Summary: The Insurance Services Office (ISO) introduced optional coverage for cyber and data breach liability for the Businessowners program with the Information Security Protection Endorsement, BP 15 07 03 15. The endorsement may be further modified by using the Payment Card Industry (PCI) – Provide Coverage For Defense Expenses And Fines Or Penalties endorsement, BP 15 08 03 15, and Provide Coverage For Dishonest, Malicious Or Fraudulent Acts Committed By Employees endorsement, BP 15 10 03 15.
In 2015 ISO introduced the Information Security Protection Endorsement, for use with the Businessowners program, to address data and cyber breach exposures.
Coverage is provided in three tiers. Tier 1 is automatically provided if the endorsement is attached to the policy and includes insuring agreements for replacement or restoration of electronic data, public relations expense, and security breach expense.
Tier 2 is applicable only when an insured places an "X" in the appropriate box on the schedule. This tier provides coverage for security breach liability on a claims-made basis. Tier 1 coverage must be provided if Tier 2 coverage is provided.
Tier 3 is applicable only if Tier 2 is also applied and when an insured places an "X" in the appropriate box on the schedule. Tier 3 provides coverage for extortion threats, business income and extra expense, and website publishing liability (on a claims-made basis). Tier 1 and 2 coverage must be provided if Tier 3 coverage is provided.
The schedule contains a space to enter a retroactive date, which applies only to the insuring agreements for security breach liability and website publishing liability. Wrongful acts that occur prior to the retroactive date are not covered even if a claim was first made during the policy period, the basic extended reporting period, or the supplemental extended reporting period. If no retroactive date is entered, coverage may be afforded for wrongful acts occurring prior to the inception date of the policy.
A basic extended reporting period also applies only to the insuring agreements for security breach liability and website publishing liability. It starts at the end of the policy period and lasts for thirty days. Claims covered under subsequent insurance purchased, or that would be covered if the aggregate limit had not been exhausted, are not covered by the basic extended reporting period. The period does not provide an additional limit of insurance. A supplemental extended reporting period may also be purchased for these two insuring agreements; the named insured must request it in writing within thirty days after the end of the policy period or cancellation effective date. The period is for one year, beginning after the thirty-day basic extended reporting period ends. There is no additional limit provided by this reporting period extension.
ISO rules state that the form may be written with an aggregate limit of $10,000, $25,000, $50,000, $75,000, or $100,000. Deductibles, where applicable, are available in amounts of $500, $1,000, $2,500, or $5,000.
ISO lists the following risk characteristics for this exposure: whether the insured conducts online transactions, whether remote access to the insured's computer system is granted to authorized third parties, whether the insured has a website or social media profiles, whether the insured collects data from customers or visitors to its website, whether the insured collects or retains information on minors, whether the insured uses medical records in daily business or uses background or credit checks in daily business and retains the information, and whether the insured uses encryption in customer communications.
According to the ISO rules, the following are high hazard classifications: accounting services, collection agencies, credit reporting agencies, detective and investigative agencies, employment agencies, financial planners, insurance agents, lawyers, mailing or addressing companies, medical offices, health maintenance organizations, and payroll accounting services.
A. Tier 1 First-party Expense Coverages
For the purposes of the coverage provided by this Endorsement, the following is added to Paragraph A.5. Additional Coverages of Section I – Property:
Insuring Agreements
Coverage is provided under the following Insuring Agreements:
a. Replacement Or Restoration Of Electronic Data
We will pay for "loss" of "electronic data" (as defined in Paragraph R. of this Endorsement) or "computer programs" stored within the "computer system" resulting directly from an "e-commerce incident" sustained during the "policy period".
b. Public Relations Expense
We will pay for "loss" due to "negative publicity" resulting directly from an "e-commerce incident" or a "security breach" sustained during the "policy period".
c. Security Breach Expense
We will pay for "loss" resulting directly from a "security breach" sustained during the "policy period".
Analysis:
Endorsement BP 15 07 adds the Tier 1 coverage—applicable to first-party exposures—to the additional coverages section of the Businessowners Coverage Form.
The form will pay for costs the insured incurs to replace or restore electronic data or computer programs. These costs include the costs of reprogramming, computer consultation services, and data entry.
In this insuring agreement, "electronic data" means digital information, facts, images or sounds stored as or on, created or used on, or transmitted to or from computer software (including systems and applications software) on electronic storage devices including, but not limited to, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment. "Electronic data" is not tangible property. "Electronic data" does not include your "electronic data" that is licensed, leased, rented or loaned to others.
Losses under this insuring agreement must result directly from an e-commerce incident. "E-commerce incident" is a defined term and means
"Virus"; Malicious code; or Denial of service attack; introduced into or enacted upon the "computer system" (including "electronic data") or a network to which it is connected, that is designed to damage, destroy, delete, corrupt or prevent the use of or access to any part of the "computer system" or otherwise disrupt its normal operation. Recurrence of the same "virus" after the "computer system" has been restored shall constitute a separate "e-commerce incident".
So, if the latest computer virus infects the insured's computer system, the costs to restore or replace the lost or damaged electronic data will be covered.
Under the public relations expense insuring agreement, negative publicity—meaning "information which has been made public that has caused, or is reasonably likely to cause, a decline or deterioration in the reputation of the Named Insured or of one or more of its products or services"—caused by an e-commerce incident or a security breach is covered.
"Security breach" means
the acquisition of "personal information" held within the "computer system" or in non-electronic format while in the care, custody or control of the insured or authorized "third party" by a person:
a. Who is not authorized to have access to such information; or
b. Who is authorized to have access to such information but whose access results in the unauthorized disclosure of such information.
If, for example, an insured store's credit card computer system was hacked and customer information was stolen, the fees of a public relations firm hired to restore the insured's reputation would be covered.
Likewise, the security breach insuring agreement provides coverage for loss resulting from a security breach. From the previous example, the costs the insured incurs to inform affected customers of the hacked credit card information would be covered.
B. Tier 2 Liability Coverage
If Tier 2 is shown as applicable in the Schedule above, for the purposes of the coverage provided by this Endorsement, the following is added to Paragraph A. Coverages of Section I – Liability:
Insuring Agreement
Coverage is provided under the following Insuring Agreement:
d. Security Breach Liability
(1) We will pay for both "loss" that the insured becomes legally obligated to pay and "defense expenses" as a result of a "claim" first made against the insured during the "policy period" or during the applicable Extended Reporting Period, for a "wrongful act" or a series of "interrelated wrongful acts" taking place on or after the Retroactive Date, if any, shown in the Schedule and before the end of the "policy period".
(2) We will pay for both "loss" and "defense expenses" as a result of a "claim" in the form of a "regulatory proceeding" first made against the insured during the "policy period" or during the applicable Extended Reporting Period, in response to a "wrongful act" or a series of "interrelated wrongful acts" covered under Paragraph d.(1).
