In July 2017, ISO announced in its circular LI-CY-2017-005 the filing of a cyber coverage form for small- to mid-sized commercial risks, along with several new endorsements. With this filing, the ISO E-Commerce Program is renamed the ISO Cyber Program to expand the types of coverages addressed in this program. The filing also includes enhancements to the ISO Information Security Protection (ISP) Cyber coverage forms and optional multi-state endorsements. The ISO Commercial Cyber Insurance Policy CY 00 01 01 18 is a stand-alone cyber option designed primarily for small- to mid-sized commercial risks (SMEs). A number of enhancements and endorsements that address the new policy are included in the filing, as well as revised multi-state applications and Declarations.

Topics Covered:

Insuring Agreements

The coverage form consists of six separate Insuring Agreements. Given the many types of cyber-related exposures, it is not unusual for a significant period of time (months or even years) to elapse between the time an incident occurs that might give rise to a loss and the time that an insured becomes aware of such incident. Therefore, each Insuring Agreement uses a discovery-based coverage trigger for the policy period shown in the Declarations, or during the period of time provided in the Extended Period to Discover Loss Condition. "Discover" or "discovered" is a defined term in the policy.

The policy also addresses discovery with respect to any cyber incident, extortion threat, security breach or claim that arises out of the same facts or circumstances and results in a loss that falls under one or more of the Insuring Agreements.

Certain terms that are specific to a particular Insuring Agreement are defined within that Insuring Agreement. If the terms relate to more than one Insuring Agreement, they are defined under Section VII – Definitions.

The policy form introduces a preamble stating that defense expenses under the Security Breach Liability Insuring Agreement are payable within, and not in addition to, the Limit of Insurance. Paid defense expenses will reduce the limit of insurance for this coverage.

Named Insured

Throughout this policy, the words "you" and "your" refer to the Named Insured shown in the Declarations, and any other person or organization qualifying as a Named Insured under this policy. The words "we", "us", and "our" refer to the company providing this insurance.

Analysis:

As with the CGL form, this definition has special significance when used within the body of the coverage form. For example, when an exclusion applies to "you", that means that only the named insured is affected by the exclusion. This is also true when an insuring agreement or a condition refers to "you" or "your"; only the named insured is the affected party, and not every person or organization that qualifies as an insured under the coverage form.

These words refer, of course, to the insurer, the insurance company. These terms and the ones discussed in the previous paragraph appear at the beginning of the coverage form as opposed to the remaining defined terms that appear in the Definitions section.

Section I – Insuring Agreements

Coverage under the following Insuring Agreements applies to "loss" (and "defense expenses" under Insuring Agreement 6. Security Breach Liability) resulting directly from a "cyber incident", "extortion threat", "security breach" or "claim" which is "discovered" during the policy period shown in the Declarations or during the period of time provided in the Extended Period To Discover Loss Condition 15.

Analysis:

The first insuring agreement applies to Security Breach Liability coverage provided under the policy. Security Breach Liability covers losses and defense expenses resulting directly from a cyber incident, extortion threat, security breach or claim. Coverage is on a discovery basis, meaning that coverage is triggered when an insured first discovers there has been an incident, threat, breach or claim to which the insurance applies. The discovery must be made either during the policy period shown in the Declarations, or during the Extended Period To Discover Loss provided under the Conditions section.

Example:

The XYZ Policy was effective 1/1/17 to 1/1/18. A disgruntled employee who was fired by the company on 3/1/16 breached the security systems of XYZ on 4/5/16; however, the breach was not discovered by XYZ until 6/1/17. This security breach would be covered under the 1/1/17 to 1/1/18 policy term because it was first discovered by the insured during that policy period.

Any "cyber incident", "extortion threat", "security breach" or "claim" that arises out of the same facts or circumstances and results in "loss" under one or more of the following Insuring Agreements will be deemed to be related and, as such, will be deemed to have been "discovered" during the earliest policy period that any such related "cyber incident", "extortion threat", "security breach" or "claim" was "discovered".

Analysis:

This is a comprehensive paragraph with a simple outcome – if the same facts or circumstances are the basis of a loss covered under any of the Insuring Agreements, then those facts or circumstances are related and will be considered discovered during the first policy period in which any cyber incident, extortion threat, security breach or claim arising from them was discovered. The earliest date on which the facts and circumstances are discovered determines the policy term that governs coverage.

Example:

XYZ has renewed their annual cyber policy three times with a current term of 1/1/2017 to 1/1/2018. Their systems were first hacked on 4/1/15 and it was discovered by XYZ on 6/9/2017 that not only had the hackers input a malicious code in 2015 that corrupted financial data, but they also obtained employee personal information and sold this information to third parties throughout 2016. Since all of these facts and circumstances were related to the 4/1/2015 hacking, and this hack was not discovered until 6/9/2017, then 6/9/2017 is the loss date and the policy determining coverage is the 1/1/2017 to 1/1/2018 policy term.

1. Security Breach Expense

We will pay for "loss" resulting directly from a "security breach" "discovered" during the policy period.

With respect to this Insuring Agreement:

a. "Loss" means "security breach expenses".

b. "Security breach expenses" means:

(1) Forensics

The costs to establish whether a "security breach" has occurred or is occurring.

If a "security breach" has occurred, the following costs are also included:

(a) Costs to investigate the cause, scope and extent of a "security breach" and to identify any affected parties; and

(b) Costs to determine any action necessary to remediate the conditions that led to or resulted from a "security breach" including, but not limited to, fees paid for legal and other professional advice on how to respond to the "security breach";

(2) Notification

Costs to notify all parties affected by a "security breach" including, but not limited to, notice to be transmitted through media required by "privacy regulations";

(3) Overtime Salaries

Overtime salaries paid to "employees" assigned to handle inquiries from the parties affected by a "security breach";

(4) Call Center

Fees and costs of a company hired by you for the purpose of operating a call center to handle inquiries from the parties affected by a "security breach";

(5) Post-event Monitoring

Costs to provide credit and identity monitoring services to the affected parties of a "security breach" for up to one year, or longer if required by applicable law, from the date of notification to those affected parties of such "security breach"; and

(6) Other Expenses

Any other reasonable expenses incurred by you with our written consent.

"Security breach expenses" do not include any costs or expenses associated with upgrading, maintaining, repairing, remediating or improving a "computer system" as a result of a "security breach".

Analysis:

The policy will pay for loss that is a direct result of a security breach discovered during the policy period. A loss can include any of the following security breach expenses: forensics, notifications, overtime salaries, call center fees and costs, post-event monitoring and other reasonable expenses authorized by the company. These costs are associated with investigation and determination of whether a breach has occurred, including investigating the cause, scope, and extent of the security breach and identifying affected parties. Other costs to remediate the conditions that led to the security breach are also covered, including legal and professional fees paid to respond to the security breach.

  • Costs to notify all affected parties of the security breach are covered, including transmitting to the media if required by privacy regulations as defined by the policy.
  • Overtime salaries of employees handling inquiries from affected parties are covered as well.
  • If the insured hires a company to operate a call center to handle inquiries from parties affected by the security breach, those fees and costs are covered.
  • After the security breach, beginning with the date of notification to affected parties and for a period of up to one year (or longer if required by law), costs to provide identity and credit monitoring services to those affected by the breach are covered.
  • Other reasonable expenses may be covered, if the insured obtains written consent from the insurer prior to incurring such expenses.

Because a purpose of insurance is to restore an insured to his or her pre-loss condition, there is no coverage for costs or expenses to upgrade, remediate or improve a computer system, or to maintain or repair such computer system, even as a result of the security breach.

2. Extortion Threats

We will pay for "loss" resulting directly from an "extortion threat" "discovered" during the policy period.

With respect to this Insuring Agreement:

a. "Loss" means "extortion expenses".

b. "Extortion expenses" means:

(1) Fees and costs of:

(a) A security firm; or

(b) A person or organization;

hired with our consent to determine the validity and severity of an "extortion threat" made against you;

(2) Interest costs paid by you for any loan from a financial institution taken by you to pay a ransom demand;

(3) Reward payments paid by you to an "informant" which lead to the arrest and conviction of parties responsible for "loss";

(4) Any other reasonable expenses incurred by you with our written consent, including:

(a) Fees and costs of independent negotiators; and

(b) Fees and costs of a company hired by you, upon the recommendation of the security firm, to determine how to protect your "electronic data" from further threats; and

(5) Ransom payments made in the form of cash, or virtual currency such as, but not limited to, Bitcoin.

c. "Informant" means a person, other than an "employee", providing information not otherwise obtainable, solely in return for a reward offered by you.

