Skip to content

Section III – Definitions

The bolded terms in this Policy have the meanings set forth in this SECTION III – DEFINITIONS, which are below.

A. Act of Terrorism

Any act that is certified by the Secretary of the Treasury of the United States, in concurrence with the Secretary of State and the Attorney General of the United States, to be an act of terrorism pursuant to the Terrorism Risk Insurance Act of 2002 (TRIA), or any renewal or amendment thereto.

B. Additional Insured

  1. Any person or entity that the Insured Organization has agreed in a written contract to add as an additional insured to the Policy, but only to the extent the Insured Organization would have been liable and coverage would have been afforded under the terms and conditions of this Policy had such Claim been made against the Insured Organization, and provided that any resulting Loss, damage or injury occurs: (i) subsequent to the execution of the written contract and (ii) on or after the applicable Retroactive Date; or
  2. Any person or entity for whom the Insured Organization is vicariously liable, but only to the extent the Insured Organization would have been liable and coverage would have been afforded under the terms and conditions of this Policy had such Claim been made against the Insured Organization, and provided that any resulting Loss, damage or injury occurs on or after the applicable Retroactive Date.

C. Adverse Media Event

  1. publication by a third party via any medium, including television, print, radio, electronic, or digital form of previously non-public information specifically concerning a Cyber Security Incident, Privacy Breach Incident, or Extortion Demand; or
  2. notification of individuals pursuant to part 5. of the Breach Investigation Costs definition.

Two or more Multiple Adverse Media Events arising from the same or a series of related, repeated, or continuing Cyber Security Incidents, Privacy Breach Incidents, or Extortion Demands, shall be treated as a single Adverse Media Event, and shall be deemed to occur at the time of the first such Adverse Media Event.

D. Automatic Extended Period

The 60-day additional period of time for reporting Claims as detailed in part A. of SECTION VIII – EXTENDED REPORTING PERIODS.

E. Breach Investigation Costs

Reasonable and necessary fees and costs for the following services provided to the Insured Organization by professionals on the Vendor Panel:

  1. for an attorney to determine legal notification requirements to natural persons or any governmental entity pursuant to applicable Breach Notification Laws;
  2. for a computer security expert to investigate and determine the cause and scope of the applicable Cyber Security Incident or Privacy Breach Incident and to assist in mitigating or containing an ongoing Cyber Security Incident or Privacy Breach Incident;
  3. to identify and notify those natural persons whose Protected Personal Information was potentially impacted by a Privacy Breach Incident;
  4. to provide a call center to respond to inquiries from those natural persons whose Protected Personal Information was potentially impacted by a Privacy Breach Incident;
  5. to provide monitoring and identity protection and restoration services to natural persons whose Protected Personal Information was potentially impacted by a Privacy Breach Incident, but only to the extent such services are required by applicable Breach Notification Laws; and
  6. to identify and notify those entities whose Confidential Corporate Information was potentially impacted by a Cyber Security Incident or Privacy Breach Incident.

Breach Investigation Costs do not include and We will not be required to pay any internal salary or overhead expenses of the Insured Organization or any costs the Insured Organization would be required to pay independent of a Cyber Security Incident or Privacy Breach Incident.

F. Breach Notification Laws

Any local, state, federal, or foreign laws, statutes, legislation, rules, or regulations which require entities which collect, process, or maintain Protected Personal Information to notify natural persons or regulatory or governmental authorities if Protected Personal Information has potentially or actually been compromised, accessed, or acquired without a natural person's authorization.

G. Bricking Loss

Reasonable and necessary costs incurred by the Insured Organization during the Period of Restoration to replace computer hardware or any associated devices or equipment owned by or leased to the Insured Organization that have been rendered non-functional due to the corruption or destruction of software or firmware as a direct result of a Cyber Security Incident, but only if reasonable efforts have been made to restore the functionality of such computers, devices or equipment. Bricking Loss does not include costs to replace software or Data. All Bricking Loss must be submitted pursuant to a Proof of Loss.

