Colorado Counties Casualty and Property Pool
2024 Network Security Policy
Arch - Policy No. NPL006916300

Summaries are brief outlines of the coverages afforded under the insurance policies. Since summaries are for informational purposes only, they should not be construed to constitute the entire insurance contracts. As the policies may contain additional coverages and restrictions, the exact wording should be consulted.

Brief Summary of Liability Deductibles

This information is provided to present counties with a simple overview of county deductibles in the pool. It does not provide information on limits. The pool insuring agreements contain actual coverages and limits.

• The county deductible for network security liability claims varies with levels of security
• The pool pays the first $100,000 of each claim
• CAPP's excess insurance carrier pays up to $1 million per claim with $5 million pool aggregate

2024-1974

Gallagher CORE 360

Named Insured Schedule

Colorado Counties Casualty and Property Pool including the following members:
• Alamosa • Archuleta • Baca • Bent • Chaffee • Cheyenne • Clear Creek • Conejos • Costilla • Crowley
• Custer • Delta • Dolores • Elbert • Fremont • Garfield • Gilpin • Grand • Gunnison • Hinsdale
• Huerfano • Jackson • Kiowa • Kit Carson • Lake • Las Animas • Lincoln • Logan • Mineral • Moffat
• Montrose • Morgan • Otero • Ouray • Park • Phillips • Prowers • Pueblo • Rio Blanco • Rio Grande
• Routt • Saguache • San Juan • San Miguel • Sedgwick • Summit • Teller • Washington • Weld • Yuma

Cyber Enterprise Risk Management Pool Program for Members (Claims Made Policy)

Current Carrier: Arch Specialty Insurance Company
Policy Period: January 1, 2024 to January 1, 2025
Additional Insureds:
• Member Counties (50 in total — per schedule 1 on policy)
Policy Form:
• Third Party Liability Insuring Agreement provides Claims-Made Coverage, which applies only to claims first made during the policy period or applicable Extended Reporting Period for any Incident taking place after the Retroactive Date but before the end of the Policy Period.
Retroactive Date:
• 1/1/2014 (applies only to Media Liability)
Continuity Date:
• January 1, 2014

Limits:

Maximum Pool Policy Limits of Insurance | Amount
Maximum Pool Single Limits of Insurance under any one Insuring Agreement | $5,000,000
Maximum Pool Policy Aggregate Limit of Insurance | $5,000,000

Pool First Party Insuring Agreements
Coverage | Pool Aggregate Limit for All Cyber Incidents/Aggregate | Retention / Waiting Period Each Incident | Continuity Date
Incident Response Expense | $5,000,000 | $100,000 | 1/1/2014
Business Interruption (Network Security Breach) | $5,000,000 | $100,000 | 1/1/2014
Business Interruption (System Failure) | $5,000,000 | $100,000 | 1/1/2014
Business Interruption (Technology Contractors System Failure) | $5,000,000 | $100,000 | 1/1/2014
Business Interruption Dependent Business (Network Security Breach) | $5,000,000 | $100,000 | 1/1/2014
Business Interruption Dependent Business (System Failure) | $5,000,000 | $100,000 | 1/1/2014
Business Interruption (All) Waiting Period | 12 Hours
Data Recovery Expense | $5,000,000 | $100,000 | 1/1/2014
Coverage Bricking | $5,000,000 | $100,000 | 1/1/2014
Cyber Extortion Expense | $5,000,000 | $100,000 | 1/1/2014
Reputational Harm Coverage Waiting Period | 14 Days
Reputational harm | $5,000,000 | $100,000 | 1/1/2014

Pool Third Party Insuring Agreements
Coverage | Pool Aggregate Limit for All Cyber Incidents/Aggregate | Retention / Waiting Period Each Incident | Continuity Date
Network Security and Privacy Liability | $5,000,000 | $100,000 | 1/1/2014
Media Liability | $5,000,000 | $100,000 | 1/1/2014
Media Liability Retro Date | 1/1/2014

© 2024 Arthur J. Gallagher & Co. All rights reserved.

Pool Cyber Crime
Coverage | Pool Aggregate Limit for All Cyber Incidents/Aggregate | Retention / Waiting Period Each Incident | Continuity Date
Social Engineering | $500,000 | $100,000 | 1/1/2014
Service Fraud | $500,000 | $100,000 | 1/1/2014
Invoice Manipulation | $500,000 | $100,000 | 1/1/2014

MEMBER DETAILS

Per Member Limits:

Maximum Pool Policy Limits of Insurance | Amount
Per Member Crime Aggregate Limit | $1,000,000
Per Member Ransomware Event Aggregate Limit | $1,000,000
Per Member Policy Aggregate Limit | $1,000,000
Ransomware Limitation (only applies if MFA is not implemented) | $250,000

Member First Party Insuring Agreements
Coverage | Pool Aggregate Limit for All Cyber Incidents/Aggregate | Retention / Waiting Period Each Incident | Continuity Date
Incident Response Expense | $1,000,000 | $100,000 | 1/1/2014
Business Interruption (Network Security Breach) | $1,000,000 | $100,000 | 1/1/2014
Business Interruption (System Failure) | $1,000,000 | $100,000 | 1/1/2014
Business Interruption (Technology Contractors System Failure) | $1,000,000 | $100,000 | 1/1/2014
Business Interruption Dependent Business (Network Security Breach) | $1,000,000 | $100,000 | 1/1/2014
Business Interruption Dependent Business (System Failure) | $1,000,000 | $100,000 | 1/1/2014
Business Interruption (All) Waiting Period | 12 Hours
Data Recovery Expense | $1,000,000 | $100,000 | 1/1/2014
Coverage Bricking | $1,000,000 | $100,000 | 1/1/2014
Cyber Extortion Expense | $1,000,000 | $100,000 | 1/1/2014
Reputational Harm Coverage Waiting Period | 14 Days
Reputational harm | $1,000,000 | $100,000 | 1/1/2014

Member Third Party Insuring Agreements
Coverage | Pool Aggregate Limit for All Cyber Incidents/Aggregate | Retention / Waiting Period Each Incident | Retro-Date / Pending or Prior Proceeding Date
Network Security and Privacy Liability | $1,000,000 | $100,000 | 1/1/2014
Media Liability | $1,000,000 | $100,000 | 1/1/2014
Media Liability Retro Date | 1/1/2014

Member Cyber Crime
Coverage | Pool Aggregate Limit for All Cyber Incidents/Aggregate | Retention / Waiting Period Each Incident | Continuity Date
Social Engineering | $100,000 | $100,000 | 1/1/2014
Service Fraud | $100,000 | $100,000 | 1/1/2014
Invoice Manipulation | $100,000 | $100,000 | 1/1/2014

Claims-Made Coverage Note: Should you elect to change carriers (if a new retro-active date is provided) or non-renew this policy, a supplemental extended reporting endorsement may be available subject to policy terms and conditions. You must request the extended reporting period in writing to the carrier within 30 days of the non-renewal or cancellation date of the policy and pay the additional premium by the due date specified on the premium invoice. The cost of this extended reporting period is 100% of the annual premium and is fully earned. The extended reporting period extends only to those claims that occurred prior to the expiration date and would have been covered by the policy. Claims must be reported to the carrier within 30 days of the end of the policy period. The extended reporting period does not increase the limits of liability and is subject to all policy terms, conditions and exclusions.

Minimum Premium: None
Auditable: Not subject to audit

Definitions

"Claim" means any of the following:
I. A written demand for services or monetary, non-monetary or injunctive relief, commenced by the Insured's receipt of such demand;
II. A written request for mediation or arbitration, or to toll or waive an applicable statute of limitations, commenced by the Insured's receipt of such request;
III. A civil proceeding for services or monetary, non-monetary or injunctive relief, commenced by the receipt by, or the service upon, the Insured of a complaint or similar pleading; or
IV. A Regulatory Action, commenced by the receipt by, or the service upon, the Insured of an investigative demand, request for information, complaint or similar pleading.

Paragraphs I. through IV. include any appeal from the actions described therein.

All Claims arising from, or in any way related to the same or a series of related, repeated or continuing acts, errors, omissions, Wrongful Acts, Incidents, or Related Events will be considered a single Claim for the purposes of this Policy. All such Claims will be deemed to have been made at the earlier of:
I. The first of any such Claim described in Paragraphs I. through IV., above; or
II. When the earliest Incident comprising a Related Event was first discovered by an Insured, even if such Claim is deemed to have been made prior to the inception of the Policy Period.

Cyber Incident means:
"Incident" means any Network Security Breach, Privacy Violation, Business Interruption, Ransomware Event, Adverse Publicity, Fraudulent Instruction, Services Fraud, or Invoice Manipulation.

All Incidents that are part of a series or combination of related, repeated or continuing Incidents that have a common nexus of facts, circumstances, situations, events, transactions, or causes, or series of causally connected facts, circumstances, situations, events, transactions or causes shall be considered a single Incident for purposes of this Policy.

With respect to the Crime Coverage Part, Incident Response Expense Coverage, Data Recovery Expense Coverage, and Cyber Extortion Expense Coverage, all such Incidents will be deemed to have been discovered at the time the earliest Incident was first discovered by an Insured, even if such Incident is deemed to have been discovered prior to the inception of the Policy Period.
With respect to the Business Interruption Coverage and Reputational Harm Coverage, all such Incidents will be deemed to have occurred at the time the earliest Incident was first discovered by an Insured, even if such Incident is deemed to have occurred prior to inception of the Policy Period.

Damages mean
"Damages" means any settlement, judgment, pre-judgment or post-judgment interest, or punitive, exemplary or multiple damages that the Insured becomes legally obligated to pay. The insurability of such punitive, exemplary or multiple damages shall be governed by the laws of the applicable jurisdiction that most favors coverage for such damages.

"Multi-Factor Authentication" means: The use of at least one of the following methods of authentication (in addition to the use of a user identification and password) to validate access:
1. a hardware or software token access card;
2. third party authentication application(s) providing time bound, one-time codes, by a method other than text messaging; or
3. a unique one-time passcode received by text message to a pre-established mobile phone number linked to the account that is being accessed in order to validate access.

Defense Provisions:

Defense Costs and Expenses: Included in the Retention and within the Limits of Liability

Defense Provisions: The Insurer shall have the right and duty to defend the Insured for each Claim alleging Loss covered under this Policy for which the Insurer receives notice that meets the requirements of the notice provisions of this Policy, even if such Claim is groundless, false or fraudulent. The Insurer may, at the Insurer's discretion, make any investigation it deems appropriate. The Insurer's right and duty to defend any Claim will end upon exhaustion of the applicable Limit of Insurance.
If the Limit of Insurance is exhausted, the premium for this Policy will be deemed fully earned.

Other Provisions:

Settlement: The Insurer may, with the written consent of the Insured, settle any Claim for a monetary amount that the Insurer deems reasonable. If any Insured refuses to consent to the settlement of a Claim recommended by the Insurer and acceptable to a claimant, then the Insurer will not pay Loss for such Claim in excess of the sum of:
I. The amount of the proposed settlement plus Defense Expenses incurred prior to such refusal; and
II. 70% of Loss incurred for such Claim in excess of the amount specified in 4.1. above.

Allocation: If any Insured incurs Loss under the Third Party Coverage Part that is only partially covered by this Policy because of any Wrongful Act, Claim, or Related Event that includes both covered and uncovered matters, Loss will be allocated as follows:
I. One hundred (100%) percent of Defense Expenses incurred by the Insureds will be allocated to covered Loss; and
II. With respect to all Loss other than Defense Expenses, such Loss will be allocated between covered and non-covered Loss based on the relative legal exposure of the parties to covered and non-covered matters.

Territory: This Policy shall apply on a worldwide basis. Regarding the Coverage Parts, when a Claim is made or Loss is incurred outside of the United States of America and its territories and possessions, the following additional provisions apply:
1. The Insurer shall have the right but not the duty to investigate, defend or settle any such Claims brought against an Insured.
2. If the Insurer elects not to investigate, defend or settle any such Claim, the Insured shall, under the Insurer's supervision, arrange for such investigation and defense thereof as is reasonably necessary and subject to the Insurer's prior authorization, and shall effect such settlement thereof as the Insurer and the Insured deem expedient.
3. The Insurer shall reimburse the Insured for the reasonable cost of such investigation and defense and the amount of any settlement or judgment in excess of the applicable Self-Insured Retention, all subject to and within the Limits of Insurance.

Terms and Conditions:
• Subrogation Clause
• Bankruptcy Clause
• Coordination of Coverage Clause

Endorsements and Notices:
• 06 NPL0320 00 09 23: ARCH CYPROSM POLICY DECLARATIONS
• 06 ML0002 00 12 14: SIGNATURE PAGE (ARCH SPECIALTY)
• 00 ML0012 00 01 03: SCHEDULE OF FORMS AND ENDORSEMENTS
• 00 NPL0321 00 09 23: ARCH CYPROSM POLICY
• 06 ML0294 00 04 22: SURPLUS LINES FILING INFORMATION REQUIREMENTS
• 00 ML0003 00 04 12: SERVICE OF SUIT
• 00 NPL0340 00 09 23: CLAIMS HANDLING PROCEDURES
• 00 MLT0027 00 12 19: TERRORISM COVERAGE DISCLOSURE NOTICE
• 00 ML0065 00 06 07: U.S. TREASURY DEPARTMENT'S OFFICE OF FOREIGN ASSETS CONTROL (OFAC)
• MANUSCRIPT/TBD: RANSOMWARE SUBLIMIT MFA $250K PER MEMBER LIMIT IF LACKING MFA
• MANUSCRIPT/TBD: PER MEMBER LIMIT ENDORSEMENT $1M FOR INCIDENT RESPONSE, BUSINESS INTERRUPTION I - VI, DATA RECOVERY, BRICKING, CYBER EXTORTION, REPUTATIONAL HARM, NETWORK SECURITY AND PRIVACY, MEDIA; $100K FOR SOCIAL ENGINEERING, SERVICE FRAUD, INVOICE MANIPULATION

Exclusions including but not limited to:
• Dishonest, fraudulent, criminal, malicious or intentional act, error, or omission, or any intentional knowing
• Sanctions
• Bodily Injury & Property Damage
• Contractual Liability
• Insured vs Insured
• Professional Liability (including Technology Errors & Omissions)
• Intellectual Property Laws
• Pollutants
• Gambling, waging, lottery, promotional games
• Unsolicited electronic communication
• Wire tapping, monitoring, or audio/video recording
• Employment Practices
• Discrimination
• Workers Compensation
• War (including Cyber War)
• Governmental Seizure
• Utility Service failure/failure to provide utility services
• Trading loss, change in monetary value

Extended Reporting Period: 100% of Annual Premium, Additional 12 Months

I. Upon the effective date of such cancellation or non-renewal, the Named Insured will have the right to elect a continuation of coverage afforded by this Policy for the additional period stated in Item 8. of the Declarations (the "Optional Extended Reporting Period"). If elected, the Optional Extended Reporting Period will commence upon the effective date of such cancellation or non-renewal. The Optional Extended Reporting Period shall only apply to a Claim that is first made against the Insured during the Optional Extended Reporting Period for a Wrongful Act committed on or subsequent to the Retroactive Date (if applicable) and prior to the end of the Policy Period. The Optional Extended Reporting Period shall be provided by an Optional Extended Reporting Period Endorsement for an additional premium.
II. The Named Insured's rights described in this Paragraph E.2. will terminate unless a written notice of election together with the additional premium due stated in Item 8. of the Declarations is received by the Insurer within thirty (30) days after the effective date of cancellation or non-renewal.
III. The additional premium for the Optional Extended Reporting Period will be fully earned at the inception of the Optional Extended Reporting Period.