Analysis:

The second Insuring Agreement provides coverage for Extortion Threat expenses. These defined expenses include fees and costs of a security firm, or a person or organization hired to determine the validity and severity of an extortion threat made against the insured, but only if the insurer consents to hiring the security firm, person or organization. If an insured takes out a loan from a financial institution to pay a ransom demand, coverage will include reimbursement of the interest costs paid by the insured for that loan.

In addition, coverage for loss will include reimbursement of reward payments to an informant, if information from the informant leads to the arrest and conviction of parties responsible for the loss. An informant as defined by the policy means anyone other than an employee who provides information that is not otherwise obtainable, solely in return for a reward offered by the insured.

Other reasonable expenses that the insurer consents to in writing may be covered, such as fees and costs of independent negotiators, and fees and costs of a company hired by the insured to determine how to protect the insured's electronic data from further threats, but only if such hiring was at the recommendation of the security firm.

Ransom payments are covered if made in cash, or virtual currency such as bitcoin.

3. Replacement Or Restoration Of Electronic Data

We will pay for "loss" of your "electronic data" or "computer programs" stored within a "computer system" resulting directly from a "cyber incident" "discovered" during the policy period.

With respect to this Insuring Agreement:

a. "Loss" means the cost to replace or restore your "electronic data" or "computer programs" as well as the cost of data entry, reprogramming and computer consultation services.

"Loss" does not include the cost to duplicate research that led to the development of your "electronic data" or "computer programs". To the extent that any of your "electronic data" cannot be replaced or restored, we will pay the cost to replace the media on which such "electronic data" was stored with blank media of substantially identical type.

b. "Computer program" means a set of related electronic instructions, which direct the operation and function of a computer or devices connected to it, which enables the computer or devices to receive, process, store or send your "electronic data".

Analysis:

The third Insuring Agreement for Replacement Or Restoration Of Electronic Data includes coverage for loss of electronic data or computer programs if such loss is a direct result of a cyber incident discovered during the policy period. The electronic data or computer programs must have been stored on a computer system, defined as any type of computer. Computer includes any personal data assistants (PDAs) and other transportable or handheld devices, electronic storage devices and related peripheral components; any systems and applications software, or any related telecommunications networks connected to or used in connection with such computer or devices. The computer or devices must be owned by an insured, leased by an insured and operated by an insured employee, or owned and operated by an employee who has agreed in writing to the insured's personal device use policy; or is operated by an authorized third party (with respect to the insured's electronic data), if such third party is under written contract to perform services for the insured.

Example:

An employee of XYZ was using his PDA to update a program spreadsheet that contained company financial records. Once updated, the employee transferred data from the financial records via email to the company's third party accounts payable service contractor. During the current policy term, it was discovered that the employee's PDA had been hacked and as a result, a number of the financial records of the company were compromised. A third party computer consultant was hired to research the algorithms used by the hacker to obtain the data, and to reprogram the computer to prevent further loss of financial records. The current policy will cover the expenses of the computer consultant for their activities; however, it will not cover any costs incurred by XYZ to research and recreate the data that was in the original financial records.

4. Business Income And Extra Expense

We will pay for "loss" due to an "interruption" resulting directly from a "cyber incident" or an "extortion threat" "discovered" during the policy period.

With respect to this Insuring Agreement:

a. "Loss" means the actual loss of "business income" you sustain and/or "extra expense" you incur.

b. "Business income" means the:

(1) Net income (net profit or loss before income taxes) that would have been earned or incurred; and

(2) Continuing normal operating expenses incurred, including payroll.

c. "Extra expense" means necessary expenses you incur:

(1) During an "interruption" that you would not have incurred if there had been no "interruption"; or

(2) To avoid or minimize the suspension of your "e-commerce activities".

"Extra expense" does not include:

(1) Any costs or expenses associated with upgrading, maintaining, repairing, remediating or improving a "computer system" as a result of a "cyber incident" or "extortion threat"; or

(2) "Extortion expenses" covered under Insuring Agreement 2. Extortion Threats.

Analysis:

The fourth Insuring Agreement addresses Business Income and Extra Expense coverage for loss due to an interruption that results directly from a cyber incident or an extortion threat discovered during the policy period. Business Income and Extra Expense are the standard coverages. An "interruption" is defined as an unexpected stoppage or slowdown of e-commerce activities or a suspension of such activities in order to mitigate the transmission of a virus to another party. Not included as extra expense are costs associated with upgrading, maintaining, remediating or improving the system that was involved in the attack.

5. Public Relations Expense

We will pay for "loss" due to "negative publicity" resulting directly from a "cyber incident" or a "security breach" "discovered" during the policy period.

With respect to this Insuring Agreement:

a. "Loss" means "public relations expenses".

b. "Public relations expenses" means:

(1) Fees and costs of a public relations firm; and

(2) Any other reasonable expenses incurred by you with our written consent;

to protect or restore your reputation solely in response to "negative publicity".

c. "Negative publicity" means information which has been made public that has caused, or is reasonably likely to cause, a decline or deterioration in the reputation of the "named insured" or of one or more of its products or services.

Analysis:

The fifth Insuring Agreement provides Public Relations Expense coverage. If a cyber incident or security breach discovered during the policy period results in negative publicity, loss includes coverage for public relations expenses. Public relations expenses are defined as fees and costs of a public relations firm; and other reasonable expenses of the insured that the insurer consents to. These expenses are to protect or restore the insured's reputation solely in response to the negative publicity. Negative publicity is defined as information that has been made public and caused, or is reasonably likely to cause, a decline or deterioration in the reputation of the named insured (as shown in the Declarations and including any subsidiary), or of one or more of its products or services. Negative publicity can be extremely costly – there have been several cyber breaches that generated a significant amount of publicity for the organizations involved. When personal data of thousands of people are exposed, the costs to negate negative publicity can be high.

Example:

Because the loss of financial data at XYZ Company led to negative publicity in the newspapers, the company lost a number of customers. To respond to the negative publicity, XYZ hired a public relations firm and sent out letters to each of its customers advising of the steps it was taking to prevent further breach of data, and offering affected customers three months of identity theft protection. Hiring the public relations firm and the costs associated with sending out the customer letters will be covered public relations expenses.

6. Security Breach Liability

a. We will pay for:

(1) "Loss" that the "insured" becomes legally obligated to pay and "defense expenses" as a result of a "claim" "discovered" during the policy period for a "wrongful act" or a series of "interrelated wrongful acts" taking place before the end of the policy period.

(2) "Loss" and "defense expenses" as a result of a "claim" in the form of a "regulatory proceeding" "discovered" during the policy period in response to a "wrongful act" or a series of "interrelated wrongful acts" taking place before the end of the policy period.

Analysis:

The sixth Insuring Agreement addresses several coverage aspects of Security Breach Liability. Covered loss under the policy includes the insured's legal obligation to pay loss and defense expenses as a result of a claim for a wrongful act, or a series of interrelated wrongful acts, that take place before the end of the policy period. A "wrongful act" is an actual or alleged neglect, breach of duty or omission that results in a security breach or in a computer system transmitting a virus to another party.

In addition, covered loss includes loss and defense expenses for regulatory proceedings that result from a claim discovered during the policy period, if such loss and defense expenses are in response to a wrongful act or a series of interrelated wrongful acts that take place before the end of the policy period. Examples of a regulatory proceeding or an arbitration are a proceeding before a board, commission or tribunal.

Note that the agreement applies only to those sums the insured becomes legally obligated to pay, and not to all sums; this is a clarifying point that the policy does have limits on its payout amount. In addition, the coverage applies to wrongful acts, which is a defined term.

The coverage and the duty to defend end when the insurer has used up the applicable limit of insurance for defense expenses, or the payment of judgments or settlements. Therefore, the duty to defend ends once the defense expenses (a defined term) have reached the Limit of Insurance shown in the Declarations for Security Breach Liability. Defense expenses are not considered separate supplementary payments like those found in a general liability policy.

b. With respect to this Insuring Agreement:

(1) "Loss" means:

(a) Compensatory damages, settlement amounts and costs awarded pursuant to judgments or settlements;

(b) Punitive and exemplary damages to the extent such damages are insurable by law;

(c) Under Paragraph 6.a.(2), fines or penalties assessed against the "insured" to the extent such fines or penalties are insurable by law.

