Etiqa — Etiqa SME Cyber

Rule:

We shall pay on behalf of the insured all civil monetary fines and penalties (to the extent insurable under the law of the jurisdiction imposing such fines or penalties) and regulatory defence costs necessarily incurred in responding to any regulatory proceeding first made against the insured during the policy period, for a wrongful act arising out of the conduct of the company's business in the territorial limits, which first occurs on or after the retroactive date and before the end of the policy period.

Covered:

civil monetary fines and penalties to the extent insurable under the law of the jurisdiction imposing such fines or penalties

Where Insurable Only:

true

Rule:

We will indemnify the company, to the extent insurable, for cyber extortion payment and cyber extortion expenses incurred by the company and resulting directly from a cyber extortion threat that is discovered during the policy period. Cyber extortion payment shall only be paid, provided that the company can demonstrate to us that: (a) the cyber extortion payment was made under duress; (b) before agreeing to the cyber extortion payment, the company made all reasonable efforts to determine the credibility of the cyber extortion threat; and (c) a responsible person agreed to the cyber extortion payment. We shall not be deemed to provide cover nor shall we be liable to pay any claim or provide any benefit under this Policy to the extent that the provision of such cover, payment of such claim would expose us to any sanction, prohibition or restriction under United Nations resolutions or the trade or economic sanctions, laws or regulations of the Republic of Singapore, European Union, United States of America, United Kingdom and/or any other applicable national economic or trade sanction law or regulations.

Covered:

true

Sanctions Clause:

true

Panel Negotiator Required:

false

Rule:

We will indemnify the company for business income loss and extra expenses incurred by the company during the period of restoration due to an interruption in service, which is directly caused by a cyber event. The period of restoration means the period of time that begins on the time and date of the expiration of the waiting period following the interruption in service and ends on the time and date such company's computer systems was restored or could have been restored with reasonable speed, to substantially the same level of operation that existed prior to such interruption in service, provided that in no event the period of restoration exceeds 120 days. Service provider is defined as any third party independent contractor that provides for a fee, information technology services for the company's benefit, under a written contract with the company, including hosting, security management, co-location and data storage; coverage for interruption in service caused by a cyber event at a service provider is included within the definition of company's computer system.

Waiting Period Hours:

as provided in the Policy Schedule

Contingent Bi Covered:

rule string

Indemnity Period Months:

period of restoration not exceeding 120 days

Rule:

Privacy breach response costs means the following reasonable and necessary costs incurred with our prior written consent, within one (1) year of discovering evidence reasonably suggesting that a privacy breach had occurred: (a) engaging a computer forensic firm to ascertain whether a privacy breach has occurred and the cause and extent of such privacy breach, or whether a network security wrongful act may be the cause of such privacy breach; (b) identifying and preserving the relevant electronic data on the company's computer system; (c) engaging a law firm to advise the insured on its duties to comply with any law or regulation that requires notice to persons and/or governmental agencies due to an actual privacy breach and, if applicable, to examine the insured's indemnification rights and obligations under any written contract with a service provider; (d) notifying any person or legal entity who or which may be directly affected by an actual or suspected privacy breach; (e) public relation expenses to protect or restore the company's business reputation in response to negative publicity following such privacy breach; (f) providing necessary credit-monitoring services and reimbursement for credit freezes and/or credit thaws from a vendor approved by us for those persons who have been directly affected by an actual privacy breach; (g) complying with any other legal requirement owed by the insured to those persons who may be directly affected by an actual privacy breach.

Panel Required:

true

Forensic Covered:

true

Pr Crisis Covered:

true

Credit Monitoring Months:

rule string

Notification Costs Covered:

true

Rule:

No standalone cyber crime insuring clause is present in this wording. Exclusion 3.13 (Monetary Transaction) excludes any loss, transfer or theft of monies, securities or tangible property of others in the care, custody or control of the insured, and any trading losses, trading liabilities or personal debt of the insured. Damages definition expressly excludes any customer or client's funds lost due to unauthorised transfer.

Social Engineering:

false

Invoice Redirection:

false

Funds Transfer Fraud:

false

Rule:

war, invasion, acts of foreign enemies, terrorism, hostilities or warlike operations (whether war be declared or not), civil war, strike, riot, lock-out rebellion, revolution, insurrection, civil commotion assuming the proportion of or amounting to an uprising, military or usurped power; Terrorism is not deemed to include cyber terrorism.

Excluded:

true

Lloyds 2022 Clause:

