Press Alt + R to read the document text or Alt + P to download or print.

No preview available

The URL can be used to link to this page

Home My WebLink AboutC20-293 Rule4AGREEMENT FOR SERVICES BETWEEN EAGLE COUNTY, COLORADO AND Rule4, Inc. THIS AGREEMENT (“Agreement”) is effective as of ______________, by and between Rule4, Inc., a Colorado corporation (hereinafter “Contractor” or “Consultant”) and Eagle County, Colorado, a body corporate and politic (hereinafter “County”). RECITALS WHEREAS, the County require cybersecurity services inclusive of firewall rule review and application penetration testing, in addition to occasional services on a time and materials basis (the “Project”) at the county building located at 500 Broadway, Eagle, Colorado (the “Property”) and via remote means as appropriate and reasonable by way of technology; and WHEREAS, Contractor is authorized to do business in the State of Colorado and has the time, skill, expertise, and experience necessary to provide the Services as defined below in paragraph 1 hereof; and WHEREAS, this Agreement shall govern the relationship between Contractor and County in connection with the Services. AGREEMENT NOW, THEREFORE, in consideration of the foregoing and the following promises Contractor and County agree as follows: 1.Services or Work. Contractor agrees to diligently provide all services, labor, personnel and materials necessary to perform and complete the services or work described in Exhibit A (“Services” or “Work”) which is attached hereto and incorporated herein by reference. Phase III on-call Services shall be performed at the rates set forth in Exhibit A and in accordance with a formal estimate for each on-call service to be provided by Contractor and approved by County in writing prior to commencement of any such Work. The Services shall be performed in accordance with the provisions and conditions of this Agreement. a.Contractor agrees to furnish the Services in a timely and expeditious manner consistent with the applicable standard of care. By signing below Contractor represents that it has the expertise and personnel necessary to properly and timely perform the Services. b.In the event of any conflict or inconsistency between the terms and conditions set forth in Exhibit A and the terms and conditions set forth in this Agreement, the terms and conditions set forth in this Agreement shall prevail. 2.County’s Representative. The IT Department’s designee shall be Contractor’s contact with respect to this Agreement and performance of the Services. 3.Term of the Agreement. This Agreement shall commence upon the date first written above, and subject to the provisions of paragraph 11 hereof, shall continue in full force and effect through the 31th day of December, 2021. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD 8/6/2020 C20-293 2 Eagle County Professional Services IT Final 5/14 4. Extension or Modification. This Agreement may be extended for up to three additional one year terms upon written agreement of the parties. Any amendments or modifications shall be in writing signed by both parties. No additional services or work performed by Contractor shall be the basis for additional compensation unless and until Contractor has obtained written authorization and acknowledgement by County for such additional services in accordance with County’s internal policies. Accordingly, no course of conduct or dealings between the parties, nor verbal change orders, express or implied acceptance of alterations or additions to the Services, and no claim that County has been unjustly enriched by any additional services, whether or not there is in fact any such unjust enrichment, shall be the basis of any increase in the compensation payable hereunder. In the event that written authorization and acknowledgment by County for such additional services is not timely executed and issued in strict accordance with this Agreement, Contractor’s rights with respect to such additional services shall be deemed waived and such failure shall result in non-payment for such additional services or work performed. 5. Compensation. County shall compensate Contractor for the performance of the Services in a sum computed and payable as set forth in Exhibit A. Prior to commencement of any of the Phase III Services set forth in Exhibit A, Contractor shall first provide County with a written estimate which shall include an estimate of the labor, materials without any mark up and any additional costs necessary to perform the Services. Each estimate must be approved by County’s Representative prior to commencement of the Services by Contractor and all rates shall be in accordance with the fee schedule for Phase III Services set forth in Exhibit A. The performance of the Services under this Agreement shall not exceed $20,000. Contractor shall not be entitled to bill at overtime and/or double time rates for work done outside of normal business hours unless specifically authorized in writing by County. a. Payment will be made for Services satisfactorily performed within thirty (30) days of receipt of a proper and accurate invoice from Contractor. All invoices shall include detail regarding the hours spent, tasks performed, who performed each task and such other detail as County may request. b. If, at any time during the term or after termination or expiration of this Agreement, County reasonably determines that any payment made by County to Contractor was improper because the Services for which payment was made were not performed as set forth in this Agreement, then upon written notice of such determination and request for reimbursement from County, Contractor shall forthwith return such payment(s) to County. Upon termination or expiration of this Agreement, unexpended funds advanced by County, if any, shall forthwith be returned to County. c. County will not withhold any taxes from monies paid to the Contractor hereunder and Contractor agrees to be solely responsible for the accurate reporting and payment of any taxes related to payments made pursuant to the terms of this Agreement. d. Notwithstanding anything to the contrary contained in this Agreement, County shall have no obligations under this Agreement after, nor shall any payments be made to Contractor in respect of any period after December 31 of any year, without an appropriation therefor by County in accordance with a budget adopted by the Board of County Commissioners in compliance with Article 25, title 30 of the Colorado Revised Statutes, the Local Government Budget Law (C.R.S. 29-1-101 et. seq.) and the TABOR Amendment (Colorado Constitution, Article X, Sec. 20). e. Rates for supplementary hourly work are subject to change with 30 days’ advance written notice to County. The rate for the fixed cost phase is modifiable subject to a mutually agreed upon written change order detailing the factors necessitating the change. 6. Subcontractors. Contractor acknowledges that County has entered into this Agreement in reliance upon the particular reputation and expertise of Contractor. Contractor shall not enter into any subcontractor agreements for the performance of any of the Services or additional services without County’s prior written consent, which may be DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD 3 Eagle County Professional Services IT Final 5/14 withheld in County’s sole discretion. County shall have the right in its reasonable discretion to approve all personnel assigned to the subject Project during the performance of this Agreement and no personnel to whom County has an objection, in its reasonable discretion, shall be assigned to the Project. Contractor shall require each subcontractor, as approved by County and to the extent of the Services to be performed by the subcontractor, to be bound to Contractor by the terms of this Agreement, and to assume toward Contractor all the obligations and responsibilities which Contractor, by this Agreement, assumes toward County. County shall have the right (but not the obligation) to enforce the provisions of this Agreement against any subcontractor hired by Contractor and Contractor shall cooperate in such process. The Contractor shall be responsible for the acts and omissions of its agents, employees and subcontractors. 7. Insurance. Contractor agrees to provide and maintain at Contractor’s sole cost and expense, the following insurance coverage with limits of liability not less than those stated below: a. Types of Insurance. i. Workers’ Compensation insurance as required by law. ii. Auto coverage with limits of liability not less than $1,000,000 each accident combined bodily injury and property damage liability insurance, including coverage for owned, hired, and non-owned vehicles. iii. Commercial General Liability coverage to include premises and operations, personal/advertising injury, products/completed operations, broad form property damage with limits of liability not less than $1,000,000 per occurrence and $1,000,000 aggregate limits. iv. Professional Liability (Errors and Omissions) including Cyber Liability with prior acts coverage for all deliverables, Services and additional services required hereunder, in a form and with insurer or insurers satisfactory to County, with limits of liability of not less than $2,000,000 per claim and $2,000,000 in the aggregate. The insurance shall provide coverage for (i) liability arising from theft, dissemination and/or use of confidential information stored or transmitted in electronic form; (ii) Network Security Liability arising from unauthorized access to, use of or tampering with computer systems including hacker attacks, inability of an authorized third party to gain access to your Software or Services including denial of access or Services unless caused by a mechanical or electrical failure; (iii) liability arising from the introduction of a computer virus into, or otherwise causing damage to, County or a third person’s computer, computer system, network or similar computer related property and the data, software and programs thereon. v. Crime Coverage shall include employee dishonesty, forgery or alteration and computer fraud. If Consultant is physically located on County premises, third party fidelity coverage extension shall apply. The policy shall include coverage for all directors, officers and employees of the Consultant. The bond or policy shall include coverage for extended theft and mysterious disappearance. The bond or policy shall not contain a condition requiring an arrest or conversion. Limits shall be a minimum of $1,000,000 per loss. b. Other Requirements. i. The automobile and commercial general liability coverage shall be endorsed to include Eagle County, its associated or affiliated entities, its successors and assigns, elected officials, employees, agents and volunteers as additional insureds. A certificate of insurance consistent with the foregoing requirements is attached hereto as Exhibit B. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD 4 Eagle County Professional Services IT Final 5/14 ii. Contractor’s certificates of insurance shall include subcontractors, if any as additional insureds under its policies or Contractor shall furnish to County separate certificates and endorsements for each subcontractor. iii. The insurance provisions of this Agreement shall survive expiration or termination hereof. iv. The parties hereto understand and agree that the County is relying on, and does not waive or intend to waive by any provision of this Agreement, the monetary limitations or rights, immunities and protections provided by the Colorado Governmental Immunity Act, as from time to time amended, or otherwise available to County, its affiliated entities, successors or assigns, its elected officials, employees, agents and volunteers. v. Contractor is not entitled to workers’ compensation benefits except as provided by the Contractor, nor to unemployment insurance benefits unless unemployment compensation coverage is provided by Contractor or some other entity. The Contractor is obligated to pay all federal and state income tax on any moneys paid pursuant to this Agreement. 8. Indemnification. The Contractor shall indemnify and hold harmless County, and any of its officers, agents and employees against any losses, claims, damages or liabilities for which County may become subject to insofar as any such losses, claims, damages or liabilities arise out of, directly or indirectly, this Agreement, or are based upon any performance or nonperformance by Contractor or any of its subcontractors hereunder; and Contractor shall reimburse County for reasonable attorney fees and costs, legal and other expenses incurred by County in connection with investigating or defending any such loss, claim, damage, liability or action. This indemnification shall not apply to claims by third parties against the County to the extent that County is liable to such third party for such claims without regard to the involvement of the Contractor. This paragraph shall survive expiration or termination hereof. 9. Ownership of Documents. All documents (including electronic files) and materials obtained during, purchased or prepared in the performance of the Services shall remain the property of the County and are to be delivered to County before final payment is made to Contractor or upon earlier termination of this Agreement. 10. Notice. Any notice required by this Agreement shall be deemed properly delivered when (i) personally delivered, or (ii) when mailed in the United States mail, first class postage prepaid, or (iii) when delivered by FedEx or other comparable courier service, charges prepaid, to the parties at their respective addresses listed below, or (iv) when sent via facsimile so long as the sending party can provide facsimile machine or other confirmation showing the date, time and receiving facsimile number for the transmission, or (v) when transmitted via e-mail with confirmation of receipt. Either party may change its address for purposes of this paragraph by giving five (5) days prior written notice of such change to the other party. COUNTY: Eagle County, Colorado Attention: Jake Klearman 500 Broadway Post Office Box 850 Eagle, CO 81631 Telephone: 970-328-3595 E-Mail: jake.klearman@eaglecounty.us DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD 5 Eagle County Professional Services IT Final 5/14 With a copy to: Eagle County Attorney 500 Broadway Post Office Box 850 Eagle, Co 81631 Telephone: 970-328-8685 Facsimile: 970-328-8699 E-Mail: atty@eaglecounty.us CONTRACTOR: Paul Nelson 3002 Bluff St., Suite 100 Boulder, CO, 80301 720.580.5635 paul@rule4.com 11. Termination. County may terminate this Agreement, in whole or in part, at any time and for any reason, with or without cause, and without penalty therefor with seven (7) calendar days’ prior written notice to the Contractor. Upon termination of this Agreement, Contractor shall immediately provide County with all documents as defined in paragraph 9 hereof, in such format as County shall direct and shall return all County owned materials and documents. County shall pay Contractor for Services satisfactorily performed to the date of termination. 12. Venue, Jurisdiction and Applicable Law. Any and all claims, disputes or controversies related to this Agreement, or breach thereof, shall be litigated in the District Court for Eagle County, Colorado, which shall be the sole and exclusive forum for such litigation. This Agreement shall be construed and interpreted under and shall be governed by the laws of the State of Colorado. 13. Execution by Counterparts; Electronic Signatures. This Agreement may be executed in two or more counterparts, each of which shall be deemed an original, but all of which shall constitute one and the same instrument. The parties approve the use of electronic signatures for execution of this Agreement. Only the following two forms of electronic signatures shall be permitted to bind the parties to this Agreement: (i) Electronic or facsimile delivery of a fully executed copy of the signature page; (ii) the image of the signature of an authorized signer inserted onto PDF format documents. All documents must be properly notarized, if applicable. All use of electronic signatures shall be governed by the Uniform Electronic Transactions Act, C.R.S. 24-71.3-101 to 121. 14. Other Contract Requirements and Contractor Representations. a. Contractor has familiarized itself with the nature and extent of the Services to be provided hereunder and the Property, and with all local conditions, federal, state and local laws, ordinances, rules and regulations that in any manner affect cost, progress, or performance of the Services. b. Contractor will make, or cause to be made, examinations, investigations, and tests as he deems necessary for the performance of the Services. c. To the extent possible, Contractor has correlated the results of such observations, examinations, investigations, tests, reports, and data with the terms and conditions of this Agreement. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD 6 Eagle County Professional Services IT Final 5/14 d. To the extent possible, Contractor has given County written notice of all conflicts, errors, or discrepancies. e. Contractor shall be responsible for the completeness and accuracy of the Services and shall correct, at its sole expense, all significant errors and omissions in performance of the Services. The fact that the County has accepted or approved the Services shall not relieve Contractor of any of its responsibilities. Contractor shall perform the Services in a skillful, professional and competent manner and in accordance with the standard of care, skill and diligence applicable to contractors performing similar services. Contractor represents and warrants that it has the expertise and personnel necessary to properly perform the Services and shall comply with the highest standards of customer service to the public. Contractor shall provide appropriate supervision to its employees to ensure the Services are performed in accordance with this Agreement. This paragraph shall survive termination of this Agreement. f. Contractor agrees to work in an expeditious manner, within the sound exercise of its judgment and professional standards, in the performance of this Agreement. Time is of the essence with respect to this Agreement. g. This Agreement constitutes an agreement for performance of the Services by Contractor as an independent contractor and not as an employee of County. Nothing contained in this Agreement shall be deemed to create a relationship of employer-employee, master-servant, partnership, joint venture or any other relationship between County and Contractor except that of independent contractor. Contractor shall have no authority to bind County. h. Contractor represents and warrants that at all times in the performance of the Services, Contractor shall comply with any and all applicable laws, codes, rules and regulations. i. This Agreement contains the entire agreement between the parties with respect to the subject matter hereof and supersedes all other agreements or understanding between the parties with respect thereto. j. Contractor shall not assign any portion of this Agreement without the prior written consent of the County. Any attempt to assign this Agreement without such consent shall be void. k. This Agreement shall be binding upon and shall inure to the benefit of the parties hereto and their respective permitted assigns and successors in interest. Enforcement of this Agreement and all rights and obligations hereunder are reserved solely for the parties, and not to any third party. l. No failure or delay by either party in the exercise of any right hereunder shall constitute a waiver thereof. No waiver of any breach shall be deemed a waiver of any preceding or succeeding breach. m. The invalidity, illegality or unenforceability of any provision of this Agreement shall not affect the validity or enforceability of any other provision hereof. n. The signatories to this Agreement aver to their knowledge no employee of the County has any personal or beneficial interest whatsoever in the Services or Property described in this Agreement. The Contractor has no beneficial interest, direct or indirect, that would conflict in any manner or degree with the performance of the Services and Contractor shall not employ any person having such known interests. o. The Contractor, if a natural person eighteen (18) years of age or older, hereby swears and affirms under penalty of perjury that he or she (i) is a citizen or otherwise lawfully present in the United States pursuant to DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD 7 Eagle County Professional Services IT Final 5/14 federal law, (ii) to the extent applicable shall comply with C.R.S. 24-76.5-103 prior to the effective date of this Agreement. IN WITNESS WHEREOF, the parties have executed this Agreement the day and year first set forth above. COUNTY OF EAGLE, STATE OF COLORADO, By and Through Its COUNTY MANAGER By: ______________________________ Jeff Shroll, County Manager CONTRACTOR: By:________________________________ Print Name: _________________________ Title: ______________________________ DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD Co-CEO Trent Hein 8 Eagle County Professional Services IT Final 5/14 EXHIBIT A SCOPE OF SERVICES, SCHEDULE, FEES Phase I - Online Housing Application Penetration Testing Rule4 will work with the Eagle County team to perform a thorough penetration test of the Public Housing Online Housing Applications web application. These efforts will include the following tasks: Perform manual, targeted web application penetration testing of the application, following the OWASP Testing Guide, Version 4, and including but not limited to: ● Information gathering ● Configuration and deployment management ● Identity management ● Authentication and authorization ● Session management ● Input validation ● Error handling ● Weak cryptography ● Business logic ● Client-side testing The scope of testing will include access points starting from the following URLs: ● https://application.valleyhomestore.org ● https://authentication.valleyhomestore.org ● https://application.valleyhomestore.org/screening/7011K000001pzxr One round of retesting of remediated findings within 30 days is included and will result in an updated report indicating remediation has occurred, if appropriate. All testing will be performed with the utmost concern for avoiding impact to availability of Eagle County’s systems. Deliverable. The results will be provided in a detailed, written technical report that describes the testing approach, the results, and recommendations based on those results. Phase II – Firewall Rule Review Perform a firewall rule review (estimated at 8-12 hours), which includes: ● Review current rules (12 zones, 153 rules) ● Summarize rules and assign a risk rating (spreadsheet deliverable) ● Provide a summary document containing recommended general changes in practice and approach Phase III – Technical Services Provide operational guidance and hands-on support for the Eagle County team as requested in Rule4 service areas including thought leadership and strategic guidance related to information technology needs. This may relate to remediation or mitigation from Phases I or II or address new needs. Rule4 will obtain Eagle County’s approval for projects or tasks under Phase III — and the associated hours and cost — in writing, prior to undertaking the work in accordance with Section 1 of the Agreement. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD 9 Eagle County Professional Services IT Final 5/14 Fees Phase I. Online Housing Application Penetration Testing Discounted Fixed Cost $8,640.00 Phase II. Firewall Rule Review Discounted Hourly Rates for Eagle County Phase III Discounted Hourly Rates Apply Estimated Hours: 12 Estimated Cost: $2,580.00 Phase III. Technical Services Discounted Hourly Rates Principal Engineer: $215.00 Senior Engineer: $195.00 Engineer: $160.00 QA: $120.00 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD 10 Eagle County Professional Services IT Final 5/14 EXHIBIT B INSURANCE CERTIFICATE DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN ACCORDANCE WITH THE POLICY PROVISIONS. INSURER(S) AFFORDING COVERAGE INSURER F : INSURER E : INSURER D : INSURER C : INSURER B : INSURER A : NAIC # NAME:CONTACT (A/C, No):FAX E-MAILADDRESS: PRODUCER (A/C, No, Ext):PHONE INSURED REVISION NUMBER:CERTIFICATE NUMBER:COVERAGES IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must have ADDITIONAL INSURED provisions or be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s). THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER. OTHER: (Per accident) (Ea accident) $ $ N / A SUBR WVD ADDL INSD THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS. $ $ $ $PROPERTY DAMAGE BODILY INJURY (Per accident) BODILY INJURY (Per person) COMBINED SINGLE LIMIT AUTOS ONLY AUTOSAUTOS ONLY NON-OWNED SCHEDULEDOWNED ANY AUTO AUTOMOBILE LIABILITY Y / N WORKERS COMPENSATION AND EMPLOYERS' LIABILITY OFFICER/MEMBER EXCLUDED? (Mandatory in NH) DESCRIPTION OF OPERATIONS below If yes, describe under ANY PROPRIETOR/PARTNER/EXECUTIVE $ $ $ E.L. DISEASE - POLICY LIMIT E.L. DISEASE - EA EMPLOYEE E.L. EACH ACCIDENT EROTH-STATUTEPER LIMITS(MM/DD/YYYY)POLICY EXP(MM/DD/YYYY)POLICY EFFPOLICY NUMBERTYPE OF INSURANCELTRINSR DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, Additional Remarks Schedule, may be attached if more space is required) EXCESS LIAB UMBRELLA LIAB $EACH OCCURRENCE $AGGREGATE $ OCCUR CLAIMS-MADE DED RETENTION $ $PRODUCTS - COMP/OP AGG $GENERAL AGGREGATE $PERSONAL & ADV INJURY $MED EXP (Any one person) $EACH OCCURRENCE DAMAGE TO RENTED $PREMISES (Ea occurrence) COMMERCIAL GENERAL LIABILITY CLAIMS-MADE OCCUR GEN'L AGGREGATE LIMIT APPLIES PER: POLICY PRO-JECT LOC CERTIFICATE OF LIABILITY INSURANCE DATE (MM/DD/YYYY) CANCELLATION AUTHORIZED REPRESENTATIVE ACORD 25 (2016/03) © 1988-2015 ACORD CORPORATION. All rights reserved. CERTIFICATE HOLDER The ACORD name and logo are registered marks of ACORD HIRED AUTOS ONLY 07/21/2020 Hiscox Inc. 520 Madison Avenue 32nd Floor New York, NY 10022 (888) 202-3007 contact@hiscox.com Hiscox Insurance Company Inc 10200 Rule4, Inc. 3002 Bluff St Suite 100 Boulder, CO 80301 X X X CGL is on BOP Form A X N UDC-2389538-BOP-19 10/18/2019 10/18/2020 2,000,000 100,000 5,000 S/T Each Occ. 4,000,000 S/T Gen. Agg. A X X UDC-2389538-BOP-19 10/18/2019 10/18/2020 Eagle County Government 500 Broadway / PO Box 850 Eagle CO 81631 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD T e c hnolo gy & Cyber Insu ranc e Po licy AB-TEO-POL-COV 12/2019 © 2019 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD Technology & Cyber Insurance Policy Declarations Insurance coverage underwritten by HSB Specialty Insurance Company | One State Street | Hartford, CT 06102-5024 This contract is delivered as a surplus line coverage under the ‘Nonadmitted Insurance Act’. The insurer issuing this contract is not licensed in Colorado but is an eligible nonadmitted insurer. There is no protection under the provisions of the ‘Colorado Insurance Guaranty Association Act’. This Technology & Cyber Insurance Policy is issued and delivered as surplus lines coverage pursuant to applicable surplus lines statutes. The surplus lines broker responsible for placement of this coverage is responsible for compliance with applicable surplus lines laws and regulations including completion of any declarations/affidavits and payment of any taxes. This Policy contains one or more Insuring Agreements, some of which provide liability for Claims first made against any Insured during the Policy Period, or any applicable Extended Reporting Period, and reported to us pursuant to the terms of this Policy. Claim Expenses shall reduce the applicable Aggregate Limit of Insurance and Sub-Limits of Insurance and are subject to the applicable Retentions. Please read the entire Policy carefully. Policy Number: Policy Issue Date: Home State: 6603772-01 01/17/2020 CO This Declaration is attached to and forms part of the Policy. ITEM 1: Named Insured: DBA: Rule4, Inc. Not Applicable 3002 Bluff Street Boulder, CO 80301 ITEM 2: Policy Period: Effective Date: Expiration Date: 01/18/2020at 12:01 AM local time of the Named Insured 01/18/2021at 12:01 AM local time of the Named Insured ITEM 3: Policy Premium:$3,250.00 ITEM 4: Aggregate Limit of Insurance:$3,000,000. ITEM 5: Notice of Claim or Cyber Event:1-888-338-9522 claims@at-bay.com At-Bay Insurance Services, LLC 196 Castro Street, Suite A Mountain View, CA 94041 AB-TEO-000 12/2019 ©2019 Page 1 of 5 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD ITEM 6: Insuring Agreements, Sub-Limits of Insurance, and Retentions included: TECHNOLOGY INSURANCE Insuring Agreements:Inclusion:Sub-Limits of Insurance:Retentions: T. Technology T.1. Technology Liability Included $3,000,000.$5,000. If any Inclusion field for an Insuring Agreement is displayed as “Not Included”, there is no coverage for such Insuring Agreement. CYBER INSURANCE Insuring Agreements:Inclusion:Sub-Limits of Insurance:Retentions: A. Information Privacy A.1. Information Privacy Liability Included $3,000,000.$5,000. A.2. Regulatory Liability Included $3,000,000.$5,000. A.3. Event Response and Management Included $3,000,000.$5,000. A.4. PCI-DSS Liability Included $3,000,000.$5,000. B. Network Security B.1. Network Security Liability Included $3,000,000.$5,000. B.2. Event Response and Recovery Included $3,000,000.$5,000. C. Business Interruption C.1. Direct Business Interruption Included $3,000,000.$5,000. C.2. Contingent Business Interruption Included $3,000,000.$5,000. D. Cyber Extortion D.1. Cyber Extortion Included $3,000,000.$5,000. E. Financial Fraud E.1. Social Engineering Included $250,000.$2,500. E.2. Computer Fraud Included $250,000.$2,500. AB-TEO-000 12/2019 ©2019 Page 2 of 5 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD ITEM 6: Continued Insuring Agreements:Inclusion:Sub-Limits of Insurance:Retentions: F. Media Content F.1. Media Liability Included $3,000,000.$5,000. F.2. Media Event Response Included $3,000,000.$5,000. If any Inclusion field for an Insuring Agreement is displayed as “Not Included”, there is no coverage for such Insuring Agreement. ITEM 7: Claims Made Dates: Claims Made Dates:Date: Technology Retroactive Date:10/18/2018 Cyber & Media Retroactive Date:Not Applicable Continuity Date:10/18/2018 Prior and Pending Litigation Date:10/18/2018 ITEM 8: Policy Forms: Form Title:Form Identification:Form Edition Date: Technology & Cyber Insurance Policy Declarations AB-TEO-000 12/2019 Technology & Cyber Insurance Policy AB-TEO-001 12/2019 Terrorism Risk Insurance Act Disclosure AB-CYB-002 08/2018 Service of Process Endorsement AB-CYB-029 08/2018 Reputational Harm Insuring Agreement AB-CYB-034 02/2019 Contingent and Direct System Failure AB-CYB-045 02/2019 CRC Amendatory Endorsement AB-CYB-CRC_001 06/2019 War & Cyber Terrorism Enhancement AB-CYB-064 10/2019 California Consumer Privacy Act Enhancement AB-CYB-062 10/2019 Law Enforcement Cooperation Enhancement AB-CYB-066 10/2019 Voluntary & Preventative Shutdown Coverage AB-CYB-063 10/2019 AB-TEO-000 12/2019 ©2019 Page 3 of 5 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD Reliance on Other Carrier's Application Endorsement AB-CYB-042 08/2018 AB-TEO-000 12/2019 ©2019 Page 4 of 5 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD Authorized Signature: HSB Specialty Insurance Company David P. Mercier — President Roberta A. O’Brien — Corporate Secretary In witness whereof, HSB Specialty Insurance Company has caused this Policy to be signed by its authorized officers. AB-TEO-000 12/2019 ©2019 Page 5 of 5 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 1 of 40 Technology & Cyber Insurance Policy Insurance coverage underwritten by HSB Specialty Insurance Company | One State Street | Hartford, CT 06102-5024 Considerations: Wherever appearing throughout this Policy, the words "we,” “us,” and "our" refer to the insurer providing this insurance and “Declaration” and “Declarations” refer to the Technology & Cyber Insurance Policy Declarations. Terms which appear in bold face type shall have the meanings set forth in Section V. Definitions. In consideration of payment of the premium, in reliance upon all information provided to us within the Application, and pursuant to the terms, conditions, exclusions, limitations, restrictions, and applicable Retentions of this Policy, we and the Insureds agree as follows: DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 2 of 40 I. Insuring Agreements Coverage is afforded pursuant to those Insuring Agreements included under this Policy, displayed as “Included” in ITEM 6 of the Declarations, and for Claims and Cyber Events reported to us pursuant to the terms of this Policy: T . TECHNOLOGY 1. Technology Liability We shall pay on behalf of the Insured, all Claim Expenses and Damages resulting from a Claim first made against any Insured during the Policy Period or, if exercised, during the Extended Reporting Period, for a Technology Wrongful Act. A . INFORMATION PRIVACY 1. Information Privacy Liability We shall pay on behalf of the Insured, all Claim Expenses and Damages resulting from a Claim first made against any Insured during the Policy Period or, if exercised, during the Extended Reporting Period, for an Information Privacy Wrongful Act. 2. Regulatory Liability We shall pay on behalf of the Insured, all Claim Expenses, Damages, including GDPR Penalties, Regulatory Penalties, and Regulatory Assessments and Expenses resulting from a Regulatory Claim first made against any Insured during the Policy Period or, if exercised, during the Extended Reporting Period, for an Information Privacy Wrongful Act. 3. Event Response and Management We shall pay the Insured Organization for Technical Response Loss, Legal Services Loss, Public Relations Loss, Notification Loss, Reward Expense Loss, and Credit Monitoring Loss incurred by the Insured Organization as a result of an Information Privacy Event first discovered during the Policy Period. 4. PCI-DSS Liability We shall pay the Insured Organization, all PCI-DSS Penalties, PCI-DSS Response Expenses, and Claim Expenses resulting from a PCI-DSS Claim first made against the Insured Organization during the Policy Period or, if exercised, during the Extended Reporting Period, for an Information Privacy Wrongful Act. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 3 of 40 B . NETWORK SECURITY 1. Network Security Liability We shall pay on behalf of the Insured, all Claim Expenses and Damages resulting from a Claim first made against any Insured during the Policy Period or, if exercised, the Extended Reporting Period, for a Network Security Wrongful Act. 2. Event Response and Recovery We shall pay the Insured Organization for Technical Response Loss, Public Relations Loss, Data Recovery Loss, Reward Expense Loss, and System Restoration Loss incurred by the Insured Organization as a result of a Network Security Event first discovered during the Policy Period. C . BUSINESS INTERRUPTION 1. Direct Business Interruption We shall pay the Insured Organization for Business Interruption Loss, Extra Expense, Reward Expense Loss, and Public Relations Loss incurred by the Insured Organization as a direct result of a System Disruption which first occurs during the Policy Period. 2. Contingent Business Interruption We shall pay the Insured Organization for Contingent Business Interruption Loss, Extra Expense, Reward Expense Loss, and Public Relations Loss incurred by the Insured Organization as a direct result of a System Disruption which first occurs during the Policy Period. D . CYBER EXTORTION 1. Cyber Extortion We shall pay the Insured Organization for Extortion Loss, Reward Expense Loss, and Public Relations Loss incurred by the Insured Organization as a direct result of an Extortion Threat first discovered during the Policy Period. E . FINANCIAL FRAUD 1. Social Engineering We shall pay the Insured Organization for Fraudulent Inducement Loss and Reward Expense Loss incurred by the Insured Organization as a direct result of Fraudulent Inducement Instructions it receives and accepts and which are first discovered during the Policy Period. 2. Computer Fraud We shall pay the Insured Organization for Computer Crimes Loss and Reward Expense Loss incurred by the Insured Organization as a direct result of Computer Crimes first discovered during the Policy Period. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 4 of 40 F . MEDIA CONTENT 1. Media Liability We shall pay on behalf of the Insured, all Claim Expenses and Damages resulting from a Claim first made against any Insured during the Policy Period or, if exercised, during the Extended Reporting Period, for a Media Wrongful Act. 2. Media Event Response We shall pay the Insured Organization for Public Relations Loss and Reward Expense Loss incurred by the Insured Organization as a result of a Media Wrongful Act first discovered during the Policy Period. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 5 of 40 II. Limits of Insurance Regardless of the number of Claims first made, Cyber Events first discovered, or number of Insuring Agreements purchased under this Policy: A. A GGREGATE LIMIT OF INSURANCE 1. The Aggregate Limit of Insurance is our maximum liability under this Policy for the duration of the Policy Period or, if exercised, the Extended Reporting Period. 2. We shall have no further obligations or liability under this Policy upon exhaustion of the Aggregate Limit of Insurance, including the continuation of payment of Loss, Damages, or Claims Expenses or the duty to defend or investigate any Claim. B. SUB-LIMITS OF INSURANCE 1. The amounts stated as Sub-Limits of Insurance in ITEM 6 of the Declarations, which are part of and not in addition to the Aggregate Limit of Insurance, are the most we shall pay for all Loss, Damages, and Claims Expenses with respect to the Insuring Agreement to which each such Sub-Limit of Insurance applies, and we shall not be responsible to pay any Loss, Damages, or Claims Expenses under such Insuring Agreement upon exhaustion of such Sub-Limit of Insurance. 2. Subject to II.A.1., II.A.2., and II.B.1. above, the most we shall pay for all Loss, Damages, and Claim Expenses shall be: a. with respect to any Cyber Events or Claims which are covered under more than one Insuring Agreement, the sum of the Sub-Limits of Insurance available under the Insuring Agreements to which such Cyber Events or Claims apply; and b. with respect to any Related Incidents, the sum of the Sub-Limits of Insurance available under the Insuring Agreements to which such Related Incidents apply. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 6 of 40 III. Retention 1. Our liability shall apply only to that portion of Loss, Damages, and Claims Expenses arising from each Claim or Cyber Event which exceeds the Retention applicable to the Insuring Agreement affording coverage to such Claim or Cyber Event. Payment of such Retention is the Named Insured’s responsibility and remains uninsured under this Policy. 2. If a Claim is covered under more than one Third Party Coverage, each Retention shall apply separately but the sum of such Retentions shall not exceed the largest applicable Retention. 3. If a Cyber Event is covered under more than one First Party Coverage, each Retention shall apply separately but the sum of such Retentions shall not exceed the largest applicable Retention. 4. The largest applicable Retention amount shall apply as a single Retention for all Claims or Cyber Events resulting from Related Incidents covered under more than one Third Party Coverage or First Party Coverage. 5. Solely with respect to Third Party Coverage and Insured Persons, the Retention shall not apply to an Insured Person if the Insured Organization is: a. not legally permitted to provide indemnification to such Insured Person; or b. unable to provide indemnification solely by reason of its financial insolvency, including such Insured Organization becoming a debtor in possession under Chapter 11 of the United States Bankruptcy Code, as amended, or the foreign equivalent of such; provided, however, that the applicable Insured Organization agrees to repay us any Retention amounts we pay on its behalf, as described in this paragraph III.5.b., at the time such Insured Organization emerges from financial insolvency or bankruptcy. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 7 of 40 IV. Defense & Settlement of Claims A. DEFENSE 1. We shall have the right and duty to defend any Claim covered by a Third Party Coverage even if the allegations are groundless, false, or fraudulent. 2. We shall consult and attempt to reach an agreement with the Insureds regarding the appointment of counsel in the investigation and defense of any Claim, but we retain the right to appoint counsel and to investigate and defend any Claim as we deem necessary. B . SETTLEMENT 1. We shall not settle any Claim without the written consent of the Insured. In the event the Insured refuses to consent to a settlement recommended by us and acceptable to the claimant(s), then: a. we shall pay the sum of all Damages for which the Claim could have settled plus all Claim Expenses incurred up to the time we made our recommendation to the Insured; and b. we shall pay and maintain responsibility for eighty percent (80%) of all Claim Expenses and Damages that are in excess of the amount referenced in paragraph IV.B.1.a. above. This condition, IV.B. Settlement, shall not apply if the total incurred Damages and Claim Expenses do not exceed the applicable Retention amount. C . ALLOCATION 1. If a Claim includes both covered and uncovered matters, then coverage shall apply as follows: a. One hundred percent (100%) of Claim Expenses incurred by the Insureds who are afforded coverage for such Claim shall be considered covered; and b. All remaining Damages incurred by such Insureds from such Claim shall be allocated between covered Damages and uncovered damages based upon the relative legal and financial exposures and benefits of the parties to such matters. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 8 of 40 V. Definitions Wherever appearing throughout this Policy, the following terms appearing in bold face type, whether used in their singular or plural form, shall have the meanings set forth in this Section V. Definitions: Definitions Applicable to All Insuring Agreements 1. Aggregate Limit of Insurance means the amount stated in ITEM 4 of the Declarations. 2. Application means all applications, including any information and statements attached thereto, submitted to us by, or on behalf of, any Insured in connection with the underwriting and issuance of this Policy. All such applications, attachments, information, and materials are deemed attached to and incorporated into this Policy. With respect to publicly held companies, Application also means each and every public filing made with the Securities Exchange Commission by or on behalf of any Insured, including but not limited to any Insured Organization’s Annual Report(s), 10-Ks, 8-Ks, and proxy statements, provided that such public filing was filed during the period of time: a. beginning at the start of the twelve (12) month period immediately preceding the first submission to us in connection with the underwriting of this Policy; and b. ending at the effective date of the Policy Period. 3. Bodily Injury means physical injury, sickness, or disease and any resulting mental anguish, mental injury, shock, humiliation, or death. 4. Business Interruption Loss means the following amounts incurred by an Insured Organization during the Period of Restoration: a. net profit before income taxes that would have been earned had no System Disruption of Insured Computer Systems occurred; b. net loss before income taxes that would have been avoided had no System Disruption of Insured Computer Systems occurred; c. the Insured Organization’s continuing normal operating and payroll expenses; and d. costs to retain the services of a third party forensic accounting firm to determine the amounts of Business Interruption Loss described in paragraphs V.4.a.–V.4.c. above, subject to our prior consent. 5. Change of Control means: a. the acquisition by another person, entity, or group of person or entities acting together, of more than fifty percent (50%) of the outstanding securities, or ownership interests representing the majority and present right to control, elect, appoint or designate the Board of Directors, Board of Trustees, Board of Managers, or functional equivalent thereof, of the Named Insured; b. the acquisition by another person, entity, or group of person or entities acting together of all, or substantially all, of the Named Insured’s assets such that the Named insured is not the surviving entity; or DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 9 of 40 c. the merger or consolidation of the Named Insured into or with another entity or group of entities acting together such that the Named Insured is not the surviving entity. 