Conquest Security Inc; 2020-04-23;
DocuSign Envelope ID: DF228AE3-9535-4833-A110-1CD52DC1D95E

AGREEMENT FOR CYBERSECURITY ASSESSMENT
CONQUEST SECURITY, INC.

THIS AGREEMENT is made and entered into as of the 23rd day of April, 2020, by and between the CITY OF CARLSBAD, a municipal corporation, ("City"), and Conquest Security, Inc. a Maryland corporation, ("Contractor").

RECITALS
A. City requires the professional services of a cybersecurity company that is experienced in cybersecurity assessment.
B. Contractor has the necessary experience in providing professional services and advice related to cybersecurity assessment.
C. Contractor has submitted a proposal to City and has affirmed its willingness and ability to perform such work.

NOW, THEREFORE, in consideration of these recitals and the mutual covenants contained herein, City and Contractor agree as follows:

1. SCOPE OF WORK
City retains Contractor to perform, and Contractor agrees to render, those services (the "Services") that are defined in attached Exhibit "A", which is incorporated by this reference in accordance with this Agreement's terms and conditions.

2. STANDARD OF PERFORMANCE
While performing the Services, Contractor will exercise the reasonable professional care and skill customarily exercised by reputable members of Contractor's profession practicing in the Metropolitan Southern California Area, and will use reasonable diligence and best judgment while exercising its professional skill and expertise.

3. TERM
The term of this Agreement will be effective for a period of one (1) year from the date first above written.

4. TIME IS OF THE ESSENCE
Time is of the essence for each and every provision of this Agreement.

5. COMPENSATION
The total fee payable for the Services to be performed during the Agreement term will be twenty-nine thousand nine hundred dollars ($29,900). No other compensation for the Services will be allowed. The City reserves the right to withhold a ten percent (10%) retention until City has accepted the work and/or Services specified in Exhibit "A". Incremental payments, if applicable, should be made as outlined in attached Exhibit "A".

6. STATUS OF CONTRACTOR
Contractor will perform the Services in Contractor's own way as an independent contractor and in pursuit of Contractor's independent calling, and not as an employee of City. Contractor will be under control of City only as to the result to be accomplished, but will consult with City as necessary. The persons used by Contractor to provide services under this Agreement will not be considered employees of City for any purposes.

City Attorney Approved Version 6/12/18

The payment made to Contractor pursuant to the Agreement will be the full and complete compensation to which Contractor is entitled. City will not make any federal or state tax withholdings on behalf of Contractor or its agents, employees or subcontractors. City will not be required to pay any workers' compensation insurance or unemployment contributions on behalf of Contractor or its employees or subcontractors. Contractor agrees to indemnify City within thirty (30) days for any tax, retirement contribution, social security, overtime payment, unemployment payment or workers' compensation payment which City may be required to make on behalf of Contractor or any agent, employee, or subcontractor of Contractor for work done under this Agreement. At the City's election, City may deduct the indemnification amount from any balance owing to Contractor.

7. SUBCONTRACTING
Contractor will not subcontract any portion of the Services without prior written approval of City.
If Contractor subcontracts any of the Services, Contractor will be fully responsible to City for the acts and omissions of Contractor's subcontractor and of the persons either directly or indirectly employed by the subcontractor, as Contractor is for the acts and omissions of persons directly employed by Contractor. Nothing contained in this Agreement will create any contractual relationship between any subcontractor of Contractor and City. Contractor will be responsible for payment of subcontractors. Contractor will bind every subcontractor and every subcontractor of a subcontractor by the terms of this Agreement applicable to Contractor's work unless specifically noted to the contrary in the subcontract and approved in writing by City.

8. OTHER CONTRACTORS
The City reserves the right to employ other Contractors in connection with the Services.

9. INDEMNIFICATION
Contractor agrees to indemnify and hold harmless the City and its officers, officials, employees and volunteers from and against all claims, damages, losses and expenses including attorneys fees arising out of the performance of the work described herein caused by any negligence, recklessness, or willful misconduct of the Contractor, any subcontractor, anyone directly or indirectly employed by any of them or anyone for whose acts any of them may be liable.

The parties expressly agree that any payment, attorney's fee, costs or expense City incurs or makes to or on behalf of an injured employee under the City's self-administered workers' compensation is included as a loss, expense or cost for the purposes of this section, and that this section will survive the expiration or early termination of this Agreement.

10. INSURANCE
Contractor will obtain and maintain for the duration of the Agreement and any and all amendments, insurance against claims for injuries to persons or damage to property which may arise out of or in connection with performance of the services by Contractor or Contractor's agents, representatives, employees or subcontractors. The insurance will be obtained from an insurance carrier admitted and authorized to do business in the State of California. The insurance carrier is required to have a current Best's Key Rating of not less than "A-:VII"; OR with a surplus line insurer on the State of California's List of Approved Surplus Line Insurers (LASLI) with a rating in the latest Best's Key Rating Guide of at least "A:X"; OR an alien non-admitted insurer listed by the National Association of Insurance Commissioners (NAIC) latest quarterly listings report.

10.1 Coverage and Limits. Contractor will maintain the types of coverage and minimum limits indicated below, unless the Risk Manager or City Manager approves a lower amount. These minimum amounts of coverage will not constitute any limitations or cap on Contractor's indemnification obligations under this Agreement. City, its officers, agents and employees make no representation that the limits of the insurance specified to be carried by Contractor pursuant to this Agreement are adequate to protect Contractor. If Contractor believes that any required insurance coverage is inadequate, Contractor will obtain such additional insurance coverage, as Contractor deems adequate, at Contractor's sole expense. The full limits available to the named insured shall also be available and applicable to the City as an additional insured.

10.1.1 Commercial General Liability (CGL) Insurance.
Insurance written on an "occurrence" basis, including personal & advertising injury, with limits no less than $1,000,000 per occurrence with a $2,000,000 aggregate. If a general aggregate limit applies, either the general aggregate limit shall apply separately to this project/location or the general aggregate limit shall be twice the required occurrence limit.

10.1.2 Automobile Liability. (if the use of an automobile is involved for Contractor's work for City). $2,000,000 combined single-limit per accident for bodily injury and property damage.

10.1.3 Workers' Compensation and Employer's Liability. Workers' Compensation limits as required by the California Labor Code. Workers' Compensation will not be required if Contractor has no employees and provides, to City's satisfaction, a declaration stating this.

10.1.4 Professional Liability. Errors and omissions liability appropriate to Contractor's profession with limits of not less than $1,000,000 per claim, with an indemnification clause limiting vendor liability to $250,000. Coverage must be maintained for a period of five years following the date of completion of the work.

10.1.5 Cyber Insurance. Coverage limit to the amount of $1,000,000 per occurrence with a $1,000,000 aggregate.

10.2 Additional Provisions. Contractor will ensure that the policies of insurance required under this Agreement contain, or are endorsed to contain, the following provisions:

10.2.1 The City will be named as an additional insured on Commercial General Liability which shall provide primary coverage to the City.

10.2.2 Contractor will obtain occurrence coverage, excluding Professional Liability, which will be written as claims-made coverage.

10.2.3 This insurance will be in force during the life of the Agreement and any extensions of it and will not be canceled without thirty (30) days prior written notice to City sent by certified mail pursuant to the Notice provisions of this Agreement.
10.2.4 For cyber insurance, the Retroactive Date must be maintained and evidence of insurance must be provided for at least three (3) years after completion of the contract work.

10.3 Providing Certificates of Insurance and Endorsements. Prior to City's execution of this Agreement, Contractor will furnish certificates of insurance and endorsements to City.

10.4 Failure to Maintain Coverage. If Contractor fails to maintain any of these insurance coverages, then City will have the option to declare Contractor in breach, or may purchase replacement insurance or pay the premiums that are due on existing policies in order to maintain the required coverages. Contractor is responsible for any payments made by City to obtain or maintain insurance and City may collect these payments from Contractor or deduct the amount paid from any sums due Contractor under this Agreement.

10.5 Submission of Insurance Policies. City reserves the right to require, at any time, complete and certified copies of any or all required insurance policies and endorsements.

11. BUSINESS LICENSE
Contractor will obtain and maintain a City of Carlsbad Business License for the term of the Agreement, as may be amended from time-to-time.

12. ACCOUNTING RECORDS
Contractor will maintain complete and accurate records with respect to costs incurred under this Agreement. All records will be clearly identifiable. Contractor will allow a representative of City during normal business hours to examine, audit, and make transcripts or copies of records and any other documents created pursuant to this Agreement. Contractor will allow inspection of all work, data, documents, proceedings, and activities related to the Agreement for a period of three (3) years from the date of final payment under this Agreement.

13. OWNERSHIP OF DOCUMENTS
All work product produced by Contractor or its agents, employees, and subcontractors pursuant to this Agreement is the property of City. In the event this Agreement is terminated, all work product produced by Contractor or its agents, employees and subcontractors pursuant to this Agreement will be delivered at once to City. Contractor will have the right to make one (1) copy of the work product for Contractor's records.

14. COPYRIGHTS
Contractor agrees that all copyrights that arise from the services will be vested in City and Contractor relinquishes all claims to the copyrights in favor of City.

15. NOTICES
The name of the persons who are authorized to give written notice or to receive written notice on behalf of City and on behalf of Contractor under this Agreement.

For City
Name: Hendra Gunawan
Title: IT Security Manager
Department: Information Technology
City of Carlsbad
Address: 1635 Faraday Avenue, Carlsbad, CA 92008
Phone No.: 760.331.9847

For Contractor
Name: Mark P Williamson
Title: Managing Partner
Address: 267 Kentlands Blvd., #800, Gaithersburg, MD 20878
Phone No.: 301-905-2558
Email: mark@conquestsecurity.com

Each party will notify the other immediately of any changes of address that would require any notice or delivery to be directed to another address.

16. CONFLICT OF INTEREST
Contractor shall file a Conflict of Interest Statement with the City Clerk in accordance with the requirements of the City of Carlsbad Conflict of Interest Code. The Contractor shall report investments or interests in all categories.
Yes [ ] No [X]

17. GENERAL COMPLIANCE WITH LAWS
Contractor will keep fully informed of federal, state and local laws and ordinances and regulations which in any manner affect those employed by Contractor, or in any way affect the performance of the Services by Contractor.
Contractor will at all times observe and comply with these laws, ordinances, and regulations and will be responsible for the compliance of Contractor's services with all applicable laws, ordinances and regulations. Contractor will be aware of the requirements of the Immigration Reform and Control Act of 1986 and will comply with those requirements, including, but not limited to, verifying the eligibility for employment of all agents, employees, subcontractors and consultants whose services are required by this Agreement.

18. DISCRIMINATION AND HARASSMENT PROHIBITED
Contractor will comply with all applicable local, state and federal laws and regulations prohibiting discrimination and harassment.

19. DISPUTE RESOLUTION
If a dispute should arise regarding the performance of the Services the following procedure will be used to resolve any questions of fact or interpretation not otherwise settled by agreement between the parties. Representatives of Contractor or City will reduce such questions, and their respective views, to writing. A copy of such documented dispute will be forwarded to both parties involved along with recommended methods of resolution, which would be of benefit to both parties. The representative receiving the letter will reply to the letter along with a recommended method of resolution within ten (10) business days. If the resolution thus obtained is unsatisfactory to the aggrieved party, a letter outlining the disputes will be forwarded to the City Manager. The City Manager will consider the facts and solutions recommended by each party and may then opt to direct a solution to the problem. In such cases, the action of the City Manager will be binding upon the parties involved, although nothing in this procedure will prohibit the parties from seeking remedies available to them at law.

20. TERMINATION
In the event of the Contractor's failure to prosecute, deliver, or perform the Services, City may terminate this Agreement for nonperformance by notifying Contractor by certified mail of the termination. If City decides to abandon or indefinitely postpone the work or services contemplated by this Agreement, City may terminate this Agreement upon written notice to Contractor. Upon notification of termination, Contractor has five (5) business days to deliver any documents owned by City and all work in progress to City address contained in this Agreement. City will make a determination of fact based upon the work product delivered to City and of the percentage of work that Contractor has performed which is usable and of worth to City in having the Agreement completed. Based upon that finding City will determine the final payment of the Agreement.

Either party upon tendering thirty (30) days written notice to the other party may terminate this Agreement. In this event and upon request of City, Contractor will assemble the work product and put it in order for proper filing and closing and deliver it to City. Contractor will be paid for work performed to the termination date; however, the total will not exceed the lump sum fee payable under this Agreement. City will make the final determination as to the portions of tasks completed and the compensation to be made.

21. COVENANTS AGAINST CONTINGENT FEES
Contractor warrants that Contractor has not employed or retained any company or person, other than a bona fide employee working for Contractor, to solicit or secure this Agreement, and that Contractor has not paid or agreed to pay any company or person, other than a bona fide employee, any fee, commission, percentage, brokerage fee, gift, or any other consideration contingent upon, or resulting from, the award or making of this Agreement.
For breach or violation of this warranty, City will have the right to annul this Agreement without liability, or, in its discretion, to deduct from the Agreement price or consideration, or otherwise recover, the full amount of the fee, commission, percentage, brokerage fees, gift, or contingent fee.

22. CLAIMS AND LAWSUITS
By signing this Agreement, Contractor agrees that any Agreement claim submitted to City must be asserted as part of the Agreement process as set forth in this Agreement and not in anticipation of litigation or in conjunction with litigation. Contractor acknowledges that if a false claim is submitted to City, it may be considered fraud and Contractor may be subject to criminal prosecution. Contractor acknowledges that California Government Code sections 12650 et seq., the False Claims Act applies to this Agreement and, provides for civil penalties where a person knowingly submits a false claim to a public entity. These provisions include false claims made with deliberate ignorance of the false information or in reckless disregard of the truth or falsity of information. If City seeks to recover penalties pursuant to the False Claims Act, it is entitled to recover its litigation costs, including attorney's fees. Contractor acknowledges that the filing of a false claim may subject Contractor to an administrative debarment proceeding as the result of which Contractor may be prevented to act as a Contractor on any public work or improvement for a period of up to five (5) years. Contractor acknowledges debarment by another jurisdiction is grounds for City to terminate this Agreement.

23. JURISDICTION AND VENUE
Any action at law or in equity brought by either of the parties for the purpose of enforcing a right or rights provided for by this Agreement will be tried in a court of competent jurisdiction in the County of San Diego, State of California, and the parties waive all provisions of law providing for a change of venue in these proceedings to any other county.

24. SUCCESSORS AND ASSIGNS
It is mutually understood and agreed that this Agreement will be binding upon City and Contractor and their respective successors. Neither this Agreement nor any part of it nor any monies due or to become due under it may be assigned by Contractor without the prior consent of City, which shall not be unreasonably withheld.

25. ENTIRE AGREEMENT
This Agreement, together with any other written document referred to or contemplated by it, along with the purchase order for this Agreement and its provisions, embody the entire Agreement and understanding between the parties relating to the subject matter of it. In case of conflict, the terms of the Agreement supersede the purchase order. Neither this Agreement nor any of its provisions may be amended, modified, waived or discharged except in a writing signed by both parties.

26. AUTHORITY
The individuals executing this Agreement and the instruments referenced in it on behalf of Contractor each represent and warrant that they have the legal power, right and actual authority to bind Contractor to the terms and conditions of this Agreement.

CONTRACTOR
By: (sign here)
Mark P. Williamson (print name/title)

CITY OF CARLSBAD, a municipal corporation of the State of California
Maria Callander, Information Technology Director

ATTEST:
BARBARA ENGLESON
City Clerk

If required by City, proper notarial acknowledgment of execution by contractor must be attached.
If a corporation, Agreement must be signed by one corporate officer from each of the following two groups.

Group A: Chairman, President, or Vice-President
Group B: Secretary, Assistant Secretary, CFO or Assistant Treasurer

Otherwise, the corporation must attach a resolution certified by the secretary or assistant secretary under corporate seal empowering the officer(s) signing to bind the corporation.

APPROVED AS TO FORM:
CELIA A. BREWER, City Attorney
BY: Assistant City Attorney

EXHIBIT "A"
SCOPE OF SERVICES
See attached assessment proposal for scope of services.

Conquest Security
CYBERSECURITY ASSESSMENT PROPOSAL
February 20, 2020

Prepared for:
City of Carlsbad, California
Hendra Gunawan
IT Security Manager
City of Carlsbad
1635 Faraday Ave.
Carlsbad, CA 92008
www.carlsbadca.gov

Confidential Proposal

TABLE OF CONTENTS
Executive Summary
Assessment Approach
  Identify
  Protect
  Detect
  Respond
  Recover
Assessment Tasks
  Organization Review
  Risk Assessment
  Identification of Threats and Threat Actors
  Attack Surface Profile
  Security Program and Governance Assessment
  Training Assessment
  Physical Security Assessment
  Network, Cloud Services, End Point, and 3rd Party Security Review
  Asset Discovery
Assessment Deliverables
  Current Security Posture
  Assets, Risks, and Impact
  Recommended Target Security Profile
  Gap Analysis and Roadmap
  Briefings
Cost Proposal
  Cybersecurity Assessment and Report
Project Data Security
Project Management Approach
  Project Timeline
  Key Personnel
  Authorizations
  Project Assumptions
  Carlsbad Project Responsibilities
About Conquest Security

EXECUTIVE SUMMARY
Conquest Security (Conquest) proposes to conduct a cybersecurity assessment (assessment) for The City of Carlsbad, California (Carlsbad), with 21 locations containing IT infrastructure within the city. Conquest's approach to conducting an assessment utilizes the industry best practice National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) to ensure a standardized risk mitigation approach which will offer the highest risk reduction potential.

The purpose of this assessment is to:
1. Identify IT assets across all departments within the city government.
2. Evaluate the value of each asset to the city's mission and services.
3. Identify potential risks to the assets.
4. Evaluate existing risk mitigation controls.
5. Provide a plan to further mitigate risks and improve cybersecurity maturity.