false

• Crawford & Company International Pte Ltd

• any actual or alleged breach of any competition or antitrust laws, restraint of trade, false, deceptive or unfair trade practices.
• any actual or alleged bodily injury, sickness, emotional distress, mental anguish or death of any person howsoever caused.
• any liability assumed or accepted by the insured under the terms and conditions or warranties of any contract or agreement. However, this Exclusion shall not apply to the extent that such liability would have existed in the absence of such contract or agreement.
• any claim made, occurring, pending within, or to enforce a judgment obtained in the United States of America, Canada or any of their territories or possessions.
• any personal liability incurred by a director, officer, partner or trustee of the company whilst acting in that capacity or managing the company's business.
• any (a) criminal, deliberate, fraudulent, dishonest, unlawful or malicious act or omission committed or condoned by any insured; (b) willful violation of any duty, obligation, law or regulation committed or condoned by any insured; (c) willful violation of the company's privacy policy committed by or condoned by any insured; or (d) actual or attempted gain of profit, remuneration, advantage by an insured to which such insured was not legally entitled to.
• the incomplete disclosure of the company's fees or any disputes involving the company's fees or charges.
• any employment practices or discrimination against or harassment of any person on any basis, including but not limited to: race, creed, color, religion, ethnic background, national origin, age, handicap, disability, gender, marital status, sexual orientation or pregnancy. However, this Exclusion shall not apply not apply to any claim by an employee for a privacy breach relating to the unauthorized disclosure of such employee's personal information.
• any action, requirement or restriction of a public or governmental authority, including the seizure, confiscation, nationalization, expropriation, destruction or loss of use of the company's computer systems or digital assets and any delay caused by the requirements and restrictions imposed by such authority. However, this Exclusion shall not apply to: (a) cyber attacks committed by any such authority against the company's computer systems or digital assets; or (b) the shutdown the company's computer system which is ordered by a civil authority in response to a cyber attack.
• any insured, or any other person or entity, including a service provider's bankruptcy, liquidation or insolvency.
• any mechanical or electrical failure, or outage in, or disruption of power, utilities services, satellites, internet or telecommunications services not under the company's direct operational control.
• any loss of goodwill and reputational harm.
• (a) any loss, transfer or theft of monies, securities or tangible property of others in the care, custody or control of the insured; or (b) any trading losses, trading liabilities or personal debt of the insured.
• fire, smoke, explosion, lightning, wind, flood, earthquake, volcanic eruption, storm, subsidence, tidal wave, landslide, hail, subterranean fire or act of god or any other physical event, however caused.
• (a) loss or destruction of or damage to any property whatsoever or any loss or expense whatsoever resulting or arising therefrom or any consequential loss; or (b) legal liability of whatsoever nature directly or indirectly caused by or contributed to by or arising from: (i) ionising radiations or contamination by radioactivity from any nuclear fuel or from any nuclear waste from the combustion of nuclear fuel; or (ii) the radioactive, toxic, explosive or other hazardous properties of any explosive nuclear assembly or nuclear component thereof.
• any actual or alleged infringement, violation or misappropriation of any patent or trade secret. However, this Exclusion shall not apply to the extent any claim alleges an inadvertent disclosure of a trade secret that constitutes a privacy breach.
• (a) the actual, alleged or threatened discharge, disposal, migration, dispersal, release or escape of pollutants, or (b) any direction, order or request to test for, monitor, remediate, clean up, remove, contain, treat, detoxify, or neutralize pollutants, or to pay for or contribute to the costs of undertaking such actions.
• (a) any fact, circumstance, act, error, omission, threat, event or breach committed or existing prior to the inception date of this Policy, that on or before the inception date the insured was aware of or could reasonably have foreseen such fact, circumstance, act, error, omission, threat, event or breach may be the basis of any loss under the Insuring Clauses, wrongful act or cyber event, regardless of whether the insured had disclosed in the proposal or notified under another insurance or not; or (b) any claim made, threatened or intimated against any insured prior to the inception date of this Policy; or (c) any litigation or other proceedings commenced against any insured or any order, decree or judgement entered against any insured prior to the inception date of this Policy, or alleging or arising out of or in any way involving any of the same or substantially the same facts, circumstances or situations underlying or alleged in such prior litigation, proceeding, order, decree or judgement.
• any actual or alleged damage to, destruction of, impairment or loss of use of any tangible property including hardware or any replacement or repair of any tangible property including hardware.
• any claim brought by, on behalf of or at the behest of any insured or any related entity. However, this Exclusion does not apply to any claim brought by an insured person in his or her capacity as: (a) as the company's customer or client; or (b) an employee for a privacy breach relating to the unauthorized access, disclosure, use of or loss of such employee's personal information.
• (a) any act, error, omission, incident or event committed or occurred prior to the retroactive date stated in the Policy Schedule; or (b) any related or continuing acts, errors, omissions, incidents or events where the first such act, error, omission, incident or event was committed or occurred prior to the retroactive date stated in the Policy Schedule.
• any cost and expenses incurred to identify, patch or remediate software program errors or vulnerabilities except following a covered loss.
• any actual or alleged: (a) illegal, unauthorized or wrongful collection, acquisition or retention of personal information or client information by any means, including the use of cookies or malware; or (b) failure to provide adequate notice of the collection or use of personal information or client information. However, this Exclusion shall not apply: (i) if such collection is done by an employee of the company without the knowledge or consent of any of the company's directors and officers; or (ii) if such collection is done by a third party without the knowledge of the company.
• (a) any distribution of unsolicited emails, text messages, facsimiles, direct mail or other communications to multiple actual or prospective customers, including actual or alleged violation of any anti-spam statute; or (b) any wire tapping, audio or video recordings or unlawful telephone marketing by the insured or any other third party on the insured's behalf. However, this Exclusion does not apply if such unsolicited electronic dissemination of faxes, electronic mail or other communications to multiple actual or prospective customers by the insured or any other third party was caused by a malware or hacker.
• war, invasion, acts of foreign enemies, terrorism, hostilities or warlike operations (whether war be declared or not), civil war, strike, riot, lock-out rebellion, revolution, insurrection, civil commotion assuming the proportion of or amounting to an uprising, military or usurped power; Terrorism is not deemed to include cyber terrorism.
• any ordinary wear and tear, drop in performance, progressive or gradual deterioration of the company's computer systems or digital assets.

Each Sublimit Of Liability:

as specified in the Policy Schedule, part of the Policy Aggregate Limit of Liability

Each Insuring Clause Limit Of Liability:

as shown in the Policy Schedule, part of the Policy Aggregate Limit of Liability

In accordance with the Insurance Act (CAP 142), we would remind You that You must disclose to Us fully and faithfully all the facts You know or could reasonably be expected to know, otherwise You may not receive any benefit from this Policy.

WHEREAS the **Insured** by a signed proposal and declaration which shall be the basis of this Contract and is incorporated herein has applied to the **Insurer** for insurance hereinafter contained and has paid or agreed to pay the agreed premium as consideration for such insurance.

The **Insurer** agrees subject to the Terms Exclusions and conditions contained herein or enclosed hereon that in respect of events occurring during the period of Insurance (or any subsequent period for which the **Insured** has agreed to pay and the **Insurer** has agreed to accept a renewal premium) the **Insurer** will indemnify the **Insured** in the manner and to the extent hereinafter provided in the various Sections of this Policy.

PROVIDED that the liability of the **Insurer** shall in no case exceed in respect of each item the sum stated in the Schedule to be insured or in the whole of the Total Sum Insured under each Section or such other sum or sums as may be substituted by endorsement.

1. Notwithstanding anything herein contained but subject to clause 2 hereof, it is hereby agreed and declared that if the period of insurance is 60 days or more, any premium due must be paid and actually received in full by the **Insurer** (or the intermediary through whom this Policy was effected) within 60 days of the inception date of the coverage under the Policy, Renewal Certificate or Cover Note.

2. In the event that any premium due is not paid and actually received in full by the **Insurer** (or the intermediary through whom this Policy was effected) within the 60-day period referred to above, then:-

   (a) the cover under the Policy, Renewal Certificate or Cover Note is automatically terminated immediately after the expiry of the said 60-day period;

   (b) the automatic termination of the cover shall be without prejudice to any liability incurred within the said 60-day period; and

   (c) the **Insurer** shall be entitled to a pro-rata time on risk premium subject to a minimum of S$25.00.

3. If the period of insurance is less than 60 days, any premium due must be paid and actually received in full by the **Insurer** (or the intermediary through whom this Policy was effected) within the period of insurance.

When used in this Policy, its Schedule and its Endorsements, the following definitions shall apply:

**Business income loss** means:

(a) net income (net profit or net loss before taxes) which would have been reasonably earned or incurred had the **interruption in service** not occurred; and

(b) fixed operating expenses (including payroll) that are not saved as result of the **interruption in service**, but only to the extent that:

(i) such expenses must necessarily continue during the **period of restoration**; and

(ii) would have been incurred had the **interruption in service** not occurred.