I. There are no separate Limits of Insurance for the Automatic Extended Reporting Period or the Optional Extended Reporting Period. An Extended Reporting Period shall not increase or reinstate any Limit of Insurance.
II. An Extended Reporting Period cannot be cancelled.
III. The Optional Extended Reporting Period, if purchased, shall run concurrently with the Automatic Extended Reporting

Notice:

I. Regarding the Third Party Coverage Part:
a. Notice of Circumstance
If any Claims Manager first becomes aware of any Wrongful Act during the Policy Period that may reasonably be expected to give rise to a Claim against an Insured, then written notice of such Wrongful Act may be given by the Named Insured to the Insurer during the Policy Period, specifying the following:
i. Reasons for anticipating such a Claim;
ii. Nature and date of such Wrongful Act;
iii. Identity of the Insured(s) involved;
iv. Actual or alleged Loss incurred;
v. Names of potential claimants; and
vi. Manner in which the Insured(s) first became aware of the Wrongful Act.
Any Claim subsequently arising from such Wrongful Act will be deemed a Claim first made at the time the Insurer receives the written notice.
b. Notice of Claim
The Named Insured shall give the Insurer written notice of any Claim as soon as practicable after any Claims Manager first becomes aware of the Claim, but such notice shall not be given later than the end of the Automatic Extended Reporting Period, or the end of the Optional Extended Reporting Period, if applicable.

II. Regarding the First Party Coverage Part and Crime Coverage Part:
a. Notice of Incident
The Named Insured shall give the Insurer written notice of any Incident as soon as practicable after any Claims Manager first becomes aware of the Incident, but no later than sixty (60) days after the end of the Policy Period.

III. Regarding all Coverage Parts:
a. Law Enforcement Cooperation
The Named Insured may receive an authorized order from a law enforcement or other governmental authority to keep confidential certain information about an actual or reasonably suspected Incident or Claim. In such circumstances, a notice of such Incident or Claim shall be considered timely under this Policy if:
i. As soon as practicable after receipt of such request, any Claims Manager requests permission to share such information with the Insurer;
ii. The Named Insured only withholds from the Insurer that portion of the information that it has been instructed by a law enforcement or other governmental authority not to share with the Insurer; and
iii. The Named Insured provides full notice of such Incident or Claim to the Insurer as soon as practicable after the Named Insured is legally permitted.
To the extent the procedure set forth above is followed in connection with an authorized law enforcement or governmental authority order, any failure or delay in providing information to the Insurer shall not be the basis for denial of coverage under this Policy.

Claims Reporting:

Where/How to Report a Claim:

Notices — Circumstances, Claims or Incidents
Arch Specialty Insurance Company
1299 Farnam Street, Suite 500
Omaha, NE 68102
P.O. Box 542033
Omaha, NE 68154
Phone: 877 688-ARCH (2724)
Fax: 866 266-3630
E-mail: Cyberclaims@ArchInsurance.com

All Other Notices
Arch Specialty Insurance Company
Professional Liability
Harborside 3
210 Hudson Street, Suite 300
Jersey City, NJ 07311-1107
Phone: (866) 413-5550

Also Report Claim to:
Arthur J Gallagher Risk Management Services
Main Claims Email: GGB.NRCCIaimsCenterat.alq.com

This contract is delivered as surplus line coverage under the Non admitted Insurance Act. The insurer issuing this contract is not licensed in Colorado but is an eligible non admitted insurer. There is no protection under the provisions of the Colorado Insurance Guaranty Association Act.
Agent/Broker Signature Home Office Address: 2345 Grand Blvd, Suite 900 Kansas City, MO 64108 Arch Insurance ARCH SPECIALTY INSURANCE COMPANY (A Missouri Corporation) COLORADO — ARCH CYPROSM POLICY DECLARATIONS Policy Number: NPL0069163-00 Administrative Address: Harborside 3 210 Hudson Street, Suite 300 Jersey City, NJ 07311-1107 Phone: (866) 413-5550 Renewal of: N/A DEFENSE EXPENSES WITHIN LIMITS THE THIRD PARTY COVERAGE PART OF THIS POLICY PROVIDES CLAIMS -MADE COVERAGE. CLAIMS MUST FIRST BE MADE AGAINST THE INSURED DURING THE POLICY PERIOD OR THE EXTENDED REPORTING PERIOD (IF APPLICABLE), AND MUST BE REPORTED IN WRITING TO THE COMPANY DURING THE POLICY PERIOD OR EXTENDED REPORTING PERIOD (IF APPLICABLE). THE PAYMENT OF DEFENSE EXPENSES REDUCES THE LIMITS OF INSURANCE. IF ANY THIRD PARTY COVERAGE LIMIT IS EXHAUSTED, THE INSURER SHALL HAVE NO FURTHER LIABILITY UNDER SUCH COVERAGE, INCLUDING LIABILITY FOR DEFENSE EXPENSES. PLEASE READ THE ENTIRE POLICY CAREFULLY. Item 1. Named Insured: Colorado Counties Casualty and Property Pool Named Insured Address: C/O CTSI 800 Grant Street, Suite 400 Denver, CO 80203 Item 2. Producer Name: Arthur J. Gallagher Risk Management Services, LLC Producer Address: 6300 S. Syracuse Way, Suite 700 Centennial, CO 80111 Surplus Lines Producer Name: Arthur J. Gallagher Risk Management Services, LLC Surplus Lines Producer Address: License Number: 6300 S. Syracuse Way, Suite 700 Centennial, CO 80111 113080 Item 3. Policy Period: Inception Date: 01/01/2024 Expiration Date: 01/01/2025 (12:01 A.M. Standard time at the Named Insured address shown above) 06 NPL0320 06 09 23 © 2023 Arch Insurance Group Inc. Page 1 of 3 Item 4. Premium: $300,000.00 State Tax: By Broker Surplus Lines Tax: Calculated and collected by the Surplus Lines Producer Item 5. Policy Period Aggregate Limit of Insurance $5,000,000 Item 6. Coverages Coverage Limit of Insurance Self -Insured Retention Continuity Date FIRST PARTY COVERAGE PART A. 
Incident Response Expense Coverage ® I $5,000,000 I $100,000 101/01/2014 B. Business Interruption Coverage I. Business Interruption (Network Security Breach) II. Business Interruption (System Failure) III. Business Interruption — Technology Contractor (Network Security Breach) IV. Business Interruption — Technology Contractor (System Failure) V. Business Interruption — Dependent Business (Network Security Breach) VI. Business Interruption — Dependent Business (System Failure) Business Interruption Waiting Period 12 Hours ® ® ® ® ® ® $5,000,000 $5,000,000 $5,000,000 5,000,000 5,000,000 $5,000,000 $100,000 $100,000 $100,000 $100,000 $100,000 $100,000 01/01/2014 01/01/2014 01/01/2014 01/01/2014 01/01/2014 01/01/2014 C. Data Recovery Expense Coverage Bricking Sub -Limit of Insurance: $5,000,000 ® $5,000,000 $100,000 01/01/2014 D. Cyber Extortion Expense Coverage ® I $5,000,000 I $100,000 101/01/2014 E. Reputational Harm Coverage Reputational Harm Waiting Period 14 Days ® $5,000,000 $100,000 01/01/2014 THIRD PARTY COVERAGE PART F. Network Security and Privacy Liability Coverage ® I $5,000,000 I $100,000 I 01/01/2014 G. Media Liability Coverage Retroactive Date: 01/01/2014 ® $5,000,000 $100,000 01/01/2014 H. Technology and Professional Services Liability Coverage Retroactive Date: N/A ❑ N/A N/A N/A 06 NPL0320 06 09 23 © 2023 Arch Insurance Group Inc. Page 2 of 3 CYBER CRIME COVERAGE PART I. Social Engineering Coverage ® I $500,000 I $100,000 101/01/2014 J. Service Fraud Coverage ® I $500,000 I $100,000 101/01/2014 K. Invoice Manipulation Coverage ® I $500,000 I $100,000 101/01/2014 If any of the Limits of Insurance is denoted as "N/A", "Not Applicable", "$0" or is left blank, the corresponding coverage is not provided under this Policy. Item 7. Professional Services N/A Item 8. Optional Extended Reporting Period (Third Party Coverage Part Only): 1 Year 100% of Annual Premium Item 9. 
Insurer: Arch Specialty Insurance Company Notices — Circumstances, Claims or Incidents: All Other Notices: Arch Specialty Insurance Company 1299 Farnam Street, Suite 500 Omaha, NE 68102 P.O. Box 542033 Omaha, NE 68154 Phone: 877 688 -ARCH (2724) Fax: 866 266-3630 E-mail: Cyberclaims@ArchInsurance.com Arch Specialty Insurance Company Professional Liability Harborside 3 210 Hudson Street, Suite 300 Jersey City, NJ 07311-1107 Phone: (866) 413-5550 Arch Specialty Insurance Company is licensed in the state of Missouri only. 06 NPL0320 06 09 23 © 2023 Arch Insurance Group Inc. Page 3 of 3 SCHEDULE OF FORMS AND ENDORSEMENTS NAMED INSURED: Colorado Counties Casualty and Property Pool TERM: 01/01/2024 to 01/01/2025 POLICY NUMBER: NPL0069163-00 ENDT. NO. FORM NO. TITLE 06 NPL0320 06 09 23 COLORADO ARCH CYPROsm POLICY DECLARATIONS 00 ML0012 00 01 03 SCHEDULE OF FORMS AND ENDORSEMENTS 00 NPL0321 00 09 23 ARCH CYPROsm POLICY 06 ML0002 00 12 14 SIGNATURE PAGE (ARCH SPECIALTY) 00 NPL0340 00 09 23 CLAIMS HANDLING PROCEDURES 00 ML0065 00 06 07 U.S. TREASURY DEPARTMENT'S OFFICE OF FOREIGN ASSETS CONTROL ("OFAC") 00 MLT0027 00 12 19 TERRORISM COVERAGE DISCLOSURE NOTICE 06 ML0294 00 04 22 SURPLUS LINES FILING INFORMATION REQUIREMENTS 1 00 ML0207 00 11 03 00 MPX0947 06 01 24 COLORADO COUNTIES AMENDATORY ENDORSEMENT 2 00 ML0003 00 04 12 SERVICE OF SUIT 3 00 ML0207 00 11 03 00 MPX0973 00 03 24 PER POOL MEMBER LIMIT ENDORSEMENT 00 ML0012 00 01 03 Page 1 of 1 Arch CyProSM Policy TABLE OF CONTENTS A. INSURING AGREEMENTS B. DEFINITIONS C. EXCLUSIONS D. COVERAGE TERRITORY E. AUTOMATIC AND OPTIONAL EXTENDED REPORTING PERIODS F. LIMITS OF INSURANCE AND SELF -INSURED RETENTIONS G. DEFENSE AND SETTLEMENT OF CLAIMS AND INSURED'S OBLIGATIONS H. CONDITIONS 1. PROOF OF LOSS 2. ASSISTANCE AND COOPERATION 3. SPOUSAL, DOMESTIC PARTNER, ESTATE AND LEGAL REPRESENTATIVE COVERAGE 4. UNITED STATES OF AMERICA CURRENCY 5. NET INCOME CALCULATIONS AND APPRAISAL 6. NOTICE - CIRCUMSTANCES, CLAIMS OR INCIDENTS 7. 
SUBROGATION AND RECOVERY 8. OTHER INSURANCE 9. CHANGES IN CONTROL 10. APPLICATION AND SEVERABILITY 11. SUITS AGAINST THE INSURER 12. NAMED INSURED'S AUTHORITY 13. CANCELLATION 14. BANKRUPTCY 15. ATTRIBUTION OF A CYBER WAR TO A SOVEREIGN STATE 16. NOTICES 17. DISPUTE RESOLUTION 18. ALTERATION, ASSIGNMENT AND TITLES 19. REFERENCES TO LAWS 20. ENTIRE AGREEMENT 21. POLICY CHANGES 22. COVERAGE COORDINATION 23. ALLOCATION 00 NPL0321 00 09 23 © 2023 Arch Insurance Group Inc. Page 1 of 41 Arch CyProsM Policy A. INSURING AGREEMENTS FIRST PARTY COVERAGE PART 1. INCIDENT RESPONSE EXPENSE COVERAGE The Insurer shall pay on behalf of the Insured Entity for Incident Response Expense Loss in excess of the applicable Self -Insured Retention, resulting from an actual or reasonably suspected Network Security Breach or Privacy Violation first discovered by an Insured during the Policy Period and reported to the Insurer pursuant to the terms of this Policy. 2. BUSINESS INTERRUPTION COVERAGE The Insurer shall reimburse the Insured Entity for Business Interruption Loss in excess of the applicable Self -Insured Retention, incurred by the Insured Entity during the Business Interruption Period of Recovery or the Extended Business Interruption Period of Recovery, that results from a Business Interruption that: I. first occurs during the Policy Period; II. exceeds the Business Interruption Waiting Period; and III. is reported to the Insurer pursuant to the terms of this Policy. 3. DATA RECOVERY EXPENSE COVERAGE The Insurer shall pay on behalf of the Insured Entity for Data Recovery Expense Loss in excess of the applicable Self -Insured Retention that is incurred by an Insured Entity, resulting from a Network Security Breach or Privacy Violation which is first discovered by an Insured during the Policy Period and is reported to the Insurer pursuant to the terms of this Policy. 4. 
CYBER EXTORTION EXPENSE COVERAGE The Insurer shall pay on behalf of the Insured Entity for Cyber Extortion Expense Loss in excess of the applicable Self -Insured Retention that is incurred by an Insured Entity, resulting from a Ransomware Event which is first discovered by an Insured during the Policy Period and is reported to the Insurer pursuant to the terms of this Policy. 5. REPUTATIONAL HARM COVERAGE The Insurer shall reimburse the Insured Entity for Reputational Harm Loss in excess of the applicable Self -Insured Retention, incurred by the Insured Entity during the Reputational Harm Period of Recovery, that results from Adverse Publicity that: I. first occurs during the Policy Period; II. exceeds the Reputational Harm Waiting Period; and III. is reported to the Insurer pursuant to the terms of this Policy. 00 NPL0321 00 09 23 © 2023 Arch Insurance Group Inc. Page 2 of 41 THIRD PARTY COVERAGE PART 6. NETWORK SECURITY AND PRIVACY LIABILITY The Insurer shall pay on behalf of the Insured for Network Security and Privacy Liability Loss in excess of the applicable Self -Insured Retention, resulting from a Claim for a Network Security Breach or Privacy Violation Wrongful Act that is committed prior to the end of the Policy Period, and the Claim is first made against the Insured during the Policy Period or Extended Reporting Period (If applicable) and is reported to the Insurer pursuant to the terms of this Policy. 7. MEDIA LIABILITY COVERAGE The Insurer shall pay on behalf of the Insured for Media Liability Loss in excess of the applicable Self -Insured Retention, resulting from a Claim for a Media Wrongful Act that is committed on or subsequent to the Retroactive Date and prior to the end of the Policy Period, and the Claim is first made against the Insured during the Policy Period or Extended Reporting Period (If applicable) and is reported to the Insurer pursuant to the terms of this Policy. 8. 
TECHNOLOGY AND PROFESSIONAL SERVICES LIABILITY The Insurer shall pay on behalf of the Insured for Technology or Professional Services Liability Loss in excess of the applicable Self-Insured Retention, resulting from a Claim for a Technology or Professional Services Wrongful Act that is committed on or subsequent to the Retroactive Date and prior to the end of the Policy Period, and the Claim is first made against the Insured during the Policy Period or Extended Reporting Period (If applicable) and is reported to the Insurer pursuant to the terms of this Policy.

CYBER CRIME COVERAGE PART

9. SOCIAL ENGINEERING COVERAGE The Insurer shall reimburse the Insured Entity for Social Engineering Loss in excess of the applicable Self-Insured Retention that is incurred by an Insured Entity, resulting from a Fraudulent Instruction first discovered by an Insured during the Policy Period and reported to the Insurer pursuant to the terms of this Policy.

10. SERVICE FRAUD COVERAGE The Insurer shall reimburse the Insured Entity for Services Fraud Loss in excess of the applicable Self-Insured Retention that is incurred by an Insured Entity, resulting from Services Fraud first discovered by an Insured during the Policy Period and reported to the Insurer pursuant to the terms of this Policy.

