Financial Institutions Information Security Protection Policy
November 14, 2016
Financial institutions of all types store many kinds of personal information about their customers. Holding that information carries the risk that private data will be exposed and then used for identity theft.
The Financial Institutions Information Security Protection Policy, EC 00 11 01 14, was developed with those issues in mind.
Topics covered:
Section I – insuring agreements
Introduction
This form is designed for use by financial institutions including banks, savings institutions, securities brokers and dealers, insurance companies, finance companies, credit unions and mortgage bankers. The first three insuring agreements, Web Site Publishing Liability, Security Breach Liability and Programming Errors And Omissions Liability, have limits beginning at $500,000 with a $5,000 deductible. The limit and the deductible may both be increased, and the deductible may also be decreased if the insured so desires.
The policy has a basic and an extended reporting period for the first three insuring agreements. These will be discussed where necessary. In order for the insuring agreements to apply, there must be an aggregate limit shown in the declarations.
Section I – Insuring Agreements
Agreements for which an Aggregate Limit Of Insurance is shown in the Declarations:
1. Web Site Publishing Liability
We will pay for both "loss" that the "insured" becomes legally obligated to pay and "defense expenses" as a result of a "claim" first made against the "insured" during the "policy period" or during the applicable Extended Reporting Period, for a "wrongful act" or a series of "interrelated wrongful acts" taking place on or after the Retroactive Date, if any, shown in the Declarations and before the end of the "policy period".
2. Security Breach Liability
a. We will pay for both "loss" that the "insured" becomes legally obligated to pay and "defense expenses" as a result of a "claim" first made against the "insured" during the "policy period" or during the applicable Extended Reporting Period, for a "wrongful act" or a series of "interrelated wrongful acts" taking place on or after the Retroactive Date, if any, shown in the Declarations and before the end of the "policy period".
b. We will pay for both "loss" and "defense expenses" as a result of a "claim" in the form of a "regulatory proceeding" first made against the "insured" during the "policy period" or during the applicable Extended Reporting Period, in response to a "wrongful act" or a series of "interrelated wrongful acts" covered under Paragraph 2.a.
Analysis
The definition of "wrongful act" is key to understanding the coverage provided by the first three insuring agreements. For the Web Site Publishing insuring agreement, a "wrongful act" is an actual or alleged error, misstatement or misleading statement published or posted by the insured on its web site that results in infringement of another's copyright, title, slogan, trademark, trade name, trade dress, service mark or name, in defamation of a person or organization, or in a violation of a person's right of privacy. If an insurance company accidentally posted the details of an insured's claim on its web site, that would violate the claimant's right of privacy and would be covered.
"Interrelated wrongful acts" are acts that have a fact, circumstance, situation, event, transaction or cause, or series of such in common. The repeated posting of a trademark that is too similar to a competitor's trademark would be "interrelated wrongful acts."
Like any claims-made liability policy, coverage is for loss the insured is legally obligated to pay, plus defense expenses, as a result of a claim first made during the policy period or the extended reporting period, if there is one. The wrongful act itself must take place on or after the retroactive date shown in the declarations, if any, and before the end of the policy period.
Paragraph a. of the second insuring agreement, Security Breach Liability, has exactly the same wording as the Web Site Publishing agreement. What differs is the definition of "wrongful act" used for this agreement: an actual or alleged neglect, breach of duty or omission by an "insured" that results in a "security breach", or in the "computer system" transmitting a "virus" to another person or organization by e-mail or other means. If the insured has not properly secured its computer system and the system is hacked and spreads a virus to all of its customers, coverage is provided as long as the insured is legally liable. Likewise, if the personal information of the insured's customers is accessed and used to create false identities or simply to misuse the customers' charge cards, coverage is provided. Defense expenses are provided as well, and Paragraph b. extends the agreement to "regulatory proceedings" brought in response to the same wrongful acts.
A "security breach" is defined as the acquisition of "personal information" within the insured's "computer system" either by an unauthorized person or by someone authorized to access the information who then discloses it without authorization; a hacker selling customer records is an example of the former, an employee doing the same an example of the latter. "Personal information" includes social security numbers, protected health information, driver's license numbers, and other protected information. A "computer system" is the computers, transportable or handheld devices, other electronic storage devices and components, systems and applications software, and communication networks by which data is collected, stored, transmitted, or retrieved. So the definition reaches not only the computers in the office but also the tablets, smart phones and other devices used by the company and its employees.
3. Programming Errors And Omissions Liability
We will pay for both "loss" that the "insured" becomes legally obligated to pay and "defense expenses" as a result of a "claim" first made against the "insured" during the "policy period" or during the applicable Extended Reporting Period, for a "wrongful act" or a series of "interrelated wrongful acts" taking place on or after the Retroactive Date, if any, shown in the Declarations and before the end of the "policy period".
4. Replacement Or Restoration Of Electronic Data
We will pay for "loss" of "electronic data" or "computer programs" stored within the "computer system" resulting directly from an "e-commerce incident" sustained during the "policy period".
5. Extortion Threats
We will pay for "loss" resulting directly from an "extortion threat" communicated to you during the "policy period".
However, we will not pay for "extortion expenses" or "ransom payments" which are part of a series of related threats that began prior to the "policy period".
6. Business Income And Extra Expense
We will pay for "loss" due to an "interruption" resulting directly from an "e-commerce incident" sustained during the "policy period" or an "extortion threat" communicated to you during the "policy period".
7. Public Relations Expense
We will pay for "loss" due to "negative publicity" resulting directly from an "e-commerce incident" or a "security breach" sustained during the "policy period".
8. Security Breach Expense
We will pay for "loss" resulting directly from a "security breach" sustained during the "policy period".
Analysis
Under insuring agreement 3, Programming Errors And Omissions Liability, a "wrongful act" is an actual or alleged programming error or omission that results in the disclosure of customers' "personal information" held within the "computer system". So if a programming error causes customer information to be disseminated widely over the internet, coverage applies for the loss and the defense expenses.
If an "e-commerce incident" causes the loss of "electronic data" or "computer programs" stored within the insured's computer system, that loss is covered under insuring agreement 4, provided it results directly from the incident. An "e-commerce incident" is a "virus", malicious code or denial of service attack introduced into the system with the intention of damaging, destroying, deleting, corrupting or preventing use of or access to any part of the system; despite the name, it need not have anything to do with commerce. If the insured's system is hacked and its data is corrupted, or the insured can no longer access its data, that loss is covered.
The next agreement deals with loss caused by "extortion threats". An "extortion threat" is exactly what it sounds like: a threat by someone who has gained unauthorized access to the system to disseminate, divulge or use the insured's proprietary information unless payment is made. The extortionist demands funds in exchange for not wreaking havoc within the system or divulging private information about the insured's customers. The threat must be communicated to the insured during the policy period, and "extortion expenses" and "ransom payments" are not paid if the threat is part of a series of related threats that began before the policy period; a continuation of earlier threats is therefore not covered.
Business income loss and extra expense are covered when caused by an "interruption" that results directly from an "e-commerce incident" sustained during the policy period. An "interruption" is what it sounds like: an unexpected stoppage or slowdown of e-commerce activities, or the suspension of those activities in order to avoid transmitting a virus or malicious code to others. Business income loss and extra expense resulting directly from an "extortion threat" communicated during the policy period are covered in the same way.
Public Relations Expense again requires that the loss result directly from an "e-commerce incident" or a "security breach", and the loss must be due to "negative publicity", that is, information that causes or is likely to cause a decline in the reputation of the insured or of one or more of its products. If a security breach exposes early test results showing that a product was not effective and those results are made public, the insured is covered for the expenses it incurs trying to recover from that "negative publicity".