6. Claim means any: a. written demand, request, or assertion seeking monetary damages, or non-monetary or injunctive relief; b. civil proceeding, investigation, or suit commenced by service of a complaint, notice, request for information, or similar proceeding seeking monetary damages or non-monetary or injunctive relief; c. arbitration, mediation, or similar alternative dispute resolution proceeding commenced by the receipt of a complaint, written demand, or similar proceeding seeking monetary damages or non-monetary or injunctive relief; d. criminal proceeding commenced by the filing of charges, arrest or detainment, or a return of an indictment or similar document; e. request to toll or waive a statute of limitations applicable to a Claim referenced in paragraphs V.6.a.-V.6.d. above; f. formal appeal of a Claim referenced in paragraphs V.6.a.-V.6.d. above; g. with respect to Insuring Agreement I.A.2., any Claim referenced in paragraphs V.6.a.–V.6.f. above which is a Regulatory Claim; or h. with respect to Insuring Agreement I.A.4., any Claim referenced in paragraphs V.6.a.–V.6.f. above which is a PCI-DSS Claim. 7. Claim Expenses means reasonable and necessary: a. attorneys’ fees, mediation and arbitration expenses, expert witness and consultant fees and attendance expenses, and other fees and costs incurred by us, or by an Insured with our prior written consent, in the investigation and defense of a Claim; and b. premiums for any appeal bond, injunction bond, attachment bond, or any similar bond, although we shall have no obligation to furnish such bond. Claim Expenses shall not include salaries, wages, or other compensation of any Insured Person; except to the extent that such Claim Expenses are expenses incurred to secure and obtain a member of the Control Group’s attendance at any mediation, arbitration, hearing, depositions, or trial in connection to the investigation and defense of a Claim. 8. Computer Crimes means the intentional, fraudulent, or unauthorized input, destruction, or modification of electronic data or computer instructions into Computer Systems by any entity which is not an Insured Organization or person who is not an Insured Person, provided that such Computer Crimes cause: a. Funds or Securities to be transferred, paid, or delivered; or b. an account of the Insured Organization, or of its customer, to be added, deleted, debited, or credited. 9. Computer Crime Loss means the Insured Organization’s loss of Funds or Securities. 10. Computer System means Insured Computer Systems and External Computer Systems. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 10 of 40 11. Contingent Business Interruption Loss means the following amounts incurred by an Insured Organization during the Period of Restoration: a. net profit before income taxes that would have been earned had no System Disruption of External Computer Systems occurred; b. net loss before income taxes that would have been avoided had no System Disruption of External Computer Systems occurred; c. the Insured Organization’s continuing normal operating and payroll expenses; and d. costs to retain the services of a third party forensic accounting firm to determine the amounts of Contingent Business Interruption Loss described in paragraphs V.11.a.–V.11.c. above, subject to our prior consent. 12. Control Group means an Insured Organization’s Chief Executive Officer, Chief Financial Officer, Chief Security Officer, Chief Technology Officer, Chief Information Officer, Risk Manager, General Counsel, or any functionally equivalent positions, regardless of title. 13. Corporate Information means any confidential or proprietary information of an entity, other than an Insured Organization, which: a. an Insured Organization is contractually or legally required to hold or maintain in confidence; or b. is not known or accessible by the general public. Corporate Information does not include Protected Personal Information. 14. Credit Monitoring Loss means reasonable and necessary costs and expenses incurred or paid by an Insured Organization to: a. establish and maintain call center services to be used by natural persons whose Protected Personal Information was impacted in an Information Privacy Event; b. provide credit monitoring, freezing, or thawing services to natural persons whose Protected Personal Information was impacted in an Information Privacy Event; c. provide identity theft identification and restoration services to those natural persons whose Protected Personal Information was impacted in an Information Privacy Event; and d. retain the services of a Cyber Response Firm to provide consultative and professional services related to Credit Monitoring Loss described in paragraphs V.14.a.–V.14.c. above. Credit Monitoring Loss includes costs and expenses incurred in order to comply with applicable Privacy Regulations and shall follow the law of the applicable jurisdiction which most favors coverage for such costs and expenses. Those costs and expenses not required to comply with Privacy Regulations require our prior consent. 15. Cyber Event means an Information Privacy Event, Network Security Event, Extortion Threat, Fraudulent Inducement Instructions, Computer Crimes, System Disruption, and, with respect to Insuring Agreement I.F.2. only, a Media Wrongful Act. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 11 of 40 16. Cyber Response Firm means: a. any firm listed on our pre-approved response provider list, available upon request from us; or b. a firm not part of paragraph V.16.a. above, but only with our prior written consent. 17. Damages means any amounts an Insured becomes legally obligated to pay on account of any Claim, including: a. compensatory damages, settlements, and judgments; b. awards of prejudgment and post-judgment interest; c. sums for deposit in a consumer redress fund as equitable relief for the payment of consumer claims due to an adverse judgment or settlement; d. punitive, exemplary, or multiplied damages and awards; provided, however, that punitive, exemplary, or multiplied damages and awards shall only be included as Damages to the extent insurable under the applicable laws of any jurisdiction which most favors coverage and which has a substantial relationship to an Insured, us, this Policy, or the Claim giving rise to such Damages; e. with respect to a PCI-DSS Claim under Insuring Agreement I.A.4., any PCI-DSS Penalties and PCI-DSS Response Expenses; and f. with respect to a Regulatory Claim under Insuring Agreement I.A.2., any Regulatory Penalties, GDPR Penalties, and Regulatory Assessments and Expenses. Damages shall not include any: g. fines, penalties, taxes, or sanctions imposed against an Insured; except to the extent such fines, penalties, taxes, or sanctions are insurable under the applicable laws of any jurisdiction which most favors coverage and which has a substantial relationship to an Insured, us, this Policy, or the Claim giving rise to such Damages, and are PCI-DSS Penalties otherwise covered under Insuring Agreement I.A.4., or Regulatory Penalties, GDPR Penalties, or Regulatory Assessments and Expenses otherwise covered under Insuring Agreement I.A.2. of this Policy; h. costs to comply with any injunctive, remedial, preventative, or other non-monetary or declaratory relief; or i. any matters deemed uninsurable under the laws pursuant to which this Policy is construed. Solely with respect to Insuring Agreement I.T.1., Damages shall also include: j. subject to our prior written consent, the direct net cost (excluding any profit or mark-up) of the provision of any future service credits by an Insured Organization, but only to the extent such provision of future service credits will fully and finally resolve a Claim and are issued in lieu of monetary amounts the Insured Organization would otherwise be legally obligated to pay as Damages for a Technology Wrongful Act. Solely with respect to Insuring Agreement I.T.1., Damages shall also not include any: k. restitution, unjust enrichment, or disgorgement; l. the return, offset, or reduction of any charges, fees, commissions, or profits for products provided or services rendered; however, we will pay such amounts if asserted as Damages in connection with an otherwise covered Claim for a Technology Wrongful Act; m. costs incurred by any Insured to re-perform, correct, complete, recall, repair, replace, remove, supplement, or upgrade Technology Products or Technology Services; DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 12 of 40 n. discounts, coupons, prizes, rewards, or other incentives; o. liquidated damages in a contract or agreement, but only to the extent such damages exceed the amount for which the Insured would otherwise have been liable in the absence of the contract or agreement; p. amounts any Insured agrees to indemnify; however, we will pay such amounts to the extent they are explicitly covered under Insuring Agreement I.T.1.; or q. service credits, except as provided in paragraph V.17.j. above. 18. Data Recovery Loss means reasonable and necessary costs and expenses incurred or paid by an Insured Organization to: a. replace and restore corrupted, destroyed, lost, or stolen software; b. re-create and recover corrupted, destroyed, lost, or stolen data in electronic form which is, or was, stored on a Computer System; c. re-create and recover corrupted, destroyed, lost, or stolen data in non-electronic form for which there is no electronic source available; and d. to retain the services of a Cyber Response Firm to provide consultative and professional services related to Data Recovery Loss described in paragraphs V.18.a.–V.18.c. above. 19. Employee means any natural person whose work or service is or was guided and engaged by an Insured Organization, including full-time or part-time laborers, interns, volunteers, seasonal or temporary laborers, or laborers whose service or work is or was leased by or to an Insured Organization. 20. External Computer Systems means any computer hardware, software, firmware, wireless device, voice based telecommunication system, operating system, virtual machine, as well as any data stored thereon, and: a. associated input, output, processing, data storage, and mobile devices, networks, operating systems, application software, networking equipment, storage area networks, and other electronic data storage or backup facilities; b. includes, but is not limited to, associated telephone systems (including “PBX”, “CBX,” “Merlin,” or “VoIP”), remote access systems (including “DISA”), peripheral communication equipment and systems, industrial control systems (including “SCADA”), Internet of things (commonly referred to as “IoT”), media libraries, extranets, and offline electronic data storage facilities; and c. includes, but is not limited to, associated application hosting, cloud services, cloud computing platforms, data hosting, data storage, co-location, data back-up, data processing, and infrastructure as a service; which are operated for an Insured’s benefit by a third party under written contract between such third party and Insured. 21. Extortion Loss means reasonable and necessary costs and expenses incurred or paid by an Insured Organization to: a. make payment of any funds, digital currencies (“crypto-currencies”), marketable goods, services, or other assets to the person or group which is believed to be responsible for, and to have made, such Extortion Threat; b. reduce or mitigate the severity of Extortion Loss described in paragraph V.21.a. above; and c. retain the services of a Cyber Response Firm to provide consultative and professional services related to Extortion Loss described in paragraphs V.21.a. and V.21.b. above. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 13 of 40 22. Extortion Threat means any credible threat or series of related threats made to an Insured by a third party person or group, or by a rogue Employee who is not a member of the Control Group and who is acting in a manner not authorized by the Insured Organization, which threatens to take any of the following actions unless an Insured pays such group or person the funds demanded, or meet some other non-monetary demand, in exchange for the mitigation or removal of such threat: a. cause an Information Privacy Event or Network Security Event; b. alter, corrupt, damage, manipulate, misappropriate, encrypt, delete, or destroy any Computer System, Corporate Data, or Protected Personal Information; c. restrict or inhibit access to a Computer System; or d. any action connected to the continuation or furthering of any already commenced action referenced in paragraphs V.22.a.-V.22.c. above. 23. Extra Expense means reasonable and necessary costs and expenses incurred or paid by an Insured Organization to: a. reduce the Period of Restoration; b. mitigate or reduce expenses resulting from the System Disruption of a Computer System; c. secure Computer Systems such that a similar System Disruption is avoided in the future; and d. retain the services of a Cyber Response Firm to provide consultative and professional services related to Extra Expense described in paragraphs V.23.a.–V.23.c. above. 24. First Party Coverage means Insuring Agreement(s) I.A.3., I.B.2., I.C.1., I.C.2., I.D.1., I.E.1., I.E.2., and I.F.2.. 25. Fraudulent Inducement Instructions means the misrepresentation of one or more facts by a third-party person or entity via email or other means of electronic communication with the intent of misleading an Insured into transferring Funds or Securities. 26. Fraudulent Inducement Loss means an Insured Organization's loss of Funds or Securities. 27. Funds or Securities means any medium of exchange, including any written negotiable or non-negotiable instruments representative of such, which is authorized or adopted by a foreign or domestic government and in current use, including bank notes, travelers' checks, registered check, money orders, currency, bullion, and coins. Funds or Securities does not include any crypto-currencies or crypto-assets. 28. GDPR Penalties means Regulatory Penalties an Insured becomes legally obligated to pay as a result of a Regulatory Claim for such Insured’s actual, alleged or reasonably suspected non-compliance with the General Data Protection Regulation Standard, as amended. 29. Independent Contractor means any natural person, agent, or single person entity who is not an Employee but performs work for an Insured Organization pursuant to a written contract or agreement. 30. Information Privacy Event means any actual or reasonably suspected: a. failure to prevent unauthorized access to Protected Personal Information; b. failure to properly manage, handle, store, protect, disclose, destroy, control, or collect Protected Personal Information; DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 14 of 40 c. violation of any Privacy Regulations, including, but not limited to, the wrongful collection or disclosure of Protected Personal Information; d. failure to comply with those portions of a Privacy Policy which govern the collection, dissemination, confidentiality, integrity, accuracy, disclosure, sale, access, or availability of Protected Personal Information; e. failure to provide natural persons whose Protected Personal Information an Insured stores or maintains to access, delete, or amend their Protected Personal Information as required by any Privacy Regulation, including, but not limited to, the “Right to be Forgotten” or “Right to Erasure” as described in the General Data Protection Regulation Standard, as amended; f. failure to provide notification of any Information Privacy Event as required by any Privacy Regulation; or g. failure to disclose an actual or potential Information Privacy Event as required by any Privacy Regulation. 31. Information Privacy Wrongful Act means any actual or alleged error, misstatement, misleading statement, act, omission, neglect, breach of duty, or other offense committed or attempted by an Insured, based upon or resulting in an Information Privacy Event. 32. Insured means the Insured Organization, any Insured Person, and any “Additional Insured” solely to the extent of coverage afforded by the terms and conditions in paragraph VII.A.2.a. 33. Insured Computer Systems means any computer hardware, software, firmware, wireless device, voice based telecommunication system, operating system, virtual machine, as well as any data stored thereon, and: a. associated input, output, processing, data storage, and mobile devices, networks, operating systems, application software, networking equipment, storage area networks, and other electronic data storage or backup facilities; and b. includes, but is not limited to, associated telephone systems (including “PBX”, “CBX,” “Merlin,” or “VoIP”), remote access systems (including “DISA”), peripheral communication equipment and systems, industrial control systems (including “SCADA”), Internet of things (commonly referred to as “IOT”), media libraries, extranets, and offline electronic data storage facilities; which are rented, leased, owned, or operated by an Insured or which are operated solely for an Insured’s benefit by a third party under written contract between such third party and Insured. 34. Insured Organization means the Named Insured and any Subsidiaries. Insured Organization also means any entity as a debtor in possession or the bankruptcy estate of such Insured Organization under the United States bankruptcy law, or foreign equivalent. 35. Insured Person means any past, current or future natural person: a. Employee, director, officer, trustee, partner, general partner, managing partner, managing member, LLC member, or principal of an Insured Organization, but only with respect to a Wrongful Act or Cyber Event committed within the scope of such natural person’s duties performed on behalf of such Insured Organization; or b. Independent Contractor, but only with respect to a Wrongful Act or Cyber Event committed within the scope of such Independent Contractor’s duties performed on behalf of the Insured Organization and only if the Insured Organization indemnifies such Independent Contractor. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 15 of 40 36. Legal Services Loss means reasonable and necessary costs and expenses incurred or paid by an Insured Organization to: a. determine the applicability of any notifications, communications, actions, or other services required or necessary for the Insured Organization to comply with applicable Privacy Regulations; b. draft and develop letters, documents, or other materials to properly notify the natural persons whose Protected Personal Information was, or may have been, wrongfully disclosed, accessed, acquired, or otherwise compromised or impacted as a result of the applicable Information Privacy Event; c. provide any legally required communications and reporting services to any regulatory, administrative, or supervisory authority; and d. retain the services of a Cyber Response Firm to provide legal, consultative, and professional services related to Legal Services Loss described in paragraphs V.36.a.–V.36.c. above. Legal Services Loss includes costs and expenses incurred in order to comply with applicable Privacy Regulations and shall follow the law of the applicable jurisdiction which most favors coverage for such costs and expenses. Those costs and expenses not required to comply with any applicable Privacy Regulations require our prior consent. 37. Loss means: a. Reward Expense Loss, Technical Response Loss, Public Relations Loss, Legal Services Loss, Notification Loss, Credit Monitoring Loss, Data Recovery Loss, System Restoration Loss, Business Interruption Loss, Contingent Business Interruption Loss, Extra Expense, Extortion Loss, Fraudulent Inducement Loss, and Computer Crimes Loss. Loss shall not include: b. salaries, benefits or other compensation payable to Insured Persons, except to the extent covered under Insuring Agreement(s) I.C.1. and I.C.2.; c. an Insured Organization’s internal operating costs, expenses, or fees, except to the extent covered under Insuring Agreement(s) I.C.1. and I.C.2.; d. taxes, fines, penalties, or amounts for injunctive relief or sanctions; e. Funds or Securities in the care, custody, or control of an Insured, except to the extent covered under Insuring Agreement(s) I.D.1., I.E.1., and I.E.2.; or f. costs or expenses incurred to update, improve, enhance, or replace privacy or network security controls, policies or procedures, or Computer Systems to a level beyond that which existed prior to the applicable Cyber Event, except to the extent we have recommended and provided prior consent to incur such costs or expenses, including: i. claim avoidance related costs or expenses anticipated under Extra Expense; and ii. incremental improvement costs or expenses anticipated under System Restoration Loss. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 16 of 40 38. Malicious Code means any software or computer program that is: a. purposefully designed to adversely affect, intentionally harm, or dishonestly monetize any computer hardware, software, firmware, wireless device, operating system, virtual machine, and the data stored thereon or any components thereof, including, but not limited to, industrial control systems (SCADA), IoT, VoIP telephone systems, media libraries, extranets, offline storage facilities (to the extent electronic data is held), mobile devices, input and output devices, data storage devices, networking equipment, and electronic data backup facilities or networks; or b. capable of affecting that which is referenced in paragraph V.38.a. above by inserting itself by a variety of forms, causing damage, possessing the ability to replicate itself, or possessing the capability of spreading copies of itself. Malicious Code includes, but is not limited to, auto-reproduction programs, computer viruses, worms, Trojan horses, spyware, dishonest adware, crime-ware, mine-ware, script or any other software program, computer program, or virus that is functionally equivalent to Malicious Code described in paragraphs V.38.a.and V.38.b. above. 39. Media Content means data, text, images, graphics, music, sounds, photographs, advertisements, video, streaming content, webcasts, podcasts, blog posts, and online forum posts. Media Content does not include computer software, software technology, or the actual goods, products, or services described, illustrated, or displayed in such Media Content. 