificate; and
the Maximum Member Policy Aggregate Limit of Insurance set forth in Item 4.C. of the Member certificate.

4. Section VII, Retention, is amended by adding the following:

• RANSOMWARE ENCOUNTER RETENTION
Notwithstanding anything in this Policy to the contrary, solely with respect to a Cyber Incident covered under Insuring Agreements A-E that arises out of a Ransomware Encounter, the liability of the Insurer shall apply only to that part of Costs which is in excess of the Ransomware Encounter Retention amount shown in Item 4 of the applicable Member certificate, as amended by this endorsement. Such Retention shall be borne uninsured by the Named Insured and at the risk of all Insureds.

• RANSOMWARE ENCOUNTER COINSURANCE
Notwithstanding anything in this Policy to the contrary, solely with respect to a Cyber Incident covered under Insuring Agreements A-E that arises out of a Ransomware Encounter, and after satisfaction of any applicable Retention amount, the Insureds shall bear uninsured and at their own risk the percentage of all Costs set forth in the Ransomware Encounter Coinsurance shown in Item 4 of the Declarations and applicable Member certificate, as amended by this endorsement, and applied to Insuring Agreements A-E, combined. Payments of any Costs by an Insured under the Ransomware Encounter Coinsurance percentage shall not reduce the Limits of Insurance applicable to Insuring Agreements A-E, including the Ransomware Encounter Sublimit, the Maximum Policy Limits of Insurance, or the Maximum Member Policy Aggregate Limit of Insurance.
Only the portion of any such Costs paid by the Insurer shall reduce the foregoing limits of insurance.

5. Section VIII, Notice, is amended by adding the following subsection:

• Notwithstanding anything in this Policy to the contrary, a Ransomware Encounter shall also be reported to law enforcement by or on behalf of an Insured.

All other terms, conditions and limitations of this Policy shall remain unchanged.

MS-339594.3 (01/22) Page 1 of 2

CHUBB COINSURANCE - CONTINGENT BUSINESS INTERRUPTION
THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY.

This endorsement modifies insurance provided under the following: CHUBB CYBER ENTERPRISE RISK MANAGEMENT POLICY

It is agreed that Section VII, Retention, is amended by adding the following subsection:

• COINSURANCE - CONTINGENT BUSINESS INTERRUPTION
Notwithstanding anything in this Policy to the contrary, solely with respect to Insuring Agreement B2, after satisfaction of the applicable Retention amount set forth in Item 4B of the applicable Member certificate, the Insureds shall bear uninsured and at their own risk 50% of all Contingent Business Interruption Loss and Extra Expenses ("Insured's Coinsurance"), and the Insurer's liability for Contingent Business Interruption Loss and Extra Expenses under Insuring Agreement B2 shall apply only to the remaining percent of such Contingent Business Interruption Loss and Extra Expenses. Payments of any Contingent Business Interruption Loss or Extra Expenses by an Insured under the Insured's Coinsurance shall reduce the Pool Each Cyber Incident Limit and the Pool Aggregate Limit for all Cyber Incidents set forth in Item 4B of the Declarations and the Member Each Cyber Incident Limit and Member Aggregate Limit for all Cyber Incidents set forth in 4.B.
of applicable Member certificate, but shall not reduce the Maximum Pool Policy Limits of Insurance set forth in Item 3 of the Declarations or the Maximum Member Policy Aggregate Limit of Insurance set forth in the applicable Member certificate.

All other terms, conditions and limitations of this Policy shall remain unchanged.

MS-339594.4 (01/22) Page 1 of 1

CHUBB NEGLECTED SOFTWARE EXPLOIT ENDORSEMENT
THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY.