Security Breach Expense coverage is straightforward: it pays loss resulting directly from a "security breach" sustained during the policy period. The same definition of "security breach" applies here as under the liability agreement, namely the acquisition of personal information within the computer system by an unauthorized person, or by an authorized person who discloses it without authorization.
SECTION II – LIMITS OF INSURANCE
1. Policy Aggregate Limit Of Insurance
The most we will pay for all "loss", and "defense expenses" if covered, under this Policy is the Policy Aggregate Limit Of Insurance shown in the Declarations. The Policy Aggregate Limit of Insurance shall be reduced by the amount of any payment made under the terms of this Policy.
Upon exhaustion of the Policy Aggregate Limit of Insurance by such payments, we will have no further obligations or liability of any kind under this Policy.
2. Insuring Agreement Aggregate Limit Of Insurance
a. Subject to the Policy Aggregate Limit of Insurance, the most we will pay for all "loss", and "defense expenses" if covered, under each Insuring Agreement, is the Insuring Agreement Aggregate Limit Of Insurance shown in the Declarations:
(1) The Insuring Agreement Aggregate Limit of Insurance shall be reduced by the amount of any payment for "loss", and "defense expenses" if covered, under that Insuring Agreement; and
(2) Upon exhaustion of the Insuring Agreement Aggregate Limit of Insurance by such payments, we will have no further obligations or liability of any kind under that Insuring Agreement.
b. If coverage for "regulatory proceedings" is being provided under Paragraph b. of Insuring Agreement 2. Security Breach Liability, the Limit of Insurance shall be part of, not in addition to, the Aggregate Limit of Insurance for the Insuring Agreement.
Analysis
The policy has two levels of aggregate limits, one at the policy level and one at the insuring agreement level. The lower level is the insuring agreement aggregate. Payments of loss, and of defense expenses where covered, under an insuring agreement reduce the limit remaining for that agreement, and once that aggregate is exhausted the carrier has no further obligation of any kind under that agreement. Under insuring agreement 2, Security Breach Liability, coverage for "regulatory proceedings" is part of the agreement's aggregate limit, not additional coverage.
Above the insuring agreement aggregates sits the policy aggregate, which every payment under the policy also reduces. Once it is exhausted, the carrier has no further obligations under the policy at all. The policy aggregate can be used up by payments under some insuring agreements while others still have unused limits, and in that case no coverage remains for those agreements either. For example, suppose the policy aggregate is $20 million and each insuring agreement has a limit of $5 million. Losses totaling $20 million are paid under the first five agreements. A $2 million claim is then made under Public Relations Expense, an agreement with no prior claims and its full $5 million limit untouched. There is still no coverage, because the policy aggregate has already been reached.
SECTION III – DEDUCTIBLE
1. Subject to Section II – Limits Of Insurance:
a. Under Insuring Agreements 1. Web Site Publishing Liability, 2. Security Breach Liability and 3. Programming Errors And Omissions Liability:
We will pay only the amount of "loss" and "defense expenses" which are in excess of the applicable Deductible Amount shown in the Declarations resulting from the same "wrongful act" or "interrelated wrongful acts". Such Deductible Amount will be borne by you, self-insured, and at your own risk.
b. Under Insuring Agreements 4. Replacement Or Restoration Of Electronic Data, 5. Extortion Threats, 7. Public Relations Expense and 8. Security Breach Expense:
We will pay only the amount of "loss" which is in excess of the applicable Deductible Amount shown in the Declarations.
c. Under Insuring Agreement 6. Business Income And Extra Expense:
We will pay only the amount of "loss" which exceeds the greater of:
(1) The Deductible Amount shown in the Declarations; or
(2) The amount of "loss" incurred during the Waiting Period shown in the Declarations.
2. In the event a "loss" is covered under more than one Insuring Agreement, only the highest Deductible Amount applicable to the "loss" shall be applied.
Analysis
The deductible applies slightly differently among the insuring agreements. Under the first three, Web Site Publishing, Security Breach and Programming Errors And Omissions Liability, the loss and defense expenses arising from the same wrongful act or interrelated wrongful acts must exceed the deductible before any payment is made, and the deductible must be self-insured, borne by the insured at its own risk. That is standard practice, although the wording spelling it out is unusual.
Under agreements 4, 5, 7 and 8, Replacement Or Restoration Of Electronic Data, Extortion Threats, Public Relations Expense and Security Breach Expense, the loss must exceed the deductible before payment is made. No mention is made of defense expenses, because these agreements pay "loss" only.
Under agreement 6, Business Income And Extra Expense, the carrier pays only the loss that exceeds the greater of the deductible shown in the declarations or the amount of loss incurred during the waiting period shown in the declarations, so the waiting period functions as a time deductible. The base waiting period is twenty-four hours; a surcharge factor of 1.05 applies if the insured wants to shorten the waiting period to eight hours. When a loss is covered under more than one insuring agreement, only the highest applicable deductible is applied.
SECTION IV – DEFENSE AND SETTLEMENT
The provisions contained within this section apply only to Insuring Agreements 1. Web Site Publishing Liability, 2. Security Breach Liability and 3. Programming Errors And Omissions Liability:
1. We shall have the right and duty to select counsel and defend the "insured" against any "claim" covered under Insuring Agreements 1. Web Site Publishing Liability, 2. Security Breach Liability and 3. Programming Errors And Omissions Liability, even if the allegations of such "claim" are groundless, false or fraudulent. However, we shall have the right but not the duty to defend the "insured" against a "claim" covered under Paragraph b. of Insuring Agreement 2. Security Breach Liability, and we shall have no duty to defend the "insured" against any "claim" which is not covered under any of these Insuring Agreements.
2. We may, upon the written consent of the "insured", make any settlement of a "claim" which we deem reasonable. If the "insured" withholds consent to such settlement, our liability for all "loss" resulting from such "claim" will not exceed the amount for which we could have settled such "claim", plus "defense expenses" incurred, as of the date we proposed such settlement in writing to the "insured". Upon refusing to consent to a settlement we deem reasonable, the "insured" shall, at its sole expense, assume all further responsibility for its defense, including all additional costs associated with the investigation, defense and/or settlement of such "claim".
Analysis
This section applies only to the first three insuring agreements, Web Site Publishing Liability, Security Breach Liability and Programming Errors And Omissions Liability. For claims made under any of these three, the carrier has both the right and the duty to select counsel and defend the insured, even if the claim is groundless, false or fraudulent. For regulatory proceedings covered under Paragraph b. of Security Breach Liability, the carrier has the right to defend but not the duty, and it has no duty to defend claims not covered under these agreements.
With the insured's written consent, the carrier may settle any claim on terms it deems reasonable. If the insured withholds consent, the carrier's liability for the claim is capped at the amount for which it could have settled, plus the defense expenses incurred, as of the date it proposed the settlement in writing. From the point of refusal the insured is on its own, bearing at its sole expense all further costs of investigating, defending and settling the claim.
SECTION V – EXCLUSIONS
We will not be liable for "loss" or "defense expenses":
1. Based upon, attributable to or arising out of lightning, earthquake, hail, volcanic action or any other act of nature.
2. Based upon, attributable to or arising out of:
a. War, including undeclared or civil war or civil unrest;
b. Warlike action by military force, including action hindering or defending against an actual or expected attack, by any government, sovereign or other authority using military personnel or other agents; or
c. Insurrection, rebellion, revolution, usurped power, or action taken by government authority in hindering or defending against any of these.