40. Media Wrongful Act means any actual or alleged error, misstatement, misleading statement, act, omission, neglect, breach of duty, or other offense committed or attempted by an Insured, or by any third party entity or natural person for whom the Insured is legally responsible, in the public dissemination, posting, or display of Media Content, by or on behalf of an Insured, on a voice or video based communication medium, including radio, internet streaming, satellite, cable, television, or any similar communications broadcast, or on an Insured’s website, printed material, social media site, or anywhere else on the internet, which results in the following: a. defamation, libel, slander, or other tort related to disparagement or harm to the character, reputation or feelings of any person or organization, including product disparagement, trade libel, infliction of emotional distress, malicious falsehood, outrage, or outrageous conduct; b. infringement or dilution of title, slogan, logo, trademark, trade name, metatag, domain name, trade dress, service mark, or service name; c. copyright infringement, passing off, plagiarism, piracy, or other misappropriation of intellectual property rights; d. invasion, infringement, or interference with rights of privacy or publicity, including public disclosure of private facts, breach of confidence, intrusion, false light, and commercial appropriation of name or likeness; e. false detention or arrest, harassment, trespass, wrongful entry or eviction, eavesdropping, or other invasion of the right of private occupancy; f. improper deep framing or linking; or g. unfair trade practices or competition, including misrepresentations in advertising, but solely when alleged in conjunction with the alleged conduct referenced in paragraphs V.40.a.–V.40.f. above. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 17 of 40 41. Named Insured means the entity displayed in ITEM 1 of the Declarations. 42. Network Security Event means any actual or reasonably suspected: a. propagation of Malicious Code from a Computer System; b. attack by Malicious Code which infects a Computer System; c. denial of service attack: i. originating from a Computer System; or ii. made against a Computer System; d. gaining of access or use of a Computer System by: i. an unauthorized person; or ii. an authorized person for purposes not authorized by an Insured Organization; e. acquisition, access, loss, or disclosure of Corporate Information not authorized by an Insured Organization; f. theft of a password or access code by electronic or non-electronic means from a Computer System, the Insured Organization’s premises, or directly from an Insured Person; g. the failure to provide any authorized user access to the Insured Organization’s website or Computer System due to the failure or violation of the security of a Computer Systems; or h. the failure to protect Computer Systems which results in, or is based upon, a Network Security Event referenced in paragraphs V.42.a.-V.42.g. above. Network Security Event includes any of the foregoing, regardless of whether such Network Security Event is a specifically targeted attack or a generally distributed attack. 43. Network Security Wrongful Act means any actual or alleged error, misstatement, misleading statement, act, omission, neglect, breach of duty, or other offense committed or attempted by an Insured, based upon or resulting in a Network Security Event. 44. Notification Loss means reasonable and necessary costs and expenses incurred or paid by an Insured Organization to: a. provide any legally required notification services to those natural persons whose Protected Personal Information was wrongfully disclosed, accessed, acquired, or otherwise compromised or impacted as a result of the applicable Information Privacy Event; b. complete mailing or other communications duties to notify those natural persons whose Protected Personal Information was wrongfully disclosed, accessed, acquired, or otherwise compromised or impacted as a result of the applicable Information Privacy Event; c. provide information on the availability of any related services or resources to those natural persons whose Protected Personal Information was wrongfully disclosed, accessed, acquired, or otherwise compromised or impacted as a result of the applicable Information Privacy Event; and d. retain the services of a Cyber Response Firm to provide consultative and professional services related to Notification Loss described in paragraphs V.44.a.-V.44.c. above. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 18 of 40 Notification Loss includes costs and expenses incurred in order to comply with applicable Privacy Regulations and shall follow the law of the applicable jurisdiction which most favors coverage for such costs and expenses. Those voluntary costs and expenses not required to comply with any applicable Privacy Regulations require our prior consent. 45. PCI Data Security Standards means generally accepted and published rules, regulations, standards, or guidelines which relate to data security and the safeguarding, disclosure, and handling of Protected Personal Information and which are adopted or required by the Payment Card Industry Data Security Standards Council or any payment provider whose payment method is accepted for processing. 46. PCI-DSS Claim means any Claim, brought by or on behalf of a Payment Card Association or entity processing or providing payment card transactions, based upon an Insured Organization’s actual, alleged, or potential non-compliance with PCI Data Security Standards, including but not limited to: a. failure to properly protect, handle, manage, store, destroy, or control payment account or payment card data, including applicable Protected Personal Information; or b. non-compliance with EMV specifications or mobile payment security requirements. PCI-DSS Claim includes an investigation into a potential violation of PCI Data Security Standards, which may reasonably be expected to give rise to a PCI-DSS Claim. 47. PCI-DSS Penalties means monetary assessments, fines, penalties, chargebacks, reimbursements, and fraud recoveries, including card reissuance costs, the Insured Organization is legally obligated to pay due to a PCI- DSS Claim and its non-compliance under a payment card processing agreement or merchant services agreement pertaining to PCI Data Security Standards. 48. PCI-DSS Response Expenses means reasonable and necessary costs and expenses to retain the services of: a. a third party forensic firm that is a qualified Payment Card Industry Forensic Investigator, to determine the cause and scope of the Information Privacy Event which led to a PCI-DSS Claim; and b. a Qualified Security Assessor (QSA) to validate an Insured Organization’s adherence to PCI Data Security Standards following a PCI-DSS Claim. 49. Period of Restoration means the continuous period of time that: a. begins with the earliest date a System Disruption first occurred; and b. ends on the date when Insured Computer Systems or External Computer Systems are, or could have been, repaired or restored with reasonable speed to the same functionality and level of service which existed prior to the System Disruption. A Period of Restoration shall not exceed one hundred eighty (180) days from the date the applicable System Disruption first occurred; provided, however, that the end of the Policy Period shall not cut short the Period of Restoration. 50. Policy means, collectively, the Declarations, Application, each included Insuring Agreement, and all forms and endorsements, stated in ITEM 8 of the Declarations, which are attached to and form part of this Policy. 51. Policy Period means the period of time from the Effective Date to the Expiration Date, as set forth in ITEM 2 of the Declarations, or the effective date of termination of this Policy, whichever is earlier. 52. Pollution means any liquid, gaseous, solid or thermal irritant or contaminant, including vapor, smoke, fumes, acids, chemicals and material to be recycled, reconditioned or reclaimed. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 19 of 40 53. Privacy Policy means an Insured Organization’s written or electronic policies which govern the collection, dissemination, confidentiality, integrity, accuracy, disclosure, sale, access, or availability of Protected Personal Information. 54. Privacy Regulations means any local, state, federal, or foreign identity theft or privacy protection laws, statutes, legislation, or regulations which require commercial entities which collect, process, or maintain Protected Personal Information to post privacy policies, adopt specific privacy or security controls, or notify individuals in the event that Protected Personal Information has potentially or actually been compromised, accessed, or acquired without their authorization. Privacy Regulations explicitly include, but are not limited to, the Gramm-Leach Bliley Act of 1999, Health Insurance Portability and Accountability Act of 1996, California Database Breach Act, Minnesota Plastic Card Security Act, and General Data Protection Regulation Standard, and regulations issued pursuant to such Acts or Standards, as amended if applicable. 55. Property Damage means damage to, loss of use of, or destruction of any tangible property other than electronic or non-electronic data or Protected Personal Information. 56. Protected Personal Information means any of the following information or data, regardless of whether such data or information is in electronic, non-electronic, or any other format: a. any natural person’s social security number, name, e-mail address, driver’s license or state identification number, address, and telephone number; b. any natural person’s personally identifiable pictures or videos, internet browsing history, security access codes, or passwords, and account histories; c. any natural person’s medical or healthcare data, biometric records, or any other protected health information (“PHI”); d. any natural person’s credit card or debit card number, account number, or any other protected financial information; or e. any other non-public personal information or data of a natural person as specified in any Privacy Regulations. Protected Personal Information does not include Corporate Information. 57. Public Relations Loss means reasonable and necessary public relations related costs and expenses incurred or paid by an Insured Organization to: a. protect or restore the Insured Organization’s reputation; b. mitigate financial harm to the Insured Organization’s business; and c. retain the services of a Cyber Response Firm to provide public relations or crisis communications consultative and professional services related to Public Relations Loss described in paragraphs V.57.a. and V.57.b. above. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 20 of 40 58. Regulatory Assessments and Expenses means reasonable and necessary costs and expenses an Insured becomes legally obligated to pay on account and as a direct result of a Regulatory Claim to retain the services of a Cyber Response Firm to perform a legally required audit or assessment, including related consultative and professional services, of the Insured Organization’s privacy practices or Computer Systems. Regulatory Assessments and Expenses includes costs and expenses incurred in order to comply with applicable Privacy Regulations and shall follow the law of the applicable jurisdiction which most favors coverage for such costs and expenses. Those costs and expenses not required to comply with any applicable Privacy Regulations require our prior consent. 59. Regulatory Claim means any Claim brought by, or on behalf of, the Federal Trade Commission, the Federal Communications Commission, any supervisory authority enforcing the General Data Protection Regulation Standard, or any state attorney general, government licensing entity, regulatory authority, or any federal, state, local, or foreign governmental entity in such entity’s official capacity. Regulatory Claim includes an investigation into a potential violation of Privacy Regulations, which may reasonably be expected to give rise to a Regulatory Claim. 60. Regulatory Penalties means civil fines or penalties resulting from a Regulatory Claim, including GDPR Penalties, imposed against an Insured by the Federal Trade Commission, the Federal Communications Commission, any supervisory authority enforcing the General Data Protection Regulation Standard, or any state attorney general, government licensing entity, regulatory authority, or any federal, state, local, or foreign governmental entity in such entity’s official capacity. 61. Related Incident means all Wrongful Acts and Cyber Events which share as a common nexus any act, fact, circumstance, situation, event, transaction, cause, or series of related acts, facts, circumstances, situations, events, transactions, or causes, and all: a. Cyber Events arising out of any Related Incident shall be considered one single Cyber Event, and such Cyber Event shall be considered first discovered on the date the earliest of such Cyber Events is first discovered, regardless of whether such date is before or during the Policy Period; and b. Claims arising out of all Related Incidents shall be considered one single Claim, and such Claim shall be considered first made on the date the earliest of such Claims is first made, regardless of whether such date is before or during the Policy Period. 62. Retention means the amounts stated as Retention in ITEM 6 of the Declarations with respect to the Insuring Agreement to which each such stated Retention amount applies. 63. Reward Expense Loss means reasonable and necessary costs and expenses incurred or paid by an Insured Organization to an informant for information not otherwise available which leads to the arrest and conviction of a natural person or an entity responsible for the Cyber Event which resulted in a covered Loss under this Policy. Reward Expense Loss requires our prior consent. 64. Subsidiary means: a. any corporation, partnership, limited liability company or other entity in which the Named Insured owns, directly or indirectly through one or more Subsidiaries, more than fifty percent (50%) of such entity’s outstanding securities or voting rights representing the present right to elect, appoint or exercise a majority control over such entity’s board of directors, board of trustees, board of managers, natural person general partners, or functional equivalent; DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 21 of 40 b. any entity operated as a joint venture in which the Named Insured owns, directly or indirectly through one or more Subsidiaries, exactly fifty percent (50%) of the issued and outstanding voting stock and whose management and operation an Insured Organization solely controls, pursuant to a written agreement with the owner(s) of the remaining issued and outstanding voting stock; or c. any non-profit entity over which the Named Insured, directly or indirectly through one or more Subsidiaries, exercises management control. 65. System Disruption means the measurable interruption, suspension, degradation, or failure in the service of: a. with respect to Insuring Agreement I.C.1., Insured Computer Systems; or b. with respect to Insuring Agreement I.C.2., External Computer Systems; directly caused by a Network Security Event or Information Privacy Event. 66. System Restoration Loss means reasonable and necessary costs and expenses incurred or paid by an Insured Organization to: a. restore Computer Systems, including replacing or reinstalling software programs contained therein, to their level of functionality immediately prior to the applicable Network Security Event: b. remove any Malicious Code from Computer Systems resulting from the applicable Network Security Event; c. restore the configuration of Computer Systems to an adequacy at or higher to that which was present immediately prior to the applicable Network Security Event; and d. retain the services of a Cyber Response Firm to provide consultative and professional services related to System Restoration Loss described in paragraphs V.66.a.–V.66.c. above. 67. Technical Response Loss means reasonable and necessary costs and expenses incurred or paid by an Insured Organization to: a. investigate and determine the cause of the applicable Information Privacy Event or Network Security Event; b. mitigate or contain an ongoing Information Privacy Event or Network Security Event; c. identify and catalog natural persons whose Protected Personal Information was wrongfully disclosed, accessed, acquired, or otherwise compromised or impacted as a result of an applicable Information Privacy Event; d. identify and catalog organizations whose Corporate Information was wrongfully disclosed, accessed, acquired, or otherwise compromised or impacted as a result of an applicable Network Security Event; and e. retain the services of a Cyber Response Firm to provide consultative and professional services related to Technical Response Loss described in paragraphs V.67.a.–V.67.d. above. 68. Third Party Coverage means Insuring Agreement(s) I.A.1., I.A.2., I.A.4., I.B.1., I.F.1., and I.T.1. 69. Wrongful Act means any Information Privacy Wrongful Act, Network Security Wrongful Act, Media Wrongful Act, or Technology Wrongful Act. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 22 of 40 Definitions Applicable to Technology Liability Insuring Agreement 70. Breach of Contract means an unintentional breach of a written contract by an Insured; provided such written contract: a. is entered into between an Insured Organization and a customer; and b. expressly sets forth an Insured’s agreement to provide Technology Products and/or Technology Services. 71. Contractual Indemnity means an indemnification obligation owed by an Insured Organization to a customer under a written contract to provide Technology Products and/or Technology Services, but only to the extent that: a. the indemnification obligation arises out of an actual or alleged act, error, or omission committed or attempted by or on behalf of an Insured; and b. the indemnification obligation does not arise solely out of any act, error, or omission by the customer whom the Insured Organization is obligated to indemnify. 72. Errors & Omissions means any error, misstatement, misleading statement, act, omission, neglect, or breach of duty. 73. Intellectual Property Infringement means intellectual property infringement, including but not limited to misappropriation of trade secret, copyright infringement, trade dress infringement, trademark infringement, trademark dilution, cybersquatting violation, improper deep-linking or deep-framing, or publicity rights violation; provided, however, that Intellectual Property Infringement shall not mean or include any infringement, violation, misuse, abuse, misappropriation, or disclosure of, or assertion of any right to, or interest in, any patent or patent right. 74. Personal Injury means the following: a. false arrest, detention, or imprisonment; b. malicious prosecution; c. defamation, including but not limited to libel, slander, product disparagement, or trade libel; d. wrongful entry, wrongful eviction, or other invasion or infringement of the right to private occupancy; or e. invasion or infringement of the right to privacy or publicity, including but not limited to intrusion upon seclusion, publication of private facts, false light, or misappropriation of name or likeness. 75. Technology Products means information technology or telecommunications hardware or software, or related electronic equipment, that is assembled, created, designed, developed, manufactured, sold, or distributed by or on behalf of an Insured, for others for a fee or other consideration. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 23 of 40 76. Technology Services means information technology or telecommunications services performed by or on behalf of an Insured, for others for a fee or other consideration, including: a. information technology or telecommunications: i. consulting, staffing, training, and support services; ii. network or data security services; iii. network or system design, development, installation, repair, maintenance, and support services; iv. network or system operations and management, including data center, co-location, and cloud computing services, and services as Infrastructure-as-a-Service (IaaS); v. hardware sales, installation, testing, repair, maintenance, and support services; or b. software or application hosting, design, development, programming, installation, testing, repair, maintenance, and support services, including services as: i. Software-as-a-Service (SaaS); ii. Platform-as-a-Service (PaaS); iii. Application Service Provider (ASP); or c. data processing, management, and hosting services, including: i. data entry and analysis services; ii. data conversion and destruction services; iii. data backup and recovery services; or d. provision of internet, email, video, voice, text, data, and broadband services; e. digital and internet marketing services; f. website development and design services; and g. web portal or web hosting services. Technology Services also means information technology or telecommunications services that are provided in conjunction with Technology Products. 77. Technology Wrongful Act means any actual or alleged Errors & Omissions, Breach of Contract, Contractual Indemnity, Intellectual Property Infringement, or Personal Injury committed or attempted by an Insured, or by any person or entity on behalf of an Insured Organization, in the: a. rendering or provision of Technology Services to others; b. failure to render or provide Technology Services to others; or c. failure of Technology Products to perform the function or serve the purpose intended. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 24 of 40 VI. Exclusions A. EXCLUSIONS APPLICABLE TO ALL INSURING AGREEMENTS This Policy shall not apply to any Loss, Damages, or Claim Expenses on account of any Wrongful Act, any Cyber Event, or any Claim: 1. Conduct based upon, arising out of, or attributable to any Insured’s: a. fraudulent, criminal, or malicious error, act or omission; b. intentional or deliberate violation of the law; or c. gaining of any profit, remuneration, or advantage to which such Insured was not legally entitled. However, this exclusion shall not apply to: d. Claim Expenses or our duty to defend any such Claim; or e. Damages unless a final, non-appealable, adjudication establishes that such Insured committed such conduct, act, or violation. Provided that: f. no such conduct pertaining to any Insured Person shall be imputed to any other Insured Person; g. any such conduct pertaining to past, present, or future members of the Control Group shall be imputed to the Insured Organization; provided, however, if such member of the Control Group acted deliberately outside his or her capacity as such then such conduct shall not be imputed to the Insured Organization; and h. for First Party Coverage only, this exclusion shall not apply to an intentionally dishonest or fraudulent act or omission, willful violation of any statute, rule of law, or gaining any profit, remuneration, or advantage by an Employee. 2. Contract for breach of any express, implied, actual or constructive contract, warranty, or guarantee. However, this exclusion shall not apply to: a. liability assumed by an Insured, but only to the extent that such assumed liability would have attached to the Insured in the absence of such contract, warranty, or guarantee; b. an Insured’s contractual obligation to maintain the confidentiality or security of Protected Personal Information; c. an Insured’s obligation under an implied or statutory standard of care obligation to prevent an Information Privacy Event or Network Security Event; DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 25 of 40 d. with respect to Insuring Agreement I.A.1., an unintentional violation by an Insured to comply with an Insured Organization’s Privacy Policy; e. solely with respect to Insuring Agreement I.A.4., a PCI-DSS Claim; f. solely with respect to Insuring Agreement I.F.1., any actual or alleged misappropriation of idea under implied contract; g. solely with respect to Insuring Agreement I.A.1., an Insured’s unintentional breach of contract or agreement with a business associate, as defined in the U.S. Health Insurance Portability and Accountability Act (HIPAA), as amended, or the Health Information Technology for Economic and Clinical Health Act (HITECH), as amended; or h. solely with respect to Insuring Agreement I.T.1., an otherwise covered Claim for Breach of Contract or Contractual Indemnity. 3. Bodily Injury alleging, based upon, arising out of, or attributable to Bodily Injury. However, this exclusion shall not apply to: a. solely with respect to Insuring Agreement I.F.1., emotional distress, mental anguish, humiliation, or loss of reputation resulting from a Media Wrongful Act; b. solely with respect to Insuring Agreement I.A.1., emotional distress, mental anguish, or mental injury resulting from an Information Privacy Wrongful Act; or c. solely with respect to Insuring Agreement I.T.1., any actual or alleged unintentional infliction of emotional distress, but only when asserted in conjunction with and based upon the same allegations as an otherwise covered Claim for Personal Injury. 4. Property Damage alleging, based upon, arising out of, or attributable to Property Damage. 5. Prior Notice alleging, based upon, arising out of, or attributable to any fact, circumstance, situation, event, Cyber Event, or Wrongful Act which was the subject of any notice of claim or potential claim given by or on behalf of any Insured under any policy of insurance of which this Policy is a direct or indirect renewal or replacement, or which it succeeds in time. 6. Prior Knowledge alleging, based upon, arising out of, or attributable to any fact, circumstance, situation, event, Cyber Event, or Wrongful Act that is, or reasonably would be regarded as, the basis for a Claim or Cyber Event about which any member of the Control Group had knowledge prior to the Continuity Date set forth in ITEM 7 of the Declarations. 7. Pending or Prior Proceedings alleging, based upon, arising out of, or attributable to any fact, circumstance, situation, event, Cyber Event, or Wrongful Act underlying or alleged in any prior or pending civil, criminal, administrative or regulatory proceeding or litigation against an Insured as of, or prior to, the Prior and Pending Litigation Date set forth in ITEM 7 of the Declarations. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 26 of 40 8. Pollution alleging, based upon, arising out of, or attributable to: a. the actual, alleged or threatened discharge, release, seepage, migration, or disposal of Pollution; b. any request that any Insured test for, monitor, clean up, remove, contain, treat, detoxify, or neutralize Pollution, including any voluntary decision to do so; or c. any request or requirement brought by or on behalf of any governmental authority relating to testing, monitoring, cleaning, removing, containing, treating, neutralizing, or in any way responding to or assessing the effects of Pollution. 9. War alleging, based upon, arising out of, or attributable to war, invasion, acts of foreign enemies, hostilities or warlike operations (whether war is declared or not), strike, lock-out, riot, civil war, rebellion, revolution, insurrection, civil commotion assuming the proportions of or amounting to an uprising, or military or usurped power. 10. Nuclear, Biological, and Chemical Contamination alleging, based upon, arising out of, or attributable to any planning, construction, maintenance, or use of any nuclear reactor, nuclear storage, disposal, waste or radiation site, or any other nuclear facility or site, the transportation of nuclear material, or any nuclear reaction or radiation, or radioactive, biological or chemical contamination, regardless of its cause. 11. Natural Disaster alleging, based upon, arising out of, or attributable to fire, smoke, explosion, lightning, wind, water, flood, earthquake, volcanic eruption, tidal wave, landslide, hail, act of God, nature or any other related physical event. 12. Intellectual Property alleging, based upon, arising out of, or attributable to any infringement, violation, or misappropriation of, or assertion of any right to, or interest in, any patent, copyright, trademark, trade dress or any other intellectual property right. However, this exclusion shall not apply to: a. solely with respect to Insuring Agreement I.F.1., an otherwise covered Claim for a Media Wrongful Act, except to the extent such Claim alleges that Media Content consisted of computer software or software technology which infringed upon copyrighted software; b. solely with respect to Insuring Agreement I.A.1., any Claim arising out of any actual, alleged, or reasonably suspected failure by an Insured to properly disclose, handle, manage, store, destroy, protect, use or otherwise control Protected Personal Information resulting from an Information Privacy Event; c. solely with respect to Insuring Agreement I.B.1., any Claim arising out of the actual or alleged disclosure of Corporate Information resulting from a Network Security Event; or d. solely with respect to Insuring Agreement I.T.1., an otherwise covered Claim for Intellectual Property Infringement. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 27 of 40 13. Fees or Chargebacks alleging, based upon, arising out of, or attributable to any fees, expenses, or costs paid to or charged by an Insured, including chargebacks, transfer fees, transaction fees, merchant service fees, or prospective service fees. However, this exclusion shall not apply to: a. solely with respect to Insuring Agreement I.A.4., any PCI-DSS Claim; or b. solely with respect to Insuring Agreement I.T.1., the extent such amounts constitute otherwise covered Damages resulting from a Claim for a Technology Wrongful Act. 14. Unsolicited Communications alleging, based upon, arising out of, or attributable to any violation of the Telephone Consumer Protection Act of 1991, as amended, or any similar federal, state, local, common, or foreign law or regulation relating to the unsolicited electronic dissemination of faxes, e-mails, or other communications, or a natural person’s or entity’s right of seclusion. However, this exclusion shall not apply to: a. solely with respect to Insuring Agreements I.A.1. and I.A.2., a Claim resulting from any Insured’s actual, alleged or reasonably suspected violation of any Privacy Regulation; or b. solely with respect to Insuring Agreements I.A.1. and I.A.2., a Claim resulting from any Insured’s actual or alleged failure to adequately protect Computer Systems resulting in the release of Protected Personal Information. 15. Consumer Protection Laws alleging, based upon, arising out of, or attributable to any Insured’s violation of the Truth in Lending Act, Fair Debt Collection Practices Act, Fair Credit Reporting Act, or the Fair and Accurate Credit Transactions Act or any amendments thereto or any rules or regulations promulgated thereunder, or any similar federal, state, local, common, or foreign law, rule, or regulation. However, this exclusion shall not apply to: a. solely with respect to Insuring Agreement I.A.1., any Claim arising out of the actual or alleged disclosure or theft of Protected Personal Information resulting from an Information Privacy Event. 16. Infrastructure alleging, based upon, arising out of, or attributable to any failures of infrastructure, including an interruption, electrical disturbance, surge, spike, brownout, blackout, or outages to electricity, gas, water, or Internet access service and Domain Name System (DNS) service provided by the service provider that hosts an Insured Organization’s website, telecommunications, or other infrastructure. However, this exclusion shall not apply to failures, interruptions, disturbances or outages of telephone, cable or telecommunications systems, networks or infrastructure: a. under an Insured’s direct operational control; or b. solely with respect to Insuring Agreement(s) I.A.1. and I.B.1., which are the result of an actual or alleged Information Privacy Wrongful Act or Network Security Wrongful Act. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 28 of 40 However, solely with respect to Insuring Agreement I.T.1., this exclusion shall also not apply to: c. a failure or interruption of service provided by External Computer Systems which results in an actual or alleged Technology Wrongful Act; or d. an otherwise covered Claim for a Technology Wrongful Act resulting directly from an Insured Organization’s provision of services as a telecommunications, internet access, or infrastructure service provider. B. EXCLUSIONS APPLICABLE TO PARTICULAR INSURING AGREEMENTS This Policy shall not apply to any Loss, Damages, or Claim Expenses on account of any Wrongful Act, any Cyber Event, or any Claim: 1. Prior Acts Exclusively with respect to Third Party Coverage, alleging, based upon, arising out of, or attributable to any Wrongful Act: a. taking place, in whole or in part, prior to: i. with respect to Insuring Agreement I.T.1., Technology Liability, the date set forth as the “Technology Retroactive Date” in ITEM 7 of the Declarations; and ii. with respect to Insuring Agreement(s) I.A.1., I.A.2., I.A.4., I.B.1., and I.F.1., the date set forth as the “Cyber & Media Retroactive Date” in ITEM 7 of the Declarations; or b. by a Subsidiary or any of its Insured Persons, occurring at any time during which such entity was not a Subsidiary. 2. Insured vs. Insured Exclusively with respect to Third Party Coverage, brought by or on behalf of any: a. Insured; b. entity, if ten percent (10%) or more of its equity is owned, controlled, operated or managed, directly or indirectly, by any Insured at the time the Wrongful Act is committed or Claim is made; or c. successor or assignee of any Insured. However, this exclusion shall not apply to any Claim: d. brought by or on behalf of an Insured Person for a Wrongful Act, but only to the extent such Insured Person did not commit or contribute to such Wrongful Act or to such extent such Insured Person is alleging an Insured Organization failed to comply or act in accordance with a Privacy Regulation; e. brought by or on behalf of an Employee alleging employee-related invasion of privacy or employee- related wrongful infliction of emotional distress, but only to the extent that such Claim arises out of the loss of Protected Personal Information resulting from an Information Privacy Wrongful Act; or f. brought by or on behalf of any “Additional Insured”, as described in paragraph VII.A.2.a., against any other Insured for a Wrongful Act. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 29 of 40 3. Securities Exclusively with respect to Third Party Coverage, alleging, based upon, arising out of, or attributable to any Insured’s: a. purchase, sale, or offer, or solicitation of an offer, to purchase or sell securities; b. violation of the Securities Act of 1933, the Securities Exchange Act of 1934, the Investment Company Act of 1940, the Investment Advisors Act, the Organized Crime Control Act of 1970, or any other federal, state or local securities law, and any amendments thereto or any rules or regulations circulated thereunder, or any similar federal, state or common law; or c. with respect to Insuring Agreement I.T.1., provision of any financial, investment, credit, or debt advice or counseling; or failure of an investment to perform as expected or desired; or promise or guarantee of the future performance of any investment value, interest, or rate of return. However, paragraph VI.B.3.b. of this exclusion shall not apply to: d. solely with respect to Insuring Agreement(s) I.A.1., I.A.2., and I.A.4., any Claim alleging a failure to disclose an actual, reasonably suspected or potential Information Privacy Event if such disclosure is required by any Privacy Regulations. 4. Governmental Seizure Exclusively with respect to First Party Coverage, alleging, based upon, arising out of, or attributable to any confiscation, nationalization, seizure, or destruction of a Computer System or electronic data held or processed by an Insured or by order of any governmental or public authority. 5. Employment Practices or Discrimination Exclusively with respect to Third Party Coverage, alleging, based upon, arising out of, or attributable to any employment practices or illegal discrimination of any kind, or any employment relationship, or the nature, terms or conditions of employment, including claims for workplace torts, wrongful termination, dismissal or discharge, or any discrimination, harassment, or breach of employment contract. However, this exclusion shall not apply to: a. solely with respect to Insuring Agreement(s) I.A.1., I.A.2., and I.A.4., that portion of any Claim alleging Employee related invasion of privacy or wrongful infliction of emotional distress, provided that such Claim arises out of the actual or alleged disclosure or theft of Protected Personal Information resulting from an Information Privacy Wrongful Act. 6. Antitrust Exclusively with respect to Third Party Coverage, alleging, based upon, arising out of, or attributable to any antitrust violation, unfair competition, deceptive trade practices, or restraint of trade, including violations of any local, state, federal, or foreign laws governing the foregoing, whether brought by or on behalf any individuals, entities, the Federal Trade Commission, or any other federal, state, local, or foreign government agency. However, this exclusion shall not apply to: a. solely with respect to Insuring Agreement I.A.2., a Regulatory Claim resulting directly from a violation of Privacy Regulations; DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 30 of 40 b. solely with respect to Insuring Agreement I.F.1., a Claim for a Media Wrongful Act as defined in paragraph V.40.g.; or c. solely with respect to Insuring Agreement I.T.1., a Claim for unfair competition, deceptive trade practices, or false designation of origin, but only to the extent that such Claim is asserted in conjunction with and based upon the same allegations as an otherwise covered Claim for Intellectual Property Infringement. 7. Advertising & Representations alleging, based upon, arising out of, or attributable to: a. exclusively with respect to Insuring Agreement(s) I.F.1. and I.F.2, any inaccurate, inadequate, or incomplete description of the price of goods, products or services, cost guarantees, cost representations, or contract price estimates, the authenticity of any goods, products or services, or the failure of any goods or services to conform with any represented quality of performance; or b. exclusively with respect to Insuring Agreement I.T.1., any false or misleading advertising. However, paragraph VI.B.7.b. of this exclusion shall not apply to: c. an otherwise covered Claim for Intellectual Property Infringement under Insuring Agreement I.T.1. that is based upon an Insured’s actual or alleged unauthorized use of a third party’s trademark. 8. Government Action & Licensing Exclusively with respect to Insuring Agreement(s) I.F.1., I.F.2., and I.T.1., alleging, based upon, arising out of, or attributable to any governmental investigation or enforcement of any federal, state, or local regulation, or any action brought by or on behalf of the Federal Trade Commission, the Federal Communications Commission, or any other federal, state, or local government agency, or ASCAP, SESAC, BMI or other licensing or rights entities in such entity’s regulatory, quasi-regulatory, or official capacity, function or duty. However, solely with respect to Insuring Agreement I.T.1., this exclusion shall not apply to: a. any Claim made by a government agency or entity in its capacity as a customer of the Insured Organization for an otherwise covered Technology Wrongful Act. 9. Contest or Game of Chance Exclusively with respect to Insuring Agreement(s) I.F.1., I.F.2., and I.T.1 alleging, based upon, arising out of, or attributable to any gambling, contest, game of chance, lottery, or promotional game, including the redemption of coupons, discounts, awards, prizes, or tickets related thereto. C . EXCLUSIONS APPLICABLE TO F INANCIAL F RAUD INSURING AGREEMENTS Exclusively with respect to Insuring Agreement(s) I.E.1. and I.E.2., this Policy shall not apply to any Computer Crimes Loss, Fraudulent Inducement Loss, or Reward Expense Loss on account of any Computer Crimes or any Fraudulent Inducement Instructions: DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 31 of 40 1. Financial Fraud of Intellectual Property for the loss of confidential information, including trade secrets, formulas, patents, customer information, negatives, drawings, manuscripts, prints, and other records of a similar nature, or other confidential information, intellectual property of any kind, data or computer programs. 2. Interest Income for or applicable to any potential income, including interest and dividends, not realized by the Insured Organization or a customer of the Insured Organization. 3. Forged or Altered Instruments resulting directly from forged, altered, or fraudulent negotiable instruments, securities, documents or written instructions or instructions used as source documentation to enter electronic data or send instructions. D . EXCLUSIONS APPLICABLE TO TECHNOLOGY LIABILITY INSURING AGREEMENT Exclusively with respect to Insuring Agreement I.T.1., this Policy shall not apply to any Claim Expenses or Damages on account of any Technology Wrongful Act or any Claim: 1. Discontinued Products or Services alleging, based upon, arising out of, or attributable to any commercial decision to discontinue a product or service, but only to the extent that an Insured Organization is obligated by a written contract to continue providing such product or service. 2. Non-Compete or Exclusivity alleging, based upon, arising out of, or attributable to any breach of non-compete, non-solicitation, exclusivity, or other similar commercial terms in an Insured Organization’s contract or agreement with a customer. 3. Business Partner Dispute alleging, based upon, arising out of, or attributable to any commercial dispute between an Insured and any distributor, supplier, reseller, manufacturer, or other business partner or business associate with whom an Insured deals, but only to the extent such a Claim is based upon: a. any compensation or remuneration, including any commission or royalty, that is promised or owed by an Insured to such distributor, supplier, reseller, manufacturer, or other business partner or business associate; or b. an Insured’s decision to cease dealing with such distributor, supplier, reseller, manufacturer, or other business partner or business associate. 4. Proprietary Information alleging, based upon, arising out of, or attributable to: a. any misappropriation, misuse, abuse, or disclosure of any trade secrets, ideas, designs, concepts, or confidential information that any person or entity accessed or possessed before they became an Insured Person or Subsidiary of the Insured Organization; or DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 32 of 40 b. any dispute between an Insured and any present or former employee, agent, independent contractor, joint venturer, partner, officer, director, or trustee regarding ownership of or rights to any information, material, content, designs, concepts, products, or services provided by such person to an Insured. 5. Recall, Repair, or Replace alleging, based upon, arising out of, or attributable to any costs or expenses incurred by any Insured or others to recall, repair, replace, remove, supplement, or upgrade an Insured’s products, including any third party products which incorporate an Insured’s products or services. However, this exclusion shall not apply to: a. any Claim brought by a third party for the loss of use of Technology Products or any third party products that incorporate an Insured’s products or services. 6. Transfer of Funds or Securities for any actual or alleged loss, theft, or transfer of Funds or Securities or any crypto-currencies or crypto- assets: a. owned by an Insured; b. in an Insured’s care, custody, or control; or c. in the care, custody, or control of any third party; including but not limited to the value of any Funds or Securities, or any crypto-currencies or crypto- assets, transferred by or on behalf of any Insured. 7. Third Party Defect alleging, based upon, arising out of, or attributable to any defect in or failure of any Technology Products that is solely caused by a third party, including but not limited to any third party hardware or software supplier, vendor, or manufacturer. However, this exclusion shall not apply to: a. Claim Expenses paid by us on an Insured’s behalf to defend such Claims; or b. any amount an Insured is legally able to recover under a written contract or agreement. 