Cyber Policy Tour

This policy tour provides commentary on CyberEdge coverage, including new additions and changes. It highlights key sections such as Security and Privacy Liability Coverage, which covers data protection investigations, cyber liability for breaches of confidential information, and security failures. It also defines important related terms like breach of confidential information, claim, company computer system, damages, and insured.
POLICY TOUR

CyberEdge Coverage
This policy tour provides a “click through” commentary of the CyberEdge
wording including brand new additions, changes to existing features and
general information on specific points. Please refer to the full policy wording
and schedule for full details of cover, definitions, terms and conditions.

CyberEdge Coverage Policy Tour

HOW TO USE THE POLICY TOUR:

Click on the icons to explore: Information, New

Use the “NEXT” buttons to navigate directly to the next comment in the category

Select section to start:

SECURITY AND PRIVACY LIABILITY COVERAGE
NETWORK INTERRUPTION COVERAGE
EVENT MANAGEMENT COVERAGE
CYBER EXTORTION COVERAGE

Security and Privacy Liability Coverage

1. Insurance Covers

1.1. Data Protection Investigation and Data Protection Fines
The Insurer will pay, to or on behalf of each Company, Loss resulting from a Regulatory Investigation first occurring during the Policy Period.

1.2. Cyber Liability
The Insurer will pay, to or on behalf of each Insured, Loss resulting from a Claim first made during the Policy Period for any:
(i) actual or alleged Breach of Confidential Information by an Insured or an Information Holder;
(ii) actual or alleged Security Failure; or
(iii) actual or alleged failure by a Company to notify a Data Subject or any Regulator of an unauthorised disclosure or transmission of Personal Information for which the Company is responsible in accordance with the requirements of any Data Protection Legislation,
which occurred or occurs prior to or during the Policy Period.

2. Definitions

The following definitions are specific to this Security and Privacy Liability Coverage Section. All other definitions set out within Section 10 (Definitions) of the General Terms and Conditions shall apply as stated.

Breach of Confidential Information
The unauthorised disclosure or transmission of Confidential Information.

Claim
(i) A written demand against an Insured;
(ii) civil, administrative or arbitral proceedings brought against an Insured; or
(iii) a PCI-DSS Assessment,
seeking any legal remedy.

Company Computer System
(i) Any computer hardware, software or any components thereof that are linked together through a network of two or more devices accessible through the internet or an intranet or that are connected through data storage or other peripheral devices which are owned, operated, controlled or leased by a Company;


(ii) any of the foregoing computer hardware, software or components thereof which is part of an industrial control system, including a supervisory control and data acquisition (SCADA) system;
(iii) any employee “Bring Your Own Device” but only to the extent such device is used to access any of the foregoing computer hardware, software or components thereof or Data contained therein; or
(iv) any cloud service or other hosted computer resources, used by a Company and operated by a Third Party service provider under a written contract between such Third Party service provider and a Company.

Confidential Information
Corporate Information and Personal Information in a Company’s or Information Holder’s care, custody or control or for which a Company is legally responsible.

Corporate Information
A Third Party’s items of information that are not available to the public (including trade secrets, data, designs, forecasts, formulas, practices, processes, records, reports and documents) which are subject to contractual or legal protection.

Cyber Terrorism
The premeditated use of disruptive activities against a Company Computer System or network, or the explicit threat to use such activities, by an individual or group of individuals, whether acting alone or on behalf of or in connection with any entity or government, in each case with the intention to cause harm, further social, ideological, religious, political or similar objectives, or to intimidate any person(s) in furtherance of such objectives.

Cyber Terrorism does not include any such activities which are part of or in support of any use of military force or war.

Damages
Damages that an Insured is legally liable to pay resulting from a Claim as ascertained by:
(i) judgments or arbitral awards rendered against that Insured; or
(ii) a settlement agreement negotiated by that Insured and which is approved by the Insurer.

Damages includes punitive or exemplary or multiple damages where lawfully insurable and any monetary amounts that an Insured is required by law or has agreed by settlement to deposit into a consumer redress fund.


Data Protection Fines
Any lawfully insurable fines or penalties which are adjudicated by a Regulator to be payable by a Company for a breach of Data Protection Legislation.

Data Protection Fines does not include any other type of civil or criminal fines and penalties.

Data Protection Legislation
The Data Protection Act 1998, the Data Protection Act 2018 and the General Data Protection Regulation (Regulation (EU) 2016/679) and any subsequent legislation that alters, repeals or replaces such legislation and all other equivalent laws and regulations relating to the regulation and enforcement of data protection and data privacy in any country.

Data Subject
Any natural person whose Personal Information has been either collected, stored or processed by or on behalf of a Company.

Defence Costs
Reasonable and necessary legal fees, costs and expenses which an Insured incurs with the prior written consent of the Insurer in relation to the investigation, response, defence, appeal or settlement of a Claim or Regulatory Investigation, including court attendance costs incurred by or on behalf of that Insured.

Defence Costs does not include the remuneration of any Insured, cost of their time or any other costs or overheads of any Insured.

Information Holder
A Third Party that:
(i) a Company has provided Personal Information or Corporate Information to; or
(ii) has received Personal Information or Corporate Information on behalf of a Company.