3. Based upon, attributable to or arising out of the dispersal or application of pathogenic or poisonous biological or chemical materials, nuclear reaction, nuclear radiation or radioactive contamination, or any related act or incident, however caused.
4. Based upon, attributable to or arising out of bodily injury or physical damage to or destruction of tangible property, including loss of use thereof.
Bodily injury means bodily injury, sickness or disease sustained by a person, including death resulting from any of these at any time.
5. Based upon, attributable to or arising out of any unexplained or indeterminable failure, malfunction or slowdown of the "computer system", including "electronic data" and the inability to access or properly manipulate the "electronic data".
6. Based upon, attributable to or arising out of any "interruption" in normal computer function or network service or function due to insufficient capacity to process transactions or due to an overload of activity on the "computer system" or network. However, this exclusion shall not apply if such "interruption" is caused by an "e-commerce incident".
7. Based upon, attributable to or arising out of a complete or substantial failure, disablement or shutdown of the Internet, regardless of the cause.
8. Based upon, attributable to or arising out of any failure of, reduction in or surge of power.
9. Based upon, attributable to or arising out of any actual or alleged violation of the Racketeer Influenced and Corrupt Organizations Act (RICO) and its amendments, or similar provisions of any federal, state or local statutory or common law.
Analysis
Many of the exclusions are standard and self-explanatory, and all apply to both loss and defense expenses. Loss or defense expenses based upon, attributable to or arising out of lightning, earthquake, hail, volcanic action or any other act of nature are excluded. Note the unusual wording; exclusions normally apply to loss "caused directly or indirectly by" the peril, not to loss "based upon, attributable to or arising out of" it. This wording persists throughout all the exclusions. War, civil unrest, warlike action, insurrection, rebellion, revolution and the usual similar perils are excluded.
Exclusion 3 addresses loss based upon or attributable to the dispersal or application of pathogenic or poisonous biological or chemical materials, nuclear reaction, nuclear radiation or radioactive contamination, or any related act or incident, however caused. Bodily injury and physical damage to or destruction of tangible property, including loss of use of that property, are excluded. Bodily injury carries its standard definition: injury, sickness or disease sustained by a person, including death. Remember that this policy is specific to financial institution information security and is not a property policy.
The next few exclusions are aimed squarely at computer malfunctions and interruptions. Excluded are loss based upon, attributable to or arising out of any unexplained or indeterminable failure, malfunction or slowdown of the computer system, including electronic data and the inability to access or manipulate it; any interruption in normal computer or network function due to insufficient capacity or an overload of activity, unless the interruption is caused by an "e-commerce incident"; any complete or substantial failure, disablement or shutdown of the Internet, regardless of cause; and any failure of, reduction in or surge of power. Coverage is designed for wrongful acts and incidents as defined, not for ordinary physical and operational perils. Loss arising out of any actual or alleged violation of the Racketeer Influenced and Corrupt Organizations Act (RICO) or similar laws is excluded as well.
10. Based upon, attributable to or arising out of any malfunction or failure of any satellite.
11. Based upon, attributable to or arising out of any oral or written publication of material, if done by an "insured" or at an "insured's" direction with knowledge of its falsity.
12. Based upon, attributable to or arising out of an "insured's" assumption of liability by contract or agreement, whether oral or written. However, this exclusion shall not apply to any liability that an "insured" would have incurred in the absence of such contract or agreement.
13. Based upon, attributable to or arising out of any actual or alleged patent or trade secret violation, including any actual or alleged violation of the Patent Act, the Economic Espionage Act of 1996 or the Uniform Trade Secrets Act and their amendments.
14. Based upon, attributable to or arising out of:
a. The actual, alleged or threatened discharge, dispersal, seepage, migration, release or escape of "pollutants" at any time;
b. Any request, demand, order or statutory or regulatory requirement that any "insured" or others test for, monitor, clean up, remove, contain, treat, detoxify or neutralize, or in any way respond to, or assess the effects of, "pollutants"; or
c. Any "claim" or "suit" brought by, or on behalf of, any governmental authority for damages because of testing for, monitoring, cleaning up, removing, containing, treating, detoxifying or neutralizing, or in any way responding to, or assessing the effects of, "pollutants".
15. Based upon, attributable to or arising out of any "claim", "suit" or other proceeding against an "insured" which was pending or existed prior to the "policy period", or arising out of the same or substantially the same facts, circumstances or allegations which are the subject of, or the basis for, such "claim", "suit" or other proceeding.
16. Based upon, attributable to or arising out of an "insured's" employment practices including, but not limited to, termination of employment, demotion, reassignment, discipline, harassment, coercion or refusal to employ regardless of whether the "insured" is liable as an employer or in any other capacity.
17. Based upon, attributable to or arising out of any "wrongful act" or "interrelated wrongful acts" that occurred before the Retroactive Date, if any, shown in the Declarations.
Analysis
Also excluded are losses based upon the malfunction or failure of any satellite; oral or written publications made by or at the direction of an insured with knowledge of their falsity; liability the insured assumed by contract or agreement, oral or written, except liability it would have had anyway without the contract; and any actual or alleged patent or trade secret violation, including violations of the Patent Act, the Economic Espionage Act of 1996 or the Uniform Trade Secrets Act. The exclusion of publications known to be false is standard, and the trade secret exclusion is in the same spirit, since such violations infringe the rights of others.
The pollution exclusion that follows is typical of any pollution exclusion, covering the actual, alleged or threatened escape of pollutants, any demand or requirement to test for, monitor, clean up or otherwise respond to pollutants, and claims or suits brought by or on behalf of a governmental authority for damages because of such testing, monitoring, containing, treating or responding.
Exclusion 15 removes any claim, suit or proceeding that was pending or existed before the policy period, and anything arising out of the same or substantially the same facts, circumstances or allegations. Exclusion 17 removes wrongful acts and interrelated wrongful acts that occurred before the retroactive date, if one is shown in the declarations. Losses related to employment practices are excluded as well, including termination, demotion, discipline, harassment, refusal to employ and other employment-related causes of loss.
18. Based upon, attributable to or arising out of the same facts, "wrongful acts" or "interrelated wrongful acts" alleged or contained in any "claim" which has been reported, or in any circumstances of which notice has been given, under any insurance policy of which this Policy is a renewal or replacement.
19. Based upon, attributable to or arising out of any criminal, dishonest, malicious or fraudulent act or any willful violation of any statute or regulation committed by an "insured", acting alone or in collusion with others. However, this exclusion shall not apply to dishonest, malicious or fraudulent acts committed by an "employee" which give rise to a "claim" or "loss" covered under Insuring Agreement 2. Security Breach Liability. With the exception of "claims" excluded under Exclusion 13., we will defend "claims" first made against an "insured" alleging such acts or violations until final adjudication is rendered against that "insured". Final adjudication rendered against one "insured" shall not be imputed to any other "insured".
We will not provide indemnification for any "claim" to which any "insured" enters a guilty plea or pleads no contest and we will not provide a defense from the time we become aware that any "insured" intends to so plead.
20. Based upon, attributable to or arising out of any action or proceeding brought by, or on behalf of, any governmental authority or regulatory agency including, but not limited to:
a. The seizure or destruction of property by order of a governmental authority; or
b. Regulatory actions or proceedings brought by, or on behalf of, the Federal Trade Commission, Federal Communications Commission or other regulatory agency, except when covered under Paragraph b. of Insuring Agreement 2. Security Breach Liability.
However, this exclusion shall not apply to actions or proceedings brought by a governmental authority or a regulatory agency acting solely in its capacity as a customer of the "named insured" or of a "subsidiary".