Analysis:
As stated in the introduction, Tier 1 insurance must be provided in order for Tier 2 coverage to take effect. The coverage applies to the insured's liability arising out of third-party claims for wrongful acts. "Wrongful acts" are defined as neglect, breach of duty or omission by an insured that results in:
(1) A "security breach";
(2) A "computer system" transmitting, by email or other means, a "virus" to another person or organization.
This insuring agreement covers claims against the insured if, for instance, the insured neglects to update its antivirus software and inadvertently sends an email attachment containing a virus to its customers. Both losses and defense expenses are covered.
Covered losses include compensatory damages, settlement amounts, costs awarded pursuant to judgments or settlements, punitive and exemplary damages to the extent such damages are insurable by law, and under paragraph (2), fines or penalties assessed against the insured to the extent such fines or penalties are insurable by law.
Defense expenses include reasonable and necessary attorneys' and experts' fees and expenses incurred in the defense or appeal of a claim.
C. Tier 3 Coverages
1. Tier 3 First-party Expense Coverages
If Tiers 2 and 3 are shown as applicable in the Schedule above, for the purposes of the coverage provided by this Endorsement, the following is added to Paragraph A.5. Additional Coverages of Section I – Property:
Insuring Agreements
Coverage is provided under the following Insuring Agreements:
e. Extortion Threats
We will pay for "loss" resulting directly from an "extortion threat" communicated to you during the "policy period".
However, we will not pay for "extortion expenses" or "ransom payments" which are part of a series of related threats that began prior to the "policy period".
f. Business Income And Extra Expense
We will pay for "loss" due to an "interruption" resulting directly from an "e-commerce incident" sustained during the "policy period" or an "extortion threat" communicated to you during the "policy period".
2. Tier 3 Liability Coverage
If Tiers 2 and 3 are shown as applicable in the Schedule above, for the purposes of the coverage provided by this Endorsement, the following is added to Paragraph A. Coverages of Section II – Liability:
Insuring Agreement
Coverage is provided under the following Insuring Agreement:
g. Web Site Publishing Liability
We will pay for both "loss" that the insured becomes legally obligated to pay and "defense expenses" as a result of a "claim" first made against the insured during the "policy period" or during the applicable Extended Reporting Period, for a "wrongful act" or a series of "interrelated wrongful acts" taking place on or after the Retroactive Date, if any, shown in the Schedule and before the end of the "policy period".
Analysis:
As noted in the introduction, Tier 1 and 2 coverage must be provided if Tier 3 coverage is provided. Tier 3 offers both first-party expense and third-party liability coverages.
Losses resulting directly from extortion threats made during the policy period are covered. If the threats began prior to the policy period, they are not covered. Extortion expenses are also covered, and include fees and costs of security firms, persons, or organizations the insured hires with the insurer's consent to determine the validity and severity of an extortion threat made against it; interest costs the insured pays for any loan from a financial institution to pay a ransom demand; reward money the insured pays to an informant that leads to the arrest and conviction of parties responsible for loss; independent negotiators' fees and costs; and fees and costs of a company hired by the insured, upon the recommendation of the security firm, to protect its electronic data from further threats.
An "extortion threat" is a threat or series of related threats to perpetrate an e-commerce incident; to disseminate, divulge, or utilize the insured's proprietary information or weaknesses in the source code within the computer system by gaining unauthorized access to the computer system; to destroy, corrupt, or prevent normal access to the computer system by gaining unauthorized access to it; to inflict ransomware on the computer system or a network to which it is connected; or to publish the insured's client's personal information.
"Ransomware" means "any software that encrypts 'electronic data' held within the 'computer system' and demands a 'ransom payment' in order to decrypt and restore such 'electronic data.'"
A professional cyber gang may gain access to the insured's e-commerce website, impeding the insured from accessing it and keeping it from doing business. The gang may demand payment before it allows the insured to retain control. Losses related to this type of scenario would be covered under insuring agreement e. If the insured suffers loss of business income or incurs extra expenses due to this extortion, insuring agreement f. would pay for those losses. Business interruptions and extra expenses resulting from e-commerce incidents are also covered.
The third-party liability coverage under Tier 3 comes in the form of website publishing liability. Losses resulting from the insured's liability arising out of third-party claims for wrongful acts committed by an insured regarding content it posts on its website are covered.
D. Additional Coverages A.5.p. And A.5.q.
1. Additional Coverage p. Electronic Data
Additional Coverage p. Electronic Data of Section I – Property does not apply to destruction or corruption of "electronic data" resulting directly from an "e-commerce incident".
2. Additional Coverage q. Interruption Of Computer Operations
If Tiers 2 and 3 are shown as applicable in the Schedule of this Endorsement, Additional Coverage q. Interruption Of Computer Operations of Section I – Property does not apply to a suspension of "operations" caused by an interruption in computer operations due to destruction or corruption of "electronic data" due to an "e-commerce incident".
Analysis:
These provisions make clear that certain additional coverage provisions on the Businessowners Coverage Form for electronic data and interruption of computer operations do not apply when this endorsement is attached.
E.For the purposes of the coverage provided by this Endorsement under Insuring Agreements d. Security Breach Liability and g. Web Site Publishing Liability, the following is added to Paragraph A. Coverages of Section II – Liability:
Defense And Settlement
1. We shall have the right and duty to select counsel and defend the insured against any "claim" covered under Insuring Agreements d. Security Breach Liability and g. Web Site Publishing Liability, even if the allegations of such "claim" are groundless, false or fraudulent. However, we shall have the right but not the duty to defend the insured against a "claim" covered under Paragraph (2) of Insuring Agreement d. Security Breach Liability, and we shall have no duty to defend the insured against any "claim" which is not covered under either of these Insuring Agreements.
2. We may, upon the written consent of the insured, make any settlement of a "claim" which we deem reasonable. If the insured withholds consent to such settlement, our liability for all "loss" resulting from such "claim" will not exceed the amount for which we could have settled such "claim", plus "defense expenses" incurred, as of the date we proposed such settlement in writing to the insured. Upon refusing to consent to a settlement we deem reasonable, the insured shall, at its sole expense, assume all further responsibility for its defense including all additional costs associated with the investigation, defense and/or settlement of such "claim".
Analysis:
A duty to defend is provided only for the security breach liability and website publishing liability insuring agreements. With written consent from the insured, the insurer may make a settlement of the claim that it deems reasonable. If the insured does not consent, the insurer's liability will not exceed the reasonable settlement amount plus defense expenses as of the date of the proposed settlement—the insured is then on its own for paying additional defense and other associated costs.
