Welcome to our policy. Take a look around.

The information on this page is provided for illustration purposes only. Issuance of coverage is subject to underwriting review and approval and other requirements, which are subject to change from time to time at At-Bay's and the insurer's discretion. Coverage may not be available in all jurisdictions. Please review your actual policy for the actual terms, conditions and exclusions that will apply to you.

An At-Bay cyber insurance policy allows your clients to take on tomorrow. Our 13 comprehensive first-party and third-party insuring agreements are current, broad, and sophisticated. Whatever your clients’ exposures are—a new ecommerce platform, expansion into Europe, automated manufacturing, collection of biometric data, or maybe it’s simply email—our coverage will bring peace of mind.

We encourage you to dive in. If you have questions, don't hesitate to reach out to underwriting@at-bay.com.


Policy Overview:

Primary insurance coverage for clients up to $2B in revenue in almost any industry.

Standalone cyber insurance up to $10m in aggregate limits.

Coverage underwritten by HSB Specialty Insurance Company, rated A++ Superior by A.M. Best Company.

Every policy includes ongoing protection from the At-Bay Security Team at no additional cost.

Post-breach services provided through a panel of experienced firms.


Coverage Basics:

All insuring agreements available up to the aggregate limit.

Financial Fraud includes Social Engineering and Computer Crime.

Direct and Contingent Business Interruption with no hourly waiting period.

Media Content covers online and offline media.

Reputational harm is available by endorsement.

Insuring Agreements



Coverage is afforded pursuant to those Insuring Agreements included under this Policy, displayed as “Included” in ITEM 6 of the Declarations, and for Claims and Cyber Events reported to us pursuant to the terms of this Policy:

A. INFORMATION PRIVACY

  1. Information Privacy Liability

    We shall pay on behalf of the Insured, all Claim Expenses and Damages resulting from a Claim first made against any Insured during the Policy Period or, if exercised, during the Extended Reporting Period, for an Information Privacy Wrongful Act.
  2. Regulatory Liability

    We shall pay on behalf of the Insured, all Claim Expenses, Damages, including GDPR Penalties, Regulatory Penalties, and Regulatory Assessments and Expenses resulting from a Regulatory Claim first made against any Insured during the Policy Period or, if exercised, during the Extended Reporting Period, for an Information Privacy Wrongful Act.
  3. Event Response and Management

    We shall pay the Insured Organization for Technical Response Loss, Legal Services Loss, Public Relations Loss, Notification Loss, Reward Expense Loss, and Credit Monitoring Loss incurred by the Insured Organization as a result of an Information Privacy Event first discovered during the Policy Period.
  4. PCI-DSS Liability

    We shall pay the Insured Organization, all PCI-DSS Penalties, PCI-DSS Response Expenses, and Claim Expenses resulting from a PCI-DSS Claim first made against the Insured Organization during the Policy Period or, if exercised, during the Extended Reporting Period, for an Information Privacy Wrongful Act.

B. NETWORK SECURITY

  1. Network Security Liability

    We shall pay on behalf of the Insured, all Claim Expenses and Damages resulting from a Claim first made against any Insured during the Policy Period or, if exercised, the Extended Reporting Period, for a Network Security Wrongful Act.
  2. Event Response and Recovery

    We shall pay the Insured Organization for Technical Response Loss, Public Relations Loss, Data Recovery Loss, Reward Expense Loss, and System Restoration Loss incurred by the Insured Organization as a result of a Network Security Event first discovered during the Policy Period.

C. BUSINESS INTERRUPTION

  1. Direct Business Interruption

    We shall pay the Insured Organization for Business Interruption Loss, Extra Expense, Reward Expense Loss, and Public Relations Loss incurred by the Insured Organization as a direct result of a System Disruption which first occurs during the Policy Period.
  2. Contingent Business Interruption

    We shall pay the Insured Organization for Contingent Business Interruption Loss, Extra Expense, Reward Expense Loss, and Public Relations Loss incurred by the Insured Organization as a direct result of a System Disruption which first occurs during the Policy Period.

D. CYBER EXTORTION

  1. Cyber Extortion

    We shall pay the Insured Organization for Extortion Loss, Reward Expense Loss, and Public Relations Loss incurred by the Insured Organization as a direct result of an Extortion Threat first discovered during the Policy Period.

E. FINANCIAL FRAUD

  1. Social Engineering

    We shall pay the Insured Organization for Fraudulent Inducement Loss and Reward Expense Loss incurred by the Insured Organization as a direct result of Fraudulent Inducement Instructions it receives and accepts and which are first discovered during the Policy Period.
  2. Computer Fraud

    We shall pay the Insured Organization for Computer Crimes Loss and Reward Expense Loss incurred by the Insured Organization as a direct result of Computer Crimes first discovered during the Policy Period.

F. MEDIA CONTENT

  1. Media Liability

    We shall pay on behalf of the Insured, all Claim Expenses and Damages resulting from a Claim first made against any Insured during the Policy Period or, if exercised, during the Extended Reporting Period, for a Media Wrongful Act.
  2. Media Event Response

    We shall pay the Insured Organization for Public Relations Loss and Reward Expense Loss incurred by the Insured Organization as a result of a Media Wrongful Act first discovered during the Policy Period.


Limits of Insurance

Regardless of the number of Claims first made, Cyber Events first discovered, or number of Insuring Agreements purchased under this Policy:



A. AGGREGATE LIMIT OF INSURANCE
  1. The Aggregate Limit of Insurance is our maximum liability under this Policy for the duration of the Policy Period or, if exercised, the Extended Reporting Period.
  2. We shall have no further obligations or liability under this Policy upon exhaustion of the Aggregate Limit of Insurance, including the continuation of payment of Loss, Damages, or Claims Expenses or the duty to defend or investigate any Claim.


B. SUB-LIMITS OF INSURANCE
  1. The amounts stated as Sub-Limits of Insurance in ITEM 6 of the Declarations, which are part of and not in addition to the Aggregate Limit of Insurance, are the most we shall pay for all Loss, Damages, and Claims Expenses with respect to the Insuring Agreement to which each such Sub-Limit of Insurance applies, and we shall not be responsible to pay any Loss, Damages, or Claims Expenses under such Insuring Agreement upon exhaustion of such Sub-Limit of Insurance.
  2. Subject to II.A.1., II.A.2., and II.B.1. above, the most we shall pay for all Loss, Damages, and Claim Expenses shall be:
    1. with respect to any Cyber Events or Claims which are covered under more than one Insuring Agreement, the sum of the Sub-Limits of Insurance available under the Insuring Agreements to which such Cyber Events or Claims apply; and
    2. with respect to any Related Incidents, the sum of the Sub-Limits of Insurance available under the Insuring Agreements to which such Related Incidents apply.

Retention

  1. Our liability shall apply only to that portion of Loss, Damages, and Claims Expenses arising from each Claim or Cyber Event which exceeds the Retention applicable to the Insuring Agreement affording coverage to such Claim or Cyber Event. Payment of such Retention is the Named Insured’s responsibility and remains uninsured under this Policy.
  2. If a Claim is covered under more than one Third Party Coverage, each Retention shall apply separately but the sum of such Retentions shall not exceed the largest applicable Retention.
  3. If a Cyber Event is covered under more than one First Party Coverage, each Retention shall apply separately but the sum of such Retentions shall not exceed the largest applicable Retention.
  4. The largest applicable Retention amount shall apply as a single Retention for all Claims or Cyber Events resulting from Related Incidents covered under more than one Third Party Coverage or First Party Coverage.
  5. Solely with respect to Third Party Coverage and Insured Persons, the Retention shall not apply to an Insured Person if the Insured Organization is:
    1. not legally permitted to provide indemnification to such Insured Person; or
    2. unable to provide indemnification solely by reason of its financial insolvency, including such Insured Organization becoming a debtor in possession under Chapter 11 of the United States Bankruptcy Code, as amended, or the foreign equivalent of such; provided, however, that the applicable Insured Organization agrees to repay us any Retention amounts we pay on its behalf, as described in this paragraph III.5.b., at the time such Insured Organization emerges from financial insolvency or bankruptcy.

Defense and Settlement of Claims

A. DEFENSE
  1. We shall have the right and duty to defend any Claim covered by a Third Party Coverage even if the allegations are groundless, false, or fraudulent.
  2. We shall consult and attempt to reach an agreement with the Insureds regarding the appointment of counsel in the investigation and defense of any Claim, but we retain the right to appoint counsel and to investigate and defend any Claim as we deem necessary.


B. SETTLEMENT
  1. We shall not settle any Claim without the written consent of the Insured. In the event the Insured refuses to consent to a settlement recommended by us and acceptable to the claimant(s), then:
    1. we shall pay the sum of all Damages for which the Claim could have settled plus all Claim Expenses incurred up to the time we made our recommendation to the Insured; and
    2. we shall pay and maintain responsibility for eighty percent (80%) of all Claim Expenses and Damages that are in excess of the amount referenced in paragraph IV.B.1.a. above.
    3. This condition, IV.B. Settlement, shall not apply if the total incurred Damages and Claim Expenses do not exceed the applicable Retention amount.



