Summary of Form Changes
e-md/MEDEFENSE Plus Insurance Policy (from version P1818CE-0115 to P1818CE-0716)

GENERAL CHANGES

1. Notice Provisions

a. Currently, the policy requires notice to the Underwriters of a Claim no later than sixty (60) days after the Claim is made. Form P1818CE-0716 has been revised to require notice to the Underwriters of a Claim as soon as practicable, but no later than sixty (60) days after expiration of the Policy, or during the extended reporting period, if applicable. However, the notice provisions for BrandGuard have not changed; notice of Claim under that insuring agreement must still be made during the Period of Indemnity.

b. The contact information for NAS Insurance Services, LLC in Item 9 of the Declarations has been amended to include an email address for reporting Claims.

2. Title Change to Named Coverage IV

Named Coverage IV: Privacy Breach Response Costs, Notification Expenses, and Breach Support and Credit Monitoring Expenses is now Named Coverage IV: Breach Event Costs.

3. Consolidation of Cyber Terrorism into Network Asset Protection

Currently, the policy includes a separate insuring agreement for income loss, interruption expenses and special expenses resulting from an act of cyber terrorism. Form P1818CE-0716 has been revised to delete that separate insuring agreement and incorporate coverage for income loss, interruption expenses and special expenses resulting from an act of cyber terrorism into Named Coverage VI: Network Asset Protection.

4. Incorporation of Cyber Crime and PCI DSS Liability Insuring Agreements

Form P1818CE-0716 now includes Named Coverage VIII: Cyber Crime and Named Coverage IX: PCI DSS Liability. Both insuring agreements were previously only available by endorsement.

5. Elimination of Special Expenses Co-insurance

Currently, the policy provides for 10% co-insurance, each and every loss, for Special Expenses payable under Named Coverage VI: Network Asset Protection. Such co-insurance has been eliminated in form P1818CE-0716.

6. MEDEFENSE Plus is Now Named Coverage X

Currently, MEDEFENSE Plus is Named Coverage IX. In Form P1818CE-0716, MEDEFENSE Plus is now Named Coverage X.

7. Retroactive Date Coverage Now Applicable to All Insuring Agreements

Currently, the policy does not provide retroactive date coverage for all insuring agreements (unless modified by endorsement). Form P1818CE-0716 now provides retroactive date coverage for all insuring agreements, including first party coverage.

8. New Mandatory Endorsements

Currently, the policy includes the following mandatory endorsements:
- Nuclear Incident Exclusion Clause
- War and Terrorism Exclusion Endorsement

Form P1818CE-0716 now includes the following mandatory endorsements:
- Nuclear Incident Exclusion Clause
- U.S. Treasury Department's Office of Foreign Assets Control (OFAC) Advisory Notice to Policyholders

We have withdrawn the War and Terrorism Exclusion Endorsement and incorporated the exclusion into the policy form.

9. Territorial Limits

Currently, the policy excludes claims, acts and events that occur in countries where the United States has declared or imposed sanctions or trade embargoes. Form P1818CE-0716 eliminates this exclusionary language to provide worldwide coverage.

10. Coverage for Exemplary Damages and Multiplied Damages; Limited Coverage for Liquidated Damages; Applicability of Most Favorable Law to Insurability of Punitive, Exemplary or Multiplied Damages

Currently, the policy's definition of damages expressly excludes the multiple portion of multiplied damages and liquidated damages. In addition, the policy is currently silent on coverage for exemplary damages. The definition of damages in form P1818CE-0716 now expressly includes exemplary and multiplied damages. Damages has also been revised to include most favorable law language for the insurability of punitive, exemplary and multiplied damages. Finally, the exclusion of liquidated damages has been softened to exclude only contractual liquidated damages to the extent such damages exceed the amount for which the Insured would have been liable in the absence of the liquidated damages agreement.

11. New Spousal or Domestic Partner Clause

Form P1818CE-0716 now includes Section 20. Spousal or Domestic Partner Extension, which extends coverage under the policy to the spouse or domestic partner of any natural person Insured, if such spouse or domestic partner is the subject of any Claim because of his or her marriage or domestic partnership with the Insured. Coverage does not, however, extend to the direct acts of an Insured's spouse or domestic partner.

12. Notable Changes in Section 21. Coverage For Created, Acquired or Sold Entities

Currently, the policy provides a period of sixty (60) days of automatic coverage for any newly acquired or created subsidiary. In order for coverage to extend beyond sixty (60) days, an additional premium must be paid for any subsidiary with revenues of more than 10% of the Named Insured's annual revenues. In form P1818CE-0716, that threshold has been increased to 15% of the Named Insured's annual revenues. Additionally, we took this opportunity to clarify that, with respect to any subsidiary with revenues of less than 15% of the Named Insured's annual revenues, coverage will extend for the duration of the policy period for no additional premium.