F.For the purposes of the coverage provided by this Endorsement, "electronic data" is deleted from Paragraph A.2. Property Not Covered of Section I – Property.
G.For the purposes of the coverage provided by this Endorsement, the limitations in Paragraphs A.4.a.(3) and (4) of Section I – Property, which relate to missing property and property transferred outside the described premises on the basis of unauthorized instructions, do not apply.
H.For the purposes of the coverage provided by this Endorsement, if any of the following endorsements, or any equivalent jurisdiction-specific endorsement, are attached to the Policy, the provisions of that endorsement do not apply:
1.Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability – With Limited Bodily Injury Exception Endorsement;
2.Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability – Limited Bodily Injury Exception Not Included Endorsement;
3.Exclusion – Access Or Disclosure Of Confidential Or Personal Information (Personal And Advertising Injury Only) Endorsement; or
4.Electronic Data Liability – Limited Coverage Endorsement.
Analysis:
The endorsement lists specific provisions that do not apply from the Businessowners Coverage Form and Businessowners program endorsements when Endorsement BP 15 07 is attached.
I.For the purposes of the coverage provided by this Endorsement, Paragraph B. Exclusions of Section I – Property and Paragraph B.1. Applicable To Business Liability Coverage of Section II – Liability are replaced by the following:
We will not be liable for "loss" or "defense expenses":
a.Based upon, attributable to or arising out of lightning, earthquake, hail, volcanic action or any other act of nature.
b.Based upon, attributable to or arising out of:
(1)War, including undeclared or civil war or civil unrest;
(2)Warlike action by military force, including action hindering or defending against an actual or expected attack, by any government, sovereign or other authority using military personnel or other agents; or
(3)Insurrection, rebellion, revolution, usurped power, or action taken by government authority in hindering or defending against any of these.
c.Based upon, attributable to or arising out of bodily injury or physical damage to or destruction of tangible property, including loss of use thereof.
Bodily injury means bodily injury, sickness or disease sustained by a person, including death resulting from any of these at any time.
d.Based upon, attributable to or arising out of any unexplained or indeterminable failure, malfunction or slowdown of the "computer system", including "electronic data" and the inability to access or properly manipulate the "electronic data".
e.Based upon, attributable to or arising out of any "interruption" in normal computer function or network service or function due to insufficient capacity to process transactions or due to an overload of activity on the "computer system" or network. However, this exclusion shall not apply if such "interruption" is caused by an "e-commerce incident".
f.Based upon, attributable to or arising out of a complete or substantial failure, disablement or shutdown of the Internet or any communications and data network infrastructure, for any cause that is not an "e-commerce incident".
g.Based upon, attributable to or arising out of any failure of, reduction in or surge of power.
h.Based upon, attributable to or arising out of any actual or alleged violation of the Racketeer Influenced and Corrupt Organizations Act (RICO) and its amendments, or similar provisions of any federal, state or local statutory or common law.
i.Based upon, attributable to or arising out of any malfunction or failure of any satellite.
j.Based upon, attributable to or arising out of any oral or written publication of material, if done by an insured or at an insured's direction with knowledge of its falsity.
k.Based upon, attributable to or arising out of an insured's assumption of liability by contract or agreement, whether oral or written. However, this exclusion shall not apply to any liability that an insured would have incurred in the absence of such contract or agreement.
l.Based upon, attributable to or arising out of any actual or alleged patent or trade secret violation, including any actual or alleged violation of the Patent Act, the Economic Espionage Act of 1996 or the Uniform Trade Secrets Act and their amendments.
m.Based upon, attributable to or arising out of:
(1)The actual, alleged or threatened discharge, dispersal, seepage, migration, release or escape of "pollutants" at any time;
(2)Any request, demand, order or statutory or regulatory requirement that any insured or others test for, monitor, clean up, remove, contain, treat, detoxify or neutralize, or in any way respond to, or assess the effects of, "pollutants"; or
(3)Any "claim" or "suit" brought by, or on behalf of, any governmental authority for damages because of testing for, monitoring, cleaning up, removing, containing, treating, detoxifying or neutralizing, or in any way responding to, or assessing the effects of, "pollutants".
n.Based upon, attributable to or arising out of any "claim", "suit" or other proceeding against an insured which was pending or existed prior to the "policy period", or arising out of the same or substantially the same facts, circumstances or allegations which are the subject of, or the basis for, such "claim", "suit" or other proceeding.
o.Based upon, attributable to or arising out of your employment practices including, but not limited to, termination of employment, demotion, reassignment, discipline, harassment, coercion or refusal to employ regardless of whether you are liable as an employer or in any other capacity.
p.Based upon, attributable to or arising out of any "wrongful act" or "interrelated wrongful acts" that occurred before the Retroactive Date, if any, shown in the Schedule.
q.Based upon, attributable to or arising out of the same facts, "wrongful acts" or "interrelated wrongful acts", alleged or contained in any "claim" which has been reported, or in any circumstances of which notice has been given, under any insurance policy of which this Policy is a renewal or replacement.
r.Based upon, attributable to or arising out of any criminal, dishonest, malicious or fraudulent act or any willful violation of any statute or regulation committed by an insured, acting alone or in collusion with others. However, this exclusion shall not apply to dishonest, malicious or fraudulent acts committed by an "employee" which give rise to a "claim" or "loss" covered under Insuring Agreement d. Security Breach Liability.
With the exception of "claims" excluded under Exclusion l., we will defend "claims" first made against an insured alleging such acts or violations until final adjudication is rendered against that insured. Final adjudication rendered against one insured shall not be imputed to any other insured.
We will not provide indemnification for any "claim" to which any insured enters a guilty plea or pleads no contest, and we will not provide a defense from the time we become aware that any insured intends to so plead.
s.Based upon, attributable to or arising out of any action or proceeding brought by, or on behalf of, any governmental authority or regulatory agency including, but not limited to:
(1)The seizure or destruction of property by order of a governmental authority; or
(2)Regulatory actions or proceedings brought by, or on behalf of, the Federal Trade Commission, Federal Communications Commission or other regulatory agency, except when covered under Paragraph (2) of Insuring Agreement d. Security Breach Liability.
However, this exclusion shall not apply to actions or proceedings brought by a governmental authority or regulatory agency acting solely in its capacity as a customer of the Named Insured.
t.Based upon, attributable to or arising out of costs associated with upgrading or improving the "computer system" regardless of the reason for the upgrade.
u.Based upon, attributable to or arising out of any "claim" brought or alleged by one insured against another, except for a "claim" brought or alleged by an "employee" against an insured as a result of a "security breach".
v.Based upon, attributable to or arising out of unintentional errors or omissions in the entry of "electronic data" into the "computer system".
w.Based upon, attributable to or arising out of infringing upon another's copyright, trade dress or slogan in your "advertisement".
x.Based upon, attributable to or arising out of fines, penalties or assessments imposed pursuant to contract or agreement, whether oral or written, including, but not limited to, Payment Card Industry (PCI) fines, penalties or assessments.