"Loss" does not include:

(i) Civil or criminal fines or penalties imposed by law, except civil fines or penalties as provided under Paragraph (c);

(ii) The multiplied portion of multiplied damages;

(iii) Taxes;

(iv) Royalties;

(v) The amount of any disgorged profits; or

(vi) Matters that are uninsurable pursuant to law.

(2) "Defense expenses" means the reasonable and necessary fees (attorneys' and experts' fees) and expenses incurred in the defense or appeal of a "claim", including the cost of appeal, attachment or similar bonds (without any obligation on our part to obtain such bonds) but excluding wages, salaries, benefits or expenses of your "employees".

(3) "Wrongful act" means:

Any actual or alleged neglect, breach of duty or omission by an "insured" that results in:

(a) A "security breach"; or

(b) A "computer system" transmitting, by e-mail or other means, a "virus" to another person or organization.

(4) "Interrelated wrongful acts" means all "wrongful acts" that have as a common nexus any:

(a) Fact, circumstance, situation, event, transaction or cause; or

(b) Series of causally connected facts, circumstances, situations, events, transactions or causes.

(5) "Regulatory proceeding" means an investigation, demand or proceeding brought by, or on behalf of, the Federal Trade Commission, Federal Communications Commission or other administrative or regulatory agency, or any federal, state, local or foreign governmental entity in such entity's regulatory or official capacity.

Analysis:

Insuring Agreement 6 has particular defined terms used in this section. Loss includes compensatory (money) damages, settlement amounts, and costs awarded pursuant to judgments or settlements. Punitive and exemplary damages will be covered, but only if they are insurable by law. With respect to security breach liability, fines or penalties assessed against the insured in a regulatory proceeding will be paid, but only if they are insurable by law. A number of things are excluded: taxes, royalties, civil or criminal fines not allowed by law, the multiplied portion of multiplied damages, disgorged profits, and matters uninsurable according to law.

Defense expenses include reasonable and necessary attorneys' fees and experts' fees, and expenses in defending or appealing a claim, including the cost of an appeal. Defense expenses also include the costs of attachments or similar bonds (but the insurer is not obligated to obtain such bonds), but wages, salaries, benefits or expenses of the insured's employees are not covered defense expenses.

Wrongful act and interrelated wrongful acts are defined terms. Interrelated wrongful acts are all those that share a common fact, circumstance or cause, or are otherwise causally connected. Regulatory proceedings are investigations, demands or proceedings brought by the Federal Trade Commission, Federal Communications Commission or other administrative or regulatory agency, or by a governmental entity acting in its regulatory or official capacity.

Section II – Limits of Insurance

1. Policy Aggregate Limit Of Insurance

The most we will pay for all "loss", and "defense expenses" if covered, under this Policy is the Policy Aggregate Limit Of Insurance shown in the Declarations. The Policy Aggregate Limit of Insurance shall be reduced by the amount of any payment made under the terms of this Policy. Upon exhaustion of the Policy Aggregate Limit of Insurance by such payments, we will have no further obligations or liability of any kind under this Policy.

Analysis:

The total amount the policy will pay for all covered loss and defense expenses is the Policy Aggregate Limit of Insurance shown in the Declarations. Payment of loss and defense expenses reduces the Policy Aggregate Limit of Insurance, and once this limit is exhausted, the insurer has no further obligations under the policy.

2. Aggregate Sublimit(s) Of Insurance

Subject to the Policy Aggregate Limit of Insurance, the most we will pay for all "loss" covered under:

a. Paragraph b.(5) of Insuring Agreement 2. Extortion Threats is the Ransom Payments Aggregate Sublimit Of Insurance, if any, shown in the Declarations;

b. Insuring Agreement 4. Business Income And Extra Expense is the Business Income And Extra Expense Aggregate Sublimit Of Insurance, if any, shown in the Declarations; and

c. Insuring Agreement 5. Public Relations Expense is the Public Relations Expense Aggregate Sublimit Of Insurance, if any, shown in the Declarations.

The Aggregate Sublimit(s) of Insurance in Paragraphs 2.a., 2.b. and 2.c. are part of, not in addition to, the Policy Aggregate Limit of Insurance. Any such Aggregate Sublimit(s) of Insurance shall be reduced by the amount of any payment for "loss" under the Insuring Agreement to which such Aggregate Sublimit of Insurance applies. Upon exhaustion of any Aggregate Sublimit of Insurance by such payments, we will have no further obligations or liability of any kind with respect to "loss" subject to such Sublimit of Insurance.

Analysis:

The Policy Aggregate Limit of Insurance is the maximum limit that applies under the policy for all coverage items described under the Insuring Agreements. However, the following coverage items in the Insuring Agreements are subject to separate aggregate sublimits shown in the Declarations: Ransom Payments, Business Income and Extra Expense, and Public Relations Expense. These sublimits are the most the carrier will pay for all loss under these respective coverage items, even if the Policy Aggregate Limit of Insurance has not been exhausted. If the policy aggregate is $10 million and the ransom payments sublimit is $800,000, once that $800,000 is paid there is no further coverage for ransom payments even though the $10 million has not been reached. If a ransom is $1,000,000, the insured will have to supply the remaining $200,000 since the sublimit is only $800,000.

Section III – Deductible

Subject to Section II – Limits Of Insurance:

1. Under Insuring Agreements 1. Security Breach Expense, 2. Extortion Threats, 3. Replacement Or Restoration Of Electronic Data and 5. Public Relations Expense:

We will pay only the amount of "loss" which is in excess of the Policy Deductible Amount shown in the Declarations.

2. Under Insuring Agreement 4. Business Income And Extra Expense:

We will pay only the amount of "loss" which exceeds the greater of the following deductible amounts:

a. The Policy Deductible Amount shown in the Declarations; or

b. The amount of "loss" incurred during the Time Deductible shown in the Declarations.

3. Under Insuring Agreement 6. Security Breach Liability:

We will pay only the amount of "loss" and "defense expenses" which is in excess of the Policy Deductible Amount shown in the Declarations resulting from the same "wrongful act" or "interrelated wrongful acts". Such Policy Deductible Amount will be borne by you, self-insured, and at your own risk.

4. In the event a "loss" is covered under more than one Insuring Agreement, only the highest deductible amount applicable to the "loss" shall be applied.

Analysis:

The deductible amount shown in the Declarations applies to each "loss", and the amount the insurer will pay for each "loss" is reduced by the deductible. If a loss includes more than one coverage item under the Insuring Agreements, such as forensics and notification costs associated with the same security breach, then only the highest deductible amount among those coverage items will apply to the loss.

Example:

The policy for XYZ Company has a $1,000 deductible for all coverages under the Cyber Insurance Policy except for 3. Replacement Or Restoration Of Electronic Data, which has a $500 deductible. If a loss includes both 1. Security Breach Expense and 3. Replacement Or Restoration Of Electronic Data, the applicable deductible for the loss will be the highest deductible amount of $1,000.

Section IV – Defense And Settlement

The provisions contained within this section apply only to Insuring Agreement 6. Security Breach Liability:

1. We shall have the right and duty to select counsel and defend the "insured" against any "claim" covered under Insuring Agreement 6.a.(1) Security Breach Liability, even if the allegations of such "claim" are groundless, false or fraudulent. However, we shall have the right but not the duty to defend the "insured" against a "claim" covered under Insuring Agreement 6.a.(2) Security Breach Liability, and we shall have no duty to defend the "insured" against any "claim" which is not covered under this Insuring Agreement.

2. We may, upon the written consent of the "insured", make any settlement of a "claim" which we deem reasonable. If the "insured" withholds consent to such settlement, our liability for all "loss" resulting from such "claim" will not exceed the amount for which we could have settled such "claim", plus "defense expenses" incurred, as of the date we proposed such settlement in writing to the "insured". Upon refusing to consent to a settlement we deem reasonable, the "insured" shall, at its sole expense, assume all further responsibility for its defense, including all additional costs associated with the investigation, defense and/or settlement of such "claim".