H. Business Income Loss

The Insured Organization's actual loss sustained during the Period of Restoration, subject to the Waiting Period, resulting from the reduction in business income and calculated using either of the following approaches:

  1. Net Profit Calculation: take the net profit or loss that the Insured Organization would have earned or incurred had no System Disruption occurred and add the normal operating expenses that must necessarily continue during the Period of Restoration (including payroll); or
  2. Gross Profit Calculation: take the revenue which the Insured Organization would have derived from the operating of the business had no System Disruption occurred and subtract any costs and expenses that must not necessarily continue during the Period of Restoration (including variable costs).

Business Income Loss also includes reasonable fees and costs for an external forensic accounting firm on the Vendor Panel to determine the amount of Business Income Loss.

Business Income Loss must be submitted pursuant to a Proof of Loss.

Business Income Loss does not include and We will not be required to pay:

  1. loss arising out of any liability to any third party;
  2. legal costs or legal expenses;
  3. loss incurred because of unfavorable business conditions;
  4. loss of market or any other consequential loss;
  5. Data Restoration Loss or costs to replace, recreate, restore, or repair computer programs, software, or electronic data; or
  6. Cyber Extortion Loss.

I. Claim

Any of the following:

  1. a written demand for monetary or non-monetary relief in satisfaction of a civil liability;
  2. a civil proceeding including a lawsuit, arbitration, mediation, or other alternative dispute resolution proceeding commenced by the filing or receipt of a complaint, written demand, or similar pleading;
  3. a request to toll or waive any applicable statute of limitations;
  4. with respect to part C. Regulatory Liability of SECTION II - 3RD PARTY INSURING AGREEMENTS only, a Regulatory Claim; or
  5. with respect to part D. PCI Liability of SECTION II - 3RD PARTY INSURING AGREEMENTS only, a PCI Claim.

A Claim does not include any criminal proceeding.

Two or more Claims which have a common nexus of fact, circumstance, situation, event, injury or damage, or cause, or a series of related facts, circumstances, situations, events, injuries or damages, or causes shall be treated as a single Claim. All such Claims shall be deemed made at the time of the first such Claim.

J. Claim Expenses

The following:

  1. reasonable and necessary fees, costs and expenses resulting from the investigation, adjustment, defense, and appeal of a Claim if incurred by Us, or by the Insured with Our prior written consent; and
  2. premium cost for appeal bonds for covered judgments or bonds to release property used to secure a legal obligation, if required in any Claim against an Insured; provided We will have no obligation to appeal or to obtain such bonds; and

Claim Expenses do not include and We will not be required to pay any salary, overhead, or other charges by the Insured for any time spent in cooperating in the defense and investigation of any Claim or circumstance that might lead to a Claim notified under this Policy, or costs to comply with any regulatory orders, settlements, or judgments.

K. Computer Systems

Any computer hardware, software, firmware, wireless device, data storage device, networking equipment, operating system, virtual machine, or electronic data storage or backup facility.

L. Confidential Corporate Information

Any confidential or proprietary information of an entity, other than the Insured Organization, which the Insured Organization is contractually or legally required to hold or maintain in confidence. However, Confidential Corporation Information does not include any information that is lawfully made available to the general public or Protected Personal Information.

M. Crisis Communications Loss

Reasonable and necessary fees and costs incurred by the Insured Organization for a 90-day period beginning after the Insured Organization first discovered the Incident and provided by professionals on the Vendor Panel or by other professionals retained with Our prior written consent to formulate and execute a crisis communications plan to mitigate harm to the Insured Organization as a direct result of the Incident.

N. Cryptocurrency

A digital currency or asset which is stored and transferred electronically, requires cryptographic techniques to generate and verify the transfer of units, and operates independently of any central bank or other central authority.

O. Cryptojacking Incident

The unauthorized use of or access to an Insured Computer Systems to mine for Cryptocurrency.