Insured
(i) A Company;
(ii) a natural person who was, is or during the Policy Period becomes a principal, partner, director, officer or Employee of a Company;
(iii) a natural person who is an independent contractor, temporary contract labourer, self–employed person, or labour–only sub–contractor, under the direction and direct supervision of a Company but only in relation to the services provided to that Company.

Insured includes the estate, heirs or legal representatives of a deceased, legally incompetent or bankrupt Insured referred to in (ii) above to the extent that a Claim is brought against them solely by reason of them having an interest in property that is sought to be recovered in a Claim against such Insured referred to in (ii) above.


Insured Event
A Claim or a Regulatory Investigation.

Loss
(i) For the purposes of Insurance Cover 1.1, Defence Costs and Data Protection Fines;
(ii) for the purposes of Insurance Cover 1.2, Damages, Defence Costs and any amounts payable in connection with a PCI-DSS Assessment.

Loss does not include:
(a) non–compensatory or multiple damages (except to the extent covered as Damages or as part of a PCI-DSS Assessment) or liquidated damages;
(b) fines or penalties (except Data Protection Fines to the extent covered in 1.1. (Data Protection Investigation and Data Protection Fines));
(c) the costs and expenses of complying with any order for, grant of or agreement to provide injunctive or other non–monetary relief; or
(d) an Insured’s remuneration, cost of time or overheads.

PCI–DSS Assessment
Any written demand received by a Company from a Payment Card Association (e.g., MasterCard, Visa, American Express) or bank or servicer processing payment card transactions (e.g., an “Acquiring Bank” or “Payment Processor”) for a monetary amount (including fraud recovery, operational reimbursement, reimbursement of card reissuance costs and contractual fines and penalties) where:
(i) a Company has contractually agreed to indemnify such Payment Card Association, bank or servicer processing payment card transactions for any monetary assessment made in connection with a Company’s obligations under generally accepted and published Payment Card Industry Standards for data security, including such contractual obligations contained in a merchant services agreement or similar agreement; and
(ii) such monetary assessment arises out of a Breach of Confidential Information.

Personal Information
Any information relating to an identified or identifiable natural person.

Personal Information includes a natural person’s name, online identifier, telephone number, credit card or debit card number, account and other banking information, medical information, or any other information about a natural person protected under any Data Protection Legislation.


Regulator
A regulator established pursuant to Data Protection Legislation in any jurisdiction and which is authorised to enforce statutory obligations in relation to the collecting, storing, processing or control of Confidential Information.

Regulator includes any other government agency or authorised data protection authority who makes a demand on the Insured in relation to Data Protection Legislation.

Regulatory Investigation
Any formal or official action, investigation, inquiry or audit by a Regulator against a Company once it is identified in writing by a Regulator, which arises out of the use or suspected misuse of Personal Information or any aspects of the control, collection, storing or processing of Personal Information or delegation of data processing to an Information Holder, which is regulated by Data Protection Legislation.

Regulatory Investigation does not include any industry-wide, non-firm specific, action, investigation, inquiry or audit.

Security Failure
(i) Any intrusion of, unauthorised access (including an unauthorised person using authorised credentials) to, or unauthorised use of (including by a person with authorised access) a Company Computer System, including that which results in or fails to mitigate any:
    (a) denial of service attack or denial of access; or
    (b) receipt or transmission of a malicious code, malicious software or virus;
(ii) the loss of Data arising from the physical theft or loss of hardware controlled by a Company; or
(iii) the unauthorised reprogramming or corruption of software (including firmware) which renders a Company Computer System or any component thereof non-functional or useless for its intended purpose.

3. Exclusions

The following Exclusions are specific to this Security and Privacy Liability Coverage Section. They apply in addition to the Exclusions in Section 11 (Exclusions) of the General Terms and Conditions.

The Insurer shall not be liable for Loss arising out of, based upon or attributable to:

3.1. Anti–Trust
Any actual or alleged antitrust violation, restraint of trade, unfair competition or unfair or deceptive business practices, including violation of any consumer protection law.

This Exclusion 3.1 shall not apply to a Regulatory Investigation alleging such unfair competition directly in connection with a Security Failure or Breach of Confidential Information.


3.2. Assumed Liability, Guarantee, Warranty
Any guarantee, warranty, contractual term or liability assumed or accepted by an Insured under any contract or agreement except to the extent such liability would have attached to the Insured in the absence of such contract or agreement.

This Exclusion 3.2 shall not apply to:
(i) a contractual obligation to prevent a Security Failure or Breach of Confidential Information;
(i) an obligation under a confidentiality or disclosure agreement held within contracts with a Third Party to prevent a Breach of Confidential Information; or
(ii) the obligation to comply with Payment Card Industry Data Security Standards.

3.3. Bodily Injury and Property Damage
Any:
(i) physical injury, mental illness, sickness, disease or death: however, this Exclusion 3.3 (i) shall not apply in respect of emotional distress or mental anguish arising solely out of a Breach of Confidential Information; or
(ii) loss, damage or destruction of tangible property.

3.4. Employment Practices Liability
Any of a Company’s employment practices (including wrongful dismissal, discharge or termination, discrimination, harassment, retaliation or other employment–related claim).