13. Notable Changes in Section 22. Coverage In the Event of a Takeover

Currently, only one year of tail coverage is available in the event of a takeover. Form P1818CE-0716 now includes 2 year and 3 year tail options for additional premium of 150% and 200%, respectively, of the annual policy premium. We have also clarified that annual policy premium includes any additional premium for endorsements.

CHANGES TO IMPORTANT NOTICE

We have revised the Important Notice on page one for consistency with the changes outlined in General Changes above and to more clearly distinguish the liability insuring agreements from the first party insuring agreements.

CHANGES TO SECTION 1. NAMED COVERAGES

We have revised Section 1. Named Coverages for consistency with the changes outlined in General Changes above. Also, we have revised all insuring agreements to delete the phrase "the entirety of."

CHANGES TO SECTION 2. DEFENSE, SETTLEMENT AND INVESTIGATION

We have revised Section 2. Defense, Settlement and Investigation for consistency with the changes outlined in General Changes above. We have also made minor editorial changes, including grammar corrections, to clarify language. Finally, we have taken this opportunity to modify paragraph e., concerning the Insured's refusal to consent to settlement (commonly known as the "hammer clause"), to clarify that (1) Underwriters' total liability will not exceed 50% of covered amounts, subject to the applicable Limit of Liability; and (2) the Insured will be responsible for the remaining 50% and any amounts in excess of the applicable Limit of Liability.

CHANGES TO SECTION 3. LIMITS OF LIABILITY, SECTION 4. RETENTION AND WAITING PERIOD AND SECTION 5. TERRITORIAL LIMITS

We have revised these sections for consistency with the changes outlined in General Changes above.

CHANGES TO SECTION 6. WHO IS INSURED

We have made minor editorial changes to this section. Also, we have deleted reference to "officer, director" and replaced with newly added definition of "executive."

CHANGES TO SECTION 7. DEFINITIONS

1. NEW DEFINITIONS

Form P1818CE-0716 now contains definitions for the following terms pertaining to Cyber Crime Coverage:
- Financial fraud
- Financial fraud loss
- Insured telecommunications system
- Money
- Other property
- Phishing attack
- Phishing attack loss
- Security (Securities)
- Telecommunications fraud
- Telecommunications fraud loss

Form P1818CE-0716 now contains definitions for the following terms pertaining to PCI DSS Liability Coverage:
- Acquiring bank
- Card association
- Merchant services agreement
- PCI DSS fines and assessments
- PCI DSS demand
- PCI Data Security Standard

The following new defined terms have been added for consistency with the changes outlined in General Changes above, to clarify coverage, or to broaden coverage:
- Act of terrorism
- Executive
- Insured computer system (replaces "Named Insured's computer system" and has been broadened to include, with respect to Named Coverage VII: Cyber Extortion only, a system operated by a cloud computing service provider)
- Personally identifiable information
- Private information
- Privacy policy
- Takeover
- Third party
- You and Your
- Your reputation (replaces "reputation")
- Vicariously liable
- Voluntary notification expenses (replaces "voluntary notification")

2. DELETED DEFINITIONS

The following defined terms have been deleted in their entirety:
- Named Insured's computer system (replaced by new term)
- Reputation (replaced by new term)
- Operational programs (no longer used in the form)
- Voluntary notification (replaced by new term)

3. REVISED DEFINITIONS

Generally, the definitions have been revised to incorporate new defined terms, where applicable. The following existing defined terms have been modified to be consistent with the changes outlined in General Changes above, to clarify coverage, or to broaden coverage:
- Act of cyber terrorism - clarified to reinforce it as an exception to exclusion 32 (War and Terrorism)
- Assumed under contract - editorial changes to clarify definition
- Brand loss - previously defined as revenue, less variable costs, but has been simplified in the new form as net profit
- Breach support and credit monitoring expenses - expanded to include the costs an Insured incurs on its own behalf or on behalf of others for whom the Insured is vicariously liable. Other editorial changes have been made, including reordering of existing language and grammar corrections.
- Claim - broadened to include Cyber Crime and PCI DSS Liability
- Claim expenses - editorial changes to clarify definition
- Covered cause of loss - editorial changes to clarify definition; also, part 3 (Computer Crime and Computer Attacks) now includes an act of cyber terrorism
- Cyber extortion threat - now includes "interrelated" language to clarify intent if/when multiple, related or repeated threats occur
- Damages - modified as outlined in General Changes above; also now excludes PCI DSS fines and assessments
- Digital assets loss - editorial changes to clarify definition; additional exclusion for loss arising out of a physical cause or natural peril, such as fire, wind, or flood
- First party insured event - modified to delete reference to act of cyber terrorism and add Cyber Crime coverage
- Income loss - replaced "revenue" with "net profit" and other language changes to clarify intent
- Interruption expenses - modified to include the phrase "reasonable and necessary"; deleted the phrase "clearly and directly"; deleted all references to act of cyber terrorism; and added a complete exclusion for loss arising out of a physical cause or natural peril
- Media material - deleted the phrase "solely responsible" and replaced with "responsible"; added a sentence to clarify that the term does not include any tangible goods or products that are made, produced, processed, prepared, assembled, packaged, labeled, sold, handled or distributed by an Insured or other trading under the Insured's name.
- Notification expenses - expanded to include the costs an Insured incurs on its own behalf or on behalf of others for whom the Insured is vicariously liable. Other editorial changes have been made, including reordering of existing language and grammar corrections.
- Period of restoration - modified to delete references to act of cyber terrorism
- Privacy breach - reorganized and substantively broadened this definition to clarify intent
- Privacy regulations - substantively broadened this definition to clarify intent
- Proactive privacy breach response costs - added language to clarify that these costs are subject to a sub-limit
- Regulatory fines and penalties - added exclusion for PCI DSS fines and assessments
- Security and privacy wrongful act - added the following events as wrongful acts:
  o the inability of an authorized third party to gain access to your services;
  o the failure to prevent participation of an insured computer system in a denial of service attack directed against a third party
- Security breach - added act of cyber terrorism as another component to this term; reorganized the existing language for easier readability
- Special expenses - deleted all references to "act of cyber terrorism"; further language changes to clarify intent
- Waiting period - deleted all references to separate act of cyber terrorism insuring agreement
- Wrongful act - amended to include reference to new PCI DSS Liability coverage