11. INVOICE MANIPULATION COVERAGE The Insurer shall reimburse the Insured Entity for Invoice Manipulation Loss in excess of the applicable Self-Insured Retention that is incurred by an Insured Entity, resulting from Invoice Manipulation first discovered by an Insured during the Policy Period and reported to the Insurer pursuant to the terms of this Policy.

B. DEFINITIONS

The following terms shall have the meanings specified below:

1. "Additional Insured" means any natural person or entity that the Insured Entity has agreed in a written contract or agreement to add as an Insured under this Policy.

2. "Adverse Publicity" means the dissemination via any medium by a third party (including but not limited to dissemination via print, video, audio, electronic, or digital or digitized form) of previously non-public information specifically concerning an actual Network Security Breach or Privacy Violation affecting an Insured's customers, clients, or patients. Such Network Security Breach or Privacy Violation must first be discovered by an Insured during the Policy Period.

3. "Advertising Services Platform" means a social media advertising platform that is used to promote products, services, ideas, concepts, or issues through publications or advertisements of text, image or video on such platform.

4. "Affiliate" means: I. Any person or entity: a. which is operated, controlled or managed by an Insured; or b. in which any Insured has an ownership interest; At any time during or after the performance of Professional Services giving rise to a Claim; or II. Any entity of which any natural person Insured is a director, officer, trustee, regent, governor, independent contractor or equivalent executive at the time a Claim is made. Affiliate does not include a Subsidiary.

5. "Application" means: I. The application for this Policy, including any information or materials submitted, in connection with or incorporated therein; and II. Any application, including any information or materials submitted, in connection with or incorporated therein, for any insurance policy in an uninterrupted series of policies issued by the Insurer or any insurance company controlling, controlled by or under common control with the Insurer, of which this Policy is a direct or indirect renewal or replacement. All such information and materials submitted will be deemed attached to and incorporated into this Policy.

6. "Bodily Injury" means physical injury, sickness, disease or death of any person, including any mental anguish or emotional distress that results from such physical injury, sickness, disease, or death.

7. "Bricking" means damage or loss of use of hardware or electronic equipment included in the Insured Entity's Computer System caused by the reprograming of the software (including the firmware) of such hardware or electronic equipment rendering it useless for its intended purpose.

8. "Business Interruption" means the actual, measurable, full or partial interruption, suspension, or degradation of the Insured Entity's business operations resulting from a: I. Network Security Breach of the Insured Entity's Computer System if Item 6.B.I. Business Interruption (Network Security Breach) is elected in the Declarations; II. Voluntary Shutdown of the Insured Entity's Computer System if Item 6.B.I. Business Interruption (Network Security Breach) is elected in the Declarations; III. System Failure of the Insured Entity's Computer System if Item 6.B.II. Business Interruption (System Failure) is elected in the Declarations; IV. Network Security Breach of the Technology Contractor's Computer System if Item 6.B.III. Business Interruption — Technology Contractor (Network Security Breach) is elected in the Declarations; V. System Failure of the Technology Contractor's Computer System if Item 6.B.IV. Business Interruption — Technology Contractor (System Failure) is elected in the Declarations; VI. Network Security Breach of the Dependent Business's Computer System if Item 6.B.V. Business Interruption — Dependent Business (Network Security Breach) is elected in the Declarations; and VII. System Failure of the Dependent Business's Computer System if Item 6.B.VI. Business Interruption — Dependent Business (System Failure) is elected in the Declarations.
The above-referenced Network Security Breach or System Failure must first be discovered by any Insured during the Policy Period.

9. "Business Interruption Loss" means the actual loss sustained by an Insured as measured by: I. Net income (net profit or net loss before income taxes), that could have reasonably been earned or incurred but for a Business Interruption; plus II. Continuing normal operating expenses incurred by the Insured Entity (including payroll), but only to the extent that such operating expenses must necessarily continue during the Business Interruption Period of Recovery or Extended Business Interruption Period of Recovery; plus III. Reasonable and necessary extra expenses that would not have been incurred but for a Business Interruption and incurred during the Business Interruption Period of Recovery or Extended Business Interruption Period of Recovery to minimize, reduce or avoid the loss described in Paragraph 9.I. or 9.II. above.

Business Interruption Loss shall not include: I. Net income (net profit before income taxes) that would likely have been earned as a result of: a. an increase in volume of business due to favorable business conditions; or b. unfavorable business conditions; II. Liability to any third party, contractual penalties, loss of market, provision of any service credits by an Insured, or any other consequential loss; or III. Loss covered under: a. The First Party Coverage Part except Business Interruption Coverage; b. The Third Party Coverage Part; c. The Cyber Crime Coverage Part; or IV. Loss that would have otherwise been covered but for the reduction or exhaustion of any Limit of Insurance of the First Party Coverage Part (Except Business Interruption Coverage), Third Party Coverage Part, or Cyber Crime Coverage Part.

10. "Business Interruption Period of Recovery" means the period of time that: I.
Begins on the date the Business Interruption first commences; and II. Ends on the earliest of: a. The date when the Insured Entity's Computer System, Technology Contractor's Computer System, or Dependent Business's Computer System is repaired or restored to the condition that existed immediately prior to the Business Interruption; b. The date when the Insured Entity's Computer System, Technology Contractor's Computer System, or Dependent Business's Computer System could have been repaired or restored with due diligence and dispatch to the same or substantially similar condition that existed immediately prior to the Business Interruption; or c. One Hundred Eighty (180) days after the date the Business Interruption first commenced. In no event will the Business Interruption Period of Recovery exceed One Hundred Eighty (180) days. The expiration date of this Policy will not cut short the Business Interruption Period of Recovery.

11. "Business Interruption Waiting Period" means the number of hours set forth in Item 6.B. of the Declarations that must elapse once the Business Interruption has begun.

12. "Claim" means any of the following: I. A written demand for services or monetary, non-monetary or injunctive relief, commenced by the Insured's receipt of such demand; II. A written request for mediation or arbitration, or to toll or waive an applicable statute of limitations, commenced by the Insured's receipt of such request; III. A civil proceeding for services or monetary, non-monetary or injunctive relief, commenced by the receipt by, or the service upon, the Insured of a complaint or similar pleading; or IV. A Regulatory Action, commenced by the receipt by, or the service upon, the Insured of an investigative demand, request for information, complaint or similar pleading. Paragraphs I. through IV. include any appeal from the actions described therein.
All Claims arising from, or in any way related to the same or a series of related, repeated or continuing acts, errors, omissions, Wrongful Acts, Incidents, or Related Events will be considered a single Claim for the purposes of this Policy. All such Claims will be deemed to have been made at the earlier of: I. The first of any such Claim described in Paragraphs I. through IV., above; or II. When the earliest Incident comprising a Related Event was first discovered by an Insured, even if such Claim is deemed to have been made prior to the inception of the Policy Period.

13. "Claims Manager" means any natural person who holds the position (or the functional equivalent) of: I. Chief Executive Officer; II. Chief Financial Officer; III. General Counsel; IV. Chief Technology Officer; V. Chief Information Officer; VI. Chief Information Security Officer; or VII. Risk Manager; of the Insured Entity.

14. "Computer System" means any hardware, computer, network, or other electronic equipment, electronic mobile device, peripheral devices, software, firmware, application, platform, and components thereof including Data stored thereon. The Computer System shall also include any Voice Computer System or Operational Technology.

15. "Continuity Date" means the applicable date set forth in Item 6. of the Declarations with respect to each coverage.

16. "Coverage Parts" means the following combined: I. First Party Coverage Part; II. Third Party Coverage Part; and III. Cyber Crime Coverage Part.

17. "Cyber Crime Coverage Part" means the combined coverages described in Insuring Agreements 9. Social Engineering Coverage, 10. Service Fraud Coverage, and 11. Invoice Manipulation Coverage of this Policy.

18. "Cyber Extortion Expense Loss" means the following reasonable and necessary expenses incurred by the Insured Entity, with the Insurer's prior written consent (such consent shall not be unreasonably withheld), to negotiate, terminate or end a Ransomware Event that would otherwise result in harm to the Insured Entity: I. Fees and costs incurred to retain a third party to determine the validity, severity, and cause of a Ransomware Event; and II. Any type of monetary consideration paid as a ransom payment, including but not limited to money, securities, bonds or commodities, digital assets, virtual currency, or non-fungible token (NFT). Cyber Extortion Expense Loss shall not include any legal expenses, fees, or costs of any type.

19. "Cyberterrorism" means any harmful act conducted using a Computer System (or series of related, repeated or continuing harmful acts conducted using one or more Computer Systems) directed against one or more Computer Systems, or any explicit threat to commit such harmful act(s), by an individual or group of individuals with the intention to further social, ideological, religious, political, or similar objectives. Cyberterrorism shall not include any such activities which are part of, connected to, or related to any War or Cyber War.

20. "Cyber War" means any harmful act conducted using a Computer System (or series of related, repeated or continuing harmful acts conducted using one or more Computer Systems) directed against one or more Computer Systems that is committed by or at the direction or under the control of, or on behalf of a sovereign state, and which: I. is connected to, related to or part of a War; or II. causes a sovereign state to become an Impacted State.

21. "Damages" means any settlement, judgment, pre-judgment or post judgment interest, or punitive, exemplary or multiple damages that the Insured becomes legally obligated to pay.
The insurability of such punitive, exemplary or multiple damages shall be governed by the laws of the applicable jurisdiction that most favors coverage for such damages.

22. "Data" means any software, electronic code, digital data or electronic representation of information that exists in a Computer System.

23. "Data Recovery Expense Loss" means the reasonable and necessary expenses incurred by the Insured Entity, with the Insurer's prior written consent (such consent shall not be unreasonably withheld), to retain a third party computer restoration and recovery expert: I. To regain access to, recover, replace, restore or recreate Data that is lost, altered, damaged or destroyed as a result of a Network Security Breach. If Data cannot reasonably be accessed, recovered, replaced, restored or recreated, then only the expenses incurred by the Insured Entity to reach this determination shall be included; or II. To replace or restore hardware and electronic equipment which is part of the Computer System as a result of Bricking. The maximum aggregate amount the Insurer shall pay for all Data Recovery Expense Loss described in this Paragraph 23.II. shall be the Bricking Sub-Limit of Insurance stated in the Declarations. The Bricking Sub-Limit of Insurance shall be part of, and not in addition to, the Data Recovery Expense Coverage Limit of Insurance stated in the Declarations. Data Recovery Expense Loss shall not include any legal expenses, fees, or costs of any type.

24. "Defense Expenses" means reasonable and necessary legal expenses, fees or costs incurred solely in the defense of a Claim. I. Defense Expenses shall include the premium for any appeal, attachment or similar bond, provided that the Insurer will have no obligation to furnish such bond. II. Defense Expenses shall not include any compensation, benefit expenses or overhead of, or paid to, any Insured.

25. "Dependent Business" means an entity other than an Insured, Technology Contractor, Internet Infrastructure Provider, Utilities Provider or a Financial Services Market, that provides necessary business services to an Insured Entity pursuant to a written contract or agreement.

26. "Dependent Business's Computer System" means any Computer System that is owned or leased by, and under the operational control of any Dependent Business.

27. "Distributed Denial-Of-Service Attack" means a malicious attack intended by the perpetrator to overwhelm the capacity of a Computer System by sending an excessive volume of electronic data to such Computer System in order to prevent authorized access to such Computer System.

28. "Domestic Partner" means any natural person who enters into a civil union or qualifies as a domestic partner under any federal, state or local law or under the provisions of any formal program established by the Named Insured.

29. "Essential Service" means a service that is essential for the maintenance of vital functions of a sovereign state, including but not limited to Financial Institutions, the Financial Services Market(s) and associated financial market infrastructure, emergency services, health care services, services provided by a Utilities Provider or Internet Infrastructure Provider, or services that are essential for the maintenance of the food, energy or transportation sector.

30. "Extended Business Interruption Period of Recovery" means the period of time that: I. Begins on the date the Business Interruption Period of Recovery ends; and II. Ends on the earliest of: a. The date when the Insured Entity's business operations are restored to the condition that existed immediately prior to the Business Interruption; b.
The date when the Insured Entity's business operations could have been restored with due diligence and dispatch to the same or substantially similar condition that existed immediately prior to the Business Interruption; or c. Sixty (60) days after the date the Business Interruption Period of Recovery ends. In no event will the Extended Business Interruption Period of Recovery exceed sixty (60) days. The expiration date of this Policy will not cut short the Extended Business Interruption Period of Recovery.

31. "Financial Institution" means any: I. Entity subject to supervision by any state or federal bank or credit union supervisory authority; or II. Licensed broker or dealer of securities, bonds or commodities.

32. "Financial Services Market" means an operator, other than an Insured Entity, of a financial exchange or financial market.

33. "First Party Coverage Part" means the combined coverages described in Insuring Agreements 1., Incident Response Coverage, 2. Business Interruption Coverage, 3. Data Recovery Expenses Coverage, 4. Cyber Extortion Expenses Coverage, and 5. Reputational Harm Coverage of this Policy.

34. "Fraudulent Instruction" means any instruction provided by a natural person or entity that is not an Insured which purports to be from and approved by a customer, vendor, business affiliate, principal, partner, executive officer, director, employee or independent contractor of the Insured Entity but is not actually from such customer, vendor, business affiliate, principal, partner, executive officer, director, employee or independent contractor, and directs an Insured or Financial Institution to transfer, pay or deliver money, securities, bonds or commodities, digital assets, virtual currency, or non-fungible tokens (NFT).

35. "Fraudulent Invoice" means: I. An invoice that: a. is furnished to a customer of the Insured Entity; b.
purports to be from the Insured Entity, but is not actually from such Insured Entity; c. requests the customer to transfer, pay or deliver money, securities, bonds, commodities, digital assets, virtual currency, or non-fungible tokens (NFT); and d. results from a Network Security Breach; or II. A purchase order that: a. is furnished to the Insured Entity; b. purports to be from a customer of the Insured Entity, but is not actually from such customer; c. requests the Insured Entity to: i. provide services; or ii. transfer or deliver goods, products, or other tangible property; and d. results from a Network Security Breach.

36. "Impacted State" means a sovereign state where a Cyber War has resulted in a harmful impact on: I. The operations of that sovereign state due to disruption to the availability, integrity or delivery of any Essential Services in that sovereign state; or II. The security or defense of that sovereign state.

37. "Incident" means any Network Security Breach, Privacy Violation, Business Interruption, Ransomware Event, Adverse Publicity, Fraudulent Instruction, Services Fraud, or Invoice Manipulation. All Incidents that are part of a series or combination of related, repeated or continuing Incidents that have a common nexus of facts, circumstances, situations, events, transactions, or causes, or series of causally connected facts, circumstances, situations, events, transactions or causes shall be considered a single Incident for purposes of this Policy. With respect to the Crime Coverage Part, Incident Response Expense Coverage, Data Recovery Expense Coverage, and Cyber Extortion Expense Coverage, all such Incidents will be deemed to have been discovered at the time the earliest Incident was first discovered by an Insured, even if such Incident is deemed to have been discovered prior to the inception of the Policy Period.
With respect to the Business Interruption Coverage and Reputational Harm Coverage, all such Incidents will be deemed to have occurred at the time the earliest Incident was first discovered by an Insured, even if such Incident is deemed to have occurred prior to inception of the Policy Period.