These tasks will be accomplished using the following mechanisms:
• Discussions with city department heads and operational technical staff
• Documentation reviews
• Onsite inspections and observations
• Active asset discovery scanning on city networks

The assessment will focus on understanding Carlsbad's business drivers and security considerations specific to the long-term regulatory compliance, resiliency, privacy, and security of the city. Because each organization's risks, priorities, and systems are unique, the tools and methods used to achieve a cybersecurity profile that reduces risks to an acceptable level will vary. Conquest's approach is focused on the unique requirements of the organization and its objectives.
Conquest will evaluate the risks and threats to Carlsbad as well as its current administrative, technical and physical controls to determine the current security profile and to determine a desired security profile. Conquest will identify and prioritize opportunities for improvement within the context of a continuous and repeatable process.

Documentation reviews will analyze security governance, risk management processes, and security controls via documentation, diagrams, architecture review and discussions. Conquest will evaluate and recommend improvements to Carlsbad's security functions to Identify, Protect, Detect, Respond, and Recover.

The documented desired security profile includes recommendations to implement industry standard frameworks for Carlsbad to effectively manage cybersecurity, continuously assess risks, protect privacy, and implement administrative, technical and physical controls.

Conquest Security is a cybersecurity consulting firm that brings a tailored approach to protecting your organization from cyber threats. With nearly 30 years of experience with NIST and industry leading cybersecurity firms, our cross-domain expertise includes: Security Program Development; Governance and Regulatory Compliance; Identity and Access Management; Security Architecture; Security Testing; Technical Training; Cybersecurity Intelligence and Defense.

This proposal further outlines the approach, tasks, deliverables, and costs of conducting the Comprehensive Security Assessment for Carlsbad.

ASSESSMENT APPROACH
Using the NIST Cybersecurity Framework as an industry best practice, Conquest will collect information about Carlsbad's organization, goals, practices, critical assets, risks and existing security controls.
This analysis will identify the risks, threats, and vulnerabilities to Carlsbad from an information technology perspective. Tasks to accomplish these goals will include:

1. Review the organization's IT systems and application priorities. Document the dependencies and priorities of critical applications for the operations of essential departments such as Executives, Human Resources, Legal, Contracting and Procurement, Physical Security, Information Technology, Facilities, Regulatory Compliance, and other operational units.
2. Identification of Risks through discussions with department heads and other relevant staff, consultants, and contractors to determine critical areas of risk within the business process and technology.
3. Identification of Threats and Threat Actors generally and specifically to local government and its clients.
4. Profiling Carlsbad's Attack Surface.
5. Reconnaissance to collect public information about Carlsbad from social media and online information.
6. Evaluation of existing or needed policies, procedures, standards, and guidelines:
   a. Executive Management Governance
   b. Regulatory Compliance
   c. Human Resources
   d. Contracting and Procurement
   e. Physical Security and Safety
   f. Information Technology
   g. Cyber Security Policies and Procedures
   h. Incident Response Plans
   i. Business Continuity and Disaster Recovery Plans
7. Evaluation of Hardware, Software, Cloud Services Inventory
8. Network Scanning to identify assets not accounted for in existing inventories
9. Evaluation of existing controls and logs
10. Evaluation of 3rd Party Risks
11. Evaluation of Security Awareness Training Policies, Procedures, and Effectiveness
12. Physical Security Practices and Safeguards
13. Network Architecture and Documentation Review
14. Security Architecture and Documentation Review

The data collected by testing, discussions, and reviewing documentation will be used to assess Carlsbad's current security state based on core security functions and categories:

Identify
The organizational ability to manage cybersecurity risk to systems, people, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of this function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

Protect
Appropriate safeguards to ensure delivery of critical services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of this Function include: Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

Detect
Appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

Respond
Appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident. Examples of this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.

Recover
Appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident. Examples of this Function include: Recovery Planning; Improvements; and Communications.

ASSESSMENT TASKS

Organization Review
Conquest will analyze Carlsbad's organizational dependencies and priorities of applications to evaluate the impact of risks and assignment of qualitative risk values. Discussions with Carlsbad's staff will focus on dependencies, policies, and procedures, existing controls and perceived gaps.

Risk Assessment
A high-level qualitative risk assessment will be conducted to identify IT risks and threats to Carlsbad. Through the discussions with staff and the review of processes, controls, and documentation, Conquest will document the assets of essential value to Carlsbad, the risks to those assets, and the impact of loss and disclosure. This review will include:
• Critical Constitute Services
• Reputational Risks
• Regulatory Requirements
• Critical Infrastructure
• Personally Identifiable Information (PII)
• Financial Information
• Publicly disclosed information that could be used against Carlsbad
• 3rd Party (supply chain) Risks

Identification of Threats and Threat Actors
Using local government industry-specific documented public incidents and Conquest's knowledge of criminal undergrounds, marketplaces, and espionage, we will identify and document potential and emerging threats and threat actors to Carlsbad.

Attack Surface Profile
Conquest will conduct external reconnaissance to profile Carlsbad's attack surface. This reconnaissance will include:
• Collecting public records that may expose information about Carlsbad that is valuable to threat actors and adversaries.
• Analyzing Carlsbad social media accounts and the accounts of city management for information that could potentially be used against the organization or individual.
• Critical Information exposed on pastebins and other open source surface websites.
• Examination of Carlsbad's DNS records for critical information.

Security Program and Governance Assessment
Conquest will conduct a full review of Carlsbad's existing Security Program. This assessment will include a full review of documented policies, previous regulatory audits, and previous security assessments. The structure of the security program, as well as roles and responsibilities, will also be analyzed in accordance with regulatory requirements and industry best practice. Policies, procedures, standards, and guidelines will be reviewed. These will include but are not limited to:
• Corporate Security Policy
• Acceptable Use Policy
• Hiring and Background Check Procedures (Employees and Contractors)
• Vendor Management Procedures
• Data Classification Policy
• Employee Handbooks
• Incident Response Procedures
• Business Continuity and Disaster Recovery Plans
• Non-Disclosure Agreement Policies
• PII Policy and Handling Procedures
• Mobile, BYOD and Removable Media Policy
• Account Policies
• Access Control Policies
• Password and Two-Factor Authentication Policies
• Social Media Policies
• Service Desk Policies
• IT Systems Protection Policies and Standards (Antivirus, Intrusion Prevention, Access Controls)
• Wireless Security Standards.
• Wireless device protection and Bring Your Own Device (BYOD) Policies
• Public Wi-Fi Security Policy
• Patch Management and Systems Management Policies
• Data Handling and Clean Desk Policies
• Employee Termination Procedures
• Contractor Onboarding and Termination Procedures
• Physical Security and Safety Policies.
• General Facilities Management Procedures

This assessment is based on the NIST Cybersecurity Framework and Industry Best Practices of NIST, Computer Security Institute (CIS), Cloud Security Alliance (CSA), Open Web Application Security Project (OWASP), and SANS. Conquest will also evaluate Carlsbad policies and controls for alignment with applicable regulatory standards including:
• Payment Card Industry Data Security Standard: PCI DSS
• Health Insurance Portability and Accountability Act (HIPAA)
• Criminal Justice Information Services (CJIS)

Training Assessment
Industry Standard Best Practices and regulatory standards specify minimum security awareness training requirements for organizations. With an exponential increase in social engineering attacks that lead to ransomware, extortion, and espionage, security training is more critical than ever. Also, training at the executive, user, and technical levels is highly recommended. Conquest will evaluate Carlsbad's training program for compliance with regulatory and best practices.

Physical Security Assessment
Conquest will review documented physical security procedures and safeguards focused on the risks to Carlsbad's facilities. This assessment will consider environmental and human threats. The assessment will include a review of current controls and identify potential gaps. The physical security assessment will evaluate all preventative, detective, and corrective controls including but not limited to:
• Lighting
• Intrusion Detection Systems
• Guards, Gates, Locks, and other Access Controls Systems
• Badging
• Logs
• Environmental Controls
• Public Utility Risks and Safeguards
• Fire detection and suppression systems
• Fire prevention procedures and training
• Safety Precautions
• Physical Security and Safety Training.
Network, Cloud Services, End Point, and 3rd Party Security Review
Conquest will analyze and review the documented system configuration standards, software configurations, network architecture, mobile devices, cloud services, and 3rd party security controls that protect Carlsbad's confidentiality, integrity and availability. The review will include:
• Inventory and Control of Hardware Assets, Software Assets, Cloud Services, and 3rd Parties.
• Continuous Vulnerability Management
• Controlled Use of Administrative Privileges
• Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• Maintenance, Monitoring and Analysis of Audit Logs
• Email and Web Browser Protections
• Malware Defenses
• Limitation and Control of Network Ports, Protocols, and Services
• Data Recovery Capability
• Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• Boundary Defense
• Data Protection
• Controlled Access Based on the Need to Know
• Wireless Access Control
• Account Monitoring and Control
• Security Skills Assessment and Appropriate Training to Fill Gaps
• Web and Application Software Security
• Incident Response and Management

Asset Discovery
Network scans will be conducted on all city networks to identify undocumented assets. These scans will also include a vulnerability assessment and additional configuration information. Scans will only be conducted with the written permission of the city IT Security Manager.

ASSESSMENT DELIVERABLES
A comprehensive final report will be delivered to Carlsbad that provides:
1. Description of the current cybersecurity posture;
2. Description of assets, asset value, and risks;
3. Description of the target state for cybersecurity to mitigate identified risks;
4. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process.
Current Security Posture
Conquest will document Carlsbad's current security practices, with the identification of vulnerabilities and risk exposure, in the context of today's actual threats and threat actors as well as emerging threats. Carlsbad's security capabilities to Identify, Prevent, Detect, Respond, and Recover from security incidents will be evaluated using the NIST Cyber Security Framework and the CIS 20 Critical Controls.

Assets, Risks, and Impact
Carlsbad's assets identified and discovered during the assessment will be documented. Using qualitative risk management analysis, asset value will be identified as high, medium, and low based on the impact to the city if the asset was compromised or lost. Identified risks to the city will be documented and mitigation steps will be clearly identified.

Recommended Target Security Profile
Conquest will document Carlsbad's Recommended Target Security Profile to protect service delivery and sensitive data while systematically reducing risk. Current risks are identified in the current security profile and the target security profile includes the mitigation plan to reduce those risks with administrative, technical, and physical controls. Policies, procedures, standards, guidelines, controls, and training enhancements will be recommended to meet the target security profile. Priorities will be set to assist Carlsbad with setting budgets and addressing the most critical areas first.

Gap Analysis and Roadmap
The Gap Analysis Report documents the differences between Carlsbad's current security profile and the recommended target security profile. The Roadmap specifies a precise and actionable plan to transition the current security profile to the recommended target security profile, with as little time, cost, or disruption as possible.
Additionally, the roadmap sets priorities based on risks and details the actionable means by which the security control strategy will be carried out. This report will specify activities to enhance Carlsbad's future cybersecurity posture while offering the highest risk reduction potential.

Briefings
A final briefing and review of the report will be conducted.

COST PROPOSAL
Cybersecurity Assessment and Report: Conquest Security will conduct the cybersecurity assessment for the City of Carlsbad, CA and provide a comprehensive report documenting assets, asset values, risk assessment, the current security profile and recommended security improvements. This assessment will require one Conquest consultant to be onsite for up to 7 business days. Additionally, off-site analysis and testing will be conducted. The assessment will take 3 business weeks to complete. The Cost of the Assessment includes travel and expenses.
Cybersecurity Assessment and Report: $29,900.00
Terms: NET 30 days invoiced at the completion of the project.

PROJECT DATA SECURITY
Conquest follows industry best practices, prudent procedures, and NDA obligations to protect information provided by Carlsbad. All paper-based information provided by Carlsbad or generated by Conquest during this assessment will be scanned, encrypted, and stored on a cloud accessible drive with access restricted to Conquest Security's authorized staff. TLS Encryption and two-factor authentication are used to access the information without exception. No paper documentation will be removed from Carlsbad facilities without executive permission. Digital information provided by Carlsbad or generated by Conquest will also be encrypted and uploaded to a secure cloud drive.
• Client-Side Drive Security
  o Files are encrypted before they're uploaded to a cloud Drive to meet industry best practices, regulatory requirements and prevent third-party access.
• Encrypted files are accessed by Conquest Security authorized staff on a need to know basis only and exclusively for analysis and reporting.
• No paper notes or documentation will be removed from Carlsbad facility without permission.
• All Conquest personnel sign an agreement to comply with the Carlsbad-Conquest Non-Disclosure Agreement.
• Findings, Reports, and Briefings will be delivered to Carlsbad electronically and securely encrypted.
• Communications between Conquest Security and the Carlsbad Project Manager will be done via telephone and encrypted email.

PROJECT MANAGEMENT APPROACH
Conquest uses an industry standard best practice approach to project management. Our process and procedures include:
• A proven, highly effective, and unique project management approach, characterized by simplicity, structure, accountability, and transparency.
• A single project manager SME that takes the project from beginning to end. This means fewer hand-offs and fewer opportunities for oversights.
• Conquest focuses exclusively on one client at a time. This means greater focus, better quality, and faster results. Conquest's assigned Project Manager will be Mark Williamson. Mark will work on site with the project manager assigned by Carlsbad to coordinate the overall planning and oversight of the project.
• Each phase of the project is planned and executed as a mission, with a clear goal, action plan, and protocols for administration and communication.
• Each phase of the project is internally debriefed in an After-Action Review (AAR), ensuring continuous improvement and that all requirements were met or exceeded.
• All meetings are documented.
Conquest manages and coordinates the resources necessary for project completion, including:
• Conduct a Kick-off meeting to define roles and responsibilities; review tasks and timelines
• Develop an initial project schedule, including critical milestones
• Develop a Communication Plan, including Points of Contact for the customer and Conquest
• Develop a Status Reporting Plan, including a schedule for status meetings and status Reports
• Assign Conquest resources and manage completion of tasks as defined in the Project Schedule
• Coordinate issue escalation and resolution
• Conduct Status Meetings and provide Status
• Provide, at the completion of the Project, a Project Closure Form to the customer

Project Timeline
This assessment will require 1-day on-site work and 2 days of analysis, report writing, and briefing preparation. An estimated timeline is presented below and will be further refined with the Carlsbad project manager.

Task | Subtask/Description | Date
Online Kickoff Meeting | Review Project Objective, Goals, Timeline. Coordinate logistics and authorizations. | Within one week of contract award.
Onsite Assessment | Assessment | Scheduled - 4 Weeks
Final Report | Analysis/Writing | 4 weeks after assessment begins
Briefings | Presentations | 1 week after report delivery

Key Personnel
• Mark P. Williamson has more than twenty-five years of experience as a cybersecurity expert working for the National Institute of Standards and Technology, Internet Security Systems, nCipher, Tripwire, and Conquest Security. Mark applies a wealth of business, project management, and technical expertise to providing Cyber Security Consulting, Security Assessment Services, CISO Coaching and delivering Information Security Training Services.
Mark is a Certified Information Systems Security Professional (CISSP) and graduated from the State University of New York with a Bachelor's Degree in Electrical Engineering.
• Adrian Mikeliunas has over 15 years' experience conducting vulnerability assessments, risk assessments, regulatory compliance assessments, managing large-scale projects and developing and delivering cybersecurity training. Adrian is a Certified Information Systems Security Professional (CISSP). He is also ISO 17799 certified as an Information Security Management System Auditor and in Information Security Management System Implementation. Adrian graduated from Kennedy Western University with a Bachelor's degree in Computer Science.
• Don Codling has over 23 years with the FBI as Unit Chief, Cyber division, with extensive operational experience in Cyber Crime investigations, Cyber National Security investigations, senior policy development and implementation operations. Don has extensive experience conducting physical security assessments and with SCADA/ICS systems in the energy sector, healthcare, and financial services. He also maintains an active TS clearance with CI Polygraph.

Authorizations
• Carlsbad will provide in writing authorization for Conquest Security to conduct security testing on its systems, networks, and facilities if applicable. Carlsbad will authorize Conquest to conduct both physical and cyber intrusions and social engineering attacks. Cloud services will be evaluated for proper configuration only as testing may violate acceptable use.
• All vulnerability testing will be conducted in a non-obtrusive manner. However, legacy applications may experience performance degradation or service outages. Carlsbad agrees in writing to hold Conquest harmless for any interruptions caused by security testing.
Project Assumptions
The following assumptions were made in the creation of this proposal. Should any of these assumptions prove to be incorrect, Conquest reserves the right to modify the scope or schedule of work as defined in this proposal.
• The actual project duration may vary due to unforeseen changes or circumstances.
• The project start and completion dates are to be determined upon receipt of a purchase order and a signed contract.
• Conquest will provide services at Carlsbad locations in Carlsbad CA.
• Travel, lodging and travel time costs are included in the cost proposal.
• If the Customer commits to project dates and then cancels with less than forty-eight-hour notice, Conquest reserves the right to reschedule for the first available date. Late cancellation of previously agreed upon dates may cause the project to be delayed and miss important milestones set by the Customer. The customer will be responsible for any travel fees or losses due to cancellations.

Carlsbad Project Responsibilities
The following Customer Responsibilities are assumed in the creation of this Proposal. Should the Customer fail to meet any of these responsibilities, Conquest reserves the right to modify the scope or schedule of work as defined in this Proposal.
The Customer is responsible for providing to Conquest staff, in a timely manner, the following resources and information required to complete the tasks in this SOW:
• Interviews with key departments and executives
• Documentation as outlined in the proposal
• Documentation relating to the Customer network that Conquest requires to complete the work, including, but not limited to, network diagrams, cable diagrams, IP addresses, serial numbers, device configurations, etc.
• A suitable workspace with internet access for all Conquest personnel, while working at Carlsbad's facility and providing services related to this proposal.
• Access to physical facilities as defined in the timeline.
• A Carlsbad staff member is available to answer questions that may arise during the project.

