Chubb Cyber Insurance Singapore — Independent Review

Rule:

Regulatory Fines means any civil monetary fine or penalty imposed by a government or regulatory body, including an official governmental entity in such entity's regulatory or official capacity pursuant to its order under a Regulatory Proceeding. Regulatory Fines shall not include any civil monetary fines or penalties that are not insurable by law, criminal fines, disgorgement of profits or multiple damages. Privacy Regulations means regulations applying to the care, collection, custody, control, use, or disclosure of Personal Data, including Data that is regulated by the Personal Data Protection Act 2012 (No.26 of 2012) and the EU General Data Protection Regulation (GDPR). Regulatory Fines are a sublimit under Privacy and Network Security Liability shown in the Schedule.

Covered:

true

Sublimit Sgd:

rule string

Where Insurable Only:

true

Rule:

Cyber Extortion Damages means Money, including cryptocurrency(ies), paid by you where legally allowed and insurable, to terminate or end a Cyber Extortion Event. Cyber Extortion Expenses means such reasonable and necessary expenses to hire a third party consultant for the sole purpose of handling the negotiation and payment of Cyber Extortion Damages to terminate or end a Cyber Extortion Event. Covered under Insuring Agreement 1.4 with a separate Limit of Insurance and Excess as shown in the Schedule. Sanctions: We shall not be deemed to provide cover and we shall not be liable to pay any Loss or provide any benefit hereunder to the extent that the provision of such cover, payment of such Loss or provision of such benefit would expose us, or our parent or ultimate holding company, to any sanction, prohibition or restriction implemented pursuant to resolutions of the United Nations or the trade and economic sanctions, laws or regulations of the Republic of Singapore, the European Union, United Kingdom, Commonwealth of Australia or the United States of America.

Covered:

true

Sublimit Sgd:

rule string

Sanctions Clause:

true

Panel Negotiator Required:

true

Sublimit Pct Of Aggregate:

rule string

Rule:

Business Interruption Loss during the Period of Indemnity, arising from a Business Interruption Incident, the duration of which exceeds the Waiting Period, and is discovered by any Control Group member during the Policy Period. The Waiting Period means the number of hours specified in Item 3 of the Schedule following a Business Interruption Incident. Period of Indemnity means the period during which you incur Business Interruption Loss or Data and System Recovery Costs, beginning when the Business Interruption Incident occurs and not exceeding three (3) months. However, the Period of Indemnity may be extended solely by us for a time period within our discretion in the event that you are still incurring Business Interruption Loss or Data and System Recovery Costs. Business Interruption Incident includes inability to access, disruption of, or disturbance to a Covered Computer System operated for your benefit by a third-party service provider under written contract with you.

Waiting Period Hours:

rule string

Contingent Bi Covered:

rule string

Indemnity Period Months:

3

Rule:

Incident Response Expenses means those reasonable and necessary expenses: (A) to retain incident response management services for the purpose of coordinating response to a Cyber Incident or Business Interruption Incident; (B) to retain the services of a third party computer forensics firm to determine the cause and scope of a Cyber Incident or Business Interruption Incident; (C) to comply with consumer notification provisions of Privacy Regulations in the applicable jurisdiction that most favours coverage for such expenses, including retaining the services of a notification or call centre support service and retaining the services of a law firm to determine the applicability of and actions necessary to comply with Privacy Regulations; (E) to retain the services of a public relations firm, law firm or crisis management firm for advertising or related communications solely for the purpose of protecting or restoring your reputation as a result of a Cyber Incident or Business Interruption Incident; (G) to retain the services of a licensed investigator or credit specialist to provide up to one year of fraud consultation to the individuals whose Personal Data has been wrongfully disclosed or otherwise compromised, and to retain a third party identity restoration service for those individuals who have been confirmed by such investigator or specialist as victims of identity theft resulting solely and directly from the Cyber Incident; (H) for credit monitoring, identity theft monitoring, social media monitoring, credit freezing, fraud alert service or other fraud prevention software for those individuals whose Personal Data was wrongfully disclosed or otherwise compromised directly as a result of the Cyber Incident. Emergency Incident Response Expenses require retention of individuals through the Chubb Cyber Alert App and third party computer forensics firms that are part of the Chubb Incident Response Platform appointed by our pre-approved incident response manager.

Panel Required:

true

Forensic Covered:

true

Pr Crisis Covered:

true

Credit Monitoring Months:

12

Notification Costs Covered:

true

Rule:

Cyber Crime (Insuring Agreement Extension 2.3): We will pay on your behalf for Direct Financial Loss solely as a result of Theft of your Money or Securities due to Malicious Use or Access of a Covered Computer System by a Third Party, discovered by any Control Group member during the Policy Period. Theft means a dishonest and unlawful act of a Third Party of taking your Money or your Securities with the intention of permanently depriving you of its use and obtaining a financial gain for themselves. Exclusions under 4.20 include: any acts by employees or independent contractors; any acts by directors, executive officers or executive managers; government seizures; fluctuation in value; indirect or consequential loss; recall costs. Money does not include cryptocurrencies. Social engineering/invoice redirection not expressly covered. Limit of Insurance shown in the Schedule.

Sublimit Sgd:

rule string

Social Engineering:

false

Invoice Redirection:

false

Funds Transfer Fraud:

true

Rule:

We shall not be liable for Loss on account of any Claim alleging, based upon, arising out of or attributable to war, invasion, acts of foreign enemies, terrorism, hostilities or warlike operations (whether war is declared or not), strike, lock-out, riot, civil war, rebellion, revolution, insurrection, civil commotion assuming the proportions of or amounting to an uprising, military or usurped power. However, this exclusion shall not apply to an Act of Cyber-Terrorism which results in a Claim. Act of Cyber-Terrorism means any act, including force or violence, or the threat thereof against a Covered Computer System by an individual or group(s) of individuals, whether acting alone, on behalf of or in connection with any organisation(s) or government(s), to cause Unauthorised Use or Access of or inflict a Computer Malicious Act on a Covered Computer System for the purpose of furthering social, ideological, religious, economic or political objectives, intimidating or coercing a government or the civilian population thereof, or disrupting any segment of the economy.

Excluded:

true

Lloyds 2022 Clause:

