Summary: In July 2017, ISO introduced its first cyber coverage forms. With the introduction of the cyber product, the ISO E-Commerce Program was renamed the ISO Cyber Program. However, as with most new programs, ISO received a vast amount of input on the program, generating the need for substantial changes and enhancements. Because the changes are so substantial, and because new formatting makes the forms easier to read, ISO is introducing an entirely new Commercial Cyber Insurance Policy form (CCI), CY 00 02 11 21, and a new Information Security Protection (ISP) Cyber Policy form, CY 00 03 11 21. These forms will replace the current forms CY 00 01, CY 00 03, and CY 00 10.
Naturally, the program applications, Declarations and endorsements will be revised to follow the new forms. The anticipated effective date of these changes is 11/1/2021.
Because this revision is a total replacement of the product, this analysis will address the new policy, highlighting prominent changes over the current form, which will be withdrawn as the new form receives approval.
The forms analyses of the new cyber product will be in several parts. This is Part Three "B", analyzing Section VIII – Conditions, Section IX – Extended Discovery And Reporting Periods, and Section X – Definitions.
Topics Covered:
SECTION VIII – CONDITIONS
A. Assignment
No change in, modification of or assignment of interest under this Policy will be effective without our written consent.
B. Bankruptcy
Bankruptcy or insolvency of any "insured" or of any "insured's" estate will not relieve us of our obligations under this Policy.
C. Cancellation And Nonrenewal
1. Cancellation
a. The "named insured" shown in the Declarations may cancel this Policy by mailing or delivering to us advance written notice of cancellation.
b. We may cancel this Policy by mailing or delivering to the "named insured" written notice of cancellation at least:
(1) 10 days before the effective date of cancellation if we cancel for nonpayment of premium; or
(2) 30 days before the effective date of cancellation if we cancel for any other reason.
c. We will mail or deliver our notice to the "named insured's" last mailing address known to us.
d. Notice of cancellation will state the effective date of cancellation. The "policy period" will end on that date.
e. If this Policy is canceled, we will send the "named insured" any premium refund due. If we cancel, the refund will be prorated. If the "named insured" cancels, the refund may be less than pro rata. The cancellation will be effective even if we have not made or offered a refund.
f. If notice is mailed, proof of mailing will be sufficient proof of notice.
2. Nonrenewal
If we decide not to renew this Policy, we will mail or deliver to the "named insured" written notice of the nonrenewal not less than 30 days before the expiration date. If notice is mailed, proof of mailing will be sufficient proof of notice.
D. Changes
This Policy contains all the agreements between the "named insured" and us concerning the insurance afforded. The "named insured" is authorized to make changes in the terms of this Policy with our consent. This Policy's terms can be amended or waived only by endorsement issued by us and made a part of this Policy.
E. Changes In Exposure
1. Acquisition Or Creation Of Another Entity
If before or during the "policy period" the "organization" acquires:
a. Securities or voting rights in another entity or creates another entity resulting in a "subsidiary"; or
b. Any entity by merger into or consolidation with the "named insured" or an existing "subsidiary";
the "named insured" must:
(1) Give us written notice of the acquisition or creation of such entity within 60 days after the effective date of such action; and
(2) Pay any additional premium that we may require if we agree in writing to add such entity as a "subsidiary".
The newly acquired or created entity will then be covered under this Policy, but only with respect to "cyber incidents", "cyber extortion events", "information security breaches" or "wrongful acts" which occurred after the effective date of such acquisition or creation.
2. Merger Or Acquisition Of Named Insured
a. If during the "policy period":
(1) The "named insured" merges into or consolidates with another entity such that the "named insured" is not the surviving entity; or
(2) Another entity, or person or group of entities and/or persons acting in concert, acquires securities or voting rights which result in ownership or voting control by the other entities or persons of more than 50% of the outstanding securities or voting rights representing the present right to vote for the election of directors, trustees or managers (if a limited liability company) of the "named insured";
then coverage under this Policy will continue as described in Paragraph b. or c. below, as applicable.
b. Under All First Party Insuring Agreements
If the situation described in Paragraph a. applies, coverage afforded under this Policy will continue until the end of the "policy period", but only for "loss" resulting from "cyber incidents", "cyber extortion events" or "information security breaches" which occurred prior to the effective date of such merger, consolidation or acquisition.
c. Under Liability Insuring Agreements
If the situation described in Paragraph a. applies, coverage afforded under this Policy will continue until the end of the "policy period", or the expiration of a Run-Off Coverage Period, shown in the Declarations, if purchased, with respect to "claims" for "wrongful acts" which occurred on or after the Retroactive Date, if any, and prior to the effective date of such merger, consolidation or acquisition.
The full annual premium for the "policy period" will be deemed fully earned immediately upon the occurrence of such merger, consolidation or acquisition of the "named insured". The "named insured" must give written notice of such merger, consolidation or acquisition to us within 60 days of such merger, consolidation or acquisition.
3. Cessation Of Subsidiaries
a. If an entity ceases to be a "subsidiary" during the "policy period", then coverage afforded under this Policy for such former "subsidiary" will continue as described in Paragraph b. or c. below, as applicable.
b. Under All First Party Insuring Agreements
If the situation described in Paragraph a. applies, coverage afforded under this Policy will continue until the end of the "policy period" or, if applicable, the end of the Extended Discovery Period, but only for "loss" resulting from "cyber incidents", "cyber extortion events" or "information security breaches" which occurred prior to the date such entity ceased to qualify as a "subsidiary".
c. Under Liability Insuring Agreements
If the situation described in Paragraph a. applies, coverage afforded under this Policy will continue until the end of the "policy period" or the expiration of a Run-Off Coverage Period, shown in the Declarations, if purchased, with respect to "claims" for "wrongful acts" which occurred on or after the Retroactive Date, if any, and prior to the date such entity ceased to qualify as a "subsidiary".
F. Confidentiality
Under Insuring Agreement A.2. Cyber Extortion Events, "insureds" must make every reasonable effort not to divulge the existence of this coverage.
G. Examination Of The Organization's Books And Records
We may examine and audit the "organization's" books and records as they relate to this Policy at any time during the "policy period" and up to three years afterward.
H. Legal Action Against Us
1. No person or entity has a right:
a. To join us as a party or otherwise bring us into a "suit" asking for damages from an "insured"; or
b. To sue us under this Policy unless all of its terms have been fully complied with.
A person or entity may sue us to recover on an agreed settlement or on a final judgment against an "insured", but we will not be liable for damages that are not payable under any Liability Insuring Agreement, or that are in excess of the applicable Limit of Insurance. An agreed settlement means a settlement and release of liability signed by us, the "named insured" and the claimant or the claimant's legal representative.
2. The "insured" may not bring any legal action against us involving "loss":
a. Unless the "insured" has complied with all the terms of this Policy;
b. Until 90 days after an "insured" has filed proof of loss with us; and
c. Unless brought within two years from the date an "insured" reported the "loss" to us.