ABOUT CONQUEST SECURITY
Conquest Security is a boutique cybersecurity consulting firm that brings a tailored approach to protecting your business from cyber threats! With the severe lack of cybersecurity talent available, we offer our cross-domain expertise to educate, enable, and augment your internal cybersecurity team. Our services include:
• Cybersecurity Assessments: Identify risks and gaps in security controls to develop a comprehensive security road map that will improve security and privacy.
• Cybersecurity Program Development and Improvement: Tailored to address your risks and support your mission with practical and cost-effective practices and controls.
• Managed Vulnerability Assessments: Enriched with bespoke cyber threat intelligence to inform and guide protection activities.
• Managed Threat Detection and Response Services that continuously monitor network and cyber assets and enable rapid response to advanced threats.
• Customized Cybersecurity Training for Management, Technical Staff, and Employees.
• Vetted cybersecurity solutions that go beyond the marketing hype to offer practical, cost-effective, and proven protection.
• Virtual Chief Information Security Officer Services (vCISO): Continuous coaching and trusted advice to reduce business risks and support the planning and implementation of cybersecurity programs.
NON-DISCLOSURE AGREEMENT

THIS NON-DISCLOSURE AGREEMENT is made and entered into as of the date recorded on the AGREEMENT by and between the City of Carlsbad (the "Disclosing Party") located at 1635 Faraday Ave, Carlsbad, California 92008 and Conquest Security Inc (the "Recipient" or "Receiving Party") located at 267 Kentlands Blvd., #800, Gaithersburg, Maryland 20878. This agreement is entered into pursuant to a Cybersecurity Assessment. Recipient shall be acting as a contractor. Throughout the duration of this Non-Disclosure Agreement, the Disclosing Party may deem it necessary to disclose or share certain proprietary information with the Recipient. Therefore, in consideration of the mutual promises and covenants contained within this Non-Disclosure Agreement, and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, both parties hereto agree as follows:

Confidential Information
For all intents and purposes of this Non-Disclosure Agreement, "Confidential Information" shall mean and include any data or information that is deemed proprietary to the Disclosing Party and that which is not generally known to the public, whether in tangible or intangible form, whenever and however disclosed, including, but not limited to, (i) any form of marketing plan, strategies, financial information or projections, operations, sales quotes or estimates, business plans, performance results which may be related to the past, present and/or future business activities of said party, its subsidiaries and affiliated companies; (ii) plans for products or services, and customer or supplier lists; (iii) any scientific, technical or data information, invention, design, process, procedure, formula, improvement, technology or method; (iv) any concepts, reports, data, knowledge, works-in-progress, designs, development tools, specifications, computer
software, source code, object code, flow charts, databases, inventions, information and trade secrets, trademarks and copyrights; and (v) any other information that should reasonably be recognized as confidential information of the Disclosing Party. Confidential Information need not be novel, unique, patentable, copyrightable or constitute a trade secret in order to be designated Confidential Information. The Receiving Party acknowledges that the Confidential Information is proprietary to the Disclosing Party, has been developed and obtained through great efforts by the Disclosing Party and, as such, the Disclosing Party regards all of its Confidential Information as trade secrets. Notwithstanding anything in the foregoing statement to the contrary, Confidential Information shall not include any such information which: (i) was known by the Receiving Party prior to receiving the Confidential Information from the Disclosing Party; (ii) becomes rightfully known to the Receiving Party from a third party source not known, after diligent inquiry, by the Receiving Party to be under an obligation to the Disclosing Party to maintain confidentiality; (iii) is or shall become publicly available through no fault or failure to act by the Receiving Party in breach of this Non-Disclosure Agreement; (iv) is required to be disclosed in a judicial or administrative proceeding, or is otherwise requested or required to be disclosed by law or regulation, although the requirements of Compelled Disclosure shall apply prior to any disclosure being made; and (v) is or has been independently developed by employees, consultants or agents of the Receiving Party without violation of the herein contained terms and conditions of this Non-Disclosure Agreement or reference or access to any Confidential Information; (vi) information the disclosing party shares with others in a non-confidential setting no longer has to be kept
confidential by the receiving party under the NDA.

Confidential Information Disclosure
The Disclosing Party may deem it necessary, from time to time, to disclose or make available to the Receiving Party Confidential Information. It shall then become the responsibility of the Receiving Party to: (i) limit the disclosure of any Confidential Information belonging to the Disclosing Party to the Receiving Party's directors, officers, employees, agents or representatives (collectively herein referred to as "Representatives") who have a need to know such Confidential Information in connection with the current or contemplated business relationship between the parties to which this Non-Disclosure Agreement relates, and only for that purpose; (ii) advise its Representatives of the proprietary nature of the Confidential Information and of the obligations set forth herein this Non-Disclosure Agreement and require such Representatives to keep the Confidential Information confidential; (iii) shall keep all Confidential Information strictly confidential by way of exercising a reasonable degree of care, but not less than the degree of care that the Receiving Party would exercise in safeguarding their own confidential information; and (iv) not disclose any Confidential Information received to any third parties, unless otherwise provided for herein this Non-Disclosure Agreement. Therefore, each party shall be responsible for any breach of this Non-Disclosure Agreement by any of their respective Representatives.

Confidential Information Usage
The Receiving Party herein agrees to make use of the Confidential Information solely for the purpose and in connection with the current or contemplated business relationship between both parties and not for any purpose other than that which has been stipulated and contained herein this Non-Disclosure Agreement, unless otherwise authorized by prior written consent by an authorized representative of the Disclosing Party.
There shall be no other right or license, whether expressed or implied, in the Confidential Information granted to the Receiving Party hereunder. Ownership and title to the Confidential Information shall remain solely with the Disclosing Party, any and all use of the Confidential Information by the Receiving Party shall be solely for the benefit of the Disclosing Party, and any type or manner of improvements or modifications thereof by the Receiving Party shall remain the sole property of the Disclosing Party. There shall be nothing herein contained that would be intended to modify the parties' existing agreement that the parties' discussions in furtherance of a potential business relationship shall herein be governed by Federal Rule of Evidence 408 - Compromise Offers and Negotiations.

Induced Disclosure of Confidential Information
Notwithstanding anything in the foregoing clauses to the contrary, the Receiving Party may be compelled to disclose Confidential Information pursuant to any governmental, judicial, or administrative order, subpoena, discovery request, regulatory request or similar method, provided that the Receiving Party promptly notifies, to the extent feasible, the Disclosing Party in writing of any such demand for disclosure so that the Disclosing Party, at its sole expense, may seek to make such disclosure subject to a protective order or other appropriate remedy to preserve the confidentiality of the Confidential Information; provided in the case of a broad regulatory request with respect to the Receiving Party's business (not targeted at Disclosing Party), the Receiving Party may promptly comply with such request provided the Receiving Party provides (if permitted by such regulator) the Disclosing Party prompt notice of such disclosure.
The Receiving Party agrees that it shall not oppose and shall cooperate with efforts by, to the extent feasible, the Disclosing Party with any such request for a protective order or other relief. Notwithstanding the foregoing, if the Disclosing Party is unable to obtain or does not seek a protective order and the Receiving Party is legally requested or required to disclose such Confidential Information, disclosure of such Confidential Information may be made without liability.

Independent Development
Receiving Party may currently or in the future be developing information internally, or receiving information internally, or receiving information from other parties that may be similar to the Disclosing Party's Confidential Information. Accordingly, nothing in this Non-Disclosure Agreement will be construed as a representation or inference that Receiving Party will not develop or have developed products or services, that, without violation of this Non-Disclosure Agreement, might compete with the products or systems contemplated by the Disclosing Party's Confidential Information.

Term
The herein contained Non-Disclosure Agreement shall remain in effect 1 year and shall be subject to an extension of 12 months if both parties are still discussing and contemplating a business transaction or relationship at the end of the original term. Notwithstanding the foregoing, the parties' duties to maintain in confidence any and all Confidential Information that may have been disclosed during the term shall thus remain in effect indefinitely.

No Warranty
All Confidential Information is provided by Disclosing Party "AS IS" and without any warranty, express, implied or otherwise, regarding the Confidential Information's completeness, accuracy or performance.
Remedies
Both parties to this Non-Disclosure Agreement acknowledge and agree that the Confidential Information hereunder this Non-Disclosure Agreement is of a unique and valuable nature, and that the unauthorized distribution or broadcasting of the Confidential Information could have the potential to destroy and, at the very least, diminish the value of such information. The damages that the Disclosing Party could sustain as a direct result of the unauthorized dissemination of the Confidential Information would be impossible to calculate. Therefore, both parties hereby agree that the Disclosing Party shall be entitled to claim injunctive relief that would prevent the dissemination of any Confidential Information that would be in violation of the terms set forth herein this Non-Disclosure Agreement. Any such injunctive relief provided shall be in addition to any other available remedies hereunder, whether at law or in equity. The Disclosing Party shall be entitled to recover any sustained costs and/or fees, including, but not limited to, any reasonable attorney's fees which may be incurred while attempting to obtain any such relief. Furthermore, in the event of any litigation which may be related to this Non-Disclosure Agreement, the prevailing party shall be entitled to recover any such reasonable attorney's fees and expenses incurred.
Return of Confidential Information
Upon completion/expiration or termination of this Non-Disclosure Agreement, the Receiving Party shall immediately return and deliver to the Disclosing Party all tangible material and/or information representing or exemplifying the Confidential Information provided hereunder and all notes, summaries, memoranda, drawings, manuals, records, excerpts or derivative information deriving therefrom and all other documents, materials, notes or copies ("Notes") which may have been converted to any computerized media in the form of any image, data or word processing files either manually or by image capture or any other form of work product that may be based on or include any Confidential Information, in whatever form of storage or retrieval, upon the earlier of (i) the completion or termination of this Non-Disclosure Agreement or (ii) at such time as the Disclosing Party may so request; provided however that the Receiving Party may retain such of its documents as is necessary to enable it to comply with its document retention policies. Alternatively, with the prior written consent of the Disclosing Party, the Receiving Party may immediately destroy (in the case of Notes, at the Receiving Party's sole discretion) any of the foregoing embodying Confidential Information (or the reasonably non-recoverable data erasure of computerized data) and, upon request, certify in writing such destruction by an authorized officer of the Receiving Party supervising the destruction of the material and/or information.

Notice of Breach

The Receiving Party shall immediately notify the Disclosing Party upon discovering any unauthorized use or disclosure of Confidential Information by the Receiving Party or its Representatives, or any other breach of this Non-Disclosure Agreement by the Receiving Party or its Representatives, and will cooperate with any efforts by the Disclosing Party to assist the Disclosing Party to regain the possession of its Confidential Information and thus prevent its further unauthorized use.

No Legally Binding Agreement for Transaction

Both parties hereby agree that neither party shall be under any legal obligation of any kind whatsoever with respect to a Transaction by virtue of this Non-Disclosure Agreement, except for the matters specifically agreed to herein. The parties further acknowledge and agree that each party herein reserves the right, in their sole and absolute discretion, to reject any and/or all proposals and to terminate discussions and negotiations with respect to any Transaction at any time. This Non-Disclosure Agreement does not create or constitute a joint venture or partnership between the parties. In the event that a Transaction should go forward, the non-disclosure provisions of any applicable transaction documents entered into between the parties (or their respective affiliates) for the Transaction shall supersede this Non-Disclosure Agreement. Should any such provision not be provided or stipulated in said transaction documents, then this Non-Disclosure Agreement shall be the controlling instrument.

Warranty

Each party herein warrants that it has the right and authorization to make such disclosures under this Non-Disclosure Agreement. NO WARRANTIES ARE MADE BY EITHER PARTY UNDER THIS NON-DISCLOSURE AGREEMENT WHATSOEVER.
The parties acknowledge that although they shall each endeavor to include in the Confidential Information any and all information that they each believe relevant for the purpose of the evaluation of a Transaction, the parties understand that no representation or warranty as to the accuracy or completeness of the Confidential Information is being made by either party as the Disclosing Party. Furthermore, neither party is under any obligation contained within this Non-Disclosure Agreement to disclose any Confidential Information it chooses not to disclose. Neither party hereto shall have any liability to the other party, or to the other party's Representatives, resulting from any use of the Confidential Information except with respect to the disclosure of such Confidential Information in violation of this Non-Disclosure Agreement.

Entire Agreement

This Non-Disclosure Agreement constitutes the entire understanding between the parties and supersedes any and all prior or contemporaneous understandings and agreements, whether oral or written, between the parties, with respect to the subject matter hereof. This Non-Disclosure Agreement can only be modified by written amendment signed by the party against whom such enforcement is sought.

Governing Laws

The validity, construction and performance of this Non-Disclosure Agreement shall be governed and construed in accordance with the laws of California or any applicable federal laws or statutes applicable to contracts made and to be wholly performed within such state, without giving effect to any form of conflict of law provisions thereof. The Federal and State courts located in California shall have sole and exclusive jurisdiction over any disputes arising under the terms of this Non-Disclosure Agreement.

Waiver of Contractual Right

Any such failure by either party to enforce the other party's strict performance of any provision of this Non-Disclosure Agreement shall not constitute a waiver of its right to subsequently enforce such provision or any other provision of this Non-Disclosure Agreement.

Severability

Although the restrictions herein contained in this Non-Disclosure Agreement are considered by the parties to be reasonable for the purpose of protecting the Confidential Information, if any such restriction is found by a court of competent jurisdiction to be unenforceable, such provision will be modified, rewritten or interpreted to include as much of its nature and scope as will render it enforceable. In the event it cannot be so modified, rewritten or interpreted to be enforceable in any respect, it will not be given effect, and the remainder of the Non-Disclosure Agreement shall be enforced as if such provision was not included.

Notices

Any notices or communications required or permitted to be given hereunder may be delivered by hand, deposited with a nationally recognized overnight carrier, emailed, or mailed by certified mail, return receipt requested, postage prepaid, in each case, to the aforementioned address of the other party, or any such other address or addressee as may be furnished by a party in accordance with this paragraph. All such notices or communication shall be deemed to have been given and received (i) in the case of personal delivery or email, on the date of said delivery, (ii) in the case of delivery by a nationally recognized overnight carrier, on the third business day following dispatch, and (iii) in the case of mailing, on the seventh business day following such mailing.

Transfer or Assign

This Non-Disclosure Agreement is personal in nature, and neither party may directly or indirectly assign or transfer it by operation of law or otherwise without the prior written consent of the other party, which consent shall not be unreasonably withheld. All obligations contained in this Non-Disclosure Agreement shall extend to and be binding upon the parties to this Non-Disclosure Agreement and their respective successors, assigns and designees.

Miscellaneous

The receipt of Confidential Information pursuant to this Non-Disclosure Agreement shall not prevent or in any way limit either party from: (i) developing, making or marketing products or services that are or may be competitive with the products or services of the other, or (ii) providing products or services to others who compete with the other. Paragraph headings used in this Non-Disclosure Agreement are for reference only and shall not be used or relied upon in the interpretation of this Non-Disclosure Agreement.

IN WITNESS WHEREOF, the parties hereto have executed this Non-Disclosure Agreement as of the aforementioned effective date.

By: Maria Callander, IT Director
By: Mark P. Williamson, Managing Partner
03/05/2020

Herman E. Wealcatch, Inc. 37 Walker Avenue Suite 200 Pikesville MD 21208 (410) 653-3053 (410) 653-5116
CONQUEST SECURITY, INC 267 KENTLANDS BLVD GAITHERSBURG MD 20878-5446
Selective Insurance Co. of South Carolina 19259
CL194910531
A S 2363608 01/24/2020 01/24/2021 1,000,000 5,000 2,000,000 2,000,000
A S 2363608 01/24/2020 01/24/2021 1,000,000 Uninsured motorist property damage
Certificate Holder is Additional Insured for General Liability as respects services rendered by the Insured on their behalf.
City of Carlsbad CA 1635 Faraday Avenue Carlsbad CA 92008
SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN ACCORDANCE WITH THE POLICY PROVISIONS.

[ACORD 25 form field labels: insurer(s) affording coverage (Insurer A through F, NAIC #); producer and contact name, phone, fax and e-mail address; insured; certificate number; revision number; coverages.]

IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must have ADDITIONAL INSURED provisions or be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s).

THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER.

THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS.

[ACORD 25 coverage table labels: insurer letter; type of insurance; additional insured; subrogation waived; policy number; policy effective and expiration dates (MM/DD/YYYY); limits for commercial general liability, automobile liability, umbrella/excess liability, and workers compensation and employers' liability; description of operations / locations / vehicles (ACORD 101, Additional Remarks Schedule, may be attached if more space is required); certificate holder; cancellation; authorized representative.]

ACORD 25 (2016/03) © 1988-2015 ACORD CORPORATION. All rights reserved. The ACORD name and logo are registered marks of ACORD.

DATE (MM/DD/YYYY): 03/23/2020

THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER.

IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must have ADDITIONAL INSURED provisions or be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s).

PRODUCER: Mercer Consumer, a service of Mercer Health & Benefits Administration LLC, P.O. Box 8146, Des Moines, IA, 50306-8146
INSURER(S) AFFORDING COVERAGE: INSURER A: Beazley Insurance Company Inc, NAIC # 37540
INSURED: Conquest Security, Inc.
701 Market Street East Gaithersburg, MD 20878

CERTIFICATE OF LIABILITY INSURANCE

THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS.

INSR LTR: A
TYPE OF INSURANCE: OTHER: ENGINEERS PROFESSIONAL LIABILITY INSURANCE
RETRO DATE: Full Prior Acts
POLICY NUMBER: VG00003015AA
POLICY EFF (MM/DD/YYYY): 03/19/2020
POLICY EXP (MM/DD/YYYY): 03/19/2021
DEDUCTIBLE: PER CLAIM: 5,000
LIMITS: PER CLAIM: $1,000,000; AGGREGATE: $1,000,000
DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, Additional Remarks Schedule, may be attached if more space is required): CLAIMS MADE POLICY

[Insurers B through F and the commercial general liability, automobile liability, umbrella/excess liability, and workers compensation and employers' liability rows of the form are blank.]

