Customer Limited Warranty Agreement

This Customer Limited Warranty Agreement (this “Customer Warranty”) is entered into by Cork Protection Inc. and/or its subsidiary warranty company Alpha PSC Warranty Co. (referred to together herein as “Cork”) and Customer (as defined below) (Cork and Customer are referred to singularly as “Party” or collectively as “Parties”) as of the Warranty Effective Date (as defined below). For good and valuable consideration, the sufficiency of which is hereby acknowledged, Parties agree as follows:

1. Warranty

1.1. Scope

Subject to the terms, conditions, and exclusions of this Customer Warranty, Cork shall pay to Customer the Covered Expenses that Customer incurs as a direct result of a Warranty Incident. Customer’s sole and exclusive remedy under the limited warranty provided by this Customer Warranty shall be for payment by Cork of such Covered Expenses not to exceed the maximum amounts set forth in Schedule A that are applicable to Customer (the “Cap”). The tier specified in Schedule A that applies to Customer is described in the Customer Portal. Cork’s liability under this Customer Warranty shall not exceed, and Cork shall not be liable for, any amounts in excess of or addition to:

• (A) the applicable maximum aggregate amount set forth in Schedule A regardless of the number of Warranty Incident(s) that have Incident Dates during the Warranty Period; and
• (B) the applicable maximum amount set forth in Schedule A for any one Warranty Incident or series of Related Incidents.

Where Schedule A specifies maximum amounts applicable to particular categories of Covered Expenses, those maximum amounts are part of and not in addition to the maximum amounts specified in Sections 1.1(A) and (B) above. Notwithstanding anything in this Customer Warranty to the contrary, any particular category of Covered Expenses as to which the applicable maximum amount is described in Schedule A as “Not Purchased” will not be considered a Covered Expense under this Customer Warranty. The limited warranty provided by this Customer Warranty extends only to Customer and does not extend to any third parties (including, but not limited to, suppliers, service providers, end-clients, Employees, Affiliates, or agents of Customer) or any of their fees, expenses, losses, or damages.

1.2. Pre-existing and Related Incidents

This Customer Warranty does not extend to:

• (A) Pre-existing Incidents; or
• (B) Related Incidents that include a Pre-existing Incident.

Except as set forth in this Section 1.2, all Covered Expenses resulting from a Related Incident shall be subject to the terms, conditions, exclusions, and Cap in effect on the Incident Date of the first Warranty Incident that forms part of the Related Incident.

1.3. Disclaimer

Except for the limited warranty provided in Section 1.1 above, the Cork Product is provided AS IS. CORK AND ITS AFFILIATES DISCLAIM ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY OR OTHERWISE. TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW, CORK AND ITS AFFILIATES AND SUPPLIERS SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT WITH RESPECT TO THE CORK PRODUCT. THERE IS NO WARRANTY THAT THE CORK PRODUCT WILL BE ERROR FREE, OR THAT IT WILL BE PROVIDED WITHOUT WITHOUT WITHOUT INFORMATION OR WILL FULFILL ANY OF CUSTOMER’S PARTICULAR PURPOSES OR NEEDS.

2. Reimbursement Qualification

In order for Customer to be eligible for Payment(s):