38. "Incident Response Expense Loss" means reasonable and necessary fees and expenses incurred by an Insured, with the Insurer's prior written consent (such consent shall not be unreasonably withheld), for: I. Legal services by an attorney selected by the Insurer regarding any Network Security Breach or Privacy Violation, including evaluating the Insured's obligations pursuant to Privacy Law; II. Computer forensic investigatory services by a third party data forensics incident response professional services firm selected by the Insurer to: a. Determine the existence, cause and scope of an actual or reasonably suspected Network Security Breach or Privacy Violation; b. Identify those who may have been victims of any Privacy Violation; and c. Assist in containing a Network Security Breach, if such Network Security Breach is actively in progress on the Insured Entity's Computer System. III. Public relations or crisis management firm to mitigate reputational damage resulting from any Network Security Breach or Privacy Violation; IV. PCI Forensic Investigator to investigate the existence and extent of an actual or reasonably suspected Network Security Breach or Privacy Violation involving payment card data; V. PCI certified Qualified Incident Response Assessor (QIRA) to certify and assist in attesting to the Insured's PCI compliance, as required under a PCI-DSS Agreement; VI. Notifying individuals as required by any Privacy Law, or on a voluntary basis to minimize potential harm; VII.
Credit monitoring services, identity theft education and identity theft insurance offered to those persons notified pursuant to Paragraph VI. above; or VIII. Identity theft call center services, but only for those persons notified pursuant to Paragraph VI. above. Incident Response Expense Loss shall not include any continuing normal operating expenses, compensation or overhead of any Insured.

39. "Insured(s)" means: I. The Insured Entity; II. Any natural person who is or was a principal, partner, officer, director or employee of the Insured Entity, but only with respect to acts or omissions committed within the scope of such natural person's duties related to the conduct of the Insured Entity's business; III. Any independent contractor that is a natural person and has entered into a written contract or agreement with an Insured Entity, wherein the Insured Entity has agreed to indemnify the independent contractor in such contract. The independent contractor shall be an Insured solely for work the independent contractor performs for or on behalf of the Insured Entity pursuant to such contract; and IV. Any Additional Insured, but only with respect to: a. Acts or omissions committed by the Insured Entity or any persons identified in Paragraphs II. or III., above; and b. Loss that occurs subsequent to the execution of the contract or agreement.

The insurance afforded to such Additional Insured(s) described in this Paragraph IV.: a. Only applies to: i. The Third Party Coverage Part; ii. The extent permitted by law; and iii. The period of time required by the contract or agreement; b. Will not be broader than that which the Insured Entity is required by the contract or agreement to provide for such Additional Insured; and c. Will not exceed the amount of insurance: i. Required by the contract or agreement; or ii. Available under the applicable limits of insurance of this Policy, Whichever is less.
No natural person or entity shall be an Additional Insured with respect to any Claim or Loss arising out of such natural person's or entity's independent act(s) or omission(s).

40. "Insured Entity" means: I. The Named Insured; or II. Any Subsidiary.

41. "Insured Entity's Computer System" means any Computer System that is owned or leased by, and under the operational control of: I. An Insured Entity; or II. A principal, partner, executive officer, director, employee or any independent contractor of an Insured Entity.

42. "Insured's Technology Products" means computer or telecommunications hardware, electronic equipment, software, firmware, platforms or applications designed, created, developed, manufactured, assembled, licensed, leased, or sold by an Insured.

43. "Insurer" means the organization specified in Item 9. of the Declarations.

44. "Internet Infrastructure Provider" means an entity that is an Internet Services Provider ("ISP"), including any provider of internet connectivity, any Domain Name System ("DNS") or any Certificate Authority ("CA").

45. "Invoice Manipulation" means the use of a Fraudulent Invoice to fraudulently induce: I. The transfer, payment or delivery of: a. money, securities, bonds, commodities, digital assets, virtual currency, or non-fungible tokens (NFT); or b. goods, products, or other tangible property; or II. The provision of services.

46. "Invoice Manipulation Loss" means direct financial loss incurred by the Insured Entity as a result of Invoice Manipulation, including the inability to collect payment for any goods, products, or services after such goods, products, or services have been transferred, delivered, or provided. Invoice Manipulation Loss shall not include any profit to the Insured Entity as a result of the transferring, delivering, or providing goods, products, or services to a third party.

47. "Loss" means the following: I.
Incident Response Expense Loss; II. Business Interruption Loss; III. Cyber Extortion Expense Loss; IV. Data Recovery Expense Loss; V. Reputational Harm Loss; VI. Network Security and Privacy Liability Loss; VII. Media Liability Loss; VIII. Technology or Professional Services Liability Loss; IX. Social Engineering Loss; X. Services Fraud Loss; and XI. Invoice Manipulation Loss.

48. "Malicious Code" means any virus, Trojan, worm or other similar malicious software program, code or script designed to harm a Computer System.

49. "Media Activities" means the publishing, dissemination, releasing, transmission, production, webcasting, or other distribution of Media Content to the general public.

50. "Media Content" means any Data, text, sounds, images or similar matter disseminated in any form, including but not limited to advertising and matters disseminated electronically on the Insured's Computer System. Media Content shall not include: I. An Insured's Technology Products or Third Party Technology Products; II. Data, text, sounds, images or similar matter incorporated into or otherwise a part of an Insured's Technology Products or Third Party Technology Products; or III. The actual goods, products or services described, including but not limited to those illustrated or displayed in Media Content.

51. "Media Liability Loss" means Damages and Defense Expenses resulting from a Media Wrongful Act.

52. "Media Wrongful Act" means any actual or alleged negligent act, error or omission, misstatement, misleading statement, or breach of duty or neglect by any Insured, or by any other person for whom the Insured is legally responsible, solely in the performance of or failure to perform Media Activities that results in: I. Personal Injury, infliction of emotional distress, mental anguish, outrage or outrageous conduct; II.
False light, public disclosure of private facts, or the intrusion and commercial appropriation of a name, persona or likeness; III. Plagiarism, piracy or the misappropriation or unauthorized use of advertising ideas, advertising material, titles, literary or artistic formats, styles or performances; or IV. Infringement of copyright, domain name, trademark, trade name, title, slogan or service name.

However, a Media Wrongful Act shall not include any actual or alleged negligent act, error or omission, misstatement, misleading statement, or breach of duty or neglect that results in a Claim containing any allegation of: I. Misappropriation, theft, plagiarism, infringement, disclosure or violation of any: a. Patent; b. Software, source code, or software licensing; or c. Trade dress or service mark of any goods, products or services, including goods, products or services displayed or contained in Media Content; II. False advertising or misrepresentation in advertising of an Insured's goods, products or services; or III. Failure of any goods, products or services to conform with an advertised quality or performance.

53. "Named Insured" means the organization specified in Item 1. of the Declarations.

54. "Network Security and Privacy Liability Loss" means: I. Damages; II. Defense Expenses; III. PCI-DSS Loss; or IV. Civil fines or penalties imposed by a governmental agency and arising from a Regulatory Action, including any monetary amount an Insured is required to deposit in a consumer redress fund, resulting from an actual or alleged Network Security Breach or Privacy Violation Wrongful Act. The insurability of such civil fines or penalties described in Paragraph IV. shall be governed by the laws of the applicable jurisdiction that most favors coverage for such damages.

55. "Network Security Breach" means any: I. Unauthorized access to, or unauthorized use of, a Computer System; II. Transmission of Malicious Code into or from a Computer System; III.
Distributed Denial-Of-Service Attack against a Computer System; IV. Access to, loss or theft of a System Password; V. Ransomware Event; or VI. Cyberterrorism, but only to the extent such Cyberterrorism results from a Network Security Breach as defined in Paragraphs I. through V. above.

56. "Network Security Breach or Privacy Violation Wrongful Act" means any actual or alleged negligent act, error or omission, misstatement, misleading statement, or breach of duty or neglect by any Insured, or by any other person for whom the Insured is legally responsible, that results in a Network Security Breach or Privacy Violation.

57. "Operational Technology" means hardware, software, or peripheral devices that interact with the physical environment, including but not limited to, programmable logic controllers, sensors, actuators, remote terminal units, distributed control systems, industrial control systems, supervisory control and data acquisition (SCADA) systems, building management systems, computer numerical control systems (CNC), computer aided manufacturing (CAM) or similar type of system.

58. "PCI-DSS Agreement" means a written contract between the Insured and any Payment Card Association (MasterCard, Visa, Discover, American Express or JCB Co., Ltd. or bank that processes payment card transactions (i.e., an acquiring bank)) that contains generally accepted and published Payment Card Industry Data Security Standards for data security (commonly referred to as "PCI-DSS").

59. "PCI-DSS Loss" means any fine, fee, assessment or penalty imposed by any Payment Card Association (MasterCard, Visa, Discover, American Express or JCB Co., Ltd. or bank that processes payment card transactions (i.e., an acquiring bank)) under the terms of a PCI-DSS Agreement, as a result of a Network Security Breach or Privacy Violation. PCI-DSS Loss shall not include any charge backs.

60. "Personal Information" means any: I. Information for which an individual may be uniquely and reliably identified, including without limitation the individual's: a. Name; b. Address; c. Telephone number; d. Social security number; e. Driver's license number or any other state identification number; f. Biometric identifier or biometric information; or g. Medical or healthcare data, including protected health information; II. Credit, debit or other account numbers and associated security codes, access codes, passwords or pin numbers associated with such credit, debit or other account numbers; or III. Non-public personal information as defined in any Privacy Law.

61. "Personal Injury" means any actual or alleged: I. False arrest, detention, imprisonment or malicious prosecution; II. Wrongful entry or eviction; III. Invasion of the right of privacy; IV. Libel, slander or other defamatory or disparaging material of a person, organization or product; or V. Publication or an utterance in violation of an individual's right of privacy.

62. "Policy Period" means the period of time specified in Item 3. of the Declarations, subject to any cancellation prior to the expiration date stated in the Declarations.

63. "Pollutants" means any solid, liquid, gaseous, biological, radiological or thermal contaminant or irritant including without limitation, smoke, vapor, soot, fumes, acids, alkalis, chemicals, mold, fungi, odors, noise, lead, oil or oil products, radiation, asbestos or asbestos containing products, waste or any electric, magnetic or electromagnetic field of any frequency. Pollutants also includes, without limitation, materials to be recycled, reconditioned or reclaimed.

64. "Privacy Demand" means any threat or demand, or connected series of threats or demands to use, publicly disclose or destroy Private Information misappropriated from an Insured for the purpose of demanding any type of monetary consideration from an Insured including but not limited to, money, securities, bonds or commodities, digital assets, virtual currency, or non-fungible tokens (NFT).

65. "Privacy Law" means those parts of the following statutes or regulations regulating the use and protection of non-public personal information (as defined in such statutes or regulations): I. Health Insurance Portability and Accountability Act of 1996 (HIPAA); II. Gramm-Leach Bliley Act of 1999 (GLBA); III. Security breach notification laws that require notice to individuals of the actual or potential theft of their non-public personal information, including but not limited to the California Security Breach Notification Act of 2003 (CA SB1386); IV. European Union General Data Protection Regulation (GDPR); V. California Consumer Privacy Act (CCPA); or VI. Any other state, federal or foreign privacy laws for non-public personal information, or a privacy policy limiting the sale, disclosure or sharing of non-public personal information or providing individuals with the right to access or correct non-public personal information.

66. "Privacy Violation" means any: I. Failure to protect Private Information while in the care, custody or control of an Insured, or in the care, custody or control of a third party on any Insured's behalf; II. Violation of a Privacy Law by an Insured in connection with Paragraph I., above; III. Violation of an Insured's privacy policy with respect to provisions prohibiting any Insured from disclosing Private Information; or IV. Ransomware Event.