CERTIFICATE HOLDER: Conquest Security, Inc., 701 Market Street East Gaithersburg, MD 20878
CANCELLATION: SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN ACCORDANCE WITH THE POLICY PROVISIONS.
AUTHORIZED REPRESENTATIVE

ACORD 25 (2016/03) © 1988-2015 ACORD CORPORATION. All rights reserved. The ACORD name and logo are registered marks of ACORD.

F00730 022019 ed. Date Issued: 20-Mar-2020

Beazley MediaTech

THIS POLICY’S LIABILITY INSURING AGREEMENTS PROVIDE COVERAGE ON A CLAIMS MADE AND REPORTED BASIS AND APPLY ONLY TO CLAIMS FIRST MADE AGAINST THE INSURED DURING THE POLICY PERIOD OR THE OPTIONAL EXTENSION PERIOD (IF APPLICABLE) AND REPORTED TO THE UNDERWRITERS IN ACCORDANCE WITH THE TERMS OF THIS POLICY. AMOUNTS INCURRED AS CLAIMS EXPENSES UNDER THIS POLICY WILL REDUCE AND MAY EXHAUST THE LIMIT OF LIABILITY AND ARE SUBJECT TO RETENTIONS.

These Declarations along with the statements contained in the information and materials provided to the Underwriters in connection with the underwriting and issuance of this Policy, and the Policy with endorsements shall constitute the contract between the Insureds and the Underwriters.

GENERAL INFORMATION

Insurer/Underwriter: Beazley Insurance Company, Inc. (Admitted)
Named Insured: Conquest Security Inc
Named Insured Address: 701 Market Street East Gaithersburg, MD 20878
Notice of Claim, Loss or Circumstance: Beazley Group, Attn: Cyber & Tech Claims Group, 45 Rockefeller Plaza, 16th floor, New York, NY 10111, cyber&techclaims@beazley.com
Administrative Notice: Beazley USA Services, Inc., 30 Batterson Park Road, Farmington, CT 06032, Tel: (860) 677-3700, Fax: (860) 679-0247

POLICY INFORMATION

Policy Number: VG00003015AA
Policy Form: Beazley MediaTech (F00731 022019 ed.)
Policy Period: From: 19-Mar-2020 To: 19-Mar-2021, Both at 12:01 AM Local Time at the Named Insured Address
Retroactive Date: Full Prior Acts
Continuity Date: 19-Mar-2020
Optional Extension Period: 12 Months
Optional Extension Premium: 100% of the Annual Policy Premium
Waiting Period: 8 Hours
Premium: $1,500.00

COVERAGE SCHEDULE (Currency in USD)

Each Claim Limit of Liability: Media, Tech, Data & Network Liability: $1,000,000
Policy Aggregate Limit of Liability: $1,000,000
Additional Defense Limit: Not Included

Media, Tech, Data & Network Liability
Tech & Professional Services: Limit $1,000,000 each Claim; Retention $5,000
Tech Product: Limit $1,000,000 each Claim; Retention $5,000
Media: Limit $1,000,000 each Claim; Retention $5,000
Data & Network: Limit $1,000,000 each Claim; Retention $5,000

Breach Response
Breach Response Costs: Limit $1,000,000 each incident; Retention $0

Regulatory Defense & Penalties
Regulatory Defense & Penalties: Limit $1,000,000 each Claim; Retention $5,000

Payment Card Liabilities & Costs
Payment Card Liabilities & Costs: Limit $1,000,000 each Claim; Retention $5,000

First Party Data & Network Loss
Business Interruption Loss:
Resulting from Security Breach: Limit $1,000,000 each incident; Retention $5,000
Resulting from System Failure: Limit $1,000,000 each incident; Retention $5,000
Dependent Business Loss:
Resulting from Dependent Security Breach: Limit $100,000 each incident; Retention $5,000
Resulting from Dependent System Failure: Limit $100,000 each incident; Retention $5,000
Cyber Extortion Loss: Limit $1,000,000 each incident; Retention $1,000
Data Recovery Costs: Limit $1,000,000 each incident; Retention $5,000

eCrime
Fraudulent Instruction: Limit $250,000 each loss; Retention $5,000
Funds Transfer Fraud: Limit $250,000 each loss; Retention $5,000
Telephone Fraud: Limit $250,000 each loss; Retention $5,000

Criminal Reward
Criminal Reward: $50,000

ENDORSEMENTS EFFECTIVE AT INCEPTION

1. A01779MD 022019 ed. Maryland Amendatory Endorsement
2. BICMU05090406 Nuclear Exclusion
3. E02804MD 082014 ed. Sanction Limitation and Exclusion Clause - Maryland
4. E12254 022019 ed. War and Civil War Exclusion
5. E12287 022019 ed. Asbestos, Pollution and Contamination Exclusion Endorsement
6. E12228 022019 ed. Aggregate/Maintenance Retention
7. E12266 022019 ed. Amend Definition of Fraudulent Instruction
8. E12269 022019 ed. GDPR Cyber Endorsement
9. E12289 022019 ed. Computer Hardware Replacement Cost
10. E12290 022019 ed. Contingent Bodily Injury With Sublimit Endorsement
11. E12716 022019 ed. Post Breach Remedial Services Endorsement
12. E12864 042019 ed. Crisis Management Expense Coverage
13. E12972 052019 ed. CryptoJacking Endorsement
14. E13040 062019 ed. Reputation Loss
15. E13373 092019 ed. State Consumer Privacy Statutes Endorsement

20-Mar-2020 Authorized Representative Date
Secretary President

F00731 022019 ed.

Beazley MediaTech

TABLE OF CONTENTS

INSURING AGREEMENTS
Media, Tech, Data & Network Liability
Breach Response
Regulatory Defense & Penalties
Payment Card Liabilities & Costs
First Party Data & Network Loss
eCrime
Criminal Reward

DEFINITIONS
Additional Insured
Breach Notice Law
Breach Response Costs
Business Interruption Loss
Claim
Claims Expenses
Computer Systems
Continuity Date
Control Group
Criminal Reward Funds
Cyber Extortion Loss
Damages
Data
Data Breach
Data & Network Wrongful Act
Data Recovery Costs
Dependent Business
Dependent Business Loss
Dependent Security Breach
Dependent System Failure
Digital Currency
Extortion Payment
Extortion Threat
Extra Expense
Financial Institution
Forensic Expenses
Fraudulent Instruction
Funds Transfer Fraud
Income Loss
Individual Contractor
Insured
Insured Organization
Loss
Media Activities
Media Material
Media Wrongful Act
Merchant Services Agreement
Money
Named Insured
PCI Fines Expenses and Costs
Penalties
Period of Restoration
Personally Identifiable Information
Policy Period
Privacy Policy
Privacy Policy Violation
Professional Services
Regulatory Proceeding
Retroactive Date
Securities
Security Breach
Subsidiary
System Failure
Tech Products
Tech & Professional Services Wrongful Act
Tech Product Wrongful Act
Tech Services
Telephone Fraud
Third Party Information
Transfer Account
Unauthorized Access or Use
Unauthorized Disclosure
Waiting Period

EXCLUSIONS
Bodily Injury or Property Damage
Deceptive Business Practices, Antitrust & Consumer Protection
Distribution of Information
Prior Known Acts & Prior Noticed Claims
Racketeering, Benefit Plans, Employment Liability & Discrimination
Sale or Ownership of Securities & Violation of Securities Laws
Criminal, Intentional or Fraudulent Acts
Patent & Misappropriation of Information
Governmental Actions
Other Insureds & Related Enterprises
Trading Losses & Loss of Money
Contractual
Retroactive Date
Recall
Infrastructure Failure
Licensing Bodies & Joint Ventures
Over-Redemption
First Party Data & Network Loss

LIMIT OF LIABILITY AND COVERAGE

RETENTIONS

OPTIONAL EXTENSION PERIOD

GENERAL CONDITIONS
Notice of Claim or Loss
Beazley Breach Response Services
Notice of Circumstance
Defense of Claims
Settlement of Claims
Assistance and Cooperation
Subrogation
Other Insurance
Action Against the Underwriters
Entire Agreement
Mergers or Consolidations
Assignment
Cancellation
Singular Form of a Word
Headings
Representation by the Insured
Named Insured As Agent

Beazley MediaTech

THIS POLICY’S LIABILITY INSURING AGREEMENTS PROVIDE COVERAGE ON A CLAIMS MADE AND REPORTED BASIS AND APPLY ONLY TO CLAIMS FIRST MADE AGAINST THE INSURED DURING THE POLICY PERIOD OR THE OPTIONAL EXTENSION PERIOD (IF APPLICABLE) AND REPORTED TO THE UNDERWRITERS IN ACCORDANCE WITH THE TERMS OF THIS POLICY. AMOUNTS INCURRED AS CLAIMS EXPENSES UNDER THIS POLICY WILL REDUCE AND MAY EXHAUST THE LIMIT OF LIABILITY AND ARE SUBJECT TO RETENTIONS.

Please refer to the Declarations, which show the insuring agreements that the Named Insured purchased.
If an insuring agreement has not been purchased, coverage under that insuring agreement of this Policy will not apply.

The Underwriters agree with the Named Insured, in consideration of the payment of the premium and reliance upon the statements contained in the information and materials provided to the Underwriters in connection with the underwriting and issuance of this Insurance Policy (hereinafter referred to as the "Policy") and subject to all the provisions, terms and conditions of this Policy:

INSURING AGREEMENTS

Media, Tech, Data & Network Liability

To pay Damages and Claims Expenses, which the Insured is legally obligated to pay because of any Claim first made against any Insured during the Policy Period for a:
1. Tech & Professional Services Wrongful Act;
2. Tech Product Wrongful Act;
3. Media Wrongful Act; or
4. Data & Network Wrongful Act.

Breach Response

To indemnify the Insured Organization for Breach Response Costs incurred by the Insured Organization because of an actual or reasonably suspected Data Breach or Security Breach that the Insured first discovers during the Policy Period.

Regulatory Defense & Penalties

To pay Penalties and Claims Expenses, which the Insured is legally obligated to pay because of a Regulatory Proceeding first made against any Insured during the Policy Period for a Data Breach or a Security Breach.

Payment Card Liabilities & Costs

To indemnify the Insured Organization for PCI Fines, Expenses and Costs which it is legally obligated to pay because of a Claim first made against any Insured during the Policy Period.

First Party Data & Network Loss

To indemnify the Insured Organization for:

Business Interruption Loss

Business Interruption Loss that the Insured Organization sustains as a result of a Security Breach or System Failure that the Insured first discovers during the Policy Period.

Dependent Business Interruption Loss

Dependent Business Loss that the Insured Organization sustains as a result of a Dependent Security Breach or a Dependent System Failure that the Insured first discovers during the Policy Period.

Cyber Extortion Loss

Cyber Extortion Loss that the Insured Organization incurs as a result of an Extortion Threat first made against the Insured Organization during the Policy Period.

Data Recovery Costs

Data Recovery Costs that the Insured Organization incurs as a direct result of a Security Breach or System Failure that the Insured first discovers during the Policy Period.

eCrime

To indemnify the Insured Organization for any direct financial loss sustained resulting from:
1. Fraudulent Instruction;
2. Funds Transfer Fraud; or
3. Telephone Fraud;
that the Insured first discovers during the Policy Period.

Criminal Reward

To indemnify the Insured Organization for Criminal Reward Funds.

DEFINITIONS

Additional Insured means any person or entity that the Insured Organization has agreed in writing to add as an Additional Insured under this Policy prior to the commission of any act for which such person or entity would be provided coverage under this Policy, but only to the extent the Insured Organization would have been liable and coverage would have been afforded under the terms and conditions of this Policy had such Claim been made against the Insured Organization.

Breach Notice Law means any statute or regulation that requires notice to persons whose personal information was accessed or reasonably may have been accessed by an unauthorized person. Breach Notice Law also includes any statute or regulation requiring notice of a Data Breach to be provided to governmental or regulatory authorities.

Breach Response Costs means the following fees and costs incurred by the Insured Organization with the Underwriters' prior written consent in response to an actual or reasonably suspected Data Breach or Security Breach:
1. for an attorney to provide necessary legal advice to the Insured Organization to evaluate its obligations pursuant to Breach Notice Laws or a Merchant Services Agreement;
2. for a computer security expert to determine the existence, cause and scope of an actual or reasonably suspected Data Breach, and if such Data Breach is actively in progress on the Insured Organization’s Computer Systems, to assist in containing it;
3. for a PCI Forensic Investigator to investigate the existence and extent of an actual or reasonably suspected Data Breach involving payment card data and for a Qualified Security Assessor to certify and assist in attesting to the Insured Organization's PCI compliance, as required by a Merchant Services Agreement;
4. to notify those individuals whose Personally Identifiable Information was potentially impacted by a Data Breach;
5. to provide a call center to respond to inquiries about a Data Breach;
6. to provide a credit monitoring, identity monitoring or other personal fraud or loss prevention solution, to be approved by the Underwriters, to individuals whose Personally Identifiable Information was potentially impacted by a Data Breach; and
7. public relations and crisis management costs directly related to mitigating harm to the Insured Organization which are approved in advance by the Underwriters in their discretion.

Breach Response Costs will not include any internal salary or overhead expenses of the Insured Organization.