C. ALLOCATION
  1. If a Claim includes both covered and uncovered matters, then coverage shall apply as follows:
    1. One hundred percent (100%) of Claim Expenses incurred by the Insureds who are afforded coverage for such Claim shall be considered covered; and
    2. All remaining Damages incurred by such Insureds from such Claim shall be allocated between covered Damages and uncovered damages based upon the relative legal and financial exposures and benefits of the parties to such matters.

Definitions

Wherever appearing throughout this Policy, the following terms appearing in bold face type, whether used in their singular or plural form, shall have the meanings set forth in this Section V. Definitions:


  1. Aggregate Limit of Insurance means the amount stated in ITEM 4 of the Declarations.
  2. Application means all applications, including any information and statements attached thereto, submitted to us by, or on behalf of, any Insured in connection with the underwriting and issuance of this Policy. All such applications, attachments, information, and materials are deemed attached to and incorporated into this Policy.
  3. With respect to publicly held companies, Application also means each and every public filing made with the Securities Exchange Commission by or on behalf of any Insured, including but not limited to any Insured Organization’s Annual Report(s), 10-Ks, 8-Ks, and proxy statements, provided that such public filing was filed during the period of time:

    1. beginning at the start of the twelve (12) month period immediately preceding the first submission to us in connection with the underwriting of this Policy; and
    2. ending at the effective date of the Policy Period.
  4. Bodily Injury means physical injury, sickness, or disease and any resulting mental anguish, mental injury, shock, humiliation, or death.
  5. Business Interruption Loss means the following amounts incurred by an Insured Organization during the Period of Restoration:
    1. net profit before income taxes that would have been earned had no System Disruption of Insured Computer Systems occurred;
    2. net loss before income taxes that would have been avoided had no System Disruption of Insured Computer Systems occurred;
    3. the Insured Organization’s continuing normal operating and payroll expenses; and
    4. costs to retain the services of a third party forensic accounting firm to determine the amounts of Business Interruption Loss described in paragraphs V.4.a.–V.4.c. above, subject to our prior consent.
  6. Change of Control means:
    1. the acquisition by another person, entity, or group of person or entities acting together, of more than fifty percent (50%) of the outstanding securities, or ownership interests representing the majority and present right to control, elect, appoint or designate the Board of Directors, Board of Trustees, Board of Managers, or functional equivalent thereof, of the Named Insured;
    2. the acquisition by another person, entity, or group of person or entities acting together of all, or substantially all, of the Named Insured’s assets such that the Named Insured is not the surviving entity; or
    3. the merger or consolidation of the Named Insured into or with another entity or group of entities acting together such that the Named Insured is not the surviving entity.
  7. Claim means any:
    1. written demand, request, or assertion seeking monetary damages, or non-monetary or injunctive relief;
    2. civil proceeding, investigation, or suit commenced by service of a complaint, notice, request for information, or similar proceeding seeking monetary damages or non-monetary or injunctive relief;
    3. arbitration, mediation, or similar alternative dispute resolution proceeding commenced by the receipt of a complaint, written demand, or similar proceeding seeking monetary damages or non-monetary or injunctive relief;
    4. criminal proceeding commenced by the filing of charges, arrest or detainment, or a return of an indictment or similar document;
    5. request to toll or waive a statute of limitations applicable to a Claim referenced in paragraphs V.6.a.-V.6.d. above;
    6. formal appeal of a Claim referenced in paragraphs V.6.a.-V.6.d. above;
    7. with respect to Insuring Agreement I.A.2., any Claim referenced in paragraphs V.6.a.–V.6.f. above which is a Regulatory Claim; or
    8. with respect to Insuring Agreement I.A.4., any Claim referenced in paragraphs V.6.a.–V.6.f. above which is a PCI-DSS Claim.
  8. Claim Expenses means reasonable and necessary:
    1. attorneys’ fees, mediation and arbitration expenses, expert witness and consultant fees and attendance expenses, and other fees and costs incurred by us, or by an Insured with our prior written consent, in the investigation and defense of a Claim; and
    2. premiums for any appeal bond, injunction bond, attachment bond, or any similar bond, although we shall have no obligation to furnish such bond.

    Claim Expenses shall not include salaries, wages, or other compensation of any Insured Person; except to the extent that such Claim Expenses are expenses incurred to secure and obtain a member of the Control Group’s attendance at any mediation, arbitration, hearing, depositions, or trial in connection to the investigation and defense of a Claim.

  9. Computer Crimes means the intentional, fraudulent, or unauthorized input, destruction, or modification of electronic data or computer instructions into Computer Systems by any entity which is not an Insured Organization or person who is not an Insured Person, provided that such Computer Crimes cause:
    1. Funds or Securities to be transferred, paid, or delivered; or
    2. an account of the Insured Organization, or of its customer, to be added, deleted, debited, or credited.
  10. Computer Crime Loss means the Insured Organization’s loss of Funds or Securities.
  11. Computer System means Insured Computer Systems and External Computer Systems.
  12. Contingent Business Interruption Loss means the following amounts incurred by an Insured Organization during the Period of Restoration:
    1. net profit before income taxes that would have been earned had no System Disruption of External Computer Systems occurred;
    2. net loss before income taxes that would have been avoided had no System Disruption of External Computer Systems occurred;
    3. the Insured Organization’s continuing normal operating and payroll expenses; and
    4. costs to retain the services of a third party forensic accounting firm to determine the amounts of Contingent Business Interruption Loss described in paragraphs V.11.a.–V.11.c. above, subject to our prior consent.
  13. Control Group means an Insured Organization’s Chief Executive Officer, Chief Financial Officer, Chief Security Officer, Chief Technology Officer, Chief Information Officer, Risk Manager, General Counsel, or any functionally equivalent positions, regardless of title.
  14. Corporate Information means any confidential or proprietary information of an entity, other than an Insured Organization, which:
    1. an Insured Organization is contractually or legally required to hold or maintain in confidence; or
    2. is not known or accessible by the general public.

    Corporate Information does not include Protected Personal Information.

  15. Credit Monitoring Loss means reasonable and necessary costs and expenses incurred or paid by an Insured Organization to:
    1. establish and maintain call center services to be used by natural persons whose Protected Personal Information was impacted in an Information Privacy Event;
    2. provide credit monitoring, freezing, or thawing services to natural persons whose Protected Personal Information was impacted in an Information Privacy Event;
    3. provide identity theft identification and restoration services to those natural persons whose Protected Personal Information was impacted in an Information Privacy Event; and
    4. retain the services of a Cyber Response Firm to provide consultative and professional services related to Credit Monitoring Loss described in paragraphs V.14.a.–V.14.c. above.

    Credit Monitoring Loss includes costs and expenses incurred in order to comply with applicable Privacy Regulations and shall follow the law of the applicable jurisdiction which most favors coverage for such costs and expenses. Those costs and expenses not required to comply with Privacy Regulations require our prior consent.

  16. Cyber Event means an Information Privacy Event, Network Security Event, Extortion Threat, Fraudulent Inducement Instructions, Computer Crimes, System Disruption, and, with respect to Insuring Agreement I.F.2. only, a Media Wrongful Act.
  17. Cyber Response Firm means:
    1. any firm listed on our pre-approved response provider list, available upon request from us; or
    2. a firm not part of paragraph V.16.a. above, but only with our prior written consent.
  18. Damages means any amounts an Insured becomes legally obligated to pay on account of any Claim, including:
    1. compensatory damages, settlements, and judgments;
    2. awards of prejudgment and post-judgment interest;
    3. sums for deposit in a consumer redress fund as equitable relief for the payment of consumer claims due to an adverse judgment or settlement;
    4. punitive, exemplary, or multiplied damages and awards; provided, however, that punitive, exemplary, or multiplied damages and awards shall only be included as Damages to the extent insurable under the applicable laws of any jurisdiction which most favors coverage and which has a substantial relationship to an Insured, us, this Policy, or the Claim giving rise to such Damages;
    5. with respect to a PCI-DSS Claim under Insuring Agreement I.A.4., any PCI-DSS Penalties and PCI-DSS Response Expenses; and
    6. with respect to a Regulatory Claim under Insuring Agreement I.A.2., any Regulatory Penalties, GDPR Penalties, and Regulatory Assessments and Expenses.

