Financial Institution Computer Crime Policy
ISO Form FI 00 20 06 05
July 2006
Summary: In response to industry feedback that indicated an interest in ISO supporting the entire fidelity line of business, ISO has developed a Financial Institutions Program as a new line of business. This article provides an overview of form FI 00 20 06 05: the form provides coverage for losses resulting from computer fraud, fraudulent data processing, or programming. The policy is subject to certain exclusions and conditions, and the final section defines terms specific to this particular coverage.
Topics covered:
Introduction
Insuring agreement 1—computer fraud
Insuring agreement 2—data processing service operations
Insuring agreement 3—electronic data or computer programs
Limits of insurance and deductibles
Exclusions
Conditions
Definitions
Introduction
This policy contains three insuring agreements, and coverage is provided under these agreements when a limit of insurance is listed in the Declarations. The loss must arise from an occurrence and be discovered by a designated person during the policy period.
Insuring Agreement 1- Computer Fraud
1.Computer Fraud
a.We will pay for loss resulting directly from a fraudulent:
(1)Entry of “electronic data” or “computer program” into; or
(2)Change of “electronic data” or “computer program” within;
any “computer system” owned, leased or operated by you or your contracted electronic data processing firm, provided the fraudulent entry or fraudulent change causes, with regard to Paragraphs 1.a.(1) and 1.a.(2):
(a)”Property” to be transferred, paid or delivered;
(b)An account of yours, or of a “customer”, to be added, deleted, debited or credited; or
(c)An unauthorized account or a fictitious account to be debited or credited.
b.As used throughout this Insuring Agreement, fraudulent entry or fraudulent change of “electronic data” or “computer program” shall include such entry or change made by an employee of yours acting, in good faith, upon a fraudulent instruction:
(1)From a computer software contractor who has a written agreement with you to design, implement or service “computer programs” for a “computer system” covered under this Insuring Agreement; or
(2)Transmitted by “tested” telex or similar means of “tested” communication (except a “telefacsimile device”) purportedly sent by a “customer”, financial institution or automated clearinghouse.
Analysis
If the fraudulent entry or change of electronic data or of a computer program results in loss of property, coverage is provided for that loss. The fraudulent entry or change must cause property to be transferred, paid or delivered, or an account to be added, deleted, credited or debited, or an unauthorized account to be debited or credited.
If an employee makes a change to the computer system or data in good faith based on instructions received via a software contractor with which you have an agreement, or based on a tested communication from a supposed customer, coverage is provided.
Insuring Agreement 2 – Data Processing Service Operations
2.Data Processing Service Operations
a.We will pay for loss sustained by a “client” resulting directly from a fraudulent:
(1)Entry of “electronic data” or “computer program” into; or
(2)Change of “electronic data” or “computer program” within; any “computer system” covered under the terms of Insuring Agreement 1.; or
(3)Entry or change of “electronic data” during electronic transmission or physical transit from you to the “client”; provided the fraudulent entry or fraudulent change causes, with regard to Paragraphs 2.a.(1), 2.a.(2) or 2.a.(3):
(a)”Property” to be transferred, paid or delivered;
(b)An account of the “client”, or a customer of the “client”, to be added, deleted, debited or credited; or
(c)An unauthorized account or a fictitious account to be debited or credited; and for which loss you are legally liable to the “client” as a provider of data processing services.
b.As used throughout this Insuring Agreement, fraudulent entry or fraudulent change of “electronic data” or “computer program” shall include such entry or change made by an employee of yours acting, in good faith, upon a fraudulent instruction:
(1)From a software contractor who has a written agreement with you to design, implement or service “computer programs” for a “computer system” covered under this Insuring Agreement; or
(2)Transmitted by “tested” telex or similar means of “tested” communication (except a “telefacsimile device”) purportedly sent by a “customer”, financial institution or automated clearinghouse.
Analysis
Insuring agreement 2 is very similar to insuring agreement 1; coverage is provided for fraudulent entry or change of computer systems which results in the transfer of property or an unauthorized or fictitious account to be credited or debited. The main difference is that it is not the account of the named insured or a customer that is protected against fraudulent changes of addition, deletion, debit or credit, but it is the account of a client or a client's customer that is covered. A client is an entity for whom the named insured serves as a data processor under the terms of a written agreement. Therefore, when the named insured is providing data processing services to someone, and there is a fraudulent entry or change to an account of the client for whom the named insured is providing that processing function, the loss is covered.
The same provisions apply regarding an employee who in good faith acts upon fraudulent instructions from either a computer contractor or instructions received by a tested transmission for a supposed customer.
Insuring Agreement 3 – Electronic Data or Computer Programs
3.Electronic Data or Computer Programs
In the event of loss of or damage to “electronic data” or “computer programs” resulting directly from a virus or malicious instruction, we will pay for the cost to replace or restore such “electronic data” or “computer programs”, including the cost of data entry, reprogramming and computer consultation services. However, we will not pay for the cost to duplicate research that led to the development of your “electronic data” or “computer programs”. To the extent that any “electronic data” cannot be replaced or restored, we will pay the cost to replace the media on which the “electronic data” were stored with blank media of substantially identical type.