Business Interruption Loss means:
1. Income Loss;
2. Forensic Expenses; and
3. Extra Expense;
actually sustained during the Period of Restoration as a result of the actual interruption of the Insured Organization’s business operations caused by a Security Breach or System Failure.
Coverage for Business Interruption Loss will apply only after the Waiting Period has elapsed. Business Interruption Loss will not include (i) loss arising out of any liability to any third party; (ii) legal costs or legal expenses; (iii) loss incurred as a result of unfavorable business conditions; (iv) loss of market or any other consequential loss; (v) Dependent Business Loss; or (vi) Data Recovery Costs. Claim means: 1. a written demand received by any Insured for money, services, or any non-monetary or injunctive relief; 2. a written request for mediation or arbitration received by any Insured; 3. a civil proceeding against any Insured commenced by service of a complaint or similar proceeding; 4. a written request to toll or waive any applicable statute of limitations; 5. with respect to coverage provided under the Regulatory Defense & Penalties insuring agreement only, institution of a Regulatory Proceeding against any Insured; and Multiple Claims arising from the same or a series of related, repeated or continuing acts, errors, omissions or events will be considered a single Claim for the purposes of this Policy. All such Claims will be deemed to have been made at the time of the first such Claim. Claims Expenses means: 1. all reasonable and necessary legal costs and expenses resulting from the investigation, defense and appeal of a Claim, if incurred by the Underwriters, or by the Insured with the prior written consent of the Underwriters; and 2. the premium cost for appeal bonds for covered judgments or bonds to release property used to secure a legal obligation; provided the Underwriters will have no obligation to appeal or to obtain bonds.
Claims Expenses will not include any salary, overhead, or other charges by the Insured for any time spent in cooperating in the defense and investigation of any Claim, or costs to comply with any regulatory orders, settlements or judgments. Computer Systems means computers, any software residing on such computers and any associated devices or equipment (including computers, hardware, software and input and output devices which are part of an industrial control system, including a supervisory control and data acquisition (SCADA) system): 1. operated by and either owned by or leased to the Insured Organization; or 2. with respect to coverage under Part 4. of the Media, Tech, Data & Network Liability insuring agreement, as well as the Breach Response, Regulatory Defense & Penalties and Payment Card Liabilities & Costs insuring agreements, operated by a third party pursuant to written contract with the Insured Organization and used for the purpose of providing hosted computer application services to the Insured Organization or for processing, maintaining, hosting or storing the Insured Organization’s electronic data. Continuity Date means: 1. the Continuity Date listed in the Declarations; and 2. with respect to any Subsidiaries acquired after the Continuity Date listed in the Declarations, the date the Named Insured acquired such Subsidiary. Control Group means any principal, partner, corporate officer, director, general counsel (or most senior legal counsel) or risk manager of the Insured Organization and any individual in a substantially similar position.
Criminal Reward Funds means any amount offered and paid by the Insured Organization with the Underwriters’ prior written consent for information that leads to the arrest and conviction of any individual(s) committing or trying to commit any illegal act related to any coverage under this Policy; but will not include any amount based upon information provided by the Insured, the Insured’s auditors or any individual hired or retained to investigate the illegal acts. All Criminal Reward Funds offered pursuant to this Policy must expire no later than 6 months following the end of the Policy Period. Cyber Extortion Loss means: 1. any Extortion Payment that has been made by or on behalf of the Insured Organization with the Underwriters’ prior written consent to prevent or terminate an Extortion Threat; and 2. reasonable and necessary expenses incurred by the Insured Organization with the Underwriters’ prior written consent to prevent or respond to an Extortion Threat. Damages means a monetary judgment, award or settlement, including any award of prejudgment or post-judgment interest. With the prior written consent of the Underwriters, Damages also include the direct net cost of providing any future service credits offered by the Insured Organization in lieu of a monetary payment. Damages will not include: 1. future profits, restitution, disgorgement of unjust enrichment or profits by an Insured, or the costs of complying with orders granting injunctive or equitable relief; 2. return or offset of fees, charges or commissions charged by or owed to an Insured for goods or services already provided or contracted to be provided; 3. taxes or loss of tax benefits; 4. fines, sanctions or penalties against any Insured; 5. punitive or exemplary damages or any damages which are a multiple of compensatory damages, unless insurable by law in any applicable venue that most favors coverage for such punitive, exemplary or multiple damages; 6. 
discounts, coupons, prizes, awards or other incentives offered to the Insured’s customers or clients; 7. liquidated damages, but only to the extent that such damages exceed the amount for which the Insured would have been liable in the absence of such liquidated damages agreement; 8. fines, costs or other amounts an Insured is responsible to pay under a Merchant Services Agreement; or 9. any amounts for which the Insured is not liable, or for which there is no legal recourse against the Insured. Data means any software or electronic data that exists in Computer Systems and that is subject to regular back-up procedures. Data Breach means the theft, loss, or Unauthorized Disclosure of Personally Identifiable Information or Third Party Information that is in the care, custody or control of the Insured Organization or a third party for whose theft, loss or Unauthorized Disclosure of Personally Identifiable Information or Third Party Information the Insured Organization is liable. Data & Network Wrongful Act means: 1. a Data Breach; 2. a Security Breach; 3. failure to timely disclose a Data Breach or Security Breach; or 4. a Privacy Policy Violation. Data Recovery Costs means the reasonable and necessary costs incurred by the Insured Organization to regain access to, replace, or restore Data, or if Data cannot reasonably be accessed, replaced, or restored, then the reasonable and necessary costs incurred by the Insured Organization to reach this determination. Data Recovery Costs will not include: (i) the monetary value of profits, royalties, or lost market share related to Data, including but not limited to trade secrets or other proprietary information or any other amount pertaining to the value of Data; (ii) legal costs or legal expenses; (iii) loss arising out of any liability to any third party; or (iv) Cyber Extortion Loss.
Dependent Business means any entity that is not a part of the Insured Organization but which provides necessary products or services to the Insured Organization pursuant to a written contract. Dependent Business Loss means: 1. Income Loss; and 2. Extra Expense; actually sustained during the Period of Restoration as a result of an actual interruption of the Insured Organization’s business operations caused by a Dependent Security Breach or Dependent System Failure. Coverage for Dependent Business Loss will apply only after the Waiting Period has elapsed. Dependent Business Loss will not include (i) loss arising out of any liability to any third party; (ii) legal costs or legal expenses; (iii) loss incurred as a result of unfavorable business conditions; (iv) loss of market or any other consequential loss; (v) Business Interruption Loss; or (vi) Data Recovery Costs. Dependent Security Breach means a failure of computer security to prevent a breach of computer systems operated by a Dependent Business. Dependent System Failure means an unintentional and unplanned interruption of computer systems operated by a Dependent Business. Dependent System Failure will not include any interruption of computer systems resulting from (i) a Dependent Security Breach, or (ii) the interruption of computer systems that are not operated by a Dependent Business. Digital Currency means a type of digital currency that: 1. requires cryptographic techniques to regulate the generation of units of currency and verify the transfer thereof; 2. is both stored and transferred electronically; and 3. operates independently of a central bank or other central authority. Extortion Payment means Money, Digital Currency, marketable goods or services demanded to prevent or terminate an Extortion Threat. Extortion Threat means a threat to: 1. alter, destroy, damage, delete or corrupt Data; 2.
perpetrate the Unauthorized Access or Use of Computer Systems; 3. prevent access to Computer Systems or Data; 4. steal, misuse or publicly disclose Data, Personally Identifiable Information or Third Party Information; 5. introduce malicious code into Computer Systems or to third party computer systems from Computer Systems; or 6. interrupt or suspend Computer Systems; unless an Extortion Payment is received from or on behalf of the Insured Organization. Extra Expense means reasonable and necessary expenses incurred by the Insured Organization during the Period of Restoration to minimize, reduce or avoid Income Loss, over and above those expenses the Insured Organization would have incurred had no Security Breach, System Failure, Dependent Security Breach or Dependent System Failure occurred. Financial Institution means a bank, credit union, saving and loan association, trust company or other licensed financial service, securities broker-dealer, mutual fund, or liquid assets fund or similar investment company where the Insured Organization maintains a bank account. Forensic Expenses means reasonable and necessary expenses incurred by the Insured Organization to investigate the source or cause of a Business Interruption Loss. Fraudulent Instruction means the transfer, payment or delivery of Money or Securities by an Insured as a result of fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions provided by a third party, that is intended to mislead an Insured through the misrepresentation of a material fact which is relied upon in good faith by such Insured. Fraudulent Instruction will not include loss arising out of: 1. fraudulent instructions received by the Insured which are not first authenticated via a method other than the original means of request to verify the authenticity or validity of the request; 2.
any actual or alleged use of credit, debit, charge, access, convenience, customer identification or other cards; 3. any transfer involving a third party who is not a natural person Insured, but had authorized access to the Insured’s authentication mechanism; 4. the processing of, or the failure to process, credit, check, debit, personal identification number debit, electronic benefit transfers or mobile payments for merchant accounts; 5. accounting or arithmetical errors or omissions, or the failure, malfunction, inadequacy or illegitimacy of any product or service; 6. any liability to any third party, or any indirect or consequential loss of any kind; 7. any legal costs or legal expenses; or 8. proving or establishing the existence of Fraudulent Instruction. Funds Transfer Fraud means the loss of Money or Securities contained in a Transfer Account at a Financial Institution resulting from fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions by a third party issued to a Financial Institution directing such institution to transfer, pay or deliver Money or Securities from any account maintained by the Insured Organization at such institution, without the Insured Organization's knowledge or consent. Funds Transfer Fraud will not include any loss arising out of: 1. the type or kind covered by the Insured Organization’s financial institution bond or commercial crime policy; 2. any actual or alleged fraudulent, dishonest or criminal act or omission by, or involving, any natural person Insured; 3. any indirect or consequential loss of any kind; 4. punitive, exemplary or multiplied damages of any kind or any fines, penalties or loss of any tax benefit; 5. any liability to any third party, except for direct compensatory damages arising directly from Funds Transfer Fraud; 6.
any legal costs or legal expenses; or proving or establishing the existence of Funds Transfer Fraud; 7. the theft, disappearance, destruction of, unauthorized access to, or unauthorized use of confidential information, including a PIN or security code; 8. any forged, altered or fraudulent negotiable instruments, securities, documents or instructions; or 9. any actual or alleged use of credit, debit, charge, access, convenience or other cards or the information contained on such cards. Income Loss means an amount equal to: 1. net profit or loss before interest and tax that the Insured Organization would have earned or incurred; and 2. continuing normal operating expenses incurred by the Insured Organization (including payroll), but only to the extent that such operating expenses must necessarily continue during the Period of Restoration. Individual Contractor means any natural person who performs labor or service for the Insured Organization pursuant to a written contract or agreement with the Insured Organization. The status of an individual as an Individual Contractor will be determined as of the date of an alleged act, error or omission by any such Individual Contractor. Insured means: 1. the Insured Organization; 2. any director or officer of the Insured Organization, but only with respect to the performance of his or her duties as such on behalf of the Insured Organization; 3. an employee (including a part time, temporary, leased or seasonal employee or volunteer) or Individual Contractor of the Insured Organization, but only for work done while acting within the scope of his or her employment and related to the conduct of the Insured Organization’s business; 4. a principal if the Named Insured is a sole proprietorship, or a partner if the Named Insured is a partnership, but only with respect to the performance of his or her duties as such on behalf of the Insured Organization; 5. any person who previously qualified as an Insured under parts 2. 
through 4., but only with respect to the performance of his or her duties as such on behalf of the Insured Organization; 6. an Additional Insured, but only as respects Claims against such person or entity for acts, errors or omissions of the Insured Organization; 7. the estate, heirs, executors, administrators, assigns and legal representatives of any Insured in the event of such Insured's death, incapacity, insolvency or bankruptcy, but only to the extent that such Insured would otherwise be provided coverage under this Policy; and 8. the lawful spouse, including any natural person qualifying as a domestic partner of any Insured, but solely by reason of any act, error or omission of an Insured other than such spouse or domestic partner. Insured Organization means the Named Insured and any Subsidiaries. Loss means Breach Response Costs, Business Interruption Loss, Claims Expenses, Criminal Reward Funds, Cyber Extortion Loss, Damages, Data Recovery Costs, Dependent Business Loss, PCI Fines, Expenses and Costs, Penalties, loss covered under the eCrime insuring agreement and any other amounts covered under this Policy. Any Loss arising from the same or a series of related, repeated or continuing acts, errors, omissions, incidents or events will be considered a single Loss for the purposes of this Policy. With respect to the Breach Response and First Party Data & Network Loss insuring agreements, all acts, errors, omissions, incidents or events (or series of related, repeated or continuing acts, errors, omissions, incidents or events) giving rise to Loss in connection with such insuring agreements will be deemed to have been discovered at the time the first such act, error, omission, incident or event is discovered.
Media Activities means creating, displaying, broadcasting, disseminating or releasing Media Material by or on behalf of the Insured Organization to the public, including any blog, webcasts, websites, broadcast or cable stations, or social media web pages, created and maintained by or on behalf of the Insured Organization. Media Material means any information, including words, sounds, numbers, images or graphics, but will not include computer software or the actual goods, products or services described, illustrated or displayed in such Media Material. Media Wrongful Act means one or more of the following acts committed on or after the Retroactive Date and before the end of the Policy Period in the course of the Insured Organization’s performance of Media Activities, Professional Services or Tech Services: 1. defamation, libel, slander, product disparagement, trade libel, infliction of emotional distress, outrage, outrageous conduct, or other tort related to disparagement or harm to the reputation or character of any person or organization; 2. a violation of the rights of privacy of an individual, including false light, intrusion upon seclusion and public disclosure of private facts; 3. invasion or interference with an individual’s right of publicity, including misappropriation of any name, persona, voice or likeness for commercial advantage; 4. false arrest, detention or imprisonment; 5. invasion of or interference with any right to private occupancy, including trespass, wrongful entry or wrongful eviction; 6. plagiarism, piracy or misappropriation of ideas under implied contract; 7. infringement of copyright; 8. infringement of trade dress, domain name, title or slogan, or the dilution or infringement of trademark or service mark, or improper deep-linking or framing or infringement of domain name including cybersquatting violations; 9.
negligence regarding the content of any Media Activities, including harm caused through any reliance or failure to rely upon such content; 10. misappropriation of a trade secret; 11. unfair competition including a violation of Section 43(a) of the Lanham Act, but only if alleged in conjunction with and arising out of any of the acts listed in paragraphs 7. or 8. above. Merchant Services Agreement means any agreement between an Insured and a financial institution, credit/debit card company, credit/debit card processor or independent service operator enabling an Insured to accept credit card, debit card, prepaid card or other payment cards for payments or donations. Money means a medium of exchange in current use authorized or adopted by a domestic or foreign government as a part of its currency. Named Insured means the Named Insured listed in the Declarations. PCI Fines, Expenses and Costs means the monetary amount owed by the Insured Organization under the terms of a Merchant Services Agreement as a direct result of a suspected Data Breach. With the prior consent of the Underwriters, PCI Fines, Expenses and Costs includes reasonable and necessary legal costs and expenses incurred by the Insured Organization to appeal or negotiate an assessment of such monetary amount. PCI Fines, Expenses and Costs will not include any charge backs, interchange fees, discount fees or other fees unrelated to a Data Breach. Penalties means: 1. any monetary civil fine or penalty payable to a governmental entity that was imposed in a Regulatory Proceeding; and 2. 
amounts which the Insured is legally obligated to deposit in a fund as equitable relief for the payment of consumer claims due to an adverse judgment or settlement of a Regulatory Proceeding (including such amounts required to be paid into a “Consumer Redress Fund”); but will not include: (i) costs to remediate or improve Computer Systems; (ii) costs to establish, implement, maintain, improve or remediate security or privacy practices, procedures, programs or policies; (iii) audit, assessment, compliance or reporting costs; or (iv) costs to protect the confidentiality, integrity and/or security of Personally Identifiable Information or other information. The insurability of Penalties will be in accordance with the law in the applicable venue that most favors coverage for such Penalties. Period of Restoration means the 180-day period of time that begins upon the actual and necessary interruption of the Insured Organization’s business operations. Personally Identifiable Information means: 1. any information concerning an individual that is defined as personal information under any Breach Notice Law; and 2. an individual’s drivers license or state identification number, social security number, unpublished telephone number, and credit, debit or other financial account numbers in combination with associated security codes, access codes, passwords or PINs; if such information allows an individual to be uniquely and reliably identified or contacted or allows access to the individual’s financial account or medical record information. but will not include information that is lawfully made available to the general public.
Policy Period means the period of time between the inception date listed in the Declarations and the effective date of termination, expiration or cancellation of this Policy and specifically excludes any Optional Extension Period or any prior policy period or renewal period. Privacy Policy means the Insured Organization’s public declaration of its policy for collection, use, disclosure, sharing, dissemination and correction or supplementation of, and access to Personally Identifiable Information. Privacy Policy Violation means the failure by the Insured to comply with that part of a Privacy Policy that specifically: 1. prohibits or restricts the Insured Organization’s disclosure, sharing or selling of Personally Identifiable Information; 2. requires the Insured Organization to provide an individual access to Personally Identifiable Information or to correct incomplete or inaccurate Personally Identifiable Information after a request is made; 3. mandates procedures and requirements to prevent the loss of Personally Identifiable Information; 4. prevents or prohibits improper, intrusive or wrongful collection of Personally Identifiable Information from another person; 5. requires notice to a person of the Insured Organization’s collection or use of, or the nature of the collection or use of his or her Personally Identifiable Information; or 6. provides a person with the ability to assent to or withhold assent for (e.g. opt-in or opt-out) the Insured Organization’s collection or use of his or her Personally Identifiable Information; provided the Insured Organization has in force, at the time of such failure, a Privacy Policy that addresses those subsections above that are relevant to such Claim. Professional Services means professional services performed for others by or on behalf of the Insured Organization for a fee. 
Professional Services will not include activities performed by or on behalf of the Insured Organization as an accountant, architect, surveyor, health care provider, lawyer, insurance or real estate agent or broker, or civil or structural engineer. Regulatory Proceeding means a request for information, civil investigative demand, or civil proceeding brought by or on behalf of any federal, state, local or foreign governmental entity in such entity’s regulatory or official capacity. Retroactive Date means the applicable date listed in the Declarations. Securities means negotiable and non-negotiable instruments or contracts representing either Money or tangible property that has intrinsic value. Security Breach means a failure of computer security to prevent: 1. Unauthorized Access or Use of Computer Systems, including Unauthorized Access or Use resulting from the theft of a password from a Computer System or from any Insured; 2. a denial of service attack affecting Computer Systems; 3. with respect to coverage under the Liability insuring agreements, a denial of service attack affecting computer systems that are not owned, operated or controlled by an Insured; or 4. infection of Computer Systems by malicious code or transmission of malicious code from Computer Systems. Subsidiary means any entity: 1. which, on or prior to the inception date of this Policy, the Named Insured owns, directly or indirectly, more than 50% of the outstanding voting securities ("Management Control"); and 2.
which the Named Insured acquires Management Control after the inception date of this Policy; provided that: (i) the revenues of such entity do not exceed 15% of the Named Insured’s annual revenues; or (ii) if the revenues of such entity exceed 15% of the Named Insured’s annual revenues, then coverage under this Policy will be afforded for a period of 60 days, but only for any Claim that arises out of any act, error, omission, incident or event first occurring after the entity becomes so owned. Coverage beyond such 60 day period will only be available if the Named Insured gives the Underwriters written notice of the acquisition, obtains the written consent of Underwriters to extend coverage to the entity beyond such 60 day period and agrees to pay any additional premium required by Underwriters. This Policy provides coverage only for acts, errors, omissions, incidents or events that occur while the Named Insured has Management Control over an entity. System Failure means an unintentional and unplanned interruption of Computer Systems. System Failure will not include any interruption of computer systems resulting from (i) a Security Breach, or (ii) the interruption of any third party computer system. Tech Products means a computer or telecommunications hardware or software product, or related electronic product, that is created, manufactured or developed by the Insured Organization for others, or distributed, licensed, leased or sold by the Insured Organization to others, for compensation, including software updates, service packs and other maintenance releases provided for such products.
Tech & Professional Services Wrongful Act means any negligent act, error, omission, misstatement, misleading statement, misrepresentation or unintentional breach of a contractual obligation by the Insured, or by any person or entity for whom the Insured is legally liable, in rendering or failing to render Professional Services or Tech Services that occurs on or after the Retroactive Date and before the end of the Policy Period, but does not mean a Media Wrongful Act. Tech Product Wrongful Act means: 1. any negligent act, error, omission, misstatement, misleading statement, misrepresentation or unintentional breach of a contractual obligation by the Insured that results in the failure of Tech Products to perform the function or serve the purpose intended; or 2. software copyright infringement by the Insured with respect to Tech Products; that occurs on or after the Retroactive Date and before the end of the Policy Period. Tech Services means computer, cloud computing, and electronic technology services, including: 1. data processing, software as a service (SaaS), platform as a service (PaaS), infrastructure as a service (IaaS), network as a service (NaaS); 2. data and application hosting, computer systems analysis, and technology consulting and training; or 3. custom software programming for a specific client of the Insured Organization and, computer and software systems installation and integration; performed by the Insured, or by others acting under the Insured Organization’s trade name, for others for a fee. Telephone Fraud means the act of a third party gaining access to and using the Insured Organization’s telephone system in an unauthorized manner. Third Party Information means any trade secret, data, design, interpretation, forecast, formula, method, practice, credit or debit card magnetic strip information, process, record, report or other item of information of a third party not insured under this Policy which is not available to the general public. 
Transfer Account means an account maintained by the Insured Organization at a Financial Institution from which the Insured Organization can initiate the transfer, payment or delivery of Money or Securities. Unauthorized Access or Use means the gaining of access to or use of Computer Systems by an unauthorized person(s) or the use of Computer Systems in an unauthorized manner. Unauthorized Disclosure means the disclosure of (including disclosure resulting from phishing) or access to information in a manner that is not authorized by the Insured Organization and is without knowledge of, consent or acquiescence of any member of the Control Group. Waiting Period means the period of time that begins upon the actual interruption of the Insured Organization’s business operations caused by a Security Breach, System Failure, Dependent Security Breach or Dependent System Failure, and ends after the elapse of the number of hours listed as the Waiting Period in the Declarations. EXCLUSIONS The coverage under this Policy will not apply to any Loss arising out of: Bodily Injury or Property Damage 1. physical injury, sickness, disease or death of any person, including any mental anguish or emotional distress resulting from such physical injury, sickness, disease or death; or 2. physical injury to or destruction of any tangible property, including the loss of use thereof; but electronic data will not be considered tangible property; Deceptive Business Practices, Antitrust & Consumer Protection any actual or alleged false, deceptive or unfair trade practices, antitrust violation, restraint of trade, unfair competition (except as provided under part 3.
of the Media, Tech, Data & Network Liability insuring agreement), violation of consumer protection law, false, deceptive or misleading advertising, inaccurate cost estimates or failure of goods or services to conform with any represented quality or performance, or violation of the Sherman Antitrust Act, the Clayton Act, or the Robinson-Patman Act; but this exclusion will not apply to: 1. the Breach Response insuring agreement; or 2. coverage for a Data Breach or Security Breach, provided no member of the Control Group participated or colluded in such Data Breach or Security Breach; Distribution of Information the distribution of unsolicited email, text messages, direct mail, facsimiles or other communications, wire tapping, audio or video recording, or telemarketing, if such distribution, wire tapping, recording or telemarketing is done by or on behalf of the Insured Organization; but this exclusion will not apply to Claims Expenses incurred in defending the Insured against allegations of unlawful audio or video recording; Prior Known Acts & Prior Noticed Claims 1. any act, error, omission, incident or event committed or occurring prior to the inception date of this Policy if any member of the Control Group on or before the Continuity Date knew or could have reasonably foreseen that such act, error or omission, incident or event might be expected to be the basis of a Claim or Loss; 2. any Claim, Loss, incident or circumstance for which notice has been provided under any prior policy of which this Policy is a renewal or replacement; Racketeering, Benefit Plans, Employment Liability & Discrimination 1. any actual or alleged violation of the Organized Crime Control Act of 1970 (commonly known as Racketeer Influenced and Corrupt Organizations Act or RICO), as amended; 2.