This Exclusion 3.4 shall not apply to any Claim by an individual to the extent such individual is alleging:
(i) a Breach of Confidential Information in connection with such individual’s employment or application for employment with a Company; or
(i) a failure to disclose a Security Failure or Breach of Confidential Information.

3.5. Government Entity or Public Authority
Any seizure, confiscation or nationalisation of a Company Computer System by order of any government entity or public authority.

3.6. Infrastructure
Any electrical or mechanical failure of infrastructure not under the control of a Company, including any electrical power interruption, surge, brownout or blackout, failure of telephone lines, data transmission lines, or other telecommunications or networking infrastructure.


This Exclusion 3.6 shall not apply to Loss arising out of, based upon or attributable solely to a Security Failure or Breach of Confidential Information that is caused by such electrical or mechanical failure of infrastructure.

3.7. Insured v Insured
Any Claim brought by or on behalf of an Insured against another Insured.

This Exclusion 3.7 shall not apply to an actual or alleged breach of Personal Information of any Employee, director, principal, partner or officer.

3.8. Patent/Trade Secret
Any:
(i) infringement of patents;
(ii) loss of rights to secure registration of patents; or
(iii) misappropriation of trade secrets by or for the benefit of a Company.

3.9. PCI-DSS Assessment
Any PCI-DSS Assessment, unless the specific Insured which is the subject of the PCI-DSS Assessment was validated as compliant with the generally accepted and published Payment Card Industry Standards for data security prior to and at the time of any Breach of Confidential Information which gives rise to such PCI-DSS Assessment occurring.

3.10. Securities Claims
Any:
(i) actual or alleged violation by an Insured of any law, regulation or rule relating to the ownership, purchase, sale or offer of, or solicitation of an offer to purchase or sell, securities; or
(ii) any actual or alleged violation by an Insured of any provision of the Securities Act of 1933, the Securities Exchange Act of 1934 (each a United States of America statute) or any similar law of any jurisdiction.

This Exclusion 3.10 shall not apply to any Damages or Defence Costs incurred in relation to a Claim solely alleging a failure to notify a Regulator of a Breach of Confidential Information where such failure to notify is in violation of any law.

3.11. War and Terrorism
Any war (whether war is declared or not), terrorism (except Cyber Terrorism), invasion, use of military force, civil war, popular or military rising, rebellion or revolution, or any action taken to hinder or defend against any of these events.


Network Interruption Coverage

1. Insurance Covers

1.1. Network Interruption Loss
The Insurer will, with regard to an Insured Event which first occurs during the Policy Period, pay to each Company:
(i) Network Loss which results from the Insured Event and which the Company incurs during the Insured Event (but, if the Insured Event lasts longer than 120 days, only during the first 120 days); and
(ii) Network Loss which results from the Insured Event and which the Company incurs during the 90 days following resolution of the Insured Event.

1.2. Interruption and Mitigation Costs
The Insurer will pay, to or on behalf of each Company, Network Interruption Costs incurred in mitigating the impact of an Insured Event which first occurs during the Policy Period.

1.3. Loss Preparation Costs
If Loss Preparation Costs Cover is Purchased, the Insurer will pay, to or on behalf of each Company, Loss Preparation Costs incurred as a result of an Insured Event which first occurs during the Policy Period.

2. Definitions

The following definitions are specific to this Network Interruption Coverage Section. All other definitions set out within Section 10 (Definitions) of the General Terms and Conditions shall apply as stated.

Company Computer System
(i) Any computer hardware, software or any other components thereof that are linked together through a network of two or more devices accessible through the internet or an intranet or that are connected through data storage or other peripheral devices which are owned, operated, controlled or leased by a Company; or
(ii) any of the foregoing computer hardware, software or components thereof which is part of an industrial control system, including a supervisory control and data acquisition (SCADA) system.

Cyber Terrorism
The premeditated use of disruptive activities against a Company Computer System or network, or the explicit threat to use such activities, by an individual or group of individuals, whether acting alone or on behalf of or in connection with any entity or government, in each case with the intention to cause harm, further social, ideological, religious, political or similar objectives, or to intimidate any person(s) in furtherance of such objectives.


Cyber Terrorism does not include any such activities which are part of or in support of any use of military force or war.

Increased Costs of Working
Expenses (including overtime of Employees) incurred over and above normal operating expenses in order to ensure continuation of the normal business operations of a Company and to reduce its loss of business income.

Insured
A Company.

Insured Event
(i) If Security Failure Cover is Purchased, a Material Interruption to a Company Computer System that is caused by a Security Failure;
(ii) if System Failure Cover is Purchased, a Material Interruption to a Company Computer System that is caused by a System Failure;
(iii) if Voluntary Shutdown Cover is Purchased, a Material Interruption to a Company Computer System that is caused by a Voluntary Shutdown;
(iv) if OSP Security Failure Cover is Purchased, a Material Interruption to an OSP Computer System that is caused by an OSP Security Failure; and
(v) if OSP System Failure Cover is Purchased, a Material Interruption to an OSP Computer System that is caused by an OSP System Failure,
and in each case, only where the duration of the Material Interruption exceeds the applicable Waiting Hours Period specified in the schedule.

Loss
(i) For the purposes of Insurance Cover 1.1, Network Loss;
(ii) for the purposes of Insurance Cover 1.2, Network Interruption Costs;
(iii) for the purposes of Insurance Cover 1.3, Loss Preparation Costs.