67. "Private Information" means any of the following information: I. Personal Information; or II.
Confidential or proprietary business information of a third party that is not an Insured that is not available to the general public, that exists in any format and that is in the care, custody or control of any Insured, or in the care, custody or control of a third party on any Insured's behalf.
68. "Professional Services" means those services rendered by the Insured for others for a fee and described in Item 7. of the Declarations.
69. "Property Damage" means: I. Physical injury to, loss or destruction of, tangible property, including loss of use thereof; or II. Loss of use of tangible property which has not been physically injured, lost, damaged or destroyed, provided however this will not apply to Data Recovery Expense Loss resulting from Bricking. Provided, however Data is not tangible property.
70. "Ransomware Event" means any: I. Privacy Demand; or II. Security Demand. Any such event shall be considered a Ransomware Event regardless of: a. The specific amount of the demand; b. Whether the demand is actually paid; c. Whether the threat or demand is communicated; and d. Whether any Private Information is unlawfully used, publicly disclosed or destroyed at any time.
71. "Regulatory Action" means: I. An administrative or regulatory proceeding; or II. An administrative or regulatory investigation which may reasonably be expected to give rise to an administrative or regulatory proceeding, brought or made by a local, state, federal or foreign governmental agency or authority that alleges a Network Security Breach or a Privacy Violation. A Regulatory Action shall not include any criminal demands, requests, proceedings or investigations.
72. "Related Event" means any series or combination of related, repeated or continuing Incident(s) or Wrongful Act(s) that have a common nexus of facts, circumstances, situations, events, transactions or causes, or series of causally connected facts, circumstances, situations, events, transactions or causes.
73. "Reputational Harm Loss" means net income (net profit or net loss before income taxes), that could have reasonably been earned by the Insured during the Reputational Harm Period of Recovery resulting from Adverse Publicity. Reputational Harm Loss shall not include: I. Net income (net profit or net loss before income taxes) that would likely have been earned as a result of an increase in volume of business due to favorable business conditions; II. Loss incurred as a result of unfavorable business conditions; III. Legal expenses, fees, or costs of any type; or IV. Loss arising or resulting from any contractual penalties, or indirect or consequential loss arising from a Technology Contractor or Dependent Business.
74. "Reputational Harm Period of Recovery" means the period of time that: I. Begins on the date the Adverse Publicity first commences; and II. Ends on the earliest of: a. The date when the Insured Entity's net income (net profit or net loss before income taxes), is restored to the level that existed immediately prior to the Adverse Publicity; b. The date when the Insured Entity's net income (net profit or net loss before income taxes), would have been restored to the condition that existed immediately prior to the Adverse Publicity, if the Insured Entity exercised due diligence and dispatch; or c. Ninety (90) days after the date when the Adverse Publicity first commenced. In no event will the Reputational Harm Period of Recovery exceed ninety (90) days.
If the Insured Entity incurs Adverse Publicity for a period of time exceeding ninety (90) days from the date the Adverse Publicity first commenced, the Insurer will only be obligated to pay such Reputational Harm Loss that is incurred during the first ninety (90) days. The expiration date of this Policy will not cut short the Reputational Harm Period of Recovery.
75. "Reputational Harm Waiting Period" means the number of days set forth in Item 6.E. of the Declarations that must elapse once the Adverse Publicity has begun.
76. "Retroactive Date" means: I. The date set forth in Item 6.G. of the Declarations for Media Liability Coverage; and II. The date set forth in Item 6.H. of the Declarations for Technology Services and Products and Professional Liability Coverage.
77. "Security Demand" means any threat or demand, or connected series of threats or demands against a Computer System for the purpose of demanding any type of monetary consideration from an Insured including but not limited to, money, securities, bonds or commodities, digital assets, virtual currency, or non-fungible tokens (NFT).
78. "Services Fraud" means the manipulation of any: I. Voice Computer System for the purpose of selling long distance call minutes to a third party; II. Insured Entity's Computer System for the purpose of exploiting processing power; or III. Advertising Services Platform for the purpose of exploiting advertising resources, resulting from a Network Security Breach.
79. "Services Fraud Loss" means additional charges incurred by the Insured Entity for services provided by a Utilities Provider, Internet Infrastructure Provider or Advertising Services Platform, resulting from Services Fraud. Services Fraud Loss shall not include expenses charged to the Insured at a flat fee that does not scale with the rate or use of the respective provider.
80. "Setoff Amounts" means the amounts, including credits, that any Insured has recovered from any third party (including any insurance company) to which Loss under this Policy would otherwise apply.
81. "Social Engineering Loss" means direct financial loss incurred by the Insured Entity resulting from a Fraudulent Instruction. I. In the event any Fraudulent Instruction is received by an Insured: a. Such Fraudulent Instruction must be authenticated and verified with reasonable due diligence by the Insured prior to making the transfer, payment or delivery; and b. Such reasonable due diligence must include at least two methods of authentication and verification, of which one method must rely solely on information (including contact information) outside of the Fraudulent Instruction. II. In the event any Fraudulent Instruction is received by a Financial Institution: a. Such Financial Institution must offer at least two methods of transaction authentication to the Insured; and b. The Insured must utilize such methods of transaction authentication, prior to making the transfer, payment or delivery. Social Engineering Loss shall not include loss arising or resulting from: I. Any Fraudulent Instruction that does not meet the requirements of Paragraphs I. or II. above, whichever is applicable; II. Any Fraudulent Instruction involving transfer, payment or delivery of money, securities, bonds or commodities, digital assets, virtual currency, or non-fungible tokens (NFT) that are owned wholly or partially by a third party who is not an Insured or a Financial Institution; III. Any investment in securities, bonds or commodities, digital assets, virtual currency, or non-fungible tokens (NFT), or the ownership in any corporation, partnership, or similar instrument, whether or not such investment is genuine; or IV.
Any money, securities, bonds or commodities, while in the mail or in the custody of any carrier for hire, including but not limited to any armored motor vehicle company.
82. "Subsidiary" means: Any entity that the Named Insured directly or indirectly owns interests representing more than 50% of the voting, appointment or designation power for the selection of: I. A majority of the board of directors of a corporation; II. The members of the board of managers of a limited liability company; or III. The general partners of a limited partnership.
83. "System Failure" means an unintentional and unplanned outage of a Computer System that is not part of or caused by a Network Security Breach.
84. "System Password" means a confidential and protected string of characters which identifies or authenticates a person or entity and permits that person or entity to gain access to the Computer System.
85. "Technology Contractor" means any entity other than an Insured, Dependent Business, Internet Infrastructure Provider, Utilities Provider, Advertising Services Platform, or Financial Services Market, that: I. An Insured Entity depends on to conduct its business; II. Provides necessary information technology or Operational Technology services, including but not limited to, data hosting, cloud services or computing, co-location, data back-up, data storage, data processing, platforms, software, network infrastructure-as-a-service, web hosting, systems integration or other managed technology services in order for the Insured Entity to operate the Insured Entity's Computer System; and III. Provides the information technology or Operational Technology services described in Paragraph II. above, pursuant to a written contract or agreement with an Insured Entity.
86. "Technology Contractor's Computer System" means any Computer System that is owned or leased by, and under the operational control of any Technology Contractor.
87. "Technology or Professional Services Liability Loss" means Damages and Defense Expenses resulting from a Technology or Professional Services Wrongful Act.
88. "Technology or Professional Services Wrongful Act" means any actual or alleged negligent act, error or omission, misstatement, misleading statement, or breach of duty or neglect by any Insured, or by any other person for whom the Insured is legally responsible, solely in the performance of or failure to perform Technology Services or Professional Services.
89. "Technology Services" means information technology or Operational Technology services rendered by any Insured for others for a fee, including but not limited to: I. Technology consulting services in connection with an Insured's Technology Products or Third Party Technology Products, including the analysis, design, programming, integration, installation, hosting, management, repair or maintenance of an Insured's Technology Products or Third Party Technology Products; II. Data processing; III. Provision of cloud or hosted services including Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), Network as a Service (NaaS) or Block chain as a Service (BaaS), including Data associated therein; IV. Custom software, website, platform or application design, development, integration, installation or maintenance; V. Backup, disaster recovery or Data and record retrieval; or VI. Education and training services related to Technology Services.
90. "Third Party Coverage Part" means the combined coverages described in Insuring Agreements 6. Network Security and Privacy Liability Coverage, 7. Media Liability Coverage, and 8. Technology and Professional Services Liability Coverage of this Policy.
91. "Third Party Technology Products" means computer or telecommunications hardware, electronic equipment, software, firmware, platforms or applications designed, created, developed, manufactured, assembled, licensed, leased, or sold by any person or entity that is not an Insured.
92. "Utilities Provider" means any entity that provides power, electricity, fossil fuels (including oil, natural gas, coal or any derivative thereof), water, steam, mechanical, satellite, telecommunications or other utility service.
93. "Voice Computer System" means a system which functions as a Voice over Internet Protocol (VoIP), Private Branch Exchange (PBX), voice mail processor, automated call attendant or provider of similar capability used for the direction or routing of telephone calls in a voice communications network.
94. "Voluntary Shutdown" means the voluntary and intentional shutdown of any part of the Insured Entity's Computer System after the Insured Entity's discovery of a Network Security Breach of an Insured's Computer System, Technology Contractor's Computer System, or Dependent Business's Computer System. Such shutdown shall be: I. Conducted at the direction of a Claims Manager or ordered by a local, state, federal or foreign governmental agency or authority; II. Commenced with the Insurer's prior written consent (such consent shall not be unreasonably withheld); and III. With a reasonable expectation that it will minimize, avoid, or reduce the Business Interruption Loss that would otherwise be incurred.
95. "War" means the use of physical force by a sovereign state in any: I. Declared or undeclared war against another sovereign state; II. Warlike action, including action in hindering or defending against an actual or expected attack by any government, sovereign state or other authority using military power, personnel, or other agents; or III.
Civil war, rebellion, revolution, insurrection, usurped power, or any action taken in hindering or defending against any of these.
96. "Wrongful Act" means any Network Security Breach or Privacy Violation Wrongful Act, Media Wrongful Act, or Technology or Professional Services Wrongful Act.
C. EXCLUSIONS
(I) EXCLUSIONS APPLICABLE TO ALL COVERAGE PARTS
The following Exclusions are applicable to all Coverage Parts: This Policy shall not apply to any Loss based upon, arising out of, attributable to, or resulting from, directly or indirectly:
1. Any actual or alleged: I. Dishonest, fraudulent, criminal, malicious or intentional act, error or omission, or any intentional or knowing violation of the law by an Insured; or II. Gaining in fact of any profit, restitution, remuneration or financial advantage to which any Insured was not legally entitled. However, this Exclusion shall not apply to Defense Expenses until there is a final, non-appealable adjudication against, binding arbitration against, adverse admission by, or plea of nolo contendere or no contest, by the Insured as to such conduct or violation, at which time the Insured shall reimburse the Insurer for any Defense Expenses paid by the Insurer. Provided that: I. No conduct pertaining to any natural person Insured shall be imputed to any other natural person Insured; and II. Any conduct pertaining to any past, present, or future Claims Manager, other than a Claims Manager acting outside of his or her capacity as such, shall be imputed to an Insured Entity.
2. Any Incident, Wrongful Act or circumstance that: I. Occurred prior to the applicable Continuity Date, if as of such date any Claims Manager knew or could have reasonably foreseen that such Incident, Wrongful Act or circumstance could give rise to a Claim or Loss; or II. Was the subject of any notice given under any prior policy of which this Policy is a renewal or replacement.
3.
Any sanction, prohibition or restriction under United Nations resolutions or the trade or economic sanctions, laws or regulations of the United States of America, Canada, European Union or United Kingdom, or any similar law.
4. Any actual or alleged Bodily Injury or Property Damage.
5. Any Insured's liability, whether assumed or otherwise, under any contract, warranty, guarantee, cost estimate or promise. Provided however, this Exclusion does not apply to: I. The extent liability would attach to an Insured in the absence of such contract(s), warranty(ies), guarantee(ies), cost estimate(s) or promise(s); II. Any obligation to comply with a PCI-DSS Agreement; or III. With respect to a Privacy Violation, any liability or obligation under a confidentiality or non-disclosure provision of any agreement.
6. Any Claim brought by or on behalf of any: I. Insured; II. Affiliate; or III. Person or entity not identified in the Declarations which has an ownership interest in any Insured. However, this Exclusion shall not apply to any Claim brought by or on behalf of any: a. Insured that alleges a violation of any law described in Paragraph III. of the definition of Privacy Law in connection with a Network Security Breach or Privacy Violation; or b. Person or entity qualifying as an Insured under Paragraph IV. of the definition of Insured.
7. Any actual or alleged violation of any intellectual property law, including but not limited to misappropriation, theft, plagiarism, infringement, disclosure or violation of any patent, copyright, trademark, trade secret, trade dress, trade name, service mark, service name, title, slogan, or rights protecting intangible property, products of human intelligence and creation, ideas or manufacturing secrets. However, this Exclusion shall not apply to any: I. Media Wrongful Act; II.
Claim for an actual or alleged disclosure or theft of Private Information resulting from a Network Security Breach made under Insuring Agreement 6., Network Security and Privacy Liability; or III. Claim for a Technology or Services Wrongful Act, but only if such Claim: a. Is brought against an Insured by a client or customer of such Insured for the loss of use of Technology Services, and b. Alleges a violation of any law relating to the misappropriation, theft, plagiarism, misuse, infringement, or disclosure of software, source code or software license.
8. Any actual, alleged or threatened discharge, dispersal, seepage, migration, release, emission, escape or transportation of Pollutants, including, without limitation, any direction, request or order to test for, monitor, clean up, remove, contain, treat, detoxify or neutralize, or in any way respond to or assess the effects of Pollutants.
9. Any gambling, sports wagering, casino games, contests, games of chance or skill, lottery or promotional games, including any prizes, awards, tickets, coupons or other incentives related thereto, or any over-redemption or under-redemption of payments given in excess or under the total contracted or expected amount.
10. Any actual or alleged: I. Unsolicited electronic faxes, emails, telephone calls or communications, including without limitation, Claims arising out of unsolicited electronic messages, chat room postings, bulletin board postings, newsgroup postings, "pop-up" or "pop-under" internet advertising or fax-blasting, direct mailing or telemarketing; II. Wire tapping, tracking or monitoring, or audio or video recording; III. Any actual or alleged violations of: a. The Telephone Consumer Protection Act; b. The Controlling the Assault of Non-Solicited Pornography and Marketing Act; c. The Drivers Privacy Protection Act; d. The Fair Credit Reporting Act; e. The Fair and Accurate Credit Transaction Act; f.
The Electronic Communication Privacy Act; g. The Video Privacy Protection Act; or h. Any similar law to those listed in Paragraphs a. through g., above. However, this Exclusion shall not apply to a Network Security Breach.
11. Any actual or alleged: I. Wrongful, unauthorized, unlawful or illegal collection, use, tracking, monitoring, sharing, sale, distribution, or purchase of Private Information, (including but not limited to the collection, tracking, or monitoring of Private Information using cookies, spyware, Malicious Code, or any other type of tracking or monitoring tool); or II. Failure to provide adequate disclosure or notice or obtain consent in connection with the collection, use, tracking, monitoring, sharing, sale, distribution, or purchase of Private Information.
12. Any actual or alleged violation of: I. The Racketeer Influenced and Corrupt Organizations Act; II. The Employee Retirement Income Security Act of 1974; III. Any securities laws, including but not limited to, the Securities Act of 1933, Securities Exchange Act of 1934, Investment Company Act of 1940, Investment Advisors Act, or any blue sky laws; or IV. Any similar law to those listed in Paragraphs I. through III., above. However, Paragraph III. shall not apply to any Claim that alleges a Network Security Breach and a violation of any law described in Paragraph III. of the definition of Privacy Law.
13. Any actual or alleged: I. Price fixing, restraint of trade, monopolization, including violations of the Sherman Anti-Trust Act, the Clayton Act, Robinson-Patman Act, or any similar law; II. Unfair, false or deceptive trade practices or violation of consumer protection laws, including violations of the Federal Trade Commission Act. However, Paragraph II. shall not apply to any Claim that alleges a Network Security Breach and a violation of any law described in Paragraph III. of the definition of Privacy Law.
14.
Any actual or alleged employment-related practices by any Insured, including but not limited to, any actual or alleged hostile work environment, wrongful dismissal, discharge or termination, retaliation, wrongful disciplinary action, deprivation of career opportunity, failure to employ or promote, inadequate work place policies or procedures, negligent evaluation of employees or violation of the Fair Labor Standard Act. This Exclusion shall not apply to any Claim brought by or on behalf of any individual that is or was a current, former, or prospective employee of an Insured and such Claim alleges Loss resulting from a violation of any law described in Paragraph III. of the definition of Privacy Law in connection with a Network Security Breach or Privacy Violation.
15. Any actual or alleged discrimination, humiliation or harassment in any form or manner, including, but not limited to, race, creed, color, religion, ethnic background, national origin, age, handicap, disability, gender, sex, sexual orientation or preference, pregnancy, marital status, retaliation, or any other protected class under any federal, state, local or other law.
16. Any actual or alleged violation of: I. Any workers' compensation, unemployment, social security, disability or pension benefits laws; II. The National Labor Relations Act; III. The Worker Adjustment and Retraining Notification Act; IV. The Consolidated Omnibus Budget Reconciliation Act of 1985; V. The Occupational Safety and Health Act; or VI. Any similar law to those listed in Paragraphs I. through V., above.
17. Any Insured's service at any time as a director, officer, trustee, regent, governor, independent contractor or equivalent executive, or as an employee, of any entity other than an Insured even if such service is with the knowledge and consent, or at the request, of an Insured.
18.
Any fire, flood, earthquake, smoke, riot, civil commotion, falling objects, volcanic eruption, explosion, lightning, wind, hail, tidal wave, landslide, solar storm, electromagnetic pulse, act of God or other physical event.
19. Any War or Cyber War.
20. Any seizure, nationalization, confiscation, or destruction of property or data by order of any governmental authority.
21. Any actual or alleged: I. Network Security Breach, System Failure, error, degradation, or malfunction sustained by any Utilities Provider, Internet Infrastructure Provider or Financial Services Market; or II. Inability of any Utilities Provider, Internet Infrastructure Provider or Financial Services Market to provide any service.
22. Any actual or alleged System Failure intentionally caused by any Insured, Technology Contractor or Dependent Business.
23. Any actual or alleged: I. Trading losses, trading liabilities, or change in value of accounts in connection thereto; II. Change in value of money, securities, bonds or commodities, digital financial assets, virtual currency, non-fungible tokens (NFT), or any derivatives thereof; or III. Loss, transfer or theft of money, securities, bonds or commodities, digital financial assets, virtual currency, non-fungible tokens (NFT) or any derivatives thereof. Provided, however Paragraphs II. and III. shall not apply to the Cyber Crime Coverage Part.
(II) EXCLUSIONS APPLICABLE TO FIRST PARTY COVERAGE PART
The following Exclusions are applicable to the First Party Coverage Part:
1. Loss shall not include: I. Defense Expenses; II. Costs, expenses, loss, or damages arising out of or resulting from liability to any third party, including any payments made as compensation for any injury or damages; or III. Costs or expenses to update, upgrade, or enhance, any part of any Computer System to a level beyond that which existed prior to sustaining Loss.
However this Exclusion shall not apply to any costs or expenses incurred with the Insurer's prior written consent (such consent shall not be unreasonably withheld), to make reasonable updates, upgrades, or enhancements to the Insured Entity's Computer System, but only if: a. the updates, upgrades, or enhancements reduce the Loss that would otherwise be incurred; or b. the Data or any other parts of the Insured Entity's Computer System that need to be replaced or restored were discontinued, outdated or not available anymore.
(III) EXCLUSIONS APPLICABLE TO THIRD PARTY COVERAGE PART
The following Exclusions are applicable to the Third Party Coverage Part:
1. This Policy shall not apply to any Loss based upon, arising out of, attributable to, or resulting from, directly or indirectly: I. Inaccurate, inadequate or incomplete description of the price of goods, products or services, cost guarantees, cost representations, or contract price estimates; or II. The failure of any goods or services to conform with any represented quality or performance. However, this Paragraph II. shall not apply to the representation of the quality or performance of Technology Services or Professional Services.
2. Loss shall not include: I. Any loss covered under the First Party Coverage Part or any loss that would have otherwise been covered but for the exhaustion or reduction of any Limit of Insurance of the First Party Coverage Part; II. Return or offset of fees, service credits, charges or commissions charged by or owed to an Insured for goods or services already provided or contracted to be provided; III. Taxes or loss of tax benefits; IV. Fines, sanctions or penalties imposed by law; provided, however this Paragraph IV. shall not apply to fines, sanctions or penalties resulting from a PCI-DSS Loss or Regulatory Action; V.
Liquidated damages, but only to the extent that such damages exceed the amount for which the Insured would have been liable in the absence of such liquidated damages agreement; VI. Amount for which the Insured is not liable or for which the claimant(s) are without legal recourse to the Insured; VII. Fees, deposits, commissions or charges; VIII. Matters that are uninsurable pursuant to applicable law; IX. Expenses incurred by any Insured or others for the reprinting, reposting, recalling, repairing, withdrawing, replacing, upgrading, supplementing, removing or disposing of any products or services from or in the marketplace, including but not limited to Media Content, Insured's Technology Products or Third Party Technology Products, or for any loss of use by any Insured or others that arises out of the above; or X. Expenses to comply with orders granting injunctive or non-monetary relief, including specific performance or any agreement to provide such relief.
(IV) EXCLUSIONS APPLICABLE TO CYBER CRIME COVERAGE PART
The following Exclusions are applicable to the Cyber Crime Coverage Part:
1. This Policy shall not apply to any Loss based upon, arising out of, attributable to, or resulting from, directly or indirectly: I. The processing of, or failure to process, credit, check, debit, personal identification number, electronic benefit transfers or mobile payments for merchant accounts; II. Accounting or arithmetical errors or omissions, or the failure, malfunction, inadequacy or illegitimacy of any product or service; III. The extension of any loan, credit or similar promise to pay; or IV. Any liability to any third-party, including any payments made as compensation for any injury or damages.
2. Loss shall not include: I. Any continuing normal operating expenses, compensation or overhead of any Insured; or II. Defense Expenses or legal expenses of any type.
D. COVERAGE TERRITORY
This Policy shall apply on a worldwide basis. Regarding the Coverage Parts, when a Claim is made or Loss is incurred outside of the United States of America and its territories and possessions, the following additional provisions apply:
1. The Insurer shall have the right but not the duty to investigate, defend or settle any such Claims brought against an Insured.
2. If the Insurer elects not to investigate, defend or settle any such Claim, the Insured shall, under the Insurer's supervision, arrange for such investigation and defense thereof as is reasonably necessary and subject to the Insurer's prior authorization, and shall effect such settlement thereof as the Insurer and the Insured deem expedient.
3. The Insurer shall reimburse the Insured for the reasonable cost of such investigation and defense and the amount of any settlement or judgment in excess of the applicable Self-Insured Retention, all subject to and within the Limits of Insurance.
E. AUTOMATIC AND OPTIONAL EXTENDED REPORTING PERIODS
This Section E. shall only apply to the Third Party Coverage Part. If the Named Insured does not obtain replacement coverage as of the effective date of cancellation or non-renewal of this Policy, then the following provisions shall apply:
1. Automatic Extended Reporting Period
Upon the effective date of such cancellation or non-renewal, the Named Insured will automatically be provided a period of sixty (60) days (the "Automatic Extended Reporting Period") to give written notice to the Insurer of any Claim first made against the Insured during the Policy Period or the Automatic Extended Reporting Period for any Wrongful Act committed on or subsequent to the Retroactive Date (if applicable) and prior to the end of the Policy Period. The Automatic Extended Reporting Period is provided at no additional charge.
2.
Optional Extended Reporting Period
Upon the effective date of such cancellation or non-renewal, the Named Insured will have the right to elect a continuation of coverage afforded by this Policy for the additional period stated in Item 8. of the Declarations (the "Optional Extended Reporting Period"). If elected, the Optional Extended Reporting Period will commence upon the effective date of such cancellation or non-renewal. The Optional Extended Reporting Period shall only apply to a Claim that is first made against the Insured during the Optional Extended Reporting Period for a Wrongful Act committed on or subsequent to the Retroactive Date (if applicable) and prior to the end of the Policy Period. The Optional Extended Reporting Period shall be provided by an Optional Extended Reporting Period Endorsement for an additional premium.
II. The Named Insured's rights described in this Paragraph E.2. will terminate unless a written notice of election together with the additional premium due stated in Item 8. of the Declarations is received by the Insurer within thirty (30) days after the effective date of cancellation or non-renewal.
III. The additional premium for the Optional Extended Reporting Period will be fully earned at the inception of the Optional Extended Reporting Period.