false

• 4.1 Prior Knowledge: alleging, based upon, arising out of or attributable to a Wrongful Act actually or allegedly committed prior to the beginning of the Policy Period if, on or before the earlier of the effective date of this Policy or the effective date of any Policy issued by us of which this Policy is a continuous renewal or a replacement, any member of the Control Group of the Insured knew or reasonably could have foreseen that the Wrongful Act did or could lead to any Loss.
• 4.2 Pending or Prior Proceedings: alleging, based upon, arising out of, or attributable to any prior or pending litigation, Privacy and Network Security Claim, Media Claim, demand, arbitration, administrative or regulatory proceeding or investigation filed or commenced against you, and of which you had notice, on or before the earlier of the effective date of this Policy or the effective date of any policy issued by us of which this Policy is a continuous renewal or a replacement, or alleging or derived from the same or substantially the same fact, circumstance or situation underlying or alleged therein; or any Wrongful Act, fact, circumstance or situation that has been the subject of any notice given under any other policy before the effective date of this Policy; or any other Wrongful Act whenever occurring which, together with a Wrongful Act that has been the subject of such notice, would constitute a Single Claim.
• 4.3 Conduct: directly or indirectly caused by, arising out of or in any way connected with your conduct, or of any person for whose conduct you are legally responsible, that involves: (A) committing or permitting any knowing or wilful breach of duty, or violation, of any laws; or (B) committing or permitting any criminal, deliberately fraudulent or deliberately dishonest act or omission; or (C) any actual or attempted gain of personal profit, secret profit or advantage by you to which you were not entitled. This exclusion only applies where such conduct has been established to have occurred by final adjudication (after the exhaustion of any appeals), or written admission.
• 4.4 Intentional Wrongful Collection or Use: alleging, based upon, arising out of, attributable to, directly or indirectly resulting from, in consequence of, or in any way involving the unauthorised, surreptitious, or wrongful use or collection of Personal Data by you or the failure to provide adequate notice that Personal Data is being collected or used. However, this exclusion shall not apply to your unintentional violation of any Privacy Regulation, including but not limited to the unintentional wrongful use or collection of Personal Data.
• 4.5 Discrimination or Employment Practices: alleging, based upon, arising out of or attributable to any discrimination of any kind; humiliation, harassment or misconduct based upon, arising out of or related to any such discrimination; Wrongful Employment Practices.
• 4.6 Insured v. Insured: brought or maintained by you, or on your behalf, or any other natural person or entity for whom or which you are legally liable, arising out of a Privacy and Network Security Claim or Media Claim.
• 4.7 Contract: for breach of any express, implied, actual or constructive contract, warranty, guarantee, or promise, including liquidated damages provisions or any liability assumed by you.
• 4.8 Fees: Solely with respect to coverage under Insuring Agreements 1.5 and 1.6, alleging, based upon, arising out of or attributable to any fees, expenses, or costs paid to or charged by you.
• 4.9 Bodily Injury and Property Damage: alleging, based upon, arising out of or attributable to any Bodily Injury or Property Damage.
• 4.10 Infrastructure Outage: alleging, based upon, arising out of or attributable to any electrical or mechanical failure or interruption, electrical disturbance, surge, spike, brownout, blackout, or outages to electricity, gas, water, telecommunications or other infrastructure. However, this exclusion shall not apply to failures, interruptions, disturbances or outages of telephone, cable or telecommunications systems, networks or infrastructure, under an Insured's operational control, which is a result of a failure of Computer Malicious Act, Unauthorised Use or Access, or a failure of Network Security.
• 4.11 Force Majeure: alleging, based upon, arising out of or attributable to fire, smoke, explosion, lightning, wind, flood, earthquake, volcanic eruption, tidal wave, landslide, hail, act of God or any other physical event, however caused.
• 4.12 War: alleging, based upon, arising out of or attributable to war, invasion, acts of foreign enemies, terrorism, hostilities or warlike operations (whether war is declared or not), strike, lock-out, riot, civil war, rebellion, revolution, insurrection, civil commotion assuming the proportions of or amounting to an uprising, military or usurped power. However, this exclusion shall not apply to an Act of Cyber-Terrorism which results in a Claim.
• 4.13 Pollution: alleging, based upon, arising out of or attributable to the actual, alleged or threatened discharge, release, escape, seepage, migration, or disposal of Pollutants, or any direction, formal mandate or request that any Insured test for, monitor, clean up, remove, contain, treat, detoxify or neutralise Pollutants, or any voluntary decision to do so.
• 4.14 Wear and Tear and Governmental Authority Intervention: Solely with respect to coverage under Insuring Agreements 1.1, 1.2 and 1.3: (A) alleging, based upon, arising out of, or attributable to the ordinary wear and tear or gradual deterioration of a Covered Computer System or Data, including any data processing media. (B) for any action of a public or governmental authority, including the seizure, confiscation or destruction of a Covered Computer Systems or Data.
• 4.15 Patent and Trade Secret: alleging, based upon, arising out of or attributable to any claim, dispute or issues with the validity, invalidity, infringement, violation or misappropriation of any patent or Trade Secret by or on behalf of you.
• 4.16 Intellectual Property: alleging, based upon, arising out of or attributable to any infringement, violation or misappropriation by you of any copyright, service mark, trade name, trademark or other intellectual property of any third party. However, this exclusion shall not apply to a Privacy and Network Security Wrongful Act or Media Wrongful Act expressly covered under Insuring Agreements 1.5 or 1.6.
• 4.17 Advertising or Misrepresentation: Solely with respect to coverage under Insuring Agreement 1.6, alleging, arising out of, or attributable to the actual goods, Products or services described, illustrated or displayed in Media Content.
• 4.18 Products: alleging, based upon, arising out of or attributable to any Products.
• 4.19 Trading: alleging, based upon, arising out of or attributable to any financial loss due to the inability to trade, invest, divest, buy or sell any financial security or financial asset of any kind; fluctuations in any value of assets; financial value in any of your accounts held at a financial institution; or inability to earn interest or appreciation on any asset.
• 4.20 Cyber Crime: Solely with respect to coverage under Insuring Agreement Extension 2.3 Cyber Crime, we will not pay for Direct Financial Loss consisting of or which is due to: (A) any acts by employees or independent contractors of the Insured, including any Claims caused by collusion with an employee or independent contractor; (B) any acts by your directors, executive officers or executive managers, including any Claims caused by collusion with a director, executive officer or executive manager; (C) any government seizures of your Money or Securities; (D) any fluctuation in value in any Monies or Securities; (E) indirect or consequential loss, including but not limited to income or profit; or (F) recall costs or expenses.
• 5.23 Trade and Economic Sanctions: We shall not be deemed to provide cover and we shall not be liable to pay any Loss or provide any benefit hereunder to the extent that the provision of such cover, payment of such Loss or provision of such benefit would expose us, or our parent or ultimate holding company, to any sanction, prohibition or restriction implemented pursuant to resolutions of the United Nations or the trade and economic sanctions, laws or regulations of the Republic of Singapore, the European Union, United Kingdom, Commonwealth of Australia or the United States of America.
• Data and System Recovery Costs do not include: (a) costs or expenses incurred to identify or remediate software vulnerabilities; (b) costs to replace any hardware or physical property; (c) costs incurred to research and develop Data, including Trade Secrets; (d) the economic or market value of Data, including Trade Secrets; (e) any other consequential loss or damage; (f) Incident Response Expenses; or (g) costs to update, upgrade, replace, maintain, or improve any Data or Computer System beyond what is provided in 3.20, D, i.
• Incident Response Expenses shall not include: (a) costs or expenses incurred to update or otherwise improve privacy or network security controls, policies or procedures to a level beyond that which existed prior to the Cyber Incident or Business Interruption Incident or to be compliant with Privacy Regulations, except to the extent Betterment Costs are applicable; (b) taxes, fines, penalties, injunctions, or sanctions; (c) Damages; (d) any other Expenses, except for Incident Response Expenses; (e) your wages, salaries, internal operating costs or expenses, or fees; or (f) costs to respond to, commence or defend third party litigation related to the Cyber Incident or Business Interruption Incident.
• Payment Card Loss shall not include: (A) subsequent fines or monetary assessments for continued noncompliance with the Payment Card Industry Data Security Standard beyond a period of three months from the date of the initial fine or monetary assessment; or (B) costs or expenses incurred to update or otherwise improve privacy or network security controls, policies or procedures.
• Consumer Redress Fund shall not include any sums paid which constitute taxes, fines, penalties, injunctions or sanctions.
• Regulatory Proceeding does not include any action, proceeding or suit, or the portion of any action, proceeding or suit, that is based on or related to a criminal violation of Privacy Regulations.
• Cyber Extortion Event shall not include any threats or connected series of threats made against you expressing intent to perform or cause any of the above if made, approved or directed by a member of the Control Group.
• Programming Error does not include integration, installation, upgrade or patching of any software, hardware or firmware on a Covered Computer System unless you can evidence that the Programming Error arises from an Accepted Program.

Cyber Crime:

rule string — amount shown in Schedule

Media Liability:

rule string — amount shown in Schedule

Reward Expenses:

rule string — amount shown in Schedule; forms part of and reduces Cyber Extortion Limit of Insurance

Betterment Costs:

rule string — amount shown in Schedule; forms part of and reduces Data and System Recovery Limit of Insurance

Regulatory Fines:

rule string — amount shown in Schedule

Payment Card Loss:

rule string — amount shown in Schedule

Consumer Redress Fund:

rule string — amount shown in Schedule

Telecommunications Fraud:

rule string — amount shown in Schedule

Emergency Incident Response:

rule string — amount shown in Schedule; forms part of and reduces Incident Response Limit of Insurance

---

**Policy Number:**

**Principal Address**

| From: | LST |
|-------|-----|
| To: | LST |

Both days inclusive, LST (Local Standard Time) at the Principal Address.

| **First Party Insuring Agreements** | **Limit of Insurance** | **Excess** |
|-------------------------------------|----------------------|-----------|
| Incident Response | $ | $ |
| Business Interruption | $ | $ Waiting Period: _ hours |
| Data and System Recovery | $ | $ |
| Cyber Extortion | $ | $ |

| **Third Party Insuring Agreements** | **Limit of Insurance** | **Excess** |
|------------------------------------|----------------------|-----------|
| Privacy and Network Security Liability | $ | $ |

| - | **Limit of Insurance** | **Excess** |
|---|----------------------|-----------|
| Consumer Redress Fund | $ | $ |
| Payment Card Loss | $ | $ |
| Regulatory Fines | $ | $ |
| Media Liability | $ | $ |

| **Insuring Agreement Extensions** | **Limit of Insurance** | **Excess** |
|----------------------------------|----------------------|-----------|
| Emergency Incident Response | $ | $ |
| Betterment Costs | $ | $ |
| Cyber Crime | $ | $ |
| Reward Expenses | $ | $ |
| Telecommunications Fraud | $ | $ |

Cyber Enterprise Risk Management (Version 2) Policy

As Agreed

---

Before you enter into an insurance contract, you have a duty to tell us anything that you know, or could reasonably be expected to know, may affect our decision to insure you and on what terms.

You have this duty until we agree to insure you.

You have the same duty before you renew, extend, vary or reinstate an insurance contract.

You do not need to tell us anything that:

- reduces the risk we insure you for; or
- is common knowledge; or
- we know or should know as an insurer; or
- we waive your duty to tell us about.

If you do not tell us anything you are required to, we may cancel your contract or reduce the amount we will pay you if you make a claim, or both.

If your failure to tell us is fraudulent, we may refuse to pay a claim and treat the contract as if it never existed.

---

If "Not Covered" is shown in Item 3 of the Schedule in relation to any Insuring Agreement, such Insuring Agreement and any reference to it is deemed deleted and such coverage is not afforded.

**We will pay on your behalf for:**

**Incident Response Expenses** by reason of a **Cyber Incident** or a **Business Interruption Incident** discovered by any **Control Group** member during the **Policy Period** and reported to us pursuant to General Condition 5.10 Notification.

**We will reimburse you for:**

**Business Interruption Loss** during the **Period of Indemnity**, arising from a **Business Interruption Incident**, the duration of which exceeds the **Waiting Period**, and is discovered by any **Control Group** member during the **Policy Period**; and

**Data and System Recovery Costs** during the **Period of Indemnity**, arising from a **Business Interruption Incident** discovered by any **Control Group** member during the **Policy Period**; and

**Cyber Extortion Damages** and **Cyber Extortion Expenses** by reason of a **Cyber Extortion Event** discovered by any **Control Group** member during the **Policy Period**;

and reported to us pursuant to General Condition 5.10 Notification.

**We will reimburse you for:**

**Damages** and **Privacy and Network Security Claims Expenses** by reason of a **Privacy and Network Security Claim** first made during the **Policy Period** resulting from any **Privacy and Network Security Wrongful Act** taking place after the **Retroactive Date** and prior to the end of the **Policy Period**; and

**Damages** and **Media Claims Expenses** by reason of a **Media Claim** first made during the **Policy Period** resulting from any **Media Wrongful Act** taking place after the **Retroactive Date** and prior to the end of the **Policy Period**;

and reported to us pursuant to General Condition 5.10 Notification.