J. For the purposes of the coverage provided by this Endorsement, the following is added to Paragraph B. Exclusions of Section I – Property:
Nuclear Hazard
Nuclear reaction or radiation, or radioactive contamination, however caused.
Analysis:
This section replaces the property and business liability exclusions of the Businessowners Coverage Form. The list of exclusions makes clear that this endorsement is focused on the causes of loss listed in the insuring agreements: e-commerce incidents, negative publicity, security breaches, defined wrongful acts, and extortion threats. The endorsement excludes loss caused by lightning, hail, earthquake, volcanic action, and other acts of nature. War is also an excluded peril.
The endorsement is not designed to address losses caused by unexplained system failures, slowdowns of the system due to insufficient capacity (unless caused by an e-commerce incident), failure or shutdown of the Internet or any other communications and data network infrastructure (unless caused by an e-commerce incident), power failure or surge, or satellite failures or malfunctions. Similarly, losses based on, attributable to, or arising out of costs associated with upgrading or improving computer systems and unintentional errors and omissions in the entry of electronic data into the system are excluded.
The endorsement is for protection against intentional attacks to the insured's computer system, not accidental failures or interruptions. For example, if the insured's online store advertises a 50 percent Cyber Monday sale, and the number of shoppers overwhelms the site, causing the site to crawl or to go down, losses caused by this interruption would not be covered. However, if an individual launches a denial of service attack on the insured's computer system with the same results, the exclusion would not apply.
The list of liability exclusions is trimmed down from what is on the Businessowners Coverage Form, omitting those that would not apply to the type of coverage provided on the endorsement, such as aircraft, auto, watercraft, mobile equipment, and damage to your work.
K.For the purposes of the coverage provided by this Endorsement, Paragraph C. Limits Of Insurance of Section I – Property and Paragraph D. Liability And Medical Expenses Limits Of Insurance of Section II – Liability are replaced by the following:
Limits Of Insurance
Information Security Protection Aggregate Limit Of Insurance
The most we will pay for all "loss" and "defense expenses", if covered, under this Endorsement is the Information Security Protection Aggregate Limit Of Insurance shown in the Schedule. The Information Security Protection Aggregate Limit of Insurance shall be reduced by the amount of any payment made under the terms of this Endorsement. Upon exhaustion of the Information Security Protection Aggregate Limit of Insurance by such payments, we will have no further obligations or liability of any kind under this Endorsement.
Analysis:
Coverage is subject to one overall aggregate limit of insurance. Defense expenses are included in the limit and are not in addition to the limit.
L. For the purposes of the coverage provided by this Endorsement, the following replaces Paragraph D. Deductibles of Section I – Property and is added to Section II – Liability:
Information Security Protection Deductible
1.Subject to Limits Of Insurance under Paragraph K. of this Endorsement:
a. Under Insuring Agreements d. Security Breach Liability and g. Web Site Publishing Liability:
We will pay only the amount of "loss" and "defense expenses" which are in excess of the Deductible Amount shown in the Schedule resulting from the same "wrongful act" or "interrelated wrongful acts". Such Deductible Amount will be borne by you, self-insured, and at your own risk.
b.Under Insuring Agreements a. Replacement Or Restoration Of Electronic Data, b. Public Relations Expense, c. Security Breach Expense and e. Extortion Threats:
We will pay only the amount of "loss" which is in excess of the Deductible Amount shown in the Schedule.
c.Under Insuring Agreement f. Business Income And Extra Expense:
We will pay only the amount of "loss" which exceeds the greater of:
(1)The Deductible Amount shown in the Schedule; or
(2)The amount of "loss" incurred during:
(a)The first 24 hours from the beginning of the "interruption" if no other waiting period is designated in the Schedule; or
(b)The number of hours waiting period designated in the Schedule from the beginning of the "interruption".
2.In the event a "loss" is covered under more than one Insuring Agreement:
a.If Insuring Agreement f. Business Income And Extra Expense does not apply, the Information Security Protection Deductible shown in the Schedule will be applied only once per occurrence, "wrongful act" or "interrelated wrongful acts"; or
b.If Insuring Agreement f. Business Income And Extra Expense does apply, the larger of the:
(1)Information Security Protection Deductible shown in the Schedule; or
(2)Amount of loss incurred during the applicable waiting period;
will be applied only once per occurrence, "wrongful act" or "interrelated wrongful acts".
Analysis:
Endorsement BP 15 07's schedule contains an entry for a deductible. Loss and defense expenses must exceed the deductible in order for payment to be made. For business income and extra expense coverage, the deductible is the greater of the deductible shown in the schedule or the amount of loss during the waiting period of interruption—the first twenty-four hours, although a different time period can be chosen on the schedule.
The deductible is applied only once per occurrence, wrongful act, or interrelated wrongful acts when the business income and extra expense insuring agreement does not apply. If that insuring agreement does apply, only the larger of the deductible or loss incurred during the waiting period will apply per occurrence, wrongful act, or series of related wrongful acts.
If, for instance, the scheduled deductible is $5,000, and the amount of business income loss incurred during the waiting period is $3,000, only the $5,000 deductible would apply.
M.For the purposes of the coverage provided by this Endorsement, Paragraph E.3. Duties In The Event Of Loss Or Damage of Section I – Property and Paragraph E.2. Duties In The Event Of Occurrence, Offense, Claim Or Suit of Section II – Liability are replaced by the following:
Duties In The Event Of Claim Or Loss
In the event of either an occurrence or offense that may result in a "claim" against an insured or a "loss" or situation that may result in a "loss" covered under this Endorsement, you must notify us in writing as soon as practicable, but not to exceed 30 days, and cooperate with us in the investigation and settlement of the "claim" or "loss". Additionally:
a.Under Insuring Agreements d. Security Breach Liability and g. Web Site Publishing Liability, you must:
(1)Immediately record the specifics of the "claim" and the date received;
(2)Immediately send us copies of any demands, notices, summonses or legal papers received in connection with the "claim";
(3)Authorize us to obtain records and other information; and
(4)Assist us, upon our request, in the enforcement of any right against any person or organization which may be liable to you because of an occurrence or offense to which this Endorsement may also apply.
You will not, except at your own cost, voluntarily make a payment, assume any obligation or incur any expense without our consent.
A "claim" brought by a person or organization seeking damages will be deemed to have been made when the "claim" is received by an insured.
b.Under Insuring Agreement a. Replacement Or Restoration Of Electronic Data and Insuring Agreement e. Extortion Threats, you must:
(1)Notify local law enforcement officials;
(2)Submit to examination under oath at our request and give us a signed statement of your answers; and
(3)Give us a detailed, sworn proof of loss within 120 days.