Analysis
Loss to data or programs as a result of a virus or malicious instruction is covered. The covered damages include cost to replace or restore data or programs, including cost of data entry, reprogramming and consultation services. What is not covered is the cost to duplicate any research that was required in originally creating the data or programs. If data cannot be restored, the cost to replace the media on which the data was stored using blank media of a basically identical type will be paid.
Limits of Insurance/Deductibles
1.Policy Aggregate Limit Of Insurance
a.The most we will pay for all loss “discovered” during the Policy Period shown in the Declarations is the Policy Aggregate Limit Of Insurance shown in the Declarations. The Policy Aggregate Limit Of Insurance shall be reduced by the amount of any payment made under the terms of this policy, regardless of when paid.
b.Upon exhaustion of the Policy Aggregate Limit Of Insurance by such payments:
(1)We shall have no further liability for loss or losses regardless of when “discovered” and whether or not previously reported to us; and
(2)We shall have no obligation under Condition 8.c. to continue your defense, and upon our notice to you that the Policy Aggregate Limit Of Insurance has been exhausted, you shall assume all responsibility for your defense at your own cost.
c.The Policy Aggregate Limit Of Insurance shall be reinstated by any recovery net of the expense of such recovery received by us during the Policy Period and before the Policy Aggregate Limit Of Insurance is exhausted. Recovery from reinsurance and/or indemnity of ours shall not be deemed a recovery. In the event that a loss of “property” is settled by us through the use of a lost instrument bond, such loss shall not reduce the Policy Aggregate Limit Of Insurance, unless a payment under such lost instrument bond is made and then only for that amount of payment.
2.Single Loss Limit Of Insurance
Subject to the Policy Aggregate Limit Of Insurance in Paragraph B.1., the most we will pay for each “single loss” is the applicable Single Loss Limit Of Insurance shown in the Declarations. If a “single loss” is covered under more than one Insuring Agreement or Coverage, the most we will pay for such loss shall not exceed the largest amount available under any one Insuring Agreement or Coverage.
We will only pay the amount by which any “single loss” exceeds the applicable Single Loss Deductible Amount shown in the Declarations. We will then pay the amount of loss in excess of the Single Loss Deductible Amount, up to the Single Loss Limit Of Insurance, subject to the Policy Aggregate Limit Of Insurance.
Analysis
This policy provides two limits of insurance, an aggregate limit and a single loss limit. The most that will be paid for all losses discovered during the policy period on the declarations is the policy aggregate limit shown on the declarations. Regardless of when payment is made, the aggregate limit of insurance will be reduced by that amount. Successive losses within a policy period will subtract from the overall available limit for other losses during the remainder of the policy period.
Once the policy aggregate limit has been reached, the insurer has no further obligation for any losses regardless of when they were discovered or reported. There is no obligation to continue any defense; once the aggregate limit has been reached, the insured is responsible for all defense costs.
Any recovery less the actual expense of such recovery, and received during the policy period before the aggregate limit is exhausted, will replenish the aggregate limit by the amount of recovery. Recovery from reinsurance is not considered to be recovery and will not replenish the aggregate limit.
A “single loss” means all covered loss including court costs and attorney fees incurred by the insurer resulting from an occurrence. The insuring agreements on the policy may each have a separate single loss limit. Subject to the aggregate limit, the most that is payable for a single loss is that listed on the declarations for the applicable single loss limit. If a loss involves more than one insuring agreement, the most that will be paid is the largest amount available under any one insuring agreement or coverage. For example, if damage to electronic property falls under the computer fraud and the electronic data insuring agreements, the most that will be paid for the loss is the highest limit of the two listed on the Declarations. The limit under computer fraud is $10,000, and the limit under electronic data is $15,000. With a $20,000 loss, the insurer will pay $15,000, the higher of the two single limits. If there have been several losses on the policy and the aggregate limit has been exhausted, then there is no payment for the claim, even though the declarations show a single loss limit amount.
This policy does not cover:
1.Loss of the type or kind covered by your financial institution crime policy or financial institution bond, regardless of any deductible amount or limit of insurance.
2.Loss resulting directly or indirectly from the dispersal or application of pathogenic or poisonous biological or chemical materials, nuclear reaction, nuclear radiation or radioactive contamination, or any related act or incident.
3.Loss or damage caused by or resulting from pollution. Pollution means the discharge, dispersal, seepage, migration, release or escape of any solid, liquid, gaseous or thermal irritant or contaminant, including smoke, vapor, soot, fumes, acids, alkalis, chemicals and waste. Waste includes materials to be recycled, reconditioned or reclaimed.
4.Potential income, including but not limited to interest and dividends, not realized by you.
5.Damages of any type for which you are legally liable, except direct compensatory damages, but not multiples thereof, arising directly from a loss covered under this policy.
6.Indirect or consequential loss of any nature.
Analysis
This policy excludes anything that is covered under the named insured's financial institution crime policy or bond, regardless of deductible amounts or insurance. This is to avoid duplication of coverage among policies.
The next two exclusions are the common biological, chemical, nuclear, and pollution exclusions. Coverage is not provided for any loss resulting from biological or chemical pathogens, nuclear radiation, or contamination. The pollution exclusion defines the pollutant and the mechanism by which it may occur on the property.