Analysis:

This section describes the insurer's right and duty to select counsel and defend the insured against any claim covered under the Security Breach Liability Insuring Agreement. However, the insurer has the right, but no duty, to defend the insured in a regulatory proceeding.

If the insured rejects, or does not consent to, a settlement offer made by the insurer, the insurer will not be liable for any amount greater than the amount for which it could have settled the claim, plus defense expenses incurred, as of the date it proposed the settlement in writing to the insured. Once the insured refuses the settlement offer, the insurer is not obligated for any further costs or expenses of investigating, defending or settling that claim.

Example:

The insurer for the XYZ policy will provide defense for a covered claim for Security Breach Liability in a court proceeding. The insurer offers to settle the claim for $5 million, including the defense costs. The insured refuses the settlement offer. The insured continues the defense of the case and ends up settling for $6.5 million. The insurer will only pay $5 million; the insured must cover the additional $1.5 million it spent.

With respect to an arbitration or other regulatory proceeding, or a claim that is not covered by the policy, the insurer has the option to provide a defense for the insured; however, it is not required to provide a defense for such a claim.

Section V – Exclusions

We will not be liable for "loss" or "defense expenses" based upon, attributable to or arising out of:

1. Lightning, earthquake, hail, volcanic action or any other act of nature. However, this exclusion shall not apply to "loss" under Insuring Agreement 1. Security Breach Expense, 5. Public Relations Expense or 6. Security Breach Liability.

2. Any of the following:

a. War, including undeclared or civil war or civil unrest;

b. Warlike action by military force, including action hindering or defending against an actual or expected attack, by any government, sovereign or other authority using military personnel or other agents; or

c. Insurrection, rebellion, revolution, usurped power or action taken by government authority in hindering or defending against any of these.

3. The dispersal or application of pathogenic or poisonous biological or chemical materials, nuclear reaction, nuclear radiation or radioactive contamination, or any related act or incident, however caused.

4. Bodily injury or physical damage to or destruction of tangible property, including loss of use thereof. Bodily injury means bodily injury, sickness or disease sustained by a person, including death resulting from any of these at any time. It also means mental injury, mental anguish, mental tension, emotional distress, pain or suffering or shock sustained by any person.

5. Any unexplained or indeterminable:

a. Failure, malfunction or slowdown of a "computer system"; or

b. Inability to access or manipulate "electronic data".

6. Any disruption in normal computer function or network service or function due to insufficient capacity to process transactions or due to an overload of activity on a "computer system" or network. However, this exclusion shall not apply if such disruption is caused by a "cyber incident".

7. Any disruption of:

a. Internet service; or

b. Any external telecommunication network;

regardless of the cause. However, this exclusion shall not apply if such disruption is caused by a denial of service attack under Paragraph b. of Definition 4. "Cyber incident".

8. Any failure of, reduction in or surge of power, regardless of the cause.

9. Any actual or alleged violation of the Racketeer Influenced and Corrupt Organizations Act (RICO) and its amendments, or similar provisions of any federal, state or local statutory or common law.

10. Any malfunction or failure of any satellite.

11. Any oral or written publication of material, if done by an "insured" or at an "insured's" direction with knowledge of its falsity.

12. An "insured's" assumption of liability by contract or agreement, whether oral or written. However, this exclusion shall not apply to any liability that an "insured" would have incurred in the absence of such contract or agreement.

13. Any actual or alleged patent or trade secret violation, including any actual or alleged violation of the Patent Act, the Economic Espionage Act of 1996 or the Uniform Trade Secrets Act and their amendments.

14. Any of the following:

a. The actual, alleged or threatened discharge, dispersal, seepage, migration, release or escape of "pollutants" at any time;

b. Any request, demand, order or statutory or regulatory requirement that any "insured" or others test for, monitor, clean up, remove, contain, treat, detoxify or neutralize, or in any way respond to, or assess the effects of, "pollutants"; or

c. Any "claim" or "suit" brought by, or on behalf of, any governmental authority for damages because of testing for, monitoring, cleaning up, removing, containing, treating, detoxifying or neutralizing, or in any way responding to, or assessing the effects of, "pollutants".

15. Any "claim", "suit" or other proceeding against an "insured" which was pending or existed prior to the policy period, or arising out of the same or substantially the same facts, circumstances or allegations which are the subject of, or the basis for, such "claim", "suit" or other proceeding.

16. Any actions or activities related to an "insured's" practices as an employer including, but not limited to, refusal to employ, termination of employment, coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, discrimination or malicious prosecution.

This exclusion applies:

a. Whether the injury-causing event described above occurs before employment, during employment or after employment of that person;

b. Whether the insured may be liable as an employer or in any other capacity; and

c. To any obligation to share damages with or repay someone else who must pay damages because of the injury.

17. Any "cyber incident", "extortion threat", "security breach", "wrongful act" or "interrelated wrongful acts" that any "insured" became aware of prior to the effective date of the Policy.

18. The same facts, "cyber incident", "extortion threat", "security breach", "wrongful act" or "interrelated wrongful acts" alleged or contained in any "claim" which has been reported, or in any circumstances of which notice has been given, under any insurance policy of which this Policy is a renewal or replacement.

19. Any criminal, dishonest, malicious or fraudulent act or any willful violation of any statute or regulation committed by an "insured", acting alone or in collusion with others. However, with the exception of "claims" excluded under Exclusion 13., this exclusion shall not apply to dishonest, malicious or fraudulent acts committed by an "employee" which give rise to a "claim" or "loss" covered under Insuring Agreements 1. Security Breach Expense and 6. Security Breach Liability.

With the exception of "claims" excluded under Exclusion 13., we will defend the "insured" against any "claim" alleging such acts or violations until final adjudication is rendered against that "insured". Final adjudication rendered against one "insured" shall not be imputed to any other "insured".

We will not provide indemnification for any "claim" to which any "insured" enters a guilty plea or pleads no contest and we will not provide a defense from the time we become aware that any "insured" intends to so plead.

20. Any action or proceeding brought by, or on behalf of, any governmental authority or regulatory agency including, but not limited to:

a. The seizure or destruction of property by order of a governmental authority; or

b. Regulatory actions or proceedings brought by, or on behalf of, the Federal Trade Commission, Federal Communications Commission or other regulatory agency, except when covered under Paragraph a.(2) of Insuring Agreement 6. Security Breach Liability.

However, this exclusion shall not apply to actions or proceedings brought by a governmental authority or a regulatory agency acting solely in its capacity as a customer of the "named insured" or of a "subsidiary".

21. Any costs or expenses associated with upgrading, maintaining, repairing, remediating or improving a "computer system" regardless of the reason.

22. Any "claim" brought or alleged by one "insured" against another, except for a "claim" brought or alleged by an "employee" against an "insured" as a result of a "security breach".

23. Fines, penalties or assessments imposed pursuant to contract or agreement, whether oral or written, including, but not limited to, Payment Card Industry (PCI) fines, penalties or assessments.

Analysis:

Section V contains the exclusions applicable to the new coverage form. An insurer is not liable for loss or defense expenses based upon, attributable to, or arising out of acts of nature. However, there is an exception to this exclusion with respect to Insuring Agreement 1. Security Breach Expense, 5. Public Relations Expense or 6. Security Breach Liability. The standard exclusions for war, warlike acts, insurrection, and pollution are also present. Bodily injury and property damage are excluded because they are covered under the CGL and this policy is designed for cyber coverage.

Most of the exclusions are self-explanatory. Exclusion 15. excludes prior or pending claims or suits. The policy will not apply to any claim or lawsuit that was pending on, or existed prior to, the policy effective date shown in the Declarations; or any claims or lawsuits based on the same or similar facts, circumstances or allegations of a prior or pending claim.

Exclusion 16. excludes all claims arising out of any employment-related practices of any type. This includes any actions or activities related to an insured's practices as an employer including, but not limited to, refusal to employ, termination of employment, coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, discrimination or malicious prosecution. Exclusions 17. and 18. exclude any claims, acts, or incidents that the insured was aware of, or had knowledge of, prior to the effective date of this policy, as well as any that had been reported, or for which notice had been given, under a prior policy of which this policy is a renewal or replacement. Exclusion 19. excludes loss due to criminal, dishonest, fraudulent or unlawful acts, but provides an exception for those acts committed by an employee which fall under Security Breach Liability and Security Breach Expense. For claims that are otherwise covered under Security Breach Liability, the policy will provide a defense for the insured against claims alleging such acts or violations until final judgment has been rendered. Further, judgment against one insured will not be imputed to any other insured. If an insured pleads guilty, or no contest, the insurer will no longer provide a defense from the time the insurer becomes aware that the insured intends to so plead.