CHANGES TO SECTION 8. EXCLUSIONS

1. REVISED EXCLUSIONS

Generally, the exclusions have been renumbered and modified to include punctuation changes, grammar corrections, reordering of existing language, or simple clarifications.
The following exclusions contain substantive revisions:
- Exclusion 18 (OFAC) - revised to include an exception for security breaches originating from any country where the United States has imposed economic or trade sanctions - consistent with changes to Section 5 (Territorial Limits)
- Exclusion 20 (liability assumed under contract) - revised to include an exception for liability assumed under a Merchant Services Agreement for PCI DSS fines and assessments
- Exclusion 26 (government enforcement of state/federal regulations) - revised to include an exception for an otherwise covered claim under Named Coverage X (Medefense Plus)
- Exclusion 32 (War and Terrorism) - revised to incorporate language from mandatory War and Terrorism Exclusion Endorsement
- Exclusion 35 (PCI DSS) - revised to expressly state that the only exception is an otherwise covered claim under Named Coverage IX: PCI DSS Liability
- Exclusion 36 (unfair competition; anti-trust) - revised to include an exception for allegations of deceptive trade practices that form an otherwise covered claim under Named Coverage II: Security and Privacy Liability
- Exclusion 37 (patent infringement; misappropriation of trade secret) - revised to delete reference to trade secret, which is now a separate exclusion (Exclusion 38)

2. NEW EXCLUSIONS

- Exclusion 38 (trade secrets) - formerly part of Exclusion 37; now a stand-alone exclusion which contains an exception for an otherwise covered claim under Named Coverage II alleging failure to prevent the misappropriation of a trade secret resulting from a security and privacy wrongful act
- Exclusion 47 (violations of TCPA, CAN SPAM Act) - includes an exception for violations arising out of a security breach
- Exclusion 49 (applicable to Named Coverage VIII: Cyber Crime) - excludes certain losses under that Named Coverage only
- Exclusion 50 (applicable to Named Coverage VIII Cyber Crime, Part A Financial Fraud) - excludes certain losses under that part of Named Coverage VIII only

3. DELETED EXCLUSIONS

- Exclusion 39 (operational programs)
- Exclusion 40 (delivered programs)
- Exclusion 41 (use of illegal or unlicensed programs)

CHANGES TO SECTION 10. EXTENDED REPORTING PROVISIONS

This section was revised to include 2 year and 3 year tail options for additional premium of 150% and 200%, respectively, of the annual policy premium. We have also clarified that annual policy premium includes any additional premium for endorsements.

CHANGES TO SECTION 11. NOTICE PROVISIONS

Form P1818CE-0716 has been revised to require notice to the Underwriters of a Claim as soon as practicable, but no later than sixty (60) days after expiration of the Policy, or during the extended reporting period, if applicable. However, the notice provisions for BrandGuard have not changed; notice of Claim under that insuring agreement must still be made during the Period of Indemnity.

CHANGES TO SECTION 12. LOSS DETERMINATION

The language of paragraph a, concerning brand loss, has been reorganized to reinforce that the brand loss payable will be calculated by taking into account 1) prior experience; 2) likely net profit had no covered event occurred; 3) income derived from substitute methods, facilities or personnel; 4) trends and circumstances affecting business; and 5) any fixed operating expenses that must continue during the period of indemnity. This is a clarification of coverage intent.

The language of paragraph c, concerning income loss, has been reorganized to reinforce that the income loss payable is the sum of lost net profit plus fixed operating expenses that must continue during the period of indemnity. Income loss will be calculated by taking into account 1) prior experience; 2) likely net profit had no covered event occurred; 3) income derived from substitute methods, facilities or personnel; and 4) trends and circumstances affecting business. This is a clarification of coverage intent.