Loss of potential income, indirect, or consequential loss is not covered. Damages are excluded unless the named insured is legally liable for direct compensatory damages arising out of a loss covered under this policy. Multiples of the compensatory damages are not covered.
7.Loss or damage caused directly or indirectly from:
a.War, including undeclared or civil war;
b.Warlike action by a military force, including action in hindering or defending against an actual or expected attack, by any government, sovereign or other authority using military personnel or other agents;
c.Insurrection, revolution, usurped power, or action taken by governmental authority in hindering or defending against any of these; or
d.Riot or civil commotion outside the United States of America (its territories and possessions), Puerto Rico and Canada.
8.All fees, costs and expenses incurred by you:
a.In establishing the existence or amount of loss covered under this policy; or
b.In connection with any legal proceeding whether or not such legal proceeding exposes you to loss covered under this policy.
Analysis
There is no coverage for war, warlike action, insurrection, revolution, or military action to defend against any such actions. Riot or civil commotion outside the United States, its territories and possessions, Canada and Puerto Rico is excluded.
Fees and expenses from determining the amount or existence of loss, or related to any legal proceedings, are excluded. The legal fees are not covered even if the first named insured is exposed to loss covered under this policy.
9.Loss of or damage to confidential information, except loss of or damage to “electronic data” or “computer programs” when covered under Insuring Agreement 3.
10.Loss resulting directly or indirectly from any acts of any of your directors, trustees or employees or by a person in collusion with any of your directors, trustees or employees. (Collusion shall include the willful withholding of knowledge from you by any of your directors, trustees or employees that a fraudulent act by a person who is not a director, trustee or employee of yours has been or will be perpetrated against you.)
11.Loss resulting directly or indirectly from the use or purported use of credit, debit, charge, access, convenience, identification or other cards whether such cards were issued, or purport to have been issued, by you or by anyone else.
12.Loss resulting directly or indirectly from payments made or withdrawals from a depositor's account involving items of deposit which are not finally paid for any reason.
Analysis
Unless coverage is provided for the loss of electronic data or computer programs under insuring agreement 3, Electronic Data or Computer Programs, any loss to confidential information is excluded. Insuring agreement 3 provides coverage for damage due to a virus or malicious instruction. Errors are not covered.
Acts of directors, trustees, employees, or anyone they are in collusion with are not covered.
The use of authentic or forged credit, debit, charge, or other cards that supposedly have been issued by the first named insured which results in loss is not covered. The insured has no control over how cards it issues are used, and cannot prevent the creation of fraudulent cards identical in appearance to legitimate cards issued by the insured.
13.Loss through the surrender of property away from any of your offices or premises as a result of a threat:
a.To do bodily harm to any person;
b.To do damage to offices or premises or property;
c.To introduce a denial of service attack into your “computer system”;
d.To introduce a virus or other malicious instruction into your “computer system” which is designed to damage, destroy or corrupt “electronic data” or “computer programs” stored within your “computer system”; or
e.To disseminate, divulge or utilize:
(1)Your proprietary information; or
(2)Weaknesses in the source code within your “computer system”.
14.Loss involving any automated teller machine which, on your behalf, disburses money, accepts deposits, cashes checks, drafts or similar written instruments or makes credit card loans.
15.Loss resulting directly or indirectly from any e-mail instruction, except when covered under Insuring Agreement 1.b.(1) or 2.b.(1).
16.Loss resulting directly or indirectly from any voice instruction, unless covered under Insuring Agreement 1.b.(1) or 2.b.(1).
17.Loss resulting directly or indirectly from any telefacsimile instruction.
18.Loss resulting directly or indirectly from negotiable instruments, securities, documents or other written instruments which bear a forged signature, or are counterfeit, altered or otherwise fraudulent and which are used as source documentation in the preparation of “electronic data” entered into a data terminal.
19.Loss resulting directly or indirectly from:
a.Mechanical failure, faulty construction, error in design, latent defect, fire, wear or tear, gradual deterioration, electrical disturbance or electrical surge which affects a “computer system”;
b.Failure, malfunction or breakdown of electronic data processing media; or
c.Error or omission in programming or processing.
20.Loss resulting directly or indirectly from the input of “electronic data” into a “computer system” terminal device either on the premises of a “customer” or under the control of such “customer” by a person who had authorized access to the “customer's” authentication mechanism.
21.Loss resulting directly or indirectly from your assumption of liability under any contract, unless the liability arises from an otherwise covered loss and would be imposed on you regardless of the existence of the contract.
Analysis
This series of exclusions restricts coverage for losses that are covered under other crime policies; the policy does not intend to provide duplicate coverage. Extortion losses, which are demands of property against threats of harm against employees or systems of the named insured, are excluded. For example; an insured receives a message that unless 5 million dollars is wired to an overseas account by midnight the computer systems will be attacked by a virus and data will be destroyed. If the insured wires the money, there is no coverage for that loss of funds.
Losses involving automated teller machines, telefacsimile instructions, mechanical failure of equipment, forged documents or human error are excluded.