P. Cyber Extortion Loss

Subject to the conditions set forth in part E. of SECTION VII – NOTICE AND CONDITIONS, reasonable and necessary fees and costs incurred by the Insured Organization for the following services provided by professionals on the Vendor Panel or by other professionals retained with Our prior written consent:

  1. to determine any legal obligations as a direct result of an Extortion Demand;
  2. to negotiate with the threat actor that made the Extortion Demand; and
  3. to make payment of money, funds, digital currencies (including Cryptocurrencies ), or other assets on the Insured Organization's behalf to terminate or prevent an Extortion Demand, including transaction fees to procure any digital currencies.

Cyber Extortion Loss does not include and We will not be required to pay any internal salary or overhead expenses of the Insured Organization or any costs the Insured Organization would be required to pay independent of an Extortion Demand.

Q. Cyber Security Incident

Any of the following:

  1. unauthorized access or use of Insured Computer Systems, including by theft of a password or access code, or access or use by an unauthorized person or an authorized person for purposes not intended by the Insured Organization;
  2. a Distributed Denial of Service (DDoS) attack,
  3. an infection of Insured Computer Systemsby malicious code, including by malware, computer virus, worms, ransomware, spyware, and other electronic means (including ransomware or spyware) that denies access to or disrupts Insured Computer Systems; or
  4. a failure of computer security to prevent an incident detailed in parts 1. through 3. above.

R. Cyber Terrorism

Any Act of Terrorism perpetrated electronically or through computer systems that is directed towards the destruction, disruption, or subversion of communication and information systems, infrastructure, computers, the internet, telecommunications or electronic networks or its content thereof or sabotage or threat therefrom. Cyber Terrorism does not include any activities which contribute to or are in support of any military action, war, or warlike operation and shall not include any actions by state-sponsored actors.

S. Damages

Any:

  1. monetary amounts an Insured becomes legally obligated to pay because of a Claim, including: judgments, compensatory damages, settlements made with Our prior written consent, punitive, exemplary, and multiplied damages (where insurable under the applicable law), and pre- and post-judgment interest;
  2. with respect to part C. Regulatory Liability of SECTION II – 3RD PARTY INSURING AGREEMENTS only, Regulatory Damages; and
  3. with respect to part D. PCI Liability of SECTION II – 3RD PARTY INSURING AGREEMENTS only, PCI Damages.

Damages does not include and We will not be required to pay:

  1. fines, penalties, assessments, sanctions, or taxes; however, this does not apply to civil fines or penalties to the extent otherwise covered as Regulatory Damages or to punitive, exemplary, and multiplied damages (where insurable under the applicable law);
  2. loss of any Insured's fees or profits, return or offset of the Insured's fees or charges, or the Insured's commissions or royalties provided or contracted to be provided;
  3. return of any remuneration or financial advantage to which any Insured was not legally entitled;
  4. license fees of any kind;
  5. any amount which any Insured is not obligated to pay;
  6. matters that are uninsurable under applicable law;
  7. funds, monies, digital currencies, (including cyrptocurrencies), securities, or other assets that are stolen, lost, or transferred from an Insured's account or the account of any third party;
  8. costs of complying with orders granting injunctive, declaratory, or equitable relief (except for sums deposited in a consumer redress fund as equitable relief for the payment of consumer claims); and
  9. liquidated damages, but only to the extent that they exceed the amount which the Insured would have been liable to pay in the absence of such liquidated damages agreement.

T. Data

Any electronic data, or digital information that is stored on or exists in Insured Computer Systems.

U. Data Restoration Loss

Reasonable and necessary fees and costs incurred by the Insured Organization for:

  1. a professional on the Vendor Panel; or
  2. a professional not on the Vendor Panel with Our prior written consent.

to replace, recreate, restore, or repair Data to the same or substantially the same form and condition existing immediately before the Cyber Security Incident or, if such Data cannot be replaced, recreated, restored, or repaired, to assist the Insured Organization in making that determination.

If the Insured Organization intends to submit any internal fees and costs above those costs that the Insured Organization would normally be required to pay but for the Cyber Security Incident, such costs must be submitted pursuant to a Proof of Loss.