• 2.1. During the entirety of the Warranty Period, Customer must have a valid MSP Services Agreement in effect;
• 2.2. At the time the Warranty Incident first occurs, all information technology security tools and services set out in the Attestation must have been deployed to Customer and configured in accordance with applicable specifications;
• 2.3. At the time the Warranty Incident first occurs, the license keys for any software provided to Customer by MSP must have been active and/or registered to Customer;
• 2.4. The Warranty Incident must have (A) a Claim Request Date during the Warranty Period and (B) an Incident Date during the Warranty Period or any prior Customer Limited Warranty Agreement between the Parties so long as the limited warranty under this Customer Warranty and any predecessor thereto has remained effective without interruption between the Incident Date and the Claim Request Date;
• 2.5. Customer must comply with the Notification and Claim Request Process requirements set forth in Sections 3 and 4 below;
• 2.6. During the entirety of the Warranty Period, Customer must be in compliance with its MSP Services Agreement, including without limitation any payment obligations;
• 2.7. The Covered Expenses that Customer incurs as a direct result of a Warranty Incident must exceed $5,000, and at the time that Customer submits a Claim Request as set out in Section 3 below, Customer must have a commercially reasonable belief that the Covered Expenses it will incur as a direct result of the Warranty Incident will exceed $5,000. This paragraph 2.7 shall not apply to any claim seeking reimbursement only of SMS Phishing Loss and/or Cyber Insurance Deductible/Retention Loss.
• 2.8. Customer must reasonably cooperate with Cork in the investigation or handling of any claim, including, without limitation, by providing all information reasonably requested by Cork;
• 2.9. Customer must reasonably cooperate with Cork in obtaining information relating to the Warranty Incident from the MSP;
• 2.10. Customer must authorize Cork to obtain records or reports necessary for Cork’s investigation;
• 2.11. At Cork’s request, Customer must permit Cork to examine any Personnel under oath, outside the presence of any other Personnel at such times as may be reasonably required, about any matter relating to the Customer Warranty or the claim, including the Customer’s books and records. The answers given in any such examination must be signed by the Personnel who was subject to the examination;
• 2.12. To the extent the Claim Request includes Business Interruption/Extra Expense Loss under paragraph (B) of the definition of Business Interruption/Extra Expense Loss, Customer must provide Cork with a signed statement attesting that the Warranty Incident interrupted Customer’s critical business systems and that Customer has a reasonable belief that the amount set out in paragraph (A) of the definition of Business Interruption/Extra Expense Loss exceeds the amount set out in paragraph (B) of the definition of Business Interruption/Extra Expense Loss. To the extent the Claim Request includes any Business Interruption/Extra Expense Loss under paragraph (A) of the definition of Business Interruption/Extra Expense Loss, Customer must provide Cork with a signed proof of loss by the earlier of (A) sixty (60) days from the Incident Date and (B) thirty (30) days from the end of the Warranty Period;
• 2.13. At the time the Warranty Incident first occurs, either (A) all security compliance issues set out in a Security Compliance Notification must have been remediated within the time period specified therein, or (B) such remediation time period must have not yet elapsed;
• 2.14. At the time the Warranty Incident first occurs, either (A) all preventative maintenance for any software provided to Customer by MSP, including patching, must have been up to date in accordance with the vendor’s release cycle, or (B) if such preventative maintenance has been set out in a Security Compliance Notification, the time period for remediation specified therein must have not yet elapsed;
• 2.15. If Customer is in a regulated industry, including without limitation banking, energy, or healthcare, Customer must comply with all laws and regulations applicable to its industry.
• 2.16. To the extent a Claim Request includes any Covered Expenses that may potentially be covered under any cyber insurance that covers Customer, Customer must (A) submit a claim for such Covered Expenses under all such insurance policies and (B) comply with all terms and conditions of such policies.
• 2.17. To qualify for reimbursement of Cyber Insurance Deductible/Retention Loss, Customer must provide Cork with (A) a signed statement attesting that Customer has submitted a claim under its cyber insurance policy(ies) for amounts that Customer reasonably believes constitute Covered Expenses under any of paragraphs (A)-(F) of the definition of Covered Expenses; (B) a copy of the cyber insurance policy(ies) under which such claim was submitted; and (C) correspondence from Customer’s cyber insurer confirming (i) the amount of the deductible or retention applicable to such claim; (ii) that Customer has satisfied the deductible or retention applicable to such claim; and (iii) that the cyber insurer is providing coverage to Customer for such claim in excess of the deductible or retention.
• 2.18. To the extent the Claim Request includes SMS Phishing Loss, Customer must have integrated a Security Awareness Training (SAT) tool with the Cork Product or included in an Attestation the completion of a Security Awareness Training (SAT) program that includes training on phishing schemes perpetrated through SMS text message.
• 2.19. If Customer previously submitted a Claim Request that included SMS Phishing Loss, Customer shall not be eligible to seek reimbursement of SMS Phishing Loss in connection with a later SMS Phishing Event unless Customer provides proof to Cork that, prior to such later SMS Phishing Event, Customer completed an additional Security Awareness Training (SAT) program that included training on phishing schemes perpetrated through SMS text message.