Loss Preparation Costs
Reasonable and necessary professional fees and expenses incurred by a Company with the Insurer’s consent, for the services of a third-party forensic accounting firm to establish, prove, verify or quantify Network Loss or Network Interruption Costs or prepare the proof of loss referred to in Condition 4.1 of this Network Interruption Coverage Section.

Loss Preparation Costs does not include any fees or expenses for consultation on coverage or negotiation of claims.


Material Interruption
(i) The suspension or degradation of a Company Computer System (for the purposes of Insured Event (i) – (iii)) or an OSP Computer System (for the purposes of Insured Event (iv) or (v)) causing the Company to be unable to continue the normal business operations of the Company; or
(ii) the deletion, damage, corruption, alteration or loss of or to Data on a Company Computer System (for the purposes of Insured Event (i) – (iii)) or an OSP Computer System (for the purposes of Insured Event (iv) or (v)) causing the Company to be unable to access that Data and unable to continue the normal business operations of the Company.

Network Interruption Costs
The reasonable and necessary costs and expenses that a Company incurs to minimise the Network Loss, or reduce the impact of a Material Interruption; provided however that the amount of Network Loss prevented or reduced would be greater than the costs and expenses incurred.

Network Loss
(i) A Company’s actual loss sustained resulting from the reduction in business income calculated by taking either Network Loss Option 1 or Network Loss Option 2; and
(ii) the Company’s Increased Costs of Working (but only up to an amount equal to the reduction in business income that would have been incurred had the Company been unable to continue its normal operating procedure).

Network Loss Option 1 (Net Profit and Continuing Fixed Costs Calculation) is calculated as follows:

Take the net profit or loss which would have been earned or incurred had the Material Interruption not occurred and add the costs (including ordinary payroll) which necessarily continue during the Material Interruption.

Network Loss Option 2 (Gross Profits Calculation) is calculated as follows:

Take the revenue which would have been derived from the operation of the business had the Material Interruption not occurred and subtract the variable costs, and any other costs, which do not necessarily continue during the Material Interruption.


OSP Computer System
Any computer hardware, software or any components thereof that are linked together through a network of two or more devices accessible through the internet or an intranet or that are connected through data storage or other peripheral devices which are owned, operated, controlled or leased by an Outsource Service Provider.

OSP Security Failure
Any intrusion of, unauthorised access (including any unauthorised person using authorised credentials) to, or unauthorised use of (including by a person with authorised access) an OSP Computer System, including that which results in or fails to mitigate any:
(i) denial of service attack or denial of access; or
(ii) receipt or transmission of a malicious code, malicious software or virus.

OSP System Failure
Any unintentional and unplanned outage of an OSP Computer System such that the Outsource Service Provider is unable to provide to a Company the services described in a contract between a Company and an Outsource Service Provider pursuant to which an Outsource Service Provider provides services to a Company for a fee.

Outsource Service Provider
A Third Party that a Company has appointed to provide specified information technology services (such as the processing, hosting and storage of Data) based on an express contractual agreement, but only to the extent of the provision of such services.

Outsource Service Provider does not include:
(i) a public utility (including a provider of electricity, gas, water or telecommunication services);
(ii) an internet service provider (including any provider of internet connectivity); or,
(iii) a securities exchange or market.

Security Failure
(i) Any intrusion of, unauthorised access (including an unauthorised person using authorised credentials) to, or unauthorised use of (including by a person with authorised access) a Company Computer System, including that which results in or fails to mitigate any:
    (a) denial of service attack or denial of access; or,
    (b) receipt or transmission of a malicious code, malicious software or virus; or
(ii) the unauthorised reprogramming or corruption of software (including firmware) which renders a Company Computer System or any component thereof non-functional or useless for its intended purpose.


System Failure
Any unintentional and unplanned outage of a Company Computer System.

Voluntary Shutdown
A voluntary and intentional shutdown or impairment of a Company Computer System by or at the direction of:
(i) the Chief Information Officer or Chief Information Security Officer of a Company (or the equivalent position regardless of title) who has at least 5 years’ experience in an Information Security or Technology role; or
(ii) an information technology services firm appointed by a Company that has been approved in advance of such appointment by the Insurer,
after the discovery of a Security Failure, with the reasonable belief that such shutdown or impairment would limit the Loss that would otherwise be incurred as a result of that Security Failure.

3. Exclusions

The following Exclusions are specific to this Network Interruption Coverage Section. They apply in addition to the Exclusions in Section 11 (Exclusions) of the General Terms and Conditions.

The Insurer shall not be liable for Loss:

3.1. Betterment
Consisting of the costs of:
(i) updating, upgrading, enhancing or replacing any component of a Company Computer System or an OSP Computer System to a level beyond that which existed prior to the occurrence of a Material Interruption: however, this exclusion shall not apply to the extent that the replacement of a component of a Company Computer System is:
    (a) required to end the Material Interruption; and
    (b) no longer available and can only be reasonably replaced with an upgraded or enhanced version; or
(ii) removing software program errors or vulnerabilities.


3.2. Bodily Injury and Property Damage
Arising out of, based upon or attributable to any:
(i) physical injury, mental illness, sickness, disease or death; or
(ii) loss, damage or destruction of tangible property.