Data Restoration Loss does not include and We will not be required to pay:

  1. any internal salary or overhead expenses of the Insured Organization or any costs the Insured Organization would be required to pay independent of a Cyber Security Incident;
  2. the monetary value or profits, royalties, or lost market share related to Data, including trade secrets or other proprietary information pertaining to the value of Data;
  3. legal costs or expenses;
  4. loss arising out of any liability to a third party; or
  5. any Cyber Extortion Loss.

V. Digital Media Content

Text, images, data, graphics, sounds, music, photographs, videos, advertisements, webcasts, podcasts, blog or vlog posts, and online forum posts. However, Digital Media Content does not include computer software itself or the actual goods, products or services described, shown, or illustrated in such Digital Media Content.

W. Digital Media Wrongful Act

Any misstatement, misleading statement, act, error, omission, or breach of duty actually or allegedly committed or attempted by or on behalf of the Insured Organization, in the public display of Digital Media Content on the Insured Organization's website or posted by or on behalf of the Insured Organization on any social media site or anywhere on the internet, which results in:

  1. infringement, including copyright infringement, plagiarism or misappropriation of property rights, dilution of title, logo, slogan, domain name, metatag, trademark, trade name, trade dress, service mark, or service name;
  2. defamation, libel, slander, harassment, trespass, or other invasion of the right of private occupancy or any other form of defamation or harm to the character, reputation, or feelings of any person or entity, including product disparagement, trade libel, infliction of emotional distress, or prima facie tort; or
  3. invasion of the right of privacy or publicity, including the torts of intrusion upon seclusion, publication of private facts, or misappropriation of name or likeness.

X. Employee

Any natural person whose work or service is or was guided and engaged by an Insured Organization, including full-time or part-time laborers, interns, volunteers, seasonal or temporary laborers, or laborers whose service or work is or was leased by or to an Insured Organization.

Y. Executive Group

Any principal, partner, corporate officer, director, general counsel (or most senior legal counsel) or risk manager of the Insured Organization or any individual in a substantially similar position.

Z. Extended Reporting Periods

Collectively the Automatic Extended Reporting Period and Optional Extended Reporting Period.

AA. External Computer Systems

Any Computer Systems of a Technology Provider or Non-Technology Provider.

BB. External Cyber Security Incident

Any of the following:

  1. unauthorized access or use of External Computer Systems;
  2. a Distributed Denial of Service (DDoS) attack;
  3. an infection of External Computer Systems by malicious code, including by malware, computer virus, worms, ransomware, spyware, and other electronic means (including ransomware or spyware) that denies access to or disrupts External Computer Systems; or
  4. a failure of computer security to prevent an incident detailed in parts 1. through 3. above.

CC. External System Failure

An unintentional and unplanned full or partial interruption of External Computer Systems. External System Failure will not include any full or partial interruption resulting from a Cyber Security Incident, External Cyber Security Incident, or System Failure.

DD. Extortion Demand

A demand to any Insured Organization made by a third-party for money, funds, digital currencies (including Cryptocurrencies ), or other assets in exchange for:

  1. the deletion, return of, or refraining from disclosing Protected Personal Information or Confidential Corporate Information that is owned by or in the care, custody, or control of an Insured;
  2. not causing a Cyber Security Incident or Privacy Breach Incident;
  3. not publicizing that Data or Insured Computer Systems will be or have been impaired, compromised, or destroyed;
  4. not impairing, altering, locking, damaging, corrupting, encrypting, or destroying, or preventing access to Data;
  5. not preventing access to, interrupting, or suspending Insured Computer Systems; or
  6. not introducing malicious code onto Insured Computer Systems or to third party Computer Systems from Insured Computer Systems;

provided that the Insured and Us reasonably believe that the third-party's demand is credible and that there is imminent and probable danger that the extortionist can execute on its demand.