3. Notification

3.1. Customer Obligation

Within seventy-two (72) hours of the Incident Date, Customer must provide written notice to Cork of the Warranty Incident (the “Initial Notice”). Customer shall have ten (10) days from the date of the Initial Notice to provide notice to Cork of Customer’s intent to request Payments (the “Claim Request”). Customer shall cause the MSP to submit, through the Customer Portal, the Initial Notice and the Claim Request. However, in the event that Customer reasonably suspects that MSP will not provide the Initial Notice or submit the Claim Request by the foregoing deadlines, Customer may do so itself by email to claims@corkinc.com.

4. Claim Request Process

4.1. Claim Request Requirements

A separate Claim Request must be submitted to Cork for each Warranty Incident.

4.2. Submission of Claim Request

Cork shall review the Claim Request, and Customer shall provide, within twenty-one (21) days of the Initial Notice, any information reasonably requested by Cork in connection with such Claim Request, including but not limited to any personal data or personally identifiable information relating to the applicable Warranty Incident giving rise to the Claim Request, provided that Cork shall use any such personal data or personally identifiable information not already in its possession only for the purpose of reviewing the Claim Request. By submitting the Claim Request to Cork, Customer authorizes Cork to share any information that is reasonably necessary to assess the validity of the Claim Request with Carrier, provided Carrier is under an obligation to keep such information confidential. Claim Requests made under this limited warranty are subject to Carrier’s standards of review. If Carrier denies coverage to Cork as to any Warranty Incident, notwithstanding anything to the contrary in this Customer Warranty, Cork shall have no obligation to make any Payments to Customer as to such Warranty Incident. Cork shall have no obligation to make any Payments in response to a Claim Request if:

• (A) Customer fails to provide information specified in this paragraph within the twenty-one (21) day period; or
• (B) Cork determines, in its reasonable discretion, that the information provided to Cork by Customer is insufficient for Cork to assess the validity of the Claim Request.

4.3. Payments

Cork shall have no obligation to make Payments that are prohibited by law. Customer shall submit proof of Covered Expenses in accordance with Cork’s instructions. During the Warranty Period and for a period of three (3) years thereafter, or for an additional period of time as reasonably requested by Cork, Cork shall have the right to inspect, and Customer shall maintain and provide, Customer’s records related to such Covered Expenses upon reasonable written request during regular business hours. In the event that Cork approves a Claim Request, Cork shall make the Payment to Customer within thirty (30) days of such approval, provided that Cork reserves the right to postpone the making of such Payment by up to ninety (90) additional days in the event that more than one of the parties to whom Cork has issued a limited warranty experience related Security Events. Cork reserves the right, subject to Customer’s prior written consent which shall not be unreasonably withheld, to pay the sum of Money demanded as part of a Ransomware Event instead of paying further Data Recovery Expenses. If Cork exercises such right,

• (A) its payment of that sum of Money will be deemed to eliminate any obligation to pay Data Recovery Expenses incurred after such Payment is made, regardless of whether Customer’s access to the Customer Computer System or Digital Asset is subsequently restored, and
• (B) such Payment shall erode the Cap as a Ransom Payment or, if Ransom Payment is listed in Schedule A as “Not Purchased” for the tier applicable to Customer, such Payment shall nonetheless erode the maximum amounts set forth in Sections 1.1(A) and (B) above.

4.4. Instant Fund Access

Upon receipt of a Claim Request, Cork will provide Customer with a preloaded digital or physical credit card in the amount specified as the maximum for instant fund access in Schedule A. The funds on such card (the “Instant Funds”) may be used by Customer or MSP to pay any expenses that would qualify as Data Recovery Expenses or Incident Response Expenses. Any Instant Funds not used within seven (7) days of receipt by Customer or MSP, whichever is earlier, must be returned to Cork. All of the following shall be reduced or eroded by the amount of the Instant Funds used:

• (A) the Maximum Aggregate Amount for All Warranty Incidents During the Warranty Period set forth in Schedule A;
• (B) the Maximum Amount for Any One Warranty Incident During the Warranty Period set forth in Schedule A;
• (C) any maximum amount applicable to Data Recovery Expenses set forth in Schedule A to the extent the Instant Funds were used to pay for Data Recovery Expenses;
• (D) any maximum amount applicable to Incident Response Expenses set forth in Schedule A to the extent the Instant Funds were used to pay for Incident Response Expenses; and
• (E) the amount of the Claim Request in response to which the Instant Funds were provided by Cork.