This endorsement modifies insurance provided under the following: CHUBB CYBER ENTERPRISE RISK MANAGEMENT POLICY

It is agreed that the Policy is amended as follows:

1. Item 4 of the Declarations and Item 4 of the Member's certificate is amended by adding the following:

Sub-Limited Coverage Extension for Neglected Software Exploits
Period of Neglect | Coinsurance | Limit of Insurance per Policy Period
0 - 45 days | 0% | $1,000,000
46 - 90 days | 5% | $750,000
91 - 180 days | 10% | $500,000
181 - 365 days | 25% | $250,000
Longer than 365 days | 50% | $100,000

2. Section II, Definitions, is amended by adding the following:

Neglected Software Exploit means a Cyber Incident involving the exploitation of a vulnerability in software, which as of the first known date of such exploitation:
1. such software has been withdrawn, is no longer available, or is no longer supported by, or has reached end-of-life or end-of-support status with, the vendor that developed it; or
2. such vulnerability has been listed as a Common Vulnerability and Exposure (CVE) in the National Vulnerability Database operated by the National Institute of Standards and Technology;
and for which a patch, fix, or mitigation technique is available to the Insured, but has not been applied by such Insured, for the applicable number of days shown as ranges in the Sub-Limited Coverage Extension for Neglected Software Exploits set forth in Item 4 of the Declarations, as amended by this endorsement.

3.
Section VI, Limits of Insurance, is amended by adding the following:

• NEGLECTED SOFTWARE EXPLOIT SUBLIMIT
Notwithstanding anything in this Policy to the contrary, solely with respect to Insuring Agreements A-E, the Insurer's maximum limit of insurance for Costs incurred in response to a Cyber Incident arising out of a Neglected Software Exploit shall be the applicable Neglected Software Exploit Sublimit shown in Item 4 of the Declarations and in Item 4 of the Member certificate, as amended by this endorsement. The Neglected Software Exploit Sublimit shall be part of and not in addition to:
1. the applicable limits of insurance shown in Items 4A-E of the Declarations and the Items 4A-E of Member certificate;
2. the Maximum Single Limit of Insurance set forth in Item 3A of the Declarations;
3. the Maximum Policy Aggregate Limit of Insurance set forth in Item 3B of the Declarations and
1. the Maximum Single Limit of Insurance set forth in Item 3.A of the Member certificate;
2. the Maximum Pool Policy Aggregate Limit of Insurance set forth in Item 3.B of the Member certificate; and
the Maximum Member Policy Aggregate Limit of Insurance set forth in Item 4.C. of the Member certificate

4. Section VII, Retention, is amended by adding the following:

• NEGLECTED SOFTWARE EXPLOIT COINSURANCE
Notwithstanding anything in this Policy to the contrary, solely with respect to a Cyber Incident covered under Insuring Agreements A-E that arises out of a Neglected Software Exploit, and after satisfaction of any applicable Retention amount, the Insureds shall bear uninsured and at their own risk the percentage of all Costs set forth in the Neglected Software Exploit Coinsurance shown in Item 4 of the Declarations and applicable Member certificate, as amended by this endorsement, and applied to Insuring Agreements A-E, combined.
Payments of any Costs by an Insured under the Neglected Software Exploit Coinsurance percentage shall not reduce the Limits of Insurance applicable to Insuring Agreements A-E, including the Neglected Software Exploit Sublimit, the Maximum Policy Limits of Insurance, or the Maximum Member Policy Aggregate Limit of Insurance. Only the portion of any such Costs paid by the Insurer shall reduce the foregoing limits of insurance.

All other terms, conditions and limitations of this Policy shall remain unchanged.

MS-339594.1 (01/22) Page 2 of 2

CHUBB DISCLOSURE PURSUANT TO TERRORISM RISK INSURANCE ACT
THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY.

Disclosure Of Premium
In accordance with the federal Terrorism Risk Insurance Act, we are required to provide you with a notice disclosing the portion of your premium, if any, attributable to coverage for terrorist acts certified under the Terrorism Risk Insurance Act. The portion of your premium attributable to such coverage is shown in this endorsement or in the policy Declarations.