21. Based upon, attributable to or arising out of costs associated with upgrading or improving the "computer system" regardless of the reason for the upgrade.
22. Based upon, attributable to or arising out of any "claim" brought or alleged by one "insured" against another, except for a "claim" brought or alleged by an "employee" against an "insured" as a result of a "security breach".
23. Based upon, attributable to or arising out of unintentional errors or omissions in the entry of "electronic data" into the "computer system".
Analysis
The remaining exclusions start with loss arising from the same facts or wrongful acts already reported, or noticed as circumstances, under a policy that this one renews or replaces. Criminal, dishonest, malicious and fraudulent acts and willful violations of statute or regulation by an insured are excluded, with one important exception: dishonest, malicious or fraudulent acts of an "employee" that give rise to a claim or loss covered under Security Breach Liability remain covered. Fraudulent and malicious acts are normally excluded unless the policy is designed to provide specific coverage for certain acts and situations, as here for the rogue-employee breach. The carrier will still defend claims alleging such acts until final adjudication against that insured (except claims excluded under Exclusion 13), an adjudication against one insured is not imputed to another, and no indemnification or further defense is provided once an insured pleads guilty or no contest.
The standard exclusion for seizure or destruction of property by order of a governmental authority is present; such acts are neither accidental nor fortuitous. Regulatory actions or proceedings by the Federal Trade Commission, Federal Communications Commission or any other regulatory agency are excluded unless covered under Paragraph b. of Security Breach Liability, although the exclusion does not apply where the government body is acting solely as a customer of the named insured or a subsidiary. Costs of upgrading or improving the computer system are excluded regardless of the reason for the upgrade. Claims brought by one insured against another are excluded, except a claim brought by an "employee" against an "insured" as a result of a "security breach", which remains covered. Lastly, loss based upon unintentional errors or omissions in the entry of "electronic data" into the "computer system" is excluded. Such errors simply happen in the ordinary course of business and are not what this policy is designed to cover; a typing mistake that transfers money out of the wrong account, for example, may be a real problem, but it is not a security event.
SECTION VI – CONDITIONS
1. Cancellation
a. The first "named insured" shown in the Declarations may cancel this Policy by mailing or delivering to us advance written notice of cancellation.
b. We may cancel this Policy by mailing or delivering to the first "named insured" written notice of cancellation at least:
(1) 10 days before the effective date of cancellation if we cancel for nonpayment of premium; or
(2) 30 days before the effective date of cancellation if we cancel for any other reason.
c. We will mail or deliver our notice to the first "named insured's" last mailing address known to us.
d. Notice of cancellation will state the effective date of cancellation. The "policy period" will end on that date.
e. If this Policy is canceled, we will send the first "named insured" any premium refund due. If we cancel, the refund will be prorated. If the first "named insured" cancels, the refund may be less than pro rata. The cancellation will be effective even if we have not made or offered a refund.
f. If notice is mailed, proof of mailing will be sufficient proof of notice.
2. Changes
This Policy contains all the agreements between you and us concerning the insurance afforded.
The first "named insured" shown in the Declarations is authorized to make changes in the terms of this Policy with our consent. This Policy's terms can be amended or waived only by endorsement issued by us and made a part of this Policy.
3. Examination Of Your Books And Records
We may examine and audit your books and records as they relate to this Policy at any time during the "policy period" and up to three years afterward.
4. Inspections And Surveys
a. We have the right to:
(1) Make inspections and surveys at any time;
(2) Give you reports on the conditions we find; and
(3) Recommend changes.
b. We are not obligated to make any inspections, surveys, reports or recommendations, and any such actions we do undertake relate only to insurability and the premiums to be charged.
We do not make safety inspections. We do not undertake to perform the duty of any person or organization to provide for the health or safety of workers or the public. And we do not warrant that conditions:
(1) Are safe or healthful; or
(2) Comply with laws, regulations, codes or standards.
c. Paragraphs 4.a. and 4.b. of this condition apply not only to us, but also to any rating, advisory, rate service or similar organization which makes insurance inspections, surveys, reports or recommendations.
5. Premiums
The first "named insured" shown in the Declarations:
a. Is responsible for the payment of all premiums; and
b. Will be the payee for any return premiums we pay.
6. Transfer Of Your Rights And Duties Under This Policy
Your rights and duties under this Policy may not be transferred without our written consent.
7. Subrogation
With respect to any payment made under this Policy on behalf of any "insured", we shall be subrogated to the "insured's" rights of recovery to the extent of such payment. The "insured" shall execute all papers required and shall do everything necessary to secure and preserve such rights, including the execution of such documents necessary to enable us to bring suit in the "insured's" name. Any recoveries, less the cost of obtaining them, will be distributed as follows:
a. To you, until you are reimbursed for any "loss" you sustain that exceeds the sum of the applicable Aggregate Limit of Insurance and the Deductible Amount, if any;
b. Then to us, until we are reimbursed for the payment made under this Policy; and
c. Then to you, until you are reimbursed for that part of the payment equal to the Deductible Amount, if any.
8. Bankruptcy
Your bankruptcy will not relieve us of our obligations under this Policy. However, this condition shall not apply to any financial institution which is not subject to bankruptcy law.
9. Representations
You represent that all information and statements contained in the "application" are true, accurate and complete. All such information and statements are the basis for our issuing this Policy and shall be considered as incorporated into and shall constitute a part of this Policy. Misrepresentation of any material fact may be grounds for the rescission of this Policy.
Analysis
The next section is conditions, many of which are self-explanatory. The standard cancellation provisions, policy change provisions, examination of books and records, inspections and surveys, payment of premiums, transfer of rights, subrogation, bankruptcy, and representation provisions are here with standard wording. The bankruptcy clause states that the insured's bankruptcy will not affect the policy although this provision does not apply to institutions which are not subject to bankruptcy law. So it is possible that the bankruptcy of the insured could in fact relieve the carrier of its obligations to provide coverage, as long as the insured is not subject to bankruptcy law. As always, misrepresentations on the part of the insured may cause the policy to be rescinded.
10. Changes In Exposure
a. Acquisition Or Creation Of Another Institution
If before or during the "policy period":
(1) You acquire securities or voting rights in another institution or create another institution which, as a result of such acquisition or creation, becomes a "subsidiary"; or
(2) You acquire any institution through merger or consolidation; then such institution will be covered under this Policy but only with respect to "wrongful acts" or "loss" which occurred after the effective date of such acquisition or creation provided, with regard to Paragraphs 10.a.(1) and 10.a.(2), you:
(a) Give us written notice of the acquisition or creation of such institution within 90 days after the effective date of such action;
(b) Obtain our written consent to extend the coverage provided by this Policy to such institution; and
(c) Upon obtaining our consent, pay us an additional premium.
b. Acquisition Of Named Insured
If during the "policy period":
(1) The "named insured" merges into or consolidates with another institution, such that the "named insured" is not the surviving institution; or
(2) Another institution, or person or group of institutions and/or persons acting in concert, acquires securities or voting rights which result in ownership or voting control by the other institution(s) or person(s) of more than 50% of the outstanding securities or voting rights representing the present right to vote for the election of directors, trustees or managers (if a limited liability company) of the "named insured"; then the coverage afforded under this Policy will continue until the end of the "policy period", but only with respect to "claims" arising out of "wrongful acts" or "loss" which occurred prior to the effective date of such merger, consolidation or acquisition.
The full annual premium for the "policy period" will be deemed to be fully earned immediately upon the occurrence of such merger, consolidation or acquisition of the "named insured".