8. Third Party E-Commerce alleging, based upon, arising out of, or attributable to any liability for third party goods or products that are marketed, sold, or distributed by a third party on an e-commerce website or application that is hosted or published by or on behalf of an Insured. 9. Other Professional Services alleging, based upon, arising out of, or attributable to any performance of or failure to perform services as an accountant, architect, attorney, engineer (but not software engineer), healthcare provider, insurance or real estate agent/broker, investment advisor, securities broker/dealer, or surveyor. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 33 of 40 VII. Conditions A. INSURED EXTENSIONS Third Party Coverage shall extend to apply as follows: 1. Spousal, Domestic Partner, Estates, and Legal Representatives a. In the event of an Insured Person’s death, incapacity, or bankruptcy, any Claim made against such Insured Person’s estate, heirs, executors, administrators, assigns, and legal representatives shall be considered to be a Claim made against such Insured Person, but only to the extent such Insured Person would otherwise be covered under this Policy; and b. In the event of a Claim made against an Insured Person’s lawful spouse or domestic partner, such Claim shall be considered to be a Claim made against such Insured Person, but only for a Wrongful Act actually or allegedly committed by such Insured Person other than such spouse or domestic partner. 2. Additional Insureds a. If an Insured Organization is required by written contract to provide coverage for any person or entity under this Policy (hereinafter an “Additional Insured”), then such person or entity shall be considered an “Additional Insured” under this Policy, but only for liability arising out of Wrongful Acts actually or allegedly committed or attempted by or on behalf of an Insured Organization, and not for any liability arising solely out of any act, error, or omission by such “Additional Insured”; provided, however, that coverage afforded to an “Additional Insured” shall only extend to actual or alleged Wrongful Acts committed or attempted after such written contract was executed. B. S UBSIDIARIES 1. Coverage for Subsidiaries With respect to any Insured Organization which is a Subsidiary, coverage afforded under this Policy for such Subsidiary, and its Insured Persons, shall only apply to: a. Loss resulting from Cyber Events which occurred after the effective date that such entity became a Subsidiary and prior to the date that such entity ceased to be a Subsidiary; and b. Claims for Wrongful Acts which actually or allegedly occurred after the effective date that such entity became a Subsidiary and prior to the date that such entity ceased to be a Subsidiary. Any entity which ceases to be a Subsidiary during the Policy Period shall be afforded coverage through the expiration date of the current Policy Period but only with respect to Wrongful Acts and Cyber Events which occurred before the date it ceased to be a Subsidiary. 2. Subsidiary Acquisition or Creation If, during the Policy Period, an Insured Organization acquires or creates another entity whose gross revenues exceed twenty five percent (25%) of the consolidated gross revenues of the Insured Organization, as of the most recent fiscal year prior to the effective date of this Policy, and such that the DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 34 of 40 acquired or created entity becomes a Subsidiary, then such Subsidiary shall only be considered an Insured Organization for a period of ninety (90) days following its acquisition or formation unless: a. the Named Insured provides us written notice within sixty (60) days of the full particulars of such entity and agrees to any additional premium and amendments to this Policy relating to such entity; and b. we have ratified our acceptance of such entity as a Subsidiary by endorsement to this Policy. C. C HANGE OF C ONTROL & AUTOMATIC RUN-OFF If a Change of Control occurs during the Policy Period, then: 1. Third Party Coverage under this Policy shall: a. continue in full force and effect until the expiration date of the current Policy Period with respect to Claims for Wrongful Acts committed before such Change of Control; and b. cease with respect to Claims for Wrongful Acts committed after such Change of Control; 2. First Party Coverage under this Policy shall: a. continue in full force and effect until the expiration date of the current Policy Period with respect to Loss for Cyber Events which occurred before such Change of Control; and b. cease with respect to Loss for Cyber Events which occurred after such Change of Control; 3. The Named Insured shall have the right to give us notice that it desires to purchase an Extended Reporting Period, in accordance to the conditions set forth in section VII.D.2., Extended Reporting Period, of this Policy; and 4. This Policy may not be canceled by the Named Insured, and the entire premium shall be deemed fully earned. D. E XTENDED R EPORTING P ERIOD 1. Automatic Discovery Reporting Period If this Policy does not renew or otherwise terminates for a reason other than failure to pay premium, then following the effective date of such event the Named Insured shall have the right, for a period of sixty (60) days following such event, to give us written notice of Claims made against any Insured during such sixty (60) day period for any Wrongful Acts committed prior to the effective date of such Policy termination or end of the Policy Period, whichever is applicable. 2. Extended Reporting Period An “Extended Reporting Period,” if purchased, means the period of time in which the Named Insured may give us written notice of Claims first made against any Insured under this Policy, and shall be extended to apply to Claims first made during such Extended Reporting Period but only with respect to; a. Claims for Wrongful Acts which occurred prior to the effective date of Policy termination, the end of the Policy Period, or effective date of Change of Control (whichever is applicable); and DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 35 of 40 b. Claims for Wrongful Acts made against persons or entities which were Insureds as of the effective date of Policy termination, the end of the Policy Period, or effective date of Change of Control (whichever is applicable). If this Policy does not renew or otherwise terminates for a reason other than for failure to pay premium, or upon the occurrence of a Change of Control, then upon the effective date of such event: c. the Named Insured shall have the right to give us notice that it desires to purchase an Extended Reporting Period for Third Party Coverage at any of the following additional periods and associated premium amounts, which are represented as a percentage of the annualized premium of the Policy to which the Extended Reporting Period applies: i. one (1) year for seventy five percent (75%); or ii. two (2) years for one hundred twenty five percent (125%); d. the Named Insured, or a party acting on its behalf, may send us a request for the purchase of an Extended Reporting Period outside the additional periods and amounts indicated in VII.D.2.c. above, and we may, at our discretion, subsequently provide a quote for such request; e. any Claim made during a purchased Extended Reporting Period shall be deemed to have been made during the Policy Period immediately preceding the Extended Reporting Period; f. the Aggregate Limit of Insurance and Sub-Limits of Insurance available for any purchased Extended Reporting Period shall not be increased or renewed, unless we expressly provide such amendment via an endorsement to this Policy; g. the Named Insured’s right to purchase an Extended Reporting Period shall lapse unless we receive written notice from the Named Insured, or a party acting on its behalf, of the election to purchase such Extended Reporting Period within sixty (60) days after this Policy’s termination or expiration date or, if applicable, the effective date of any Change of Control; and h. the entire premium charged for any purchased Extended Reporting Period is due at the time of purchase and shall be considered fully earned as of the effective date of such Extended Reporting Period. E. NOTICE 1. Notice of Claims and Cyber Events An Insured shall, as a condition precedent to our obligations under this Policy, give us written notice as soon as practicable after any member of the Control Group: a. first becomes aware of any Claim made against an Insured; or b. discovers any Cyber Event; Provided further, and notwithstanding VII.E.1.a. and VII.E.1.b. above: c. all such notice of Claims made or Cyber Events discovered must be noticed to us no later than ninety (90) days after the end of the Policy Period or termination of this Policy, whichever is earlier; and DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 36 of 40 d. if an Extended Reporting Period is purchased pursuant to section VII.D.2., all Claims made during such Extended Reporting Period must be reported to us no later than the end of the Extended Reporting Period; All such notices described in this clause VII.E.1. must include the following details related to the applicable Cyber Event or Claim: e. all pertinent facts, particulars, and dates, including the nature of such Cyber Event and its potential consequences and Damages; f. the identities of those persons allegedly involved or affected; and g. with respect to notices related to First Party Coverage, the business operations, Computer Systems, or other assets affected. 2. Notice of Circumstances If, during the Policy Period, any member of the Control Group first becomes aware of any circumstances which may reasonably give rise to a Claim under this Policy, then any Claim which arises out of such circumstances shall be deemed to have been first made at the time such written notice was received by us, but only to the extent that such written notice includes the following details and is received by us during the Policy Period: a. details on why the Insured believes a Claim may be forthcoming; b. all pertinent facts, particulars, and dates, including the nature of such circumstances, why the Insured believes a Claim may reasonably be forthcoming, and its potential consequences and Damages; and c. the identities of those persons allegedly involved or affected. 3. Notice Delivery All notices described within this condition VII.E., Notice, shall be given to us in writing, either electronically or non-electronically, at the address set forth in ITEM 5 of the Declarations. All such notices shall be effective on the date we receive such notice. If such notice is mailed or transmitted by electronic mail, the date of such mailing or transmission shall constitute the date that such notice was given to us, and proof of mailing or transmission shall be sufficient proof of notice. F . O BLIGATIONS In connection with all Claims and Cyber Events under this Policy, the Insured agrees to the following: 1. The Insured shall cooperate with and assist us in the effort to defend and settle any Claim, including: a. attending hearings and trials, assisting in securing and giving evidence, obtaining the attendance of witnesses, and enforcing the Insured’s rights of contribution or indemnity against any person or entity which may be liable to such Insured because of an act or omission covered under any Third Party Coverage; and b. delivering to us copies of all demands, legal papers, other related legal documents and invoices the Insured receive, as soon as practicable. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 37 of 40 2. The Insured shall not settle any Claim, incur any Claim Expenses, or otherwise assume any contractual obligation or admit any liability with respect to any Claim without our written consent, which shall not be unreasonably withheld. We shall not be liable for any settlement, Claim Expenses, assumed obligation, or admission to which we have not provided such consent. G . POLICY TERMINATION 1. We may only cancel this Policy prior to the expiration date of the Policy Period if the Named Insured fails to pay premium prior to its due date. If such cancellation is being considered, we shall deliver a written notice of pending cancellation. Such notice shall be delivered at least twenty (20) days prior to the date that such cancellation is proposed to become effective. If the full premium due is remitted to us prior to the proposed cancellation effective date, then such cancellation shall not go into effect. 2. The Named Insured may cancel this Policy at any time and for any reason by delivering such instructions to us by mail or electronic mail. Such instructions may be delivered directly by the Named Insured or through any person or entity contracted to act on the Named Insured’s behalf for the placement of this Policy. 3. If this Policy is canceled for any reason prior to the end of the Policy Period, we shall refund the unearned premium computed pro rata. Such premium adjustment shall be made as soon as practicable upon termination of the Policy, but payment or tender of any unearned premium by us shall not be a condition precedent to the effectiveness of such termination. 4. We are not required to renew or offer to renew this Policy upon the expiry of its Policy Period. H . LOSS CALCULATIONS FOR BUSINESS INTERRUPTION AND P UBLIC R ELATIONS 1. In determining and calculating the amount of Public Relations Loss covered under this Policy, we shall give due consideration to the prior experience of the Insured Organization’s public and market perception before the beginning of the applicable Cyber Event or Media Wrongful Act, and we shall make this assessment at our sole discretion, in good faith, and as we deem reasonable and necessary. 2. In determining and calculating the amount of Contingent Business Interruption Loss, Business Interruption Loss, and Extra Expense covered under this Policy, we shall give due consideration to the prior experience of the Insured Organization’s business before the beginning of the applicable System Disruption and to the probable business such Insured Organization could have performed had no System Disruption occurred. I . REPRESENTATIONS & SEVERABILITY We have relied upon the representations and statements in the Application in granting this Policy to the Insured, with such representations and statements forming the basis of coverage under this Policy. With respect to such representations and statements contained in the Application: 1. no knowledge possessed by an Insured Person shall be imputed to any other Insured Person, and the Application shall be considered to be separate for each Insured Person; 2. in the event the Application contains misrepresentations made with the actual intent to deceive or contains misrepresentations which materially affect either the acceptance of the risk or the hazard DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 38 of 40 assumed by us under this Policy, then no coverage shall be afforded under this Policy based upon, arising from, or in any way attributable to any such misrepresentations with respect to: a. any Insured Person who knew of such misrepresentations, regardless of if such Insured Person knew such Application contained such misrepresentations; and b. an Insured Organization if any past or present member of the Control Group knew of such misrepresentations, regardless of if such member of the Control Group knew such Application contained such misrepresentations. 3. we shall not be entitled under any circumstances to void or rescind this Policy with respect to any Insured. J . OTHER INSURANCE 1. If any Loss, Damages, or Claim Expenses or other amounts covered under this Policy are covered under any other valid and collectible insurance, then this Policy shall apply only to the extent that the amount of such Loss, Damages, or Claim Expenses are in excess of the amount of such other insurance whether such other insurance is specified as primary, contributory, excess, contingent or otherwise. However, paragraph VII.J.1. above shall not apply if such other insurance is written explicitly to serve as excess insurance over the Aggregate Limit of Insurance or Sub-Limits of Insurance provided by this Policy. 2. The conditions set forth in VII.D.1., Automatic Discovery Reporting Period, and VII.E.2., Notice of Circumstances, shall not apply to Claims that are covered under any subsequent insurance purchased by an Insured or for an Insured’s benefit, or that would be covered by any subsequent insurance but for the exhaustion of the amount of insurance limits applicable and available under such subsequently placed insurance. K . SUBROGATION 1. In the event of any payment by us of Loss, Damages, or Claim Expenses or other amounts under this Policy, we are subrogated to the Insured’s rights of recovery against any person or organization, and the Insureds shall execute and deliver instruments, papers, and whatever else is necessary to secure such rights and enable us to effectively bring suit or otherwise pursue subrogation rights in the name of the Insureds under this Policy. 2. However, we shall not subrogate as described in paragraph VII.K.1. above: a. against any Insured Person, unless such Insured Person was in violation of paragraph VI. A.1.; or b. if an Insured agreed in writing to waive such Insured’s right of recovery or subrogation against any person or entity prior to the Cyber Event or Wrongful Act which gave rise to the Claim or Loss connected with such subrogation. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 39 of 40 L . RECOVERIES All recoveries from third parties for payments of Loss, Damages, or Claim Expenses shall be applied in the following order of priority after first deducting the costs and expenses incurred in obtaining such recovery: 1. to us, to reimburse us for any Retention we paid on an Insured’s behalf and for any Damages, Loss, or Claims Expenses we paid under this Policy; and 2. to the Insured, to reimburse the Insured for any Retention such Insured paid and for any other amounts not covered under this Policy. Provided, that such recoveries shall not include any recovery from insurance, reinsurance, security, or indemnity taken for our benefit, or any portion of a Retention we waived. M . AUTHORIZATION The Named Insured has the authority to act on behalf of all Insureds and is responsible for the payment of premiums and receiving of notices of cancellation, nonrenewal, or any change to coverage provided under this Policy. All Insureds agree to this authority and have delegated, individually and collectively, all such authority exclusively to the Named Insured. Provided, however, that nothing within this condition, VII.M. Authorization, shall relieve any Insured from giving any notice to us that is required under this Policy. N . ASSIGNMENT This Policy, including any rights or duties herein, may not be transferred or assigned to another party unless we have provided our prior written consent to such transfer or assignment. O . ACTION AGAINST U S No action shall lie against us unless, as a condition precedent thereto, the Insured has been in full compliance with all terms of this Policy. No person or entity shall have any rights under this Policy to join us as a party to any action against any Insured to determine such Insured’s liability, nor shall we be impleaded by such Insured or the legal representatives of such Insured. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD AB-TEO-001 12/2019 Page 40 of 40 P . DISPUTES & RESOLUTIONS This condition, VII.P. Disputes & Resolutions, provides the terms and conditions applicable to disputes which may arise between us and any Insured or amongst various Insureds. If any limitation in this section is deemed to be inconsistent with applicable law, such limitation is amended so as to equal the minimum period of limitation provided by such law. 1. If any dispute persists between us and any Insured as it relates to this Policy, or any term or condition herein, we and such Insureds agree to make a determined effort to solve such dispute via alternative dispute mediation or through a third-party mediator. The costs to procure such mediation shall be paid by us, if applicable, but our payments of such costs shall not persist past a single alternative dispute mediation effort. 