If any limitation in this condition is prohibited by law, such limitation is amended so as to equal the minimum period of limitation provided by such law.
I. Other Insurance
Such insurance as is provided by this Policy shall apply only as excess over any other valid and collectible insurance, unless such other insurance is expressly written to be excess over any applicable Limit of Insurance provided by this Policy.
J. Premiums
The "named insured":
a. Is responsible for the payment of all premiums; and
b. Will be the payee for any return premiums we pay.
K. Reporting, Notice And Duties In The Event Of A Cyber Incident, Cyber Extortion Event, Information Security Breach Or Interruption
The provisions contained within this section apply only to First Party Insuring Agreements:
1. The "insured" must give us written notice of any "cyber incident", "cyber extortion event", "information security breach" or "interruption" that is "discovered" within the "policy period" as soon as practicable, but in no event later than 60 days after the end of the "policy period". If an Extended Discovery Period applies, the "insured" must provide us written notice of any "cyber incident", "cyber extortion event", "information security breach" or "interruption" that is "discovered" within the Extended Discovery Period as soon as practicable, but in no event later than 60 days after the end of the Extended Discovery Period. The "insured" must also cooperate with us in the investigation and settlement of the "loss".
2. Additionally, under Insuring Agreement A.2. Cyber Extortion Events and Insuring Agreement A.3. Replacement Or Restoration Of Electronic Data, the "insured" must:
a. Notify local law enforcement officials;
b. Submit to examination under oath at our request and give us a signed statement of the "insured's" answers; and
c. Give us a detailed, sworn proof of loss within 120 days.
3. In addition, under Insuring Agreement A.2. Cyber Extortion Events, the "insured" must:
(1) Determine that the "cyber extortion event" has actually occurred;
(2) Make every reasonable effort to access the "organization's" "electronic data" from backup, if any, and to remediate the cause of the ransomware;
(3) Make every reasonable effort to immediately notify us before making any ransom payment based upon the "cyber extortion event"; and
(4) Approve any ransom payment based upon the "cyber extortion event".
L. Reporting, Notice And Duties In The Event Of A Claim Or A Wrongful Act That May Result In A Claim
The provisions contained within this section apply only to Liability Insuring Agreements:
1. The "insured" must give us written notice of any "claim" made against any "insured" within the "policy period" as soon as practicable, but in no event later than 60 days after the end of the "policy period". If an Extended Reporting Period applies, the "insured" must provide us written notice of any "claim" made against any "insured" within the applicable Extended Reporting Period as soon as practicable, but in no event later than 60 days after the end of the applicable Extended Reporting Period.
2. If any "insured" receives a "claim", the "insured" must also:
a. Cooperate with us in the investigation and settlement of the "claim";
b. Immediately record the specifics of the "claim" and the date received;
c. Immediately send us copies of any demands, notices, summonses or legal papers received in connection with the "claim";
d. Authorize us to obtain records and other information; and
e. Assist us, upon our request, in the enforcement of any right against any person or entity which may be liable to an "insured" because of a "wrongful act" to which this Policy may also apply.
3. If during the "policy period" any "insured" becomes aware of any circumstances potentially involving a "wrongful act" that could reasonably be expected to give rise to a "claim", the "insured" must provide us with written notice of the circumstances as soon as practicable, but in no event later than 60 days after the end of the "policy period". If any "insured" becomes aware of any circumstances during any applicable Extended Reporting Period, the "insured" must provide us with written notice of the circumstances as soon as practicable, but in no event later than 60 days after the end of the applicable Extended Reporting Period.
Such notice of any circumstances potentially involving a "wrongful act" must provide:
a. A description, including all relevant dates;
b. The names of the persons involved, including names of the potential claimants;
c. Particulars as to the reasons for anticipating a "claim" which may result;
d. The nature of the alleged or potential damages; and
e. The circumstances by which the "insured" first became aware of the potential "wrongful act".
If a "claim" develops from the same circumstances or from any "interrelated wrongful act", then we will treat that "claim" as if it had first been made against an "insured" on the date the "insured" notified us of it as a potential "claim". We will do so even if that "claim" is first made against an "insured" after the "policy period" or applicable Extended Reporting Period has ended.
4. No "insured" will, except at that "insured's" own cost, voluntarily make a payment, assume any obligation or incur any expense without our consent.
M. Representations And Severability Of The Application
1. Representations
By accepting this Policy, of which the "application" is a part, the "insured" agrees that:
a. The statements in the Declarations and "application" are accurate and complete;
b. Those statements are based upon representations the "insured" made to us; and
c. We have issued this Policy in reliance upon the "insured's" representations.
2. Severability Of The Application
The "application" shall be considered as a separate "application" by each "employee". With respect to the "application", no knowledge possessed by an "employee" shall be imputed to any other "employee".
However, if we learn that any of the representations or materials were untrue, inaccurate or misleading in any material respect, then we are entitled to treat the Policy as if it had never existed with respect to:
a. Any "employee" who knew of such misrepresentations if such individual was aware that the "application" included the misrepresentations; or
b. Any "organization" if any past or present chief financial officer, chief executive officer, in-house general counsel, managing partner or any person in any equivalent positions of the foregoing, regardless of title, knew of such misrepresentations, even if such individual was not aware that the "application" included the misrepresentations.
N. Subrogation
With respect to any payments made under this Policy on behalf of any "insured", we shall be subrogated to the "insured's" rights of recovery to the extent of those payments. The "insured" shall execute all papers required and shall do everything necessary to secure and preserve such rights, including the execution of such documents necessary to enable us to bring suit in the "insured's" name.
O. Territory
This Policy covers "cyber incidents", "cyber extortion events", "information security breaches" or "wrongful acts" which occurred anywhere in the world. However, all "suits" must be brought in the United States of America (including its territories and possessions), Puerto Rico or Canada.
P. Valuation
1. Settlement
All premiums, limit(s) of insurance, retention amounts, "loss" and any other monetary amounts under this Policy are expressed and payable in the currency of the United States of America. If judgment is rendered, settlement is agreed to or another component of "loss" under this Policy is expressed in any currency other than United States of America dollars, payment under this Policy shall be made in United States dollars at the rate of exchange published in The Wall Street Journal on the date the final judgment is entered, settlement amount is agreed upon or the other component of "loss" is due, respectively.
2. Business Income And Extra Expense
With respect to Insuring Agreement A.4. Business Income And Extra Expense:
a. The amount of "business income loss" will be determined based on consideration of:
(1) The net income generated from the "organization's" business activities before the "interruption" occurred;
(2) The likely net income generated by the "organization's" business activities if no "interruption" had occurred, but not including any net income that would likely have been earned as a result of an increase in the volume of business due to favorable business conditions caused by the impact of the "cyber incident" on customers or on other businesses;
(3) The operating expenses, including payroll, necessary to resume the "organization's" business activities with the same quality of service that existed just before the "interruption"; and
(4) Other relevant sources of information, including the "organization's" financial records and accounting procedures, bills, invoices and other vouchers, and debts, liens and contracts.