The "named insured" must give written notice of such merger, consolidation or acquisition to us as soon as practicable, together with such information as we may reasonably require.
c. Cessation Of Subsidiaries
If before or during the "policy period" an institution ceases to be a "subsidiary", the coverage afforded under this Policy with respect to such "subsidiary" will continue until the end of the "policy period" but only with respect to "claims" arising out of "wrongful acts" or "loss" which occurred prior to the date such institution ceased to be a "subsidiary".
d. Official Appointments
If during the "policy period" the appointment of a receiver, conservator, trustee, liquidator or rehabilitator, or any similar official, for or with respect to the "named insured" occurs, the coverage afforded under this Policy will continue until the end of the "policy period" but only with respect to "claims" arising out of "wrongful acts" or "loss" which occurred prior to the effective date of such appointment.
The full annual premium for the "policy period" will be deemed to be fully earned immediately upon the occurrence of such appointment of a receiver, conservator, trustee, liquidator or rehabilitator, or any similar official.
11. Other Insurance
a. If any covered "claim" or "loss" is insured by any other valid policy, then this Policy shall apply only in excess of the amount of any deductible, retention and limit of insurance under such other policy, whether such other policy is stated to be primary, contributory, excess, contingent or otherwise, unless such other policy is written specifically excess of this Policy by reference in such other policy to this Policy's policy number.
b. When this Policy is excess, we shall have no duty under Insuring Agreement 1. Web Site Publishing Liability, 2. Security Breach Liability or 3. Programming Errors And Omissions Liability to defend the "insured" against any "suit" if any other insurer has a duty to defend the "insured" against that "suit". If no other insurer defends, we will undertake to do so, but we will be entitled to the "insured's" rights against all those other insurers.
12. Legal Action Against Us
a. No person or organization has a right:
(1) To join us as a party or otherwise bring us into a "suit" asking for damages from an "insured"; or
(2) To sue us under this Policy unless all of its terms have been fully complied with. A person or organization may sue us to recover on an agreed settlement or on a final judgment against an "insured", but we will not be liable for damages that are not payable under Insuring Agreement 1. Web Site Publishing Liability, 2. Security Breach Liability or 3. Programming Errors And Omissions Liability, or that are in excess of the applicable Aggregate Limit of Insurance. An agreed settlement means a settlement and release of liability signed by us, the first "named insured" and the claimant or the claimant's legal representative.
b. You may not bring any legal action against us involving "loss":
(1) Unless you have complied with all the terms of this Policy;
(2) Until 90 days after you have filed proof of loss with us; and
(3) Unless brought within two years from the date you reported the "loss" to us.
If any limitation in this condition is prohibited by law, such limitation is amended so as to equal the minimum period of limitation provided by such law.
Analysis
The changes in exposure condition deals with the acquisition or creation of another institution; in order for wrongful acts to be covered, they must occur after the effective date of the acquisition or creation of the new organization, and the insurer must be notified of the new organization. If the insured is part of a merger or is itself acquired, then coverage under this policy lasts until the end of the policy period, but only for claims arising out of wrongful acts or losses that occurred prior to the merger. The intent of the policy is to cover the original insured, and not the entity the insured has become by merging with or being acquired by another company. Subsidiaries are covered similarly; if a subsidiary ceases to be a subsidiary, coverage continues until the end of the policy period, but only for the time the institution was a subsidiary of the insured. Whenever a liquidator, conservator, trustee or other such official is appointed for the insured, coverage applies only to losses that occurred before such appointment took place.
Both the other insurance and legal action against us conditions have some specific wording that applies to the first three insuring agreements only. With other insurance, there is no duty to defend under those agreements if another insurer has a duty to defend. If no other insurer defends, this one will, but it is then entitled to the insured's rights against those other carriers. With legal action, the carrier is not liable for damages that are not payable under the first three insuring agreements, or that exceed the applicable aggregate limit of insurance.
13. Separation Of Insureds
Except with respect to the applicable Aggregate Limit of Insurance, and any rights or duties specifically assigned in Insuring Agreement 1. Web Site Publishing Liability, 2. Security Breach Liability or 3. Programming Errors And Omissions Liability to the first "named insured", this Policy applies separately to each "insured" against whom "claim" is made.
14. Duties In The Event Of Claim Or Loss
In the event of either an occurrence or offense that may result in a "claim" against an "insured" or a "loss" or situation that may result in a "loss" covered under this Policy, you must notify us in writing as soon as practicable, but not to exceed 30 days, and cooperate with us in the investigation and settlement of the "claim" or "loss".
Additionally:
a. Under Insuring Agreements 1. Web Site Publishing Liability, 2. Security Breach Liability and 3. Programming Errors And Omissions Liability, you must:
(1) Immediately record the specifics of the "claim" and the date received;
(2) Immediately send us copies of any demands, notices, summonses or legal papers received in connection with the "claim";
(3) Authorize us to obtain records and other information; and
(4) Assist us, upon our request, in the enforcement of any right against any person or organization which may be liable to you because of an occurrence or offense to which this Policy may also apply.
You will not, except at your own cost, voluntarily make a payment, assume any obligation or incur any expense without our consent. A "claim" brought by a person or organization seeking damages will be deemed to have been made when the "claim" is received by an "insured".
b. Under Insuring Agreements 4. Replacement Or Restoration Of Electronic Data and 5. Extortion Threats, you must:
(1) Notify local law enforcement officials;
(2) Submit to examination under oath at our request and give us a signed statement of your answers; and
(3) Give us a detailed, sworn proof of loss within 120 days.
(4) In addition, under Insuring Agreement 5. Extortion Threats, you must:
(a) Determine that the "extortion threat" has actually occurred;
(b) Make every reasonable effort to immediately notify an associate and the security firm, if any, before making any "ransom payment" based upon the "extortion threat"; and
(c) Approve any "ransom payment" based upon the "extortion threat".
15. Valuation – Settlement
a. All premiums, Aggregate Limits of Insurance, Deductible Amounts, "loss" and any other monetary amounts under this Policy are expressed and payable in the currency of the United States of America. If judgment is rendered, settlement is agreed to or another component of "loss" under this Policy is expressed in any currency other than United States of America dollars, payment under this Policy shall be made in United States dollars at the rate of exchange published in The Wall Street Journal on the date the final judgment is entered, settlement amount is agreed upon or the other component of "loss" is due, respectively.
b. With respect to "loss" covered under Insuring Agreement 6. Business Income And Extra Expense:
(1) The amount of "business income" will be determined based on consideration of:
(a) The net income generated from your "e-commerce activities" before the "interruption" occurred;
(b) The likely net income generated by your "e-commerce activities" if no "interruption" had occurred, but not including any net income that would likely have been earned as a result of an increase in the volume of business due to favorable business conditions caused by the impact of the "e-commerce incident" on customers or on other businesses;
(c) The operating expenses, including payroll, necessary to resume your "e-commerce activities" with the same quality of service that existed before the "interruption"; and
(d) Other relevant sources of information, including your financial records and accounting procedures, bills, invoices and other vouchers, and debts, liens and contracts.
However, the amount of "business income" will be reduced to the extent that the reduction in the volume of business from the affected "e-commerce activities" is offset by an increase in the volume of business from other channels of commerce such as via telephone, mail or other sources.
(2) The amount of "extra expense" will be determined based on:
(a) Necessary expenses that exceed the normal operating expenses that would have been incurred in the course of your "e-commerce activities" during the period of coverage if no "interruption" had occurred. We will deduct from the total of such expenses the salvage value that remains of any property bought for temporary use during the period of coverage once your "e-commerce activities" are resumed; and
(b) Necessary expenses that reduce the "business income" "loss" that otherwise would have been incurred during the period of coverage.