By providing the Instant Funds, Cork does not undertake liability to any third party for any expenses incurred by Customer or MSP.

5. Choice of Law: Arbitration

Notwithstanding any dispute resolution or venue provisions in the MSP Services Agreement or the Cork-MSP Agreement, any dispute, claim, or controversy arising out of or relating to this Customer Warranty or the existence, breach, termination, enforcement, interpretation, or validity of this Customer Warranty, including the determination of the scope or applicability of this arbitration clause, (each, a “Dispute”) shall be referred to and finally resolved by arbitration under the rules of the American Arbitration Association in force on the date when the notice of arbitration is submitted in accordance with such rules (which rules are deemed to be incorporated by reference into this clause), and the governing law is the law of the State of Delaware, USA. The seat, or legal place, of arbitration shall be Wilmington, Delaware, USA. The arbitrator shall be independent of all parties to the arbitration and shall have suitable experience and knowledge in the subject matter of the Dispute. Judgment upon the award so rendered may be entered in a court having jurisdiction or application may be made to such court for judicial acceptance of any award and an order of enforcement, as the case may be. The language to be used in the arbitral proceedings shall be English.

6. Insurance

6.1.

Cork has obtained one or more insurance policies to cover its obligations under this Customer Warranty. Customer is not an insured under such insurance policies. Where approved by Cork, Customer agrees to communicate directly with Carrier regarding Claim Requests (including without limitation obtaining prior written approvals) and to provide the same information and cooperation required under this Customer Warranty to any Carrier issuing such an insurance policy.

6.2.

Notwithstanding Section 6.1 above or anything else herein to the contrary,

• (A) the Parties do not intend for this Customer Warranty to be deemed a contract of insurance under any laws or regulations and
• (B) this Customer Warranty shall be null and void in any country or other jurisdiction in which it is deemed to be a contract of insurance.

7. General

7.1. Entire Agreement

This Customer Warranty constitutes the entire agreement between Customer and Accounting the subject matter of this Customer Warranty, which supersedes any prior or concurrent proposals, agreements, understandings, or other communications between the Parties, oral or written, regarding such subject matter. For the avoidance of doubt, this Customer Warranty is in addition to the MSP Services Agreement and the Cork-MSP Agreement, and except as expressly set forth herein, nothing in this Customer Warranty is intended to supersede, modify or amend the MSP Services Agreement or the Cork-MSP Agreement, including any warranties therein.

7.2. Limitation of Liability

EXCEPT AS OTHERWISE PROVIDED IN THIS CUSTOMER WARRANTY, IN NO EVENT WILL CORK OR ITS SUPPLIERS BE LIABLE (UNDER ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STATUTE, TORT OR OTHERWISE) FOR ANY LOST PROFITS, LOST BUSINESS OPPORTUNITIES, LOST DATA, DATA RESTORATION, PROPERTY DAMAGE, BODILY INJURY OR SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR LOSSES OR SUCH DAMAGES OR LOSSES WERE REASONABLY FORESEEABLE; AND IN NO EVENT SHALL CORK’S LIABILITY UNDER OR ARISING FROM THIS CUSTOMER WARRANTY WITH RESPECT TO CUSTOMER EXCEED THE CAP AS SET FORTH IN SECTION 1.1 ABOVE FOR THE WARRANTY PERIOD. Multiple Claim Requests or Warranty Incidents shall not expand the limitation specified in the foregoing sentence. If the limitation of liability set forth in this paragraph is determined to be invalid under applicable(generate_image) law, this Customer Warranty shall be deemed null and void.