However, the amount of "business income loss" will be reduced to the extent that the reduction in the volume of business from the affected business activities is offset by an increase in the volume of business from other channels of commerce such as via telephone, mail or other sources.
b. The amount of "extra expenses" will be determined based on:
(1) Necessary expenses that exceed the normal operating expenses that would have been incurred in the course of the "organization's" business activities during the "period of restoration" if no "interruption" had occurred. We will deduct from the total of such expenses:
(a) The salvage value that remains of any property bought for temporary use during the "period of restoration" once the "organization's" business activities are resumed; and
(b) Any "extra expenses" that are paid for by other insurance.
(2) Necessary expenses that reduce the "business income loss" that otherwise would have been incurred during the "period of restoration".
c. We will reduce the amount of the "organization's":
(1) "Business income loss", other than "extra expense", to the extent the "organization" can resume business activities, in whole or in part, by using "computer systems" not compromised by the "cyber incident".
(2) "Extra expense" loss to the extent the "organization" can return business activities to normal and discontinue such "extra expense".
d. If the "organization" does not resume business activities, or does not resume business activities as quickly as possible, we will pay based on the length of time it would have taken to resume business activities as quickly as possible.
Analysis:
As with the exclusions, the Conditions are now arranged alphabetically. The Inspections And Surveys condition has been removed and is now available as an optional endorsement. The Transfer Of Your Rights And Duties Under This Policy condition is replaced by the Assignment condition. The Separation Of Insured and the Policy Bridge-Discovery Replacing Loss Sustained conditions have not been included.
Following are the conditions that are revised from the current form; if not noted below the condition remains unchanged.
The Assignment condition replaces the Transfer Of Your Rights And Duties Under This Policy condition of the current form. It states that no change in, modification of or assignment of interest under the policy is effective without the insurer's written consent, so the organization must notify the insurer of any proposed assignment of interest to preserve coverage after the assignment.
The Bankruptcy condition has been enhanced in that it will apply in the event of bankruptcy or insolvency of any insured, or any insured's estate, and not just the bankruptcy or insolvency of the named insured or the named insured's estate.
There is no change to the Cancellation provision; however, the Nonrenewal provision now requires the insurer to give not less than 30 days' notice of nonrenewal before the policy's expiration date.
With respect to the Changes in Exposure condition, there are three revised provisions:
- Under the provision for Acquisition Or Creation Of Another Entity, if the organization acquires or creates another entity that results in a subsidiary, the named insured must give the insurer written notice within 60 days (in lieu of the current 90 days) after the effective date of such action, and the insurer may require additional premium to add the entity as a subsidiary. Coverage for the new entity applies only to cyber incidents, cyber extortion events, information security breaches or wrongful acts occurring after the acquisition or creation.
- Under the Merger or Acquisition of Named Insured provision, if the named insured is merged into or is acquired by another entity, the coverage that continues will only be for loss resulting from cyber incidents, cyber extortion events, information security breaches or wrongful acts which occurred prior to the effective date of the merger, consolidation, or acquisition.
- Under the provision for Cessation Of Subsidiary, once an entity ceases to be a subsidiary, the coverage that continues will only be for loss resulting from cyber incidents, cyber extortion events, information security breaches or wrongful acts which occurred prior to the date the entity ceased to be a subsidiary.
Consistent with the insuring agreement, the Examination of Your Books and Records condition is now the Examination Of The Organization's Books and Records condition; otherwise the condition is unchanged.
The Other Insurance condition is revised to state that the policy is excess over any other valid and collectible insurance. Further, the defense provision (paragraph b.) that is in the existing form has been removed as it is no longer applicable.
The Duties In The Event Of Claim Or Loss condition in the existing forms is replaced by two separate Reporting, Notice And Duties conditions: one applying to the First Party Insuring Agreements and the other to the Liability Insuring Agreements.
The First Party condition, Reporting, Notice And Duties In The Event Of A Cyber Incident, Cyber Extortion Event, Information Security Breach Or Interruption, requires the insured to give notice as soon as practicable, but no later than 60 days after the end of the policy period or, if applicable, the Extended Discovery Period. This gives the insured more time to report a cyber incident, cyber extortion event, information security breach or interruption after its initial discovery than the existing condition, which requires reporting within 30 days of discovery.
Likewise, the Liability condition, Reporting, Notice And Duties In The Event Of A Claim Or A Wrongful Act That May Result In A Claim, gives the insured until 60 days after the end of the policy period or, if applicable, the Extended Reporting Period, rather than the 30 days of the existing form. Notice must be given upon receiving a claim or upon becoming aware of circumstances that could reasonably be expected to give rise to a claim; a claim later arising from noticed circumstances is treated as made on the date of that notice.
The Representations And Severability Of The Application condition binds the insured to the accuracy and completeness of the statements in the Declarations and application, on which the insurer has relied in issuing the policy. Its severability provision treats the application as a separate application by each employee, so one employee's knowledge is not imputed to another; however, if an employee knew that the application contained a misrepresentation, the insurer may treat the policy as void as to that employee. Further, if a chief financial officer, chief executive officer, in-house general counsel, managing partner or person in an equivalent position knew of the misrepresentation, that knowledge is imputed to the organization even if the officer did not know the misrepresentation was included in the application. For example, suppose the CFO of subsidiary 1 of the organization is aware of a cyber event that occurred within the subsidiary's network but withholds it from the organization, thinking the event is over and no longer worth mentioning. The application is therefore completed with no mention of the event. During the policy term the organization discovers a cyber event that has spread throughout the organization, and investigation shows that the cause lay dormant in subsidiary 1's network until it was triggered again by accessing a specific program there. In this case the knowledge of the subsidiary's CFO is imputed to the organization, and the insurer may void coverage under the policy because the information was not supplied on the application.
The Subrogation condition has been revised by removing the language pertaining to the recovery priority of payments portion of the condition (items a., b., and c. in the existing form). Otherwise, the condition remains intact with the insured's rights of recovery being subrogated to the insurer.
The Territory condition has been expanded to pertain to not only wrongful acts, but also cyber incidents, cyber extortion events, or information security breaches which occur anywhere in the world, as long as all suits are brought in the United States of America (including its territories and possessions), Puerto Rico, or Canada.
In the Valuation condition, changes are made to maintain consistency with changes in the policy form. As such, e-commerce activity is replaced with business activity (a broadening of coverage); and the policy provides with respect to Business Income and Extra Expense valuation, that the organization's business income loss will be reduced to the extent it can resume business activities by using computer systems that were not compromised by the cyber incident. Also, extra expense may be reduced to the extent the organization can return business activities to normal and discontinue such extra expense. If the organization does not resume business activities or does not resume business activities as quickly as possible, the insurer will pay based on the length of time it would have taken to resume business activities as quickly as possible.