Loss from email instructions and voice instructions are excluded unless it's covered in Insuring Agreement 1 Computer Fraud section 1.b.(1) or Agreement 2 Data Processing Service Operations section 2.b (1). Both sections provide coverage if an employee has in good faith relied on instructions of a computer software contractor with a written agreement with the named insured. Losses for any contract under which the insured assumes additional liability, except for losses arising from a covered loss or losses the insured would be liable for without the contract are excluded.
The Conditions section enumerates rights and duties of the insured and rights of the insurer.
1.Cooperation
You must cooperate with us in all matters pertaining to this policy as stated in its terms and conditions.
2.Representations
a.You represent that all information and statements contained in the application for this policy are true, accurate and complete. All such information and statements are the basis for our issuing this policy and shall be considered as incorporated into and constitute a part of this policy.
b.Any intentional:
(1)Misrepresentation;
(2)Omission;
(3)Concealment; or
(4)Misstatement of a material fact; in the application or otherwise, shall be grounds for the rescission of this policy.
3.Ownership
The “property” covered under this policy is limited to “property”:
a.That you own or lease;
b.That is held by you in any capacity; or
c.For which you are legally liable.
However, this policy is for your benefit only. It provides no rights or benefits to any other person or organization. Any claim for loss covered under this policy must be presented by you.
Analysis
The named insured is required to cooperate with the company in all matters, and must represent that all information in the application is true and correct. Intentional misrepresentation, concealment, omission or misstatement of a material fact is grounds for rescission of the policy. A material fact is one that has importance to the information presented. Failure to disclose that the director of the company was just released from prison because of computer and insurance fraud is a material fact. The fact that he wears size ten shoes is not a material fact.
When a policy is rescinded due to intentional misrepresentation, the coverage is void ab initio, which is from the beginning as if coverage never existed. The reasoning behind this is that if the insurer had known the truth from the beginning, they would not have agreed to provide coverage. Statutes concerning rescission of policies vary from state to state.
The property covered under this policy must be owned or leased by the insured, held by the insured, or for which the insured is liable. Property is defined as money, monetary instruments, securities, electronic data or computer programs, and tangible property.
4.Additional Computer Systems
If, while this policy is in force, you establish any additional “computer systems”, other than through consolidation or merger with, or purchase or acquisition of assets or liabilities of another institution, such “computer systems” shall automatically be covered under this policy. Notice to us of an increase in the number of “computer systems” need not be given and no additional premium need be paid for the remainder of the Policy Period.
5.Consolidation – Merger Or Acquisition
a.Except as provided in Paragraph 5.b., if you consolidate or merge with, or purchase or acquire the assets or liabilities of, another institution and you acquire additional “computer systems”:
(1)You shall notify us in writing as soon as practicable and obtain our written consent to extend the coverage provided by this policy to such “computer systems”. We may condition our consent by requiring payment of an additional premium; but
(2)For the first 90 days after the effective date of such consolidation, merger or purchase or acquisition of assets or liabilities, the coverage provided by this policy shall apply to such “computer systems”, provided all “occurrences” causing or contributing to a loss involving such “computer systems” must take place after the effective date of such consolidation, merger or purchase or acquisition of assets or liabilities.
b.For institutions you acquire in which you own greater than 50% of the voting stock or voting rights, coverage under this policy shall automatically become effective on the date of such acquisition with no additional premium required, provided:
(1)All “occurrences” causing or contributing to a loss involving such “computer systems” must take place after the effective date of such acquisition; and
(2)The assets of the acquired institution do not exceed 10% of your total assets as reflected in your most recent calendar quarter consolidated financial statements immediately preceding the effective date of the policy.
6.Joint Insured
a.If more than one Insured is named in the Declarations, the first Named Insured shall act for itself and for every other Insured for all purposes of this policy.
b.Knowledge possessed or “discovery” made by a “designated person” of any Insured shall constitute knowledge or “discovery” by all Insureds for all purposes of this policy.
c.We will not pay more for loss or losses sustained by more than one Insured than the amount we would pay if all such loss or losses had been sustained by one Insured.
d.Payment by us to the first Named Insured for loss sustained by any Insured shall fully release us on account of such loss.
7.Change In Control – Notice To Us
a.When you learn of a change in control, you shall notify us in writing as soon as practicable, but not to exceed 60 days from the date of such change in control.
b.As used in this Condition, control means the power to determine the management or policy of the Insured or of a controlling holding company by virtue of voting stock ownership. A change in ownership of voting stock which results in direct or indirect ownership by a stockholder or an affiliated group of stockholders of more than 10% of such stock shall be presumed to result in a change of control for the purpose of the required notice.
c.A change in ownership which results in direct or indirect ownership by a stockholder or an affiliated group of stockholders of more than 50% of the voting stock of the first Named Insured shall cause this policy to be terminated as set forth in Condition 20.b.(1)(b).
Analysis
Unless the result of a consolidation or merger, or purchase of another institution's assets, the addition of computer systems will automatically be covered without a charge for additional premium or the need to notify the insurer of the additional computer equipment.
When the additional computer systems are the result of a consolidation, merger or acquisition, the insurer must be notified in writing as soon as possible, and an additional premium may be charged. Coverage for the newly acquired systems is provided during the first ninety days only if the date of loss is after the date of the merger.