    Damages shall not include:

    1. fines, penalties, taxes, or sanctions imposed against an Insured; except to the extent such fines, penalties, taxes, or sanctions are insurable under the applicable laws of any jurisdiction which most favors coverage and which has a substantial relationship to an Insured, us, this Policy, or the Claim giving rise to such Damages, are PCI-DSS Penalties otherwise covered under Insuring Agreement I.A.4., or Regulatory Penalties, GDPR Penalties, or Regulatory Assessments and Expenses otherwise covered under Insuring Agreement I.A.2. of this Policy;
    2. costs to comply with any injunctive, remedial, preventative, or other non-monetary or declaratory relief; or
    3. any matters deemed uninsurable under the laws pursuant to which this Policy is construed.
  19. Data Recovery Loss means reasonable and necessary costs and expenses incurred or paid by an Insured Organization to:
    1. replace and restore corrupted, destroyed, lost, or stolen software;
    2. re-create and recover corrupted, destroyed, lost, or stolen data in electronic form which is, or was, stored on a Computer System;
    3. re-create and recover corrupted, destroyed, lost, or stolen data in non-electronic form for which there is no electronic source available; and
    4. retain the services of a Cyber Response Firm to provide consultative and professional services related to Data Recovery Loss described in paragraphs V.18.a.–V.18.c. above.
  20. Employee means any natural person whose work or service is or was guided and engaged by an Insured Organization, including full-time or part-time laborers, interns, volunteers, seasonal or temporary laborers, or laborers whose service or work is or was leased by or to an Insured Organization.
  21. External Computer Systems means any computer hardware, software, firmware, wireless device, voice based telecommunication system, operating system, virtual machine, as well as any data stored thereon, and:
    1. associated input, output, processing, data storage, and mobile devices, networks, operating systems, application software, networking equipment, storage area networks, and other electronic data storage or backup facilities;
    2. includes, but is not limited to, associated telephone systems (including “PBX”, “CBX,” “Merlin,” or “VoIP”), remote access systems (including “DISA”), peripheral communication equipment and systems, industrial control systems (including “SCADA”), Internet of things (commonly referred to as “IoT”), media libraries, extranets, and offline electronic data storage facilities; and
    3. includes, but is not limited to, associated application hosting, cloud services, cloud computing platforms, data hosting, data storage, co-location, data back-up, data processing, and infrastructure as a service;

    which are operated for an Insured’s benefit by a third party under written contract between such third party and Insured.

  22. Extortion Loss means reasonable and necessary costs and expenses incurred or paid by an Insured Organization to:
    1. make payment of any funds, digital currencies (“crypto-currencies”), marketable goods, services, or other assets to the person or group which is believed to be responsible for, and to have made, such Extortion Threat;
    2. reduce or mitigate the severity of Extortion Loss described in paragraph V.21.a. above; and
    3. retain the services of a Cyber Response Firm to provide consultative and professional services related to Extortion Loss described in paragraphs V.21.a. and V.21.b. above.
  23. Extortion Threat means any credible threat or series of related threats made to an Insured by a third party person or group, or by a rogue Employee who is not a member of the Control Group and who is acting in a manner not authorized by the Insured Organization, which threatens to take any of the following actions unless an Insured pays such group or person the funds demanded, or meets some other non-monetary demand, in exchange for the mitigation or removal of such threat:
    1. cause an Information Privacy Event or Network Security Event;
    2. alter, corrupt, damage, manipulate, misappropriate, encrypt, delete, or destroy any Computer System, Corporate Data, or Protected Personal Information;
    3. restrict or inhibit access to a Computer System; or
    4. any action connected to the continuation or furthering of any already commenced action referenced in paragraphs V.22.a.-V.22.c. above.
  24. Extra Expense means reasonable and necessary costs and expenses incurred or paid by an Insured Organization to:
    1. reduce the Period of Restoration;
    2. mitigate or reduce expenses resulting from the System Disruption of a Computer System;
    3. secure Computer Systems such that a similar System Disruption is avoided in the future; and
    4. retain the services of a Cyber Response Firm to provide consultative and professional services related to Extra Expense described in paragraphs V.23.a.–V.23.c. above.
  25. First Party Coverage means Insuring Agreement(s) I.A.3., I.B.2., I.C.1., I.C.2., I.D.1., I.E.1., I.E.2., and I.F.2.
  26. Fraudulent Inducement Instructions means the misrepresentation of one or more facts by a third-party person or entity via email or other means of electronic communication with the intent of misleading an Insured into transferring Funds or Securities.
  27. Fraudulent Inducement Loss means an Insured Organization's loss of Funds or Securities.
  28. Funds or Securities means any medium of exchange, including any written negotiable or non-negotiable instruments representative of such, which is authorized or adopted by a foreign or domestic government and in current use, including bank notes, travelers' checks, registered check, money orders, currency, bullion, and coins.
  29. Funds or Securities does not include any crypto-currencies or crypto-assets.

  30. GDPR Penalties means Regulatory Penalties an Insured becomes legally obligated to pay as a result of a Regulatory Claim for such Insured’s actual, alleged or reasonably suspected non-compliance with the General Data Protection Regulation Standard, as amended.
  31. Independent Contractor means any natural person, agent, or single person entity who is not an Employee but performs work for an Insured Organization pursuant to a written contract or agreement.
  32. Information Privacy Event means any actual or reasonably suspected:
    1. failure to prevent unauthorized access to Protected Personal Information;
    2. failure to properly manage, handle, store, protect, disclose, destroy, control, or collect Protected Personal Information;
    3. violation of any Privacy Regulations, including, but not limited to, the wrongful collection or disclosure of Protected Personal Information;
    4. failure to comply with those portions of a Privacy Policy which govern the collection, dissemination, confidentiality, integrity, accuracy, disclosure, sale, access, or availability of Protected Personal Information;
    5. failure to provide natural persons whose Protected Personal Information an Insured stores or maintains to access, delete, or amend their Protected Personal Information as required by any Privacy Regulation, including, but not limited to, the “Right to be Forgotten” or “Right to Erasure” as described in the General Data Protection Regulation Standard, as amended;
    6. failure to provide notification of any Information Privacy Event as required by any Privacy Regulation; or
    7. failure to disclose an actual or potential Information Privacy Event as required by any Privacy Regulation.
  33. Information Privacy Wrongful Act means any actual or alleged error, misstatement, misleading statement, act, omission, neglect, breach of duty, or other offense committed or attempted by an Insured, based upon or resulting in an Information Privacy Event.
  34. Insured means the Insured Organization and any Insured Person.
  35. Insured Computer Systems means any computer hardware, software, firmware, wireless device, voice based telecommunication system, operating system, virtual machine, as well as any data stored thereon, and:
    1. associated input, output, processing, data storage, and mobile devices, networks, operating systems, application software, networking equipment, storage area networks, and other electronic data storage or backup facilities; and
    2. includes, but is not limited to, associated telephone systems (including “PBX”, “CBX,” “Merlin,” or “VoIP”), remote access systems (including “DISA”), peripheral communication equipment and systems, industrial control systems (including “SCADA”), Internet of things (commonly referred to as “IOT”), media libraries, extranets, and offline electronic data storage facilities;

    which are rented, leased, owned, or operated by an Insured or which are operated solely for an Insured’s benefit by a third party under written contract between such third party and Insured.

  36. Insured Organization means the Named Insured and any Subsidiaries.
  37. Insured Organization also means any entity as a debtor in possession or the bankruptcy estate of such Insured Organization under the United States bankruptcy law, or foreign equivalent.

  38. Insured Person means any past, current or future natural person:
    1. Employee, director, officer, trustee, partner, general partner, managing partner, managing member, LLC member, or principal of an Insured Organization, but only with respect to a Wrongful Act or Cyber Event committed within the scope of such natural person’s duties performed on behalf of such Insured Organization; or
    2. Independent Contractor, but only with respect to a Wrongful Act or Cyber Event committed within the scope of such Independent Contractor’s duties performed on behalf of the Insured Organization and only if the Insured Organization indemnifies such Independent Contractor.
  39. Legal Services Loss means reasonable and necessary costs and expenses incurred or paid by an Insured Organization to:
    1. determine the applicability of any notifications, communications, actions, or other services required or necessary for the Insured Organization to comply with applicable Privacy Regulations;
    2. draft and develop letters, documents, or other materials to properly notify the natural persons whose Protected Personal Information was, or may have been, wrongfully disclosed, accessed, acquired, or otherwise compromised or impacted as a result of the applicable Information Privacy Event;
    3. provide any legally required communications and reporting services to any regulatory, administrative, or supervisory authority; and
    4. retain the services of a Cyber Response Firm to provide legal, consultative, and professional services related to Legal Services Loss described in paragraphs V.36.a.–V.36.c. above.

    Legal Services Loss includes costs and expenses incurred in order to comply with applicable Privacy Regulations and shall follow the law of the applicable jurisdiction which most favors coverage for such costs and expenses. Those costs and expenses not required to comply with any applicable Privacy Regulations require our prior consent.

  40. Loss means:
    1. Reward Expense Loss, Technical Response Loss, Public Relations Loss, Legal Services Loss, Notification Loss, Credit Monitoring Loss, Data Recovery Loss, System Restoration Loss, Business Interruption Loss, Contingent Business Interruption Loss, Extra Expense, Extortion Loss, Fraudulent Inducement Loss, and Computer Crimes Loss.