**Claim** means:

(a) a written demand against an **insured** for monetary damages or non-monetary relief including a written demand to toll or waive a statutory limitation period;

(b) the service of civil proceedings or institution of arbitration or other alternative dispute resolution proceedings against an **insured** seeking monetary damage, non-monetary or injunctive relief; or

(c) solely with respect to the coverage afforded under Insuring Clause 1.6 (Regulatory Proceedings), a **regulatory proceeding**.

**Company** means singularly or collectively, the policyholder and its **subsidiaries**.

**Company's computer system** means a **computer system** that is:

(a) owned, leased by or operated by the **company**; or

(b) operated for the **company's** benefit by a **service provider** under a written contract with the **company**.

**Computer system** means computer **hardware**, **software**, **programs**, the **electronic data** stored thereon and all associated input and output devices, data storage devices, networking equipment, and data backup facilities, including systems accessible through the internet, intranets, extranets or virtual private networks.

**Crawford** means Crawford & Company International Pte Ltd (Company Reg. No. 197101412E), our appointed Claims Service Call Centre.

**Cyber attack** means:

(a) the introduction of **malware** into the **company's computer system**;

(b) a **denial of service attack** upon the **company's computer system**;

(c) **unauthorized access** to the **company's computer system**; or

(d) **unauthorized use** of the **company's computer systems**.

**Cyber event** means:

(a) a **cyber attack**; or

(b) the shutdown of the **company's computer system** at the direction of a **responsible person**, or a civil authority in response to a **cyber attack**.

**Cyber extortion expenses** means any other reasonable and necessary costs and expenses incurred by the **company**, with our prior written consent, arising directly from a **cyber extortion threat**.

**Cyber extortion expenses** shall include any reasonable and necessary payment made to an informant for information that is not otherwise available.

**Cyber extortion payment** means any monies (including crypto or virtual currencies) paid or property surrendered by the **company** to a person(s) or entity(ies) who the **company** reasonably believes to be responsible for a **cyber extortion threat**, with the purpose of resolving or terminating such threat.

**Cyber extortion threat** means a demand for money (including crypto or virtual currencies) or property accompanied by a credible threat or connected series of threats made by someone other than an **insured person** to:

(a) release, divulge, disseminate, destroy, alter or use **digital assets** acquired by **unauthorized access** to or **unauthorized use** of the **company's computer system**;

(b) introduce **malware** into the **company's computer system**;

(c) corrupt, damage or destroy the **company's computer system**;

(d) electronically communicate with the **company's** customers and falsely claim to be the **company** or to be acting under the **company's** direction in order to falsely obtain personal confidential information of the **company's** customers; or

(e) restrict or hinder access to the **company's computer system** or **digital assets**, including the threat to initiate or continue a **denial of service attack** or the encryption of a **digital asset**; or having already encrypted the **company's digital assets** or disabled access and control of the **company's computer system**, a demand for money or property in return for the decryption key or instructions.

**Cyber terrorism** means any act or series of acts, including but not limited to the use of force or violence and/or the threat thereof expressly directed against the **company's computer systems**, by any person or group(s) of persons, whether acting alone or on behalf of or in connection with any organisation(s) or government(s), to cause **unauthorized access** to, **unauthorized use** of, **denial of service attack** or transmission of **malware** to the **company's computer system**, and which is committed for social, political, economic, religious, ideological or similar purposes including the intention to influence any government and/or to put the public in fear or disrupt any segment of the economy.

**Damages** means all sums the **insured** is legally liable to pay including monetary judgement, award, settlement and claimant's costs and expenses.

**Damages** do not include:

(a) the **company's** future profits, royalties or restitution;

(b) the costs arising out of a judicial order or execution resolutions granting non-monetary relief, including specific compliance or any agreement establishing such relief;

(c) the loss of the **company's** fees or profits, return or offset of the **company's** fees or charges, the **company's** commissions or royalties for the goods or services provided or contracted to be provided;

(d) costs or other amounts that the **insured** is responsible for under a merchant services agreement;

(e) taxes or loss of tax benefits, fines, penalties or sanctions;

(f) any amount the **insured** is not financially or legally obligated to pay;

(g) disgorgement of any profit, remuneration or financial advantage to which the **insured** is not legally entitled;

(h) monetary judgments, awards or settlements which are uninsurable under the law pursuant to which this Policy is construed;

(i) punitive, aggravated, exemplary damages, or any damages which are multiple of compensatory damages;

(j) any customer or client's funds lost due to unauthorised transfer; or

(k) liquidated damages.

**Data protection legislation** means any law or regulation, including amendments thereto, regulating the confidentiality, access, control, use and processing of **personal information**.

**Deductible** means the amount specified in the Policy Schedule.

**Defence costs** means reasonable and necessary fees, costs, charges and expenses incurred by the **insured** with our prior written consent, resulting from the investigation, adjustment, defence, settlement or appeal of a covered **claim**.

**Defence costs** do not include salaries, wages, overheads or benefit expenses incurred by the **insured**.

**Denial of service attack** means a malicious attack which aims to interrupt or prevent a legitimate user's access to a **computer system** or **digital assets**.

**Digital assets** means **electronic data** and **programs** stored on the **company's computer system**.

**Discovered** or **discovery** means when a **responsible person** first has knowledge of an event under Insuring Clause 1.1 (Digital Asset Restoration Costs), 1.2 (Business Interruption Business Income Loss), 1.3 (Privacy Breach Response Costs) or 1.4 (Cyber Extortion Threat) which would cause such **responsible person** to reasonably foresee that a **loss** covered under Insuring Clause 1.1 (Digital Asset Restoration Costs), 1.2 (Business Interruption Business Income Loss), 1.3 (Privacy Breach Response Costs) or 1.4 (Cyber Extortion Threat) is likely to have been incurred or to be incurred, even though the exact amount or details of such **loss** may not be known at that time.

**Electronic data** means information stored or transmitted in a digital format.

**Employee** means any natural person who is under a contract of service with the **company**, including any part time, temporary or seasonal **employee**, and whom the **company** has the right to govern and direct in the performance of their duties.

**Extra expenses** means reasonable and necessary costs incurred by the **company**, with our prior written consent, during the **period of restoration**:

(a) to minimize, avoid or reduce the **business income loss**, which the **company** would not have sustained had the relevant **cyber event** not occurred, including but not limited to the costs of (i) renting, hiring or leasing of external equipment; (ii) alternative work methods; (iii) third party services; and (iv) increased cost of labor.

Provided always that such expenses are over and above the **company's** fixed operating expenses (including payroll) and do not exceed the amount of loss that otherwise would have been payable as **business income loss**.

(b) to preserve critical evidence of any criminal or malicious wrongdoing;

(c) to investigate and determine the nature and extent of the **cyber event** and to substantiate the **business income loss**.

**Extra expenses** do not include:

(a) any costs or expenses incurred to update, restore, replace or improve any **computer system** to a level beyond that which existed just before the **interruption in service** occurred;

(b) legal costs or expenses of any type;

(c) any contractual penalties;

(d) loss arising out of any liability to a third party; or

(e) any other consequential loss or damage.