---

If "Not Covered" is shown in Item 3 of the Schedule in relation to any Insuring Agreement Extension, such Insuring Agreement Extension and any reference to it is deemed deleted and such coverage is not afforded.

**We will pay on your behalf for:**

**Emergency Incident Response Expenses** incurred within the first 48 hours immediately following the discovery of a reasonably suspected or confirmed **Cyber Incident** or **Business Interruption Incident** by any **Control Group** member during the **Policy Period** and reported to us pursuant to General Condition 5.10 Notification, which requires immediate attention in order to mitigate the damage from, effects of and costs related to such **Cyber Incident** or **Business Interruption Incident**.

**We will reimburse you for:**

**Betterment Costs** arising from a **Business Interruption Incident** as covered under Insuring Agreement 1.3;

**Direct Financial Loss** solely as a result of **Theft** of your **Money** or **Securities** due to **Malicious Use or Access** of a **Covered Computer System** by a **Third Party**, discovered by any **Control Group** member during the **Policy Period**;

**Reward Expenses** solely to the extent used in direct connection with a **Cyber Extortion Event** as covered under Insuring Agreement 1.4;

**Telecommunications Expenses** due to a **Computer Malicious Act** or **Malicious Use or Access** of a **Covered Telecom System** by a **Third Party**, discovered by any **Control Group** member during the **Policy Period**;

and reported to us pursuant to General Condition 5.10 Notification.

---

When used in this **Policy**:

means a program that has been fully developed, successfully tested and proved successful in an equivalent operational environment prior to release.

means any act, including force or violence, or the threat thereof against a **Covered Computer System** by an individual or group(s) of individuals, whether acting alone, on behalf of or in connection with any organisation(s) or government(s), to cause **Unauthorised Use or Access** of or inflict a **Computer Malicious Act** on a **Covered Computer System** for the purpose of furthering social, ideological, religious, economic or political objectives, intimidating or coercing a government or the civilian population thereof, or disrupting any segment of the economy.

applicable to Insuring Agreement Extension 2.2 only, means costs to replace or restore software or applications in a **Covered Computer System** with newer, upgraded and/or improved versions of such software or applications.

**Betterment Costs** shall be a part of and not in addition to the applicable **Limit of Insurance** shown in the **Schedule** for Data and Systems Recovery as provided for under Insuring Agreement 1.3, and shall reduce such applicable **Limit of Insurance**.

means injury to the body, sickness, or disease, and death. **Bodily Injury** also means mental injury, mental anguish, mental tension, emotional distress, pain and suffering, or shock, regardless of how it is caused or manifests, except that **Bodily Injury** does not include any mental injury, mental anguish, mental tension, emotional distress, pain and suffering, or shock that arises out of a **Privacy and Network Security Wrongful Act** or **Media Wrongful Act** as expressly covered under Insuring Agreements 1.5 or 1.6.

means inability to access, disruption of, or disturbance to a **Covered Computer System** or the taking of, corruption of or destruction of your **Data** caused solely and directly by:

A. a **Computer Malicious Act**;

B. **Unauthorised Use or Access**;

C. **Human Error**;

D. a failure of **Network Security**;

E. **Programming Error**;

F. the reasonable and necessary shutdown of all or parts of a **Covered Computer System** in an attempt to prevent or mitigate the effects of any of items A.-E. above; or

G. a power failure, surge or diminution of an electrical system controlled by you, which is a result of A, B, or D above.

means:

A. your **Net Profit** before income taxes that would have been earned had the **Business Interruption Incident** not occurred, less your **Net Profit** actually earned before income taxes; and

B. your continuing normal operating and payroll expenses, but only to the extent that the same are disrupted or impeded by the **Business Interruption Incident** and would have been paid or accrued had the **Business Interruption Incident** not occurred.

**Business Interruption Loss** includes amounts covered under items A and B above that accrued during the **Waiting Period**. The **Excess** applicable to **Business Interruption Loss** shall be calculated pursuant to General Condition 5.5, D.

means a **Privacy and Network Security Claim**, a **Media Claim**, and/or a **Wrongful Act**.

means any malicious act committed against a **Covered Computer System**, or malicious access to or hacking of a **Covered Computer System**, for the purpose of creating, deleting, taking, collecting, altering or destroying your **Data** or services, without involving any physical damage to a **Covered Computer System**, telecommunications equipment or infrastructure. **Computer Malicious Act** includes a distributed denial of service attack or the introduction of malicious code, ransomware, cryptoware, virus, trojans, worms and logic or time bombs or any malware, programs, files or instructions of a malicious nature which may disrupt, harm, impede access to, or in any other way corrupt the operation of a **Covered Computer System**, **Data**, or software within.

means computer hardware, software, firmware, and the data stored thereon, as well as associated mobile devices, input and output devices, data storage devices, networking equipment and storage area network or other electronic data backup facilities, including SCADA and ICS systems.

means a sum of money that you are legally obligated to deposit in a fund as equitable relief for the payment of consumer **Privacy and Network Security Claims** or **Media Claims** due to an adverse judgment or settlement of a **Regulatory Proceeding**. **Consumer Redress Fund** shall not include any sums paid which constitute taxes, fines, penalties, injunctions or sanctions.

means the Chief Finance Officer, Chief Executive Officer, General Counsel, Risk Manager, Chief Information Officer, Chief Information Security Officer, Chief Technology Officer, Data Protection Officer, Insurance Representative, or the organisational equivalent of any of those positions of the **Named Insured**.

means a **Computer System**:

A. leased, owned, or operated by you; or

B. operated for your benefit by a third-party service provider under written contract with you.

applicable to Insuring Agreement Extension 2.5 only, means your fixed line telecom system or a fixed line telecom system operated on your behalf for which you are responsible for under a written agreement.

means **Money**, including cryptocurrency(ies), paid by you where legally allowed and insurable, to terminate or end a **Cyber Extortion Event**. The valuation of **Cyber Extortion Damages** shall be calculated as described in General Condition 5.12.

means any credible threat or connected series of credible threats made against you expressing intent to perform or cause, or the actual performance of or causing of, the following:

A. the release, divulgence, dissemination, destruction or use of confidential, sensitive or proprietary information, or personally identifiable information, stored on a **Covered Computer System**;

B. a failure of **Network Security** on a **Covered Computer System**;

C. the introduction or infliction of a **Computer Malicious Act** on a **Covered Computer System**;

D. the alteration, corruption, destruction, misappropriation, manipulation of, or damage to, **Data**, instructions or any electronic information transmitted or stored on a **Covered Computer System**; or

E. the restriction or inhibition of access to a **Covered Computer System**;

for the purpose of demanding **Money** or cryptocurrency(ies) from you, or that you otherwise meet a demand, in exchange for the mitigation or removal of such threat or connected series of threats, or the reversal or termination of the actual performance of such threats or series of connected threats.

**Cyber Extortion Event** shall not include any threats or connected series of threats made against you expressing intent to perform or cause any of the above if made, approved or directed by a member of the **Control Group**.

means such reasonable and necessary expenses to hire a third party consultant for the sole purpose of handling the negotiation and payment of **Cyber Extortion Damages** to terminate or end a **Cyber Extortion Event**.

means any actual or reasonably suspected:

A. **Computer Malicious Act**, **Human Error**, **Programming Error**, failure of **Network Security**, or **Unauthorised Use or Access** or any other threat or action against a **Covered Computer System**, including those threats or actions done in the commission of a **Cyber Extortion Event**;

B. **Privacy and Network Security Wrongful Act**; or

C. power failure, surge or diminution of an electrical system controlled by you;

that creates the need for **Incident Response Expenses**.

means compensatory damages, any award of prejudgment or post-judgment interest and settlements which you become legally obligated to pay as a result of a **Wrongful Act** to which this **Policy** applies.

**Damages** include punitive damages and exemplary damages, only to the extent such damages are insurable under the laws of the applicable jurisdiction that most favours coverage for such damages.

With respect to Insuring Agreement 1.5, **Damages** shall also include a **Consumer Redress Fund**, **Payment Card Loss**, and **Regulatory Fines**.

Any and all **Damages** are subject to the applicable **Limit of Insurance** listed on the **Schedule**.

**Damages** shall not include:

i. any amount for which you are not legally obligated to pay;

ii. matters uninsurable under the laws pursuant to which this **Policy** is construed;

iii. the cost to comply with any injunctive or other non-monetary or declaratory relief, including specific performance, or any agreement to provide such relief;

iv. your loss of fees or profits, return of fees, commissions;

v. royalties, or re-performance of services by you or under your supervision;

vi. disgorgement of any profit, remuneration or financial advantage to which you are not legally entitled; and

vii. any amounts other than those which compensate solely for a loss caused by a **Wrongful Act**, unless specifically provided for in this **Policy**.

With respect to Insuring Agreement 1.5, **Damages** shall not include any consideration owed or paid by or to an **Insured**, including any royalties, restitution, reduction, disgorgement or return of any payment, charges, or fees; or costs to correct or re-perform services related to **Products**, including for the recall, loss of use, or removal of **Products**.

means any information, facts or programs stored, created, used, or transmitted on any hardware or software. **Data** includes any information or programs that allow a computer and any of its accessories to function, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media that are used with electronically controlled equipment or other electronic backup facilities. **Data** does not constitute the actual hardware or tangible property.

means any reasonable and necessary costs:

A. to recover or reconstruct any **Data** that has been damaged, compromised or lost. These costs to recover or reconstruct **Data** are only available up and until a reasoned determination has been made by the third party forensics firm retained to recover the lost **Data**, that the **Data** cannot be recovered or reconstructed; and

B. to repair or restore software or applications in a **Covered Computer System** but only if necessary to restore a **Covered Computer System** to the same or equivalent condition or functionality as existed before the **Business Interruption Incident**; and

C. to identify and remediate the cause of the **Business Interruption Incident**; and

D. with our prior consent, which will not be unreasonably withheld or delayed:

i. to update, upgrade, replace, or improve a **Covered Computer System**, but only where:

a. the costs to update, upgrade, replace or improve the damaged or compromised software or applications on a **Covered Computer System** to a newer or improved standard, condition, functionality, or version are reasonably expected by you to be less than or equal to the cost(s) to repair, fix or restore the same; or

b. **Betterment Costs** are applicable; and

ii. any other reasonable and necessary costs to get your business back to full operating condition, but only to the extent that the **Business Interruption Incident** solely created or caused the issue or problem that prevented your business from being fully operational.