    Loss shall not include:

    1. salaries, benefits or other compensation payable to Insured Persons, except to the extent covered under Insuring Agreement(s) I.C.1. and I.C.2.;
    2. an Insured Organization’s internal operating costs, expenses, or fees, except to the extent covered under Insuring Agreement(s) I.C.1. and I.C.2.;
    3. taxes, fines, penalties, or amounts for injunctive relief or sanctions;
    4. Funds or Securities in the care, custody, or control of an Insured, except to the extent covered under Insuring Agreement(s) I.D.1., I.E.1., and I.E.2.; or
    5. costs or expenses incurred to update, improve, enhance, or replace privacy or network security controls, policies or procedures, or Computer Systems to a level beyond that which existed prior to the applicable Cyber Event, except to the extent we have recommended and provided prior consent to incur such costs or expenses, including:
      1. claim avoidance related costs or expenses anticipated under Extra Expense; and
      2. incremental improvement costs or expenses anticipated under System Restoration Loss.
  41. Malicious Code means any software or computer program that is:
    1. purposefully designed to adversely affect, intentionally harm, or dishonestly monetize any computer hardware, software, firmware, wireless device, operating system, virtual machine, and the data stored thereon or any components thereof, including, but not limited to, industrial control systems (SCADA), IoT, VoIP telephone systems, media libraries, extranets, offline storage facilities (to the extent electronic data is held), mobile devices, input and output devices, data storage devices, networking equipment, and electronic data backup facilities or networks; or
    2. capable of affecting that which is referenced in paragraph V.38.a. above by inserting itself by a variety of forms, causing damage, possessing the ability to replicate itself, or possessing the capability of spreading copies of itself.

    Malicious Code includes, but is not limited to, auto-reproduction programs, computer viruses, worms, Trojan horses, spyware, dishonest adware, crime-ware, mine-ware, script or any other software program, computer program, or virus that is functionally equivalent to Malicious Code described in paragraphs V.38.a. and V.38.b. above.

  42. Media Content means data, text, images, graphics, music, sounds, photographs, advertisements, video, streaming content, webcasts, podcasts, blog posts, and online forum posts.

    Media Content does not include computer software, software technology, or the actual goods, products, or services described, illustrated, or displayed in such Media Content.
  43. Media Wrongful Act means any actual or alleged error, misstatement, misleading statement, act, omission, neglect, breach of duty, or other offense committed or attempted by an Insured, or by any third party entity or natural person for whom the Insured is legally responsible, in the public dissemination, posting, or display of Media Content, by or on behalf of an Insured, on a voice or video based communication medium, including radio, internet streaming, satellite, cable, television, or any similar communications broadcast, or on an Insured’s website, printed material, social media site, or anywhere else on the internet, which results in the following:
    1. defamation, libel, slander, or other tort related to disparagement or harm to the character, reputation or feelings of any person or organization, including product disparagement, trade libel, infliction of emotional distress, malicious falsehood, outrage, or outrageous conduct;
    2. infringement or dilution of title, slogan, logo, trademark, trade name, metatag, domain name, trade dress, service mark, or service name;
    3. copyright infringement, passing off, plagiarism, piracy, or other misappropriation of intellectual property rights;
    4. invasion, infringement, or interference with rights of privacy or publicity, including public disclosure of private facts, breach of confidence, intrusion, false light, and commercial appropriation of name or likeness;
    5. false detention or arrest, harassment, trespass, wrongful entry or eviction, eavesdropping, or other invasion of the right of private occupancy;
    6. improper deep framing or linking; or
    7. unfair trade practices or competition, including misrepresentations in advertising, but solely when alleged in conjunction with the alleged conduct referenced in paragraphs V.40.a.–V.40.f. above.
  44. Named Insured means the entity displayed in ITEM 1 of the Declarations.
  45. Network Security Event means any actual or reasonably suspected:
    1. propagation of Malicious Code from a Computer System;
    2. attack by Malicious Code which infects a Computer System;
    3. denial of service attack:
      1. originating from a Computer System; or
      2. made against a Computer System;
    4. gaining of access or use of a Computer System by:
      1. an unauthorized person; or
      2. an authorized person for purposes not authorized by an Insured Organization;
    5. acquisition, access, loss, or disclosure of Corporate Information not authorized by an Insured Organization;
    6. theft of a password or access code by electronic or non-electronic means from a Computer System, the Insured Organization’s premises, or directly from an Insured Person;
    7. the failure to provide any authorized user access to the Insured Organization’s website or Computer System due to the failure or violation of the security of a Computer System; or
    8. the failure to protect Computer Systems which results in, or is based upon, a Network Security Event referenced in paragraphs V.42.a.-V.42.g. above.

    Network Security Event includes any of the foregoing, regardless of whether such Network Security Event is a specifically targeted attack or a generally distributed attack.

  46. Network Security Wrongful Act means any actual or alleged error, misstatement, misleading statement, act, omission, neglect, breach of duty, or other offense committed or attempted by an Insured, based upon or resulting in a Network Security Event.
  47. Notification Loss means reasonable and necessary costs and expenses incurred or paid by an Insured Organization to:
    1. provide any legally required notification services to those natural persons whose Protected Personal Information was wrongfully disclosed, accessed, acquired, or otherwise compromised or impacted as a result of the applicable Information Privacy Event;
    2. complete mailing or other communications duties to notify those natural persons whose Protected Personal Information was wrongfully disclosed, accessed, acquired, or otherwise compromised or impacted as a result of the applicable Information Privacy Event;
    3. provide information on the availability of any related services or resources to those natural persons whose Protected Personal Information was wrongfully disclosed, accessed, acquired, or otherwise compromised or impacted as a result of the applicable Information Privacy Event; and
    4. retain the services of a Cyber Response Firm to provide consultative and professional services related to Notification Loss described in paragraphs V.44.a.-V.44.c. above.

    Notification Loss includes costs and expenses incurred in order to comply with applicable Privacy Regulations and shall follow the law of the applicable jurisdiction which most favors coverage for such costs and expenses. Those voluntary costs and expenses not required to comply with any applicable Privacy Regulations require our prior consent.

  48. PCI Data Security Standards means generally accepted and published rules, regulations, standards, or guidelines which relate to data security and the safeguarding, disclosure, and handling of Protected Personal Information and which are adopted or required by the Payment Card Industry Data Security Standards Council or any payment provider whose payment method is accepted for processing.
  49. PCI-DSS Claim means any Claim, brought by or on behalf of a Payment Card Association or entity processing or providing payment card transactions, based upon an Insured Organization’s actual, alleged, or potential non-compliance with PCI Data Security Standards, including but not limited to:
    1. failure to properly protect, handle, manage, store, destroy, or control payment account or payment card data, including applicable Protected Personal Information; or
    2. non-compliance with EMV specifications or mobile payment security requirements.

    PCI-DSS Claim includes an investigation into a potential violation of PCI Data Security Standards, which may reasonably be expected to give rise to a PCI-DSS Claim.

  50. PCI-DSS Penalties means monetary assessments, fines, penalties, chargebacks, reimbursements, and fraud recoveries, including card reissuance costs, the Insured Organization is legally obligated to pay due to a PCI-DSS Claim and its non-compliance under a payment card processing agreement or merchant services agreement pertaining to PCI Data Security Standards.
  51. PCI-DSS Response Expenses means reasonable and necessary costs and expenses to retain the services of:
    1. a third party forensic firm that is a qualified Payment Card Industry Forensic Investigator, to determine the cause and scope of the Information Privacy Event which led to a PCI-DSS Claim; and
    2. a Qualified Security Assessor (QSA) to validate an Insured Organization’s adherence to PCI Data Security Standards following a PCI-DSS Claim.
  52. Period of Restoration means the continuous period of time that:
    1. begins with the earliest date a System Disruption first occurred; and
    2. ends on the date when Insured Computer Systems or External Computer Systems are, or could have been, repaired or restored with reasonable speed to the same functionality and level of service which existed prior to the System Disruption.

    A Period of Restoration shall not exceed one hundred eighty (180) days from the date the applicable System Disruption first occurred; provided, however, that the end of the Policy Period shall not cut short the Period of Restoration.

  53. Policy means, collectively, the Declarations, Application, each included Insuring Agreement, and all forms and endorsements, stated in ITEM 8 of the Declarations, which are attached to and form part of this Policy.
  54. Policy Period means the period of time from the Effective Date to the Expiration Date, as set forth in ITEM 2 of the Declarations, or the effective date of termination of this Policy, whichever is earlier.
  55. Pollution means any liquid, gaseous, solid or thermal irritant or contaminant, including vapor, smoke, fumes, acids, chemicals and material to be recycled, reconditioned or reclaimed.
  56. Privacy Policy means an Insured Organization’s written or electronic policies which govern the collection, dissemination, confidentiality, integrity, accuracy, disclosure, sale, access, or availability of Protected Personal Information.
  57. Privacy Regulations means any local, state, federal, or foreign identity theft or privacy protection laws, statutes, legislation, or regulations which require commercial entities which collect, process, or maintain Protected Personal Information to post privacy policies, adopt specific privacy or security controls, or notify individuals in the event that Protected Personal Information has potentially or actually been compromised, accessed, or acquired without their authorization.

    Privacy Regulations explicitly include, but are not limited to, the Gramm-Leach Bliley Act of 1999, Health Insurance Portability and Accountability Act of 1996, California Database Breach Act, Minnesota Plastic Card Security Act, and General Data Protection Regulation Standard, and regulations issued pursuant to such Acts or Standards, as amended if applicable.

  59. Property Damage means damage to, loss of use of, or destruction of any tangible property other than electronic or non-electronic data or Protected Personal Information.
  60. Protected Personal Information means any of the following information or data, regardless of whether such data or information is in electronic, non-electronic, or any other format:
    1. any natural person’s social security number, name, e-mail address, driver’s license or state identification number, address, and telephone number;
    2. any natural person’s personally identifiable pictures or videos, internet browsing history, security access codes, or passwords, and account histories;
    3. any natural person’s medical or healthcare data, biometric records, or any other protected health information (“PHI”);
    4. any natural person’s credit card or debit card number, account number, or any other protected financial information; or
    5. any other non-public personal information or data of a natural person as specified in any Privacy Regulations.