The following Conditions are removed and not included in CY 00 03 11 21:
Inspections and Surveys Condition – This condition is no longer in the form but is available as a separate optional endorsement.
Separation of Insured condition is removed.
Policy Bridge – Discovery Replacing Loss Sustained is removed.
SECTION IX – EXTENDED DISCOVERY AND REPORTING PERIODS
A. Extended Discovery Period
This provision applies only to First Party Insuring Agreements:
This Policy provides an Extended Discovery Period without an additional charge that starts at the end of the "policy period" and lasts for 60 days if this Policy is canceled, other than for failure to pay premium, or not renewed by us or the "named insured".
The Extended Discovery Period will apply only to "loss" covered under any First Party Insuring Agreement resulting from any "cyber incident", "cyber extortion event" or "information security breach":
a. That occurred prior to the end of the "policy period"; and
b. Is first "discovered" and reported to us during the Extended Discovery Period in accordance with Section VIII Paragraph K. Reporting, Notice And Duties In The Event Of A Cyber Incident, Cyber Extortion Event, Information Security Breach Or Interruption.
However, this Extended Discovery Period terminates immediately upon the effective date of any other insurance obtained by the "named insured" or any "subsidiary", whether from us or another insurer, replacing in whole or in part the coverage afforded under this Policy, whether or not such other insurance provides coverage for "loss" resulting directly from any "cyber incident", "cyber extortion event" or "information security breach" taking place prior to its effective date.
B. Extended Reporting Periods And Run-Off Coverage Period
This provision applies only to Liability Insuring Agreements:
1. Extended Reporting Periods
This Policy provides a Basic Extended Reporting Period without an additional charge that starts at the end of the "policy period" and lasts for 60 days if this Policy is canceled, other than for failure to pay premium, or not renewed by us or the "named insured".
The "named insured" will have the right to purchase an Additional Extended Reporting Period for the period of time and at the percentage of the expiring premium as stated in the Declarations if this Policy is canceled, other than for failure to pay premium, or not renewed by us or the "named insured". If the Additional Extended Reporting Period is purchased, it will start when the Basic Extended Reporting Period ends.
The Basic or Additional Extended Reporting Period will apply only to "claims" that:
a. Are first made against an "insured" and reported to us during the applicable Extended Reporting Period in accordance with Section VIII Paragraph L. Reporting, Notice And Duties In The Event Of A Claim Or A Wrongful Act That May Result In A Claim; and
b. Arise from "wrongful acts" occurring on or after the Retroactive Date, if any, but prior to the end of the "policy period".
2. Run-Off Coverage Period
The "named insured" will have the right to purchase a Run-Off Coverage Period for the requested period which shall not exceed six years, in the event of the merger, consolidation or acquisition of the "named insured" or cessation of a "subsidiary".
a. In the event of a merger, consolidation or acquisition of the "named insured", the Run-Off Coverage Period will apply only to "claims" that:
(1) Are first made against an "insured" and reported to us during the Run-Off Coverage Period in accordance with Section VIII Paragraph L. Reporting, Notice And Duties In The Event Of A Claim Or A Wrongful Act That May Result In A Claim; and
(2) Arise from "wrongful acts" occurring on or after the Retroactive Date, if any, and prior to the merger, consolidation or acquisition of the "named insured".
b. In the event of a cessation of a "subsidiary", the Run-Off Coverage Period will apply only to "claims" that:
(1) Are first made against the "subsidiary" or any "employee" of such "subsidiary" and reported to us during the Run-Off Coverage Period in accordance with Section VIII Paragraph L. Reporting, Notice And Duties In The Event Of A Claim Or A Wrongful Act That May Result In A Claim; and
(2) Arise from "wrongful acts" occurring on or after the later of the retroactive date(s), if any, or the date such entity became a "subsidiary" and prior to the cessation of such "subsidiary".
If Run-Off Coverage is purchased in the event of the cessation of a "subsidiary" and a "claim" is made that is also covered by another policy issued by us or a related company, the maximum we will pay under both policies combined shall not be greater than the Limit of Insurance available under either policy, whichever is greater.
3. Notice of election of the Additional Extended Reporting Period and the Run-Off Coverage Period and full payment of any applicable additional premiums must be received by us within 30 days after the expiration of the "policy period", along with any premium or retention owed for coverage provided under this Policy, otherwise any right to purchase an Additional Extended Reporting Period or Run-Off Coverage Period will lapse at that time. Provided the additional premium and any amount owed are paid in full, the Additional Extended Reporting Period and Run-Off Coverage Period are noncancellable and their additional premiums will be fully earned at the inception of the Additional Extended Reporting Period or the Run-Off Coverage Period.
- There is no reinstatement of or separate or additional Limit of Insurance for any Extended Reporting Period or Run-Off Coverage Period. The Limit of Insurance available during any purchased Additional Extended Reporting Period or Run-Off Coverage Period shall be the remaining amount of the Limit of Insurance available at the end of the "policy period". Any applicable Extended Reporting Period or Run-Off Coverage Period does not apply to "claims" that are covered under any subsequent insurance purchased by the "named insured" or any "subsidiary", or that would be covered but for the exhaustion of the amount of insurance applicable to such "claims".
Analysis:
This section is similar to the extended reporting period provisions of the existing forms. The provision states that the Extended Discovery Period applies to the First Party Insuring Agreements and that the Extended Reporting Periods And Run-Off Coverage Periods apply to the Liability Insuring Agreements. The extended discovery period now applies if the policy is nonrenewed as well as if it is cancelled. Further, the extended reporting period has been extended to 60 days from 30 days, and the policy includes an optional run-off coverage period in the event of a merger, consolidation or acquisition of the named insured, or in the event a subsidiary ceases to exist.
SECTION X – DEFINITIONS
As with other sections, the definitions have been placed in alphabetical order for ease in locating a term.
A. "Application" means all signed "applications" for this Policy, including any attachments, addenda and other materials submitted in conjunction with the signed "applications".
B. "Business income loss" means the "organization's":
- Actual loss of net income (net profit or loss before income taxes) that would have been earned or incurred; and
- Continuing normal operating expenses incurred, including payroll.
C. "Card company" means any credit card company that requires its merchants to adhere to the Payment Card Industry Data Security Standards.
D. "Claim" means:
1. Under Insuring Agreement B.1. Cyber Incident Or Information Security Breach Liability:
a. A written demand against an "insured" for monetary or nonmonetary damages, including injunctive relief;
b. A civil proceeding against an "insured" commenced by the service of a complaint;
c. A written request for mediation or demand for arbitration against an "insured"; or
d. A written request to toll or waive a statute of limitations relating to a potential "claim" described in Paragraphs 1.a. through c.