any actual or alleged acts, errors or omissions related to any of the Insured Organization’s pension, healthcare, welfare, profit sharing, mutual or investment plans, funds or trusts; 3. any employer-employee relations, policies, practices, acts or omissions, or any actual or alleged refusal to employ any person, or misconduct with respect to employees; or 4. any actual or alleged discrimination; but this exclusion will not apply to coverage under the Breach Response insuring agreement or coverage for a Data Breach or Security Breach, provided no member of the Control Group participated or colluded in such Data Breach or Security Breach; Sale or Ownership of Securities & Violation of Securities Laws 1. the ownership, sale or purchase of, or the offer to sell or purchase stock or other securities; or 2. an actual or alleged violation of a securities law or regulation; Criminal, Intentional or Fraudulent Acts any criminal, dishonest, fraudulent, or malicious act or omission, or intentional or knowing violation of the law, if committed by an Insured, or by others if the Insured colluded or participated in any such conduct or activity; but this exclusion will not apply to: 1. Claims Expenses incurred in defending any Claim alleging the foregoing until there is a final non-appealable adjudication establishing such conduct; or 2. with respect to a natural person Insured, if such Insured did not personally commit, participate in or know about any act, error, omission, incident or event giving rise to such Claim or Loss. For purposes of this exclusion, only acts, errors, omissions or knowledge of a member of the Control Group will be imputed to the Insured Organization; Patent & Misappropriation of Information 1. infringement, misuse or abuse of patent or patent rights; 2. misappropriation of trade secret arising out of or related to Tech Products or any other products; 3. 
with respect to any Data & Network Wrongful Act, misappropriation of any Third Party Information (i) by or on behalf of the Insured Organization, or (ii) by any other person or entity if such misappropriation is done with the knowledge, consent or acquiescence of a member of the Control Group; or 4. disclosure, misuse or misappropriation of any ideas, trade secrets or confidential information that came into the possession of any person or entity prior to the date he or she became an Insured or Subsidiary of the Insured Organization; Governmental Actions a Claim brought by or on behalf of any state, federal, local or foreign governmental entity, in such entity’s regulatory or official capacity; but this exclusion will not apply to the Regulatory Defense & Penalties insuring agreement, or any Claim made against the Insured Organization by a governmental entity solely in its capacity as a customer of the Insured Organization; Other Insureds & Related Enterprises a Claim made by or on behalf of: 1. any Insured; but this exclusion will not apply to a Claim made by an individual that is not a member of the Control Group for a Data & Network Wrongful Act, or a Claim made by an Additional Insured; or 2. any business enterprise in which any Insured has greater than 15% ownership interest or made by any parent company or other entity which owns more than 15% of the Named Insured; Trading Losses & Loss of Money 1. any trading losses, trading liabilities or change in value of accounts; 2. any loss, transfer or theft of monies, securities or tangible property of the Insured or others in the care, custody or control of the Insured Organization; or 3.
the monetary value of any transactions or electronic fund transfers by or on behalf of the Insured which is lost, diminished, or damaged during transfer from, into or between accounts; but this exclusion will not apply to coverage under the eCrime insuring agreement; Contractual with respect to coverage under parts 1. and 3. of the Media, Tech, Data & Network Liability insuring agreement: any obligation the Insured has under contract; but this exclusion will not apply to: 1. the obligation to perform Professional Services or Tech Services; 2. a Claim for misappropriation of ideas under implied contract, or 3. to the extent the Insured would have been liable in the absence of such contract; Retroactive Date any related or continuing act, error, omission, misstatement, misleading statement, misrepresentation, unintentional breach of a contractual obligation, incident or event where the first such act, error, omission, misstatement, misleading statement,
misrepresentation or unintentional breach of a contractual obligation, incident or event was committed or occurred prior to the Retroactive Date; Recall any costs or expenses incurred or to be incurred by the Insured or others for the reprinting, reposting, recall, inspection, repair, replacement, removal or disposal of any Tech Products, Media Material or work product, including when resulting from or incorporating the results of Professional Services or Tech Services; but this exclusion will not apply to the resulting loss of use of such Tech Products, Media Material or work product resulting from or incorporating the results of Professional Services or Tech Services; Infrastructure Failure failure or malfunction of satellites or of power, utility, mechanical or telecommunications (including internet) infrastructure or services that are not under the Insured Organization’s direct operational control; Licensing Bodies & Joint Ventures 1. the actual or alleged obligation to make licensing fee or royalty payments; or any Claim brought by or on behalf of any intellectual property licensing bodies or organizations; 2. any Claim made by or on behalf of any independent contractor, joint venturer or venture partner arising out of or resulting from disputes over ownership of rights in Media Material or services provided by such independent contractor, joint venturer or venture partner; Over-Redemption 1. any actual or alleged gambling, contest, lottery, promotional game or other game of chance; or 2. the value of coupons, price discounts, prizes, awards, or any other valuable consideration given in excess of the total contracted or expected amount; First Party Data & Network Loss with respect to the First Party Data & Network Loss insuring agreements: 1. seizure, nationalization, confiscation, or destruction of property or data by order of any governmental or public authority; 2.
costs or expenses incurred by the Insured to identify or remediate software program errors or vulnerabilities or update, replace, restore, assemble, reproduce, recollect or enhance data or Computer Systems to a level beyond that which existed prior to a Security Breach, System Failure, Dependent Security Breach, Dependent System Failure or Extortion Threat; 3. fire, flood, earthquake, volcanic eruption, explosion, lightning, wind, hail, tidal wave, landslide, act of God or other physical event. LIMIT OF LIABILITY AND COVERAGE The Policy Aggregate Limit of Liability listed in the Declarations (the “Policy Aggregate Limit of Liability”) is the Underwriters’ combined total limit of liability for all Loss payable under this Policy. The limit of liability payable under each insuring agreement will be an amount equal to the Policy Aggregate Limit of Liability unless another amount is listed in the Declarations. Such amount is the aggregate amount payable under this Policy pursuant to such insuring agreement and is part of, and not in addition to, the Policy Aggregate Limit of Liability. All Dependent Business Loss payable under this Policy is part of and not in addition to the Business Interruption Loss limit listed in the Declarations. The Underwriters will not be obligated to pay any Loss, or to defend any Claim, after the Policy Aggregate Limit of Liability has been exhausted, or after deposit of the Policy Aggregate Limit of Liability in a court of competent jurisdiction. RETENTIONS The Retention listed in the Declarations applies separately to each act, error, omission, incident, event or related acts, errors, omissions, incidents or events giving rise to a Claim or Loss. The Retention will be satisfied by monetary payments by the Named Insured of covered Loss under each insuring agreement.
If any Loss arising out of an incident or Claim is subject to more than one Retention, the Retention for each applicable insuring agreement will apply to such Loss, provided that the sum of such Retention amounts will not exceed the largest applicable Retention amount. Coverage for Business Interruption Loss and Dependent Business Loss will apply after the Waiting Period has elapsed and the Underwriters will then indemnify the Named Insured for all Business Interruption Loss and Dependent Business Loss sustained during the Period of Restoration in excess of the Retention. Satisfaction of the applicable Retention is a condition precedent to the payment of any Loss under this Policy, and the Underwriters will be liable only for the amounts in excess of such Retention. OPTIONAL EXTENSION PERIOD Upon non-renewal or cancellation of this Policy for any reason except the non-payment of premium, the Named Insured will have the right to purchase, for additional premium in the amount of the Optional Extension Premium percentage listed in the Declarations of the full Policy Premium listed in the Declarations, an Optional Extension Period for the period of time listed in the Declarations. Coverage provided by such Optional Extension Period will only apply to Claims first made against any Insured during the Optional Extension Period and reported to the Underwriters during the Optional Extension Period, and arising out of any act, error or omission committed on or after the Retroactive Date (if applicable) and before the end of the Policy Period. In order for the Named Insured to invoke the Optional Extension Period option, the payment of the additional premium for the Optional Extension Period must be paid to the Underwriters within 60 days of the termination of this Policy. The purchase of the Optional Extension Period will in no way increase the Policy Aggregate Limit of Liability or any sublimit of liability. 
At the commencement of the Optional Extension Period the entire premium will be deemed earned, and in the event the Named Insured terminates the Optional Extension Period for any reason prior to its natural expiration, the Underwriters will not be liable to return any premium paid for the Optional Extension Period. All notices and premium payments with respect to the Optional Extension Period option will be directed to the Underwriters through the entity listed for Administrative Notice in the Declarations. GENERAL CONDITIONS Notice of Claim or Loss The Insured must notify the Underwriters of any Claim as soon as practicable, but in no event later than: (i) 60 days after the end of the Policy Period; or (ii) the end of the Optional Extension Period (if applicable). Notice must be provided through the contacts listed for Notice of Claim, Loss or Circumstance in the Declarations. With respect to Breach Response Costs, the Insured must notify the Underwriters of any actual or reasonably suspected Data Breach or Security Breach as soon as practicable after discovery by the Insured, but in no event later than 60 days after the end of the Policy Period. Notice must be provided through the contacts listed for Notice of Claim, Loss or Circumstance in the Declarations. Notice of an actual or reasonably suspected Data Breach or Security Breach in conformance with this paragraph will also constitute notice of a circumstance that could reasonably be the basis for a Claim. With respect to Cyber Extortion Loss, the Named Insured must notify the Underwriters via the email address listed in the Notice of Claim, Loss or Circumstance in the Declarations as soon as practicable after discovery of an Extortion Threat but no later than 60 days after the end of the Policy Period. The Named Insured must obtain the Underwriters’ consent prior to incurring Cyber Extortion Loss.
With respect to Data Recovery Costs, Business Interruption Loss and Dependent Business Loss the Named Insured must notify the Underwriters through the contacts for Notice of Claim, Loss or Circumstance in the Declarations as soon as practicable after discovery of the circumstance, incident or event giving rise to such loss. The Named Insured will provide the Underwriters a proof of Data Recovery Costs, Business Interruption Loss and Dependent Business Loss, and this Policy will cover the reasonable and necessary costs, not to exceed USD 50,000, that the Named Insured incurs to contract with a third party to prepare such proof. All loss described in this paragraph must be reported, and all proofs of loss must be provided, to the Underwriters no later than 6 months after the end of the Policy Period. The Named Insured must notify the Underwriters of any loss covered under the eCrime insuring agreement as soon as practicable, but in no event later than 60 days after the end of the Policy Period. Notice must be provided through the contacts listed for Notice of Claim, Loss or Circumstance in the Declarations. Any Claim arising out of a Loss that is covered under the Breach Response, First Party Data & Network Loss or eCrime insuring agreements and that is reported to the Underwriters in conformance with the foregoing will be considered to have been made during the Policy Period. Beazley Breach Response Services The Underwriters’ dedicated business unit focused exclusively on helping Insureds successfully prepare for and respond to actual or suspected Data Breaches and Security Breaches (the “Beazley Breach Response Services Team”) will be available to assist the Named Insured in responding to an actual or suspected Data Breach or Security Breach.
The Beazley Breach Response Services Team will work in collaboration with the Named Insured to triage and assess the severity of a data breach incident, while assisting the coordination of the range of resources and services the Named Insured may need to meet legal requirements and maintain customer confidence. The Beazley Breach Response Services Team may be reached via email at: bbr.claims@beazley.com or via a toll-free 24-Hour Hotline: (866) 567-8570. The Named Insured will have access, via the Beazley Breach Response Services Team, to the Underwriters’ network of third party breach response service providers, products and services to respond to an actual or suspected Data Breach or Security Breach. Coverage for the costs of products and services provided by any breach response service provider is subject to the terms and conditions of this Policy. The Named Insured will also have access to educational and loss control information and services made available by the Underwriters from time to time and includes access to beazleybreachsolutions.com, a dedicated portal through which it can access news and information regarding breach response planning, data and network security threats, best practices in protecting data and networks, offers from third party service providers, and related information, tools and services. The Named Insured will also have access to communications addressing timely topics in data security, loss prevention and other areas. Notwithstanding the foregoing, an actual or suspected Data Breach or Security Breach must be reported to the Underwriters in accordance with the Notice of Claim or Loss clause in order for such incident to be eligible for coverage under the Breach Response insuring agreement. 
Assistance from and access to the Beazley Breach Response Services Team will terminate after the Policy Aggregate Limit of Liability has been exhausted, or after deposit of the Policy Aggregate Limit of Liability in a court of competent jurisdiction. Notice of Circumstance With respect to any circumstance that could reasonably be the basis for a Claim, the Insured may give written notice of such circumstance to the Underwriters through the contacts listed for Notice of Claim, Loss or Circumstance in the Declarations as soon as practicable during the Policy Period. Such notice must include: 1. the specific details of the act, error, omission or event that could reasonably be the basis for a Claim; 2. the injury or damage which may result or has resulted from the circumstance; and 3. the facts by which the Insured first became aware of the act, error, omission or event. Any subsequent Claim made against the Insured arising out of any circumstance reported to Underwriters in conformance with the foregoing will be considered to have been made at the time written notice complying with the above requirements was first given to the Underwriters during the Policy Period. Defense of Claims Except with respect to coverage under the Payment Card Liabilities & Costs insuring agreement, the Underwriters have the right and duty to defend any covered Claim or Regulatory Proceeding. Defense counsel will be mutually agreed by the Named Insured and the Underwriters but, in the absence of such agreement, the Underwriters’ decision will be final. With respect to the Payment Card Liabilities & Costs insuring agreement, coverage will be provided on an indemnity basis and legal counsel will be mutually agreed by the Named Insured and the Underwriters.
The Underwriters will pay actual loss of salary and reasonable expenses resulting from the attendance by a corporate officer of the Insured Organization at any mediation meetings, arbitration proceedings, hearings, depositions, or trials relating to the defense of any Claim, subject to a maximum of USD 2,000 per day and USD 100,000 in the aggregate, which amounts will be part of and not in addition to the Policy Aggregate Limit of Liability. Settlement of Claims If the Insured refuses to consent to any settlement recommended by the Underwriters and acceptable to the claimant, the Underwriters’ liability for such Claim will not exceed: 1. the amount for which the Claim could have been settled, less the remaining Retention, plus the Claims Expenses incurred up to the time of such refusal; plus 2. sixty percent (60%) of any Claims Expenses incurred after the date such settlement or compromise was recommended to the Insured plus sixty percent (60%) of any Damages, Penalties and PCI Fines, Expenses and Costs above the amount for which the Claim could have been settled; and the Underwriters will have the right to withdraw from the further defense of such Claim. The Insured may settle any Claim where the Damages, Penalties, PCI Fines, Expenses and Costs and Claims Expenses do not exceed 50% of the Retention, provided that the entire Claim is resolved and the Insured obtains a full release on behalf of all Insureds from all claimants. Assistance and Cooperation The Underwriters will have the right to make any investigation they deem necessary, and the Insured will cooperate with the Underwriters in all investigations, including investigations regarding coverage under this Policy and the information and materials provided to the underwriters in connection with the underwriting and issuance of this Policy. The Insured will execute or cause to be executed all papers and render all assistance as is requested by the Underwriters. 
The Insured agrees not to take any action which in any way increases the Underwriters’ exposure under this Policy. Expenses incurred by the Insured in assisting and cooperating with the Underwriters do not constitute Claims Expenses under the Policy. The Insured will not admit liability, make any payment, assume any obligations, incur any expense, enter into any settlement, stipulate to any judgment or award or dispose of any Claim without the written consent of the Underwriters, except as specifically provided in the Settlement of Claims clause above. Compliance with a Breach Notice Law will not be considered an admission of liability. Subrogation If any payment is made under this Policy and there is available to the Underwriters any of the Insured’s rights of recovery against any other party, then the Underwriters will maintain all such rights of recovery. The Insured will do whatever is reasonably necessary to secure such rights and will not do anything after an incident or event giving rise to a Claim or Loss to prejudice such rights. If the Insured has waived its right to subrogate against a third party through written agreement made before an incident or event giving rise to a Claim or Loss has occurred, then the Underwriters waive their rights to subrogation against such third party. Any recoveries will be applied first to subrogation expenses, second to Loss paid by the Underwriters, and lastly to the Retention. Any additional amounts recovered will be paid to the Named Insured. Other Insurance The insurance under this Policy will apply in excess of any other valid and collectible insurance available to any Insured unless such other insurance is written only as specific excess insurance over this Policy.
Provided, however, this Policy will become primary and non-contributory insurance as respects any insurance maintained by an Additional Insured if primary insurance is required by a contract in place between the Additional Insured and the Insured Organization, but only with respect to any Claim arising solely from the Media, Tech, Data & Network Liability insuring agreements. Action Against the Underwriters No action will lie against the Underwriters or the Underwriters' representatives unless and until, as a condition precedent thereto, the Insured has fully complied with all provisions, terms and conditions of this Policy and the amount of the Insured’s obligation to pay has been finally determined either by judgment or award against the Insured after trial, regulatory proceeding, arbitration or by written agreement of the Insured, the claimant, and the Underwriters. No person or organization will have the right under this Policy to join the Underwriters as a party to an action or other proceeding against the Insured to determine the Insured’s liability, nor will the Underwriters be impleaded by the Insured or the Insured’s legal representative. The Insured’s bankruptcy or insolvency of the Insured’s estate will not relieve the Underwriters of their obligations hereunder. Entire Agreement By acceptance of the Policy, all Insureds agree that this Policy embodies all agreements between the Underwriters and the Insured relating to this Policy. Notice to any agent, or knowledge possessed by any agent or by any other person, will not effect a waiver or a change in any part of this Policy or stop the Underwriters from asserting any right under the terms of this Policy; nor will the terms of this Policy be waived or changed, except by endorsement issued to form a part of this Policy signed by the Underwriters. 
Mergers or Consolidations If during the Policy Period the Named Insured consolidates or merges with or is acquired by another entity, or sells more than 50% of its assets to another entity, then this Policy will continue to remain in effect through the end of the Policy Period, but only with respect to events, acts or incidents that occur prior to such consolidation, merger or acquisition. There will be no coverage provided by this Policy for any other Claim or Loss unless the Named Insured provides written notice to the Underwriters prior to such consolidation, merger or acquisition, the Named Insured has agreed to any additional premium and terms of coverage required by the Underwriters and the Underwriters have issued an endorsement extending coverage under this Policy. Assignment The interest hereunder of any Insured is not assignable. If the Insured dies or is adjudged incompetent, such insurance will cover the Insured’s legal representative as if such representative were the Insured, in accordance with the terms and conditions of this Policy. Cancellation This Policy may be cancelled by the Named Insured by giving written notice to the Underwriters through the entity listed for Administrative Notice in the Declarations stating when the cancellation will be effective. This Policy may be cancelled by the Underwriters by mailing to the Named Insured at the address listed in the Declarations written notice stating when such cancellation will be effective. Such date of cancellation will not be less than 60 days (or 10 days for cancellation due to non-payment of premium) after the date of notice.
If this Policy is canceled in accordance with the paragraphs above, the earned premium will be computed pro rata; but the premium will be deemed fully earned if any Claim, or any circumstance that could reasonably be the basis for a Claim or Loss, is reported to the Underwriters on or before the date of cancellation. Payment or tender of unearned premium is not a condition of cancellation. Singular Form of a Word Whenever the singular form of a word is used herein, the same will include the plural when required by context. Headings The titles of paragraphs, clauses, provisions or endorsements of or to this Policy are intended solely for convenience and reference, and are not deemed in any way to limit or expand the provisions to which they relate and are not part of the Policy. Representation by the Insured All Insureds agree that the statements contained in the information and materials provided to the Underwriters in connection with the underwriting and issuance of this Policy are true, accurate and are not misleading, and that the Underwriters issued this Policy, and assume the risks hereunder, in reliance upon the truth thereof. Named Insured as Agent The Named Insured will be considered the agent of all Insureds, and will act on behalf of all Insureds with respect to the giving of or receipt of all notices pertaining to this Policy, and the acceptance of any endorsements to this Policy. The Named Insured is responsible for the payment of all premiums and Retentions and for receiving any return premiums. A01779MD 022019 ed. MARYLAND AMENDATORY ENDORSEMENT This endorsement modifies insurance provided under the following: 1. The first paragraph of OPTIONAL EXTENSION PERIOD is amended by the addition of the following: The Optional Extension Period offered by the Underwriter pursuant to this section shall include an offer of an Optional Extension Period for an unlimited duration.
In addition to this offer, the Underwriter shall offer an Optional Extension Period for a lesser duration. 2. GENERAL CONDITIONS, Settlement of Claims is deleted in its entirety and replaced with the following: If the Insured shall refuse to consent to any settlement or compromise recommended by the Underwriters and acceptable to the claimant and elects to contest the Claim and the Insured’s refusal to consent results in actual prejudice to Underwriters, the Underwriters’ liability for any Damages, Penalties and Claims Expenses shall not exceed: 1. the amount for which the Claim could have been settled, less the remaining Retention, plus the Claims Expenses incurred up to the time of such refusal; plus 2. fifty percent (50%) of any Claims Expenses incurred after the date such settlement or compromise was recommended to the Insured plus fifty percent (50%) of any Damages or Penalties above the amount for which the Claim could have been settled. The remaining fifty percent (50%) of such Claims Expenses, Damages or Penalties must be borne by the Insured at their own risk and uninsured; or the applicable Limit of Liability, whichever is less, and the Underwriters shall have the right to withdraw from the further defense thereof by tendering control of said defense to the Insured. The portion of any proposed settlement or compromise that requires the Insured to cease, limit or refrain from actual or alleged infringing or otherwise injurious activity or is attributable to future royalties or other amounts that are not Damages (or Penalties for Claims covered under INSURING AGREEMENTS, Regulatory Defense & Penalties) shall not be considered in determining the amount for which a Claim could have been settled.
The Insured may settle any Claim where the Damages, Penalties, PCI Fines, Expenses and Costs and Claims Expenses do not exceed 50% of the Retention, provided that the entire Claim is resolved and the Insured obtains a full release on behalf of all Insureds from all claimants. 3. GENERAL CONDITIONS, Cancellation is deleted in its entirety and replaced with the following: Cancellation/Nonrenewal This Policy may be cancelled by the Named Insured by giving written notice to the Underwriters through the entity listed for Administrative Notice in the Declarations stating when the cancellation will be effective. Effective date of this Endorsement: 19-Mar-2020 This Endorsement is attached to and forms a part of Policy Number: VG00003015AA Beazley Insurance Company, Inc. referred to in this endorsement as either the “Insurer” or the “Underwriters” Beazley MediaTech The Underwriters may cancel this Policy for any reason by mailing by certificate of mailing to the Named Insured at the address shown in the Declarations written notice stating when, not less than forty-five (45) days thereafter, such cancellation shall be effective. However, if the Underwriters cancel this Policy because the Insured has failed to pay a premium when due, this Policy may be cancelled by the Underwriters by mailing by certificate of mailing a written notice of cancellation to the Named Insured at the address shown in the Declarations stating when not less than ten (10) days thereafter such cancellation shall be effective. The notice of cancellation shall state the reason for cancellation. The mailing of such notice shall be sufficient notice and the effective date of cancellation stated in the notice shall become the end of the Policy Period.
If this Policy is canceled in accordance with the paragraphs above, the earned premium will be computed pro rata; but the premium will be deemed fully earned if any Claim, or any circumstance that could reasonably be the basis for a Claim or Loss, is reported to the Underwriters on or before the date of cancellation. Payment or tender of unearned premium is not a condition of cancellation. If this Policy is financed by a premium finance company, and the Underwriters, the premium finance company or the Named Insured cancels the Policy, the refund will be pro rata excluding any expense constant, administrative fee or nonrefundable charge filed with and approved by the Insurance Commissioner. If the Underwriters decide not to renew this Policy, the Insurer shall mail by certificate of mailing, written notice to the Named Insured at the address shown in the Declarations at least sixty (60) days before the end of the Policy Period. The notice of nonrenewal shall state the reason for nonrenewal. The regulatory requirements set forth in this Amendatory Endorsement shall supersede and take precedence over any provisions of this Policy or any endorsement to this Policy, whenever added, that are inconsistent with or contrary to the provisions of this Amendatory Endorsement, unless such Policy or endorsement provisions comply with the applicable insurance laws of this state. All other terms and conditions of this Policy remain unchanged. 