3.3. Business Conditions
Consisting of loss of earnings, or costs or expenses, attributable to unfavourable business conditions.

3.4. Government Entity or Public Authority
Arising out of, based upon or attributable to any seizure, confiscation or nationalisation of a Company Computer System by order of any government entity or public authority.

3.5. Infrastructure
Arising out of, based upon or attributable to any electrical or mechanical failure of infrastructure not under the control of a Company (or, where OSP Security Failure Cover or OSP System Failure Cover is Purchased, an Outsource Service Provider), including any electrical power interruption, surge, brownout or blackout, failure of telephone lines, data transmission lines, or other telecommunications or networking infrastructure.

3.6. Liability
Arising out of, based upon or attributable to any:
(i) written demand, civil, administrative or arbitral proceedings, made by any Third Parties seeking any legal remedy; or
(ii) penalties paid to Third Parties.

3.7. Patent
Arising out of, based upon or attributable to any infringement of patents.

3.8. Trading Losses
Consisting of trading losses, liabilities or changes in trading account value.

3.9. War and Terrorism
Arising out of, based upon or attributable to any war (whether war is declared or not), terrorism (except Cyber Terrorism), invasion, use of military force, civil war, popular or military rising, rebellion or revolution, or any action taken to hinder or defend against any of these events.


4. Conditions

The following conditions are specific to this Network Interruption Coverage Section and shall apply in addition to the conditions set out within the General Terms and Conditions.

4.1. Proof of Loss
In addition to the requirements to give notice to the Insurer under Section 8.1 (Notice and Reporting) of the General Terms and Conditions, and before coverage under this Network Interruption Coverage Section shall apply, a Company must also:
(i) complete and sign a written, detailed and affirmed proof of loss after the resolution of the Material Interruption, which will include:
    (a) a full description of the Network Interruption Costs or Network Loss and the circumstances of such Network Interruption Costs or Network Loss;
    (b) a detailed calculation of any Network Loss;
    (c) all underlying documents and materials that reasonably relate to or form a part of the basis of the proof of the Network Interruption Costs or Network Loss; and
(ii) upon the Insurer’s request promptly respond to requests for information.

All adjusted claims are due and payable 45 days after:
(a) the presentation of the satisfactory written proof of Network Loss and Network Interruption Costs as provided for in (i) and (ii) above; and
(b) the subsequent written acceptance thereof by the Insurer.

Network Loss shall be reduced by any amounts recovered by a Company (including the value of any service credits provided to a Company) from any party (including any Outsource Service Provider).

The costs and expenses of establishing or proving Network Loss and/or Network Interruption Costs under this Network Interruption Coverage Section, including those associated with preparing the proof of loss, shall be the obligation of the Company and are not covered under this policy except as covered under 1.3 (Loss Preparation Costs) of this Network Interruption Coverage Section.


4.2. Appraisal
If a Company and the Insurer disagree on the extent of
Network Loss or Network Interruption Costs, either may
make a written demand for an appraisal of such Network
Loss or Network Interruption Costs. If such demand is made,
each party will select a competent and impartial appraiser.
The appraisers will then jointly select an expert who has not
less than 10 years’ standing and who is a partner in a major
international accounting firm, experienced in assessing loss
of this nature. Each appraiser will separately state the extent
of Network Loss or Network Interruption Costs. If they fail to
agree, they will submit their differences to the expert. Any
decision by the expert will be final and binding.

The Company and the Insurer will:


(i) pay their own costs, including the costs of their
respective chosen appraiser, and
(ii) bear the expenses of the expert equally.


Event Management Coverage

1. Insurance Covers

1.1. Event Management
The Insurer will pay to or on behalf of each Company:
(i) Legal Expenses;
(ii) IT Expenses;
(iii) Data Recovery Expenses;
(iv) Reputation Protection Expenses;
(v) Notification Expenses;
(vi) Credit Monitoring and ID Monitoring Expenses; and
(vii) (if First Response Cover is Purchased) First Response Expenses,
incurred solely as a result of an Insured Event which has occurred, or the Company reasonably believes has occurred, before or during the Policy Period and which, during the Policy Period, the Company first becomes aware of such Insured Event.

First Response Expenses will only be paid by the Insurer to the extent that they are incurred during the period of hours stated for the First Response Cover in the schedule, which shall commence when the Responsible Officer of the Policyholder first notifies the First Response Advisor of the Insured Event by contacting the Emergency Number specified in the schedule.

No Retention shall apply to First Response Expenses.

2. Definitions

The following definitions are specific to this Event Management Coverage Section. All other definitions set out within Section 10 (Definitions) of the General Terms and Conditions shall apply as stated.

Breach of Confidential Information
The unauthorised disclosure or transmission of Confidential Information.

Company Computer System
(i) Any computer hardware, software or any components thereof that are linked together through a network of two or more devices accessible through the internet or an intranet or that are connected through data storage or other peripheral devices which are owned, operated, controlled or leased by a Company;
(ii) any of the foregoing computer hardware, software or components thereof which is part of an industrial control system, including a supervisory control and data acquisition (SCADA) system; or


(iii) any employee “Bring Your Own Device” but only to the extent such device is used to access any of the foregoing computer hardware, software or components thereof or Data contained therein.