2. Under Insuring Agreement B.2. Regulatory Proceeding Liability, an investigation, demand or proceeding brought by, or on behalf of, the Federal Trade Commission, Federal Communications Commission or other administrative or regulatory agency, or any federal, state, local or foreign governmental entity in such entity's regulatory or official capacity commenced by the filing of a notice of charges, formal investigative order, service of summons or similar document against any "insured".
E. "Computer program" means a set of related electronic instructions, which direct the operation and function of a computer or devices connected to it, which enables the computer or devices to receive, process, store or send the "organization's" "electronic data".
F. "Content" means any type of communicative or informational material, regardless of its nature or form, including material disseminated electronically, such as via a web site or electronic mail.
G. "Computer system" means any computer, including any transportable or handheld devices, electronic storage devices and related peripheral components; any systems and applications software, or any related telecommunications networks connected to or used in connection with such computer or devices.
H. "Cyber extortion event" means a demand for ransom payments made to the "organization" in connection with the actual or threatened:
- Perpetration of a "cyber incident" or "information security breach"; or
- Theft, disclosure, destruction, publication or use of the "organization's" confidential corporate or proprietary information that is stored on the "organization's computer system" or on a "third party computer system".
I. "Cyber extortion expenses" means:
1. Interest costs paid by the "organization" for any loan from a financial institution taken by the "organization" to pay a ransom demand;
2. Reward payments paid by the "organization" to a person, other than an "employee", providing information not otherwise obtainable, solely in return for a reward offered by the "organization", and which lead to the arrest and conviction of parties responsible for the "cyber extortion event";
3. Any other reasonable expenses incurred by the "organization" with our written consent, including:
a. Fees and costs of independent negotiators; and
b. Fees and costs of a company hired by the "organization", upon the recommendation of the security firm, to protect the "organization's" "electronic data" from further threats; and
4. Ransom payments made by the "organization", including payments made in the form of virtual currency such as, but not limited to, bitcoin, as a result of a "cyber extortion event".
J. "Cyber incident" means any:
1. Unauthorized access to or use of the "organization's computer system" (including the "organization's" "electronic data").
2. Malicious code, virus or any other harmful code that is directed at, enacted upon or introduced into the "organization's computer system" (including the "organization's" "electronic data") and is designed to access, alter, corrupt, damage, delete, destroy, disrupt, encrypt, exploit, use or prevent or restrict access to or the use of any part of the "organization's computer system" (including the "organization's" "electronic data") or otherwise disrupt its normal functioning or operation.
Recurrence of the same malicious code, virus, or any other harmful code after the "organization's computer system" has been restored shall constitute a separate "cyber incident".
3. Denial of service attack specifically directed at an "organization" which disrupts, prevents or restricts access to or use of the "organization's computer system", or otherwise disrupts its normal functioning or operation.
K. "Cyber incident or information security breach expenses":
1. Means any of the following:
a. The costs to establish whether a "cyber incident" or "information security breach" has occurred or is occurring.
If a "cyber incident" or "information security breach" has occurred, the following costs are also included:
(1) Costs to investigate the cause, scope and extent of a "cyber incident" or "information security breach" and to identify any affected parties; and
(2) Costs to determine any action necessary to remediate the conditions that led to or resulted from a "cyber incident" or "information security breach" including, but not limited to, fees paid for legal and other professional advice on how to respond to the "cyber incident" or "information security breach";
b. Fees and costs of a public relations firm, and any other reasonable expenses incurred by the "organization" with our written consent, to protect or restore the "organization's" reputation solely in response to information which has been made public that has caused, or is reasonably likely to cause, a decline or deterioration in the reputation of the "organization", or of one or more of its products or services;
c. Costs incurred to notify all parties affected by an "information security breach" as required by any "privacy regulation";
d. Overtime salaries paid to "employees" assigned to handle inquiries from the parties affected by an "information security breach";
e. Fees and costs of a company hired by the "organization" for the purpose of operating a call center to handle inquiries from the parties affected by an "information security breach";
f. Costs to provide credit and identity monitoring services to natural persons affected by an "information security breach" for up to one year, or longer if required by applicable law, from the date of notification to those affected natural persons of such "information security breach"; and
g. Any other reasonable expenses incurred by the "organization" with our written consent.
2. Does not include:
- Any costs or expenses associated with upgrading, maintaining, repairing, remediating, replacing or improving "electronic data", any "computer program" or any "computer system"; or
- Chargebacks, interchange fees or rates, discount fees, processing fees, or any costs to replace any payment cards whose card numbers were or may have been compromised.
L. "Data restoration expenses":
1. Means the cost to replace or restore the "organization's" "electronic data" or "computer programs" stored within the "organization's computer system" as well as the cost of data entry, reprogramming and computer consultation services. To the extent that any of the "organization's" "electronic data" cannot be replaced or restored, we will pay the cost to replace the media on which such "electronic data" was stored with blank media of substantially identical type.
2. Does not include:
- The cost to duplicate research that led to the development of the "organization's" "electronic data" or "computer programs";
- Any costs or expenses associated with upgrading, maintaining, repairing, remediating or improving "electronic data" or any "computer program" to a level beyond the condition in which it existed immediately preceding the "cyber incident"; or
- Any costs or expenses associated with upgrading, maintaining, repairing, remediating, replacing or improving any "computer system".
M. "Defense costs" means all reasonable costs, charges, fees (including attorneys' fees and experts' fees) and expenses incurred in investigating, defending, opposing or appealing any "claim" and the premium for appeal, attachment or similar bonds. "Defense costs" shall not include any salaries, wages, fees or benefits of "employees".
N. "Discover" or "discovered" means the time when any "insured" first becomes aware of facts which would cause a reasonable person to assume that a "cyber incident", "cyber extortion event", "information security breach" or "interruption" has occurred, regardless of when the "cyber incident", "cyber extortion event", "information security breach" or "interruption" occurred, even though the exact amount or details of "loss" may not then be known.
O. "Electronic data" means information, facts, images or sounds stored as or on, created or used on, or transmitted to or from computer software (including systems and applications software) on electronic storage devices including, but not limited to, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment. "Electronic data" is not tangible property.
"Electronic data" does not include the "organization's" "electronic data" that is licensed, leased, rented or loaned to others.
P. "Employee" means any natural person whose labor or service is, was or will be engaged and directed by the "organization" and includes part-time, seasonal or temporary workers, interns, volunteers, leased workers and "executives", but only while acting within the scope of their duties as determined by the "organization". "Employee" does not include independent contractors.
Q. "Executive" means any natural person who was, is now or will be a duly elected or appointed director, trustee, officer, member of the Board of Managers or the equivalent position of an "organization".
R. "Extra expenses":
1. Means necessary expenses the "organization" incurs:
- During the "period of restoration" that the "organization" would not have incurred if there had been no "interruption"; or
- To avoid or minimize the "interruption".