When an acquisition results in the insured owning greater than fifty percent of the voting stock or rights of the acquired organization, coverage is automatically provided without additional premium as long as: occurrences are after the effective date of the acquisition;
and the assets acquired do not exceed ten percent of the insured's total assets as shown in the most recent calendar quarter financial statements immediately preceding the date of the policy.
For example, Big Bank purchases Little Bank; as part of the purchase, Big Bank acquires 60 percent of the voting stock of Little Bank. Big Bank is a much larger institution than Little Bank, so while Big Bank controls the voting stock, the assets of Little Bank, when added to Big Bank's original assets, are less than 10 percent of Big Bank's total assets as reflected on the most recent quarterly financial statements. In order for any loss to be covered, it must occur during the policy period. If Little Bank had sustained a loss prior to the effective date of the acquisition by Big Bank, there would be no coverage.
If there is more than one insured named in the Declarations, any action by the first named insured shall be applicable to every other insured. The first named insured can make coverage changes to the policy that affects all other insureds. Likewise knowledge relevant to the policy that one insured knows is considered to be known by all insureds.
If more than one insured sustains a loss, no more will be paid out than if all such losses had been sustained by one insured. Payment to the first named insured for loss sustained by any insured releases the insurer on account of such loss.
A change in control is defined as a change in ownership of voting stock that result in any given stockholder having possession of more than 10 percent of such stock. The insured is required to notify the carrier immediately of such a change and must do so within sixty days after the effective date of the change. Any change in ownership which results in more than 50 percent of the voting stock being held by one stockholder or organization will cause this policy to be terminated in accordance with Condition 20.b.(1)(b).
8.Notice To Us Of Legal Proceedings Against You – Our Election To Defend
a.You shall notify us at the earliest practicable moment, not to exceed 60 days after you receive notice of any legal proceeding brought to determine your liability for any loss, claim or damage, which, if established, would constitute a collectible loss under this policy. Concurrently, you shall furnish copies of all pleadings and pertinent papers to us.
b.We may, at our sole option, elect to conduct the defense of such legal proceeding, in whole or in part. If we so elect, the defense by us shall be in your name through attorneys selected by us. You shall provide all reasonable information and assistance required by us for such defense.
c.If we elect to defend you, in whole or in part, any judgment against you on those counts or causes of action which we defended on your behalf or any settlement in which we participate and all attorneys' fees, costs and expenses incurred by us in defense of the litigation shall be a loss covered by this policy.
d.If you do not give the notices required in Condition 9.a.(1) and also in Paragraph 8.a., or if we elect not to defend any causes of action, neither a judgment against you, nor a settlement of any legal proceeding by you, shall determine the existence, extent or amount of coverage under this policy for loss sustained by you, and we shall not be liable for any attorneys' fees, costs and expenses incurred by you.
e.With regard to this Condition, Paragraphs a.(5) and b. of Condition 9. apply upon the entry of such judgment or the occurrence of such settlement instead of upon “discovery” of loss. In addition, you must notify us within 30 days after such judgment is entered against you or after you settle such legal proceeding, and, subject to Condition 9.c., you may not bring legal proceedings for the recovery of such loss after the expiration of 24 months from the date of such final judgment or settlement.
Analysis
In the event of legal proceedings against the insured that could establish liability for damages collectible under this policy, the insured is to notify the company as soon as possible, not to exceed sixty days from the initial date of notice. Any copies of pleadings are to be sent to the company.
The company has the right to elect to conduct a defense, and select attorneys. The company will pay any defense costs and any judgment the insured becomes liable for as a result of the company defense.
If the insured fails to provide the company notice of a suit or the company decides not to defend the case, any resultant judgment or settlement shall not determine the existence of coverage under this policy, nor will the company cover legal expenses and fees.
Paragraph a.(5) and b. of Condition 9 indicate that within six months of the discovery of a loss the insured must furnish a proof of loss, and that beyond twenty four months no legal proceedings for the recovery of any loss may be brought.
9.Notice To Us – Proof – Legal Proceedings Against Us
a.After you “discover” a loss or a situation that may result in a loss, you shall:
(1)Notify us at the earliest practicable moment, not to exceed 60 days.
(2)Submit to examination under oath at our request and give us a signed statement of your answers.
(3)Produce for our examination all pertinent records.
(4)Cooperate with us in the investigation and settlement of any claim.
(5)Within 6 months from the date you “discovered” the loss, furnish to us proof of loss, duly sworn to, with full particulars. In addition, “certificated securities” listed in a proof of loss shall be identified by certificate or bond numbers if such securities were issued therewith.
b.Legal proceedings for the recovery of any loss under this policy shall not be brought after the expiration of 24 months from the date of “discovery” of such loss.
c.If any limitation embodied in this Condition is prohibited by any law controlling the construction hereof, such limitation shall be deemed to be amended so as to equal the minimum period of limitation provided by such law.
d.This policy affords coverage only in your favor. No suit, action or legal proceeding shall be brought under this policy by anyone other than you.
Analysis
This agreement details the specific duties of the insured in the event of a loss; the reporting of the loss to the carrier, providing information including proof of loss statements, statements under oath, records, cooperation with the investigation, and time frames for submission of losses and documents.
Notification of the loss must be as soon as possible and not more than sixty days from the date of loss. A fully detailed proof of loss statement is required within six months of the date of the discovery of the loss.