    Protected Personal Information does not include Corporate Information.

  61. Public Relations Loss means reasonable and necessary public relations related costs and expenses incurred or paid by an Insured Organization to:
    1. protect or restore the Insured Organization’s reputation;
    2. mitigate financial harm to the Insured Organization’s business; and
    3. retain the services of a Cyber Response Firm to provide public relations or crisis communications consultative and professional services related to Public Relations Loss described in paragraphs V.57.a. and V.57.b. above.
  62. Regulatory Assessments and Expenses means reasonable and necessary costs and expenses an Insured becomes legally obligated to pay on account and as a direct result of a Regulatory Claim to retain the services of a Cyber Response Firm to perform a legally required audit or assessment, including related consultative and professional services, of the Insured Organization’s privacy practices or Computer Systems.

    Regulatory Assessments and Expenses includes costs and expenses incurred in order to comply with applicable Privacy Regulations and shall follow the law of the applicable jurisdiction which most favors coverage for such costs and expenses. Those costs and expenses not required to comply with any applicable Privacy Regulations require our prior consent.

  64. Regulatory Claim means any Claim brought by, or on behalf of, the Federal Trade Commission, the Federal Communications Commission, any supervisory authority enforcing the General Data Protection Regulation Standard, or any state attorney general, government licensing entity, regulatory authority, or any federal, state, local, or foreign governmental entity in such entity’s official capacity.

    Regulatory Claim includes an investigation into a potential violation of Privacy Regulations, which may reasonably be expected to give rise to a Regulatory Claim.
  65. Regulatory Penalties means civil fines or penalties resulting from a Regulatory Claim, including GDPR Penalties, imposed against an Insured by the Federal Trade Commission, the Federal Communications Commission, any supervisory authority enforcing the General Data Protection Regulation Standard, or any state attorney general, government licensing entity, regulatory authority, or any federal, state, local, or foreign governmental entity in such entity’s official capacity.
  66. Related Incident means all Wrongful Acts and Cyber Events which share as a common nexus any act, fact, circumstance, situation, event, transaction, cause, or series of related acts, facts, circumstances, situations, events, transactions, or causes, and all:
    1. Cyber Events arising out of any Related Incident shall be considered one single Cyber Event, and such Cyber Event shall be considered first discovered on the date the earliest of such Cyber Events is first discovered, regardless of whether such date is before or during the Policy Period; and
    2. Claims arising out of all Related Incidents shall be considered one single Claim, and such Claim shall be considered first made on the date the earliest of such Claims is first made, regardless of whether such date is before or during the Policy Period.
  67. Retention means the amounts stated as Retention in ITEM 6 of the Declarations with respect to the Insuring Agreement to which each such stated Retention amount applies.
  68. Reward Expense Loss means reasonable and necessary costs and expenses incurred or paid by an Insured Organization to an informant for information not otherwise available which leads to the arrest and conviction of a natural person or an entity responsible for the Cyber Event which resulted in a covered Loss under this Policy.

    Reward Expense Loss requires our prior consent.
  69. Subsidiary means:
    1. any corporation, partnership, limited liability company or other entity in which the Named Insured owns, directly or indirectly through one or more Subsidiaries, more than fifty percent (50%) of such entity’s outstanding securities or voting rights representing the present right to elect, appoint or exercise a majority control over such entity’s board of directors, board of trustees, board of managers, natural person general partners, or functional equivalent;
    2. any entity operated as a joint venture in which the Named Insured owns, directly or indirectly through one or more Subsidiaries, exactly fifty percent (50%) of the issued and outstanding voting stock and whose management and operation an Insured Organization solely controls, pursuant to a written agreement with the owner(s) of the remaining issued and outstanding voting stock; or
    3. any non-profit entity over which the Named Insured, directly or indirectly through one or more Subsidiaries, exercises management control.
  70. System Disruption means the measurable interruption, suspension, degradation, or failure in the service of:
    1. with respect to Insuring Agreement I.C.1., Insured Computer Systems; or
    2. with respect to Insuring Agreement I.C.2., External Computer Systems;

    directly caused by a Network Security Event or Information Privacy Event.

  71. System Restoration Loss means reasonable and necessary costs and expenses incurred or paid by an Insured Organization to:
    1. restore Computer Systems, including replacing or reinstalling software programs contained therein, to their level of functionality immediately prior to the applicable Network Security Event;
    2. remove any Malicious Code from Computer Systems resulting from the applicable Network Security Event;
    3. restore the configuration of Computer Systems to an adequacy at or higher to that which was present immediately prior to the applicable Network Security Event; and
    4. retain the services of a Cyber Response Firm to provide consultative and professional services related to System Restoration Loss described in paragraphs V.66.a.–V.66.c. above.
  72. Technical Response Loss means reasonable and necessary costs and expenses incurred or paid by an Insured Organization to:
    1. investigate and determine the cause of the applicable Information Privacy Event or Network Security Event;
    2. mitigate or contain an ongoing Information Privacy Event or Network Security Event;
    3. identify and catalog natural persons whose Protected Personal Information was wrongfully disclosed, accessed, acquired, or otherwise compromised or impacted as a result of an applicable Information Privacy Event;
    4. identify and catalog organizations whose Corporate Information was wrongfully disclosed, accessed, acquired, or otherwise compromised or impacted as a result of an applicable Network Security Event; and
    5. retain the services of a Cyber Response Firm to provide consultative and professional services related to Technical Response Loss described in paragraphs V.67.a.–V.67.d. above.
  73. Third Party Coverage means Insuring Agreement(s) I.A.1., I.A.2., I.A.4., I.B.1., and I.F.1.
  74. Wrongful Act means any Information Privacy Wrongful Act, Network Security Wrongful Act, or Media Wrongful Act.

Exclusions

A. EXCLUSIONS APPLICABLE TO ALL INSURING AGREEMENTS

This Policy shall not apply to any Loss, Damages, or Claim Expenses on account of any Wrongful Act, any Cyber Event, or any Claim:

  1. Conduct

    based upon, arising out of, or attributable to any Insured’s

    1. fraudulent, criminal, or malicious error, act or omission;
    2. intentional or deliberate violation of the law; or
    3. gaining of any profit, remuneration, or advantage to which such Insured was not legally entitled.

    However, this exclusion shall not apply to:

    1. Claim Expenses or our duty to defend any such Claim; or
    2. Damages unless a final, non-appealable, adjudication establishes that such Insured committed such conduct, act, or violation.

    Provided that:

    1. no such conduct pertaining to any Insured Person shall be imputed to any other Insured Person;
    2. any such conduct pertaining to past, present, or future members of the Control Group shall be imputed to the Insured Organization; provided, however, if such member of the Control Group acted deliberately outside his or her capacity as such then such conduct shall not be imputed to the Insured Organization; and
    3. for First Party Coverage only, this exclusion shall not apply to an intentionally dishonest or fraudulent act or omission, willful violation of any statute, rule of law, or gaining any profit, remuneration, or advantage by an Employee.
  3. Contract

    for breach of any express, implied, actual or constructive contract, warranty, or guarantee.

    However, this exclusion shall not apply to:

    1. liability assumed by an Insured, but only to the extent that such assumed liability would have attached to the Insured in the absence of such contract, warranty, or guarantee;
    2. an Insured’s contractual obligation to maintain the confidentiality or security of Protected Personal Information;
    3. an Insured’s obligation under an implied or statutory standard of care obligation to prevent an Information Privacy Event or Network Security Event;
    4. with respect to Insuring Agreement I.A.1., an unintentional violation by an Insured to comply with an Insured Organization’s Privacy Policy;
    5. solely with respect to Insuring Agreement I.A.4., a PCI-DSS Claim;
    6. solely with respect to Insuring Agreement I.F.1., any actual or alleged misappropriation of idea under implied contract; or
    7. solely with respect to Insuring Agreement I.A.1., an Insured’s unintentional breach of contract or agreement with a business associate, as defined in the U.S. Health Insurance Portability and Accountability Act (HIPAA), as amended, or the Health Information Technology for Economic and Clinical Health Act (HITECH), as amended.
  5. Bodily Injury

    for any actual or alleged Bodily Injury.

    However, this exclusion shall not apply to:

    1. solely with respect to Insuring Agreement I.F.1., emotional distress, mental anguish, humiliation, or loss of reputation resulting from a Media Wrongful Act; or
    2. solely with respect to Insuring Agreement I.A.1., emotional distress, mental anguish, or mental injury resulting from an Information Privacy Wrongful Act.
  7. Property Damage

    alleging, based upon, arising out of, or attributable to Property Damage.

  9. Prior Notice

    alleging, based upon, arising out of, or attributable to any fact, circumstance, situation, event, Cyber Event, or Wrongful Act which was the subject of any notice of claim or potential claim given by or on behalf of any Insured under any policy of insurance of which this Policy is a direct or indirect renewal or replacement, or which it succeeds in time.