2. Does not include:
- Any costs or expenses associated with upgrading, maintaining, repairing, remediating, replacing or improving "electronic data", any "computer program" or any "computer system";
- "Cyber incident or information security breach expenses";
- "Cyber extortion expenses"; or
- "Data restoration expenses".
S. "Information security breach" means any unauthorized access, acquisition, retention or use of:
- "Personal information"; or
- Any confidential corporate or proprietary information of any third party that is not available to the general public and which the "insured" is obligated to maintain in confidence pursuant to a written agreement; while in the care, custody or control of an "insured" or entity that the "organization" engaged under the terms of a written contract to perform services for or on behalf of an "insured".
T. "Insured" means the "organization" and "employees".
U. "Interrelated wrongful acts" means all causally connected "wrongful acts" arising out of the same or substantially the same facts, circumstance or allegations which are the subject of or the basis for any "claim".
V. "Interruption" means an unanticipated cessation or slowdown of the "organization's" business activities.
W. "Liability loss":
1. Means any of the following:
- Compensatory awards or judgments, including prejudgment and post-judgment interest;
- Monetary settlements; or
- Punitive, exemplary and multiple damages where insurable under the applicable law which most favors coverage for such damages.
2. Shall not include:
- Taxes, fines or penalties imposed by law, other than punitive, exemplary or multiple damages that are considered insurable by the applicable law which most favors coverage for such damages;
- Liquidated damages stipulated to in a contract in excess of any amounts the "insured" is liable for in the absence of such contract;
- Any amounts that are uninsurable under the law pursuant to which this Policy shall be construed;
- Restitution, disgorgement, royalties, unjust enrichment or any profits or advantage the "insured" was not legally entitled to;
- The cost to comply with any order or agreement to provide any equitable relief, including injunctive relief; or
- Chargebacks, interchange fees or rates, discount fees, processing fees or any costs to replace any payment cards whose card numbers were or may have been compromised.
X. "Loss" means:
- "Cyber incident or information security breach expenses" under Insuring Agreement A.1. Cyber Incident Or Information Security Breach Expense;
- "Cyber extortion expenses" under Insuring Agreement A.2. Cyber Extortion Events;
- "Data restoration expenses" under Insuring Agreement A.3. Replacement Or Restoration Of Electronic Data;
- "Business income loss" and "extra expenses" under Insuring Agreement A.4. Business Income And Extra Expense;
- "Liability loss" and "defense costs" under Insuring Agreement B.1. Cyber Incident Or Information Security Breach Liability; and
- "Regulatory loss" and "defense costs" under Insuring Agreement B.2. Regulatory Proceeding Liability.
Y. "Named insured" means the individual or entity shown in the Declarations.
Z. "Organization" means the "named insured" and any "subsidiary".
AA. "Organization's computer system" means any "computer system" which collects, transmits, processes, stores or retrieves the "organization's" "electronic data", and is:
- Owned by the "organization";
- Leased by the "organization" and operated by any "insured"; or
- Owned and operated by an "employee" who has agreed in writing to the "organization's" personal device use policy.
BB. "Over redemption or under redemption" means price discounts, prizes, awards or other valuable consideration given in excess of or below the total contracted, expected or posted amount.
CC. "Payment card industry loss":
1. Means any of the following:
- Assessments, including card reissuance costs and fraud recoveries, and contractual fines or penalties that the "organization" is legally obligated to pay under the terms of a "payment card service agreement", if any;
- Compensatory awards or judgments, including prejudgment and post-judgment interest;
- Monetary settlements; or
- Punitive, exemplary and multiple damages where insurable under the applicable law which most favors coverage for such damages.
2. Shall not include:
- Taxes, fines, penalties or assessments imposed by law, other than punitive, exemplary or multiple damages that are considered insurable by the applicable law which most favors coverage for such damages or assessments and contractual fines or penalties that the "organization" is legally obligated to pay under the terms of a "payment card service agreement";
- Any amounts that are uninsurable under the law pursuant to which this Policy shall be construed;
- Restitution, disgorgement, royalties, unjust enrichment or any profits or advantage the "insured" was not legally entitled to; or
- Interchange fees or rates, discount fees, processing fees.
DD. "Payment card service agreement" means a written contract between an "organization" and acquiring bank, payment card processor or payment card brand that establishes the terms and conditions regarding acceptance or processing of payment cards, including rules requiring the merchant to comply with Payment Card Industry Data Security Standards.
EE. "Period of restoration" means the period of time:
- Beginning immediately after the end of the Waiting Period shown in the Declarations; and
- Ending when the "organization's computer system" is or could have been repaired or restored with reasonable speed to the same functionality and level of service that existed prior to the "interruption".
However, in no event will the "period of restoration" exceed 180 days, unless a different Maximum Restoration Period Days is shown in the Declarations.
The expiration date of this Policy will not cut short the "period of restoration".
FF. "Personal information" means any information not available to the general public for any reason through which an individual may be identified including, but not limited to, an individual's:
- Social security number, driver's license number or state identification number;
- Protected health information;
- Financial account numbers;
- Security codes, passwords, PINs associated with credit, debit or charge card numbers which would permit access to financial accounts;
- Biometric data; or
- Any other nonpublic information as defined in "privacy regulations".
GG. "Policy period" means the period of time from the inception date of the Policy shown in the Declarations to the expiration date specified in the Declarations or its earlier cancellation or termination date.
HH. "Pollutants" means any solid, liquid, gaseous or thermal irritant or contaminant, including smoke, vapor, soot, fumes, acids, alkalis, chemicals and waste. Waste includes materials to be recycled, reconditioned or reclaimed.
II. "Privacy regulations" means any of the following statutes and regulations, and their amendments, associated with the control and use of personally identifiable financial, health, biometric or other sensitive information including, but not limited to:
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191);
- The Health Information Technology for Economic and Clinical Health Act (HITECH) (American Recovery and Reinvestment Act of 2009);
- The Gramm-Leach-Bliley Act of 1999;
- Section 5(a) of the Federal Trade Commission Act (15 U.S.C. 45(a)), but solely for alleged unfair or deceptive acts or practices in or affecting commerce;
- The Identity Theft Red Flags Rules under the Fair and Accurate Credit Transactions Act of 2003;
- The European Union General Data Protection Regulation (GDPR);
- Children's Online Privacy Protection Act of 1998 ("COPPA"); or
- Any other similar state, federal or foreign identity theft or privacy protection statute or regulation.
JJ. "Regulatory loss":
1. Means any of the following:
- The sum of money which an "organization" is legally obligated to deposit in a fund as equitable relief for the payment of consumer claims due to a settlement or an adverse judgment resulting from a "claim"; or
- Fines or penalties assessed against an "organization" by a governmental or regulatory agency where insurable under the applicable law which most favors coverage for such fines or penalties.
2. Shall not include:
- Any amounts that are uninsurable under the law pursuant to which this Policy shall be construed;
- Restitution, disgorgement, royalties, unjust enrichment or any profits or advantage an "insured" was not legally entitled to; or
- Chargebacks, interchange fees or rates, discount fees, processing fees or any costs to replace any payment cards whose card numbers were or may have been compromised.