Certificated securities listed in a proof of loss need to be identified by certificate or bond numbers.
10.Assignment – Subrogation – Recovery
a.In the event of payment under this policy, you shall deliver, if so requested by us, an assignment of your rights, title and interest and causes of action as you have against any person or entity to the extent of the loss payment.
b.In the event of payment under this policy, we shall be subrogated to all of your rights of recovery against any person or entity to the extent of such payment.
c.Recoveries, whether effected before or after any payment under this policy, whether made by us or by you, shall be applied net of the expense of such recovery:
(1)First, to you in the satisfaction of your covered loss in excess of the amount paid under this policy;
(2)Second, to us in satisfaction of amounts paid in settlement of your claim;
(3)Third, to you in satisfaction of any Single Loss Deductible Amount; and
(4)Fourth, to you in satisfaction of any loss not covered under this policy.
Recovery on account of loss of securities as set forth in Condition 19.b. or recovery from reinsurance and/or indemnity by us shall not be deemed a recovery as used herein.
11.Transfer Of Your Rights And Duties Under This Policy
Your rights and duties under this policy may not be transferred without our written consent.
12.Changes
This policy contains all the agreements between you and us concerning the insurance afforded. The first Named Insured shown in the Declarations is authorized to make changes in the terms of this policy with our consent. This policy's terms can be amended or waived only by endorsement issued by us and made a part of this policy.
13.Records
You must keep records of all “property” covered under this policy so we can verify the amount of any loss.
14.Examination Of Your Books And Records
We may examine and audit your books and records as they relate to this policy at any time during the Policy Period and up to 3 years afterward.
15.Inspections And Surveys
a.We have the right to:
(1)Make inspections and surveys at any time;
(2)Give you reports on the conditions we find; and
(3)Recommend changes.
b.We are not obligated to make any inspections, surveys, reports or recommendations and any such actions we do undertake relate only to insurability and the premiums to be charged. We do not make safety inspections. We do not undertake to perform the duty of any person or organization to provide for the health or safety of any workers or the public. And we do not warrant that conditions:
(1)Are safe or healthful; or
(2)Comply with laws, regulations, codes or standards.
c.Paragraphs 15.a. and 15.b. apply not only to us, but also to any rating, advisory, rate service or similar organization which makes insurance inspections, surveys, reports or recommendations.
Analysis
Upon payment under this policy, the insured is required to assign any rights, title, interest or causes of action against the other party to the insurer at their request. This allows the insurer to proceed against the other party to recover what they have paid out. Recoveries shall be applied as follows: first to the insured for any loss in excess of what the policy paid out; next to the insurer for payments made under the policy; then to the insured for any deductible, and lastly to the insured for any damages not covered under this policy.
The insured may not transfer rights or duties under this policy without written consent from the carrier. The first named insured is authorized to make changes to the policy with the consent of the insurer. Policy terms can only be amended by endorsement to the policy issued by the insurer.
Records are to be kept of all property covered by this policy so that in the event of a loss the amount of the loss can be verified.
The insurer has the right to examine and audit books and records up to three years after the policy period. The company may also make inspections, or surveys, and give the named insured reports and recommend changes. The company is not obligated to make surveys, and does so only to review insurability. No warranties are made that conditions are safe or comply with laws/regulations/codes.
16.Liberalization
If we adopt any revision that would broaden the coverage under this policy without additional premium within 45 days prior to or during the Policy Period, the broadened coverage will immediately apply to this policy.
17.Premiums
The first Named Insured shown in the Declarations:
a.Is responsible for the payment of all premiums; and
b.Will be the payee for any return premiums we pay.
18.Other Insurance Or Indemnity
Coverage afforded under this policy shall apply only as excess over any valid and collectible insurance or indemnity obtained by:
a.You; or
b.One other than you.
However, this policy does not provide excess indemnity for losses covered by your financial institution crime policy or financial institution bond.
Analysis
When the insurer makes revisions to a policy that broadens coverage, and there is no additional premium, if the revisions are made forty five days prior to, or during the policy period, the policy will automatically expand to contain this coverage.
The first named insured is held responsible for any payments due, and is the payee for any return premiums.
If the insured has another policy which would apply, the insurance under this policy is considered excess except for losses covered by a financial institution crime policy or financial institution bond. Excess coverage over those two policies is not provided by this policy.
19.Valuation – Settlement
a.Money
Any loss of “money”, or loss payable in “money”, will be paid, at your option:
(1)In the “money” of the country in which the loss was sustained; or
(2)In the United States of America dollar equivalent determined by the rate of exchange published in The Wall Street Journal on the day the loss was “discovered”.
b.Securities
(1)We will settle in kind our liability under this policy on account of a loss of any securities or, at your option, will pay you the cost of replacing such securities, determined by the market value of such securities at the close of business on the day the loss was “discovered”.
In case of a loss of subscription, conversion or redemption privileges through the misplacement or loss of securities, the amount of such loss will be the value of such privileges immediately preceding their expiration.