(4)In addition, under Insuring Agreement e. Extortion Threats, you must:
(a)Determine that the "extortion threat" has actually occurred;
(b)Make every reasonable effort to immediately notify an associate and the security firm, if any, before making any "ransom payment" based upon the "extortion threat";
(c)With respect to "ransomware", make a reasonable effort to access your "electronic data" from backup; and
(d)Approve any "ransom payment" based upon the "extortion threat".
Analysis:
The duties in the event of a loss or claim are mostly typical reporting and cooperation requirements, but they are tailored to the type of coverage provided by the endorsement. Of note are the duties for extortion threats coverage—determining that a threat actually occurred, informing the security firm before making any ransom payments, making reasonable efforts to access data from backup, and approving ransom payments based on threats.
N.Extended Reporting Periods
For the purposes of the coverage provided by this Endorsement under Insuring Agreements d. Security Breach Liability and g. Web Site Publishing Liability, the following are added to Paragraph E. Liability And Medical Expenses General Conditions of Section II – Liability:
1.Basic Extended Reporting Period
a.A Basic Extended Reporting Period is automatically provided without additional charge if:
(1)This Endorsement is cancelled or not renewed for any reason; or
(2)We renew or replace this Endorsement with insurance that:
(a)Has a Retroactive Date later than the date shown in the Schedule of this Endorsement for either Insuring Agreement d. Security Breach Liability or g. Web Site Publishing Liability. However, the Basic Extended Reporting Period will only be provided for the insuring agreement for which our renewal or replacement endorsement has a Retroactive Date later than the date shown in the Schedule of this Endorsement; or
(b)Does not apply to "wrongful acts" on a claims-made basis for either Insuring Agreement d. Security Breach Liability or g. Web Site Publishing Liability. However, the Basic Extended Reporting Period will only be provided for the insuring agreement for which our renewal or replacement endorsement does not apply to "wrongful acts" on a claims-made basis.
b.The Basic Extended Reporting Period starts with the end of the "policy period" and lasts for 30 days. A "claim" first made and reported by the insured during this 30-day period will be considered to have been received within the "policy period". However, the 30-day Basic Extended Reporting Period does not apply to "claims" that are covered under any subsequent insurance purchased by the insured, or that would be covered but for exhaustion of the Aggregate Limit of Insurance applicable to such "claims".
c.The Basic Extended Reporting Period does not extend the "policy period" or change the scope of coverage provided. It applies only to "claims" to which the following applies:
(1)The "claim" is first made and reported to us during the Basic Extended Reporting Period; and
(2)The "claim" arose out of either a "wrongful act" or the first of a series of "interrelated wrongful acts" which occurred on or after the Retroactive Date, if any, shown in the Schedule and before the end of the "policy period".
2.Supplemental Extended Reporting Period
a.You will have the right to purchase a Supplemental Extended Reporting Period from us if:
(1)This Endorsement is cancelled or not renewed; or
(2)We renew or replace this Endorsement with insurance that:
(a)Has a Retroactive Date later than the date shown in the Schedule of this Endorsement for either Insuring Agreement d. Security Breach Liability or g. Web Site Publishing Liability. However, the Supplemental Extended Reporting Period will only be provided for the insuring agreement for which our renewal or replacement endorsement has a Retroactive Date later than the date shown in the Schedule of this Endorsement; or
(b)Does not apply to "wrongful acts" on a claims-made basis for either Insuring Agreement d. Security Breach Liability or g. Web Site Publishing Liability. However, the Supplemental Extended Reporting Period will only be provided for the insuring agreement for which our renewal or replacement endorsement does not apply to "wrongful acts" on a claims-made basis.
b.The Supplemental Extended Reporting Period will not be available if:
(1)We cancel this Endorsement for nonpayment of premium; or
(2)You fail to pay any amounts owed us.
c.A Supplemental Extended Reporting Period, as specified in Paragraph a., lasts one year and is available only for an additional premium.
d.The Supplemental Extended Reporting Period starts with the end of the Basic Extended Reporting Period set forth in Paragraph 1. It does not extend the policy period or change the scope of the coverage provided. It applies only to "claims" to which the following applies:
(1)The "claim" is first made and reported to us during the Supplemental Extended Reporting Period; and
(2)The "claim" arose out of either a "wrongful act" or the first of a series of "interrelated wrongful acts" which occurred on or after the Retroactive Date, if any, shown in the Schedule and before the end of the "policy period".
e.You must give us a written request for the Supplemental Extended Reporting Period within 30 days after the end of the "policy period" or the effective date of cancellation, whichever comes first.
f.The Supplemental Extended Reporting Period will not go into effect unless you pay the additional premium in full along with any premium or deductible you owe us for coverage provided under this Endorsement within 30 days after the end of the "policy period" or the effective date of cancellation, whichever comes first. Once in effect, the Supplemental Extended Reporting Period may not be cancelled.
g.We will determine the additional premium in accordance with our rules and rates. In doing so, we may take into account the following:
(1)The exposures insured;
(2)Previous types and amounts of insurance;
(3)Limit of Insurance available under this Endorsement for future payment of damages; and
(4)Other related factors.
The additional premium may not exceed 100% of the annual premium for this Endorsement. The premium for the Supplemental Extended Reporting Period will be deemed fully earned as of the date it is purchased.
3.Basic And Supplemental Extended Reporting Period Limits
a.Basic Extended Reporting Period Limit
There is no separate or additional Aggregate Limit of Insurance for the Basic Extended Reporting Period. The Limit of Insurance available during the Basic Extended Reporting Period shall be the remaining amount, if any, of the Information Security Protection Aggregate Limit of Insurance available at the end of the "policy period".
b.Supplemental Extended Reporting Period Limit
There is no separate or additional Aggregate Limit of Insurance for the Supplemental Extended Reporting Period. The Limit of Insurance available during the Supplemental Extended Reporting Period, if purchased, shall be the remaining amount, if any, of the Information Security Protection Aggregate Limit of Insurance available at the end of the Basic Extended Reporting Period.
Analysis:
Two additional time periods for making claims to the insurer are provided: the basic extended reporting period and the supplemental extended reporting period. The basic period is automatically provided without additional charge if the endorsement is cancelled or not renewed for any reason, or if the insurer renews or replaces the endorsement with insurance that has a retroactive date later than the date shown in the schedule or that does not apply to wrongful acts on a claims-made basis (both provisions apply to the security breach liability or website publishing liability insuring agreements only). The basic period starts at the end of the policy period and lasts for thirty days. The period does not apply to claims covered by subsequent insurance.