Authorized Representative Effective date of this Endorsement: 19-Mar-2020 This Endorsement is attached to and forms a part of Policy Number: VG00003015AA Beazley Insurance Company, Inc. referred to in this endorsement as either the “Insurer” or the “Underwriters” NUCLEAR EXCLUSION This endorsement modifies insurance provided under the following: Beazley MediaTech In consideration of the premium charged for the Policy, it is hereby understood and agreed that this Policy does not apply: I. Under any Liability Coverage, to injury, sickness, disease, death or destruction: (a) with respect to which an insured under the Policy is also an insured under a nuclear energy liability policy issued by Nuclear Energy Liability Insurance Association, Mutual Atomic Energy Liability Underwriters or Nuclear Insurance Association of Canada, or would be an insured under any such policy but for its termination upon exhaustion of its limit of liability; or (b) resulting from the hazardous properties of nuclear material and with respect to which (1) any person or organization is required to maintain financial protection pursuant to the Atomic Energy Act of 1954, or any law amendatory thereof, or (2) the insured is, or had this Policy not been issued would be, entitled to indemnity from the United States of America, or any agency thereof, under any agreement entered into by the United States of America, or any agency thereof, with any person or organization. II. Under any Medical Payments Coverage, or under any Supplementary Payments Provision relating to immediate medical or surgical relief, to expenses incurred with respect to bodily injury, sickness, disease or death resulting from the hazardous properties of nuclear material and arising out of the operation of a nuclear facility by any person or organization. III. 
Under any Liability Coverage, to injury, sickness, disease, death or destruction resulting from the hazardous properties of nuclear material, if: (a) the nuclear material (1) is at any nuclear facility owned by, or operated by or on behalf of, an insured or (2) has been discharged or dispersed therefrom; (b) the nuclear material is contained in spent fuel or waste at any time possessed, handled, used, processed, stored, transported or disposed of by or on behalf of an insured; or (c) the injury, sickness, disease, death or destruction arises out of the furnishing by an insured of services, materials, parts or equipment in connection with the planning, construction, maintenance, operation or use of any nuclear facility, but if such facility is located within the United States of America, its territories or possessions or Canada, this exclusion (c) applies only to injury to or destruction of property at such nuclear facility. IV. As used in this endorsement: "hazardous properties" include radioactive, toxic or explosive properties; "nuclear material" means source material, special nuclear material or by-product material; "source material", "special nuclear material", and "by-product material" have the meanings given them in the Atomic Energy Act 1954 or in any law amendatory thereof; "spent fuel" means any fuel element or fuel component, solid or liquid, which has been used or exposed to radiation in a nuclear reactor; "waste" means any waste material (1) containing by-product material and (2) resulting from the operation by any person or organization of any nuclear facility included within the definition of nuclear facility under paragraph (a) or (b) thereof; "nuclear facility" means: (a) any nuclear reactor, (b) any equipment or device designed or used for (1) separating the isotopes of uranium or plutonium, (2) processing or utilizing spent fuel, or (3) handling, processing or 
packaging waste, (c) any equipment or device used for the processing, fabricating or alloying of special nuclear material if at any time the total amount of such material in the custody of the insured at the premises where such equipment or device is located consists of or contains more than 25 grams of plutonium or uranium 233 or any combination thereof, or more than 250 grams of uranium 235, (d) any structure, basin, excavation, premises or place prepared or used for the storage or disposal of waste, and includes the site on which any of the foregoing is located, all operations conducted on such site and all premises used for such operations; "nuclear reactor" means any apparatus designed or used to sustain nuclear fission in a self-supporting chain reaction or to contain a critical mass of fissionable material. With respect to injury to or destruction of property, the word "injury" or "destruction" includes all forms of radioactive contamination of property. BICMU05090406 All other terms and conditions of this Policy remain unchanged. Authorized Representative Effective date of this Endorsement: 19-Mar-2020 This Endorsement is attached to and forms a part of Policy Number: VG00003015AA Beazley Insurance Company, Inc. referred to in this endorsement as either the “Insurer” or the “Underwriters” E02804MD 082014 ed. All other terms and conditions of this Policy remain unchanged. Authorized Representative SANCTION LIMITATION AND EXCLUSION CLAUSE - MARYLAND This endorsement modifies insurance provided under the following: Beazley MediaTech Beazley Insurance Company, Inc. shall not be deemed to provide coverage and shall not be liable to pay any claim or provide any benefit hereunder to the extent that the provision of such coverage, payment of such claim or provision of such benefit would expose Beazley Insurance Company, Inc. 
to any sanction, prohibition or restriction under United Nations resolutions or the trade or economic sanctions, law or regulations of the United States of America or on the list of Specially Designated National and Blocked Persons issued by the United States Treasury Department’s Office of Foreign Asset Control (OFAC). In accordance with OFAC regulations, if it is determined that you or any other insured, or any person or entity claiming the benefits of this insurance has violated U.S. sanctions law or is a Specially Designated National and Blocked Person, as identified by OFAC, this insurance will be considered a blocked or frozen contract and all provisions of this insurance are immediately subject to OFAC. When an insurance policy is considered to be such a blocked or frozen contract, no payments nor premium refunds may be made without authorization from OFAC. Other limitations on the premiums and payments also apply. Effective date of this Endorsement: 19-Mar-2020 This Endorsement is attached to and forms a part of Policy Number: VG00003015AA Beazley Insurance Company, Inc. referred to in this endorsement as either the “Insurer” or the “Underwriters” E12254 022019 ed. 
WAR AND CIVIL WAR EXCLUSION This endorsement modifies insurance provided under the following: Beazley MediaTech In consideration of the premium charged for the Policy, it is hereby understood and agreed that EXCLUSIONS is amended to include: War and Civil War or resulting from, directly or indirectly occasioned by, happening through or in consequence of: war, invasion, acts of foreign enemies, hostilities (whether war be declared or not), civil war, rebellion, revolution, insurrection, military or usurped power or confiscation or nationalization or requisition or destruction of or damage to property by or under the order of any government or public or local authority; provided, that this exclusion will not apply to Cyber Terrorism. For purposes of this exclusion, “Cyber Terrorism” means the premeditated use of disruptive activities, or threat to use disruptive activities, against a computer system or network with the intention to cause harm, further social, ideological, religious, political or similar objectives, or to intimidate any person(s) in furtherance of such objectives. All other terms and conditions of this Policy remain unchanged. Authorized Representative Effective date of this Endorsement: 19-Mar-2020 This Endorsement is attached to and forms a part of Policy Number: VG00003015AA Beazley Insurance Company, Inc. referred to in this endorsement as either the “Insurer” or the “Underwriters” E12287 022019 ed. ASBESTOS, POLLUTION, AND CONTAMINATION EXCLUSION ENDORSEMENT This endorsement modifies insurance provided under the following: Beazley MediaTech In consideration of the premium charged for the Policy, it is hereby understood and agreed that the coverage under this Policy will not apply to any Loss arising out of either in whole or in part, directly or indirectly arising out of or resulting from or in consequence of, or in any way involving: 1. 
asbestos, or any materials containing asbestos in whatever form or quantity; 2. the actual, potential, alleged or threatened formation, growth, presence, release or dispersal of any fungi, molds, spores or mycotoxins of any kind; any action taken by any party in response to the actual, potential, alleged or threatened formation, growth, presence, release or dispersal of fungi, molds, spores or mycotoxins of any kind, such action to include investigating, testing for, detection of, monitoring of, treating, remediating or removing such fungi, molds, spores or mycotoxins; and any governmental or regulatory order, requirement, directive, mandate or decree that any party take action in response to the actual, potential, alleged or threatened formation, growth, presence, release or dispersal of fungi, molds, spores or mycotoxins of any kind, such action to include investigating, testing for, detection of, monitoring of, treating, remediating or removing such fungi, molds, spores or mycotoxins; The Underwriters will have no duty or obligation to defend any Insured with respect to any Claim or governmental or regulatory order, requirement, directive, mandate or decree which either in whole or in part, directly or indirectly, arises out of or results from or in consequence of, or in any way involves the actual, potential, alleged or threatened formation, growth, presence, release or dispersal of any fungi, molds, spores or mycotoxins of any kind; 3. the existence, emission or discharge of any electromagnetic field, electromagnetic radiation or electromagnetism that actually or allegedly affects the health, safety or condition of any person or the environment, or that affects the value, marketability, condition or use of any property; or 4. 
the actual, alleged or threatened discharge, dispersal, release or escape of Pollutants; or any governmental, judicial or regulatory directive or request that the Insured or anyone acting under the direction or control of the Insured test for, monitor, clean up, remove, contain, treat, detoxify or neutralize Pollutants. Pollutants means any solid, liquid, gaseous or thermal irritant or contaminant including gas, acids, alkalis, chemicals, heat, smoke, vapor, soot, fumes or waste. Waste includes but is not limited to materials to be recycled, reconditioned or reclaimed. All other terms and conditions of this Policy remain unchanged. Authorized Representative Effective date of this Endorsement: 19-Mar-2020 This Endorsement is attached to and forms a part of Policy Number: VG00003015AA Beazley Insurance Company, Inc. referred to in this endorsement as either the “Insurer” or the “Underwriters” E12228 022019 ed. AGGREGATE/MAINTENANCE RETENTION This endorsement modifies insurance provided under the following: Beazley MediaTech In consideration of the premium charged for the Policy, it is hereby understood and agreed that: 1. The maximum aggregate Retention for all Claims made during any Policy Year under this Policy shall be $15,000 provided, that the each Claim Retention set forth in item 3. below shall not be subject to any aggregate Retention. 2. For purposes of this endorsement, the term “Policy Year” means each 365 day period beginning with the Inception Date of the Policy Period and each such succeeding Policy Period, if any. 3. With respect to any Claim made in any Policy Year after the maximum aggregate Retention is reached for that Policy Year, the each Claim Retention shall be $0. All other terms and conditions of this Policy remain unchanged. 
Authorized Representative Effective date of this Endorsement: 19-Mar-2020 This Endorsement is attached to and forms a part of Policy Number: VG00003015AA Beazley Insurance Company, Inc. referred to in this endorsement as either the “Insurer” or the “Underwriters” E12266 022019 ed. AMEND DEFINITION OF FRAUDULENT INSTRUCTION This endorsement modifies insurance provided under the following: Beazley MediaTech In consideration of the premium charged for the Policy, it is hereby understood and agreed that the definition of Fraudulent Instruction is deleted in its entirety and replaced with the following: Fraudulent Instruction means the transfer, payment or delivery of Money or Securities by an Insured as a result of fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions provided by a third party, that is intended to mislead an Insured through the misrepresentation of a material fact which is relied upon in good faith by such Insured. Fraudulent Instruction will not include loss arising out of: 1. any actual or alleged use of credit, debit, charge, access, convenience, customer identification or other cards; 2. any transfer involving a third party who is not a natural person Insured, but had authorized access to the Insured’s authentication mechanism; 3. the processing of, or the failure to process, credit, check, debit, personal identification number debit, electronic benefit transfers or mobile payments for merchant accounts; 4. accounting or arithmetical errors or omissions, or the failure, malfunction, inadequacy or illegitimacy of any product or service; 5. any liability to any third party, or any indirect or consequential loss of any kind; 6. any legal costs or legal expenses; or 7. proving or establishing the existence of Fraudulent Instruction. All other terms and conditions of this Policy remain unchanged. 
Authorized Representative Effective date of this Endorsement: 19-Mar-2020 This Endorsement is attached to and forms a part of Policy Number: VG00003015AA Beazley Insurance Company, Inc. referred to in this endorsement as either the “Insurer” or the “Underwriters” E12269 022019 ed. All other terms and conditions of this Policy remain unchanged. Authorized Representative GDPR CYBER ENDORSEMENT This endorsement modifies insurance provided under the following: Beazley MediaTech In consideration of the premium charged for the Policy, it is hereby understood and agreed that the definition of Data & Network Wrongful Act is amended to include the following: 5. non-compliance with the following obligations under the EU General Data Protection Regulation: (i) Article 5.1(f), also known as the Security Principle; (ii) Article 32, Security of Processing; (iii) Article 33, Communication of a Personal Data Breach to the Supervisory Authority; or (iv) Article 34, Communication of a Personal Data Breach to the Data Subject. Effective date of this Endorsement: 19-Mar-2020 This Endorsement is attached to and forms a part of Policy Number: VG00003015AA Beazley Insurance Company, Inc. referred to in this endorsement as either the “Insurer” or the “Underwriters” E12289 022019 ed. COMPUTER HARDWARE REPLACEMENT COST This endorsement modifies insurance provided under the following: Beazley MediaTech In consideration of the premium charged for the Policy, it is hereby understood and agreed that: 1. 
The definition of Extra Expense is deleted in its entirety and replaced with the following: Extra Expense means reasonable and necessary expenses incurred by the Insured Organization during the Period of Restoration to minimize, reduce or avoid Income Loss, over and above those expenses the Insured Organization would have incurred had no Security Breach, System Failure, Dependent Security Breach or Dependent System Failure occurred; and includes reasonable and necessary expenses incurred by the Insured Organization to replace computers or any associated devices or equipment operated by, and either owned by or leased to, the Insured Organization that are unable to function as intended due to corruption or destruction of software or firmware directly resulting from a Security Breach, provided however that the maximum sublimit applicable to Extra Expense incurred to replace such devices or equipment is USD $100,000. 2. Part 2. of the Bodily Injury or Property Damage exclusion is deleted in its entirety and replaced with the following: 2. physical injury to or destruction of any tangible property, including the loss of use thereof; but this will not apply to the loss of use of computers or any associated devices or equipment operated by, and either owned by or leased to, the Insured Organization that are unable to function as intended due to corruption or destruction of software or firmware directly resulting from a Security Breach. Electronic data shall not be considered tangible property; All other terms and conditions of this Policy remain unchanged. Authorized Representative Effective date of this Endorsement: 19-Mar-2020 This Endorsement is attached to and forms a part of Policy Number: VG00003015AA Beazley Insurance Company, Inc. referred to in this endorsement as either the “Insurer” or the “Underwriters” E12290 022019 ed. 
CONTINGENT BODILY INJURY WITH SUBLIMIT ENDORSEMENT This endorsement modifies insurance provided under the following: Beazley MediaTech In consideration of the premium charged for the Policy, it is hereby understood and agreed that: 1. The Bodily Injury or Property Damage exclusion is deleted in its entirety and replaced with the following: Bodily Injury or Property Damage 1. Bodily Injury; provided, this exclusion shall not apply to any Claim for Contingent Bodily Injury; and 2. physical injury to or destruction of any tangible property, including the loss of use thereof; but electronic data will not be considered tangible property; 2. DEFINITIONS is amended by the addition of: Bodily Injury means physical injury, sickness, disease or death of any person, including any mental anguish or emotional distress that results from such physical injury, sickness, disease or death. Contingent Bodily Injury means those Claims wherein the Damages sought by the claimant are for Bodily Injury which arise solely out of a Security Breach affecting the Insured Organization’s Computer Systems which is otherwise covered under the terms and conditions of this Policy; but not if the Insured's own act, error or omission is the direct immediate cause of such Claim for Bodily Injury. Furthermore, this extension of coverage applies only if such Claim for Bodily Injury is not covered under any other policy of insurance. 3. The Underwriter’s aggregate limit of liability for all Damages resulting from all Claims covered under this Endorsement, made against any Insured(s) based upon, arising out of, directly or indirectly resulting from or in consequence of, or in any way involving any Contingent Bodily Injury shall be $250,000, which amount shall be part of and not in addition to the Policy Aggregate Limit of Liability. All other terms and conditions of this Policy remain unchanged. 
Authorized Representative Effective date of this Endorsement: 19-Mar-2020 This Endorsement is attached to and forms a part of Policy Number: VG00003015AA Beazley Insurance Company, Inc. referred to in this endorsement as either the “Insurer” or the “Underwriters” E12716 022019 ed. Post Breach Remedial Services Endorsement This endorsement modifies insurance provided under the following: Beazley MediaTech In consideration of the premium charged for the Policy, it is hereby understood and agreed that, following a covered Data Breach or Security Breach involving the actual Unauthorized Access or Use of the Insured Organization’s Computer Systems for which the Insured Organization has utilized services exclusively from Beazley Service Providers, the Insured Organization will be eligible to receive Post Breach Remedial Services. Post Breach Remedial Services means up to 100 hours per Policy Period of post-breach computer security consultation and remedial services to be provided by Lodestone Security (“Lodestone”). Such services will be provided at the Insured Organization’s request as per the description of services attached to this endorsement. Post Breach Remedial Services will be considered Breach Response Costs, and will be available in response to incidents in which forensic costs covered under parts 2. and 3. of the definition of Breach Response Costs have been incurred, subject to the applicable Retention. Post Breach Remedial Services will not include any costs to purchase or upgrade any hardware or software. To access the Post Breach Remedial Services, the Insured Organization must: 1. 
notify the Beazley Breach Response Services Team via email at: bbr.claims@beazley.com or via a toll-free 24-Hour Hotline: (866) 567-8570 following any actual or reasonably suspected Unauthorized Access or Use of the Insured Organization’s Computer Systems so that the Beazley Breach Response Services Team can work with the Insured Organization to coordinate the provision of services from Beazley Service Providers; 2. notify the Underwriters that they desire to receive such services; and 3. enter into an engagement agreement with Lodestone to receive such service, within sixty (60) days following a determination of the actual Unauthorized Access or Use of the Insured Organization’s Computer Systems, For purpose of this Endorsement, “Beazley Service Providers” means the Underwriters’ network of third party breach response service providers listed at www.beazley.com/cyberservices that are to be utilized exclusively in response to incidents in which forensic costs covered under parts 2. and 3. of the definition of Breach Response Costs have been/will be incurred, subject to the applicable Retention. All other terms and conditions of this Policy remain unchanged. Authorized Representative Effective date of this Endorsement: 19-Mar-2020 This Endorsement is attached to and forms a part of Policy Number: VG00003015AA Beazley Insurance Company, Inc. referred to in this endorsement as either the “Insurer” or the “Underwriters” E12864 042019 ed. CRISIS MANAGEMENT EXPENSE COVERAGE This endorsement modifies insurance provided under the following: Beazley MediaTech In consideration of the premium charged for the Policy, it is hereby understood and agreed that: 1. 
The Limits listed in the Declarations under COVERAGE SCHEDULE are amended to include: Crisis Management Expenses: $1,000,000 2. INSURING AGREEMENTS is amended to include the following: To indemnify the Named Insured for 100% of the costs of a public relations consultancy incurred by the Insured Organization with Underwriters’ prior written consent, for the purpose of averting or mitigating material damage to the Insured Organization’s reputation that results or reasonably will result from a Claim covered under by the Policy and publicized through any media channel (“Crisis Management Expenses”); provided, this coverage shall only apply when covered Damages other than (crisis management expenses) exceeds the applicable Retention. 3. The definition of Damages is amended to include Crisis Management Expenses. All other terms and conditions of this Policy remain unchanged. Authorized Representative Effective date of this Endorsement: 19-Mar-2020 This Endorsement is attached to and forms a part of Policy Number: VG00003015AA Beazley Insurance Company, Inc. referred to in this endorsement as either the “Insurer” or the “Underwriters” E12972 052019 ed. CRYPTOJACKING ENDORSEMENT This endorsement modifies insurance provided under the following: Beazley MediaTech In consideration of the premium charged for the Policy, it is hereby understood and agreed that: 1. The aggregate sublimit applicable to all loss under this endorsement is USD $100,000. 2. The Retention applicable to each incident, event, or related incidents or events, giving rise to an obligation to pay loss under this endorsement shall be USD $5,000. 3. INSURING AGREEMENTS is amended to include: Cryptojacking To indemnify the Insured Organization for any direct financial loss sustained resulting from Cryptojacking that the Insured first discovers during the Policy Period. 4. 
DEFINITIONS is amended to include: Cryptojacking means the Unauthorized Access or Use of Computer Systems to mine for Digital Currency that directly results in additional costs incurred by the Insured Organization for electricity, natural gas, oil, or internet (the “Utilities”); provided, however, that such additional costs for the Utilities are: 1. incurred pursuant to a written contract between the Insured Organization and the respective utility provider, which was executed before the Cryptojacking first occurred; 2. billed to the Insured Organization by statements issued by the respective utility provider, which include usage or consumption information; 3. not charged to the Insured Organization at a flat fee that does not scale with the rate or use of the respective utility; and 4. incurred pursuant to statements issued by the respective utility provider and due for payment during the Policy Period. All other terms and conditions of this Policy remain unchanged. Authorized Representative E13040 062019 ed. Effective date of this Endorsement: 19-Mar-2020 This Endorsement is attached to and forms a part of Policy Number: VG00003015AA Beazley Insurance Company, Inc. referred to in this endorsement as either the “Insurer” or the “Underwriters” REPUTATION LOSS This endorsement modifies insurance provided under the following: Beazley MediaTech In consideration of the premium charged for the Policy, it is hereby understood and agreed that: 1. Limit listed in the Declarations under COVERAGE SCHEDULE is amended to include: Reputation Loss: USD $1,000,000 2. 
Retention listed in the Declarations under COVERAGE SCHEDULE is amended to include: Each incident giving rise to Reputation Loss: USD $5,000 3. INSURING AGREEMENTS is amended by the addition of: Reputation Loss To indemnify the Insured Organization for Reputation Loss that the Insured Organization sustains solely as a result of an Adverse Media Event that occurs during the Policy Period, concerning: 1. a Data Breach, Security Breach, or Extortion Threat that the Insured first discovers during the Policy Period; or 2. if this policy is a Renewal, a Data Breach, Security Breach, or Extortion Threat that the Insured first discovers during the last 90 days of the prior policy period. 4. DEFINITIONS is amended to include: Adverse Media Event means: 1. publication by a third party via any medium, including but not limited to television, print, radio, electronic, or digital form of previously non-public information specifically concerning a Data Breach, Security Breach, or Extortion Threat; or 2. notification of individuals pursuant to part 4. of the Breach Response Costs definition. Multiple Adverse Media Events arising from the same or a series of related, repeated or continuing Data Breaches, Security Breaches, or Extortion Threats, shall be considered a single Adverse Media Event, and shall be deemed to occur at the time of the first such Adverse Media Event. Claims Preparation Costs means reasonable and necessary costs that the Named Insured incurs to contract with a third party to prepare a proof of loss demonstrating Reputational Loss. Protection Period means the period beginning on the date the Adverse Media Event occurs, and ends after the earlier of: 1. 180 days; or 2. the date that gross revenues are restored to the level they would have been but for the Adverse Media Event. 
Renewal means an insurance policy issued by the Underwriters to the Named Insured for the policy period immediately preceding this Policy Period that provides coverage for a Data Breach, Security Breach, or Extortion Threat otherwise covered under this Policy. Reputation Loss means: 1. the net profit or loss before interest and tax that the Insured Organization would have earned during the Protection Period but for an Adverse Media Event; and 2. continuing normal operating expenses incurred by the Insured Organization (including payroll), but only to the extent that such operating expenses must necessarily continue during the Protection Period. When calculating any Reputation Loss, due consideration will be given to any amounts made up during, or within a reasonable time after the end of, the Protection Period. Reputation Loss will not mean and no coverage will be available under this endorsement for any of the following: (i) loss arising out of any liability to any third party; (ii) legal costs or legal expenses of any type; (iii) loss incurred as a result of unfavorable business conditions; (iv) loss of market or any other consequential loss; (v) Breach Response Costs; or (vi) Cyber Extortion Loss; There will be no coverage available under this endorsement if there is an actual interruption of the Insured Organization’s business operations for any period of time. 5. 
Limits of Liability under LIMIT OF LIABILITY AND COVERAGE is amended to include: Reputational Loss and Claims Preparation Costs covered under this Policy arising from an Adverse Media Event concerning any Data Breach, Security Breach, or Extortion Threat (including a series of related, repeated or continuing Data Breaches, Security Breaches, or Extortion Threats) first discovered during the last 90 days of the prior policy period, will be considered to have been noticed to the Underwriters during the prior policy period and will be subject to the Policy Aggregate Limit of Liability of the prior policy period. Under such circumstances, if the Policy Aggregate Limit of Liability of the prior policy period is exhausted due to payments made under the prior policy, the Underwriter’s obligation to pay Reputational Loss or Claims Preparation Costs under this Policy shall be completely fulfilled and extinguished. 6. Notice of Claim or Loss under GENERAL CONDITIONS is amended to include: With respect to Reputation Loss, the Named Insured must notify the Underwriters through the contacts listed for Notice of Claim, Loss or Circumstance in the Declarations as soon as practicable after discovery of the circumstance, incident or event giving rise to such loss. All Reputation Loss must be reported, and all proofs of loss must be provided, to the Underwriters no later than four (4) months after the end of the Protection Period. 7. This Policy will cover up to USD 50,000 of Claims Preparation Costs in excess of the Retention stated in Section 2. of this endorsement. All other terms and conditions of this Policy remain unchanged. Authorized Representative E13373 092019 ed. 
STATE CONSUMER PRIVACY STATUTES ENDORSEMENT