  11. Prior Knowledge

    alleging, based upon, arising out of, or attributable to any fact, circumstance, situation, event, Cyber Event, or Wrongful Act that is, or reasonably would be regarded as, the basis for a Claim or Cyber Event about which any member of the Control Group had knowledge prior to the Continuity Date set forth in ITEM 7 of the Declarations.

  13. Pending or Prior Proceedings

    alleging, based upon, arising out of, or attributable to any fact, circumstance, situation, event, Cyber Event, or Wrongful Act underlying or alleged in any prior or pending civil, criminal, administrative or regulatory proceeding or litigation against an Insured as of, or prior to, the Prior and Pending Litigation Date set forth in ITEM 7 of the Declarations.

  15. Pollution

    alleging, based upon, arising out of, or attributable to:
    1. the actual, alleged or threatened discharge, release, seepage, migration, or disposal of Pollution;
    2. any request that any Insured test for, monitor, clean up, remove, contain, treat, detoxify, or neutralize Pollution, including any voluntary decision to do so; or
    3. any request or requirement brought by or on behalf of any governmental authority relating to testing, monitoring, cleaning, removing, containing, treating, neutralizing, or in any way responding to or assessing the effects of Pollution.
  16. War

    alleging, based upon, arising out of, or attributable to war, invasion, acts of foreign enemies, hostilities or warlike operations (whether war is declared or not), strike, lock-out, riot, civil war, rebellion, revolution, insurrection, civil commotion assuming the proportions of or amounting to an uprising, or military or usurped power.

  18. Nuclear, Biological, and Chemical Contamination

    alleging, based upon, arising out of, or attributable to any planning, construction, maintenance, or use of any nuclear reactor, nuclear storage, disposal, waste or radiation site, or any other nuclear facility or site, the transportation of nuclear material, or any nuclear reaction or radiation, or radioactive, biological or chemical contamination, regardless of its cause.
  19. Natural Disaster

    alleging, based upon, arising out of, or attributable to fire, smoke, explosion, lightning, wind, water, flood, earthquake, volcanic eruption, tidal wave, landslide, hail, act of God, nature or any other related physical event.

  21. Intellectual Property

    alleging, based upon, arising out of, or attributable to any infringement, violation, or misappropriation of, or assertion of any right to, or interest in, any patent, copyright, trademark, trade dress or any other intellectual property right.

    However, this exclusion shall not apply to:

    1. solely with respect to Insuring Agreement I.F.1., an otherwise covered Claim for a Media Wrongful Act, except to the extent such Claim alleges that Media Content consisted of computer software or software technology which infringed upon copyrighted software;
    2. solely with respect to Insuring Agreement I.A.1., any Claim arising out of any actual, alleged, or reasonably suspected failure by an Insured to properly disclose, handle, manage, store, destroy, protect, use or otherwise control Protected Personal Information resulting from an Information Privacy Event; or
    3. solely with respect to Insuring Agreement I.B.1., any Claim arising out of the actual or alleged disclosure of Corporate Information resulting from a Network Security Event.
  23. Fees or Chargebacks

    alleging, based upon, arising out of, or attributable to any fees, expenses, or costs paid to or charged by an Insured, including chargebacks, transfer fees, transaction fees, merchant service fees, or prospective service fees.

    However, this exclusion shall not apply to:

    1. Solely with respect to Insuring Agreement I.A.4., any PCI-DSS Claim.
  25. Unsolicited Communications

    alleging, based upon, arising out of, or attributable to any violation of the Telephone Consumer Protection Act of 1991, as amended, or any similar federal, state, common, or foreign law relating to the unsolicited electronic dissemination of faxes, e-mails or other communications, or a natural person’s or entity’s right of seclusion.

    However, this exclusion shall not apply to:

    1. solely with respect to Insuring Agreements I.A.1. and I.A.2., a Claim resulting from any Insured’s actual, alleged or reasonably suspected violation of any Privacy Regulation; or
    2. solely with respect to Insuring Agreements I.A.1. and I.A.2., a Claim resulting from any Insured’s actual or alleged failure to adequately protect Computer Systems resulting in the release of Protected Personal Information.
  27. Consumer Protection Laws

    alleging, based upon, arising out of, or attributable to any Insured’s violation of the Truth in Lending Act, Fair Debt Collection Practices Act, Fair Credit Reporting Act, or the Fair and Accurate Credit Transactions Act or any amendments thereto or any rules or regulations promulgated thereunder, or any similar federal, state, common, or foreign law.

    However, this exclusion shall not apply to:

    1. solely with respect to Insuring Agreement I.A.1., any Claim arising out of the actual or alleged disclosure or theft of Protected Personal Information resulting from an Information Privacy Event.
  29. Infrastructure

    alleging, based upon, arising out of, or attributable to any electrical or mechanical failures of infrastructure, including an interruption, electrical disturbance, surge, spike, brownout, blackout, or outages to electricity, gas, water, or Internet access service and Domain Name System (DNS) service provided by the service provider that hosts an Insured Organization’s website, telecommunications, or other infrastructure.

    However, this exclusion shall not apply to failures, interruptions, disturbances or outages of telephone, cable or telecommunications systems, networks or infrastructure:

    1. under an Insured’s direct operational control; or
    2. solely with respect to Insuring Agreement(s) I.A.1. and I.B.1., which are the result of an actual or alleged Information Privacy Wrongful Act or Network Security Wrongful Act.

B. EXCLUSIONS APPLICABLE TO PARTICULAR INSURING AGREEMENTS

This Policy shall not apply to any Loss, Damages, or Claim Expenses on account of any Wrongful Act, any Cyber Event, or any Claim:

  1. Prior Acts

    Exclusively with respect to Third Party Coverage, alleging, based upon, arising out of, or attributable to any Wrongful Act:

    1. taking place, in whole or in part, prior to the Retroactive Date as stated in ITEM 7 of the Declarations; or
    2. by a Subsidiary or any of its Insured Persons, occurring at any time during which such entity was not a Subsidiary.
  3. Insured vs. Insured

    Exclusively with respect to Third Party Coverage, brought by or on behalf of any:

    1. Insured;
    2. entity, if ten percent (10%) or more of its equity is owned, controlled, operated or managed, directly or indirectly, by any Insured at the time the Wrongful Act is committed or Claim is made; or
    3. successor or assignee of any Insured.

    However, this exclusion shall not apply to any Claim:

    1. brought by or on behalf of an Insured Person for a Wrongful Act, but only to the extent such Insured Person did not commit or contribute to such Wrongful Act or to such extent such Insured Person is alleging an Insured Organization failed to comply or act in accordance with a Privacy Regulation;
    2. brought by or on behalf of an Employee alleging employee-related invasion of privacy or employee-related wrongful infliction of emotional distress, but only to the extent that such Claim arises out of the loss of Protected Personal Information resulting from an Information Privacy Wrongful Act; or
    3. brought by or on behalf of any Insured which is a third party entity as described in paragraph VII.A.2.a.
  5. Securities

    Exclusively with respect to Third Party Coverage, alleging, based upon, arising out of, or attributable to any Insured’s:

    1. purchase, sale, or offer, or solicitation of an offer, to purchase or sell securities; or
    2. violation of the Securities Act of 1933, the Securities Exchange Act of 1934, the Investment Company Act of 1940, the Investment Advisors Act, the Organized Crime Control Act of 1970, or any other federal, state or local securities law, and any amendments thereto or any rules or regulations circulated thereunder, or any similar federal, state or common law.

      However, paragraph VI.B.3.b. of this exclusion shall not apply to:
    3. solely with respect to Insuring Agreement(s) I.A.1., I.A.2., and I.A.4., any Claim alleging a failure to disclose an actual, reasonably suspected or potential Information Privacy Event if such disclosure is required by any Privacy Regulations.
  7. Governmental Seizure
  8. Exclusively with respect to First Party Coverage, alleging, based upon, arising out of, or attributable to any confiscation, nationalization, seizure, or destruction of a Computer System or electronic data held or processed by an Insured or by order of any governmental or public authority.

  9. Employment Practices or Discrimination
  10. Exclusively with respect to Third Party Coverage, alleging, based upon, arising out of, or attributable to any employment practices or illegal discrimination of any kind, or any employment relationship, or the nature, terms or conditions of employment, including claims for workplace torts, wrongful termination, dismissal or discharge, or any discrimination, harassment, or breach of employment contract.

    However, this exclusion shall not apply to:

    1. solely with respect to Insuring Agreement(s) I.A.1., I.A.2., and I.A.4., that portion of any Claim alleging Employee related invasion of privacy or wrongful infliction of emotional distress, provided that such Claim arises out of the actual or alleged disclosure or theft of Protected Personal Information resulting from an Information Privacy Wrongful Act.
  11. Antitrust
  12. Exclusively with respect to Third Party Coverage, alleging, based upon, arising out of, or attributable to any unfair competition or restraint of trade, including violations of any local, state, federal, or foreign laws governing the foregoing, whether brought by or on behalf any individuals, entities, the Federal Trade Commission, or any other federal, state, local, or foreign government agency.