Exclusion 20. excludes claims and defense for governmental acts and seizures, except for those acts or proceedings that are brought by a government or regulatory agency while acting solely as a customer of the named insured or of a subsidiary as defined by the policy.

Exclusion 21. excludes any costs or expenses for maintaining, repairing, remediating, improving or upgrading a computer system, regardless of the reason.

Exclusion 22. is commonly known as the fellow employee exclusion. It excludes any claim brought by one insured against another insured. However, there is an exception for claims brought or alleged by an employee against another insured as a result of a security breach, as defined by the policy.

Exclusion 23. excludes any and all fines, penalties or assessments imposed by any contract or agreement, oral or written, including Payment Card Industry (PCI) fines, penalties or assessments.

Section VI – Conditions

1. Cancellation

a. The first "named insured" shown in the Declarations may cancel this Policy by mailing or delivering to us advance written notice of cancellation.

b. We may cancel this Policy by mailing or delivering to the first "named insured" written notice of cancellation at least:

(1) 10 days before the effective date of cancellation if we cancel for nonpayment of premium; or

(2) 30 days before the effective date of cancellation if we cancel for any other reason.

We will mail or deliver our notice to the first "named insured's" last mailing address known to us.

Notice of cancellation will state the effective date of cancellation. The policy period will end on that date.

If this Policy is canceled, we will send the first "named insured" any premium refund due. If we cancel, the refund will be prorated. If the first "named insured" cancels, the refund may be less than pro rata. The cancellation will be effective even if we have not made or offered a refund.

If notice is mailed, proof of mailing will be sufficient proof of notice.

2. Changes

This Policy contains all the agreements between you and us concerning the insurance afforded. The first "named insured" shown in the Declarations is authorized to make changes in the terms of this Policy with our consent. This Policy's terms can be amended or waived only by endorsement issued by us and made a part of this Policy.

3. Examination Of Your Books And Records

We may examine and audit your books and records as they relate to this Policy at any time during the policy period shown in the Declarations and up to three years afterward.

4. Inspections And Surveys

a. We have the right to:

(1) Make inspections and surveys at any time;

(2) Give you reports on the conditions we find; and

(3) Recommend changes.

b. We are not obligated to make any inspections, surveys, reports or recommendations, and any such actions we do undertake relate only to insurability and the premiums to be charged. We do not make safety inspections. We do not undertake to perform the duty of any person or organization to provide for the health or safety of workers or the public. And we do not warrant that conditions:

(1) Are safe or healthful; or

(2) Comply with laws, regulations, codes or standards.

c. Paragraphs 4.a. and 4.b. of this condition apply not only to us, but also to any rating, advisory, rate service or similar organization which makes insurance inspections, surveys, reports or recommendations.

5. Premiums

The first "named insured" shown in the Declarations:

a. Is responsible for the payment of all premiums; and

b. Will be the payee for any return premiums we pay.

6. Transfer Of Your Rights And Duties Under This Policy

Your rights and duties under this Policy may not be transferred without our written consent, except in the case of death of an individual "named insured".

If you are a sole proprietor and you die, your rights and duties will be transferred to your legal representative but only while acting within the scope of duties as your legal representative. Until your legal representative is appointed, anyone having proper temporary custody of your property will have your rights and duties but only with respect to that property.

7. Subrogation

With respect to any payment made under this Policy, we shall be subrogated to the "insured's" rights of recovery to the extent of such payment. The "insured" shall execute all papers required and shall do everything necessary to secure and preserve such rights, including the execution of such documents necessary to enable us to bring suit in the "insured's" name. Any recoveries, less the cost of obtaining them, will be distributed as follows:

a. To you, until you are reimbursed for any "loss" you sustain that exceeds the sum of the Policy Limit of Insurance and the Deductible Amount, if any;

b. Then to us, until we are reimbursed for the payment made under this Policy; and

c. Then to you, until you are reimbursed for that part of the payment equal to the Deductible Amount, if any.

8. Bankruptcy

Your bankruptcy, or the bankruptcy of your estate if you are a sole proprietor, will not relieve us of our obligations under this Policy.

9. Representations

You represent that all information and statements contained in the "application" are true, accurate and complete. All such information and statements are the basis for our issuing this Policy and shall be considered as incorporated into and shall constitute a part of this Policy. Misrepresentation of any material fact may be grounds for the rescission of this Policy.

10. Changes In Exposure

a. Acquisition Or Creation Of Another Organization

If before or during the policy period:

(1) You acquire securities or voting rights in another organization or create another organization which, as a result of such acquisition or creation, becomes a "subsidiary"; or

(2) You acquire any organization through merger or consolidation;

then such organization will be covered under this Policy but only with respect to "wrongful acts" or "loss" which occurred after the effective date of such acquisition or creation provided, with regard to Paragraphs 10.a.(1) and 10.a.(2), you:

(a) Give us written notice of the acquisition or creation of such organization within 90 days after the effective date of such action;

(b) Obtain our written consent to extend the coverage provided by this Policy to such organization; and

(c) Upon obtaining our consent, pay us an additional premium.

b. Acquisition Of Named Insured

If during the policy period:

(1) The "named insured" merges into or consolidates with another organization, such that the "named insured" is not the surviving organization; or

(2) Another organization, or person or group of organizations and/or persons acting in concert, acquires securities or voting rights which result in ownership or voting control by the other organization(s) or person(s) of more than 50% of the outstanding securities or voting rights representing the present right to vote for the election of directors, trustees or managers (if a limited liability company) of the "named insured";

then the coverage afforded under this Policy will continue until the end of the policy period, but only with respect to "claims" arising out of "wrongful acts" or "loss" which occurred prior to the effective date of such merger, consolidation or acquisition.

The full annual premium for the policy period will be deemed to be fully earned immediately upon the occurrence of such merger, consolidation or acquisition of the "named insured".

The "named insured" must give written notice of such merger, consolidation or acquisition to us as soon as practicable, together with such information as we may reasonably require.

c. Cessation Of Subsidiaries

If, before or during the policy period, an organization ceases to be a "subsidiary", the coverage afforded under this Policy with respect to such "subsidiary" will continue until the end of the policy period but only with respect to "claims" arising out of "wrongful acts" or "loss" which occurred prior to the date such organization ceased to be a "subsidiary".

11. Other Insurance

a. If any covered "claim" or "loss" is insured by any other valid policy, then this Policy shall apply only in excess of the amount of any deductible, retention and limit of insurance under such other policy, whether such other policy is stated to be primary, contributory, excess, contingent or otherwise, unless such other policy is written specifically excess of this Policy by reference in such other policy to this Policy's policy number.

b. When this Policy is excess, we shall have no duty under Insuring Agreement 6. Security Breach Liability to defend the "insured" against any "suit" if any other insurer has a duty to defend the "insured" against that "suit". If no other insurer defends, we will undertake to do so, but we will be entitled to the "insured's" rights against all those other insurers.

12. Legal Action Against Us

a. No person or organization has a right:

(1) To join us as a party or otherwise bring us into a "suit" asking for damages from an "insured"; or

(2) To sue us under this Policy unless all of its terms have been fully complied with.

b. A person or organization may sue us to recover on an agreed settlement or on a final judgment against an "insured", but we will not be liable for damages that are not payable under Insuring Agreement 6. Security Breach Liability, or that are in excess of the Policy Aggregate Limit of Insurance. An agreed settlement means a settlement and release of liability signed by us, the first "named insured" and the claimant or the claimant's legal representative.

c. You may not bring any legal action against us involving "loss":

(1) Unless you have complied with all the terms of this Policy;

(2) Until 90 days after you have filed proof of loss with us; and

(3) Unless brought within two years from the date you reported the "loss" to us.

If any limitation in this condition is prohibited by law, such limitation is amended so as to equal the minimum period of limitation provided by such law.

13. Separation Of Insureds

Except with respect to the Policy Aggregate Limit of Insurance, and any rights or duties specifically assigned in Insuring Agreement 6. Security Breach Liability to the first "named insured", this Policy applies separately to each "insured" against whom "claim" is made.