**Hardware** means any and all the physical components of a **computer system**.

**Insured**, **You**, **Your** means:

(a) the **company**; and

(b) the **insured persons**.

**Insured person** means any natural person who was, now is, or becomes during the **policy period** a director, officer, trustee, partner or **employee** of the **company** whilst acting within the scope of their duties as such.

**Insured person** shall also include the estate, heirs or legal representatives of any person identified above in the event of his/her death, incapacity, insolvency or bankruptcy.

**Interrelated event** means all **loss** or **claims** that have as a common nexus any fact, circumstance, situation, event, transaction, cause or series of causally connected facts, circumstances, situations, events, transactions or causes.

**Interruption in service** means the total or partial interruption, suspension, degradation or delay in the performance of the **company's computer systems**.

**Loss** means:

(a) **business income loss**;

(b) **cyber extortion payment**;

(c) **cyber extortion expenses**;

(d) **damages**;

(e) **defence costs**;

(f) civil monetary fines and penalties covered under Insuring Clause 1.6 (Regulatory Proceedings);

(g) **extra expenses**;

(h) **privacy breach response costs**;

(i) **regulatory defence costs**;

(j) **restoration costs**;

or any other amounts we are liable to pay under the terms and conditions of this Policy.

**Material event** means:

(a) the **policyholder** merges with or consolidates into another entity;

(b) the **policyholder** sells all or more than 50% of its assets to any person, entity or group;

(c) any person, entity or group acquires more than 50% of the issued share capital of the **policyholder**;

(d) any person, entity or group acquires control of the appointment of the majority of the board members of the **policyholder**; or

(e) a trustee in bankruptcy, receiver, manager, liquidator, administrator (or similar official or person) is appointed for the **policyholder**.

**Malware** means any malicious software or code designed to infiltrate, disrupt, corrupt or damage a **computer system** or circumvent any network security product or service, including but not limited to viruses, worms, trojan horses, ransomware, adware and spyware.

**Network security** means the use of software, **hardware** as well as the written security and privacy policies and procedures by the **company** or on their behalf to protect against a **cyber attack**.

**Network security wrongful act** means any actual or alleged act, error or omission by an **insured**, someone for whom the **company** is legally responsible or a **service provider** which causes a failure of the **company's network security** resulting in:

(a) theft, alteration, copying, corruption, destruction, deletion or damage to **electronic data** on the **company's computer systems**;

(b) **unauthorized access** or **unauthorized use** of the **company's computer systems**;

(c) failure to provide an authorized user with access to the **company's computer system**, unless such denial of access is caused by a mechanical or electrical failure outside the **company's** control;

(d) failure to prevent the transmission of **malware** from the **company's computer system** to a **computer system** that is not under the **company's** ownership, operation or control; or

(e) failure to prevent the transmission of **denial of service attack** from the **company's computer system** to a **computer system** that is not under the **company's** ownership, operation or control.

**Period of restoration** means the period of time that:

(a) begins on the time and date of the expiration of the **waiting period** following the **interruption in service**; and

(b) ends on the time and date such **company's computer systems** was restored or could have been restored with reasonable speed, to substantially the same level of operation that existed prior to such **interruption in service**,

provided that in no event the **period of restoration** exceeds 120 days.

**Personal information** means in electronic or paper format:

(a) any non-public personal information that allows an individual to be distinctly identified or contacted, including passport number, identification card number, national insurance number, social security number, driver's license number, home address, email address, telephone number and mobile number;

(b) non-public medical or healthcare data included protected health information;

(c) any account number or credit or debit card number in combination with any required password, access or other security code that would permit access to the financial account; or

(d) any other non-public personal information as defined in any **data protection legislation**.

Provided always that **personal information** does not include any publicly available information that is lawfully made available to the general public, including from government records.

**Policyholder** means the entity named in the Policy Schedule.

**Policy period** means the period specified in the Policy Schedule.

**Pollutants** means any solid, liquid, gaseous, biological or thermal irritant or contaminant, including smoke, vapor, soot, fumes, dust, fibers, asbestos or asbestos products, silica, fungi, mold, spores, mycotoxins, germs, acids, alkalis, chemicals, hazardous substances and waste. Waste includes materials to be recycled, reconditioned or reclaimed.

**Privacy breach** means:

(a) an actual or alleged **unauthorized access**, disclosure, theft, use of or loss of:

(i) **personal information** in the care, custody or control of an **insured** or **service provider**; or

(ii) third party confidential corporate information in the care, custody or control of an **insured** or **service provider**;

(b) actual or alleged violation of any **data protection legislation**; or

(c) actual or alleged violation of the **company's** documented privacy policy.

**Privacy breach response costs** means the following reasonable and necessary costs incurred with our prior written consent, within one (1) year of discovering evidence reasonably suggesting that a **privacy breach** had occurred:

(a) engaging a computer forensic firm to ascertain whether

(i) a **privacy breach** has occurred and the cause and extent of such **privacy breach**; or

(ii) whether a **network security wrongful act** may be the cause of such **privacy breach**;

(b) identifying and preserving the relevant **electronic data** on the **company's computer system**;

(c) engaging a law firm to advise the **insured** on its duties to comply with any law or regulation that requires notice to persons and/or governmental agencies due to an actual **privacy breach** and, if applicable, to examine the **insured's** indemnification rights and obligations under any written contract with a **service provider**;

(d) notifying any person or legal entity who or which may be directly affected by an actual or suspected **privacy breach**;

(e) public relation expenses to protect or restore the **company's** business reputation in response to negative publicity following such **privacy breach**;

(f) providing necessary credit-monitoring services and reimbursement for credit freezes and/or credit thaws from a vendor approved by us for those persons who have been directly affected by an actual **privacy breach**;

(g) complying with any other legal requirement owed by the **insured** to those persons who may be directly affected by an actual **privacy breach**.

Provided always that **privacy breach response costs** do not include:

(i) regular or overtime wages, salaries or fees of any director, officer or **employees**;

(ii) the cost to comply with any order for, grant of or agreement to provide injunctive or other non-monetary relief;

(iii) principal, interest or other moneys paid or due as the result of any loan, lease or extension of credit; or

(iv) taxes, fines, sanctions or penalties.

**Privacy wrongful act** means any actual or alleged act, error or omission by an **insured**, someone for whom the **company** is legally responsible or a **service provider**, which results in a **privacy breach**.

**Program** means a set of instructions that a **computer system** follows in order to perform a specific task. **Programs** include application software, operating systems, firmware and compilers.

**Proposal** means all statements and information, including all statements made in the proposal form, its attachments and the material incorporated therein, submitted to us for the purpose of seeking cover under this Policy.