(2)If the applicable coverage of this policy is subject to a Single Loss Deductible Amount and/or is not sufficient in amount to indemnify you in full for the loss of securities for which claim is made under this policy, our liability under this policy is limited to the payment for, or the duplication of, so much of such securities as has a value equal to the limit of such applicable coverage.
c.Other Property Not Specified Above
(1)In case of loss of or damage to any “property” (other than “property” specified in Paragraphs 19.a. and 19.b., “electronic data” and “computer programs”), we will pay the replacement cost of such “property” without deduction for depreciation. However, we will not pay more than the least of the following:
(a)The Single Loss Limit of Insurance applicable to the lost or damaged “property”;
(b)The cost to replace the lost or damaged “property” with “property” of comparable material and quality and used for the same purpose; or
(c)The amount you actually spend that is necessary to repair or replace the lost or damaged “property”.
(2)We will not pay on a replacement cost basis for any loss of or damage to “property” covered in Paragraph 19.c.(1):
(a)Until the lost or damaged “property” is actually repaired or replaced; and
(b)Unless the repairs or replacement are made as soon as reasonably possible after the loss or damage.
If the lost or damaged “property” is not repaired or replaced, we will pay on an actual cash value basis.
(3)We will, at your option, pay for loss of or damage to such “property”:
(a)In the “money” of the country in which the loss or damage occurred; or
(b)In the United States of America dollar equivalent of the “money” of the country in which the loss or damage occurred determined by the rate of exchange published in The Wall Street Journal on the day the loss was “discovered”.
(4)Any “property” that we pay for or replace becomes our property.
Analysis
Any losses of money, or loss payable in money, are payable, at the insured's request, either in the currency of the country in which the loss was sustained or in U.S. dollars. The dollar equivalent is based on the exchange rate published in the Wall Street Journal on the date the loss was discovered.
Loss of securities is settled in kind or, at insured's option, the cost of replacing them will be paid. Their value is determined by the market value of the securities on the close of business on the day the loss was discovered. If subscription, conversion or redemption privileges are lost, the amount of settlement will be the value of such privileges immediately preceding their expiration. Once the policy limits have been reached, the insurer's obligation for payment is complete, even though the loss may be greater than the applicable limits of coverage.
Other property not specified as money or securities will be paid on a replacement cost basis without deductions for depreciation. Payment will not be more than the least of: Single loss limit of applicable insurance, cost to replace lost or damaged property with like kind and quality, amount the insured actually spends to repair or replace the lost or damaged property.
While payment is on a replacement cost basis, payment will not be made until the lost or damaged property is repaired or replaced. The repairs or replacements are to be made as soon as possible. Payment again is offered in the currency of the country in which the loss occurred or in U.S. currency at the exchange rate on the day the loss was discovered.
20.Policy Cancellation Or Termination
a.Policy Cancellation
(1)The first Named Insured shown in the Declarations may cancel this policy by mailing or delivering to us advanced written notice of cancellation.
(2)We may cancel this policy by mailing or delivering to the first Named Insured written notice of cancellation at least:
(a)10 days before the effective date of cancellation if we cancel for nonpayment of premium; or
(b)60 days before the effective date of cancellation if we cancel for any other reason, other than for policy termination as provided in Paragraph 20.b.
(3)We will mail or deliver our notice to the first Named Insured's last mailing address known to us.
(4)Notice of cancellation will state the effective date of cancellation. The Policy Period will end on that date.
(5)If this policy is canceled, we will send the first Named Insured any premium refund due. If we cancel, the refund will be pro rata. If the first Named Insured cancels, the refund may be less than pro rata. The cancellation will be effective even if we have not made or offered a refund.
(6)If notice is mailed, proof of mailing will be sufficient proof of notice.
b.Policy Termination
(1)This policy terminates immediately upon:
(a)Your being taken over by a receiver or other liquidator or by State or Federal officials;
(b)The effective date of the first Named Insured being acquired by another entity. As used in this Condition, acquired means a change in control where the power to determine the management or policy of the first Named Insured has changed by virtue of a change of ownership which results in direct or indirect ownership by a stockholder or an affiliated group of stockholders of more than 50% of its voting stock, regardless as to the changes to the core functions of the acquired institution;
(c)The expiration of the Policy Period shown in the Declarations; or
(d)The exhaustion of the Policy Aggregate Limit Of Insurance.
If this policy terminates for any reason specified in Paragraph 20.b.(1)(a) or 20.b.(1)(b), we will send the first Named Insured any premium refund due. The refund will be pro rata.
(2)This policy terminates as to any Insured, other than the first Named Insured, immediately upon its acquisition by another entity of more than 50% of its voting stock or being taken over by a receiver or other liquidator or by State or Federal officials.
(3)Termination of the policy as to any Insured terminates liability for any loss sustained by such Insured, which is “discovered” after the effective date of such termination.
Analysis
The policy may be cancelled at the request of the insured; the request must be in writing from the first named insured. The company may cancel the policy by delivering notice to the last known address of the first named insured. If the policy is to be cancelled due to nonpayment of premium, notice must be given ten days in advance of the effective date of the action. For cancellations for any other reason, notice must be given sixty days in advance. Any refunds will be sent to the first named insured. These cancellation and time requirements are subject to individual state regulations.
The policy terminates immediately upon the expiration of the policy period or the exhaustion of the aggregate limit of insurance as shown in the Declarations.