A supplemental extended reporting period can be purchased for the same reasons listed for the basic period. It is not available if the insurer cancels the endorsement for nonpayment of premium or if the insured fails to pay any amounts owed to the insurer. This period lasts for one year, which starts at the end of the basic period, and applies only to claims made during the supplemental period or that occurred on or after the retroactive date. Additional premium under this reporting period must be paid within thirty days following the end of the policy period.
Neither period provides separate or additional limits of insurance.
O.For the purposes of the coverage provided by this Endorsement, Paragraph H. Other Insurance of Section III – Common Policy Conditions is replaced by the following:
H. Other Insurance
1.If any covered "claim" or "loss" is insured by any other valid policy, then this Endorsement shall apply only in excess of the amount of any deductible, retention and Limit of Insurance under such other policy, whether such other policy is stated to be primary, contributory, excess, contingent or otherwise.
2.When this Endorsement is excess, we shall have no duty under Insuring Agreement d. Security Breach Liability or g. Web Site Publishing Liability to defend the insured against any "suit" if any other insurer has a duty to defend the insured against that "suit". If no other insurer defends, we will undertake to do so, but we will be entitled to the insured's rights against all those other insurers.
P.For the purposes of the coverage provided by this Endorsement, the following is added to Section III – Common Policy Conditions:
A. Valuation – Settlement
1.All premiums, Aggregate Limits of Insurance, Deductible Amounts, "loss" and any other monetary amounts under this Endorsement are expressed and payable in the currency of the United States of America. If judgment is rendered, settlement is agreed to or another component of "loss" under this Endorsement is expressed in any currency other than United States of America dollars, payment under this Endorsement shall be made in United States dollars at the rate of exchange published in The Wall Street Journal on the date the final judgment is entered, settlement amount is agreed upon or the other component of "loss" is due, respectively.
2.With respect to "loss" covered under Insuring Agreement f. Business Income And Extra Expense:
a.The amount of "business income" will be determined based on consideration of:
(1)The net income generated from your "e-commerce activities" before the "interruption" occurred;
(2)The likely net income generated by your "e-commerce activities" if no "interruption" had occurred, but not including any net income that would likely have been earned as a result of an increase in the volume of business due to favorable business conditions caused by the impact of the "e-commerce incident" on customers or on other businesses;
(3)The operating expenses, including payroll, necessary to resume your "e-commerce activities" with the same quality of service that existed before the "interruption"; and
(4)Other relevant sources of information, including your financial records and accounting procedures, bills, invoices and other vouchers, and debts, liens and contracts.
However, the amount of "business income" will be reduced to the extent that the reduction in the volume of business from the affected "e-commerce activities" is offset by an increase in the volume of business from other channels of commerce such as via telephone, mail or other sources.
b.The amount of "extra expense" will be determined based on:
(1)Necessary expenses that exceed the normal operating expenses that would have been incurred in the course of your "e-commerce activities" during the period of coverage if no "interruption" had occurred. We will deduct from the total of such expenses the salvage value that remains of any property bought for temporary use during the period of coverage once your "e-commerce activities" are resumed; and
(2)Necessary expenses that reduce the "business income" "loss" that otherwise would have been incurred during the period of coverage.
B.Confidentiality
Under Insuring Agreement e. Extortion Threats, the Named Insured and its "employees" must make every reasonable effort not to divulge the existence of this coverage.
Analysis:
The endorsement is excess if any other policy applies to a claim for loss, and the insurer is absolved of its duty to defend unless the other insurers do not have such a duty.
Business income and extra expense losses are valued based on the income generated, prior to the interruption, by the insured's e-commerce activities, which are the activities the insured normally conducts via the Internet or other computer-based interactive communications network. This amount does not include any net income that would likely have been earned as a result of an increase in the volume of business due to favorable business conditions caused by the impact of the e-commerce incident on customers or on other businesses, and it is reduced to the extent that the drop in e-commerce volume is offset by an increase in volume through other means of commerce. If, for example, a virus knocks out the insured's website and e-commerce sales drop, but telephone sales increase, the amount of business income will be reduced by the telephone sales increase.
The extortion coverage again provides a unique condition in that the named insured is required to keep the existence of this coverage confidential. If blackmailers know that there is money available, they may be more likely to extort the insured.
Q.For the purposes of the coverage provided by this Endorsement, the definition of "computer" under Paragraph H. Property Definitions of Section I – Property does not apply.
R.For the purposes of the coverage provided by this Endorsement, the following replaces the definition of "electronic data" under Paragraph H. Property Definitions of Section I – Property and is added to Paragraph F. Liability And Medical Expenses Definitions of Section II – Liability:
"Electronic data" means digital information, facts, images or sounds stored as or on, created or used on, or transmitted to or from computer software (including systems and applications software) on electronic storage devices including, but not limited to, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment. "Electronic data" is not tangible property.
"Electronic data" does not include your "electronic data" that is licensed, leased, rented or loaned to others.
S.For the purposes of the coverage provided by this Endorsement, the following replaces the definition of "suit" under Paragraph F. Liability And Medical Expenses Definitions of Section II – Liability and is added to Paragraph H. Property Definitions of Section I – Property:
"Suit" means a civil proceeding in which damages to which this Endorsement applies are claimed against the insured. "Suit" includes:
a.An arbitration proceeding in which such damages are claimed and to which the insured submits with our consent; or
b.Any other alternative dispute resolution proceeding in which such damages are claimed and to which the insured submits with our consent.
"Suit" does not include a civil proceeding seeking recognition and/or enforcement of a foreign money judgment.
T.For the purposes of the coverage provided by this Endorsement, the definition of "coverage territory" under Paragraph F. Liability And Medical Expenses Definitions of Section II – Liability is replaced by the following:
"Coverage territory" means anywhere in the world.
However, "suits" must be brought in the United States of America (including its territories and possessions), Puerto Rico or Canada.
U.For the purposes of the coverage provided by this Endorsement, the following replaces the definition of "employee" under Paragraph F. Liability And Medical Expenses Definitions of Section II – Liability and is added to Paragraph H. Property Definitions of Section I – Property:
"Employee" means any natural person who was, now is or will be:
a.Employed on a full- or part-time basis;
b.Furnished temporarily to you to substitute for a permanent employee on leave or to meet seasonal or short-term workload conditions;
c.Leased to you by a labor leasing firm under an agreement between you and the labor leasing firm, to perform duties related to the conduct of your business, but does not mean a temporary employee as defined in Paragraph b.;
d.An officer;
e.A director, trustee or manager (if a limited liability company);
f.A volunteer worker; or
g.A partner or a member (if a limited liability company);
of the Named Insured, but only while acting within the scope of their duties as determined by the Named Insured.
Analysis:
The definition of "electronic data" differs from the Businessowners Coverage Form's definition in that it omits the description of computer programs and specifically states that electronic data is not tangible property and does not include the insured's electronic data that is licensed, leased, rented, or loaned to others.