16. Extended Reporting Periods
The provisions contained within this condition apply only to Insuring Agreements 1. Web Site Publishing Liability, 2. Security Breach Liability and 3. Programming Errors And Omissions Liability.
a. Basic Extended Reporting Period
(1) A Basic Extended Reporting Period is automatically provided without additional charge. This period starts with the end of the "policy period" and lasts for 30 days. A "claim" first made and reported by the "insured" during this 30-day period will be considered to have been received within the "policy period". However, the 30-day Basic Extended Reporting Period does not apply to "claims" that are covered under any subsequent insurance purchased by the "insured", or that would be covered but for exhaustion of the Aggregate Limit of Insurance applicable to such "claims".
(2) The Basic Extended Reporting Period does not extend the "policy period" or change the scope of coverage provided. It applies only to "claims" to which the following applies:
(a) The "claim" is first made and reported to us during the Basic Extended Reporting Period; and
(b) The "claim" arose out of either a "wrongful act" or the first of a series of "interrelated wrongful acts" which occurred on or after the Retroactive Date, if any, shown in the Declarations and before the end of the "policy period".
b. Supplemental Extended Reporting Period
(1) A Supplemental Extended Reporting Period is available if this Policy is canceled or not renewed by either you or us, but only by endorsement and for an extra charge. The Supplemental Extended Reporting Period starts when the Basic Extended Reporting Period set forth in Paragraph 16.a. ends.
The Supplemental Extended Reporting Period is available unless:
(a) We cancel this Policy for nonpayment of premium; or
(b) You fail to pay any amounts owed us.
(2) In order to obtain a Supplemental Extended Reporting Period, you must give us a written request for the Supplemental Extended Reporting Period Endorsement together with the full payment of the additional premium for the endorsement within 30 days after the end of the "policy period". The Supplemental Extended Reporting Period will not go into effect unless you pay the additional premium promptly when due.
(3) The Supplemental Extended Reporting Period does not extend the "policy period" or change the scope of coverage provided. It applies only to "claims" to which the following applies:
(a) The "claim" is first made and reported to us during the Supplemental Extended Reporting Period; and
(b) The "claim" arose out of either a "wrongful act" or the first of a series of "interrelated wrongful acts" which occurred on or after the Retroactive Date, if any, shown in the Declarations and before the end of the "policy period".
(4) Once in effect, the Supplemental Extended Reporting Period may not be canceled. The premium for the Supplemental Extended Reporting Period Endorsement will be deemed to be fully earned as of the date it is purchased.
c. There is no separate or additional Aggregate Limit of Insurance for the Basic Extended Reporting Period or the Supplemental Extended Reporting Period. The limit of insurance available during the Basic Extended Reporting Period, and the Supplemental Extended Reporting Period if purchased, shall be the remaining amount, if any, of the Aggregate Limit of Insurance of the respective Insuring Agreement, subject to the remaining amount of the Policy Aggregate Limit of Insurance at the time this Policy was canceled or nonrenewed.
d. The provisions of the Basic Extended Reporting Period and the Supplemental Extended Reporting Period shall not extend to any federal or state official or agency, or to any receiver, conservator, trustee, liquidator or rehabilitator, or any similar official, acting or appointed to take over the "insured's" business for the operation or liquidation thereof or for any other purpose.
17. Confidentiality
Under Insuring Agreement 5. Extortion Threats, "insureds" must make every reasonable effort not to divulge the existence of this coverage.
18. Territory
This Policy covers "wrongful acts" which occurred anywhere in the world. However, "suits" must be brought in the United States of America (including its territories and possessions), Puerto Rico or Canada.
Analysis
The next set of conditions is standard and self-explanatory. The separation of insureds condition carves out only the aggregate limit and the rights and duties assigned to the first named insured under the first three insuring agreements. Duties in the event of a loss are standard, with a few duties specific to certain insuring agreements, but again they are standard requirements. Under insuring agreements 4 and 5, for example, law enforcement must be notified of any loss, and the insured must submit to an examination under oath if requested. Proof of loss is required within 120 days instead of thirty. The extended reporting periods apply only to the first three insuring agreements. A condition requiring confidentiality applies to insuring agreement 5, extortion threats. It is important that the existence of such coverage be kept confidential, so that deliberate extortion attempts are not made because it is known that coverage is available to pay the extortionist's demands. While coverage applies worldwide, suits must be brought in the United States, its territories and possessions, Puerto Rico or Canada.
SECTION VII – DEFINITIONS
1. "Application" means the signed application for this Policy, including any attachments and other materials submitted in conjunction with the signed application.
2. "Business income" means the:
a. Net income (net profit or loss before income taxes) that would have been earned or incurred; and
b. Continuing normal operating expenses incurred, including payroll.
3. "Claim" means:
a. A written demand for monetary or nonmonetary damages, including injunctive relief;
b. A civil proceeding commenced by the service of a complaint or similar proceeding; or
c. Under Paragraph b. of Insuring Agreement 2. Security Breach Liability, a "regulatory proceeding" commenced by the filing of a notice of charges, formal investigative order, service of summons or similar document; against any "insured" for a "wrongful act", including any appeal therefrom.
4. "Computer program" means a set of related electronic instructions, which direct the operation and function of a computer or devices connected to it, which enables the computer or devices to receive, process, store or send "electronic data".
5. "Computer system" means the following which are owned, leased or operated by you:
a. Computers, including Personal Digital Assistants (PDAs) and other transportable or handheld devices, electronic storage devices and related peripheral components;
b. Systems and applications software; and
c. Related communications networks; by which "electronic data" is collected, transmitted, processed, stored or retrieved.
6. "Defense expenses" means the reasonable and necessary fees (attorneys' and experts' fees) and expenses incurred in the defense or appeal of a "claim", including the cost of appeal, attachment or similar bonds (without any obligation on our part to obtain such bonds) but excluding wages, salaries, benefits or expenses of your "employees".
7. "E-commerce activities" means those activities conducted by you in the normal conduct of your business via your web site or your e-mail system.
8. "E-commerce incident" means a:
a. "Virus";
b. Malicious code; or
c. Denial of service attack; introduced into or enacted upon the "computer system" (including "electronic data") or a network to which it is connected, that is designed to damage, destroy, delete, corrupt or prevent the use of or access to any part of the "computer system" or otherwise disrupt its normal operation.
Recurrence of the same "virus" after the "computer system" has been restored shall constitute a separate "e-commerce incident".
9. "Electronic data" means digital information, facts, images or sounds stored as or on, created or used on, or transmitted to or from computer software (including systems and applications software) on electronic storage devices including, but not limited to, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment. "Electronic data" is not tangible property.
"Electronic data" does not include your "electronic data" that is licensed, leased, rented or loaned to others.
10. "Employee" means any natural person who was, now is or will be:
a. Employed on a full- or part-time basis;
b. Furnished temporarily to you to substitute for a permanent employee on leave or to meet seasonal or short-term workload conditions;
c. Leased to you by a labor leasing firm under an agreement between you and the labor leasing firm to perform duties related to the conduct of your business, but does not mean a temporary employee as defined in Paragraph 10.b.;
d. An officer;
e. A director, trustee or manager (if a limited liability company);
f. A volunteer worker; or
g. A partner or member (if a limited liability company); of the "named insured" and those of any institution qualifying as a "subsidiary" under the terms of this Policy, but only while acting within the scope of their duties as determined by the "named insured" or such "subsidiary".