Confidential Information
Corporate Information and Personal Information in a Company’s or Information Holder’s care, custody or control or for which a Company is legally responsible.

Corporate Information
A Third Party’s items of information that are not available to the public (including trade secrets, data, designs, forecasts, formulas, practices, processes, records, reports and documents) which are subject to contractual or legal protection.

Credit Monitoring and ID Monitoring Expenses
The reasonable and necessary fees, costs and expenses incurred by a Company, with the Insurer’s prior written consent, for Credit Monitoring and ID Monitoring Services provided to those Data Subjects whose Confidential Information is reasonably believed to have been disclosed or transmitted.

Credit Monitoring and ID Monitoring Services
Credit or identity theft monitoring services to identify possible misuse of any Personal Information as a result of an actual or suspected Breach of Confidential Information.

Cyber Terrorism
The premeditated use of disruptive activities against a Company Computer System or network, or the explicit threat to use such activities, by an individual or group of individuals, whether acting alone or on behalf of or in connection with any entity or government, in each case with the intention to cause harm, further social, ideological, religious, political or similar objectives, or to intimidate any person(s) in furtherance of such objectives.

Cyber Terrorism does not include any such activities which are part of or in support of any use of military force or war.

Data Recovery Expenses
The reasonable and necessary fees, costs and expenses incurred by a Company on actions taken to:
(i) identify lost, damaged, destroyed or corrupted Data;
(ii) determine whether any lost, damaged, destroyed or corrupted Data can be restored, repaired, recollected or recreated; and
(iii) restore, recreate, repair or recollect lost, damaged, destroyed or corrupted Data to substantially the form in which it existed immediately prior to the Insured Event, including where necessary the cost to restore Data from backups or the recreation of Data from physical records.


Data Subject
Any natural person whose Personal Information has been either collected, stored or processed by or on behalf of a Company.

First Response Advisor
The law firm specified in the schedule, or other law firms instructed by such specified law firm, or any replacement firm nominated by the Insurer in the event of a conflict of interest, with respect to whom a Company shall enter into a Relevant Engagement.

First Response Expenses
The reasonable and necessary fees, costs and expenses of:
(i) the First Response Advisor providing First Response Legal Services;
(ii) the First Response IT Specialist providing IT Services; and
(iii) the Public Relations Advisor, if its appointment is considered necessary by the First Response Advisor or the Insurer, providing Reputation Protection Services.

First Response IT Specialists
The firm specified in the schedule, or any replacement firm appointed by the Insurer in the event of a conflict of interest.

First Response Legal Services
(i) legal advice and support provided pursuant to a Relevant Engagement;
(ii) coordinating the First Response IT Specialist, and, if considered necessary by the First Response Advisor or Insurer, the Public Relations Advisor; and
(iii) preparation and notification to any relevant Regulator.

Information Holder
A Third Party that:
(i) a Company has provided Personal Information or Corporate Information to; or
(ii) has received Personal Information or Corporate Information on behalf of a Company.

Insured
A Company.

Insured Event
(i) A Breach of Confidential Information;
(i) a Security Failure; or
(ii) in respect of Data Recovery Expenses only, an Operational Failure.


IT Expenses
The reasonable and necessary fees, costs and expenses of an IT Specialist providing IT Services.

IT Services
The services of:
(i) substantiating whether an Insured Event has occurred, how it occurred and whether it is still occurring;
(i) identifying any compromised Data resulting from an Insured Event;
(ii) establishing the extent to which Confidential Information may have been compromised; or
(iii) containing and resolving an Insured Event and making recommendations to prevent or mitigate a future occurrence of the same or similar event.

IT Specialist
An information technology services firm appointed by a Company that has been approved in advance of such appointment by the Insurer.

Legal Expenses
The reasonable and necessary fees, costs and expenses of a Response Advisor providing the Legal Services.

Legal Services
The services of:
(i) co-ordinating the IT Specialist or Public Relations Advisor;
(ii) advising, notifying and corresponding on any notification requirements with any relevant Regulator; or
(iii) monitoring complaints raised by Data Subjects and advising a Company on responses to an Insured Event for the purposes of minimising harm to the Company, including actions taken to maintain and restore public confidence in the Company,

in dealing with any actual or suspected Breach of Confidential Information or Security Failure.

Loss
Legal Expenses, IT Expenses, Data Recovery Expenses, Reputation Protection Expenses, Notification Expenses, Credit Monitoring and ID Monitoring Expenses and First Response Expenses.


Notification
(i) Setting up and operating call centres;
(ii) preparing and notifying;
(a) those Data Subjects whose Confidential Information is reasonably believed to have been disclosed or transmitted; or
(b) any relevant Regulator; or
(iii) investigating and collating information,

with regard to any actual or suspected Breach of Confidential Information.

Notification Expenses
The reasonable and necessary fees, costs and expenses incurred by a Company on Notification.

Operational Failure
The loss or damage to Data caused by:
(i) a negligent or unintentional act or failure to act by:
(a) an Insured;
(b) an employee of an Insured; or
(c) a third party service provider to an Insured;
(ii) the loss or theft of electronic equipment; or
(iii) a magnetic event other than:
(a) the use of electromagnetic or directed-energy weapons; or
(b) the natural deterioration of the storage media or data.