    However, this exclusion shall not apply to:

    1. solely with respect to Insuring Agreement I.A.2., a Regulatory Claim resulting directly from a violation of Privacy Regulations;
    2. solely with respect to Insuring Agreement I.F.1., a Claim for a Media Wrongful Act as defined in paragraph V.40.g..
  13. Advertising & Representations
  14. Exclusively with respect to Insuring Agreement(s) I.F.1. and I.F.2, alleging, based upon, arising out of, orattributable to any inaccurate, inadequate, or incomplete description of the price of goods, products orservices, cost guarantees, cost representations, or contract price estimates, the authenticity of any goods,products or services, or the failure of any goods or services to conform with any represented quality of performance.

  15. Licensing
  16. Exclusively with respect to Insuring Agreement(s) I.F.1. and I.F.2., alleging, based upon, arising out of, or attributable to any action brought by or on behalf of the Federal Trade Commission, the Federal Communications Commission, or any other federal, state, or local government agency or ASCAP, SESAC, BMI or other licensing or rights entities in such entity’s regulatory, quasi-regulatory, or official capacity, function or duty.

  17. Contest or Game of Chance
  18. Exclusively with respect to Insuring Agreement(s) I.F.1. and I.F.2., alleging, based upon, arising out of, or attributable to any gambling, contest, game of chance, lottery, or promotional game, including the redemption of coupons or tickets related thereto.


C. EXCLUSIONS APPLICABLE TO FINANCIAL FRAUD INSURING AGREEMENTS

Exclusively with respect to Insuring Agreement(s) I.E.1. and I.E.2., this Policy shall not apply to any Computer Crimes Loss, Fraudulent Inducement Loss, or Reward Expense Loss on account of any Computer Crimes or any Fraudulent Inducement Instructions:

  1. Financial Fraud of Intellectual Property

    for the loss of confidential information, including trade secrets, formulas, patents, customer information, negatives, drawings, manuscripts, prints, and other records of a similar nature, or other confidential information, intellectual property of any kind, data or computer programs.

  2. Interest Income

    for or applicable to any potential income, including interest and dividends, not realized by the Insured Organization or a customer of the Insured Organization.

  3. Forged or Altered Instruments

    resulting directly from forged, altered, or fraudulent negotiable instruments, securities, documents or written instructions or instructions used as source documentation to enter electronic data or send instructions.

Conditions

Insured Extensions

Third Party Coverage shall extend to apply as follows:

  1. Spousal, Domestic Partner, Estates, and Legal Representatives
    1. In the event of an Insured Person’s death, incapacity, or bankruptcy, any Claim made against such Insured Person’s estate, heirs, executors, administrators, assigns, and legal representatives shall be considered to be a Claim made against such Insured Person, but only to the extent such Insured Person would otherwise be covered under this Policy; and
    2. In the event of a Claim made against an Insured Person’s lawful spouse or domestic partner, such Claim shall be considered to be a Claim made against such Insured Person, but only for a Wrongful Act actually or allegedly committed by such Insured Person other than such spouse or domestic partner.
  2. Additional Insureds
    1. If an Insured Organization is required by contract, or has explicitly agreed in writing, to add any third party entity as an Insured under this Policy, then such third party entity shall be considered an Insured under this Policy but only for Wrongful Acts actually or allegedly committed or attempted by an Insured Organization other than such third party entity.

Subsidiaries

  1. Coverage for Subsidiaries

    With respect to any Insured Organization which is a Subsidiary, coverage afforded under this Policy for such Subsidiary, and its Insured Persons, shall only apply to:

    1. Loss resulting from Cyber Events which occurred after the effective date that such entity became a Subsidiary and prior to the date that such entity ceased to be a Subsidiary; and
    2. Claims for Wrongful Acts which actually or allegedly occurred after the effective date that such entity became a Subsidiary and prior to the date that such entity ceased to be a Subsidiary.

    Any entity which ceases to be a Subsidiary during the Policy Period shall be afforded coverage through the expiration date of the current Policy Period but only with respect to Wrongful Acts and Cyber Events which occurred before the date it ceased to be a Subsidiary.

  2. Subsidiary Acquisition or Creation

    If, during the Policy Period, an Insured Organization acquires or creates another entity whose gross revenues exceed twenty five percent (25%) of the consolidated gross revenues of the Insured Organization, as of the most recent fiscal year prior to the effective date of this Policy, and such that the acquired or created entity becomes a Subsidiary, then such Subsidiary shall only be considered an Insured Organization for a period of ninety (90) days following its acquisition or formation unless:

    1. the Named Insured provides us written notice within sixty (60) days of the full particulars of such entity and agrees to any additional premium and amendments to this Policy relating to such entity; and
    2. we have ratified our acceptance of such entity as a Subsidiary by endorsement to this Policy.

Change of Control & Automatic Run-Off

If a Change of Control occurs during the Policy Period, then:

  1. Third Party Coverage under this Policy shall:
    1. continue in full force and effect until the expiration date of the current Policy Period with respect to Claims for Wrongful Acts committed before such Change of Control; and
    2. cease with respect to Claims for Wrongful Acts committed after such Change of Control;
  2. First Party Coverage under this Policy shall:
    1. continue in full force and effect until the expiration date of the current Policy Period with respect to Loss for Cyber Events which occurred before such Change of Control; and
    2. cease with respect to Loss for Cyber Events which occurred after such Change of Control;
  3. The Named Insured shall have the right to give us notice that it desires to purchase an Extended Reporting Period, in accordance with the conditions set forth in section VII.D.2., Extended Reporting Period, of this Policy; and
  4. This Policy may not be canceled by the Named Insured, and the entire premium shall be deemed fully earned.

Extended Reporting Period

  1. Automatic Discovery Reporting Period

    If this Policy does not renew or otherwise terminates for a reason other than failure to pay premium, then following the effective date of such event the Named Insured shall have the right, for a period of sixty (60) days following such event, to give us written notice of Claims made against any Insured during such sixty (60) day period for any Wrongful Acts committed prior to the effective date of such Policy termination or end of the Policy Period, whichever is applicable.

  2. Extended Reporting Period

    An “Extended Reporting Period,” if purchased, means the period of time in which the Named Insured may give us written notice of Claims first made against any Insured under this Policy, and shall be extended to apply to Claims first made during such Extended Reporting Period but only with respect to:

    1. Claims for Wrongful Acts which occurred prior to the effective date of Policy termination, the end of the Policy Period, or effective date of Change of Control (whichever is applicable); and
    2. Claims for Wrongful Acts made against persons or entities which were Insureds as of the effective date of Policy termination, the end of the Policy Period, or effective date of Change of Control (whichever is applicable).

    If this Policy does not renew or otherwise terminates for a reason other than for failure to pay premium, or upon the occurrence of a Change of Control, then upon the effective date of such event:

    1. the Named Insured shall have the right to give us notice that it desires to purchase an Extended Reporting Period for Third Party Coverage at any of the following additional periods and associated premium amounts, which are represented as a percentage of the annualized premium of the Policy to which the Extended Reporting Period applies:
      1. one (1) year for seventy five percent (75%); or
      2. two (2) years for one hundred twenty five percent (125%);
    2. the Named Insured, or a party acting on its behalf, may send us a request for the purchase of an Extended Reporting Period outside the additional periods and amounts indicated in VII.D.2.c. above, and we may, at our discretion, subsequently provide a quote for such request;
    3. any Claim made during a purchased Extended Reporting Period shall be deemed to have been made during the Policy Period immediately preceding the Extended Reporting Period;
    4. the Aggregate Limit of Insurance and Sub-Limits of Insurance available for any purchased Extended Reporting Period shall not be increased or renewed, unless we expressly provide such amendment via an endorsement to this Policy;
    5. the Named Insured’s right to purchase an Extended Reporting Period shall lapse unless we receive written notice from the Named Insured, or a party acting on its behalf, of the election to purchase such Extended Reporting Period within sixty (60) days after this Policy’s termination or expiration date or, if applicable, the effective date of any Change of Control; and
    6. the entire premium charged for any purchased Extended Reporting Period is due at the time of purchase and shall be considered fully earned as of the effective date of such Extended Reporting Period.

Notice

  1. Notice of Claims and Cyber Events

    An Insured shall, as a condition precedent to our obligations under this Policy, give us written notice as soon as practicable after any member of the Control Group:

    1. first becomes aware of any Claim made against an Insured; or
    2. discovers any Cyber Event;

    Provided further, and notwithstanding VII.E.1.a. and VII.E.1.b. above:

    1. all such notice of Claims made or Cyber Events discovered must be noticed to us no later than ninety (90) days after the end of the Policy Period or termination of this Policy, whichever is earlier; and
    2. if an Extended Reporting Period is purchased pursuant to section VII.D.2., all Claims made during such Extended Reporting Period must be reported to us no later than the end of the Extended Reporting Period;

    All such notices described in this clause VII.E.1. must include the following details related to the applicable Cyber Event or Claim:

    1. all pertinent facts, particulars, and dates, including the nature of such Cyber Event and its potential consequences and Damages;
    2. the identities of those persons allegedly involved or affected; and
    3. with respect to notices related to First Party Coverage, the business operations, Computer Systems, or other assets affected.
  2. Notice of Circumstances

    If, during the Policy Period, any member of the Control Group first becomes aware of any circumstances which may reasonably give rise to a Claim under this Policy, then any Claim which arises out of such circumstances shall be deemed to have been first made at the time such written notice was received by us, but only to the extent that such written notice includes the following details and is received by us during the Policy Period:

    1. details on why the Insured believes a Claim may be forthcoming;
    2. all pertinent facts, particulars, and dates, including the nature of such circumstances, why the Insured believes a Claim may reasonably be forthcoming, and its potential consequences and Damages; and
    3. the identities of those persons allegedly involved or affected.
  3. Notice Delivery

    All notices described within this condition VII.E., Notice, shall be given to us in writing, either electronically or non-electronically, at the address set forth in ITEM 5 of the Declarations. All such notices shall be effective on the date we receive such notice. If such notice is mailed or transmitted by electronic mail, the date of such mailing or transmission shall constitute the date that such notice was given to us, and proof of mailing or transmission shall be sufficient proof of notice.