3. Application of Extended Reporting Periods
I. There are no separate Limits of Insurance for the Automatic Extended Reporting Period or the Optional Extended Reporting Period. An Extended Reporting Period shall not increase or reinstate any Limit of Insurance.
II. An Extended Reporting Period cannot be cancelled.
III. The Optional Extended Reporting Period, if purchased, shall run concurrently with the Automatic Extended Reporting Period for the first sixty (60) days of the Optional Extended Reporting Period.

F. LIMITS OF INSURANCE AND SELF-INSURED RETENTIONS

1.
Limits of Insurance
The Limits of Insurance shown in the Declarations (and any applicable endorsement) apply in excess of the applicable Self-Insured Retention. Regardless of the number of Insureds, persons or entities directly or indirectly impacted by any Incident, Wrongful Act, or Related Events, Claims made or brought, or persons or entities making or bringing Claims:
I. Coverage Limit(s) of Insurance
The Limit of Insurance for any one coverage stated in Item 6. of the Declarations shall be the maximum aggregate amount the Insurer shall pay for all Loss under the applicable coverage. Such Limit of Insurance shall be part of, and not in addition to, the Policy Period Aggregate Limit of Insurance stated in Item 5. of the Declarations.
II. Policy Period Aggregate Limit of Insurance
The Policy Period Aggregate Limit of Insurance stated in Item 5. of the Declarations shall be the maximum aggregate amount the Insurer shall pay for all Loss under all Coverage Parts.
The Insurer shall not be responsible to pay any Loss upon exhaustion of the applicable Limit of Insurance.

2. Self-Insured Retentions
I. The Insurer shall only be liable for the amount of Loss that exceeds the applicable Self-Insured Retention stated in Item 6. of the Declarations. A separate Self-Insured Retention shall apply to each coverage. The Loss within the Self-Insured Retentions must be borne by the Insured and shall be uninsured.
II. With respect to the Third Party Coverage Part, the Self Insured Retention(s) shall apply to each Claim. With respect to the First Party Coverage Part or Crime Coverage Part, the Self Insured Retention(s) shall apply to each Incident (or Related Event, if applicable) that triggers coverage.
III. With respect to any Incident, Claim, or Related Event that triggers more than one coverage, the single highest Self-Insured Retention will apply to such Incident, Claim, or Related Event.
IV.
Any Business Interruption Loss incurred by an Insured Entity during the Business Interruption Waiting Period will erode the applicable Self-Insured Retention, but the Insurer will not pay any Business Interruption Loss until the Self-Insured Retention is met and the Business Interruption Waiting Period has expired.
V. Any Reputational Harm Loss incurred by an Insured during the Reputational Harm Waiting Period will not erode the Self-Insured Retention. The Self-Insured Retention will not begin to be eroded until the Reputational Harm Waiting Period has expired. The Insurer will not pay any Reputational Harm Loss until the Self-Insured Retention is met and the Reputational Harm Waiting Period has expired.
VI. The Insurer may at its sole discretion advance payment for Loss within the Self-Insured Retention. Any Loss first paid by the Insurer within the Self-Insured Retention shall, upon written demand by the Insurer, be paid by the Insured to the Insurer within thirty (30) days upon receipt of such written demand.

G. DEFENSE AND SETTLEMENT OF CLAIMS AND INSURED'S OBLIGATIONS

1. The Insurer shall have the right and duty to defend the Insured for each Claim alleging Loss covered under this Policy for which the Insurer receives notice that meets the requirements of the notice provisions of this Policy, even if such Claim is groundless, false or fraudulent. The Insurer may, at the Insurer's discretion, make any investigation it deems appropriate.
2. The Insurer's right and duty to defend any Claim will end upon exhaustion of the applicable Limit of Insurance. If the Limit of Insurance is exhausted, the premium for this Policy will be deemed fully earned.
3. The Insured shall not:
I. Admit or assume any liability unless required by law;
II. Make any settlement offer of monetary or non-monetary consideration;
III. Enter into any settlement agreement;
IV. Stipulate to any judgment;
V.
Incur any Defense Expenses; or
VI. Make any offer to negotiate, terminate or end any Ransomware Event, or enter into any agreement in connection with a Ransomware Event,
without the prior written consent of the Insurer, such consent not to be unreasonably withheld. The Insurer will not be liable for any admission, assumption, offer, settlement, stipulation, or Defense Expenses to which it has not consented.
4. The Insurer may, with the written consent of the Insured, settle any Claim for a monetary amount that the Insurer deems reasonable. If any Insured refuses to consent to the settlement of a Claim recommended by the Insurer and acceptable to a claimant, then the Insurer will not pay Loss for such Claim in excess of the sum of:
I. The amount of the proposed settlement plus Defense Expenses incurred prior to such refusal; and
II. 70% of Loss incurred for such Claim in excess of the amount specified in 4.I. above.

H. CONDITIONS

1. PROOF OF LOSS
With respect to the Crime Coverage Part and First Party Coverage Part, the Insured shall provide a detailed proof of Loss statement within one hundred twenty (120) days of notice to the Insurer of such Loss. Such proof of Loss statement shall include a detailed calculation of Loss incurred and all documents and materials that reasonably relate to or form part of the basis of the proof of such Loss.

2. ASSISTANCE AND COOPERATION
I. The Insured will reasonably cooperate with the Insurer and upon request of the Insurer:
a. Assist the Insurer in the investigation of any Wrongful Act, Incident, or Claim;
b. Attend hearings, depositions, trials and other such proceedings;
c. Assist the Insurer in effecting settlements and defending Claims;
d. Secure and provide evidence which includes, but is not limited to, obtaining the attendance of witnesses;
e. Allow the Insurer to participate in the handling and management of any Claim;
f.
Assist the Insurer in enforcing any right, contribution or indemnity against a third party (including any person, entity, organization, or insurer) which may be liable to the Insured;
g. Provide to the Insurer all information that the Insurer reasonably requires, including the full details of the dates, persons, and entities involved in a Wrongful Act, Incident, or Claim; and
h. Allow a third party data forensics incident response professional services firm access to systems, files and information.
II. The Insured will take all reasonable steps to limit and mitigate any Loss arising from any Wrongful Act or Incident for which coverage may be, or is, sought under this Policy. The Insured will do nothing which in any way may prejudice the Insurer's position.

3. SPOUSAL, DOMESTIC PARTNER, ESTATE AND LEGAL REPRESENTATIVE COVERAGE
Regarding the Third Party Coverage Part only, coverage will apply to a Claim made against the lawful spouse or Domestic Partner of an Insured, or if an Insured dies, becomes incapacitated, or files for bankruptcy, such Insured's trustee, estate, heirs, assignees, or legal representatives, provided that:
I. The Claim arises solely out of such person's status as a spouse, Domestic Partner, trustee, estate, heir, assignee or legal representative of such Insured;
II. Property that is either owned or in the custody of such person is sought as recovery for a Wrongful Act;
III. The Insured and such person are both named in such Claim;
IV. No coverage will apply to any Claim for a Wrongful Act committed by such person; and
V. All of the terms and conditions of this Policy including, without limitation, all applicable Self-Insured Retentions apply to such Claim.

4. UNITED STATES OF AMERICA CURRENCY
We shall make any payment due under this Policy in United States of America dollars.
If Loss is incurred in a currency other than United States of America dollars, payment under this Policy shall be made in United States of America dollars.

5. LOSS CALCULATIONS AND APPRAISAL
In determining the amount of Loss under the Business Interruption Coverage or the Reputational Harm Coverage, due consideration shall be given to:
I. The prior experience of an Insured Entity's business before the commencement of the Business Interruption or Adverse Publicity; and
II. The probable business an Insured Entity could have conducted had no Business Interruption or Adverse Publicity occurred during, or within a reasonable time after the end of the Business Interruption Period of Recovery, Extended Business Interruption Period of Recovery or Reputational Harm Period of Recovery.
Provided, however, that such calculations shall not include, and this Policy will not cover, net income that would likely have been earned as a result of an increase in volume of business due to favorable business conditions caused by the impact of the Business Interruption or Adverse Publicity on other businesses.

6. NOTICE — CIRCUMSTANCES, CLAIMS OR INCIDENTS
I. Regarding the Third Party Coverage Part:
Notice of Circumstance
If any Claims Manager first becomes aware of any Wrongful Act during the Policy Period that may reasonably be expected to give rise to a Claim against an Insured, then written notice of such Wrongful Act may be given by the Named Insured to the Insurer during the Policy Period, specifying the following:
i. Reasons for anticipating such a Claim;
ii. Nature and date of such Wrongful Act;
iii. Identity of the Insured(s) involved;
iv. Actual or alleged Loss incurred;
v. Names of potential claimants; and
vi. Manner in which the Insured(s) first became aware of the Wrongful Act.
Any Claim subsequently arising from such Wrongful Act will be deemed a Claim first made at the time the Insurer receives the written notice.
b. Notice of Claim
The Named Insured shall give the Insurer written notice of any Claim as soon as practicable after any Claims Manager first becomes aware of the Claim, but such notice shall not be given later than the end of the Automatic Extended Reporting Period, or the end of the Optional Extended Reporting Period, if applicable.
II. Regarding the First Party Coverage Part and Crime Coverage Part:
Notice of Incident
The Named Insured shall give the Insurer written notice of any Incident as soon as practicable after any Claims Manager first becomes aware of the Incident, but no later than sixty (60) days after the end of the Policy Period.
III. Regarding all Coverage Parts:
a. Law Enforcement Cooperation
The Named Insured may receive an authorized order from a law enforcement or other governmental authority to keep confidential certain information about an actual or reasonably suspected Incident or Claim. In such circumstances, a notice of such Incident or Claim, shall be considered timely under this Policy if:
i. As soon as practicable after receipt of such request, any Claims Manager requests permission to share such information with the Insurer;
ii. The Named Insured only withholds from the Insurer that portion of the information that it has been instructed by a law enforcement or other governmental authority not to share with the Insurer; and
iii. The Named Insured provides full notice of such Incident or Claim to the Insurer as soon as practicable after the Named Insured is legally permitted.
To the extent the procedure set forth above is followed in connection with an authorized law enforcement or governmental authority order, any failure or delay in providing information to the Insurer shall not be the basis for denial of coverage under this Policy.

7. SUBROGATION AND RECOVERY
I.
Subrogation
The Insurer will be subrogated to all of the Insureds' rights of recovery regarding any payment of Loss under this Policy. The Insureds will do everything necessary to secure and preserve such rights, including, without limitation, the execution of any documents necessary to enable the Insurer to effectively bring suit in the name of the Insureds. The Insureds will do nothing to prejudice the Insurer's position or any rights of recovery. However, if the Insured has waived any right of recovery against any person or organization for all or part of any Loss, the Insurer will also waive such right of recovery, but only if the Insured waived its right of recovery pursuant to a written contract or agreement that was executed prior to the Loss.
II. Recovery By Insured
If any Insured recovers any Setoff Amounts, such Insured must give the Insurer prompt notice, and the Insurer shall have the right to apply the Setoff Amounts to any payment of Loss. If Loss has already been paid by the Insurer, then the Insured shall return the applicable amounts of Loss in accordance with Paragraph III. below.
III. Distribution
Recoveries for Loss paid under Paragraphs 7.I. and 7.II. above, less the actual cost of recovery, will be distributed as follows:
a. First, the Insurer shall be reimbursed for the amount of the settlement paid by the Insurer;
b. Second, the Insured shall be reimbursed for Loss equal to the applicable Self-Insured Retention amount paid by the Insured; and
Third, the Insured shall be reimbursed for any remaining Loss exceeding the applicable Limit of Insurance and the applicable Self-Insured Retention.