The "suit" definition on the endorsement does not contain the wording found on the Businessowners Coverage Form, which states that a suit is a civil proceeding in which damages because of bodily injury, property damage, or personal and advertising injury to which the insurance applies are alleged. The BP 05 17 endorsement changes this to mean a civil proceeding in which damages to which the endorsement applies are claimed against the insured.
The coverage territory is expanded to worldwide from the Businessowners Coverage Form's territory of the United States, its possessions and territories, Puerto Rico, and Canada, as well as international waters and airspace in some instances, and for some specific types of damages, all other parts of the world. However, suits can be brought only in the United States, its possessions and territories, Puerto Rico, and Canada.
This endorsement considers a temporary worker an employee, but the Businessowners Coverage Form does not.
V.For the purposes of the coverage provided by this Endorsement, the following are added to Paragraph H. Property Definitions of Section I – Property and Paragraph F. Liability And Medical Expenses Definitions of Section II – Liability:
1."Business income" means the:
a.Net income (net profit or loss before income taxes) that would have been earned or incurred; and
b.Continuing normal operating expenses incurred, including payroll.
2."Claim" means:
a.A written demand for monetary or nonmonetary damages, including injunctive relief;
b.A civil proceeding commenced by the service of a complaint or similar proceeding; or
c.Under Paragraph (2) of Insuring Agreement d. Security Breach Liability, a "regulatory proceeding" commenced by the filing of a notice of charges, formal investigative order, service of summons or similar document;
against any insured for a "wrongful act", including any appeal therefrom.
3."Computer program" means a set of related electronic instructions, which direct the operation and function of a computer or devices connected to it, which enables the computer or devices to receive, process, store or send "electronic data".
4."Computer system" means the following which are owned, leased or operated by you:
a.Computers, including Personal Digital Assistants (PDAs) and other transportable or hand-held devices, electronic storage devices and related peripheral components;
b.Systems and applications software; and
c.Related communications networks;
by which "electronic data" is collected, transmitted, processed, stored or retrieved.
5."Defense expenses" means the reasonable and necessary fees (attorneys' and experts' fees) and expenses incurred in the defense or appeal of a "claim", including the cost of appeal, attachment or similar bonds (without any obligation on our part to obtain such bonds) but excluding wages, salaries, benefits or expenses of your "employees".
6."E-commerce activities" means those activities conducted by you in the normal conduct of your business via the Internet or other computer-based interactive communications network.
7."E-commerce incident" means a:
a."Virus";
b.Malicious code; or
c.Denial of service attack;
introduced into or enacted upon the "computer system" (including "electronic data") or a network to which it is connected, that is designed to damage, destroy, delete, corrupt or prevent the use of or access to any part of the "computer system" or otherwise disrupt its normal operation.
Recurrence of the same "virus" after the "computer system" has been restored shall constitute a separate "e-commerce incident".
8."Extortion expenses" means:
a.Fees and costs of:
(1)A security firm; or
(2)A person or organization;
hired with our consent to determine the validity and severity of an "extortion threat" made against you;
b.Interest costs paid by you for any loan from a financial institution taken by you to pay a ransom demand;
c.Reward money paid by you to an "informant" which leads to the arrest and conviction of parties responsible for "loss"; and
d.Any other reasonable expenses incurred by you with our written consent, including:
(1)Fees and costs of independent negotiators; and
(2)Fees and costs of a company hired by you, upon the recommendation of the security firm, to protect your "electronic data" from further threats.
9."Extortion threat" means a threat or series of related threats:
a.To perpetrate an "e-commerce incident";
b.To disseminate, divulge or utilize:
(1)Your proprietary information; or
(2)Weaknesses in the source code;
within the "computer system" by gaining unauthorized access to the "computer system";
c.To destroy, corrupt or prevent normal access to the "computer system" by gaining unauthorized access to the "computer system";
d.To inflict "ransomware" on the "computer system" or a network to which it is connected; or
e.To publish your client's "personal information".
10."Extra expense" means necessary expenses you incur:
a.During an "interruption" that you would not have incurred if there had been no "interruption"; or
b.To avoid or minimize the suspension of your "e-commerce activities".
"Extra expense" does not include any costs or expenses associated with upgrading, maintaining, improving, repairing or remediating any "computer system".
11."Informant" means a person, other than an "employee", providing information not otherwise obtainable, solely in return for a reward offered by you.
12."Interrelated wrongful acts" means all "wrongful acts" that have as a common nexus any:
a.Fact, circumstance, situation, event, transaction or cause; or
b.Series of causally connected facts, circumstances, situations, events, transactions or causes.
13."Interruption" means:
a.With respect to an "e-commerce incident":
(1)An unanticipated cessation or slowdown of your "e-commerce activities"; or
(2)Your suspension of your "e-commerce activities" for the purpose of avoiding or mitigating the possibility of transmitting a "virus" or malicious code to another person or organization;
and, with regard to Paragraphs 13.a.(1) and 13.a.(2), shall be deemed to begin when your "e-commerce activities" are interrupted and ends at the earliest of:
(a)90 days after the "interruption" begins;
(b)The time when your "e-commerce activities" are resumed; or
(c)The time when service is restored to you.
b.With respect to an "extortion threat", your voluntary suspension of your "e-commerce activities":
(1)Based upon clear evidence of a credible threat; or
(2)Based upon the recommendation of a security firm, if any;
and, with regard to Paragraphs 13.b.(1) and 13.b.(2), shall be deemed to begin when your "e-commerce activities" are interrupted and ends at the earliest of:
(a)14 days after the "interruption" begins;
(b)The time when your "e-commerce activities" are resumed; or
(c)The time when service is restored to you.
14."Loss" means:
a.With respect to Insuring Agreement a. Replacement Or Restoration Of Electronic Data:
The cost to replace or restore "electronic data" or "computer programs" as well as the cost of data entry, reprogramming and computer consultation services.
"Loss" does not include the cost to duplicate research that led to the development of your "electronic data" or "computer programs". To the extent that any "electronic data" cannot be replaced or restored, we will pay the cost to replace the media on which the "electronic data" was stored with blank media of substantially identical type.
b.With respect to Insuring Agreement b. Public Relations Expense: "Public relations expenses".
c.With respect to Insuring Agreement c. Security Breach Expense: "Security breach expenses".
d.With respect to Insuring Agreements d. Security Breach Liability and g. Web Site Publishing Liability:
(1)Compensatory damages, settlement amounts and costs awarded pursuant to judgments or settlements;
(2)Punitive and exemplary damages to the extent such damages are insurable by law; or
(3)Under Paragraph (2) of Insuring Agreement d. Security Breach Liability, fines or penalties assessed against the insured to the extent such fines or penalties are insurable by law.