EE. Extra Expense

The following reasonable and necessary costs and expenses incurred by the Insured Organization during the Period of Restoration, subject to the Waiting Period, and submitted pursuant to a Proof of Loss :

  1. to reduce the Period of Restoration; and
  2. mitigate or reduce costs and expenses resulting from the System Disruption; and

Extra Expense also includes reasonable fees and costs for an external forensic accounting firm on the Vendor Panel to determine the amounts of Extra Expense.

Extra Expense does not include and We will not be required to pay:

  1. loss arising out of any liability to any third party;
  2. legal costs or legal expenses;
  3. loss incurred because of unfavorable business conditions; or
  4. loss of market or any other consequential loss.

  5. Data Restoration Loss or costs to replace, recreate, restore, or repair computer programs, software, or electronic data; or

  6. Cyber Extortion Loss.

FF. Incident

A Cryptojacking Incident, Cyber Security Incident, Extortion Demand, Privacy Breach Incident, System Disruption, Adverse Media Event, or any other incident described in SECTION I - 1ST PARTY INSURING AGREEMENTS or any other first-party insuring agreement added by endorsement to this Policy.

Two or more Incidents which have a common nexus of fact, circumstance, situation, event, injury or damage, or cause, or a series of related facts, circumstances, situations, events, injuries or damages, or causes shall be treated as a single Incident for purposes of this Policy that was first discovered during the Policy Period in which the earliest such Incident was discovered.

GG. Insured

Any of the following:

  1. the Insured Organization;
  2. any director or officer of the Insured Organization, including members of the Executive Group, but only with respect to the performance of the individual's duties as such on behalf of the Insured Organization;
  3. an Employee of the Insured Organization, but only for work done while acting within the scope of the individual's employment and related to the conduct of the Insured Organization's business;
  4. a principal if the Named Insured is a sole proprietorship, a member if the Named Insured is a limited liability company, or a partner or member if the Named Insured is a partnership or joint venture, but only with respect to the performance of the individual's duties as such on behalf of the Insured Organization;
  5. any person who previously qualified as an Insured under parts 2. - 4., but only with respect to the performance of the individual's duties as such on behalf of the Insured Organization;
  6. an Additional Insured, but only with respect to Claims against such individual or entity for acts, errors, or omissions of the Insured Organization;
  7. the estate, heirs, executors, administrators, assigns, and legal representatives of any party referenced in paragraphs 1.- 6. above in the event of such Insured's death, incapacity, insolvency, or bankruptcy, but only to the extent that such Insured would otherwise be provided coverage under this Policy; and
  8. the lawful spouse, including any natural person qualifying as a domestic partner of any individual referenced in paragraphs 2.- 6. above, but solely by reason of any act, error, or omission of an Insured other than such spouse or domestic partner.

HH. Insured Computer Systems

Any Computer Systems that is:

  1. operated by and either owned by or leased to the Insured Organization;
  2. operated by and either owned by or leased to an Employee or member of the Executive Group, but only if the individual's use of such Computer Systems is related to the individual's duties as an Employee or member of the Executive Group and in furtherance of the Insured Organization's business; or
  3. with respect to part A. Breach Investigation of SECTION I - 1ST PARTY INSURING AGREEMENTS and SECTION II - 3RD PARTY INSURING AGREEMENTS, operated by a third party for the Insured Organization's benefit pursuant to a written contract with the Insured Organization.

II. Insured Organization

The Named Insured and any Subsidiaries.

JJ. Loss

Breach Investigation Costs, Bricking Loss, Business Income Loss, Claim Expenses, Crisis Communication Loss, Cyber Extortion Loss, Damages, Data Restoration Loss, Extra Expense, Remediation Costs, Reputation Loss, Utility Loss, or any other amounts covered under this Policy.

KK. Management Control

Directly or indirectly owning interests representing more than fifty percent (50%) of the voting, appointment, or designation power, or having the right pursuant to a written agreement, by-laws, operating agreement, or similar document, to select a majority of the board of directors, trustees, or members of the management committee or management board or functional equivalent of an entity.

LL. Named Insured

The Named Insured listed in the Declarations.