14. Duties In The Event Of Claim Or Loss

After a situation that results in, or may result in, a "loss" covered under this Policy is "discovered", you must notify us in writing as soon as practicable, but not to exceed 30 days from the date "discovered", and cooperate with us in the investigation and settlement of the "claim" or "loss". Additionally:

a. Under Insuring Agreements 2. Extortion Threats and 3. Replacement Or Restoration Of Electronic Data, you must:

(1) Notify local law enforcement officials;

(2) Submit to examination under oath at our request and give us a signed statement of your answers; and

(3) Give us a detailed, sworn proof of loss within 120 days.

(4) In addition, under Insuring Agreement 2. Extortion Threats, you must:

(a) Determine that the "extortion threat" has actually occurred;

(b) With respect to "ransomware", make every reasonable effort to access your "electronic data" from backup, if any, and to remediate the cause of the "ransomware";

(c) Make every reasonable effort to immediately notify us before making any ransom payment based upon the "extortion threat"; and

(d) Approve any ransom payment based upon the "extortion threat".

b. Under Insuring Agreement 6. Security Breach Liability, you must:

(1) Immediately record the specifics of the "claim" and the date "discovered";

(2) Immediately send us copies of any demands, notices, summonses or legal papers received in connection with the "claim";

(3) Authorize us to obtain records and other information; and

(4) Assist us, upon our request, in the enforcement of any right against any person or organization which may be liable to you because of a "loss" to which this Policy may also apply.

You will not, except at your own cost, voluntarily make a payment, assume any obligation or incur any expense without our consent.

15. Extended Period To Discover Loss

We will pay for "loss" (and "defense expenses" under Insuring Agreement 6. Security Breach Liability) resulting directly from any "cyber incident", "extortion threat", "security breach" or "claim" taking place prior to the effective date of cancellation of this Policy, which is "discovered" no later than 60 days from the date of that cancellation. However, this extended period to "discover" such "loss" terminates immediately upon the effective date of any other insurance obtained by you, whether from us or another insurer, replacing in whole or in part the coverage afforded under this Policy, whether or not such other insurance provides coverage for "loss" resulting directly from any "cyber incident", "extortion threat", "security breach" or "claim" taking place prior to its effective date.

16. Valuation – Settlement

a. All premiums, limit(s) of insurance, deductible amounts, "loss" and any other monetary amounts under this Policy are expressed and payable in the currency of the United States of America. If judgment is rendered, settlement is agreed to or another component of "loss" under this Policy is expressed in any currency other than United States of America dollars, payment under this Policy shall be made in United States dollars at the rate of exchange published in The Wall Street Journal on the date the final judgment is entered, settlement amount is agreed upon or the other component of "loss" is due, respectively.

b. With respect to "loss" covered under Insuring Agreement 4. Business Income And Extra Expense:

(1) The amount of "business income" will be determined based on consideration of:

(a) The net income generated from your "e-commerce activities" before the "interruption" occurred;

(b) The likely net income generated by your "e-commerce activities" if no "interruption" had occurred, but not including any net income that would likely have been earned as a result of an increase in the volume of business due to favorable business conditions caused by the impact of the "cyber incident" on customers or on other businesses;

(c) The operating expenses, including payroll, necessary to resume your "e-commerce activities" with the same quality of service that existed before the "interruption"; and

(d) Other relevant sources of information, including your financial records and accounting procedures, bills, invoices and other vouchers, and debts, liens and contracts.

However, the amount of "business income" will be reduced to the extent that the reduction in the volume of business from the affected "e-commerce activities" is offset by an increase in the volume of business from other channels of commerce such as via telephone, mail or other sources.

(2) The amount of "extra expense" will be determined based on:

(a) Necessary expenses that exceed the normal operating expenses that would have been incurred in the course of your "e-commerce activities" during the period of coverage if no "interruption" had occurred. We will deduct from the total of such expenses the salvage value that remains of any property bought for temporary use during the period of coverage once your "e-commerce activities" are resumed; and

(b) Necessary expenses that reduce the "business income" "loss" that otherwise would have been incurred during the period of coverage.

17. Confidentiality

Under Insuring Agreement 2. Extortion Threats, "insureds" must make every reasonable effort not to divulge the existence of this coverage.

18. Territory

This Policy covers "wrongful acts" which occurred anywhere in the world. However, "suits" must be brought in the United States of America (including its territories and possessions), Puerto Rico or Canada.

19. Policy Bridge – Discovery Replacing Loss Sustained

a. If this Policy replaces insurance that provided you with an extended period of time after cancellation in which to "discover" "loss" resulting directly from any "cyber incident", "extortion threat", "security breach" or "claim" and which did not terminate at the time this Policy became effective:

(1) We will not pay for any "loss" resulting directly from any "cyber incident", "extortion threat", "security breach" or "claim" that occurred during the policy period of that prior insurance which is "discovered" during such extended period of time, unless the amount of that "loss" exceeds the Limit of Insurance and Deductible Amount of that prior insurance. In that case, we will pay for the excess "loss" subject to the terms and conditions of this Policy.

(2) However, any payment we make for the excess "loss" will not be greater than the difference between the Limit of Insurance and Deductible Amount of that prior insurance and the Limit Of Insurance shown in the Declarations. We will not apply the Deductible Amount shown in the Declarations to this excess "loss".

Condition 11. Other Insurance does not apply to this condition.

Analysis:

The majority of conditions found in the Commercial Cyber Liability Policy are consistent with those found in the typical ISO general liability and umbrella policies. The conditions that are specific to this policy, or that differ significantly from the other liability policies, are explained as follows:

Condition 7. Subrogation

This is a separate condition from the Transfer of Rights of Recovery condition. It describes the insured's responsibility to execute the papers and documents necessary to enable the insurer to bring suit in the name of the insured, and it describes how the insurer will receive and distribute recoveries under the policy. Any recoveries received will be reduced by the cost incurred in obtaining them. The remaining sums will be distributed first to the insured, for any loss it sustained in excess of the policy limit of insurance plus the deductible; then to the insurer for any payments made under the policy; and the remaining amount will be reimbursed to the insured, up to the amount of the deductible, if any.

Condition 10. Changes In Exposure

This condition describes how coverage will be afforded under the policy in the event of acquisitions of organizations, the creation and cessation of subsidiaries, or mergers and consolidations. If the named insured acquires or creates another organization that becomes a subsidiary (as defined), or if the named insured acquires an organization through merger or consolidation, then that organization will be covered by the policy as of the effective date of the acquisition or creation, provided the named insured:

  • reports the acquisition or creation in writing to the insurer within 90 days of the effective date of such action;
  • obtains the insurer's written consent to extend coverage to the organization; and
  • upon consent, pays the additional premium due.

If the named insured merges or consolidates with another organization and is no longer the surviving organization; or another organization or group acquires controlling ownership of more than 50% of the voting rights of the named insured, then coverage will continue until the end of the policy period but only for claims arising out of wrongful acts or loss which occurred before the effective date of the merger, consolidation or acquisition; and the premium will be fully earned as of the date of the merger, consolidation or acquisition. The named insured must give written notice to the insurer as soon as practicable, with such information as reasonably required by the insurer.

If an organization ceases to be a subsidiary before or during the policy period, coverage will continue for that subsidiary until the end of the policy period but only for claims arising out of wrongful acts or loss that occurred before the date the organization ceased to be a subsidiary.

Condition 14. Duties In The Event Of Claim Or Loss

The named insured must notify the insurer in writing as soon as practicable, but not more than 30 days from the date that a situation that results in, or may result in, a loss is discovered, and must cooperate with the insurer in the investigation and settlement of a claim or loss.

Additionally:

Under Insuring Agreements 2. Extortion Threats and 3. Replacement Or Restoration Of Electronic Data, the named insured must:

  • Notify local law enforcement officials;
  • Submit to examination under oath at the insurer's request and give a signed statement of its answers;
  • Give the insurer a detailed, sworn proof of loss within 120 days; and
  • Additionally, under Insuring Agreement 2. Extortion Threats, determine that the extortion threat actually occurred; with respect to ransomware, make every reasonable effort to access the electronic data from backup, if any was made, and to remediate the cause of the ransomware; make every reasonable effort to immediately notify the insurer before making any ransom payment based on the extortion threat; and approve any ransom payment based upon an extortion threat.