**Public relations expenses** means the reasonable and necessary expenses, incurred by the **company**, with our prior written consent, in engaging a public relations firm.

**Regulatory defence cost** means reasonable fees, costs, charges and expenses incurred by the **insured** with our prior consent resulting from the investigation, adjustment, defence, settlement or appeal of a covered **regulatory proceeding**.

**Regulatory proceedings** means request for information, civil investigative demand, or civil proceeding commenced by service of a complaint or similar proceeding brought by or on behalf of an administrative or regulatory body or similar governmental body in such entity's regulatory or official capacity in connection with such proceeding.

**Related entity** means:

(a) any business enterprise other than the **company** in which any **insured** has an ownership interest in excess of 15%;

(b) any parent company or entity that has ownership interest in excess of 15% of the **policyholder**; or

(c) an entity other than the **company** if an **insured person** served as a director or officer of such entity at the time the **wrongful act** took place.

**Responsible person** means the **company's** Board Director, Chief Executive Officer, Chief Financial Officer, Data Protection Officer, General Counsel or any **insured person** in a functionally equivalent position.

**Restoration costs** means reasonable costs and expenses, necessarily incurred by the **company** to:

(a) restore, replace or recreate **digital assets** to the same or equivalent condition they were in immediately before the **cyber event**;

(b) prevent, minimize, or mitigate any further damage to **digital assets** including the reasonable and necessary fees and expenses of specialists outside consultants or forensic experts the **company** retains to determine the scope, cause or extent of the **cyber event** and to substantiate the **restoration costs**;

(c) preserve critical evidence of any criminal or malicious wrongdoing;

(d) purchase replacement licenses for **programs** where necessary.

**Restoration costs** shall not mean and we shall have no duty to indemnify the **company** for:

(a) any cost or expenses incurred to restore, update, replace or otherwise improve **digital assets** to a level beyond that which existed prior to the **cyber event**;

(b) any costs or expenses to update, replace, upgrade, maintain, or in any way improve any **computer system** to a level of functionality beyond that which existed prior to the **cyber event**;

(c) the economic or market value of **digital assets**, including but not limited trade secrets or other proprietary information;

(d) any costs and expenses incurred to research or develop any **digital assets**, including trade secrets or other proprietary information;

(e) legal costs or legal expenses of any type;

(f) loss arising out of any liability to any third party for whatever reason;

(g) any costs or expenses incurred without our prior written consent; or

(h) any other consequential loss or damage.

**Retroactive date** means the Retroactive Date stated in the Policy Schedule.

**Service provider** means any third party independent contractor that provides for a fee, information technology services for the **company's** benefit, under a written contract with the **company**, including hosting, security management, co-location and data storage.

**Subsidiary** means either in the singular or plural any entity that, as at the inception date of this Policy, the **policyholder** directly or indirectly through one or more **subsidiaries**:

(a) controls the composition of the board of directors (or equivalent in any other country);

(b) holds more than 50% of the shareholder or equity voting rights; or

(c) holds more than 50% of the issued share capital or equity.

Provided that this Policy only provides coverage with respect to **cyber event**, **cyber extortion threats**, **privacy breaches** or **wrongful acts** which first occur and are **discovered** whilst such entity is a **subsidiary** of the **policyholder**.

**Territorial limits** means worldwide excluding:

(a) the United States of America; and

(b) Canada,

and any territories under their jurisdiction.

**Unauthorized access** means the gaining of access to a **computer system** or network infrastructure by an unauthorized person or persons or by an authorized person or persons in an unauthorized manner.

**Unauthorized use** means the use of a **computer system** or network infrastructure by an unauthorized person(s) or by an authorized person(s) in an unauthorized manner.

**Waiting period** means the number of hours as provided in the Policy Schedule.

**We**, **Insurer**, **us** and **our** means Etiqa Insurance Pte. Ltd. (Company Reg. No. 201331905K)

**Wrongful act** means:

(a) a **network security wrongful act**; or

(b) a **privacy wrongful act**.

---

If "NOT COVERED" is shown in the Policy Schedule in relation to any Insuring Clause, such Insuring Clause and any reference to it within this Policy is deemed to be deleted and such coverage is not afforded.

We will indemnify the **company** for **restoration costs** the **company** incurs as a result of damage, alteration, corruption, distortion, theft, misuse or destruction of **digital assets**, directly caused by a **cyber event**.

The **cyber event** must first occur on or after the **retroactive date** and before the end of the **policy period** and be **discovered** during the **policy period**.

Only **restoration costs** incurred within six (6) months of the **discovery** of the **cyber event** are covered.

We will indemnify the **company** for **business income loss** and **extra expenses** incurred by the **company** during the **period of restoration** due to an **interruption in service**, which is directly caused by a **cyber event**.

The **cyber event** must first occur on or after the **retroactive date** and before the end of the **policy period** and be **discovered** during the **policy period**.

We will indemnify the **company** for **privacy breach response costs** the **company** incurs arising directly from a **privacy breach**.

The **privacy breach** must first occur on or after the **retroactive date** and before the end of the **policy period** and be **discovered** during the **policy period**.

We will indemnify the **company**, to the extent insurable, for **cyber extortion payment** and **cyber extortion expenses** incurred by the **company** and resulting directly from a **cyber extortion threat** that is **discovered** during the **policy period**.

In addition to the **company's** obligations as set forth in this Policy, **cyber extortion payment** shall only be paid, provided that the **company** can demonstrate to us that:

(a) the **cyber extortion payment** was made under duress;

(b) before agreeing to the **cyber extortion payment**, the **company** made all reasonable efforts to determine the credibility of the **cyber extortion threat**; and

(c) a **responsible person** agreed to the **cyber extortion payment**.

We shall pay on behalf of the **insured** all **damages** and **defence costs** arising from a **claim** first made against the **insured** during the **policy period**, for a **wrongful act** arising out of the conduct of the **company's** business in the **territorial limits**, which first occurs on or after the **retroactive date** and before the end of the **policy period**.

We shall pay on behalf of the **insured** all civil monetary fines and penalties (to the extent insurable under the law of the jurisdiction imposing such fines or penalties) and **regulatory defence costs** necessarily incurred in responding to any **regulatory proceeding** first made against the **insured** during the **policy period**, for a **wrongful act** arising out of the conduct of the **company's** business in the **territorial limits**, which first occurs on or after the **retroactive date** and before the end of the **policy period**.

---

No coverage will be available under this Policy with respect to any **loss** directly or indirectly caused by, based upon, arising out of or attributable to:

any actual or alleged breach of any competition or antitrust laws, restraint of trade, false, deceptive or unfair trade practices.

any actual or alleged bodily injury, sickness, emotional distress, mental anguish or death of any person howsoever caused.

any liability assumed or accepted by the **insured** under the terms and conditions or warranties of any contract or agreement.