8.
OTHER INSURANCE
Coverage under this Policy will apply only in excess of the applicable Self-Insured Retention and over any other valid and collectible insurance regardless of whether such other insurance is stated to be primary, excess, contributory, contingent or otherwise, unless such other insurance is written specifically excess over the Limits of Insurance of this Policy by reference in such other insurance to this Policy's policy number.

9. CHANGES IN CONTROL
I. Takeover of Named Insured
If, during the Policy Period:
Any person or entity or group of persons and/or entities acting in concert acquires securities or voting rights resulting in ownership by such person(s) and/or entity(ies) of more than 50% of the outstanding securities representing the present right to vote for the election of directors or equivalent positions of the Named Insured; or
b. The Named Insured merges into or consolidates with another organization such that the Named Insured is not the surviving organization;
then coverage for such Named Insured and its Insureds will continue under this Policy, but only if the following conditions are met:
a. With respect to the Third Party Coverage Part, the Wrongful Act must have been committed prior to the effective date of the transaction;
b. With respect to the Crime Coverage Part, the Incident must have been first discovered by an Insured prior to the effective date of the transaction; and
With respect to the First Party Coverage Part:
Under the Incident Response Expense Coverage, Data Recovery Expense Coverage, and Cyber Extortion Expense Coverage, the Incident must first have been discovered by an Insured prior to the effective date of the transaction; and
ii. Under the Business Interruption Coverage and the Reputational Harm Coverage, the Incident must have first occurred and have been first discovered by an Insured prior to the effective date of the transaction.
Upon the effective date of such transaction, the entire premium for this Policy will be deemed fully earned.
II. Acquisition or Creation of Subsidiary by Named Insured
If, during the Policy Period, any Named Insured:
Acquires or creates a Subsidiary; or
b. Merges with another organization such that the Named Insured is the surviving entity,
then coverage for such Subsidiary or organization that merged will continue under this Policy, but only if the following conditions are met:
a. With respect to the Third Party Coverage Part, the Wrongful Act must have been committed after the effective date of the transaction;
b. With respect to the Crime Coverage Part, the Incident must have first been discovered by an Insured after the effective date of the transaction; and
c. With respect to the First Party Coverage Part:
Under the Incident Response Expense Coverage, Data Recovery Expense Coverage, and Cyber Extortion Expense Coverage, the Incident must have first been discovered by an Insured after the effective date of the transaction; and
ii. Under the Business Interruption Coverage and the Reputational Harm Coverage, the Incident must have first occurred and have been first discovered by an Insured after the effective date of the transaction.
III. Loss of Subsidiary Status
If, during the Policy Period, any entity ceases to be a Subsidiary, then coverage for such entity and its Insureds will continue under this Policy, but only if the following conditions are met:
a. With respect to the Third Party Coverage Part, the Wrongful Act must be committed prior to the effective date of the transaction;
b. With respect to Crime Coverage Part, the Incident must have first been discovered by an Insured prior to the effective date of the transaction; and
c.
With respect to the First Party Coverage Part:
Under the Incident Response Expense Coverage, Data Recovery Expense Coverage, and Cyber Extortion Expense Coverage, the Incident must have first been discovered by an Insured prior to the effective date of the transaction; and
ii. Under the Business Interruption Coverage and the Reputational Harm Coverage, the Incident must have first occurred and have been first discovered by an Insured prior to the effective date of the transaction.

With respect to Paragraphs I. Takeover of Named Insured and III. Loss of Subsidiary Status, the Named Insured will give the Insurer written notice of the transaction as soon as practicable, but not later than thirty (30) days after the effective date of such transaction. Subject to the expiration of the Policy Period, any continuation of coverage beyond thirty (30) days after the effective date of such transaction will be subject to a review and written acceptance by the Insurer. The Insurer shall have the right to amend the terms and conditions of this Policy, including but not limited to premiums, Limits of Insurance, Self-Insured Retentions or exclusions.

With respect to Paragraph II. Acquisition or Creation of Subsidiary by Named Insured, if the current annual gross revenues of any newly acquired or merged organization exceeds 15% of the current annual gross revenues of the Named Insured as reflected in the most recent Application, then the Named Insured will give the Insurer written notice of the acquisition or merger as soon as practicable but not later than thirty (30) days after the effective date of such transaction. Subject to the expiration of the Policy Period, any continuation of coverage for beyond thirty (30) days after the effective date of such transaction will be subject to a review and written acceptance by the Insurer.
The Insurer shall have the right to amend the terms and conditions of this Policy, including but not limited to premiums, Limits of Insurance, Self-Insured Retentions or exclusions.

10. APPLICATION AND SEVERABILITY
The Insureds represent and agree that the statements and information contained in the Application are true, accurate and complete; that each representation is deemed material to the acceptance of the risk assumed by the Insurer and that this Policy is issued in reliance upon the truth and accuracy of such representations contained within the Application. This Policy embodies all of the agreements existing between the Insureds and the Insurer and any of its representatives.
II. If the Application contains misrepresentations or omissions made with the intent to deceive or that materially affects the acceptance of the risk or the hazard assumed by the Insurer, the Insurer shall not pay Loss for, based upon, arising out of, or in any way related to any:
Natural person Insured who knew at the inception of the Policy Period of such information; or
b. Insured Entity, if any of the Insured Entity's Claims Managers or the person signing the Application knew at the inception of the Policy Period of such information.
This Paragraph II. shall apply regardless of whether the natural person Insured, the Insured Entity's Claims Manager, or the person signing the Application was aware that the above described information had been misrepresented or omitted from the Application. Notwithstanding any provision of this Policy, the Insurer shall not rescind this Policy.

11. SUITS AGAINST THE INSURER
I. No suit or other proceeding will be commenced by any Insured against the Insurer unless there has been full compliance with all of the terms and conditions of this Policy.
II.
No person or organization will have any right under this Policy to join the Insurer as a party to any suit or other proceeding against the Insured nor will the Insurer be impleaded by the Insured in any such suit or other proceeding.

12. NAMED INSURED'S AUTHORITY
The Named Insured will act on behalf of all Insureds regarding all matters under this Policy, including, without limitation, cancellation, non-renewal, election of the Optional Extended Reporting Period, transmission and receipt of notices, reporting of Claims, Incidents and Losses, acceptance of endorsements, payment of premiums, and receipt of return premiums.

13. CANCELLATION
I. The Insurer may cancel this Policy for non-payment of premium by sending not less than ten (10) days notice to the Named Insured. This Policy may not otherwise be cancelled by the Insurer.
II. Except as otherwise provided, the Named Insured may cancel this Policy by sending written notice of cancellation to the Insurer. Such notice will be effective upon receipt by the Insurer unless a later cancellation date is specified therein.
III. If the Insurer cancels this Policy, unearned premium will be calculated on a pro rata basis. If the Named Insured cancels this Policy, unearned premium will be calculated at the Insurer's customary short rates. Payment of any unearned premium will not be a condition precedent to the effectiveness of such cancellation. The Insurer will refund any unearned premium as soon as practicable.

14. BANKRUPTCY
I. Bankruptcy or insolvency of any Insured will not relieve the Insurer of any of its obligations under this Policy, nor deprive the Insurer of any of its rights and defenses under this Policy.
II.
In the event of the bankruptcy or insolvency of any Insured, the Insurer will have the right to assert any appropriate claim or demand in such proceeding for payment of any obligations of any Insured, including, without limitation, any amounts which the Insurer may advance on behalf of any Insured within the Self-Insured Retention.

15. ATTRIBUTION OF A CYBER WAR TO A SOVEREIGN STATE
The primary but not exclusive factor in determining attribution of a Cyber War shall be whether the government of the Impacted State (including its intelligence and security services) in which the Computer System affected by the Cyber War is physically located attributes the Cyber War to another sovereign state or those acting on its behalf.
II. Pending attribution by the government of the Impacted State (including its intelligence and security services) in which the Computer System affected by the Cyber War is physically located, the Insurer may rely upon an inference which is objectively reasonable as to attribution of the Cyber War to another sovereign state or those acting on its behalf. It is agreed that during this period no Loss shall be paid.
III. In the event that the government of the Impacted State (including its intelligence and security services) in which the Computer System affected by the Cyber War is physically located either
a. Takes an unreasonable length of time to make an attribution;
b. Does not make an attribution; or
Makes an attribution that the Insurer deems unreasonable;
then it shall be the duty of the Insurer to prove attribution by reference to such other evidence as is available. Such evidence shall include, but not be limited to:
Publicly available intelligence information provided by:
i. A Group of Seven (G7) or European Union nation;
ii.
The United States Federal Bureau of Investigation, United States Secret Service, United States Department of Homeland Security, or United States Department of State; or
b. Information received from the perpetrator(s).

16. NOTICES
I. Notices to the Insured will be sent to the Named Insured at the address specified in Item 1. of the Declarations.
II. Notices to the Insurer will be sent to the applicable e-mail, facsimile, or other address specified in Item 9. of the Declarations and shall include the policy number of this Policy.

17. DISPUTE RESOLUTION
In the event that a dispute arises in connection with rights and obligations owed under this Policy, the Insured(s) and the Insurer will participate in a non-binding mediation in which the parties will attempt in good faith to resolve such dispute. Either the Insured(s) or the Insurer will have the right to commence a judicial proceeding, or if the parties agree, submit the dispute to a binding arbitration, in order to resolve such dispute. However, no judicial proceeding or arbitration will be commenced prior to the termination of the mediation and until at least ninety (90) days have passed from the termination of the mediation. The expenses of any mediation, or any arbitration, shall be split equally by the parties.

18. ALTERATION, ASSIGNMENT AND TITLES
I. Notice to any agent or knowledge possessed by any agent or by any other person shall not affect a waiver or change in any part of this Policy nor prevent the Insurer from asserting any right under the terms of this Policy.
II. Assignment of any interest under this Policy will not bind the Insurer unless such assignment is acknowledged by a written endorsement issued by the Insurer.
III. The titles of the sections of, and endorsements to, this Policy are for reference only and shall not be used to interpret coverage under this Policy.
Such titles will not be part of the terms and conditions of coverage.

19. REFERENCES TO LAWS
I. Any statute, act, or code mentioned in this Policy will be deemed to include all amendments of, and rules and regulations promulgated under, such statute, act, or code.
II. Any statute, act, or code mentioned in this Policy that is followed by the phrase "any similar law" will be deemed to include all similar laws of all jurisdictions throughout the world, including, without limitation, any common law.

20. ENTIRE AGREEMENT
This Policy, including the Declarations, written endorsements, and the Application will constitute the entire agreement between the Insurer and the Insureds or any of its agents regarding the insurance provided hereunder.

21. POLICY CHANGES
This Policy will not be changed in any manner except by a written endorsement issued by the Insurer.

22. COVERAGE COORDINATION
If there is coverage available for a Loss under two or more coverages, the Insurer will be entitled to determine how to apportion such Loss between coverages at its sole discretion.

23. ALLOCATION
If any Insured incurs Loss under the Third Party Coverage Part that is only partially covered by this Policy because of any Wrongful Act, Claim, or Related Event that includes both covered and uncovered matters, Loss will be allocated as follows:
I. One hundred (100%) percent of Defense Expenses incurred by the Insureds will be allocated to covered Loss; and
II. With respect to all Loss other than Defense Expenses, such Loss will be allocated between covered and non-covered Loss based on the relative legal exposure of the parties to covered and non-covered matters.

Arch Insurance Signature Page

IN WITNESS WHEREOF, Arch Specialty Insurance Company has caused this policy to be executed and attested.

Brian D.
First President
Regan Shulman Secretary

06 ML0002 00 12 14 Page 1 of 1

Claims Handling Procedures

An important value of your insurance coverage is the ability of the insurance company to respond when you have a claim. Arch Specialty Insurance Company is committed to providing its insureds with effective claim services.

Notices of each incident, claim or suit must be sent immediately to:

Arch Specialty Insurance Company
Cyber Risk Claims
1299 Farnam Street, Suite 500
Omaha, NE 68102
P.O. Box 542033
Omaha, NE 68154
Phone: 877 688-ARCH (2724)
Fax: 866 266-3630
E-mail: Cyberclaims@ArchInsurance.com

You will be contacted by a representative of the company's Claim Department. This representative will confirm receipt of the loss notice directly to you, provide a company claim number for all future correspondence, refer to legal counsel if necessary, and discuss further handling of the claim.

00 NPL0340 00 09 23 © 2023 Arch Insurance Group Inc. Page 1 of 1

U.S. TREASURY DEPARTMENT'S OFFICE OF FOREIGN ASSETS CONTROL ("OFAC") ADVISORY NOTICE TO POLICYHOLDERS

No coverage is provided by this Policyholder Notice nor can it be construed to replace any provisions of your policy. You should read your policy and review your Declarations page for complete information on the coverages you are provided.

This Notice provides information concerning possible impact on your insurance coverage due to directives issued by OFAC. Please read this Notice carefully.

The Office of Foreign Assets Control (OFAC) administers and enforces sanctions policy, based on Presidential declarations of "national emergency". OFAC has identified and listed numerous:
Foreign agents;
Front organizations;
Terrorists;
Terrorist organizations; and
Narcotics traffickers;
as "Specially Designated Nationals and Blocked Persons". This list can be located on the United States Treasury's web site — http://www.treas.gov/ofac.
In accordance with OFAC regulations, if it is determined that you or any other insured, or any person or entity claiming the benefits of this insurance has violated U.S. sanctions law or is a Specially Designated National and Blocked Person, as identified by OFAC, this insurance will be considered a blocked or frozen contract and all provisions of this insurance are immediately subject to OFAC. When an insurance policy is considered to be such a blocked or frozen contract, no payments nor premium refunds may be made without authorization from OFAC. Other limitations on the premiums and payments also apply.

00 ML0065 00 06 07 Page 1 of 1
Includes copyrighted material of Insurance Services Office, Inc. with its permission.

TERRORISM COVERAGE DISCLOSURE NOTICE

TERRORISM COVERAGE PROVIDED UNDER THIS POLICY

The Terrorism Risk Insurance Act of 2002 as amended and extended by the subsequent Terrorism Risk Insurance Program Reauthorization Acts (collectively referred to as the "Act") established a program within the Department of the Treasury, under which the federal government shares, with the insurance industry, the risk of loss from future terrorist attacks. An act of terrorism is defined as any act certified by the Secretary of the Treasury, in consultation with the Secretary of Homeland Security and the Attorney General of the United States, to be an act of terrorism; to be a violent act or an act that is dangerous to human life, property or infrastructure; to have resulted in damage within the United States, or outside the United States in the case of an air carrier or vessel or the premises of a United States Mission; and to have been committed by an individual or individuals as part of an effort to coerce the civilian population of the United States or to influence the policy or affect the conduct of the United States Government by coercion.
In accordance with the Act, we are required to offer you coverage for losses resulting from an act of terrorism that is certified under the federal program as an act of terrorism. The policy's other provisions will still apply to such an act. Your decision is needed on this question: do you choose to pay the premium for terrorism coverage stated in this offer of coverage, or do you reject the offer of coverage and not pay the premium? You may accept or reject this offer.

If your policy provides commercial property coverage, in certain states, statutes or regulations may require coverage for fire following an act of terrorism. In those states, if terrorism results in fire, we will pay for the loss or damage caused by that fire, subject to all applicable policy provisions including the Limit of Insurance on the affected property. Such coverage for fire applies only to direct loss or damage by fire to Covered Property. Therefore, for example, the coverage does not apply to insurance provided under Business Income and/or Extra Expense coverage forms or endorsements that apply to those coverage forms, or to Legal Liability coverage forms or Leasehold Interest coverage forms.

Your premium will include the additional premium for terrorism as stated in the section of this Notice titled DISCLOSURE OF PREMIUM.