Personal Information
Any information relating to an identified or identifiable natural person.

Personal Information includes a natural person’s name, online identifier, telephone number, credit card or debit card number, account and other banking information, medical information, or any other information about a natural person protected under any Data Protection Regulation.

Public Relations Advisor
A consultant appointed by the Insurer or the Response Advisor, or any other consultant appointed by a Company that has been approved by the Insurer in advance of such appointment, to provide Reputation Protection Services.

Regulator
A regulator established pursuant to Data Protection Legislation in any jurisdiction and which is authorised to enforce statutory obligations in relation to the collecting, storing, processing or control of Confidential Information.


Regulator includes any other government agency or authorised data protection authority who makes a demand on a Company in relation to Data Protection Legislation.

Relevant Engagement
A written agreement between the First Response Advisor and a Company governing the provision of the First Response Legal Services to the Company.

Reputation Protection Expenses
The reasonable and necessary fees, costs and expenses of a Public Relations Advisor providing Reputation Protection Services.

Reputation Protection Services
Advice and support (including advice concerning media strategy and independent public relations services, and the design and management of a communications strategy) in order to mitigate or prevent the potential adverse effect, or reputational damage, from media reporting of an Insured Event.

Response Advisor
Any law firm appointed by the Insurer, or any other law firm appointed by a Company that has been approved in advance of such appointment by the Insurer.

Security Failure
(i) Any intrusion of, unauthorised access (including an unauthorised person using authorised credentials) to, or unauthorised use of (including by a person with authorised access) a Company Computer System, including that which results in or fails to mitigate any:
(a) denial of service attack or denial of access; or
(b) receipt or transmission of a malicious code, malicious software or virus;
(ii) The loss of Data arising from the physical theft or loss of hardware controlled by a Company; or
(iii) the unauthorised reprogramming or corruption of software (including firmware) which renders a Company Computer System or any component thereof non-functional or useless for its intended purpose.

3. Exclusions

The following Exclusions are specific to this Event Management Coverage Section. They apply in addition to the Exclusions in Section 11 (Exclusions) of the General Terms and Conditions.

The Insurer shall not be liable for any Loss:


3.1. Betterment
Consisting of the costs of:
(i) updating, upgrading, enhancing or replacing a Company Computer System to a level beyond that which existed prior to the occurrence of an Insured Event; and
(ii) removing software program errors or vulnerabilities.

3.2. Bodily Injury and Property Damage
Arising out of, based upon or attributable to any:
(i) physical injury, mental illness, sickness, disease or death; or
(ii) loss, damage or destruction of tangible property.

3.3. Government Entity or Public Authority
Arising out of, based upon or attributable to any seizure, confiscation or nationalisation of a Company Computer System by order of any government entity or public authority.

3.4. Infrastructure
Arising out of, based upon or attributable to any electrical or mechanical failure of infrastructure not under the control of a Company, including any electrical power interruption, surge, brownout or blackout, failure of telephone lines, data transmission lines, or other telecommunications or networking infrastructure.

This Exclusion 3.4 shall not apply to Loss arising out of, based upon or attributable solely to a Security Failure or Breach of Confidential Information that is caused by such electrical or mechanical failure of infrastructure.

3.5. Internal/Staff Costs
Consisting of the costs of payroll, fees, benefits, overheads or internal charges of any kind incurred by a Company.

3.6. Patent/Trade Secret
Arising out of, based upon or attributable to any:
(i) infringement of patents;
(ii) loss of rights to secure registration of patents; or
(iii) misappropriation of trade secrets by or for the benefit of a Company.

3.7. War and Terrorism
Arising out of, based upon or attributable to any war (whether war is declared or not), terrorism (except Cyber Terrorism), invasion, use of military force, civil war, popular or military rising, rebellion or revolution, or any action taken to hinder or defend against any of these events.


4. Conditions

The following conditions are specific to this Event Management Coverage Section and shall apply in addition to the conditions set out within the General Terms and Conditions.

4.1. First Response Notification

The cover provided for First Response Expenses is granted solely with respect to a Breach of Confidential Information or Security Failure first discovered during the Policy Period and a Company shall, as a condition precedent to the obligations of the Insurer in respect of such First Response Expenses, notify the Insurer by contacting the Emergency Number specified in the schedule as soon as reasonably practicable after the Breach of Confidential Information or Security Failure first occurs.


Cyber Extortion Coverage

1. Insurance Covers

1.1 Cyber Extortion

The Insurer will pay, to or on behalf of each Company, Loss that the Company incurs solely as a result of an Extortion Threat which first occurs during the Policy Period.

2. Definitions

The following definitions are specific to this Cyber Extortion Coverage Section. All other definitions set out within Section 10 (Definitions) of the General Terms and Conditions shall apply as stated.

Breach of Confidential Information
The unauthorised disclosure or transmission of Confidential Information.

Company Computer System
(i) Any computer hardware, software or any components thereof that are linked together through a network of two or more devices accessible through the internet or an intranet or that are connected through data storage or other peripheral devices which are owned, operated, controlled or leased by a Company;
(ii) any of the foregoing computer hardware, software or components thereof which is part of an industrial control system, including a supervisory control and data acquisition (SCADA) system; or
(iii) any employee “Bring Your Own Device” but only to the extent such device is used to access any of the foregoing computer hardware, software or components thereof or Data contained therein.