However, this Exclusion shall not apply to the extent that such liability would have existed in the absence of such contract or agreement.

any **claim** made, occurring, pending within, or to enforce a judgment obtained in the United States of America, Canada or any of their territories or possessions.

any personal liability incurred by a director, officer, partner or trustee of the **company** whilst acting in that capacity or managing the **company's** business.

any

(a) criminal, deliberate, fraudulent, dishonest, unlawful or malicious act or omission committed or condoned by any **insured**;

(b) willful violation of any duty, obligation, law or regulation committed or condoned by any **insured**;

(c) willful violation of the **company's** privacy policy committed by or condoned by any **insured**; or

(d) actual or attempted gain of profit, remuneration, advantage by an **insured** to which such **insured** was not legally entitled to.

We will pay **defence cost** or **regulatory defence costs** until it is established by written admission of such **insured** or final judgment or final adjudication that such conduct did in fact occur. In this event, the **insured** will reimburse us for any **defence cost** or **regulatory defence costs** paid by us to or on behalf of such **insured** under this Policy.

No conduct of, facts known or knowledge possessed or connivance by an **insured** shall be imputed to any other **insured** for the purpose of determining the applicability of this Exclusion, save for that of

(i) a **responsible person** of a **subsidiary** which shall be imputed to that **subsidiary**; and

(ii) a **responsible person** of the **policyholder**, which shall be imputed to all **insureds**.

the incomplete disclosure of the **company's** fees or any disputes involving the **company's** fees or charges.

any employment practices or discrimination against or harassment of any person on any basis, including but not limited to: race, creed, color, religion, ethnic background, national origin, age, handicap, disability, gender, marital status, sexual orientation or pregnancy.

However, this Exclusion shall not apply not apply to any **claim** by an **employee** for a **privacy breach** relating to the unauthorized disclosure of such **employee's** **personal information**.

any action, requirement or restriction of a public or governmental authority, including the seizure, confiscation, nationalization, expropriation, destruction or loss of use of the **company's** **computer systems** or **digital assets** and any delay caused by the requirements and restrictions imposed by such authority.

However, this Exclusion shall not apply to:

(a) **cyber attacks** committed by any such authority against the **company's** **computer systems** or **digital assets**; or

(b) the shutdown the **company's** **computer system** which is ordered by a civil authority in response to a **cyber attack**.

any **insured**, or any other person or entity, including a **service provider's** bankruptcy, liquidation or insolvency.

any mechanical or electrical failure, or outage in, or disruption of power, utilities services, satellites, internet or telecommunications services not under the **company's** direct operational control.

any loss of goodwill and reputational harm.

(a) any loss, transfer or theft of monies, securities or tangible property of others in the care, custody or control of the **insured**; or

(b) any trading losses, trading liabilities or personal debt of the **insured**.

fire, smoke, explosion, lightning, wind, flood, earthquake, volcanic eruption, storm, subsidence, tidal wave, landslide, hail, subterranean fire or act of god or any other physical event, however caused.

(a) loss or destruction of or damage to any property whatsoever or any loss or expense whatsoever resulting or arising therefrom or any consequential loss; or

(b) legal liability of whatsoever nature directly or indirectly caused by or contributed to by or arising from:

(i) ionising radiations or contamination by radioactivity from any nuclear fuel or from any nuclear waste from the combustion of nuclear fuel; or

(ii) the radioactive, toxic, explosive or other hazardous properties of any explosive nuclear assembly or nuclear component thereof.

any actual or alleged infringement, violation or misappropriation of any patent or trade secret.

However, this Exclusion shall not apply to the extent any **claim** alleges an inadvertent disclosure of a trade secret that constitutes a **privacy breach**.

(a) the actual, alleged or threatened discharge, disposal, migration, dispersal, release or escape of **pollutants**, or

(b) any direction, order or request to test for, monitor, remediate, clean up, remove, contain, treat, detoxify, or neutralize **pollutants**, or to pay for or contribute to the costs of undertaking such actions.

(a) any fact, circumstance, act, error, omission, threat, event or breach committed or existing prior to the inception date of this Policy, that on or before the inception date the **insured** was aware of or could reasonably have foreseen such fact, circumstance, act, error, omission, threat, event or breach may be the basis of any **loss** under the Insuring Clauses, **wrongful act** or **cyber event**, regardless of whether the **insured** had disclosed in the **proposal** or notified under another insurance or not; or

(b) any **claim** made, threatened or intimated against any **insured** prior to the inception date of this Policy; or

(c) any litigation or other proceedings commenced against any **insured** or any order, decree or judgement entered against any **insured** prior to the inception date of this Policy, or alleging or arising out of or in any way involving any of the same or substantially the same facts, circumstances or situations underlying or alleged in such prior litigation, proceeding, order, decree or judgement.

any actual or alleged damage to, destruction of, impairment or loss of use of any tangible property including **hardware** or any replacement or repair of any tangible property including **hardware**.

any **claim** brought by, on behalf of or at the behest of any **insured** or any **related entity**.

However, this Exclusion does not apply to any **claim** brought by an **insured person** in his or her capacity as:

(a) as the **company's** customer or client; or

(b) an **employee** for a **privacy breach** relating to the unauthorized access, disclosure, use of or loss of such **employee's** **personal information**.

(a) any act, error, omission, incident or event committed or occurred prior to the **retroactive date** stated in the Policy Schedule; or

(b) any related or continuing acts, errors, omissions, incidents or events where the first such act, error, omission, incident or event was committed or occurred prior to the **retroactive date** stated in the Policy Schedule.

any cost and expenses incurred to identify, patch or remediate software program errors or vulnerabilities except following a covered **loss**.

any actual or alleged:

(a) illegal, unauthorized or wrongful collection, acquisition or retention of **personal information** or client information by any means, including the use of cookies or **malware**; or

(b) failure to provide adequate notice of the collection or use of **personal information** or client information.

However, this Exclusion shall not apply:

(i) if such collection is done by an **employee** of the **company** without the knowledge or consent of any of the **company's** directors and officers; or

(ii) if such collection is done by a third party without the knowledge of the **company**.

(a) any distribution of unsolicited emails, text messages, facsimiles, direct mail or other communications to multiple actual or prospective customers, including actual or alleged violation of any anti-spam statute; or

(b) any wire tapping, audio or video recordings or unlawful telephone marketing by the **insured** or any other third party on the **insured's** behalf.

However, this Exclusion does not apply if such unsolicited electronic dissemination of faxes, electronic mail or other communications to multiple actual or prospective customers by the **insured** or any other third party was caused by a **malware** or hacker.

war, invasion, acts of foreign enemies, terrorism, hostilities or warlike operations (whether war be declared or not), civil war, strike, riot, lock-out rebellion, revolution, insurrection, civil commotion assuming the proportion of or amounting to an uprising, military or usurped power;

Terrorism is not deemed to include **cyber terrorism**.

any ordinary wear and tear, drop in performance, progressive or gradual deterioration of the **company's** **computer systems** or **digital assets**.