KK. "Subsidiary" means any entity in which:
- More than 50% of the outstanding securities or voting rights representing the present right to vote for the election of directors or an equivalent position is owned, in any combination, by the "organization"; or
- The "organization" has the right, pursuant to a written contract or the bylaws, charter, operating agreement or similar documents of an entity, including a limited liability company or joint venture, to elect, appoint or designate a majority of the board of directors or equivalent executives of such entity.
LL. "Suit" means a civil proceeding in which damages to which this Policy applies are claimed against the "insured". "Suit" includes:
- An arbitration proceeding in which such damages are claimed and to which the "insured" submits with our consent; or
- Any other alternative dispute resolution proceeding in which such damages are claimed and to which the "insured" submits with our consent.
"Suit" does not include a civil proceeding seeking recognition and/or enforcement of a foreign money judgment.
MM. "Third party computer system" means any "computer system" which collects, transmits, processes, stores or retrieves the "organization's" "electronic data" and that is operated by any entity, including any cloud service provider, that the "organization" engages under the terms of a written contract to perform services for the "insured" or on the "insured's" behalf, but only with respect to the "organization's" "electronic data".
NN. "Wrongful act" means:
1. With respect to Insuring Agreement B.1. Cyber Incident Or Information Security Breach Liability and Insuring Agreement B.2. Regulatory Proceeding Liability:
Any actual or alleged neglect, breach of duty, act, error or omission by an "insured" that results in or is based upon:
- A "cyber incident";
- An "information security breach";
- A "privacy regulation" violation; or
- The "organization's computer system" or a "third party computer system" transmitting, by e-mail or other means, malicious code, virus or any other harmful code to another person's or entity's "computer system".
2. With respect to Insuring Agreement B.3. Payment Card Industry Liability:
Any actual or alleged noncompliance with Payment Card Industry Data Security Standards.
3. With respect to Insuring Agreement B.4. Media Liability:
Any actual or alleged error, misstatement or misleading statement arising out of the gathering, recording, collecting, writing, editing, publishing, exhibiting, broadcasting or releasing of "content" that results in:
a. Any type of defamation, disparagement or harm to the character, reputation or feelings of a person or entity, including libel, slander, product disparagement or trade libel;
b. Any type of negligent or intentional infliction of emotional distress, outrage or outrageous conduct;
c. Any actual or alleged negligent act, error or omission, misstatement or misleading statement committed by, or on behalf of, the "organization";
d. Any type of invasion, infringement or interference with the right of privacy or publicity, including:
(1) Eavesdropping;
(2) False light;
(3) Public disclosure of private facts;
(4) Misappropriation of name or likeness; or
(5) Trespassing or wrongful entering;
e. False arrest, detention or imprisonment, abuse of process or malicious prosecution;
f. Any type of infringement of copyright, plagiarism or misappropriation of ideas or information; or
g. Any type of infringement or dilution of title, slogan, trademark, trade name, trade dress, service mark or service name.
Analysis:
Definitions With No Change
The following definitions are consistent with how the terms are defined in the existing forms, except that the term business income loss has been renamed:
Application
Computer Program
Content (this definition was found in the Media and Information Security Protection Cyber Policy, but is now incorporated into this Information Security Protection Cyber Policy form)
Electronic Data
Interrelated Wrongful Acts
Pollutants
Suit
Revised Definitions:
The following terms are revised from their current definition, largely to correspond to changes in the policy form:
Claim – This definition has been revised to more closely relate to the coverages being provided, with the addition of a written demand for mediation and a demand for arbitration. In addition, the definition has been expanded to include a paragraph for the Payment Card Industry Liability Insuring Agreement. Such claims must be brought by a card company, issuing bank, payment card processors or an acquiring financial institution.
Computer system – This definition has been revised to remove PDAs, as that term is no longer applicable in the new forms, but it still includes transportable or handheld devices. In addition, since organization's computer system and third party computer system are both newly defined terms, the paragraph in the definition that described the ownership and operation of the computer system has been removed from this definition. The definition still includes electronic storage devices and related peripheral components; any systems and applications software; or any related telecommunications networks connected to or used in connection with such computer or devices.
Cyber extortion event – The portion of the definition for extortion expenses which provided for security firm costs or the costs of a person or organization hired to determine the validity and severity of an extortion threat is no longer included in the definition. This is because the definition of cyber incident and information security breach expenses includes this type of loss resulting from a cyber incident.
Cyber incident – This definition has been updated to include unauthorized access to or use of the organization's computer system and malicious code, virus or any other harmful code designed to also exploit the organization's computer system or otherwise disrupt its normal functioning or operation. Also, the term hacker attack has been removed.
Cyber incident or information security breach expenses – This definition replaces the definition of security breach expense, as that definition did not apply to cyber incidents. The new definition includes the costs to establish whether a cyber incident has occurred or is occurring, investigative costs in relation to the cause, scope and extent of a cyber incident, costs to identify any affected parties, and costs to determine any remedial actions, including, but not limited to, legal fees or fees paid for professional advice on how to respond to the cyber incident, as well as public relations expenses. All of these costs are in connection with the cyber incident.
Defense costs – This definition replaces the definition for defense expenses, and is consistent with that definition, except that the term defense costs also includes expenses incurred in investigating or opposing any claim.
Discover or discovered – This definition has been revised to remove its application to claims, but otherwise is unchanged.
Employee – The updated definition now includes temporary workers, interns, and executives, but does not include independent contractors.
Executive – The positions that are included in this definition were previously included within the definition of employee. Executive means any natural person who is, was, or will be a duly elected or appointed director, trustee, officer, member of the Board of Managers, or equivalent position of an organization.
Extra expenses – The revised definition makes it clear that extra expenses do not include any cyber incident or information security breach expenses, or any data restoration expenses. Otherwise, the definition is unchanged.
Information security breach – This updated definition replaces the definition of security breach in the existing forms, which only applied to the acquisition of personal information. The revised definition is much broader and includes any unauthorized access, acquisition, retention or use of personal information, or any confidential corporate or proprietary information of any third party, that is not available to the general public and which the insured has a legal obligation to maintain in confidence. So, for example, if a vendor accesses employee information from the organization's computer system and uses that information to contact the employees directly to try to sell them products or services, that unauthorized access would be an information security breach.
Insured – In the new forms there are definitions for named insured, employee, and organization. Insured now means the named insured (an organization), its subsidiaries and employees.
Interruption – In the revised definition reference to e-commerce has been removed because the definition of cyber incident includes the introduction of malicious code into a computer system, which includes ransomware. The definition is enhanced to mean an unanticipated cessation or slowdown of the organization's business activities. In this manner, the definition is broadened by not limiting the interruption to e-commerce activities alone. Also, the reference to time element is removed from this definition as it is now addressed in the definition of period of restoration, which makes more sense to have it there.