DISCLOSURE OF FEDERAL PARTICIPATION IN PAYMENT OF TERRORISM LOSSES

The United States Government, Department of the Treasury, will pay a share of terrorism losses insured under the federal program. The federal share equals 80% in years 2020 through 2027 of that portion of the amount of such insured losses that exceeds the applicable insurer deductible during Calendar Year 2020 and each Calendar Year thereafter through 2027.
DISCLOSURE OF CAP ON ANNUAL LIABILITY

If the aggregate insured terrorism losses of all insurers exceed $100,000,000,000 during any Calendar Year provided in the Act, the Secretary of the Treasury shall not make any payments for any portion of the amount of such losses that exceed $100,000,000,000, and if we have met our insurer deductible, we shall not be liable for the payment of any portion of such losses that exceeds $100,000,000,000.

DISCLOSURE OF PREMIUM

Your premium for terrorism coverage is: (This charge/amount is applied to obtain the final premium.)

You may choose to reject the offer by signing the statement below and returning it to us. Your policy will be changed to exclude the described coverage. If you chose to accept this offer, this form does not have to be returned.

REJECTION STATEMENT

I hereby decline to purchase coverage for certified acts of terrorism. I understand that an exclusion of certain terrorism losses will be made part of this policy.

Galaxy Digital LP
Policyholder/Legal Representative/Applicant's Signature
Print Name of Policyholder/Legal Representative/Applicant
Date:
Named Insured
Arch Insurance Company
Insurance Company
Policy Number: NPL0069112-00

00 MLT0027 00 12 19 Page 1 of 1

Arch Insurance

SURPLUS LINES FILING INFORMATION REQUIREMENTS

NOTE: ALL NON-ADMITTED BUSINESS SUBMITTED TO ARCH SPECIALTY INSURANCE COMPANY MUST BE PLACED THROUGH A LICENSED (RESIDENT OR NON-RESIDENT) SURPLUS LINES BROKER IN THE STATE IN WHICH THE INSURED IS LOCATED AND THE POLICY IS WRITTEN.

In order to ensure compliance with applicable surplus lines laws, you are required to provide the below information. If requested, this information may be provided to a state's regulatory authority as confirmation of the proper surplus lines placement of this risk.
Please complete and return this form to your Underwriter as soon as possible as we are unable to bind without receipt of this information, with the exception of the New Jersey Transaction Number which is required prior to policy issuance.

The following account is quoted on a Surplus Lines Basis by: Arch Specialty Insurance Company. Nothing in this document should imply that coverage has been bound.

Insured Name: Acceptance Insurance Agency of Tennessee, Inc.
Policy Risk State: TN
Individual Surplus Lines Licensee:
Individual Surplus Lines License Number:
Surplus Lines Agency Name: Michael Cavallaro/Arc Excess and Surplus, LLC
Surplus Lines Agency License Number: 802655
For New Jersey risks, provide the full 12-digit New Jersey Transaction Number (required prior to policy issuance):

06 ML0294 00 04 22 © 2022 Arch Insurance Group Inc. Page 1 of 1

THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY.

COLORADO COUNTIES AMENDATORY ENDORSEMENT

SCHEDULE 1
Alamosa, Archuleta, Baca, Bent, Chaffee, Cheyenne, Clear Creek, Conejos, Costilla, Crowley, Custer, Delta, Dolores, Elbert, Fremont, Garfield, Gilpin, Grand, Gunnison, Hinsdale, Huerfano, Jackson, Kiowa, Kit Carson, Lake, Las Animas, Lincoln, Logan, Mineral, Moffat, Montrose, Morgan, Otero, Ouray, Park, Phillips, Prowers, Pueblo, Rio Blanco, Rio Grande, Routt, Saguache, San Juan, San Miguel, Sedgwick, Summit, Teller, Washington, Weld, Yuma

It is agreed that this endorsement modifies Insurance provided under the Arch CyPro℠ Policy.

It is agreed that solely for the purposes of this Endorsement, the following changes are made to Section B. DEFINITIONS:

1. The following definition is added:
"Multi-Factor Authentication" means: The use of at least one of the following methods of authentication (in addition to the use of a user identification and password) to validate access:
1. a hardware or software token access card;
2. third party authentication application(s) providing time bound, one-time codes, by a method other than text messaging; or
3. a unique one-time passcode received by text message to a pre-established mobile phone number linked to the account that is being accessed in order to validate access.

2. Definition 40. "Insured Entity" is amended by adding the following:
III. Any entity stated in Schedule 1. of this Endorsement.

II. The following is added to Section F. LIMITS OF INSURANCE AND SELF-INSURED RETENTIONS, directly after Paragraph 1.1.:
With respect to any Ransomware Event that reasonably could have been prevented or avoided had the Insured not failed to install, activate, enforce or maintain Multi-Factor Authentication at the time of, or prior to, such Ransomware Event, the maximum aggregate amount the Insurer shall pay for all such Loss shall be $250,000. Such amount is a Sublimit of Insurance which will be part of and not in addition to the applicable Coverage Limit of Insurance stated in Item 6. of the Declarations and the Policy Period Aggregate Limit of Insurance stated in Item 5. of the Declarations.

All other terms and conditions of this Policy remain unchanged.

Issued By: Arch Specialty Insurance Company
Endorsement Number: 1
Policy Number NPL0069163-00
Named Insured: Arthur J. Gallagher Risk Management Services, LLC
Endorsement Effective Date: January 01, 2024
President

00 ML0207 00 11 03 00 MPX0947 06 01 24 Page 2 of 2

This contract is delivered as surplus line coverage under the Non admitted Insurance Act. The insurer issuing this contract is not licensed in Colorado but is an eligible non admitted insurer. There is no protection under the provisions of the Colorado Insurance Guaranty Association Act.

THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY.

SERVICE OF SUIT

It is agreed that:

1. In the event of the failure of the Insurer to pay any amount claimed to be due hereunder, the Insurer, at the request of the Insured, will submit to the jurisdiction of any court of competent jurisdiction within the United States and will comply with all requirements necessary to give such court jurisdiction. All matters arising under this Policy shall be determined in accordance with the law and practice of such Court, provided that nothing shall prohibit the Insurer from removing any action, suit or proceeding to a United States District Court. The Insurer shall abide by the final decision of such court or any appellate court in the event of an appeal.

2. Service of process in the above described action, suit or proceeding may be made upon: General Counsel, Arch Specialty Insurance Company, Harborside 3, 210 Hudson Street, Suite 300, Jersey City, NJ 07311-1107. Upon the request of the Insured, such General Counsel shall give a written undertaking to enter an appearance on behalf of the Insurer in the event that such an action, suit or proceeding shall be instituted.

3. Pursuant to any statute of any state, territory or district of the United States which makes provision therefore, the Insurer hereby designates the Superintendent, Commissioner, or Director of Insurance or other officer specified in such statute as its true and lawful attorney upon whom may be served any lawful process in any action, suit or proceeding instituted against the Insurer upon this Policy. The Superintendent, Commissioner or Director of Insurance or other officer is hereby authorized and directed to accept service of process on behalf of the Insurer in any such action, suit or proceeding and to mail a copy of such process to the above mentioned General Counsel.

All other terms and conditions of this policy remain unchanged.
Endorsement Number 2
Policy Number: NPL0069163-00
Named Insured: Colorado Counties Casualty and Property Pool
This endorsement is effective on the inception date of this Policy unless otherwise stated herein:
Endorsement Effective Date: January 01, 2024

00 ML0003 00 04 12 Page 1 of 1

THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY.

PER POOL MEMBER LIMIT ENDORSEMENT

It is agreed that this Endorsement modifies insurance provided under the Arch CyPro℠ Policy.

SCHEDULE 1
Alamosa, Archuleta, Baca, Bent, Chaffee, Cheyenne, Clear Creek, Conejos, Costilla, Crowley, Custer, Delta, Dolores, Elbert, Fremont, Garfield, Gilpin, Grand, Gunnison, Hinsdale, Huerfano, Jackson, Kiowa, Kit Carson, Lake, Las Animas, Lincoln, Logan, Mineral, Moffat, Montrose, Morgan, Otero, Ouray, Park, Phillips, Prowers, Pueblo, Rio Blanco, Rio Grande, Routt, Saguache, San Juan, San Miguel, Sedgwick, Summit, Teller, Washington, Weld, Yuma

00 ML0207 00 11 03 00 MPX0973 00 03 24 Page 1 of 5

SCHEDULE 2
I. Per Pool Member Crime Aggregate Limit of Insurance: $1,000,000
II. Per Pool Member Ransomware Event Aggregate Limit of Insurance: $1,000,000
III. Per Pool Member Policy Period Aggregate Limit of Insurance: $1,000,000

Coverages — Per Pool Member | Per Pool Member Coverage Limit of Insurance | Per Pool Member Self-Insured Retention

FIRST PARTY COVERAGE PART
A. Incident Response Expense Coverage [X] | $1,000,000 | $100,000
B. Business Interruption Coverage
I. Business Interruption (Network Security Breach) [X] | $1,000,000 | $100,000
II. Business Interruption (System Failure) [X] | $1,000,000 | $100,000
III. Business Interruption — Technology Contractor (Network Security Breach) [X] | $1,000,000 | $100,000
IV. Business Interruption — Technology Contractor (System Failure) [X] | $1,000,000 | $100,000
V. Business Interruption — Dependent Business (Network Security Breach) [X] | $1,000,000 | $100,000
VI. Business Interruption — Dependent Business (System Failure) [X] | $1,000,000 | $100,000
Business Interruption Waiting Period: 12 Hours
C. Data Recovery Expense Coverage [X] | $1,000,000 | $100,000
Bricking Sub-Limit of Insurance: $1,000,000
D. Cyber Extortion Expense Coverage [X] | $1,000,000 | $100,000
E. Reputational Harm Coverage [X] | $1,000,000 | $100,000
Reputational Harm Waiting Period: 14 Days

THIRD PARTY COVERAGE PART
F. Network Security and Privacy Liability Coverage [X] | $1,000,000 | $100,000
G. Media Liability Coverage [X] | $1,000,000 | $100,000
Retroactive Date: 01/01/2014
H. Technology and Professional Services Liability Coverage [ ] | Not Applicable | Not Applicable
Retroactive Date: N/A

CRIME COVERAGE PART
I. Social Engineering Coverage [X] | $100,000 | $100,000
J. Service Fraud Coverage [X] | $100,000 | $100,000
K. Invoice Manipulation Coverage [X] | $100,000 | $100,000

I. It is agreed that solely for the purposes of this Endorsement, the following changes are made to Section B. DEFINITIONS:

1. The following definition is added:
"Multi-Factor Authentication" means: The use of at least one of the following methods of authentication (in addition to the use of a user identification and password) to validate access:
1. a hardware or software token access card;
2. third party authentication application(s) providing time bound, one-time codes, by a method other than text messaging; or
3. a unique one-time passcode received by text message to a pre-established mobile phone number linked to the account that is being accessed in order to validate access.

2. The following definition is added:
"Pool Member" means any entity that is specified in Schedule 1 of this Endorsement, and is a participant in the Risk Purchase Group Insurance Program titled "Colorado Counties Casualty and Property Pool" that is administered by the Named Insured.

3. Definition 40. "Insured Entity" is amended by adding the following:
III. Any Pool Member.

II. It is agreed that the following is added to Section F. LIMITS OF INSURANCE AND SELF-INSURED RETENTIONS, immediately after Paragraph 1.1:

III. Per Pool Member Coverage Limits of Insurance
The Per Pool Member Coverage Limit of Insurance for any one coverage stated in Schedule 2. of this Endorsement shall be the maximum amount the Insurer shall pay for all Loss for any individual Pool Member under the applicable coverage. Such Limit of Insurance shall apply separately to each individual Pool Member.
The Per Pool Member Coverage Limit(s) of Insurance shall be part of and not in addition to the applicable Coverage Limit of Insurance stated in the Declarations, the Per Pool Member Crime Aggregate Limit of Insurance (If applicable) stated in Schedule 2, the Per Pool Member Policy Period Aggregate Limit of Insurance stated in Schedule 2, and the Policy Period Aggregate Limit of Insurance stated in the Declarations.

III. It is agreed that the following is added to Section F. LIMITS OF INSURANCE AND SELF-INSURED RETENTIONS, at the end of Paragraph 1.

Per Pool Member Crime Aggregate Limit
The Per Pool Member Crime Aggregate Limit of Insurance stated in Schedule 2 of this Endorsement shall be the maximum aggregate amount the Insurer shall pay for all Loss under the Crime Coverage Part for any individual Pool Member. Such Limit of Insurance shall apply separately to each individual Pool Member.
The Per Pool Member Crime Aggregate Limit of Insurance shall be part of and not in addition to the Per Pool Member Policy Period Aggregate Limit of Insurance stated in Schedule 2, and the Policy Period Aggregate Limit of Insurance stated in the Declarations.

Per Pool Member Policy Period Aggregate Limit of Insurance
The Per Pool Member Policy Period Aggregate Limit of Insurance stated in Schedule 2 of this Endorsement shall be the maximum aggregate amount the Insurer shall pay for all Loss under all Coverage Parts for any individual Pool Member. Such Limit of Insurance shall apply separately to each individual Pool Member.
The Per Pool Member Policy Period Aggregate Limit of Insurance shall be part of and not in addition to the Policy Period Aggregate Limit of Insurance stated in the Declarations.

Per Pool Member Ransomware Event Aggregate Limit of Insurance
With respect to all Loss resulting from a Ransomware Event that reasonably could have been prevented or avoided had a Pool Member Entity not failed to install, activate, enforce or maintain Multi-Factor Authentication at the time of, or prior to, such Ransomware Event, the maximum aggregate amount the Insurer shall pay for all such Loss shall be the Per Pool Member Ransomware Event Aggregate Limit of Insurance stated in Schedule 2 of this Endorsement. Such amount is a Sublimit of Insurance and shall apply separately to each individual Pool Member.
The Per Pool Member Ransomware Event Aggregate Limit of Insurance shall be part of and not in addition to the Per Pool Member Policy Period Aggregate Limit of Insurance stated in Schedule 2 of this Endorsement and the Policy Period Aggregate Limit of Insurance stated in Item 5. of the Declarations.

IV. The following is added to Section F. LIMITS OF INSURANCE AND SELF-INSURED RETENTIONS, Paragraph 2.:
Solely with respect to any Pool Member(s), the Self-Insured Retentions stated in Schedule 2 of this Endorsement shall apply in lieu of the Self-Insured Retentions stated in the Declarations. The Self Insured Retentions stated in Schedule 2 shall apply separately to each individual Pool Member.

V. Solely with respect to any Pool Member(s), it is agreed that Section B. DEFINITIONS, Definition 76. Retroactive date is deleted and replaced by the following:
76. "Retroactive Date" means:
I. The date set forth in Item G. of Schedule 2 for Media Liability Coverage; and
II. The date set forth in Item H. of Schedule 2 for Technology Services and Products and Professional Liability Coverage.

VI. Solely with respect to any Pool Member(s), it is agreed that Section B. DEFINITIONS, Definition 11. Business Interruption Waiting Period is deleted and replaced by the following:
11. "Business Interruption Waiting Period" means the number of hours set forth in Item B. of Schedule 2 that must elapse once the Business Interruption has begun. Such Business Interruption Waiting Period shall apply separately to each individual Pool Member.

VII. Solely with respect to any Pool Member(s), it is agreed that Section B. DEFINITIONS, Definition 75. Reputational Harm Waiting Period is deleted and replaced by the following:
75. "Reputational Harm Waiting Period" means the number of days set forth in Item E. of Schedule 2 that must elapse once the Adverse Publicity has begun. Such Reputational Harm Waiting Period shall apply separately to each individual Pool Member.

All other terms and conditions of this Policy remain unchanged.

Issued By: Arch Specialty Insurance Company
Endorsement Number: 3
Policy Number: NPL0069163-00
Named Insured: Colorado Counties Casualty and Property Pool
Endorsement Effective Date: January 01, 2024
President

00 ML0207 00 11 03 00 MPX0973 00 03 24 Page 5 of 5