---

#### (a) Automatic Cover For New Subsidiaries

The definition of **subsidiary** under this Policy shall also include any entity that becomes a **subsidiary** during the **policy period**, provided that:

i. the new **subsidiary's** annual revenue do not exceed 20% of the total consolidated annual revenue of the **policyholder** as stated in the most recent audited financial statements;

ii. the new **subsidiary** is not domiciled in, does not have any operations in, or securities listed in any exchange in United States of America or Canada or any territories under the jurisdiction of either such country;

iii. the new **subsidiary** has not had a **loss** or **claim** of the type covered under this Policy in the three (3) years immediately preceding the Policy inception date; and

iv. the new **subsidiary's** business activities are not materially different in their nature to those of the **company**.

#### (b) Other Cover For New Subsidiaries

In respect of any new **subsidiary** falling outside of the provisions of Clause 4.1(a) above, cover shall be afforded for a period of forty five (45) days from the date of acquisition, incorporation or creation. Coverage beyond such forty five (45) days shall only be available at our sole discretion, with our written agreement and on such terms as we may apply.

However, coverage under Clause 4.1(b) shall not apply in respect of any new **subsidiary** domiciled in, having operations in, or securities listed in any exchange in United States of America or Canada or any territories under the jurisdiction of either such country.

Under Clauses 4.1(a) and 4.1(b) above, a new **subsidiary** and its **insured persons** are only covered under this Policy with respect to **cyber events**, **cyber extortion threats**, **privacy breaches** or **wrongful acts** which:

i. first occurs after the acquisition, incorporation or creation of the new **subsidiary**; and

ii. is **discovered** or a **claim** first made during the **policy period**.

If any entity ceases to be a **subsidiary** under this Policy during the **policy period**, then no coverage shall be afforded under this Policy for any **loss** or **claim** made against such **subsidiary** or its **insured persons** after the date it ceased to be a **subsidiary**.

If during the **policy period** a **material event** occurs, then cover provided under this Policy shall only apply in respect of any **wrongful act** or any **privacy breach** which occurred on or after the **retroactive date** and prior to the effective date of the **material event**.

---

It is a condition precedent to cover under this Policy that:

upon **discovery**, the **insured** shall verbally notify us using any hotline or emergency number we have provided and in no event later than thirty (30) days after **discovery** give us written notice;

upon receipt of any **claim**, the **insured** shall notify us in writing as soon as reasonably practicable but in any event no later than the end of the **policy period** or thirty (30) days after expiration of the **policy period** in the case of **claims** first made against the **insured** during the last thirty (30) days of the **policy period**; and

if, during the **policy period**, the **insured** becomes aware of any act, omission, incident or fact that could reasonably be the basis of any **claim**, the **insured** shall notify us in writing as soon a reasonably practicable and within the **policy period**.

The **insured** must provide full particulars including all material facts, estimate **loss**, date and persons involved, reasons for anticipating a **claim** and the potential claimants.

Any subsequent **claim** that arises from such circumstances which is the subject of the written notice shall be deemed to have been first made at the time the written notice complying with the above requirements was first received by us.

All notifications by the **insured** of a **claim**, **cyber event**, **cyber extortion threat**, **privacy breach**, **wrongful act** or circumstances (as per 5.3 above) shall be made to **Crawford**, our appointed Claims Service Call Center, at 6632 8639. This hotline is available during operating hours from 8.30am to 5.30pm (Monday to Friday).

All such notifications to **Crawford** shall also be deemed to be a notification to us.

Notifications to us must include a specific description of the **claim** under this Policy, details of all parties involved, details of any **loss** and such other information as we may require. The **insured** shall provide us with all such co-operation and assistance as we may require in connection with such **loss** and take all reasonable steps to reduce and minimize the **loss**.

It is the **insured's** sole responsibility to report the **loss** to any applicable governmental authorities, if appropriate.

---

(a) Our maximum liability for all **loss** under all Insuring Clauses purchased under this Policy shall not exceed the Policy Aggregate Limit of Liability shown in the Policy Schedule.

(b) the Insuring Clause Limits of Liability shown in the Policy Schedule for each individual Insuring Clause is our maximum liability for **loss** for each Insuring Clause purchased under this Policy and is part of the Policy Aggregate Limit of Liability.

(c) Each Sublimit of Liability specified in the Policy Schedule is the maximum we shall pay for the cover to which it applies and is part of the Policy Aggregate Limit of Liability.

(d) Any **loss** covered under this Policy that falls within more than one Insuring Clause shall only be subject to one Limit of Liability, being the higher of the applicable limits.

(a) We shall only be liable to pay or indemnify under this Policy for each and every **loss** and all **loss** arising from an **interrelated event**, that is in excess of any applicable **deductible**, except in respect of **business income loss** and **extra expenses** where only the **waiting period** shall apply.

(b) In the event **loss** arising from an **interrelated event** is covered under more than one Insuring Clause then only **deductible** shall apply, being the highest **deductible** applicable to one of the relevant Insuring Clauses, except in respect of **business income loss** and **extra expenses** where only the **waiting period** shall apply.

(c) All **interrelated events** shall be considered one single **claim** or **loss** and shall be deemed to have been first made against the **insured** or **discovered** when the earliest of such **claims** or **loss** was first made against the **insured** or **discovered**, whether such date is before or during the **policy period**.

---

In respect of Insuring Clauses 1.5 (Security And Privacy Liability) and 1.6 (Regulatory Proceedings) it shall be the duty of the **insured** to take all reasonable steps to defend a **claim** and not to take any action that would prejudice our position. We shall have the right but not the duty to join the **insured** in the defence or settlement of any **claim** including effectively associating in the negotiation of any settlement.

The **insured** shall not admit or assume liability, enter into any settlement agreement, consent to any judgement or incur any **defence costs** or **regulatory defence costs** without our prior consent such consent not to be unreasonably withheld. We shall be entitled to assess the defence and negotiation of any settlement of any **claim** in order to reach a decision as to reasonableness. Only those settlements, consents to judgments, **defence costs** and **regulatory defence costs** that we have consented to shall be recoverable under this Policy.

In the event a dispute arises between us and the **insured** as to whether or not the **insured** should contest any **claim** for which coverage applies, then the **insured** shall not contest any **claim** until such time a senior counsel (to be mutually agreed upon by us and the **insured**) advises that such **claim** has reasonable prospect of success and taking into account the legal and commercial considerations of the cost of the defence. The cost of any referral for determination under this condition shall be borne by us.

The **insured** shall give us full co-operation and any information that we may reasonably require and take all reasonable steps to mitigate or avoid the **loss**. The **insured** shall not do anything that will prejudice our position or our potential or actual rights to recovery.