Disclosure Of Federal Participation In Payment Of Terrorism Losses
The United States Government, Department of the Treasury, will pay a share of terrorism losses insured under the federal program. The federal share equals 80% of that portion of the amount of such insured losses that exceeds the applicable insurer retention. However, if aggregate insured losses attributable to terrorist acts certified under the Terrorism Risk Insurance Act exceed $100 billion in a calendar year, the Treasury shall not make any payment for any portion of the amount of such losses that exceeds $100 billion.
Cap On Insurer Participation In Payment Of Terrorism Losses
If aggregate insured losses attributable to terrorist acts certified under the Terrorism Risk Insurance Act exceed $100 billion in a calendar year and we have met our insurer deductible under the Terrorism Risk Insurance Act, we shall not be liable for the payment of any portion of the amount of such losses that exceeds $100 billion, and in such case insured losses up to that amount are subject to pro rata allocation in accordance with procedures established by the Secretary of the Treasury.

COVERAGE OF "ACTS OF TERRORISM" AS DEFINED BY THE REAUTHORIZATION ACT WILL BE PROVIDED FOR THE PERIOD FROM THE EFFECTIVE DATE OF YOUR NEW OR RENEWAL POLICY THROUGH THE EARLIER OF THE POLICY EXPIRATION DATE OR DECEMBER 31, 2027. EFFECTIVE DECEMBER 31, 2027 THE TERRORISM RISK INSURANCE PROGRAM REAUTHORIZATION ACT EXPIRES.

Terrorism Risk Insurance Act premium: $0.

TRIA11e (08/20) Includes copyrighted material of Insurance Services Office, Inc., with its permission. Page 1 of 1

CHUBB
Policyholder Notice
Cyber Services for Incident Response

This Policyholder Notice shall be construed as part of your Policy but no coverage is provided by this Policyholder Notice nor can it be construed to replace any provisions of your Policy. While no coverage is provided by this Policyholder Notice, bolded terms in this Policyholder Notice shall have the meaning set forth in your Policy. You should read your Policy and review your Declarations page for complete information on the coverages you are provided.

This Notice provides information concerning access to cyber services for incident response.

Cyber Incident Response Team
The Cyber Incident Response Team is a list of approved service providers available to provide the services set forth in the definition of Cyber Incident Response Expenses in your Policy. The list of approved service providers is available on the Chubb website.
These providers have been carefully selected by Chubb and are reviewed on a periodic basis. The service providers have capabilities in various disciplines for a Cyber Incident response that include, but are not limited to, the following:
1. Computer Forensics
2. Public Relations
3. Notification and Identity Services
4. Call Center Services
5. Cyber Extortion and Ransom Services
6. Legal and Regulatory Communications
7. Business Interruption Services

In the event of a Cyber Incident, a copy of the Cyber Incident Response Team list can also be obtained from any Cyber Incident Response Coach. In the event of a Cyber Incident, contact the Cyber Incident Response Coach as indicated on the Declarations Page and referenced throughout the Policy.

Please note the following:
1. Should you experience a cyber related incident, you may choose to call the Cyber Incident Response Team Hotline listed in your Policy for immediate triage assistance. Please be aware that the hotline service is provided by a third-party law firm. If you engage this service, it is billable to you at the standard rate per hour outlined in the Chubb Cyber Incident Response Team Panel Guidelines. Calling the hotline does NOT satisfy the claim notification requirements of your Policy.
2. Chubb shall not be a party to any agreement entered into between any Cyber Incident Response Team service provider and the policyholder. It is understood that Cyber Incident Response Team service providers are independent contractors, and are not agents of Chubb. The policyholder agrees that Chubb assumes no liability arising out of any services rendered by a Cyber Incident Response Team service provider. Chubb shall not be entitled to any rights or subject to any obligations or liabilities set forth in any agreement entered into between any Cyber Incident Response Team service provider and the policyholder.
Any rights and obligations with respect to such agreement, including but limited to billings, fees and services rendered, are solely for the benefit of, and borne solely by such Cyber Incident Response Team service provider and the policyholder, and not Chubb.
3. Chubb has no obligation to provide any of the legal, computer forensics, public relations, notification and identity services, call center services, cyber extortion and ransom, legal and regulatory communications, and business interruption advice and services provided by the Cyber Incident Response Team.
4. The policyholder is under no obligation to contract for services with Cyber Incident Response Team service providers, except as may be amended by the Policy.
5. Solely with respect to the services provided by the Cyber Incident Response Team:
a. Failure to comply with any one or more of the requirements of the Cyber Incident Response Team will preclude coverage under the applicable limit(s).
b. Chubb may, at its sole discretion and only as evidenced by Chubb's prior written approval, on or before the effective date of the Policy, permit the policyholder to retain alternative service providers to provide services comparable to the services and rates offered by the Cyber Incident Response Team.
c.
If, during the Policy Period, either (i) any of the Cyber Incident Response Team service providers is unable to or does not provide the services covered and as defined in the definition of Cyber Incident Response Expenses or (ii) there is a change of law or regulation that prevents service providers selected exclusively from the Cyber Incident Response Team from providing the legal, computer forensic, notification, call center, public relations, crisis communications, fraud consultation, credit monitoring, and identity restoration advice and services sought by the policyholder, Chubb may, at its sole discretion and only as evidenced by Chubb's prior written approval, permit the policyholder to retain alternative service providers to provide services comparable to the services offered by the Cyber Incident Response Team.
d. The maximum rate Chubb will pay for Cyber Incident Response Expenses shall be no more than the rates outlined in the 'Chubb Cyber Incident Response Team Panel Guidelines' for such services.