MM. Non-Technology Provider

A third party that provides services to the Insured Organization pursuant to a written contract that does not fall within the definition of Technology Provider, or within the definition of exclusion K. Infrastructure.

NN. Nuclear Material

Any nuclear material or sites, including source material, special nuclear material or by-product material or any nuclear reactor, nuclear waste, storage or disposal site, or any other nuclear facility, the transportation of nuclear material, or any nuclear reaction or radiation, or radioactive contamination, regardless of its cause as defined in the Atomic Energy Act of 1954 or in any law amendatory thereof.

OO. Optional Extended Reporting Period

The additional period of time for reporting Claims and Incidents as detailed in part B. of SECTION VIII – EXTENDED REPORTING PERIODS beginning with the effective date this Policy is cancelled, non-renewed or expired and ending at the expiration date specified in the applicable Optional Extended Reporting Period Endorsement.

PP. PCI Claim

Any Claim, brought by or on behalf of a Payment Card Association or entity processing or providing payment card transactions, for the Insured Organization's non-compliance with the Payment Card Industry Data Security Standards or any other generally accepted standards of a payment processor whose payment method is accepted for processing, as required by the terms of amerchant services agreement or payment card processing agreement to which the Insured Organization is a party.

QQ. PCI Damages

Any of the following:

  1. the monetary amount owed by the Insured Organization under the terms of a merchant services agreement or payment card processing agreement as a direct result of a Privacy Breach Incident, including charge backs, interchange fees, discount fees, or other service-related fees, rates, or charges;
  2. reasonable and necessary fees for an external forensic firm that is a qualified Payment Card Industry Forensic Investigator to investigate and determine the cause and scope of a Privacy Breach Incident which led to a PCI Claim; and
  3. reasonable and necessary fees for a Qualified Security Assessor (QSA) to certify and assist in attesting to the Insured Organization's compliance with payment processor standards regarding the security, disclosure, and handling of Protected Personal Information (including Payment Card Industry Data Security Standards), as required by a merchant services agreement or payment card processing agreement.

RR. Period of Restoration

  1. With respect to the System Restoration Insuring Agreement (Section I.D.), the period beginning on the date a Cyber Security Incident was first discovered, and ending sixty (60) days thereafter;
  2. With respect to the Business Interruption and Contingent Business Interruption Insuring Agreements (Sections I.E. and I.F.), the period beginning on the date a System Disruption first occurred, and ending on the earlier of: (1) ninety (90) days following when the impacted Computer Systems are, or could have been, repaired or restored with reasonable speed to the same functionality and level of service which existed prior to the System Disruption; or (2) one hundred and eighty (180) days from the earliest date the applicable System Disruption first occurred.

SS. Policy

Collectively, the Declarations, application materials, all forms and endorsements (including any forms and endorsements listed in the Declarations) which are attached to and form part of this Policy.

TT. Policy Period

The period from the inception date, stated in the Declarations, to the earlier of the expiration date stated in the Declarations or the effective date of termination, expiration, or cancellation of the coverage provided by this Policy. However, Policy Period does not include the Automatic Extended Reporting Period, Optional Extended Reporting Period, or any prior policy period or renewal period.

UU. Pollutants

Any solid, liquid, gaseous, electromagnetic, or thermal irritant or contaminant, whether occurring naturally or otherwise, including smoke, vapor, soot, fumes, acids, alkalis, chemicals, asbestos, asbestos products, mold, fibers, spores, fungus, germs, pathogens, poisonous biological material, or waste (including materials to be recycled, reconditioned, or reclaimed).

VV. Privacy Breach Incident

The disclosure, theft, or loss of, or access to, Protected Personal Information or Confidential Corporation Information in the care, custody, or control of the Insured Organization or a third party for whom the Insured Organization is legally responsible, and in a manner that is not authorized by the Insured Organization and without the knowledge of a member of the Executive Group.

WW. Privacy Policy

The Insured Organization's publicly available written policies or procedures regarding the collection, use, disclosure, dissemination, access to, and correction or supplementation of Protected Personal Information.