2. In the event of a disagreement between or amongst any Insureds, the Named Insured shall have exclusive authority to act on behalf of all other Insureds with respect to negotiation of settlements and the decision to appeal or not to appeal any judgment. Q . BANKRUPTCY Bankruptcy or insolvency of any Insured, including any Insured Person’s estate, does not relieve us of any of our obligations, rights or defenses under this Policy. R . STATE AMENDATORY INCONSISTENCY If there is an inconsistency between any term or condition of this Policy, those terms and conditions which are more favorable to the Insured’s coverage shall apply to the extent permitted by law. Provided, however, that with respect to any time period relating to notice of cancellation provided under this Policy, we shall apply the applicable state law. S . TERRITORY Coverage provided under this Policy shall extend to Cyber Events and Wrongful Acts occurring or discovered, Claims made, and Losses incurred anywhere in the world. T . HEADINGS The titles, headings, and subheadings of certain paragraphs, sections, conditions, or provisions of this Policy, and any endorsements attached thereto, are intended solely for convenience and reference and form no part of the terms and conditions of coverage under this Policy. DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD This endorsement is attached to, forms part of, and modifies: Policy number: 6603772-01 Named Insured: Rule4, Inc. Terrorism Risk Insurance Act Disclosure Includes copyrighted material of National Association of Insurance Commissioners with its permission This endorsement is attached to and made part of this Policy in response to the disclosure requirements of the Terrorism Risk Insurance Act, as amended. NOTICE OF TERRORISM INSURANCE COVERAGE Applicable Premium The portion of annual premium that is attributable to coverage for acts of terrorism is $0, and does not include any charges for the portion of losses covered by the United States government under the Act. Informational Notice The following notice does not change coverage under this Policy but is provided in compliance with the Terrorism Risk Insurance Act, as amended. Coverage for acts of terrorism is included in this policy. This provides notification that under the Terrorism Risk Insurance Act, as amended in 2015, the definition of act of terrorism has changed. As defined in Section 102(1) of the Act: The term “act of terrorism” means any act or acts that are certified by the Secretary of the Treasury— in consultation with the Secretary of Homeland Security, and the Attorney General of the United States—to be an act of terrorism; to be a violent act or an act that is dangerous to human life, property, or infrastructure; to have resulted in damage within the United States, or outside the United States in the case of certain air carriers or vessels or the premises of a United States mission; and to have been committed by an individual or individuals as part of an effort to coerce the civilian population of the United States or to influence the policy or affect the conduct of the United States Government by coercion. Under this coverage, any losses resulting from certified acts of terrorism may be partially reimbursed by the United States Government under a formula established by the Terrorism Risk Insurance Act, as amended. However, this policy may contain other exclusions which might affect coverage, such as an exclusion for nuclear events. Under the formula, the United States Government generally reimburses 85% through 2015; 84% beginning on January 1, 2016; 83% beginning on January 1, 2017; 82% beginning on January 1, 2018; 81% beginning on January 1, 2019 and 80% beginning on January 1, 2020, of covered terrorism losses exceeding the statutorily established deductible paid by the insurance company providing the coverage. The Terrorism Risk Insurance Act, as amended, contains a $100 billion cap that limits U.S. Government reimbursement as well as insurers’ liability for losses resulting from certified acts of terrorism when the amount of such losses exceeds $100 billion in any one calendar year. If the aggregate insured losses for all insurers exceed $100 billion, coverage may be reduced. All other terms, conditions, and exclusions of the Policy shall remain unchanged. AB-CYB-002 08/2018 ©2018 Page 1 of 1 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD This endorsement is attached to, forms part of, and modifies: Policy number: 6603772-01 Named Insured: Rule4, Inc. Service of Process Endorsement Insurance coverage underwritten by HSB Specialty Insurance Company | One State Street | Hartford, CT 06102-5024 In consideration of the premium charged, it is agreed that the Policy is amended as follows: This Policy is subject to the following: 1)The following provision applies to Alabama, Alaska, Arizona, Arkansas, Colorado, Delaware, Florida, Georgia, Hawaii, Idaho, Kentucky, Louisiana, Mississippi, Missouri, Nevada, New Mexico, North Carolina, Oklahoma, Oregon, Puerto Rico, South Dakota, Tennessee, Texas, Washington, and West Virginia only: We designate the Superintendent of Insurance, Insurance Commissioner, Director of Insurance, or other officer specified by law, pursuant to the laws of the State where this Policy is delivered, as our true and lawful attorney upon whom may be served any lawful process in any action, suit or proceeding instituted in the State in which this Policy is delivered, by, or on behalf of, the Named Insured or any beneficiary hereunder arising out of this Policy. We designate the Corporate Secretary of HSB Specialty Insurance Company, One State Street, Hartford, CT 06102 as the person whom the said officer is authorized to mail such process or true copy thereof. 2)The following provision applies to California only: A surplus lines insurer shall be sued, upon any cause of action arising in the State under any contract issued by it as a surplus lines contract pursuant to the laws the state of California. A surplus lines insurer issuing such Policy is deemed to have authorized service of process against it in the manner and to the effect as provided in the laws of the state of California. Service of legal process against the insurer may be made in any such action by service upon the designated agent. The designated agent for service of process is: Sarah Espinosa, The Hartford Steam Boiler Inspection and Insurance Company, 2300 Clayton Road, Suite 1350, Concord, California 94520. 3)The following provision applies to Illinois only: We designate the Director of the Illinois Department of Insurance and his successor or successors in office, at 320 W. Washington, Bicentennial Building, Springfield, IL 62727, as our true and lawful attorney upon whom may be served any lawful process in any action, suit or proceeding instituted by, or on behalf of, the Insured or any beneficiary hereunder arising out of this contract of insurance. We designate the Corporate Secretary of HSB Specialty Insurance Company, One State Street, Hartford, CT 06102 as the person to whom the said officer is authorized to mail such process or true copy thereof. 4)The following provision applies to Iowa only: AB-CYB-029 08/2018 ©2018 Page 1 of 2 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD An eligible surplus lines insurer may be sued upon a cause of action arising in Iowa under a surplus lines insurance Policy or contract placed by the insurer or upon evidence of insurance placed by the insurer and issued or delivered in Iowa by a surplus lines insurance producer. We designate the Corporate Secretary of HSB Specialty Insurance Company, One State Street, Harford, CT 06102 as the person upon whom service of process can be made. 5)The following provision applies to Maine only: An unauthorized insurer shall be sued, upon any cause of action arising in the State under any contract issued by it as a surplus lines contract pursuant to the laws of the state of Maine. An unauthorized insurer issuing such Policy is deemed to have authorized service of process against it in the manner and to the effect as provided in the laws of the state of Maine. Service of legal process against the insurer may be made in any such action by service of two copies upon the designated agent. The designated agent for service of process is: Charles C. Soltan, Esq., 96 State Street, 2nd Floor, Augusta, Maine 04330. 6)The following provision applies to New York only: The Superintendent of the New York State Department of Financial Services and his/her successors is appointed by the excess lines insurer issuing this Policy to be its true and lawful attorney upon whom may be served all lawful process in any proceeding instituted by or on behalf of an Insured or beneficiary arising out of this insurance Policy and the excess lines insurer signifies its agreement that service of process in such manner is of the same legal force and validity as personal service of process in New York State upon the insurer. 7)The following provision applies to Pennsylvania only: It is agreed that in the event we fail to pay any amount claimed to be due under this Policy we will submit, at the Insured’s request, to the jurisdiction of any court of competent jurisdiction within the United States of America and will comply with all requirements necessary to give such court jurisdiction. All matters arising hereunder shall be determined in accordance with the law and practice of such court. It is further agreed that in any such action instituted against any Insured under this contract, we will abide by the final decision of such court or of any appellate court in the event of an appeal. Service of process shall be made pursuant to the procedures provided by 42 Pa. C.S. Chapter 53 Subchapter B (relating to interstate and international procedure). When making service of process by mail, such process shall be mailed to the Corporate Secretary of HSB Specialty Insurance Company, One State Street, Hartford, CT 06102. The above named is authorized and directed to accept service of process on our behalf for any action or upon any request of the Insured to give a written undertaking to the Insured that they will enter a general appearance for us in the event such an action shall be instituted. Further, pursuant to any statute of any state, territory or district of the United States of America, which makes provisions therefore, we hereby designate the Superintendent, Commissioner or Director of Insurance or other officer specified for that purpose in the statute or his successor or successors in office, as the true and lawful attorney upon whom any lawful process may be served in any action, suit or proceeding instituted by, or on behalf of, the Insured or any beneficiary hereunder arising out of this contract of insurance, and hereby designate the above named as the person on whom such process or a true copy thereof shall be served. All other terms, conditions, and exclusions of the Policy shall remain unchanged. AB-CYB-029 08/2018 ©2018 Page 2 of 2 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD This endorsement is attached to, forms part of, and modifies: Policy number: 6603772-01 Named Insured: Rule4, Inc. Reputational Harm Insuring Agreement Insurance coverage underwritten by HSB Specialty Insurance Company | One State Street | Hartford, CT 06102-5024 In consideration of the premium charged, it is agreed that the Policy is amended as follows: 1)The following is added to ITEM 6 of the Declarations: Insuring Agreement:Inclusion:Sub-Limit of Insurance:Retention: G. Reputational Harm G.1. Reputational Harm Included $3,000,000.$5,000. 2)The following is added to the Declarations: Reputational Harm Indemnity Period:180 days. 3)The following is added to section I. Insuring Agreements: G. REPUTATIONAL HARM 1. Reputational Harm We shall pay the Insured Organization for Reputational Harm Loss and Public Relations Loss incurred by the Insured Organization as a direct result of a Reputational Harm Event which first occurs during the Policy Period. 4)The following are added to section V. Definitions: a)Adverse Publication means a publication, report, communication, opinion, or media of any other form which: i)disseminates any previously non-public information: ii)specifically states or references an Insured Organization or Covered Brand; and iii)is disseminated or publicized to the general public via any electronic or non-electronic medium or media channel including, but not limited to, television, print media, radio or electronic networks, the internet, or electronic mail. AB-CYB-034 02/2019 ©2019 Page 1 of 4 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD b)Covered Brand means any brand owned exclusively by, or licensed exclusively to, an Insured Organization. c)Reputational Harm Event means the first appearance of a publicly available Adverse Publication which: i)directly states or alleges that an Insured Organization has experienced an Information Privacy Event or Network Security Event, regardless of the factual accuracy of any statement(s) contained therein; ii)is reasonably expected to cause, or has already caused, material damage, harm, or tarnish to the public perception and reputation of an Insured Organization, including, but not limited to, damage to such Insured Organization’s goodwill amongst its customers, suppliers, or community with whom such Insured Organization habitually deals with in the course of its business; and iii)is reasonably expected to lead, or has already led, to an Insured Organization’s provable loss of income. d)Reputational Harm Indemnity Period means the continuous period of time that: i)begins with the date the Reputational Harm Event first occurred; and ii)ends on the date when the number of days stated in the Declarations as the Reputational Harm Indemnity Period have elapsed. The Reputational Harm Indemnity Period shall not be cut short or reduced by the intervening expiration of the Policy Period, if applicable. e)Reputational Harm Loss means the following amounts incurred by an Insured Organization during the Reputational Harm Indemnity Period: i)net profit before income taxes that would have been earned had no Reputational Harm Event occurred; ii)net loss before income taxes that would have been avoided had no Reputational Harm Event occurred; and iii)costs to retain the services of a third party forensic accounting firm to determine the amounts of Reputational Harm Loss described in paragraphs 4)e)i) and 4)e)ii) above, subject to our prior consent. The amount of Reputational Harm Loss will be determined and calculated in accordance with section VII. Conditions, Loss Calculation for Reputational Harm Loss, as detailed in item 10) of this endorsement. 5)The following is added to section V. Definitions, 15. Cyber Event: Cyber Event also means a Reputational Harm Event. 6)The following is added to section V. Definitions, 24. First Party Coverage: First Party Coverage also means Insuring Agreement I.G.1., Reputational Harm. AB-CYB-034 02/2019 ©2019 Page 2 of 4 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD 7)The following is added to section V. Definitions, 37. Loss: Loss also means Reputational Harm Loss. For the purposes of this endorsement and solely with respect to Insuring Agreement I.G.1., Reputational Harm, Loss shall not include: a)variable costs, including the cost of raw materials and other costs, that would have been incurred by the Insured Organization during the applicable Reputational Harm Indemnity Period but were saved as a result of the Reputational Harm Event. 8)Section V. Definitions, 37. Loss, paragraph c., is deleted and replaced with the following: c.an Insured Organization’s internal operating costs, expenses, or fees, except to the extent covered under Insuring Agreement(s) I.C.1., I.C.2., and I.G.1.; 9)The following is added to section VI. Exclusions, B., Exclusions Applicable to Particular Insuring Agreements: Exclusively with respect to Insuring Agreement I.G.1., Reputational Harm: based upon or resulting from an Adverse Publication which: a)does not specifically state or refer to an Insured Organization or a Covered Brand; b)does not specifically state or refer to an alleged or actual Information Privacy Event or Network Security Event experienced by an Insured Organization; or c)is disseminated and directed to an Insured and is not available to the general public. 10)The following is added to section VII. Conditions: LOSS CALCULATION FOR REPUTATIONAL HARM LOSS In determining and calculating the amount of Reputational Harm Loss covered under this Policy, we shall use reasonable projections and give due consideration to: 1.the experience of the Insured Organization’s business prior to the first occurrence of the Reputational Harm Event; 2.the public and market perception of the Insured Organization prior to the first occurrence of the Reputational Harm Event; and 3.the Insured Organization’s net profit or net loss during the twelve (12) months immediately preceding the date of the Reputational Harm Event’s first occurrence; and 4.market and industry trends, variations, and circumstances, including, but not limited to, seasonable influences and economic conditions, which would have affected the Insured Organization’s business and operations regardless of the occurrence of the Reputational Harm Event. We shall determine and calculate the amount of Reputational Harm Loss at our sole discretion, in good faith, and as we deem reasonable and necessary. Any disputes between us and the Insured over such AB-CYB-034 02/2019 ©2019 Page 3 of 4 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD determination and calculation shall be subject to the terms set forth in section VII., P., Disputes & Resolutions. 11)The following is added to section VII. Conditions, E. Notice, 1.: Solely with respect to a Reputational Harm Event, and notwithstanding all other terms set forth in section VII.E.1., an Insured shall: a)give us written notice of any discovered Reputational Harm Event during the applicable Reputational Harm Indemnity Period following the first occurrence of such Reputational Harm Event. Any notice of a Reputational Harm Event described in paragraph 11)a) above must include details and clear evidence that: b)such Reputational Harm Event is reasonably expected to lead, or already has led, to Reputational Harm Loss; and c)such Reputational Harm Loss is directly attributable to such Reputational Harm Event. All other terms, conditions, and exclusions of the Policy shall remain unchanged. AB-CYB-034 02/2019 ©2019 Page 4 of 4 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD This endorsement is attached to, forms part of, and modifies: Policy number: 6603772-01 Named Insured: Rule4, Inc. Contingent and Direct System Failure Insurance coverage underwritten by HSB Specialty Insurance Company | One State Street | Hartford, CT 06102-5024 In consideration of the premium charged, it is agreed that the Policy is amended as follows: 1)The following is added to the Policy: The applicable and respective values of Direct System Failure Limit, Contingent System Failure Limit and System Failure Waiting Period are stated in the following table. Value Direct System Failure Limit:$3,000,000. Contingent System Failure Limit:$3,000,000. System Failure Waiting Period:8 hours. 2)The following is added to section II. Limits of Insurance: The following provisions shall apply solely with respect to coverage provided under Insuring Agreements I.C.1. and I.C.2., in addition and subject to the provisions of section II. Limits of Insurance, and notwithstanding anything in the Policy to the contrary. a)With respect to coverage provided and applied under Insuring Agreements I.C.1., the Direct System Failure Limit is: i)part of and not in addition to the Aggregate Limit of Insurance and the applicable Sub-Limit of Insurance stated in ITEM 6 of the Declarations for Insuring Agreements I.C.1.. b)With respect to coverage provided and applied under Insuring Agreements I.C.2., the Contingent System Failure Limit is: i)part of and not in addition to the Aggregate Limit of Insurance and the applicable Sub-Limit of Insurance stated in ITEM 6 of the Declarations for Insuring Agreements I.C.2.. AB-CYB-045 02/2019 ©2019 Page 1 of 4 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD 3)The following is added to the section III. Retention: In addition and subject to all other provisions of Section III. Retention and solely with respect to coverage provided under Insuring Agreements I.C.1. and I.C.2., if a System Disruption of Computer Systems results from a System Failure then: a)for each such System Disruption: i)our liability shall apply only after the System Failure Waiting Period has elapsed; and ii)only to that portion of Loss incurred by the Insured Organization after such System Failure Waiting Period has elapsed; and b)if the applicable System Disruption is covered under both Insuring Agreements I.C.1. and I.C.2.: i)the sum of the System Failure Waiting Periods shall not exceed the largest applicable System Failure Waiting Period; and c)if such System Disruption is also the result of a Network Security Event or Information Privacy Event: i)the System Failure Waiting Period shall apply only to that portion of the System Disruption which is a direct result of a System Failure. 4)Section V. Definitions, 49. Period of Restoration, is deleted and replaced with the following: 49. Period of Restoration means the continuous period of time that: a.begins: i.with respect to a System Disruption that is not caused by a System Failure, with the earliest date a System Disruption first occurred; or ii.with respect to a System Disruption that is caused by a System Failure, with the expiration of the System Failure Waiting Period; and b.ends on the date when Insured Computer Systems or External Computer Systems are, or could have been, repaired or restored with reasonable speed to the same functionality and level of service which existed prior to the System Disruption. A Period of Restoration shall not exceed one hundred eighty (180) days from the date the applicable System Disruption first occurred; provided, however, that the end of the Policy Period shall not cut short the Period of Restoration. 5)Section V. Definitions, 65. System Disruption, is deleted and replaced with the following: 65.System Disruption means the measurable interruption, suspension, degradation, or failure in the service of: a.with respect to Insuring Agreement I.C.1., Insured Computer Systems; and AB-CYB-045 02/2019 ©2019 Page 2 of 4 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD b.with respect to Insuring Agreement I.C.2., External Computer Systems; directly caused by a Network Security Event, Information Privacy Event, or System Failure. 6)The following are added to section V. Definitions: a)Contingent System Failure Limit means, solely with respect to coverage provided under Insuring Agreements I.C.2., the amount stated as the value of Contingent System Failure Limit within the table under part 1) of this endorsement. The Contingent System Failure Limit is the most we shall pay, and represents our maximum liability, for all Contingent Business Interruption Loss, Extra Expense, Public Relations Loss, and Reward Expense Loss, combined, resulting from a System Disruption of External Computer Systems caused by a System Failure. b)Direct System Failure Limit means, solely with respect to coverage provided under Insuring Agreements I.C.1., the amount stated as the value of Direct System Failure Limit within the table under part 1) of this endorsement. The Direct System Failure Limit is the most we shall pay, and represents our maximum liability, for all Business Interruption Loss, Extra Expense, Public Relations Loss, and Reward Expense Loss, combined, resulting from a System Disruption of Insured Computer Systems caused by a System Failure. c)Human Error or Omission means an operating error or omission by: i)an Employee; or ii)an entity which is not an Insured Organization, or a person who is not an Insured Person, in their provision, fulfillment or delivery of services to an Insured Organization. Human Error or Omission includes, but is not limited to, errors or omissions in the selection, utilization, choice, or incorrect or inappropriate intervention of computer programs, software and parameters. d)Infrastructure Power Failure means a failure, surge or capacity reduction of an electrical system, network or infrastructure under the direct operational control of the Insured Organization. e)Programming Error means an error that occurs during the programming, development or encoding of any computer software, program, application, firmware, or operating system that results in an interruption of the Insured Organization’s operations or the malfunction or inoperability of Computer Systems. f)System Failure means any unplanned and measurable interruption, suspension, degradation, or failure in the service of Computer Systems which is not directly caused by a Network Security Event or Information Privacy Event. System Failure includes, but is not limited to, an unplanned: i)Human Error or Omission; ii)Programming Error; or AB-CYB-045 02/2019 ©2019 Page 3 of 4 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD iii)Infrastructure Power Failure. g)System Failure Waiting Period means the number of hours stated as the value of System Failure Waiting Period within the table under part 1) of this endorsement. The System Failure Waiting Period begins at the date and time the actual System Disruption starts and ends after the number of System Failure Waiting Period hours have elapsed. 