Analysis
Many of the definitions are self-explanatory and need just a brief mention. Application and business income are standard terms. Under Paragraph b. of insuring agreement 2 (security breach liability), "claim" also includes a "regulatory proceeding" commenced by the filing of a notice of charges, formal investigative order, summons or similar document against any insured for a "wrongful act", including any appeal.
"Computer program" is the instructions for the computer, while "computer system" is the actual equipment itself, including software and communication networks. "Defense expenses" are just that, expenses incurred when defending claims including attorney fees and cost of bonds.
The next three definitions deal with e-commerce. Activities are those conducted in the normal course of business via the web or email system, while an "e-commerce incident" is a "virus", malicious code or denial of service attack introduced into the system or network to which the system is connected. The "virus" is designed to damage, corrupt, delete or prevent use or access to any parts of the "computer system." A recurrence of the same "virus" is considered a separate "e-commerce incident." The definitions of "electronic data" and "employee" are standard.
11. "Extortion expenses" means:
a. Fees and costs of:
(1) A security firm; or
(2) A person or organization;
hired with our consent to determine the validity and severity of an "extortion threat" made against you;
b. Interest costs paid by you for any loan from a financial institution taken by you to pay a ransom demand;
c. Reward money paid by you to an "informant" which leads to the arrest and conviction of parties responsible for "loss"; and
d. Any other reasonable expenses incurred by you with our written consent, including:
(1) Fees and costs of independent negotiators; and
(2) Fees and costs of a company hired by you, upon the recommendation of the security firm, to protect your "electronic data" from further threats.
12. "Extortion threat" means a threat or series of related threats:
a. To perpetrate an "e-commerce incident";
b. To disseminate, divulge or utilize:
(1) Your proprietary information; or
(2) Weaknesses in the source code; within the "computer system" by gaining unauthorized access to the "computer system";
c. To destroy, corrupt or prevent normal access to the "computer system" by gaining unauthorized access to the "computer system";
d. To inflict "ransomware" on the "computer system" or a network to which it is connected; or
e. To publish your client's "personal information".
13. "Extra expense" means necessary expenses you incur:
a. During an "interruption" that you would not have incurred if there had been no "interruption"; or
b. To avoid or minimize the suspension of your "e-commerce activities".
"Extra expense" does not include any costs or expenses associated with upgrading, maintaining, improving, repairing or remediating any "computer system".
14. "Informant" means a person, other than an "employee", providing information not otherwise obtainable, solely in return for a reward offered by you.
15. "Insured" means any "named insured" and its "employees".
16. "Interrelated wrongful acts" means all "wrongful acts" that have as a common nexus any:
a. Fact, circumstance, situation, event, transaction or cause; or
b. Series of causally connected facts, circumstances, situations, events, transactions or causes.
17. "Interruption" means:
a. With respect to an "e-commerce incident":
(1) An unanticipated cessation or slowdown of your "e-commerce activities"; or
(2) Your suspension of your "e-commerce activities" for the purpose of avoiding or mitigating the possibility of transmitting a "virus" or malicious code to another person or organization; and, with regard to Paragraphs 17.a.(1) and 17.a.(2), shall be deemed to begin when your "e-commerce activities" are interrupted and ends at the earliest of:
(a) 90 days after the "interruption" begins;
(b) The time when your "e-commerce activities" are resumed; or
(c) The time when service is restored to you.
b. With respect to an "extortion threat", your voluntary suspension of your "e-commerce activities":
(1) Based upon clear evidence of a credible threat; or
(2) Based upon the recommendation of a security firm, if any; and, with regard to Paragraphs 17.b.(1) and 17.b.(2), shall be deemed to begin when your "e-commerce activities" are interrupted and ends at the earliest of:
(a) 14 days after the "interruption" begins;
(b) The time when your "e-commerce activities" are resumed; or
(c) The time when service is restored to you.
Analysis
"Extortion expenses" include fees for security firms or individuals hired to verify and handle extortion threats, interest on loans taken in order to pay the ransom, the ransom money itself, and reward money, as well as fees and costs of negotiators and companies hired to protect the "electronic data" from further threats. The insured must work with the carrier, and those hired to verify the extortion threat must be hired with the permission of the carrier.
An "extortion threat" is a threat to commit an "e-commerce incident" (inserting a "virus," malicious code, or a denial of service attack into the "computer system" or a connected network); a threat to disseminate, divulge or utilize the insured's proprietary information or weaknesses in the source code by gaining unauthorized access to the system; a threat to destroy, corrupt or prevent normal access to the system by gaining unauthorized access; a threat to inflict "ransomware" on the system; or a threat to publish clients' "personal information." An "e-commerce incident" can wreak havoc on a system and an insured, which is why "extortion expenses" include verifying such threats; a threat of an incident that can cause damage must be taken seriously and handled swiftly.
The terms "extra expense," "informant," "insured," and "interrelated wrongful acts" are straightforward. "Interruption" is defined separately for an "e-commerce incident" and an "extortion threat." For an "e-commerce incident," an "interruption" involves an unanticipated cessation or slowdown of activities, including suspension of activities in order to avoid transmitting the virus to another person or organization. The period of "interruption" ends at the earliest of ninety days after the start of the interruption, when activities are resumed, or when service is restored. With an "extortion threat" the cessation is voluntary, based on clear evidence of a credible threat or the recommendation of a security firm. For extortion, the period of interruption ends at the earliest of only fourteen days after the interruption begins, when the activities are resumed, or when service is restored. If fourteen days have passed and activities have not resumed and service has not been restored, the period of interruption is still considered to be over.
18. "Loss" means:
a. With respect to Insuring Agreements 1. Web Site Publishing Liability, 2. Security Breach Liability and 3. Programming Errors And Omissions Liability:
(1) Compensatory damages, settlement amounts and costs awarded pursuant to judgments or settlements;
(2) Punitive and exemplary damages to the extent such damages are insurable by law; or
(3) Under Paragraph b. of Insuring Agreement 2. Security Breach Liability, fines or penalties assessed against the "insured" to the extent such fines or penalties are insurable by law.
With regard to Paragraphs 18.a.(1) through 18.a.(3), "loss" does not include:
(a) Civil or criminal fines or penalties imposed by law, except civil fines or penalties as provided under Paragraph 18.a.(3);
(b) The multiplied portion of multiplied damages;
(c) Taxes;
(d) Royalties;
(e) The amount of any disgorged profits; or
(f) Matters that are uninsurable pursuant to law.
b. With respect to Insuring Agreement 4. Replacement Or Restoration Of Electronic Data:
The cost to replace or restore "electronic data" or "computer programs" as well as the cost of data entry, reprogramming and computer consultation services.
"Loss" does not include the cost to duplicate research that led to the development of your "electronic data" or "computer programs". To the extent that any "electronic data" cannot be replaced or restored, we will pay the cost to replace the media on which the "electronic data" was stored with blank media of substantially identical type.
c. With respect to Insuring Agreement 5. Extortion Threats: "Extortion expenses" and "ransom payments".
d. With respect to Insuring Agreement 6. Business Income And Extra Expense:
The actual loss of "business income" you sustain and/or "extra expense" you incur.
e. With respect to Insuring Agreement 7. Public Relations Expense: "Public relations expenses".
f. With respect to Insuring Agreement 8. Security Breach Expense: "Security breach expenses".
19. "Named insured" means the institution or institutions shown in the Declarations and any "subsidiary".