**Data and System Recovery Costs** include, but are not limited to:

I. the use of external equipment whether by hiring a third party or leasing the equipment;

II. the implementation of an alternate work method in accordance with a business continuity plan;

III. costs to subcontract with an external service provider; and

IV. increased costs of labour.

**Data and System Recovery Costs** do not include:

(a) costs or expenses incurred to identify or remediate software vulnerabilities;

(b) costs to replace any hardware or physical property;

(c) costs incurred to research and develop **Data**, including **Trade Secrets**;

(d) the economic or market value of **Data**, including **Trade Secrets**;

(e) any other consequential loss or damage;

(f) **Incident Response Expenses**; or

(g) costs to update, upgrade, replace, maintain, or improve any **Data** or **Computer System** beyond what is provided in 3.20, D, i.

applicable to Insuring Agreement Extension 2.3 only, means the replacement value of the **Money** or the market value of **Securities** at the time the **Theft** was discovered by any **Control Group** member during the **Policy Period**. The valuation of **Direct Financial Loss** shall be calculated as described in General Condition 5.12.

applicable to Insuring Agreement Extension 2.1 only, means those reasonable and necessary expenses:

A. to retain an individual or entity through the Chubb Cyber Alert App for the purpose of coordinating response to your reasonably suspected or confirmed **Cyber Incident** or **Business Interruption Incident**;

B. to retain a third party computer forensics firm that is part of the Chubb Incident Response Platform and that has been appointed by our pre-approved incident response manager to determine the cause and scope of your reasonably suspected or confirmed **Cyber Incident** or **Business Interruption Incident** and to initiate the process to stop, reverse or remediate the effects of such **Cyber Incident** or **Business Interruption Incident**.

**Emergency Incident Response Expenses** shall be a part of and not in addition to the applicable **Limit of Insurance** shown in the **Schedule** for Incident Response as provided for under Insuring Agreement 1.1, and shall reduce and may completely exhaust such applicable **Limit of Insurance**.

means the first part of a **Loss** and any other covered amount payable which shall apply to each and every **Claim**. The **Excess** that shall be borne by you is the amount listed on the **Schedule** with regard to coverage under the applicable Insuring Agreement or Insuring Agreement Extension. The **Excess** shall be applied pursuant to General Condition 5.5.

means the period(s) for the extension of coverage, if applicable, described in General Condition 5.8 and 5.16.

mean **Privacy and Network Security Claims Expenses**, **Media Claims Expenses**, **Business Interruption Loss**, **Cyber Extortion Damages** and **Cyber Extortion Expenses**, **Data and System Recovery Costs**, and **Incident Response Expenses**. **Expenses** shall also mean **Betterment Costs**, **Emergency Incident Response Expenses**, **Direct Financial Loss**, **Reward Expenses** and/or **Telecommunications Expenses**.

means an operating error or omission, including the choice of the program used, an error in setting parameters or any inappropriate single intervention by an employee or a third party providing services to you, which results in a loss, alteration or destruction of your **Data**.

means those reasonable and necessary expenses:

A. to retain incident response management services for the purpose of coordinating response to a **Cyber Incident** or **Business Interruption Incident**;

B. to retain the services of a third party computer forensics firm to determine the cause and scope of a **Cyber Incident** or **Business Interruption Incident**;

C. to comply with consumer notification provisions of **Privacy Regulations** in the applicable jurisdiction that most favours coverage for such expenses, but only to the extent that such compliance is required because of a **Cyber Incident**, including but not limited to:

i. retaining the services of a notification or call centre support service; and

ii. retaining the services of a law firm to determine the applicability of and actions necessary to comply with **Privacy Regulations**;

D. to retain a legal or regulatory advisor to handle and respond to any inquiries by any government agency, or functionally equivalent regulatory authority, alleging the violation of **Privacy Regulations**, including communicating with such government agency or functionally equivalent regulatory authority to determine the applicability and actions necessary to comply with **Privacy Regulations**, but not the costs to actually appear or defend you at a **Regulatory Proceeding**;

E. to retain the services of a public relations firm, law firm or crisis management firm for advertising or related communications solely for the purpose of protecting or restoring your reputation as a result of a **Cyber Incident** or **Business Interruption Incident**;

F. to retain the services of a law firm solely to provide a preliminary legal opinion and advice as to your rights and options with regards to the legal issues that arise as a result of the **Cyber Incident** or **Business Interruption Incident**, including determining your potential indemnification rights under vendor contracts and preparing for and mitigating potential third party litigation;

G. to retain the services of a licensed investigator or credit specialist to provide up to one year of fraud consultation to the individuals whose **Personal Data** has been wrongfully disclosed or otherwise compromised, and to retain a third party identity restoration service for those individuals who have been confirmed by such investigator or specialist as victims of identity theft resulting solely and directly from the **Cyber Incident**;

H. for credit monitoring, identity theft monitoring, social media monitoring, credit freezing, fraud alert service or other fraud prevention software for those individuals whose **Personal Data** was wrongfully disclosed or otherwise compromised directly as a result of the **Cyber Incident**; and

I. with our prior consent:

i. to voluntarily notify individuals whose **Personal Data** has been wrongfully disclosed or otherwise compromised, including retaining a notification service or call centre support service; and

ii. any other reasonable and necessary expenses.

**Incident Response Expenses** shall not include:

(a) costs or expenses incurred to update or otherwise improve privacy or network security controls, policies or procedures to a level beyond that which existed prior to the **Cyber Incident** or **Business Interruption Incident** or to be compliant with **Privacy Regulations**, except to the extent **Betterment Costs** are applicable;

(b) taxes, fines, penalties, injunctions, or sanctions;

(c) **Damages**;

(d) any other **Expenses**, except for **Incident Response Expenses**;

(e) your wages, salaries, internal operating costs or expenses, or fees; or

(f) costs to respond to, commence or defend third party litigation related to the **Cyber Incident** or **Business Interruption Incident**.

means the person(s) employed by the **Insured Organisation** who is responsible for procuring and maintaining the **Insured Organisation's** insurance policy(ies).

means the **Insured Organisation** and any **Insured Person**.

means the **Named Insured** and any **Subsidiary**.

means:

A. any past, present or future principal, partner, officer, director, trustee, supervisory board member, employee, leased employee, or temporary employee of the **Insured Organisation** while acting on the **Insured Organisation's** behalf or at the **Insured Organisation's** direction and control;

B. a lawyer employed by the **Insured Organisation** who in their capacity as such must comply with Sarbanes-Oxley Act of 2002 (USA); and

C. independent contractors of the **Insured Organisation**, who are natural persons, whilst performing duties on behalf of the **Insured Organisation**.

The term **Insured Person** also includes:

i. any domestic partner of a principal, partner, director, officer, trustee, employee, but only where the **Privacy and Network Security Claim** or **Media Claim** is brought against such principal, partner, director, officer, trustee, employee;

ii. the estate, heir or legal representative of a deceased principal, partner, director, officer, trustee, employee, but only where such **Privacy and Network Security Claims** or **Media Claim** is brought against such principal, partner, director, officer, trustee, employee.

The term **Insured Person** does not include any auditor, receiver, liquidator (including provisional liquidator), administrator, judicial manager, trustee in bankruptcy, mortgagee in possession or the like or any employees of such person.

means Chubb Insurance Singapore Limited (Company Number: 199702449H).

means the amount stated as such in the **Schedule** which, subject to the **Policy Aggregate**, is the maximum aggregate amount of a **Loss** and other covered amounts payable by us for each and every **Claim** in respect of the **Policy Period**.

means any **Damages** or **Expenses**.

means the prohibited, unlawful and unauthorised entry to, use or access of a **Covered Computer System**.

means:

A. a demand against you for monetary or non-monetary damages;

B. a civil proceeding against you seeking monetary damages or non-monetary or injunctive relief, commenced by the service of a complaint or similar pleading; or

C. an arbitration proceeding against you seeking monetary damages or non-monetary or injunctive relief.

means:

A. reasonable and necessary legal fees, expert witness fees and other fees and costs incurred by us, or by you with our prior consent, such consent not to be unreasonably withheld or delayed, in the investigation and defence of a covered **Media Claim**;

B. reasonable and necessary premiums for any appeal bond, attachment bond or similar bond, provided that we shall have no obligation to apply for or furnish such bond; and

C. subject to our prior approval, reasonable and necessary fees incurred for public relations and crisis communications services.

means electronic media distributed by or on behalf of you on the Internet, including on social media websites.

means the publication, distribution, or broadcast of **Media Content**.

means any actual or alleged;

A. disparagement or harm to the reputation or character of any person or organisation, defamation, libel, slander, product disparagement, trade libel, infliction of emotional distress, mental anguish and injurious falsehood;

B. eavesdropping, false arrest or malicious prosecution;

C. plagiarism, piracy or misappropriation of ideas in connection with any **Media Content**;

D. infringement of copyright, domain name, trade dress, title or slogan, or the dilution or infringement of trademark, service mark, service name or trade name; but not actual or alleged infringement of any patent or **Trade Secret**;

E. negligence with respect to the **Insured's** creation or dissemination of **Media Content**;

committed by the **Insured** solely in the performance of providing **Media Services**.