7)The following is added to section VI. Exclusions, B.: Exclusively with respect to Insuring Agreement I.C.1., this Policy shall not apply to any Loss resulting from a System Disruption caused by a System Failure: a)if such System Failure is attributable to a Programming Error made to Insured Computer Systems. However, this exclusion shall not apply if: b)the Insured Organization can provide us evidence that the applicable Programming Error arises from a computer software, program, application, firmware, or operating system (including previous versions thereof) that is, or previously was, fully developed and successfully tested in its operational environment for twenty five (25) or more days. All other terms, conditions, and exclusions of the Policy shall remain unchanged. AB-CYB-045 02/2019 ©2019 Page 4 of 4 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD This endorsement is attached to, forms part of, and modifies: Policy number: 6603772-01 Named Insured: Rule4, Inc. CRC Amendatory Endorsement Insurance coverage underwritten by HSB Specialty Insurance Company | One State Street | Hartford, CT 06102-5024 In consideration of the premium charged, it is agreed that the Policy is amended as follows: 1)Section IV. Defense & Settlement of Claims, B. Settlement, item 1.b., is deleted and replaced with the following: b.we shall pay and maintain responsibility for ninety percent (90%) of all Claim Expenses and Damages that are in excess of the amount referenced in paragraph IV.B.1.a. above. 2)Section V. Definitions, 17. Damages, paragraph f., is deleted and replaced with the following: f.with respect to a Regulatory Claim under Insuring Agreement I.A.2., any: i)Regulatory Penalties; ii)GDPR Penalties; and iii)Regulatory Assessments and Expenses, including any HIPAA/HITECH Betterment Expenses. 3)Section V. Definitions, 18. Data Recovery Loss, is deleted and replaced with the following: 18.Data Recovery Loss means reasonable and necessary costs and expenses incurred or paid by an Insured Organization to: a.replace and restore corrupted, destroyed, lost, stolen or inadvertently or accidentally damaged software; b.re-create and recover corrupted, destroyed, lost, stolen or inadvertently or accidentally damaged data in electronic form which is, or was, stored on a Computer System; c.re-create and recover corrupted, destroyed, lost, stolen or inadvertently or accidentally damaged data in non-electronic form for which there is no electronic source available; and d.to retain the services of a Cyber Response Firm to provide consultative and professional services related to Data Recovery Loss described in paragraphs V.18.a.–V.18.c. above. 4)The following is added to section V. Definitions, 27. Funds or Securities: Funds or Securities also means any tangible, physical, or other assets which maintain a fungible, market, or transferrable monetary value. AB-CYB-CRC_001 06/2019 ©2019 Page 1 of 4 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD Funds or Securities includes Funds or Securities: a)that are owned by, or under the care, custody or control of, the Insured Organization; or b)held in escrow by, or under the care, custody or control of, the Insured Organization. 5)The following is added to section V. Definitions, 38. Malicious Code: Malicious Code includes Bricking that is functionally equivalent to Malicious Code described in paragraphs V.38.a. and V.38.b.. 6)Section V. Definitions, 44. Notification Loss, the last paragraph, is deleted and replaced with the following: Notification Loss includes costs and expenses incurred in order to comply with applicable Privacy Regulations and shall follow the law of the applicable jurisdiction which most favors coverage for such costs and expenses. Those voluntary costs and expenses not required to comply with any applicable Privacy Regulations shall be subject to, and require, our prior consent if the total amount of such costs and expenses exceeds $100,000. 7)Section V. Definitions, 49. Period of Restoration, the last paragraph, is deleted and replaced with the following: A Period of Restoration shall not exceed two hundred ten (210) days from the date the applicable System Disruption first occurred; provided, however, that the end of the Policy Period shall not cut short the Period of Restoration. 8)The following is added to section V. Definitions, 58. Regulatory Assessments and Expenses: Regulatory Assessments and Expenses includes HIPAA/HITECH Betterment Expenses, if applicable; provided, however, that: a)our maximum liability under this Policy and the most we shall pay for HIPAA/HITECH Betterment Expenses shall be $25,000; b)the amount set forth in paragraph V.58.a) above is part of and not in addition to: i)the Aggregate Limit of Insurance; and ii)the amount stated in ITEM 6. as the Sub-Limit of Insurance for Insuring Agreement I.A.2. Regulatory Liability of the Declarations; and c)HIPAA/HITECH Betterment Expenses shall only be considered Damages covered under this Policy to the extent such HIPAA/HITECH Betterment Expenses are deemed insurable under the applicable laws of any jurisdiction which most favors coverage and which has a substantial relationship to an Insured, us, this Policy or the Regulatory Claim which gave rise to such HIPAA/HITECH Betterment Expenses. 9)Section V. Definitions, 66. System Restoration Loss, paragraph a., is deleted and replaced with the following: a.restore Computer Systems to their level of functionality immediately prior to the applicable Network Security Event, including: AB-CYB-CRC_001 06/2019 ©2019 Page 2 of 4 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD i.replacing or reinstalling software programs contained therein; and ii.replacing or reinstalling computer hardware contained therein; provided, however, that this paragraph V.66.a.ii. is subject to: (a)section V. Definitions, 37. Loss, paragraph f. ii.; and (b)our determination that the replacement or reinstallation of computer hardware is essential to or will reduce the cost of the restoration effort of Computer Systems described in paragraph V.66.a. above; 10)The following is added to section V. Definitions: Bricking means any software or computer program which is purposefully designed to adversely affect and render any computer hardware or “IoT” device, including any critical computer hardware, components, or software program contained therein, as useless, inaccessible, damaged, or non-functional to an extent which is beyond reasonable repair or restoration. 11)The following is added to section V. Definitions: HIPAA/HITECH Betterment Expenses means reasonable and necessary costs and expenses the Insured Organization becomes legally obligated to pay as a direct result of, and as part of, a final settlement or adjudication of a Regulatory Claim to: a)create, iterate or improve the Insured Organization’s internal policies or practices in order to establish or re-establish the Insured Organization’s compliance with the following Privacy Regulations; i)the U.S. Health Insurance Portability and Accountability Act (HIPAA), as amended; and/or ii)the Health Information Technology for Economic and Clinical Health Act (HITECH), as amended. HIPAA/HITECH Betterment Expenses are part of and not in addition to Regulatory Assessments and Expenses. 12)Section VI. Exclusions, B. Exclusions Applicable to Particular Insuring Agreements, item 2. Insured vs. Insured, paragraph b., is deleted and replaced with the following: b.entity, if fifteen percent (15%) or more of its equity is owned, controlled, operated or managed, directly or indirectly, by any Insured at the time the Wrongful Act is committed or Claim is made; or 13)Section VI. Exclusions, C. Exclusions Applicable to Financial Fraud Insuring Agreements, item 3. Forged or Altered Instruments, is deleted and replaced with the following: 3.Forged or Altered Instruments resulting directly from forged, altered, or fraudulent negotiable instruments, securities, documents or written instructions. 14)The following is added to section VII. Conditions, A., 2. Additional Insureds, paragraph a.: AB-CYB-CRC_001 06/2019 ©2019 Page 3 of 4 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD Notwithstanding section VII. Conditions, J. Other Insurance, of this Policy, this Policy shall be primary to any insurance maintained by any third party entity afforded coverage as an additional insured pursuant to this section VII.A.2.a.. 15)Section VII. Conditions, B., 2. Subsidiary Acquisition or Creation, is deleted and replaced with the following: 2.Subsidiary Acquisition or Creation If, during the Policy Period, an Insured Organization acquires or creates another entity whose gross revenues exceed thirty five percent (35%) of the consolidated gross revenues of the Insured Organization, as of the most recent fiscal year prior to the effective date of this Policy, and such that the acquired or created entity becomes a Subsidiary, then such Subsidiary shall only be considered an Insured Organization for a period of ninety (90) days following its acquisition or formation unless: a.the Named Insured provides us written notice within ninety (90) days of the full particulars of such entity and agrees to any additional premium and amendments to this Policy relating to such entity; and b.we have ratified our acceptance of such entity as a Subsidiary by endorsement to this Policy. 16)The following is added to section VII. Conditions, J. Other Insurance, item 1.: Additionally, however, subject to and notwithstanding all other terms and conditions of this Policy: a)the Insured’s payment of a retention or deductible under such other insurance shall reduce, by the amount of such payment that would otherwise have been covered under this Policy, the Retention under any applicable Third Party Coverage or First Party Coverage of this Policy, up to the amount that such applicable Retention is considered fully paid by the Insured and satisfied under this Policy; and b)solely with respect to all Insuring Agreement(s) included under this Policy excepting Insuring Agreement I.E.1., Social Engineering, and Insuring Agreement I.E.2., Computer Fraud: i)this Policy shall cover applicable Loss, Claim Expenses and Damages otherwise covered under this Policy on a primary basis. 17)The following is added to section VII. Conditions, K. Subrogation, item 2.: Furthermore, we shall also not subrogate as described in paragraph VII.K.1. above: a)against any entity which is considered an additional insured under this Policy, as set forth under and pursuant to section VII.A.2., Additional Insureds. All other terms, conditions, and exclusions of the Policy shall remain unchanged. AB-CYB-CRC_001 06/2019 ©2019 Page 4 of 4 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD This endorsement is attached to, forms part of, and modifies: Policy number: 6603772-01 Named Insured: Rule4, Inc. War & Cyber Terrorism Enhancement Insurance coverage underwritten by HSB Specialty Insurance Company | One State Street | Hartford, CT 06102-5024 In consideration of the premium charged, it is agreed that the Policy is amended as follows: 1)The following is added to section V. Definitions: For the purposes of this endorsement and subject to the conditions, limitations, and other terms contained herein: a)Cyber Terrorism means the premeditated use of disruptive activities, or the threat to use disruptive activities, against a Computer System, including any associated network and data stored thereon, with the intention to cause harm, to further social, ideological, religious, political, or similar objectives, or to intimidate any person in furtherance of such objectives. Provided further, however, that such activities set forth in item 1)a) directly above shall not be considered Cyber Terrorism when such activities are committed by, or at the express direction of, a government simultaneously engaged in an active conflict involving physical combat by one or more military forces of, or operating at the direction of, nation states or factions in the case of a civil war. 2)Section VI. Exclusions, A. Exclusions Applicable to All Insuring Agreements, item 9. War, is deleted and replaced with the following: 9.War alleging, based upon, arising out of, or attributable to war, invasion, acts of foreign enemies, hostilities or warlike operations (whether war is declared or not), strike, lock-out, riot, civil war, rebellion, revolution, insurrection, or civil commotion assuming the proportions of, or amounting to, an uprising, or military or usurped power. However, this exclusion shall not apply to Cyber Terrorism. All other terms, conditions, and exclusions of the Policy shall remain unchanged. AB-CYB-064 10/2019 ©2019 Page 1 of 1 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD This endorsement is attached to, forms part of, and modifies: Policy number: 6603772-01 Named Insured: Rule4, Inc. California Consumer Privacy Act Enhancement Insurance coverage underwritten by HSB Specialty Insurance Company | One State Street | Hartford, CT 06102-5024 In consideration of the premium charged, it is agreed that the Policy is amended as follows: 1)The following is added to section V. Definitions: CCPA Penalties means Regulatory Penalties an Insured becomes legally obligated to pay as a result of a Regulatory Claim for such Insured’s actual, alleged or reasonably suspected non-compliance with the California Consumer Privacy Act, as amended. 2)The following is added to section V. Definitions, 17. Damages: Damages include CCPA Penalties to the same extent that Damages include Regulatory Penalties, but solely with respect to, subject to, and notwithstanding the terms and conditions set forth in paragraph V.17.f.. 3)The following is added to section V. Definitions, 30. Information Privacy Event: Information Privacy Event, paragraph V.30.c., also includes, but is not limited to, any violation of the California Consumer Privacy Act, as amended, including any violation of requirements therein which govern the Insured Organization’s use, sale, processing, profiling, acquisition, sharing, maintenance, and retention of Protected Personal Information. 4)The following is added to section V. Definitions, 54. Privacy Regulations: Privacy Regulations include the California Consumer Privacy Act, as amended. 5)The following is added to section V. Definitions, 59. Regulatory Claim: Regulatory Claim includes any Claim brought by, or on behalf of, any supervisory authority enforcing the California Consumer Privacy Act, as amended. 6)The following is added to section V. Definitions, 60. Regulatory Penalties: Regulatory Penalties includes CCPA Penalties, but only to the extent such CCPA Penalties are civil fines or penalties imposed against an Insured: a)by any supervisory authority enforcing the California Consumer Privacy Act, as amended; and b)as a direct result of an otherwise covered Regulatory Claim. All other terms, conditions, and exclusions of the Policy shall remain unchanged. AB-CYB-062 10/2019 ©2019 Page 1 of 1 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD This endorsement is attached to, forms part of, and modifies: Policy number: 6603772-01 Named Insured: Rule4, Inc. Law Enforcement Cooperation Enhancement Insurance coverage underwritten by HSB Specialty Insurance Company | One State Street | Hartford, CT 06102-5024 In consideration of the premium charged, it is agreed that the Policy is amended as follows: 1)The following is added to section VII. Conditions, E. Notice: Notwithstanding anything in section VII.E.2., Notice of Circumstances, to the contrary: a)In the event an Insured receives a request from a law enforcement authority to keep confidential certain information about an actual, possible, or reasonably suspected Cyber Event or Wrongful Act, then the notice of such Cyber Event or Wrongful Act, including any Claim relating to or arising out of such Cyber Event or Wrongful Act, shall be considered timely under this Policy, provided the Insured: i)requests permission from such law enforcement authority to share such information with us as soon as practicable following the receipt of such a request; ii)only withholds from us that portion of the information that the law enforcement authority has instructed such Insured not share with us; and iii)provides us with a full notice of such Cyber Event, Wrongful Act, or Claim as soon as legally possible after the law enforcement authority permits such Insured to share with us the full notice. b)Furthermore, with respect to any failure or delay by the Insured in providing information to us following receipt of a law enforcement authority request as set forth in part 1)a) of this endorsement: i)the Insured’s failure to provide documentation to us, or otherwise cooperate with us, will not be the basis for a denial of coverage for any Cyber Event or Claim under this Policy, but only to the extent the procedure set forth in part 1)a) of this endorsement is followed in connection with such authorized law enforcement request. Notwithstanding the above, no coverage shall be afforded for any Cyber Event or Claim if the information withheld relating to such Cyber Event or Claim is subject to exclusion under section VI.A.6., Prior Knowledge, section VI.A.7., Pending or Prior Proceedings, or any other limitation in this Policy relating to any misrepresentations provided in the Application. All other terms, conditions, and exclusions of the Policy shall remain unchanged. AB-CYB-066 10/2019 ©2019 Page 1 of 1 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD This endorsement is attached to, forms part of, and modifies: Policy number: 6603772-01 Named Insured: Rule4, Inc. Voluntary & Preventative Shutdown Coverage Insurance coverage underwritten by HSB Specialty Insurance Company | One State Street | Hartford, CT 06102-5024 In consideration of the premium charged, it is agreed that the Policy is amended as follows: 1)The following is added to section V. Definitions, 65. System Disruption: Subject to our prior consent, which will not be unreasonably withheld, System Disruption includes a measurable interruption, suspension, degradation, or failure in the service of: a)with respect to Insuring Agreement I.C.1. Direct Business Interruption, Insured Computer Systems; and b)with respect to Insuring Agreement I.C.2. Contingent Business Interruption, External Computer Systems: directly caused by a Voluntary Shutdown. 2)The following is added to section V. Definitions: Voluntary Shutdown means an Insured’s voluntary, intentional, and reasonably necessary shutdown of: a)with respect to Insuring Agreement I.C.1. Direct Business Interruption, Insured Computer Systems in response to a credible or actual threat of an Information Privacy Event, a Network Security Event, or, if attached as an endorsement to this Policy, a System Failure expressly directed against such Insured Computer Systems, but only to the extent that: i)a System Disruption may reasonably be expected in the absence of such shutdown; and ii)such shutdown serves to mitigate, reduce, or avoid Business Interruption Loss; and b)with respect to Insuring Agreement I.C.2. Contingent Business Interruption, the Insured’s connectivity or access to External Computer Systems in response to an actual Information Privacy Event, Network Security Event, or, if attached as an endorsement to this Policy, System Failure against such External Computer Systems, but only to the extent that: i)a System Disruption may reasonably be expected in the absence of such shutdown; and ii)such shutdown serves to mitigate, reduce, or avoid Contingent Business Interruption Loss. All other terms, conditions, and exclusions of the Policy shall remain unchanged. AB-CYB-063 10/2019 ©2019 Page 1 of 1 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD This endorsement is attached to, forms part of, and modifies: Policy number: 6603772-01 Named Insured: Rule4, Inc. Reliance on Other Carrier’s Application Endorsement Insurance coverage underwritten by HSB Specialty Insurance Company | One State Street | Hartford, CT 06102-5024 In consideration of the premium charged, it is agreed that the Policy is amended as follows: 1)The following is added to section VII. Conditions, I. Representations & Severability, and is applicable notwithstanding other Policy forms that amend such sections: For the purposes of this section, Application also means CyberPolicy’s CyberPolicy Tech E&O Application application for insurance, executed on 01/16/2020 by or on behalf of the Insured, including any applications, materials, attachments, and documents submitted and statements and representations made in connection with such application (“supporting materials”). Such application and any supporting materials are deemed attached to and incorporated into this Policy. No inconsistency between any term or phrase used in such application and any supporting materials and any term defined in this Policy will waive or change any of the terms, conditions and limitations of this Policy. In granting coverage under this Policy, it is agreed that we have relied upon the accuracy and completeness of such application and any supporting materials. All other terms, conditions, and exclusions of the Policy shall remain unchanged. AB-CYB-042 08/2018 ©2018 Page 1 of 1 DocuSign Envelope ID: E131706D-1A3C-46D6-9BDC-336EBABA0ACD