Confidential Information
Corporate Information and Personal Information in a Company’s or Information Holder’s care, custody or control or for which a Company is legally responsible.

Corporate Information
A Third Party’s items of information that are not available to the public (including trade secrets, data, designs, forecasts, formulas, practices, processes, records, reports and documents) which are subject to contractual or legal protection.

Cyber Extortion Expenses
The reasonable and necessary fees, costs and expenses of any firm appointed by the Insurer or any other firm appointed by the Company that has been approved by the Insurer in advance of such appointment to provide the Cyber Extortion Services.


Cyber Extortion Services
(i) Conducting an investigation to determine the validity, cause and scope of an Extortion Threat;
(ii) advising on the response to an Extortion Threat;
(iii) containing or resolving the disruption of the operations of a Company Computer System caused by the Extortion Threat; or
(iv) assisting a Company in negotiating a resolution to an Extortion Threat.

Cyber Terrorism
The premeditated use of disruptive activities against a Company Computer System or network, or the explicit threat to use such activities, by an individual or group of individuals, whether acting alone or on behalf of or in connection with any entity or government, in each case with the intention to cause harm, further social, ideological, religious, political or similar objectives, or to intimidate any person(s) in furtherance of such objectives.

Cyber Terrorism does not include any such activities which are part of or in support of any use of military force or war.

Extortion Threat
Any threat or connected series of threats, for the purpose of demanding money, securities or other tangible or intangible property of value from a Company, to:
(i) commit or continue a Breach of Confidential Information;
(ii) commit or continue an intentional attack against a Company Computer System (including through the use of ransomware); or
(iii) disclose information concerning a vulnerability in a Company Computer System.

Information Holder
A Third Party that:
(i) a Company has provided Personal Information or Corporate Information to; or
(ii) has received Personal Information or Corporate Information on behalf of a Company.

Insured
A Company.

Insured Event
An Extortion Threat.


Loss
(i) Any payment of cash, monetary instrument, cryptocurrencies (including the costs to obtain such cryptocurrencies) or the fair market value of any property which a Company has paid, to prevent or end an Extortion Threat; and
(ii) Cyber Extortion Expenses.

Personal Information
Any Data relating to an identified or identifiable natural person.

Personal Information includes a natural person’s name, online identifiers, telephone number, credit card or debit card number, account and other banking information, medical information, or any other information about a natural person protected under any Data Protection Legislation.

3. Exclusions

The following Exclusions are specific to this Cyber Extortion Coverage Section. They apply in addition to the Exclusions in Section 11 (Exclusions) of the General Terms and Conditions.

The Insurer shall not be liable for any Loss:

3.1. Anti-terrorism legislation
To the extent that the provision of such payment to or on behalf of a Company would expose the Insurer, its parent company or its ultimate controlling entity to any applicable anti-terrorism legislation or regulation under United Nations resolutions laws or regulations of the European Union, or the United States of America or the United Kingdom.

3.2. Bodily Injury and Property Damage
For any:
(i) physical injury, mental illness, sickness, disease or death; or
(ii) loss, damage or destruction of tangible property.

3.3. Government Entity or Public Authority
Arising out of, based upon or attributable to a regulatory or enforcement threat or demand by any government entity or public authority.

3.4. Patent
Arising out of, based upon or attributable to any infringement of patents.

3.5. War and Terrorism
Arising out of, based upon or attributable to any war (whether war is declared or not), terrorism (except Cyber Terrorism), invasion, use of military force, civil war, popular or military rising, rebellion or revolution, or any action taken to hinder or defend against any of these events.


American International Group, Inc. (AIG) is a leading global insurance organization. AIG member companies provide a wide range of property casualty insurance, life insurance, retirement solutions and other financial services to customers in approximately 70 countries and jurisdictions. These diverse offerings include products
and services that help businesses and individuals protect their assets, manage risks and provide for retirement security. AIG common stock is listed on the New York Stock Exchange.
Additional information about AIG can be found at http://www.aig.com | YouTube: www.youtube.com/aig | Twitter: @AIGinsurance www.twitter.com/AIGinsurance | LinkedIn: ww.linkedin.com/company/aig. These references with additional information about AIG have been provided as a convenience, and the information
contained on such websites is not incorporated by reference into this press release.
AIG is the marketing name for the worldwide property-casualty, life and retirement and general insurance operations of American International Group, Inc. For additional information, please visit our website at http://www.aig.com. All products and services are written or provided by subsidiaries or affiliates of American
International Group, Inc. Products or services may not be available in all countries and jurisdictions, and coverage is subject to underwriting requirements and actual policy language. Non-insurance products and services may be provided by independent third parties. Certain property-casualty coverages may be provided
by a surplus lines insurer. Surplus lines insurers do not generally participate in state guaranty funds, and insureds are therefore not protected by such funds. Non-insurance products and services may be provided by independent third parties. American International Group UK Limited is registered in England: company number
10737370. Registered address: The AIG Building, 58 Fenchurch Street, London EC3M 4AB. American International Group UK Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority (FRN number 781109). This information can be checked
by visiting the FS Register (www.fca.org.uk/register).

GBL00003622 1222