20. "Negative publicity" means information which has been made public that has caused, or is reasonably likely to cause, a decline or deterioration in the reputation of the "named insured" or of one or more of its products or services.
21. "Personal information" means any information not available to the general public for any reason through which an individual may be identified including, but not limited to, an individual's:
a. Social security number, driver's license number or state identification number;
b. Protected health information;
c. Financial account numbers;
d. Security codes, passwords, PINs associated with credit, debit or charge card numbers which would permit access to financial accounts; or
e. Any other nonpublic information as defined in "privacy regulations".
22. "Policy period" means the period of time from the inception date of this Policy shown in the Declarations to the expiration date shown in the Declarations, or its earlier cancellation or termination date.
23. "Pollutants" means any solid, liquid, gaseous or thermal irritant or contaminant, including smoke, vapor, soot, fumes, acids, alkalis, chemicals and waste. Waste includes materials to be recycled, reconditioned or reclaimed.
24. "Privacy regulations" means any of the following statutes and regulations, and their amendments, associated with the control and use of personally identifiable financial, health or other sensitive information including, but not limited to:
a. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191);
b. The Health Information Technology for Economic and Clinical Health Act (HITECH) (American Recovery and Reinvestment Act of 2009);
c. The Gramm-Leach-Bliley Act of 1999;
d. Section 5(a) of the Federal Trade Commission Act (15 U.S.C. 45(a)), but solely for alleged unfair or deceptive acts or practices in or affecting commerce;
e. The Identity Theft Red Flags Rules under the Fair and Accurate Credit Transactions Act of 2003; or
f. Any other similar state, federal or foreign identity theft or privacy protection statute or regulation.
25. "Public relations expenses" means:
a. Fees and costs of a public relations firm; and
b. Any other reasonable expenses incurred by you with our written consent;
to protect or restore your reputation solely in response to "negative publicity".
26. "Ransom payment" means a payment made in the form of cash.
27. "Ransomware" means any software that encrypts "electronic data" held within the "computer system" and demands a "ransom payment" in order to decrypt and restore such "electronic data".
Analysis
The definition of "loss," while straightforward, has different meanings for different insuring agreements. This is due to the difference in exposures. Loss under the web site publishing, security breach and programming errors and omissions insuring agreements includes compensatory, punitive and exemplary damages, while loss under the replacement or restoration of electronic data agreement covers the costs to replace or restore data or programs, and extortion threat loss includes extortion expenses and ransom payments.
The definition of "named insured" includes "subsidiary," which is an organization in which more than fifty percent of the voting rights are under the control of the "named insured." "Negative publicity" is as it sounds: information made public that would cause the public to look negatively upon the insured. The definition of "personal information" includes the standard social security number, license numbers, protected health information and other information such as passwords and PINs, but also leaves an opening for any other information that could be defined as nonpublic in "privacy regulations." As regulations may change over time, the definition of "personal information" could come to include information not shown in the current definition. "Public relations expenses," "ransom payment," and "ransomware" are self-explanatory.
"Policy period" and "pollutants" are the standard definitions, while "privacy regulations" lists various regulations surrounding use and control of financial, health or other sensitive information, although it is not limited to the regulations listed.
28. "Regulatory proceeding" means an investigation, demand or proceeding brought by, or on behalf of, the Federal Trade Commission, Federal Communications Commission or other administrative or regulatory agency, or any federal, state, local or foreign governmental entity in such entity's regulatory or official capacity.
29. "Security breach" means the acquisition of "personal information" held within the "computer system" or in nonelectronic format while in the care, custody or control of the "insured" or authorized "third party" by a person:
a. Who is not authorized to have access to such information; or
b. Who is authorized to have access to such information but whose access results in the unauthorized disclosure of such information.
30. "Security breach expenses" means:
a. Costs to establish whether a "security breach" has occurred or is occurring;
b. Costs to investigate the cause, scope and extent of a "security breach" and to identify any affected parties;
c. Costs to determine any action necessary to correct or remediate the conditions that led to or resulted from a "security breach";
d. Costs to notify all parties affected by a "security breach";
e. Overtime salaries paid to "employees" assigned to handle inquiries from the parties affected by a "security breach";
f. Fees and costs of a company hired by you for the purpose of operating a call center to handle inquiries from the parties affected by a "security breach";
g. Post-event credit monitoring costs for the parties affected by a "security breach" for up to one year from the date of notification to those affected parties of such "security breach"; and
h. Any other reasonable expenses incurred by you with our written consent.
"Security breach expenses" do not include any costs or expenses associated with upgrading, maintaining, improving, repairing or remediating any "computer system" as a result of a "security breach".
31. "Subsidiary" means any institution in which more than 50% of the outstanding securities or voting rights representing the present right to vote for the election of directors, trustees, managers (if a limited liability company) or persons serving in a similar capacity is owned, in any combination, by one or more "named insured(s)".
32. "Suit" means a civil proceeding in which damages to which this Policy applies are claimed against the "insured". "Suit" includes:
a. An arbitration proceeding in which such damages are claimed and to which the "insured" submits with our consent; or
b. Any other alternative dispute resolution proceeding in which such damages are claimed and to which the "insured" submits with our consent.
"Suit" does not include a civil proceeding seeking recognition and/or enforcement of a foreign money judgment.
33. "Third party" means any entity that you engage under the terms of a written contract to perform services for you.
34. "Virus" means any kind of malicious code designed to damage or destroy any part of the "computer system" (including "electronic data") or disrupt its normal functioning.
35. "Wrongful act" means:
a. With respect to Insuring Agreement 1. Web Site Publishing Liability:
Any actual or alleged error, misstatement or misleading statement posted or published by an "insured" on its web site that results in:
(1) Any type of infringement of another's copyright, title, slogan, trademark, trade name, trade dress, service mark or service name;
(2) Any form of defamation against a person or organization; or
(3) A violation of a person's right of privacy.
b. With respect to Insuring Agreement 2. Security Breach Liability:
Any actual or alleged neglect, breach of duty or omission by an "insured" that results in:
(1) A "security breach"; or
(2) A "computer system" transmitting, by e-mail or other means, a "virus" to another person or organization.
c. With respect to Insuring Agreement 3. Programming Errors And Omissions Liability:
Any actual or alleged programming error or omission that results in the disclosure of your client's "personal information" held within the "computer system".
Analysis
The remaining definitions are straightforward. Investigations by the Federal Trade Commission, Federal Communications Commission or any other regulatory agency, whether federal, state or local, are "regulatory proceedings". A "security breach" is the acquisition of information held within the insured's computer system (or in nonelectronic form) by a person who is not authorized to access it, or by an authorized person whose access results in the unauthorized disclosure of that information. Expenses for such a breach include costs to establish whether a breach occurred, to investigate its cause and scope, to determine necessary corrective actions, to notify all whose data may have been breached, overtime for employees handling inquiries, fees and costs of a call center set up to handle inquiries, post-breach credit monitoring for affected parties for up to one year, and other related expenses incurred with the insurer's written consent. Not included in breach expenses are costs to upgrade, maintain, repair or improve the computer system after the breach. These are standard maintenance items the insured should be doing anyway.
As mentioned earlier, the definition of "wrongful act" varies depending on the insuring agreement. The definitions are tailored to insuring agreements 1, 2 and 3, and the nature of the act matches the insuring agreement. For example, insuring agreement 1 is Web Site Publishing Liability; therefore the wrongful act is an error, misstatement or misleading statement published or posted by an insured on its web site that results in infringement of another's copyright, title, slogan, trademark, trade name, trade dress, service mark or service name, any form of defamation against a person or organization, or a violation of a person's right of privacy.