Under Insuring Agreement 6. Security Breach Liability, the named insured must:

  • Immediately record the specifics of the claim and the date discovered;
  • Immediately send the insurer copies of any demands, notices, summonses or legal papers received in connection with the claim;
  • Authorize the insurer to obtain records and other information; and
  • Upon the insurer's request, assist in the enforcement of any right against any person or organization which may be liable to the insured because of loss to which the policy may also apply.

The named insured also must not voluntarily make a payment, assume any obligation or incur any expense without the insurer's consent, except at its own cost.

Condition 15. Extended Period To Discover Loss

This condition gives the named insured an additional 60 days from the date of cancellation to discover a cyber incident, extortion threat, security breach or claim. However, the extended period terminates on the effective date of any other insurance that replaces any part of the coverage afforded by this policy, regardless of whether that other insurance covers the loss.

Example:

XYZ Company had a policy that was cancelled on 12/31/2015 and that contained an extended period to discover loss condition. On 1/1/2016, XYZ obtained a new policy from a different carrier. On 2/15/2016, XYZ discovered a security breach that would have been covered under the policy cancelled on 12/31/2015. However, because XYZ's new policy took effect on 1/1/2016, the extended period ended on that date and the new policy is the one that must respond, regardless of whether the loss is actually covered under the new policy.

Condition 16. Valuation – Settlement

The first part of this condition states that all amounts expressed and payable under the policy are in the currency of the United States of America, regardless of how or where a judgment is rendered or a settlement is agreed to. The rate of exchange used is the one published in The Wall Street Journal on the date the final judgment is entered, the settlement amount is agreed upon or the other component of loss is due, respectively.

The second part of the condition describes how net income will be valued for business income and extra expense coverage, with respect to e-commerce activities, as defined in the policy.

Condition 17. Confidentiality

This condition requires the insured to make every reasonable effort not to divulge the existence of extortion coverage under Insuring Agreement 2. Extortion Threats. If the existence of coverage became known, the insured could become a target for extortionists, who would assume that a ransom would readily be paid.

Condition 18. Territory

This policy covers wrongful acts that occurred anywhere in the world. However, suits must be brought in the United States of America (including its territories and possessions), Puerto Rico or Canada.

Condition 19. Policy Bridge – Discovery Replacing Loss Sustained

If the policy is replacing insurance that provided the named insured with an extended period of time after cancellation to discover loss from any cyber incident, extortion threat, security breach, or claim which did not terminate when this policy became effective:

The insurer does not have to pay for any loss that occurred during the policy period of that prior insurance which is discovered during that extended period of time, unless the loss exceeds the limit of insurance and deductible amount of that prior insurance. In that case, the insurer is to pay for the amount of the excess loss, subject to the terms and conditions of the policy.

However, payment made for the excess loss will not be greater than the difference between the limit of insurance and deductible of the prior insurance, and the Limit of Insurance shown in the Declarations. The insurer is not to apply the deductible amount shown in the Declarations to this excess loss.

Example:

XYZ Company had a policy expiring on 12/31/2016 which provided an additional 60 days after expiration to discover a loss, and that extended period did not terminate when the named insured obtained a new policy. The Limit of Insurance on the expired policy was $1,000,000, subject to a $5,000 deductible. XYZ Company obtained a new policy effective 1/1/2017 with the same Limit of Insurance and deductible as the expired policy. On 1/26/2017, within the extended period, XYZ discovered a security breach that had occurred during the expired policy's period, with a total loss of $1,300,000. The expired policy pays the first $995,000 of the loss ($1,000,000 less the $5,000 deductible), leaving an excess loss of $300,000. Under this condition, however, the new policy's payment for that excess cannot exceed the difference between the limit and deductible of the prior insurance and the new policy's Limit of Insurance; with identical $1,000,000 limits there is no such difference, so the new policy pays none of the $300,000 excess. Had XYZ purchased a $2,000,000 limit on the new policy, the new policy would pay the full $300,000 excess, with no deductible applied, because the increase in limit exceeds the excess loss.

Section VII – Definitions

1. "Application" means the signed application for this Policy, including any attachments and other materials submitted in conjunction with the signed application.

2. "Claim" means:

a.A written demand for monetary or nonmonetary damages, including injunctive relief;

b.A civil proceeding commenced by the service of a complaint or similar proceeding; or

c.Under Paragraph a.(2) of Insuring Agreement 6. Security Breach Liability, a "regulatory proceeding" commenced by the filing of a notice of charges, formal investigative order, service of summons or similar document;

against any "insured" for a "wrongful act", including any appeal therefrom.

3. "Computer system" means any computer, including Personal Digital Assistants (PDAs) and other transportable or handheld devices, electronic storage devices and related peripheral components; any systems and applications software, or any related telecommunications networks connected to or used in connection with such computer or devices:

a.Which collects, transmits, processes, stores or retrieves your "electronic data"; and

Which is:

    (1)  Owned by you;

    (2)  Leased by you and operated by any "insured";

    (3)  Owned and operated by an "employee" who has agreed in writing to your personal device use policy; or

    (4)  Operated by an authorized "third party", but only with respect to your "electronic data".

4. "Cyber incident" means:

a.Any:

    (1)  "Hacker" attack;

    (2)  Malicious code; or

    (3)  "Virus";

that is directed at, enacted upon or introduced into a "computer system" (including your "electronic data") and is designed to access, alter, corrupt, damage, delete, destroy, disrupt, encrypt, use or prevent or restrict access to or the use of any part of a "computer system" (including your "electronic data") or otherwise disrupt its normal functioning or operation.

Recurrence of the same "virus" after a "computer system" has been restored shall constitute a separate "cyber incident".

Any denial of service attack specifically directed at you which disrupts, prevents or restricts access to or use of a "computer system", as defined in Paragraph 3.b.(1), (2) or (3), or otherwise disrupts its normal functioning or operation.

5. "Discover" or "discovered" means the time when any "insured" first becomes aware of facts which would cause a reasonable person to assume that a "loss" covered by this Policy has been or will be incurred, regardless of when the act or acts causing or contributing to such "loss" occurred, even though the exact amount or details of "loss" may not then be known.

6. "Discover" or "discovered" also means the time when any "insured" first receives notice of an actual or potential "claim" in which it is alleged that you are liable to a third party under circumstances which, if true, would constitute a "loss" under this Policy.

7. "E-commerce activities" means those activities conducted by you in the normal conduct of your business via your web site or your e-mail system.

8. "Electronic data" means information, facts, images or sounds stored as or on, created or used on, or transmitted to or from computer software (including systems and applications software) on electronic storage devices including, but not limited to, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment. "Electronic data" is not tangible property.

9. "Electronic data" does not include your "electronic data" that is licensed, leased, rented or loaned to others.

10. "Employee" means any natural person who was, now is or will be:

a.Employed on a full- or part-time basis;

b.Furnished temporarily to you to substitute for a permanent employee on leave or to meet seasonal or short-term workload conditions;

c.Leased to you by a labor leasing firm under an agreement between you and the labor leasing firm to perform duties related to the conduct of your business, but does not mean a temporary employee as defined in Paragraph 8.b.;

d.An officer;

e.A director, trustee or manager (if a limited liability company);

f.A volunteer worker; or

g.A partner or member (if a limited liability company);

of the "named insured" and those of any organization qualifying as a "subsidiary" under the terms of this Policy, but only while acting within the scope of their duties as determined by the "named insured" or such "subsidiary".

"Extortion threat" means a threat or series of related threats:

a.To perpetrate a "cyber incident";

To disseminate, divulge or utilize:

    (1)  Your proprietary information; or

    (2)  Weaknesses in the source code;

within a "computer system" by gaining unauthorized access to such "computer system";

To destroy, corrupt or prevent normal access to a "computer system" (including your "electronic data") by gaining or having gained unauthorized access to a "computer system";

To inflict "ransomware" on a "computer system"; or

To publish your client's or "employee's" "personal information".

"Extortion threat" does not include a threat or series of threats to any "third party".

11. "Hacker" means a person who accesses a "computer system" (including your "electronic data") who is:

a.Not authorized to have such access; or

Authorized to have such access but who uses such access in an unauthorized manner.

12. "Insured" means any "named insured" and its "employees".

13. "Interrelated wrongful acts" means the definition set forth in Insuring Agreement 6. of Section I – Insuring Agreements.