If the **insured** shall refuse to consent to a settlement of a **claim**, other than a **regulatory proceeding**, that is recommended by us and which is acceptable to the claimant, then our liability for such **claim** (including **defence costs**) shall not exceed the amount that the **claim** could have been settled and the **defence costs** incurred up to the date of such refusal, less the applicable **deductible** and subject to the applicable Limit of Liability available under this Policy.

---

The calculation of net income (net profit or net loss before taxes) for the purpose of ascertaining the **business income loss** shall be based on the analysis of the actual business experience during the twelve (12) months immediately prior to the **cyber event**, and the **company's** probable experience that can be reasonably projected, had the relevant **cyber event** not occurred, taking into account all material changes in market conditions, trends, business developments and seasonal fluctuations; that would have affected the **company's** business before and after the **cyber event**.

**Business income loss** shall be reduced to the extent the **company** uses substitute methods, facilities, equipment or personnel to maintain its revenue stream.

The **company's** request for indemnity under this Policy must be accompanied by a computation of the **business income loss**. This shall set out in detail the calculations and the assumptions that have been made. The **company** shall produce any documentary evidence including any applicable book of accounts, invoices, vouchers, receipts, tax returns, payroll records, sales data, contracts, deeds, liens and any other relevant information that we may require and the **company** shall afford us full assistance in our investigations.

**Business Income Loss** does not include:

(a) fines and damages for breach of contract or for late or non-completion of orders;

(b) penalties of any kind;

(c) loss due to inability to trade, invest, divest, buy or sell any security or asset of any kind;

(d) fluctuation in any value of asset;

(e) the financial value in any account held in any financial institution;

(f) the inability to earn interest or the appreciation in any asset;

(g) legal costs or expenses of any type;

(h) other consequential loss or damage; or

(i) **extra expenses**.

(a) If it is deemed that the **digital assets** cannot be restored, replaced or recreated, we will only reimburse the **company's** actual and necessary expenses incurred up to the point the **company** makes such determination.

(b) If the affected **digital assets** were purchased from a third party, the maximum **restoration costs** recoverable under this Policy is the re-purchase price from such third party.

---

The following terms and conditions shall apply to this Policy:

We will only be liable for **loss** relating to matters, persons and/or entities covered under this Policy. If a **claim** under this Policy involves both covered and not-covered matters, persons and /or entities, then we and the **company** shall use our best efforts to agree upon a fair and proper allocation of the proportion of the **loss** covered under this Policy, on the basis of the relative legal and financial exposures.

Any dispute relating to this Policy between us and the **insured** shall be resolved by arbitration according to the rules of the Singapore International Arbitration Centre. Each party shall be responsible for their own costs and expenses incurred in the arbitration.

The interest hereunder is not assignable by the **insured** without our prior consent.

The **policyholder** acts on behalf of the **insured** with respect to this Policy.

This Policy may be cancelled:

(a) by the **policyholder** on behalf of all **insureds** by giving notice in writing to us. We will refund the unearned premium computed at the customary short rate.

(b) by us by giving thirty (30) days written notice to the **policyholder**. We will refund the unearned premium computed pro rata.

No premium will be refunded where any **claim**, **cyber event**, **cyber extortion threat**, **privacy breach**, **wrongful act** or circumstance has notified under this Policy on or before the cancellation. The return of any unearned premium will not be a condition precedent to the effectiveness of cancellation, but such payment will be made as soon as practicable.

The **insured** will make reasonable efforts not to disclose the existence of this Policy.

The headings are descriptive only, and not an aid to interpretation.

Whenever the singular form of a word is used herein, the same shall include the plural when required by context.

Words in bold are defined as set out under the General Definitions section of this Policy.

#### Interpretation

The construction, interpretation and meaning of the terms, conditions, exclusions and limitations of this policy shall be determined in accordance with the law of Singapore and in accordance with the English text as it appears in this policy.

This Policy shall apply in excess of any other valid and collectible insurance policy available to the **insured**, including any retention or deductible portion thereof, unless such other insurance is written only as specific excess insurance over the Limit of Liability under this Policy.

In the case of recovery by either the **insured** or us on account of any paid **loss**, the amount recovered, shall be applied as follows:

(a) firstly, for any costs and expenses reasonably and necessarily incurred by the relevant party in relation to the recovery;

(b) secondly, to reimburse the **insured** for any part of its **loss**, as submitted for payment to us, which exceeds the Limit of Liability;

(c) thirdly, to reimburse us for any **loss** paid under this Policy; and

(d) finally, to reimburse the **insured** for any **loss** that falls under any **deductible**.

In granting cover under this Policy, we have relied upon the declarations and statements in the **proposal**. All such declarations and statements in the **proposal** are the basis of coverage under this Policy and are incorporated into and form part of this Policy.

The **proposal** shall be construed as a separate **proposal** by each of the **insured persons**. No statements made in the **proposal**, or knowledge possessed by any **insured person** shall be imputed to any other **insured person** for the purpose of determining the availability of cover under this Policy.

Only declarations and statements made in the **proposal** or knowledge possessed by a **responsible person**, shall be imputed to the **company** for the purpose of determining the availability of cover under this Policy for the **company**.

This Policy is void:

(a) in any case of fraud by the **company** or any other **insured**; or

(b) if the **company** or any other **insured**, intentionally conceals, or misrepresents a material fact concerning the insurance provided by, property protected within, or any **claim** submitted under this Policy.

A person or organization that is not a party to this Policy shall have no rights under the Contracts (Rights of Third Parties) Act, Chapter 53B of Singapore (or equivalent or similar statute in any jurisdiction) to enforce any of its terms.

We shall not be deemed to provide cover nor shall we be liable to pay any **claim** or provide any benefit under this Policy to the extent that the provision of such cover, payment of such **claim** would expose us to any sanction, prohibition or restriction under United Nations resolutions or the trade or economic sanctions, laws or regulations of the Republic of Singapore, European Union, United States of America, United Kingdom and/or any other applicable national economic or trade sanction law or regulations.

---

You agree and consent, and if you are submitting information relating to another individual, you represent and warrant that you have the authority to provide that information to us; you have informed the individual about the purposes for which his/her **personal information** is collected, used and disclosed as well as the parties to whom such **personal information** may be disclosed by us.

Any information collected or held by us whether contained in your application or otherwise obtained may be used and/or disclosed to our associated individuals/companies or any independent third parties (within or outside Singapore) for any matters relating to your application, any policy issued and to provide advice or information concerning products and services which we believe may be of interest to you and to communicate with you for any purpose. The individual's data may also be used for audit, business analysis and reinsurance purposes.

---

Etiqa Insurance Pte. Ltd. (Company Reg. No. 201331905K)  
One Raffles Quay, #22-01 North Tower, Singapore 048583  
T +65 6336 0477 F +65 6339 2109 www.etiqa.com.sg