**Media Wrongful Act** shall not include any kind of discrimination or discriminatory conduct, including any alleged **Media Claims** of unequal or complete lack of access to your website and/or **Media Content**.

means currency, coins, bank notes, bullion, cheques, travellers cheques, registered cheques, postal orders, money orders held for sale to the public or funds, whether in physical or held via electronic means. **Money** does not include cryptocurrencies, goods or tangible property.

means the organisation first specified in Item 1 of the **Schedule**.

means an individual who can be identified by specific reference to an identifier such as a name, national identification number or other government issued identification number, location data, an online identifier such as an IP address, or by one or more factors specific to the physical, cultural or social identity of that individual.

means the operating profit resulting from your business after due provision has been made for all fixed charges.

means those activities performed by you, or by others on behalf of you, to protect against **Computer Malicious Acts** or **Unauthorised Use or Access**.

means monetary assessments, fines, penalties, chargebacks, reimbursements, and fraud recoveries that you become legally obligated to pay as a result of a **Privacy and Network Security Wrongful Act** and where such amount is due to your non-compliance with the Payment Card Industry Data Security Standard.

**Payment Card Loss** shall not include:

A. subsequent fines or monetary assessments for continued noncompliance with the Payment Card Industry Data Security Standard beyond a period of three months from the date of the initial fine or monetary assessment; or

B. costs or expenses incurred to update or otherwise improve privacy or network security controls, policies or procedures.

means the period during which you incur **Business Interruption Loss** or **Data and System Recovery Costs**, beginning when the **Business Interruption Incident** occurs and not exceeding three (3) months. However, the **Period of Indemnity** may be extended solely by us for a time period within our discretion in the event that you are still incurring **Business Interruption Loss** or **Data and System Recovery Costs**.

means:

A. a **Natural Person's** name, national identity number or national insurance number, medical or healthcare data, other protected health information, driver's license number, state identification number, credit card number, debit card number, address, telephone number, email address, account number, account histories, or passwords; and

B. any other protected personal information as defined in **Privacy Regulations**;

in any format.

means injury arising out of one or more of the following offenses:

A. false arrest, detention or imprisonment;

B. malicious prosecution;

C. libel, slander, or other defamatory or disparaging material;

D. publication or an utterance in violation of an individual's right to privacy; and

E. wrongful entry or eviction, or other invasion of the right to private occupancy.

means, collectively, the **Schedule**, the proposal, this policy form and any endorsements.

means the amount stated as such in the **Schedule** which is the maximum aggregate amount payable by us under the **Policy** in respect of the **Policy Period** irrespective of the number of **Claims**, the number of **Limits of Insurance**, number of claimants, number of **Insureds** making a **Claim**, number of Insuring Agreements and/or Insuring Agreement Extensions claimed under and/or anything whatsoever, including any combination of those things.

means the period of time specified in Item 2 of the **Schedule**, subject to any applicable prior termination pursuant to Section 5, General Conditions.

means any solid, liquid, gaseous or thermal irritant or contaminant, including smoke, vapour, soot, fumes, acids, alkalis, chemicals, asbestos, asbestos products or waste (waste includes materials to be recycled, reconditioned or reclaimed).

means:

A. a demand against you for monetary or non-monetary damages;

B. a civil proceeding against you seeking monetary damages or non-monetary or injunctive relief, commenced by the service of a complaint or similar pleading;

C. an arbitration proceeding against you seeking monetary damages or non-monetary or injunctive relief; or

D. a **Regulatory Proceeding**.

means:

A. reasonable and necessary legal fees, expert witness fees and other fees and costs incurred by us, or by you with our prior consent, in the investigation and defence of a covered **Privacy and Network Security Claim**; and

B. reasonable and necessary premiums for any appeal bond, attachment bond or similar bond, provided we shall have no obligation to apply for or furnish such bond.

means any error, misstatement, misleading statement, act, omission, neglect or breach of duty, actually or allegedly committed or attempted by you resulting in:

A. a failure of **Network Security**, including the failure to deter, inhibit, defend against or detect any **Computer Malicious Act** or **Unauthorised Use or Access**, including that which causes **Personal Injury**;

B. the failure by you or by an independent contractor for which you are legally responsible to handle, manage, store, destroy or otherwise control:

i. **Personal Data**, including that which causes **Personal Injury**; or

ii. Non-public, private third party corporate information in any format provided to you; or

C. an unintentional violation of your privacy policy that results in the violation of any **Privacy Regulation**, including but not limited to the unintentional wrongful use or collection of **Personal Data** by you.

means regulations applying to the care, collection, custody, control, use, or disclosure of **Personal Data**, including **Data** that is regulated by the Personal Data Protection Act 2012 (No.26 of 2012) and the EU General Data Protection Regulation (GDPR).

means anything that the **Insured** sells, designed, created, developed, assembled, manufactured, handled, installed, disposed of, leased to or licensed for others, sold, or that is distributed by or on behalf of an **Insured**, including the repair or maintenance thereof.

means error that occurs during the development or encoding of a program, application or operating system that would, once in operation, result in a malfunction of the computer system and/or an interruption of operation and/or an incorrect result.

**Programming Error** does not include integration, installation, upgrade or patching of any software, hardware or firmware on a **Covered Computer System** unless you can evidence that the **Programming Error** arises from an **Accepted Program**.

means physical injury to or loss or destruction of tangible property, including the loss of use thereof. **Property Damage** shall not include any injury to, loss or destruction of, or loss of use of **Data**.

means any civil monetary fine or penalty imposed by a government or regulatory body, including an official governmental entity in such entity's regulatory or official capacity pursuant to its order under a **Regulatory Proceeding**. **Regulatory Fines** shall not include any civil monetary fines or penalties that are not insurable by law, criminal fines, disgorgement of profits or multiple damages.

means a request for information, demand, suit, civil investigation or civil proceeding by or on behalf of a government agency, commenced by a service of a complaint or similar pleading alleging the violation of **Privacy Regulations** as a result of your **Privacy and Network Security Wrongful Act** and that may reasonably be expected to give rise to a covered **Privacy and Network Security Claim** under Insuring Agreement 1.5 of this **Policy**. Additionally, **Regulatory Proceeding** does not include any action, proceeding or suit, or the portion of any action, proceeding or suit, that is based on or related to a criminal violation of **Privacy Regulations**.

means the date specified in Item 4 of the **Schedule**.

applicable to Insuring Agreement Extension 2.4 only, means the reasonable amount of money or other security paid by an **Insured Organisation**, with our prior consent, to a third party natural person, who is not affiliated with or employed by the **Insured Organisation**, and who provides information not otherwise available that leads to the arrest and conviction of any person responsible for the **Cyber Extortion Event**.

**Reward Expenses** shall not include any **Incident Response Expenses** or **Cyber Extortion Expenses**.

**Reward Expenses** shall be a part of and not in addition to the applicable **Limit of Insurance** shown in the **Schedule** for Cyber Extortion as provided for under Insuring Agreement 1.4, and shall reduce such applicable **Limit of Insurance**.

means the schedule attached to this **Policy**.

applicable to Insuring Agreement Extension 2.3 only, means negotiable and non-negotiable instruments or contracts, including any note, stock, bond, debenture, evidence of indebtedness, share or other equity or debt security, representing either money or property, but does not include **Money** or cryptocurrencies. **Securities** also does not include goods or tangible property.

means all **Claims** or other matters giving rise to a claim under this **Policy** that relate to the same originating source or cause or the same underlying source or cause, regardless of whether such **Claims**, **Regulatory Proceedings** or other matters giving rise to a claim under this **Policy** involve the same or different claimants, **Insureds**, events, or legal causes of action.

means any entity that is not formed as a partnership or joint venture in which, at the inception of the **Policy**, the **Named Insured** directly or indirectly:

A. holds more than 50% of the voting rights;

B. has the right to appoint or remove more than 50% of the board of directors; or

C. controls alone, pursuant to a written agreement with other shareholders, more than 50% of the voting rights.

If a **Subsidiary** ceases to be a **Subsidiary** either prior to or during the **Policy Period**, this **Policy** shall continue to cover such **Subsidiary** and its **Insured Persons**, but:

i. only for **Privacy and Network Security Wrongful Acts** and **Media Wrongful Acts** that occur after the **Retroactive Date** and while the entity was a **Subsidiary**; and

ii. only for **Cyber Incidents**, **Business Interruption Incidents**, **Cyber Extortion Events**, and **Theft** discovered by any **Control Group** member while the entity was a **Subsidiary**.

applicable to Insuring Agreement Extension 2.5 only, means the amount invoiced for unauthorised voice or data charges or unauthorised bandwidth.