XX. Proof of Loss

A verified proof of loss providing full details of the submitted potential Bricking Loss, Business Income Loss, Extra Expense, Remediation Costs, Reputation Loss, or internal Data Restoration Costs, including backup documentation, provided to Us as soon as practicable after the Insured Organization first discovers the Cyber Security Incident or System Disruption, but no later than 6 months after the end of the Policy Period.

YY. Protection Period

The period beginning on the date the Adverse Media Event firstoccurred and ending on the earlier of: (1) the date that the Insured Organization's gross revenues are restored to the level they would have been but for the Adverse Media Event; or (2) one hundred and eighty (180) days.

ZZ. Protected Personal Information

Any information stored in any format about a natural person that:

  1. is considered personal information under any Breach Notification Laws; or
  2. an individual's drivers license or state identification number, social security number, unpublished telephone number, and credit, debit or other financial account numbers in combination with associated security codes, access codes, passwords or PINs; if such information allows an individual to be uniquely and reliably identified or contacted or could be used to identify a natural person or allows access to a natural person's financial account or medical record information.

However, Protected Personal Information does not include any information that is lawfully made available to the general public or Confidential Corporate Information.

AAA. Regulatory Claim

A request for information, civil investigative demand or proceeding, or other civil proceeding brought by or on behalf of a local, state, federal, or foreign governmental authority in any jurisdiction in such entity's regulatory or official capacity.

BBB. Regulatory Damages

Any:

  1. civil monetary fines or penalties assessed by a governmental authority in a Regulatory Claim, to the extent insurable by the law of an applicable venue that most favors coverage for such amounts; and
  2. amounts which the Insured is legally obligated to deposit into a fund as equitable relief for the payment of consumer claims due to an adverse judgment or settlement of a Regulatory Claim.

Regulatory Damages does not mean and We will not be required to pay fees and costs to:

  1. comply with corrective actions or injunctive relief, or audit, assessment, compliance or reporting costs (except for amounts the Insured is legally obligated to deposit into a fund as equitable relief for the payment of consumer claims due to any adverse judgment or settlement of a Regulatory Claim);
  2. remediate or improve Computer Systems;
  3. establish, implement, maintain, improve, or remediate security or privacy practices, procedures, programs, or policies; or
  4. protect the confidentiality, integrity, or security of any information, including Protected Personal Information or Confidential Corporate Information.

CCC. Remediation Costs

Reasonable and necessary costs incurred by the Insured Organization during the Period of Restoration and recommended by professionals on the Vendor Panel to update, improve, enhance, or replace the Insured Computer Systems. However, such costs are only covered if they are less than the costs to restore the Insured Computer Systems to the same or substantially the same condition that existed immediately prior to the Cyber Security Incident. Remediation Costs do not include any updates, improvements, enhancements, or replacements of Data. All Remediation Costs must be submitted pursuant to a Proof of Loss.

DDD. Reputation Loss

The Insured Organization's actual loss sustained resulting from the reduction in business income and calculated as follows:

  1. the net profit or loss that the Insured Organization would have earned during the Protection Period but for an Adverse Media Event;
  2. the Insured Organization's continuing normal and reasonable operating expenses, including payroll, but only to the extent that such operating expenses must necessarily continue during the Protection Period; and
  3. reasonable fees and costs for an external forensic accounting firm on the Vendor Panel to determine the amount of Reputation Loss.

When calculating any Reputation Loss, due consideration will be given to any amounts made up during, or within a reasonable time after the end of, the Protection Period.

Reputation Loss does not include and We will not be required to pay:

  1. loss arising out of any liability to any third party;
  2. legal costs or legal expenses;
  3. loss incurred because of unfavorable business conditions;
  4. loss of market or any other consequential loss;
  5. loss resulting from a System Disruption or an interruption of an Insured Organization's business operations for any period of time;
  6. Breach Investigation Costs; or
  7. Cyber Extortion Loss.

EEE. Retroactive Date

The applicable date shown in the Declarations. If the Declarations is left blank or contains the phrase "Full Prior Acts," "N/A," "Not Applicable," or "None," then no Retractive Date applies to the Policy.