The taking over of the first named insured by a receiver or other liquidator, or by State or Federal officials results in immediate termination of the policy. If the first named insured is acquired by another entity, the effective date of that takeover is the termination date of the policy. This acquisition indicates a change in control by management or stockholders controlling more than 50 percent of the voting stock.
Definitions
As used in this policy:
1.”Certificated security” means a share, participation or other interest in property of or an enterprise of the issuer or an obligation of the issuer, which is:
a.Represented by an instrument issued in bearer or registered form;
b.Of a type commonly dealt in on securities exchanges or markets or commonly recognized in any area in which it is issued or dealt in as a medium for investment; and
c.Either one of a class or series or by its terms divisible into a class or series of shares, participations, interests or obligations.
2.”Client” means an entity for whom you serve as a data processor under the terms of a written agreement.
3.”Computer program” means a set of related electronic instructions that direct the operations and function of a computer and computer devices connected to it and enable the computer or devices to receive, process, store or send “electronic data”.
4.”Computer system” means:
a.Computers and related peripheral components;
b.Systems and applications software;
c.Terminal devices; and
d.Related communications networks;
by which “electronic data” is collected, transmitted, processed, stored and retrieved.
5.”Customer” means a person or entity having an account with you or for whom you provide services, other than a “client” of yours.
6.”Designated person” means:
a.Any insurance risk manager;
b.Any director;
c.Any trustee;
d.Any elected, appointed or otherwise titled officer; or
e.The highest ranking employee at the office or premises where such employee performs the majority of his or her duties;
of any Insured.
7.”Discovery”, “discover” or “discovered” means the time when a “designated person” first becomes aware of facts which would cause a reasonable person to assume that a loss of a type covered by this policy has been or will be incurred, regardless of when the act or acts causing or contributing to such loss occurred, even though the exact amount or details of loss may not then be known.
“Discovery”, “discover” or “discovered” also means the time when a “designated person” first receives notice of an actual or potential claim in which it is alleged that you are liable to a third party under circumstances which, if true, would constitute a loss under this policy.
Analysis
A certificated security is a security whose ownership is represented by a physical document. A certificate represents a share or interest in the property or an enterprise of the issuer.
The designated person is instrumental in the discovery of losses in this policy; such a person has a high level of responsibility within the organization, or at minimum is the highest ranking employee on the insured's premises. The designated person is responsible for acting promptly on any notice received of the occurrence of a loss. A loss discovered by a lower level employee does not imply that the insured as an entity is aware of the loss; the loss must be reported to a designated person or discovered by a designated person in order for the insured to be considered aware of the loss.
Discovery is defined as the earliest possible moment when a designated person becomes aware of facts that would indicate a loss has or will occur, or when the designated person first receives notice of an actual or potential claim. The discovery of the claim is a key element in the conditions regarding proof of loss to the company; so the moment of discovery is critical in starting the clock for the insured to submit a notice of loss.
8.”Electronic data” means information or facts stored as or on, created or used on, or transmitted to or from computer software (including systems and applications software), on hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.
9.”Money” means a medium of exchange in current use authorized or adopted by a domestic or foreign government as a part of its currency.
10.”Occurrence” means:
a.All loss or series of losses involving the fraudulent or destructive acts of one individual, or involving fraudulent or destructive acts in which one individual is implicated, whether or not that individual is specifically identified.
b.A series of losses involving unidentified individuals but arising from the same method of operation shall be deemed to involve the same individual.
c.Under Insuring Agreement 3., all covered costs incurred by you between the time loss or damage is “discovered” and the time the “computer system” is restored to substantially the previous level of operational capacity. Recurrence of loss or damage after the “computer system” is restored shall constitute a separate “occurrence”.
11.”Property” means “money”, “certificated securities”, “uncertificated securities”, “electronic data”, “computer programs” and items of tangible property.
12.”Single loss” means all covered loss, including court costs and attorneys' fees incurred by us under Condition 8., resulting directly from an “occurrence”.
13.”Telefacsimile device” means a machine capable of sending or receiving a duplicate image of a written document by means of electronic impulses transmitted through a telephone line and which reproduces the duplicate image on paper.
14.”Tested” means a method of authenticating the contents of a communication by placing a valid test key on it which has been agreed upon between you and a “customer”, automated clearinghouse or another financial institution for the purpose of protecting the integrity of the communication in the ordinary course of business.
15.”Uncertificated security” means a share, participation or other interest in property of or an enterprise of the issuer or an obligation of the issuer, which is:
a.Not represented by an instrument and the transfer of which is registered upon books maintained for that purpose by or on behalf of the issuer;
b.Of a type commonly dealt in on securities exchanges or markets; and
c.Either one of a class or series or by its terms divisible into a class or series of shares, participations, interests or obligations.
Analysis
Many of the definitions are self-explanatory. An occurrence involves a single loss or series of losses involving the acts of one individual, whether or not the individual is identified. For example; there are multiple attacks on the insured's computer system, and with each attack the same image of the Jolly Roger appears with the same threatening message; the attacks are presumed to be generated by the same individual and considered one occurrence, even though the true identity of the hacker is unknown.
An uncertificated security is one where the interest or share is a particular asset is not represented by a tangible document.