Loss – The revised definition spells out what the term means under each of the insuring agreements, rather than referring back to the agreements section. Loss means cyber incident or information security breach expenses, cyber extortion expenses, data restoration expenses, business income loss, extra expenses, liability loss, regulatory loss, payment card industry loss and defense costs, as they apply to each coverage.
Named insured – This updated definition removes subsidiary, as that is now included in the definition of Insured. The definition now means the individual or entity shown in the Declarations.
Period of restoration – means the period of time beginning immediately after the end of the Waiting Period shown in the Declarations and ending when the organization's computer system is or could have been repaired or restored with reasonable speed to the same functionality and level of service that existed prior to the interruption. The period of restoration is 180 days (which can be amended). In the previous definition of Interruption, the period was limited to 90 days.
Personal information – The revised definition adds biometric data to the list, but is otherwise unchanged.
Privacy regulations – This definition is new, but was described in the definition of loss. The newly revised definition applies to the Regulatory Proceeding Liability coverage, and is enhanced to include the sum of money an organization is required to deposit in an equitable relief fund for paying customer claims in connection with a settlement or adverse judgment resulting from a claim.
Subsidiary – This definition is broadened to include not just entities in which the organization holds more than 50% of the voting rights, but now also any entity in which the organization has the written right to elect, appoint or designate a majority of the board of directors or equivalent executives of such an entity.
Wrongful act – Instead of having only one definition limited to a security breach or a computer system transmitting, by e-mail or other means, a virus to another person or organization, wrongful act is now defined differently, depending on its applicable insuring agreement.
For the Cyber Incident Or Information Security Breach Liability and the Regulatory Proceeding Liability insuring agreements, wrongful act means any actual or alleged neglect, breach of duty, act, error or omission by an insured that results in or is based upon a cyber incident, an information security breach, a privacy regulation violation, or the organization's computer system or a third party computer system transmitting, by e-mail or other means, malicious code, virus or any other harmful code to another person or entity's computer system.
Under the Payment Card Industry Liability Insuring Agreement, wrongful act means any actual or alleged noncompliance with Payment Card Industry Data Security Standards.
Under the Media Liability Insuring Agreement, wrongful act is consistent with the definition found in the Media Liability ISP policy.
New Definitions:
This analysis is for the new definitions being added.
Card company – While a similar definition appeared in form CY 20 12, that form is being withdrawn since Payment Card Industry coverage is being provided in the new form. Card company means any credit card company that requires its merchants to adhere to the Payment Card Industry Data Standards.
Data restoration expenses – This new definition separates out the data restoration expense part of the loss to stand on its own. The definition includes the cost to replace or restore the organization's electronic data or computer programs stored within its computer system to the condition that existed before the cyber incident. It also includes the cost of data entry, reprogramming and computer consultation services in connection with the cyber incident. So, for example, if a cyber incident destroys certain computer data and it cannot be accessed without manual re-entry of the data and reprogramming that data into the system, these expenses will be part of the data restoration expenses.
Liability loss – Under the forms being withdrawn, the definition of liability loss was part of the definition of loss. Liability loss is applicable to loss paid under the Cyber Incident And Information Security Breach and the Media Liability Insuring Agreements. It is defined to mean compensatory awards or judgments, or punitive, exemplary and multiple damages where insurable by the law most favoring such damages. Liability loss does not include any costs to comply with orders or agreements to provide equitable relief, including injunctive relief or chargebacks, interchange fees or rates, discount fees, processing fees, or costs to replace any payment cards whose numbers were or may have been compromised. In application, assume a cyber incident has breached computer systems of an organization in several states, compromising the personal information of millions of the organization's customers across these states. The plaintiffs' attorney may select among the affected states and request damages be awarded based on the laws of the state that will provide the most favorable outcome to the affected customers in the class action suit.
Organization – This new definition means the named insured and any subsidiary.
Organization's computer system – This term was included within the definition of computer system, but now has its own definition. Organization's computer system means any computer system which collects, transmits, processes, stores or retrieves the organization's electronic data; and is owned or leased by the organization and operated by any insured; or owned and operated by an employee who has agreed in writing to the organization's personal device use policy. This broadens the definition to include those insured organizations who permit employees to use their personal devices, as long as they are aware of the organization's policies regarding such use and acknowledge this in writing.
Over redemption or under redemption – The term over redemption is defined in the existing forms, but the new definition now includes under redemption. Over redemption or under redemption means price discounts, prizes, awards or other valuable consideration that either exceeds or is below the amount that has been contracted for, or is expected or posted.
Payment card industry loss – This new definition applies only to the Payment Card Industry Liability Insuring Agreement. The definition includes the same types of loss that are included within the definition of liability loss, but unlike liability loss, payment card industry loss does not exclude chargebacks or costs to replace payment cards whose numbers were or may have been compromised. Payment card industry loss includes loss specific to credit cards, including payments of assessments, card reissuance costs, fraud recoveries, and contractual fines or penalties the organization must legally pay under the terms of a payment card service agreement, if any.
Payment card service agreement – This definition also applies to the payment card industry and its data security standards. Payment card service agreement means a written contract between an organization and an acquiring bank, payment card processor or payment card brand that establishes the terms and conditions regarding acceptance or processing of payment cards, including the rules requiring the merchant to comply with Payment Card Industry Data Security Standards.
Regulatory loss – This definition applies only to the Regulatory Proceeding Liability coverage. The type of loss described was in the Security Breach Liability Insuring Agreement of the forms being replaced; however, this new definition is enhanced to include the sum of money an organization is legally required to deposit in an equitable relief fund for the payment of consumer claims due to a settlement or adverse judgment resulting from a claim.
Third party computer system – While a similar description was included in the definition of computer system in the forms being replaced, this is a new definition that specifically defines a third party computer system. It means any computer system which collects, transmits, processes, stores or retrieves the organization's electronic data. It can be any entity or cloud service provider that the organization contracts with in writing to perform services by or on behalf of the insured, but only with respect to the organization's electronic data. Examples of such entities might be Google, Apple, or Microsoft.
Deletion of Defined Terms:
To conform with changes in the new forms, the following definitions are no longer needed and thus have been removed:
E-commerce activities – this definition has been replaced by the undefined and broader term: business activity.
Hacker – this term is no longer used in defining a cyber incident.
Informant – this term is now included in the definition of cyber extortion expenses.
Negative publicity – this term is now included in the definition of cyber incident and information security breach expenses.
Public relations expenses – this term is also now included in the definition of cyber incident and information security breach expenses.
Ransomware – while this term has been removed, the definition of cyber incident includes malicious code, virus or any other harmful code, which includes ransomware.
Regulatory proceeding – this term is now included in the definition of a claim.
Virus – this term has been removed as a stand-alone definition.
Includes copyrighted material of Insurance Services Office, Inc., with its permission.