FFF. Subsidiary

Any entity over which:

  1. on, or prior to the inception date of this Policy, the Named Insured has Management Control; or

  2. the Named Insured acquires Management Control after the inception date of this Policy; provided that:

  3. the revenues of such entity do not exceed twenty five percent (35%) of the Named Insured's annual revenues; or

  4. if the revenues of such entity exceed twenty five percent (%) of the Named Insured's annual revenues, then coverage under this Policy will be afforded for a period of sixty (60) days, but only for any Claim or Loss that arises out of any act, error, omission, Incident, or event first occurring after the entity becomes so owned. Coverage beyond such 60-day period will only be available if the Named Insured gives the Us written notice of the acquisition, obtains Our written consent to extend coverage to the entity beyond such 60-day period, and agrees to pay any additional premium required by Us.

This Policy provides coverage only for acts, errors, omissions, Incidents, or events that occur while the Named Insured has Management Control over an entity.

GGG. System Disruption

The interruption, suspension, degradation, or failure of:

  1. with respect to part E. Business Interruption of SECTION I – 1ST PARTY INSURING AGREEMENTS, Insured Computer Systems directly caused by a Cyber Security Incident or System Failure; and
  2. with respect to part F. Contingent Business Interruption of SECTION I – 1ST PARTY INSURING AGREEMENTS, External Computer Systems directly caused by an External Cyber Security Incident or External System Failure,

causing an Insured Organization to be unable to continue normal business operations.

HHH. System Failure

An unintentional and unplanned full or partial interruption of Insured Computer Systems. System Failure will not include any full or partial interruption resulting from a Cyber Security Incident, External Cyber Security Incident, or External System Failure.

III. Technology Provider

A third party that provides information technology services to the Insured Organization pursuant to a written contract including:

  1. network and system support services, including information technology services or any other services that involve the design, development, installation, repair, maintenance, and ongoing support of networks and systems;
  2. cybersecurity services, such us endpoint monitoring or any other services that help protect networks, systems, and data from unauthorized access, theft, and damage;
  3. software programming and services, such as an Application Service Provider (ASP) or a provider of Software-as-a-Service (SaaS);
  4. data entry and processing;
  5. data and application hosting and related services including web hosting, data backup, data recovery, data conversion, and data destruction;
  6. digital marketing services, including the promotion of products or services through digital channels such as search engines, social media, email, and websites;
  7. Infrastructure-as-a-Service (IaaS), including data centers, co-location, cloud computing, or any other services that involve the operation and management of networks and systems;
  8. computer platform services, including Platform-as-a-Service (PaaS) or any other service that provides a platform for the development, running, maintaining, managing, testing, and deployment of applications; and
  9. website development and design services.

Provided that Technology Provider does not include a Non-Technology Provider.

JJJ. Utility Loss

Amounts charged to the Insured Organization for its use of utilities (including electricity, natural gas, water, oil, television, cable, internet, telephone, telecommunication, or other utilities) by a provider of such utilities that the Insured Organization would not have incurred had no Cryptojacking Incident occurred; provided that the amounts are:

  1. charged pursuant to a written contract between the Insured Organization and the respective utility provider that was executed before the Cryptojacking Incident first occurred;
  2. due for payment during the Policy Period;
  3. reflected in periodic bills or statements issued to the Insured Organization that detail the Insured Organization's usage of the respective utility; and
  4. not charged to the Insured Organization at a flat fee or pursuant to any other fee arrangement that does not change based on the Insured Organization's use of the respective utility.

KKK. Vendor Panel

The attorneys and other vendors approved by Us and identified on the Appendix attached to this Policy.

LLL. Waiting Period

The number of hours stated in the Declarations and begins when the System Disruption first occurred. Coverage for Business Income Loss and Extra Expense will apply where the duration of the System Disruption exceeds the Waiting Period.

MMM. We, Us and Our

The insurer issuing this Policy as shown in the Declarations.