14. "Interruption" means:

a.With respect to a "cyber incident":

(1)  An unanticipated cessation or slowdown of your "e-commerce activities"; or

(2)  Your suspension of your "e-commerce activities" for the purpose of avoiding or mitigating the possibility of transmitting a "virus" or malicious code to another person or organization; and, with regard to Paragraphs 13.a.(1) and 13.a.(2), shall be deemed to begin when your "e-commerce activities" are interrupted and ends at the earliest of:

         (a)  90 days after the "interruption" begins;

         (b)  The time when your "e-commerce activities" are resumed; or

         (c)  The time when service is restored to you.

With respect to an "extortion threat", your voluntary suspension of your "e-commerce activities":

    (1)  Based upon clear evidence of a credible threat; or

    (2)  Based upon the recommendation of a security firm, if any;

and, with regard to Paragraphs 13.b.(1) and 13.b.(2), shall be deemed to begin when your "e-commerce activities" are interrupted and ends at the earliest of:

         (a)  14 days after the "interruption" begins;

         (b)  The time when your "e-commerce activities" are resumed; or

         (c)  The time when service is restored to you.

15. "Loss" means the definitions set forth in each of the respective Insuring Agreements 1. through 6. of Section I – Insuring Agreements.

16. "Named insured" means the entity or entities shown in the Declarations and any "subsidiary".

17. "Personal information" means any information not available to the general public for any reason through which an individual may be identified including, but not limited to, an individual's:

a.Social security number, driver's license number or state identification number;

b.Protected health information;

c.Financial account numbers;

d.Security codes, passwords, PINs associated with credit, debit or charge card numbers which would permit access to financial accounts; or

e.Any other nonpublic information as defined in "privacy regulations".

18. "Pollutants" means any solid, liquid, gaseous or thermal irritant or contaminant, including smoke, vapor, soot, fumes, acids, alkalis, chemicals and waste. Waste includes materials to be recycled, reconditioned or reclaimed.

19. "Privacy regulations" means any of the following statutes and regulations, and their amendments, associated with the control and use of personally identifiable financial, health or other sensitive information including, but not limited to:

a.The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191);

b.The Health Information Technology for Economic and Clinical Health Act (HITECH) (American Recovery and Reinvestment Act of 2009);

c.The Gramm-Leach-Bliley Act of 1999;

d.Section 5(a) of the Federal Trade Commission Act (15 U.S.C. 45(a)), but solely for alleged unfair or deceptive acts or practices in or affecting commerce;

e.The Identity Theft Red Flags Rules under the Fair and Accurate Credit Transactions Act of 2003; or

f.Any other similar state, federal or foreign identity theft or privacy protection statute or regulation.

20. "Ransomware" means any software that is used to demand a ransom payment by:

a.Restricting access to a "computer system"; or

b.Encrypting your "electronic data" held within a "computer system".

21. "Security breach" means the acquisition of "personal information" held within a "computer system" or in non-electronic format while in the care, custody or control of the "insured" or authorized "third party" by a person:

a.Not authorized to have access to such information; or

b.Authorized to have access to such information but whose access results in the unauthorized disclosure of such information.

22. "Subsidiary" means any organization in which more than 50% of the outstanding securities or voting rights representing the present right to vote for the election of directors, trustees, managers (if a limited liability company) or persons serving in a similar capacity is owned, in any combination, by one or more "named insured(s)".

23. "Suit" means a civil proceeding in which damages to which this Policy applies are claimed against the "insured". "Suit" includes:

a.An arbitration proceeding in which such damages are claimed and to which the "insured" submits with our consent; or

b.Any other alternative dispute resolution proceeding in which such damages are claimed and to which the "insured" submits with our consent.

"Suit" does not include a civil proceeding seeking recognition and/or enforcement of a foreign money judgment.

24. "Third party" means any entity that you engage under the terms of a written contract to perform services for you.

25. "Virus" means any kind of malicious code designed to damage or destroy any part of a "computer system" (including your "electronic data") or disrupt its normal functioning.

26. "Wrongful act" means the definition set forth in Insuring Agreement 6. of Section I – Insuring Agreements.

Analysis:

While the majority of definitions are easily read and self-explanatory, a few definitions warrant additional explanation:

3. "Computer System"

This definition has been enhanced to expressly include devices that are:

  • owned by the named insured;
  • leased by the named insured and operated by any insured;
  • owned and operated by an employee who has agreed in writing to the named insured's personal device use policy; and
  • operated by an authorized third party (e.g., a cloud service provider), but only with respect to the named insured's electronic data.

"Computer" is read broadly: it includes Personal Digital Assistants (PDAs) and other transportable or handheld devices, electronic storage devices and related peripheral components, any systems and applications software, and any related telecommunications networks connected to or used in connection with such computers or devices, provided they collect, transmit, process, store or retrieve the insured's electronic data.

4. "Cyber Incident"

This enhanced definition replaces the prior definition of "e-commerce incident". A cyber incident is either:

A hacker attack, malicious code or virus that is directed at, enacted upon or introduced into a computer system (including the named insured's electronic data), and is designed to access, alter, corrupt, damage, delete, destroy, disrupt, encrypt, use or prevent or restrict access to or the use of any part of a computer system or otherwise disrupt its normal functioning or operation. Recurrence of the same virus after a computer system has been restored constitutes a separate cyber incident; or

A denial of service attack specifically directed at the named insured which disrupts, prevents or restricts access to or use of a computer system (other than a computer system operated by an authorized third party) or otherwise disrupts its normal functioning.

5. "Discover" or "Discovered"

This definition has two components:

The time when any insured first becomes aware of facts which would cause a reasonable person to assume that a loss covered by this policy has been or will be incurred, regardless of when the act or acts causing or contributing to such loss occurred, even though the exact amount or details of loss may not then be known.

It also means the time when any insured first receives notice of an actual or potential claim in which it is alleged that the named insured is liable to a third party under circumstances, which, if true, would constitute a loss under this policy.

6. "E-Commerce Activities"

Those activities conducted by the named insured in the normal conduct of its business via its website or its email system.

7. "Electronic Data"

Information, facts, images or sounds stored as or on, created or used on, or transmitted to or from computer software (including systems and applications software) on electronic storage devices including, but not limited to, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.

Electronic data is not tangible property.

Electronic data does not include the named insured's electronic data licensed, leased, rented or loaned to others.

9. "Extortion Threat"

A threat or a series of related threats to:

  • Perpetrate a cyber incident;
  • Disseminate, divulge or utilize the named insured's proprietary information or weaknesses in the source code within a computer system by gaining unauthorized access to such computer system;
  • Destroy, corrupt or prevent normal access to a computer system (including named insured's electronic data) by gaining unauthorized access or having gained unauthorized access to a computer system;
  • Inflict ransomware on a computer system; or
  • Publish the insured's client's or employee's personal information.

Extortion threat does not include a threat or series of threats to any third party. For example, a hacker could threaten to hand the insured's secret formula to a competitor, or to expose confidential client information, unless paid.

10. "Hacker"

A person who accesses a computer system (including the named insured's electronic data) who is not authorized to have such access, or authorized to have such access but who uses such access in an unauthorized manner.

16. "Personal Information"

Any information not available to the general public for any reason through which an individual may be identified including, but not limited to, an individual's:

  • Social security number, driver's license number or state identification number;
  • Protected health information;
  • Financial account numbers;
  • Security codes, passwords, PINs associated with credit, debit or charge card numbers which would permit access to financial accounts; or
  • Any other nonpublic information as defined in privacy regulations.

"Ransomware"

Any software used to demand a ransom payment by either restricting access to a computer system; or encrypting the insured's electronic data held within a computer system. In order to regain access to the information the insured must pay a ransom in order to obtain a code that unlocks the files.

20. "Security Breach"

The acquisition of personal information held within a computer system or in non-electronic format while in the care, custody or control of the insured or authorized third party by a person:

Not authorized to have access to such information; or

Authorized to have access to such information but whose access results in the unauthorized disclosure of such information.

23. "Third Party"

Any entity the named insured engages under the terms of a written contract to perform services for the named insured.

24. "Virus"

Any kind of malicious code designed to damage or destroy any part of a computer system (including the named insured's electronic data), or disrupt its normal functioning.

Includes copyrighted material of Insurance Services Office, Inc., with its permission.

Original post: December 27, 2017

Updated: March 20, 2018