**Telecommunications Expenses** shall not include any fraudulent charges waived, reimbursed, or recovered by or on behalf of the telecommunications provider. Additionally, **Telecommunications Expenses** shall not include any voice, data or bandwidth charges incurred because of the intentional, negligent or wrongful misuse or overuse of a **Covered Telecom System** by employees or authorised third parties, who have legitimate access to a **Covered Telecom System**.

applicable to Insuring Agreement Extension 2.3 only, means a dishonest and unlawful act of a **Third Party** of taking your **Money** or your **Securities** with the intention of permanently depriving you of its use and obtaining a financial gain for themselves.

means an entity or **Natural Person** not qualifying as an **Insured** under this **Policy**.

means information, including a formula, pattern, compilation, program, device, method, technique or process, that derives independent economic value, actual or potential, from not being generally known to or readily ascertainable by other persons who can obtain value from its disclosure or use, so long as reasonable efforts have been made to maintain its secrecy.

means in respect of the company shown in Item 1 of the **Schedule**:

A. it or all of its assets is or are acquired by another entity;

B. it merges or consolidates into or with another entity;

C. any person, entity or affiliated group of persons and/or entities obtains the right or power to elect, appoint or designate at least fifty percent (50%) of the directors of it;

D. any person, entity or affiliated group of persons and/or entities acquires fifty percent (50%) or more of the issued capital of it; or

E. a receiver, receiver and manager, liquidator, administrator, official manager or trustee is appointed to manage, administer, liquidate, supervise, or otherwise take control.

means the entry or access to a **Covered Computer System** by an unauthorised party or individual, including an employee or authorised party exceeding authority.

means the number of hours specified in Item 3 of the **Schedule** following a **Business Interruption Incident**.

means the **Insurer**.

means an actual or alleged **Privacy and Network Security Wrongful Act**, **Media Wrongful Act**, **Malicious Use or Access**, **Cyber Incident**, or **Business Interruption Incident**.

means any actual or alleged violation of employment laws or any other legal provisions relating to any individual's actual or prospective employment relationship with the **Insured**, including:

A. employment-related invasion of privacy, except with respect to that part of any **Privacy and Network Security Claim** arising out of the loss of **Personal Data** that is otherwise covered under Insuring Agreement 1.5 of this **Policy**;

B. employment-related wrongful infliction of emotional distress, except with respect to that part of any **Privacy and Network Security Claim** arising out of the loss of **Personal Data** that is otherwise covered under Insuring Agreement 1.5 of this **Policy**.

means the **Insured**.

---

We shall not be liable for **Loss** on account of any **Claim**:

alleging, based upon, arising out of or attributable to a **Wrongful Act** actually or allegedly committed prior to the beginning of the **Policy Period** if, on or before the earlier of the effective date of this **Policy** or the effective date of any **Policy** issued by us of which this **Policy** is a continuous renewal or a replacement, any member of the **Control Group** of the **Insured** knew or reasonably could have foreseen that the **Wrongful Act** did or could lead to any **Loss**.

alleging, based upon, arising out of, or attributable to:

A. any prior or pending litigation, **Privacy and Network Security Claim**, **Media Claim**, demand, arbitration, administrative or regulatory proceeding or investigation filed or commenced against you, and of which you had notice, on or before the earlier of the effective date of this **Policy** or the effective date of any policy issued by us of which this **Policy** is a continuous renewal or a replacement, or alleging or derived from the same or substantially the same fact, circumstance or situation underlying or alleged therein; or

B. any **Wrongful Act**, fact, circumstance or situation that has been the subject of any notice given under any other policy before the effective date of this **Policy**; or

C. any other **Wrongful Act** whenever occurring which, together with a **Wrongful Act** that has been the subject of such notice, would constitute a **Single Claim**.

directly or indirectly caused by, arising out of or in any way connected with your conduct, or of any person for whose conduct you are legally responsible, that involves:

A. committing or permitting any knowing or wilful breach of duty, or violation, of any laws; or

B. committing or permitting any criminal, deliberately fraudulent or deliberately dishonest act or omission; or

C. any actual or attempted gain of personal profit, secret profit or advantage by you to which you were not entitled.

This exclusion only applies where such conduct has been established to have occurred by final adjudication (after the exhaustion of any appeals), or written admission.

Conduct committed by an **Insured Person** shall not be imputed to any other **Insured Person**.

However, conduct committed by or with the knowledge of a past, present, or future member of the **Control Group** shall be imputed to the relevant **Insured Organisation**.

alleging, based upon, arising out of, attributable to, directly or indirectly resulting from, in consequence of, or in any way involving the unauthorised, surreptitious, or wrongful use or collection of **Personal Data** by you or the failure to provide adequate notice that **Personal Data** is being collected or used.

However, this exclusion shall not apply to your unintentional violation of any **Privacy Regulation**, including but not limited to the unintentional wrongful use or collection of **Personal Data**.

alleging, based upon, arising out of or attributable to any:

A. discrimination of any kind;

B. humiliation, harassment or misconduct based upon, arising out of or related to any such discrimination;

C. **Wrongful Employment Practices**.

However, this exclusion shall not apply with respect to that part of any **Privacy and Network Security Claim** alleging employment-related invasion of privacy or employment-related wrongful infliction of emotional distress in the event such **Privacy and Network Security Claim** arises out of the loss of **Personal Data** which is covered under Insuring Agreement 1.5.

brought or maintained by you, or on your behalf, or any other natural person or entity for whom or which you are legally liable, arising out of a **Privacy and Network Security Claim** or **Media Claim**. However, this exclusion shall not apply to a **Privacy and Network Security Claim** brought against you by an **Insured Person**, alleging that you committed a **Privacy and Network Security Wrongful Act** as outlined in parts B and C only, which is expressly covered under Insuring Agreement 1.5.

for breach of any express, implied, actual or constructive contract, warranty, guarantee, or promise, including liquidated damages provisions or any liability assumed by you. This exclusion shall not apply to:

A. any liability or obligation you would have in the absence of such contract, warranty, guarantee, promise or agreement; or

B. any indemnity by you in a written contract or agreement with your client regarding any **Privacy and Network Security Wrongful Act** that results in the failure to preserve the confidentiality or privacy of **Personal Data** of customers of your client; or

C. with respect to Insuring Agreement 1.5, any **Payment Card Loss**.

Solely with respect to coverage under Insuring Agreements 1.5 and 1.6, alleging, based upon, arising out of or attributable to any fees, expenses, or costs paid to or charged by you.

alleging, based upon, arising out of or attributable to any **Bodily Injury** or **Property Damage**.

alleging, based upon, arising out of or attributable to any electrical or mechanical failure or interruption, electrical disturbance, surge, spike, brownout, blackout, or outages to electricity, gas, water, telecommunications or other infrastructure. However, this exclusion shall not apply to failures, interruptions, disturbances or outages of telephone, cable or telecommunications systems, networks or infrastructure, under an **Insured's** operational control, which is a result of a failure of **Computer Malicious Act**, **Unauthorised Use or Access**, or a failure of **Network Security**.

alleging, based upon, arising out of or attributable to fire, smoke, explosion, lightning, wind, flood, earthquake, volcanic eruption, tidal wave, landslide, hail, act of God or any other physical event, however caused.

alleging, based upon, arising out of or attributable to war, invasion, acts of foreign enemies, terrorism, hostilities or warlike operations (whether war is declared or not), strike, lock-out, riot, civil war, rebellion, revolution, insurrection, civil commotion assuming the proportions of or amounting to an uprising, military or usurped power. However, this exclusion shall not apply to an **Act of Cyber-Terrorism** which results in a **Claim**.

alleging, based upon, arising out of or attributable to the actual, alleged or threatened discharge, release, escape, seepage, migration, or disposal of **Pollutants**, or any direction, formal mandate or request that any **Insured** test for, monitor, clean up, remove, contain, treat, detoxify or neutralise **Pollutants**, or any voluntary decision to do so.

Solely with respect to coverage under Insuring Agreements 1.1, 1.2 and 1.3:

A. alleging, based upon, arising out of, or attributable to the ordinary wear and tear or gradual deterioration of a **Covered Computer System** or **Data**, including any data processing media.

B. for any action of a public or governmental authority, including the seizure, confiscation or destruction of a **Covered Computer Systems** or **Data**.

alleging, based upon, arising out of or attributable to any claim, dispute or issues with the validity, invalidity, infringement, violation or misappropriation of any patent or **Trade Secret** by or on behalf of you.

alleging, based upon, arising out of or attributable to any infringement, violation or misappropriation by you of any copyright, service mark, trade name, trademark or other intellectual property of any third party. However, this exclusion shall not apply to a **Privacy and Network Security Wrongful Act** or **Media Wrongful Act** expressly covered under Insuring Agreements 1.5 or 1.6.

Solely with respect to coverage under Insuring Agreement 1.6, alleging, arising out of, or attributable to the actual goods, **Products** or services described, illustrated or displayed in **Media Content**.

alleging, based upon, arising out of or attributable to any **Products**.

alleging, based upon, arising out of or attributable to any:

A. financial loss due to the inability to trade, invest, divest, buy or sell any financial security or financial asset of any kind, however, solely with respect to **Business Interruption Loss** covered under Insuring Agreement 1.2, this shall not apply to your loss of fee or commission income;

B. fluctuations in any value of assets;

C. financial value in any of your accounts held at a financial institution; or

D. inability to earn interest or appreciation on any asset.

Solely with respect to coverage under Insuring Agreement Extension 2.3 Cyber Crime, we will not pay for **Direct Financial Loss** consisting of or which is due to:

A. any acts by employees or independent contractors of the **Insured**, including any **Claims** caused by collusion with an employee or independent contractor;

B. any acts by your directors, executive officers or executive managers, including any **Claims** caused by collusion with a director, executive officer or executive manager;

C. any government seizures of your **Money** or **Securities**;

D. any fluctuation in value in any **Monies** or **Securities**;

E. indirect or consequential loss, including but not limited to income or profit; or

F. recall costs or expenses.

---

To the extent permitted by the regulations and law (which expression is for this purpose taken to include but not be limited to any trade or economic sanctions applicable to either party), and subject to the terms of this **Policy**, it covers **Wrongful Acts** committed and **Claims** made anywhere in the world.

This **Policy** is governed by and is to be interpreted in accordance with the laws of the Republic of Singapore. The courts of the Republic of Singapore have exclusive jurisdiction in relation to any disputes regarding this **Policy** unless otherwise provided herein.

Unless the context otherwise requires, in this **Policy**:

A. the singular includes the plural and vice versa;

B. headings are merely descriptive and not to aid interpretation;

C. a position, title, legal status, legal concept or structure, or statute shall include the equivalent in any other jurisdiction;

D. a statute or statutory provision shall include any amended version or re-enactment; and

E. bolded words used in this **Policy** have the meanings set out in Section 3, General Definitions, and in the **Schedule**.