This endorsement modifies insurance provided under the following:

In consideration of the premium charged for the Policy, it is hereby understood and agreed that:

1. The Policy is amended to include the following insuring agreement:

State Consumer Privacy Statutes

To pay Penalties and Claims Expenses which the Insured is legally obligated to pay because of any Regulatory Proceeding first made against any Insured during the Policy Period for a violation of the California Consumer Privacy Act or any similar state statutes or state regulations specifically governing the Insured Organization’s collection, use, disclosure, sale, processing, profiling, acquisition, sharing, maintenance, retention or storage of or provision of access to personal information or personal data as defined under the California Consumer Privacy Act or similar state statutes or state regulations.

2. The definition of Claim is amended to include institution of a Regulatory Proceeding against any Insured under the State Consumer Privacy Statutes insuring agreement for a violation of the California Consumer Privacy Act or any similar state statutes or state regulations specifically governing the Insured Organization’s collection, use, disclosure, sale, processing, profiling, acquisition, sharing, maintenance, retention or storage of or provision of access to personal information or personal data as defined under the California Consumer Privacy Act or similar state statutes or state regulations.

3. The Governmental Actions exclusion will not apply to the State Consumer Privacy Statutes insuring agreement.

4. Solely with respect to the State Consumer Privacy Statutes insuring agreement, the Deceptive Business Practices, Antitrust & Consumer Protection exclusion is deleted in its entirety and replaced with the following:

Deceptive Business Practices and Consumer Protection

any actual or alleged false, deceptive or unfair trade practices, unfair competition, or violation of consumer protection law; but this exclusion will not apply to coverage under the State Consumer Privacy Statutes insuring agreement, provided no member of the Control Group participated in or colluded in the activities or incidents giving rise to coverage under such insuring agreement;

Antitrust

any actual or alleged antitrust violation, restraint of trade, false, deceptive or misleading advertising, violation of the Sherman Antitrust Act, the Clayton Act, or the Robinson-Patman Act, or inaccurate cost estimates or failure of goods or services to conform with any represented quality or performance;

Effective date of this Endorsement: 19-Mar-2020
This Endorsement is attached to and forms a part of Policy Number: VG00003015AA
Beazley Insurance Company, Inc. referred to in this endorsement as either the “Insurer” or the “Underwriters”
Beazley MediaTech

All other terms and conditions of this Policy remain unchanged.

Authorized Representative