PF-48259 (10/16) © 2016 Page 2 of 2

CHUBB
Policyholder Notice
Cyber Services for Loss Mitigation

This Policyholder Notice shall be construed as part of your Policy but no coverage is provided by this Policyholder Notice nor can it be construed to replace any provisions of your Policy. While no coverage is provided by this Policyholder Notice, bolded terms in this Policyholder Notice shall have the meaning set forth in your Policy. You should read your Policy and review your Declarations page for complete information on the coverage you are provided.

As a Chubb policyholder, you have cyber services available to you, as described in this Notice.

Loss Mitigation Services
Chubb provides "pre-event" cyber security services as a benefit to help our policyholders analyze key cyber exposures and help limit the exposures to a potential loss.
These services, which complement our post incident cyber services, have been created based on our claim and industry experience. These services have been carefully selected by Chubb and are reviewed on a periodic basis. These services include, but are not limited to, the following:
1. Online Web Portal
2. Incident Response Readiness
3. Security Awareness
4. Information Governance
5. Security Risk Ratings
6. Cyber Security Standards
7. Encryption
8. User Access Controls
9. Regulatory and Standards Compliance
10. Password Management

Services shall be provided by a panel of Chubb pre-approved vendors at preferred rates and must be rendered during the Policy Period.

Policyholder Reimbursements
In order to assist the Insured in reducing exposure to covered Costs, Damages and Expenses under the Policy, Chubb can authorize contributions to the cost of qualified services from a pre-approved vendor or a vendor that is reviewed and approved in writing by Chubb. Such contribution shall take the form of a matched reimbursement of the cost of a qualified service up to a maximum of $3000 per Policy Period. Reimbursements must be authorized by Chubb and will be made for only those services rendered 90 days prior to the Policy expiration or renewal date.

Please note the following:
1. Chubb does not endorse vendors or their respective services. Before you engage any of these vendors, we urge you to conduct your own due diligence to ensure the companies and their services meet your needs. Unless otherwise indicated or approved, payment for services provided by these companies is the responsibility of the Insured.
2. The web portal is currently powered by eRisk Hub®, a 3rd party web-based loss prevention portal managed by NetDiligence®. Do not share portal access instructions with anyone outside your organization. You are responsible for maintaining the confidentiality of the Chubb Access Code provided to you.
An unlimited number of individuals from your organization may register and use the portal.

PF-48260 (10/16) © 2016 Page 2 of 2

STATE OF COLORADO DISCLAIMER NOTICE - COVERAGE QUOTE
COMMERCIAL LINES DEREGULATION

THE RATES, RATING PLANS, RESULTING PREMIUMS, AND THE POLICY FORMS USED FOR THIS COVERAGE QUOTE ARE NOT SUBJECT TO THE RATE, RULE AND FORM FILING REQUIREMENTS OF THE COLORADO DIVISION OF INSURANCE.