A. The **Limits of Insurance** and **Excesses** listed on the **Schedule** are separate **Limits of Insurance** and **Excesses** pertaining to each Insuring Agreement and each Insuring Agreement Extension.

B. The total amount payable by us (including **Loss**) under this **Policy** in respect of each and every **Single Claim** shall not exceed the sum of the applicable **Limits of Insurance**, and is subject to the **Policy Aggregate**.

C. The total amount payable by us (including **Loss**) under this **Policy** will not exceed the **Policy Aggregate**.

D. Any Sublimit listed on the **Schedule** shall be part of and not in addition to the applicable **Privacy and Network Security Liability** **Limit of Insurance** shown in the **Schedule**, and subject to the **Policy Aggregate**.

E. Sub-limits and Insuring Agreement Extension **Limits of Insurance** are not subject to reinstatement once exhausted.

A. We will only be liable for that part of a **Loss** and any other covered amount payable arising from any **Claim**, which exceeds the **Excess**. Such **Excess** shall be borne by you and is uninsured by us.

B. Only one **Excess** amount shall apply to each and every **Single Claim**. However, the **Excess** applicable to Insuring Agreement Extension 2.2 Betterment Costs shall apply separately to each and every **Single Claim**.

C. If a **Single Claim** is subject to different **Excess** amounts, the applicable **Excess** shall be applied separately to each part of **Damages** and **Expenses**, but the sum of such **Excess** shall not exceed the largest applicable **Excess**. However, the **Excess** applicable to Insuring Agreement Extension 2.2 Betterment Costs shall apply separately and in addition to the sum of such applicable **Excess** amounts.

D. With respect to Insuring Agreement 1.2 Business Interruption, we will pay the actual **Business Interruption Loss** incurred by you:

i. once the applicable **Waiting Period** has expired; and

ii. which exceeds the **Excess** amount shown in Item 3 of the **Schedule**.

A **Single Claim** shall attach to the **Policy** only if the notice of the first **Claim** or other matter giving rise to a **Claim** that became such **Single Claim**, was given by the **Insured** during the **Policy Period**.

You may cancel this **Policy** by giving 30 days' notice to us. If there are no **Claims** notified to us under this **Policy**, we will allow a refund of unearned premium calculated in accordance with its customary pro-rata.

We may cancel this **Policy** for non-payment of premium by 30 days' notice given to you and in accordance with the requirements of any applicable legislation.

In the event that a **Transaction** occurs during the **Policy Period**, then we will only pay for a **Loss** for any **Wrongful Act** occurring prior to the **Transaction** and which is otherwise covered by this **Policy** and reported to us pursuant to General Condition 5.10 Notification.

However, the company shown in Item 1 of the **Schedule** may, up to forty-five (45) days after the **Transaction**, request an offer from us for an **Extended Reporting Period** of up to eighty-four (84) months from the expiry date of the **Policy Period**. Upon such request and following our receipt of any requested information, we shall offer to extend the cover under this **Policy** for an **Extended Reporting Period** of up to eighty-four (84) months on such terms and conditions and at such premium as we may decide at our discretion. Any additional premium will be non-refundable.

The definition of **Subsidiary** under this **Policy** is extended to include any company that becomes a **Subsidiary** during the **Policy Period**, provided that:

A. the new **Subsidiary** does not increase the **Insured Organisation's** total turnover by more than twenty percent (20%) based on the **Insured Organisation's** latest audited consolidated financial statements or annual report; and

B. the new **Subsidiary** is domiciled outside of Canada or The United States of America or its Territories; and

C. the new **Subsidiary** is not registered as an investment advisor with the US Securities and Exchange Commission; and

D. the new **Subsidiary's** business activities are not materially different in their nature to those of the **Insured Organisation**.

In respect of any new **Subsidiary** falling outside the terms of conditions A.-D. above, cover will be automatically provided for a period of sixty (60) days from the date of acquisition, incorporation or creation. This automatic cover may be extended beyond the sixty (60) days with the written agreement of the **Insurer** on such terms the **Insurer** may apply and endorse to the **Policy**.

In respect of any new **Subsidiary**, cover only applies to **Claims** first made during the **Policy Period** in respect of **Wrongful Acts** allegedly committed after the acquisition, incorporation or creation of the new **Subsidiary**.

A. You shall give written notice to us as soon as practicable of a **Claim**.

B. If this **Policy** is not renewed, you shall give written notice to us as soon as practicable of a **Claim** and in no event more than 60 days after the expiry of the **Policy Period** or **Extended Reporting Period**.

C. All notifications under this **Policy** must be provided to us via the following email address: Claims.SG@chubb.com

D. Notifications must include certain information.

i. All notifications under this **Policy** shall include the following information:

(a) a specific description of the alleged **Claim** or **Loss** or other conduct;

(b) details of all parties involved, inclusive of names and contact information;

(c) a copy of any **Privacy and Network Claim** or **Media Claim** made by any third party or the documents or notice related to a **Regulatory Proceeding**;

(d) complete details of any alleged **Damages**; and

(e) such other information as we may require.

ii. Requests made by you for indemnity by us for any **Business Interruption Loss** shall be accompanied by a computation of the loss. This shall set out in detail how the loss has been calculated and what assumptions have been made. You shall produce any documentary evidence, including any applicable reports, books of accounts, bills, ledgers, invoices, and other vouchers and copies of such which we may reasonably require.

E. If, during the **Policy Period** or an obtained **Extended Reporting Period**, you:

i. become aware of circumstances which are likely to give rise to a **Claim** and give written notice of such circumstances to us; or

ii. receive a written request to waive application of a limitation period to, or to suspend the running of time towards expiry of a limitation period for the commencement of a civil proceeding against you for a **Wrongful Act** occurring before the expiry of the **Policy Period** and give written notice of such request and of such **Wrongful Act** to us,

then any **Claims** subsequently arising from such circumstances or such request shall be deemed to have first been made during the **Policy Period**.

Our adjustment of the **Business Interruption Loss** shall take full account of trends or circumstances during the twelve (12) months immediately before the **Business Interruption Incident**, which affect the profitability of the business and would have affected the profitability of the business had the **Business Interruption Incident** not occurred, including all material changes in market conditions which would affect the **Net Profit** generated. However, our adjustment will not include any increase in income that would likely have been earned as a result of an increase in the volume of business due to favourable business conditions.

For the purposes of establishing the value of:

A. **Direct Financial Loss** payable by us, the following valuation shall apply:

i. for currency other than that in which the **Policy** has been issued as referenced in the **Policy Schedule**, the value of that currency based on the rate of exchange published in The Financial Times on the day the **Theft** is first discovered by any **Control Group** member;

ii. **Securities** payable by us, the lesser of the following shall apply:

(a) the closing price of the **Securities** on the business day immediately preceding the day on which the **Theft** is first discovered by any **Control Group** member; or

(b) the cost of replacing the **Securities**; and

B. **Cyber Extortion Damages** payable by us, the following valuation shall apply:

If **Cyber Extortion Damages** are paid in a currency, including cryptocurrency(ies), other than the local currency from where this **Policy** is issued or the currency in which the **Policy** is issued, then payment under this **Policy** will require submission of proof of the calculation of the applicable rate of exchange used to convert such other currency to the local currency from where this **Policy** is issued or the currency in which this **Policy** is issued on the date that the **Cyber Extortion Damages** were actually paid.

Reimbursement of the **Direct Financial Loss** and **Cyber Extortion Damages** to you from us under this **Policy** shall be made in the local currency from where this **Policy** is issued based on the submission of proof provided by you. We retain the right to dispute or adjust the calculation of **Direct Financial Loss** and **Cyber Extortion Damages** to the extent that the submission of proof you submit is based on an inaccurate or inflated rate of exchange.

In the event that any **Claim** involves both covered matters and matters not covered, a fair and proper allocation of any **Loss** shall be made between you and us taking into account the relative legal and financial exposures attributable to covered matters and matters not covered under this **Policy**.

A. In respect of Insuring Agreements 1.5 and 1.6, we may take over and conduct (in your name) the defence of any **Privacy and Network Security Claim** or **Media Claim** in respect of which we may be liable to indemnify you.

B. You agree to do nothing which will or might prejudice us in respect of a **Privacy and Network Security Claim** or **Media Claim** covered by this **Policy**.

C. You must not make any admission of liability in respect of, or agree to settle, any **Privacy and Network Security Claim** or **Media Claim**, including any **Expenses**, without our prior consent (which shall not be unreasonably delayed or withheld), and we must be consulted in advance of investigation, defence and settlement of any **Privacy and Network Security Claim** or **Media Claim**. You must, at your own expense, give us and any investigators or legal representatives appointed by us, all information they reasonably require, and full co-operation and assistance in the conduct of the investigation (including for the purpose of enabling us to determine liability to provide indemnity under this **Policy**), defence, settlement, avoidance or reduction of any actual or possible **Loss** or **Claims**.

A. Where a dispute arises between you and us as to whether a **Privacy and Network Security Claim** or **Media Claim** under this **Policy** should be settled or a judgment or determination appealed, we will be entitled to brief senior counsel (to be mutually agreed or, in default of agreement, you are to select one of the three senior counsel nominated by us), to advise on whether or not the **Privacy and Network Security Claim** or **Media Claim** should be contested, and if not, on the amount for which the **Privacy and Network Security Claim** or **Media Claim** should be settled or whether a judgment or determination should be appealed. In providing such advice and in making any recommendation as to settlement, senior counsel is entitled to take into account both legal and commercial considerations. Senior counsel must have regard to the damages and costs that are likely to be recovered, the defence costs that will be incurred in contesting the **Privacy and Network Security Claim** or **Media Claim** and the prospects of the **Privacy and Network Security Claim** or **Media Claim** being successfully defended. You will not be required to contest the **Privacy and Network Security Claim** or **Media Claim** unless senior counsel recommends that, having regard to all the circumstances, the **Privacy and Network Security Claim** or **Media Claim** should be contested.