With regard to Paragraphs d.(1) through d.(3), "loss" does not include:
(a)Civil or criminal fines or penalties imposed by law, except civil fines or penalties as provided under Paragraph d.(3);
(b)The multiplied portion of multiplied damages;
(c)Taxes;
(d)Royalties;
(e)The amount of any disgorged profits; or
(f)Matters that are uninsurable pursuant to law.
e.With respect to Insuring Agreement e. Extortion Threats:
"Extortion expenses" and "ransom payments".
f.With respect to Insuring Agreement f. Business Income And Extra Expense:
The actual loss of "business income" you sustain and/or "extra expense" you incur.
15."Negative publicity" means information which has been made public that has caused, or is reasonably likely to cause, a decline or deterioration in the reputation of the Named Insured or of one or more of its products or services.
16."Personal information" means any information not available to the general public for any reason through which an individual may be identified, including, but not limited to, an individual's:
a.Social security number, driver's license number or state identification number;
b.Protected health information;
c.Financial account numbers;
d.Security codes, passwords, PIN numbers associated with credit, debit or charge card numbers which would permit access to financial accounts; or
e.Any other nonpublic information as defined in "privacy regulations".
17."Policy period" means the period of time from the inception date of this Policy shown in the Declarations to the expiration date shown in the Declarations, or its earlier cancellation or termination date.
18."Privacy regulations" means any of the following statutes and regulations, and their amendments, associated with the control and use of personally identifiable financial, health or other sensitive information including, but not limited to:
a.The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191);
b.The Health Information Technology for Economic and Clinical Health Act (HITECH) (American Recovery and Reinvestment Act of 2009);
c.Gramm-Leach-Bliley Act of 1999;
d.Section 5(a) of the Federal Trade Commission Act (15 U.S.C. 45(a)), but solely for alleged unfair or deceptive acts or practices in or affecting commerce;
e.Identity Theft Red Flags Rules under the Fair and Accurate Credit Transactions Act of 2003; or
f.Any other similar state, federal or foreign identity theft or privacy protection statute or regulation.
19."Public relations expenses" means:
a.Fees and costs of a public relations firm; and
b.Any other reasonable expenses incurred by you with our written consent;
to protect or restore your reputation solely in response to "negative publicity".
20."Ransom payment" means a payment made in the form of cash.
21. "Ransomware" means any software that encrypts "electronic data" held within the "computer system" and demands a "ransom payment" in order to decrypt and restore such "electronic data".
22. "Regulatory proceeding" means an investigation, demand or proceeding brought by, or on behalf of, the Federal Trade Commission, Federal Communications Commission or other administrative or regulatory agency, or any federal, state, local or foreign governmental entity in such entity's regulatory or official capacity.
23. "Security breach" means the acquisition of "personal information" held within the "computer system" or in non-electronic format while in the care, custody or control of the insured or authorized "third party" by a person:
a. Who is not authorized to have access to such information; or
b. Who is authorized to have access to such information but whose access results in the unauthorized disclosure of such information.
24. "Security breach expenses" means:
a. Costs to establish whether a "security breach" has occurred or is occurring;
b. Costs to investigate the cause, scope and extent of a "security breach" and to identify any affected parties;
c. Costs to determine any action necessary to correct or remediate the conditions that led to or resulted from a "security breach", including, but not limited to, fees paid for legal and other professional advice on how to respond to the "security breach";
d. Costs to notify all parties affected by a "security breach", including, but not limited to, notice to be transmitted through media required by "privacy regulations";
e. Overtime salaries paid to "employees" assigned to handle inquiries from the parties affected by a "security breach";
f. Fees and costs of a company hired by you for the purpose of operating a call center to handle inquiries from the parties affected by a "security breach";
g. Post-event monitoring costs for the parties affected by a "security breach" for up to one year from the date of notification to those affected parties of such "security breach"; and
h. Any other reasonable expenses incurred by you with our written consent.
"Security breach expenses" do not include any costs or expenses associated with upgrading, maintaining, improving, repairing or remediating any "computer system" as a result of a "security breach".
25. "Third party" means any entity that you engage under the terms of a written contract to perform services for you.
26. "Virus" means any kind of malicious code designed to damage or destroy any part of the "computer system" (including "electronic data") or disrupt its normal functioning.
27. "Wrongful act" means:
a. With respect to Insuring Agreement d. Security Breach Liability:
Any actual or alleged neglect, breach of duty or omission by an insured that results in:
(1) A "security breach"; or
(2) A "computer system" transmitting, by email or other means, a "virus" to another person or organization.
b. With respect to Insuring Agreement g. Web Site Publishing Liability:
Any actual or alleged error, misstatement or misleading statement posted or published by an insured on its web site that results in an infringement of another's copyright, trademark, trade name, trade dress, title, slogan, service name or service mark. This does not include infringing upon another's copyright, trade dress or slogan in your "advertisement".
Analysis:
The endorsement adds twenty-seven definitions to the property and liability sections of the Businessowners Coverage Form to address the unique coverages offered by the endorsement.
While the Businessowners Coverage Form explains what is meant by "computer," the Information Security Protection Endorsement requires that an explanation of computer program and computer system be provided. Terms used throughout the insuring agreements to describe the available coverages are defined.
Two endorsements can be attached to the Information Security Protection Endorsement: Payment Card Industry (PCI) – Provide Coverage For Defense Expenses And Fines Or Penalties, BP 15 08 03 15, and Provide Coverage for Dishonest, Malicious or Fraudulent Acts Committed by Employees, BP 15 10 03 15.
The Payment Card Industry (PCI) – Provide Coverage For Defense Expenses And Fines Or Penalties endorsement adds coverage to the security breach liability insuring agreement for loss and defense costs resulting from claims in the form of actions made against the insured by a card company for noncompliance with the Payment Card Industry (PCI) Data Security Standards.
A "card company" is defined as "American Express, Discover Financial Services, JCB International, MasterCard Worldwide, Visa Inc. or any other credit card company that requires its merchants to adhere to the Payment Card Industry (PCI) Data Security Standards." A claim under this endorsement includes an action brought by a card company, and a loss includes fines and penalties assessed against the insured.
The exclusion for fines, penalties or assessments imposed pursuant to contract or agreement, whether oral or written, including, but not limited to, Payment Card Industry fines, penalties, or assessments does not apply.
The Provide Coverage For Dishonest, Malicious Or Fraudulent Acts Committed By Employees endorsement simply adds coverage for dishonest, malicious or fraudulent acts committed by an employee for the entire Information Security Protection Endorsement, instead of for just the security breach liability insuring agreement, as provided in exclusion r.
Includes copyrighted material of Insurance Services Office, Inc., with its permission.