ALL-2Z77 (12/99)

CHUBB®
Chubb Producer Compensation Practices & Policies

Chubb believes that policyholders should have access to information about Chubb's practices and policies related to the payment of compensation to brokers and independent agents. You can obtain that information by accessing our website at chubbproducercompensation.com or by calling the following toll-free telephone number: 1-866-512-2862.

ALL-20887a (03/16)

CHUBB
U.S. Treasury Department's Office Of Foreign Assets Control ("OFAC") Advisory Notice to Policyholders

This Policyholder Notice shall not be construed as part of your policy and no coverage is provided by this Policyholder Notice nor can it be construed to replace any provisions of your policy. You should read your policy and review your Declarations page for complete information on the coverages you are provided.

This Notice provides information concerning possible impact on your insurance coverage due to directives issued by OFAC. Please read this Notice carefully.

The Office of Foreign Assets Control (OFAC) administers and enforces sanctions policy, based on Presidential declarations of "national emergency". OFAC has identified and listed numerous:
• Foreign agents;
• Front organizations;
• Terrorists;
• Terrorist organizations; and
• Narcotics traffickers;
as "Specially Designated Nationals and Blocked Persons". This list can be located on the United States Treasury's web site - http://www.treas.gov/ofac.
In accordance with OFAC regulations, if it is determined that you or any other insured, or any person or entity claiming the benefits of this insurance has violated U.S. sanctions law or is a Specially Designated National and Blocked Person, as identified by OFAC, this insurance will be considered a blocked or frozen contract and all provisions of this insurance are immediately subject to OFAC. When an insurance policy is considered to be such a blocked or frozen contract, no payments nor premium refunds may be made without authorization from OFAC. Other limitations on the premiums and payments also apply.

PF-17914a (04/16) Reprinted, in part, with permission of ISO Properties, Inc. Page 1 of 1

CERTIFICATION
STATE OF COLORADO COMMERCIAL LINES DEREGULATION

Insured: Colorado Counties Casualty and Property Pool
Date: 1/1/22
Insurance Company: Ace American Insurance
Policy Agent/Broker: Arthur J. Gallagher Risk Management Services, Inc.
Policy Number
Type of Insurance: Cyber Enterprise Risk Management Pool Policy

Place a checkmark identifying the eligibility criteria met:
XI $50,000 Annual Account Premium for all eligible lines of business.
Insured has net worth of at least $10 million dollars as reported in the policyholder's most recently issued financial statement, reviewed or audited by an independent certified public accountant
Y Insured has annual net revenues or net sales of at least $10 million dollars as reported in the policyholder's most recently issued financial statement, reviewed or audited by an independent certified public accountant
❑ Employs at least 25 full-time employees
For nonprofit organizations: must have an annual operating budget of at least $2.5 million dollars for the most recently completed calendar or fiscal year
❑ For public entities: must have an operating budget of at least $10 million dollars for the most recently completed calendar or fiscal year
❑ For municipalities: must have a population of at least 20,000 as recorded in the latest Population of Municipalities and Counties published by the Division of Local Government, Colorado Department of Local Affairs.

Risk Manager qualification (enter checkmark on each applicable qualification): (must check at least one)
❑ A bachelor's or higher degree in risk management issued by an accredited college or university;
❑ A designation as a Chartered Property and Casualty Underwriter (CPCU) issued by the American Institute for CPCU/Insurance Institute of America;
❑ A designation as an Associate in Risk Management (ARM) issued by the American Institute for CPCU/Insurance Institute of America;
❑ A designation as a Certified Risk Manager (CRM) issued by the National Alliance for Insurance Education & Research;
❑ A designation as Fellow in Risk Management (FRM) issued by the Global Risk Management Institute/Risk & Insurance Management;
At least 7 years of experience in one or more of the following areas commercial property and casualty insurance (I) risk financing, (II) claims administration, (III) loss prevention, or (IV) risk and insurance coverage analysis.

I hereby certify that we meet the requirements set forth to qualify as an exempt commercial policyholder as defined pursuant to 10-4-1402 C.R.S. and the rules of the Commissioner promulgated thereunder.

Signature and title: [illegible]
Risk Manager:

ALL-2Z76 (12/99)