B. The costs of obtaining this recommendation will be treated by us as part of **Expenses**.

C. If senior counsel recommends that, having regard to all the circumstances, settlement of the **Privacy and Network Security Claim** or **Media Claim** should be attempted, then subject to receiving the **Insured's** consent (not to be unreasonably withheld or delayed), we will attempt settlement of the **Privacy and Network Security Claim** or **Media Claim** in accordance with senior counsel's recommendation. Where settlement is attempted in accordance with senior counsel's recommendation but is unsuccessful, we will continue to indemnify the **Insured** subject to the terms, conditions, exclusions and limitations of this **Policy**.

D. Notwithstanding the preceding provisions of this clause, where we have the right to conduct the defence of any **Privacy and Network Security Claim** or **Media Claim**, we are also entitled to settle such **Privacy and Network Security Claim** or **Media Claim** if it is in receipt of senior counsel's opinion that settlement of the **Privacy and Network Security Claim** or **Media Claim** should be attempted, having regard to the matters set out in paragraph A. In such circumstances, we will consult with the **Insured** the subject of the **Privacy and Network Security Claim** or **Media Claim**. Should the **Insured** elect not to attempt settlement in accordance with senior counsel's recommendations and elect to contest the **Privacy and Network Security Claim** or **Media Claim**, our liability will be limited to the settlement amount recommended by senior counsel, plus the **Expenses** incurred up to the date the recommendation was made. Notwithstanding any advice from such senior counsel, we shall be entitled, if we elect to do so in our absolute discretion, to continue to defend such **Privacy and Network Security Claim** or **Media Claim**.

E. Any election under this Condition must be made in writing to us as soon as practicable, but no later than fourteen (14) days following receipt of senior counsel's recommendation.

If on expiry, any Insuring Agreement under this **Policy** is neither renewed nor replaced with insurance providing such coverage with any insurer, any **Insured** is entitled to an **Extended Reporting Period** of sixty (60) days automatically for no additional premium and may, subject to the payment of an additional payment of one hundred percent (100%) of the **Premium**, extend the cover under that Insuring Agreement of this **Policy** for an **Extended Reporting Period** of twelve (12) months from the expiration of the **Policy Period**, provided that:

A. the extended cover under this Condition applies only to:

i. for Insuring Agreements 1.1, 1.2, 1.3 and 1.4, and all applicable Insuring Agreement Extensions, **Wrongful Acts** occurring before the expiry of the **Policy Period** and notified to us before the expiry of the **Extended Reporting Period**; and

ii. for Insuring agreements 1.5 and 1.6 **Privacy and Network Security Wrongful Acts** or **Media Wrongful Acts** wholly committed before the expiry of the **Policy Period** and notified to us before the expiry of the **Extended Reporting Period**.

B. To exercise this **Extended Reporting Period** under this Condition, the **Named Insured** must, within the sixty (60) day period after the expiration of the **Policy Period**:

i. provide notice to us of the intention to exercise the twelve (12) month option; and

ii. pay the additional premium.

You shall not have the right to purchase the twelve (12) month **Extended Reporting Period** under this Condition in the event that a **Transaction** occurs during the **Policy Period**.

The **Extended Reporting Period** is not available in the event this **Policy** is cancelled or voided. Any additional premium payable under this Condition will be fully earned upon payment and will be non-refundable.

You agree that our offer of renewal terms, conditions, limits of liability or premium different from those of this **Policy** do not constitute a refusal to renew.

There shall be no entitlement to an **Extended Reporting Period** in the event, and from the date that, the **Named Insured** obtains any similar insurance cover. In such an event, any **Extended Reporting Period** already purchased shall automatically be cancelled. The premium shall have been fully earned at inception of the **Extended Reporting Period**.

A. If any payment is made by us under this **Policy**, we will be subrogated to all of your rights of indemnity, contribution or recovery in relation to that payment.

B. You must, at your own expense, provide us with all reasonable assistance and cooperation in securing and enforcing such rights.

C. You must not surrender any right, or settle any **Claim** for indemnity, contribution or recovery, without our prior written consent.

A. We shall have no remedy for any breach by you of your duty to make a fair presentation of the risk prior to inception of, or in connection with, this **Policy**, unless we demonstrate such breach was dishonest.

B. The proposal submitted to us for the purpose of seeking cover under this **Policy** will be construed as a separate proposal by each of you and, with respect to statements and particulars provided in the proposal, no statements made or information possessed by any **Insured Person** shall be imputed to any other **Insured Person** to determine whether cover is available for that **Insured**.

C. Only the statements made or knowledge possessed by any past, present or future **Control Group** member will be imputed to such **Insured Organisation**.

You must not disclose the terms or nature of any **Excess**, **Limit of Insurance**, **Policy Aggregate** or the premium payable under this **Policy**, to any third party, including disclosure in the **Insured Organisation's** annual report, except where:

A. we provide our written consent; or

B. it is necessary for you to provide, or cause to have provided, to a client an insurance certificate; or

C. disclosure is required by Court order.

This **Policy** and any rights arising under this **Policy** cannot be assigned without our prior written consent.

A. If any **Loss** is insured under any other policy entered into by, or effected on behalf of you, or under which you are a beneficiary, whether prior or current, then, this **Policy**, subject to its limitations, conditions, provisions and other terms, will only cover such **Loss** to the extent that the amount of it is in excess of the amount of such other insurance.

B. Clause A above does not apply to such other insurance that is written specifically as excess insurance over the policy limit specified in the **Schedule**.

The **Named Insured** agrees to act on behalf of you with respect to this **Policy**.

We shall not be deemed to provide cover and we shall not be liable to pay any **Loss** or provide any benefit hereunder to the extent that the provision of such cover, payment of such **Loss** or provision of such benefit would expose us, or our parent or ultimate holding company, to any sanction, prohibition or restriction implemented pursuant to resolutions of the United Nations or the trade and economic sanctions, laws or regulations of the Republic of Singapore, the European Union, United Kingdom, Commonwealth of Australia or the United States of America.

A person or organisation that is not a party to this **Policy** shall have no right under the Contracts (Rights of Third Parties) Act (Chapter 35B) to enforce any of its terms.

The validity of this **Policy** is subject to the conditions precedent that:

(i) for the risk insured, you have never had any insurance terminated in the last twelve (12) months due solely or in part to a breach of any premium payment condition;

(ii) if you have declared that you have breached any premium payment condition in respect of a previous policy taken up with another insurer in the last twelve (12) months:

(a) you have fully paid all outstanding premium for time on risk calculated by the previous insurer based on the customary short period rate in respect of the previous policy; and

(b) a copy of the written confirmation from the previous insurer to this effect is first provided by you to us before the cover incepts.

A. If the **Policy Period** is 60 days or more, any premium due must be paid and actually received in full by us (or the intermediary through whom this **Policy** was effected) within sixty (60) days of the inception date of the coverage under this **Policy**, renewal certificate or cover note.

B. In the event that any premium due is not paid and actually received in full by us (or the intermediary through whom this **Policy** was affected) within the 60-day period referred to above, then:

(i) the cover under this **Policy**, renewal certificate or cover note is automatically terminated immediately after the expiry of the said 60-day period;

(ii) the automatic termination of the cover shall be without prejudice to any liability incurred within the said 60-day period; and

(iii) we will be entitled to a pro-rata time on risk premium subject to a minimum of S$25.00.

C. If the **Policy Period** is less than sixty (60) days, any premium due must be paid and actually received in full by us (or the intermediary through whom this **Policy** was affected) within the **Policy Period**.

---

Chubb Insurance Singapore Limited ("**Chubb**") is committed to protecting your personal data. **Chubb** collects, uses, discloses and retains your personal data in accordance with the Personal Data Protection Act 2012 and our own policies and procedures. Our Personal Data Protection Policy is available upon request.

**Chubb** collects your personal data (which may include health information) when you apply for, change or renew an insurance policy with us, or when we process a claim. We collect your personal data to assess your application for insurance, to provide you with competitive insurance products and services and administer them, and to handle any claim that may be made under a policy. If you do not provide us with your personal data, then we may not be able to provide you with insurance products or services or respond to a claim.

We may disclose the personal data we collect to third parties for and in connection with such purposes, including contractors and contracted service providers engaged by us to deliver our services or carry out certain business activities on our behalf (such as actuaries, loss adjusters, claims investigators, claims handlers, third party administrators, call centres and professional advisors, including doctors and other medical service providers), other companies within the **Chubb** Group, other insurers, our reinsurers, and government agencies (where we are required to by law). These third parties may be located outside of Singapore.

You consent to us using and disclosing your personal data as set out above. This consent remains valid until you alter or revoke it by providing written notice to Chubb's Data Protection Officer ("**DPO**") (contact details provided below). If you withdraw your consent, then we may not be able to provide you with insurance products or services or respond to a claim.

From time to time, we may use your personal data to send you offers or information regarding our products and services that may be of interest to you. If you do not wish to receive such information, please provide written notice to Chubb's **DPO**.

If you would like to obtain a copy of Chubb's Personal Data Protection Policy, access a copy of your personal data, correct or update your personal data, or have a complaint or want more information about how Chubb manages your personal data, please contact Chubb's **DPO** at:

**Address:** Chubb Data Protection Officer
138 Market Street,
#11-01 CapitaGreen,
Singapore 048946

**E:** dpo.sg@chubb.com