Obligations

In connection with all Claims and Cyber Events under this Policy, the Insured agrees to the following:

  1. The Insured shall cooperate with and assist us in the effort to defend and settle any Claim, including:
    1. attending hearings and trials, assisting in securing and giving evidence, obtaining the attendance of witnesses, and enforcing the Insured’s rights of contribution or indemnity against any person or entity which may be liable to such Insured because of an act or omission covered under any Third Party Coverage; and
    2. delivering to us copies of all demands, legal papers, other related legal documents and invoices the Insured receives, as soon as practicable.
  2. The Insured shall not settle any Claim, incur any Claim Expenses, or otherwise assume any contractual obligation or admit any liability with respect to any Claim without our written consent, which shall not be unreasonably withheld. We shall not be liable for any settlement, Claim Expenses, assumed obligation, or admission to which we have not provided such consent.

Policy Termination

  1. We may only cancel this Policy prior to the expiration date of the Policy Period if the Named Insured fails to pay premium prior to its due date. If such cancellation is being considered, we shall deliver a written notice of pending cancellation. Such notice shall be delivered at least twenty (20) days prior to the date that such cancellation is proposed to become effective. If the full premium due is remitted to us prior to the proposed cancellation effective date, then such cancellation shall not go into effect.
  2. The Named Insured may cancel this Policy at any time and for any reason by delivering such instructions to us by mail or electronic mail. Such instructions may be delivered directly by the Named Insured or through any person or entity contracted to act on the Named Insured’s behalf for the placement of this Policy.
  3. If this Policy is canceled for any reason prior to the end of the Policy Period, we shall refund the unearned premium computed pro rata. Such premium adjustment shall be made as soon as practicable upon termination of the Policy, but payment or tender of any unearned premium by us shall not be a condition precedent to the effectiveness of such termination.
  4. We are not required to renew or offer to renew this Policy upon the expiry of its Policy Period.

Loss Calculations for Business Interruption and Public Relations

  1. In determining and calculating the amount of Public Relations Loss covered under this Policy, we shall give due consideration to the prior experience of the Insured Organization’s public and market perception before the beginning of the applicable Cyber Event or Media Wrongful Act, and we shall make this assessment at our sole discretion, in good faith, and as we deem reasonable and necessary.
  2. In determining and calculating the amount of Contingent Business Interruption Loss, Business Interruption Loss, and Extra Expense covered under this Policy, we shall give due consideration to the prior experience of the Insured Organization’s business before the beginning of the applicable System Disruption and to the probable business such Insured Organization could have performed had no System Disruption occurred.

Representations & Severability

We have relied upon the representations and statements in the Application in granting this Policy to the Insured, with such representations and statements forming the basis of coverage under this Policy. With respect to such representations and statements contained in the Application:

  1. no knowledge possessed by an Insured Person shall be imputed to any other Insured Person, and the Application shall be considered to be separate for each Insured Person;
  2. in the event the Application contains misrepresentations made with the actual intent to deceive or contains misrepresentations which materially affect either the acceptance of the risk or the hazard assumed by us under this Policy, then no coverage shall be afforded under this Policy based upon, arising from, or in any way attributable to any such misrepresentations with respect to:
    1. any Insured Person who knew of such misrepresentations, regardless of if such Insured Person knew such Application contained such misrepresentations; and
    2. an Insured Organization if any past or present member of the Control Group knew of such misrepresentations, regardless of if such member of the Control Group knew such Application contained such misrepresentations.
  3. we shall not be entitled under any circumstances to void or rescind this Policy with respect to any Insured.

Other Insurance

  1. If any Loss, Damages, or Claim Expenses or other amounts covered under this Policy are covered under any other valid and collectible insurance, then this Policy shall apply only to the extent that the amount of such Loss, Damages, or Claim Expenses are in excess of the amount of such other insurance whether such other insurance is specified as primary, contributory, excess, contingent or otherwise.
  2. However, paragraph VII.J.1. above shall not apply if such other insurance is written explicitly to serve as excess insurance over the Aggregate Limit of Insurance or Sub-Limits of Insurance provided by this Policy.

  3. The conditions set forth in VII.D.1., Automatic Discovery Reporting Period, and VII.E.2., Notice of Circumstances, shall not apply to Claims that are covered under any subsequent insurance purchased by an Insured or for an Insured’s benefit, or that would be covered by any subsequent insurance but for the exhaustion of the amount of insurance limits applicable and available under such subsequently placed insurance.

Subrogation

  1. In the event of any payment by us of Loss, Damages, or Claim Expenses or other amounts under this Policy, we are subrogated to the Insured’s rights of recovery against any person or organization, and the Insureds shall execute and deliver instruments, papers, and whatever else is necessary to secure such rights and enable us to effectively bring suit or otherwise pursue subrogation rights in the name of the Insureds under this Policy.
  2. However, we shall not subrogate as described in paragraph VII.K.1. above:
    1. against any Insured Person, unless such Insured Person was in violation of paragraph VI.A.1.; or
    2. if an Insured agreed in writing to waive such Insured’s right of recovery or subrogation against any person or entity prior to the Cyber Event or Wrongful Act which gave rise to the Claim or Loss connected with such subrogation.

Recoveries

All recoveries from third parties for payments of Loss, Damages, or Claim Expenses shall be applied in the following order of priority after first deducting the costs and expenses incurred in obtaining such recovery:

  1. to us, to reimburse us for any Retention we paid on an Insured’s behalf and for any Damages, Loss, or Claim Expenses we paid under this Policy; and
  2. to the Insured, to reimburse the Insured for any Retention such Insured paid and for any other amounts not covered under this Policy.

Provided, that such recoveries shall not include any recovery from insurance, reinsurance, security, or indemnity taken for our benefit, or any portion of a Retention we waived.

Authorization

The Named Insured has the authority to act on behalf of all Insureds and is responsible for the payment of premiums and receiving of notices of cancellation, nonrenewal, or any change to coverage provided under this Policy. All Insureds agree to this authority and have delegated, individually and collectively, all such authority exclusively to the Named Insured.

Provided, however, that nothing within this condition, VII.M. Authorization, shall relieve any Insured from giving any notice to us that is required under this Policy.

Assignment

This Policy, including any rights or duties herein, may not be transferred or assigned to another party unless we have provided our prior written consent to such transfer or assignment.

Actions Against Us

No action shall lie against us unless, as a condition precedent thereto, the Insured has been in full compliance with all terms of this Policy. No person or entity shall have any rights under this Policy to join us as a party to any action against any Insured to determine such Insured’s liability, nor shall we be impleaded by such Insured or the legal representatives of such Insured.

Disputes & Resolutions

This condition, VII.P. Disputes & Resolutions, provides the terms and conditions applicable to disputes which may arise between us and any Insured or amongst various Insureds. If any limitation in this section is deemed to be inconsistent with applicable law, such limitation is amended so as to equal the minimum period of limitation provided by such law.

  1. If any dispute persists between us and any Insured as it relates to this Policy, or any term or condition herein, we and such Insureds agree to make a determined effort to solve such dispute via alternative dispute mediation or through a third-party mediator. The costs to procure such mediation shall be paid by us, if applicable, but our payments of such costs shall not persist past a single alternative dispute mediation effort.
  2. In the event of a disagreement between or amongst any Insureds, the Named Insured shall have exclusive authority to act on behalf of all other Insureds with respect to negotiation of settlements and the decision to appeal or not to appeal any judgment.

Bankruptcy

Bankruptcy or insolvency of any Insured, including any Insured Person’s estate, does not relieve us of any of our obligations, rights or defenses under this Policy.

State Amendatory Inconsistency

If there is an inconsistency between any term or condition of this Policy, those terms and conditions which are more favorable to the Insured’s coverage shall apply to the extent permitted by law.

Provided, however, that with respect to any time period relating to notice of cancellation provided under this Policy, we shall apply the applicable state law.

Territory

Coverage provided under this Policy shall extend to Cyber Events and Wrongful Acts occurring or discovered, Claims made, and Losses incurred anywhere in the world.

Headings

The titles, headings, and subheadings of certain paragraphs, sections, conditions, or provisions of this Policy, and any endorsements attached thereto, are intended solely for convenience and reference and form no part of the terms and conditions of coverage under this Policy.