7.3. Term: Termination: Assignment

This Customer Warranty shall commence on the Warranty Effective Date and continue until the one-year anniversary of the Warranty Effective Date (“Warranty Period”), unless terminated earlier in accordance with this Section 7.3, and provided that neither the MSP Services Agreement nor the Cork-MSP Agreement have terminated or expired. Termination of the MSP Services Agreement, the Cork-MSP Agreement, or the insurance policy(ies) issued by Carrier shall terminate this Customer Warranty concurrently. Cork may terminate this Customer Warranty at any time by providing Customer with notice of termination via email at least twenty (20) days prior to the effective date of the termination. Cork has no obligation to renew this Customer Warranty upon expiration. Termination of this Customer Warranty, however, shall not terminate the MSP Services Agreement or the Cork-MSP Agreement. Customer may assign this Customer Warranty only to an Affiliate in connection with a corporate reorganization or in connection with a merger, acquisition, or sale of all or substantially all of its business and/or assets provided Customer provides Cork with written notice of any such assignment no later than thirty (30) days after such assignment or change in control event is effective, or to a Third Party pursuant to a valid assignment of Customer’s MSP Services Agreement. Any assignment in violation of this Section 7.3 shall be void and shall void this Customer Warranty. Subject to the foregoing, all rights and obligations of the parties under this Customer Warranty shall be binding upon and inure to the benefit of and be enforceable by and against the successors and permitted assigns.

7.4. Modifications

Cork, in its sole discretion, may unilaterally modify the terms of this Customer Warranty. The version of the Customer Warranty that is posted in the Customer Portal on the Incident Date shall govern.

7.5. Reimbursement of Payments

Customer shall promptly (but in no event later than 30 days after written notice from Cork via email) reimburse Cork for:

• (A) all Payments related to a Claim Request that arises out of an event that is later determined not be a Warranty Incident or that relates to a Pre-Existing Incident;
• (B) any amounts by which a Payment exceeds the Covered Expenses actually incurred by and borne by Customer; or
• (C) any Payments for Covered Expenses for which Customer previously obtained or subsequently obtains coverage under any insurance policy or separate warranty.

7.6. Third Party Rights

This Customer Warranty is not intended to and shall not be construed to give any Third Party any interest or rights (including, without limitation, any third-party beneficiary rights) with respect to or in connection with any agreement or provision contained herein or contemplated hereby. For the avoidance of doubt, only Customer has the right to enforce this Customer Warranty or pursue claims relating to it against Cork.

7.7. Subrogation

If Customer has rights to recover all or part of any Payment from a Third Party other than Cork, those rights are transferred to Cork. Customer must do nothing after a Warranty Incident to impair these rights and must help Cork enforce them.

8. Other Warranties

To the extent Customer has a right to payment under any other warranty applicable to a Warranty Incident, Cork shall have no obligation to pay any Covered Expenses until such other warranty(ies) are fully exhausted.

9. Widespread Events

9.1. Managed Services Providers

This Customer Warranty is only intended to cover Warranty Incidents relating to the Cork Product as set forth herein and is not intended to guarantee MSP’s performance of its obligations to Customer. This Customer Warranty does not apply to any Warranty Incident, Covered Expenses, or Claim Request arising out of or in any way involving a Security Event impacting Customer which results, in whole or in part, directly or indirectly,

• (A) from a Security Event impacting the MSP itself or
• (B) from the negligence, error, omission, or wrongful acts of MSP or any person or entity acting for, or on behalf of, MSP.

9.2. Third-Party Software Providers

This Customer Warranty does not apply to any Warranty Incident, Covered Expenses, or Claim Request arising out of or in any way involving a vulnerability in a third-party software used by Customer or MSP that results in more than 5% of customers with whom Cork has entered into a limited warranty agreement experiencing a Security Event within any twenty-one (21) day period.

9.3. End Users

This Customer Warranty does not apply to any Warranty Incident, Covered Expenses, or Claim Request arising out of or in any way involving attacks, that result in more than 5% of customers with whom Cork has entered into a limited warranty agreement experiencing a Security Incident within any twenty-one (21) day period.

10. Exclusions

This Customer Warranty does not apply to any Warranty Incident, Covered Expenses, or Claim Request arising out of or in any way involving any of the following:

• (A) Any Customer Security Event that first affects the Customer Computer System at an Unprotected Endpoint.
• (B) Any Customer Security Event arising directly or indirectly out of any remote desktop protocol that, at the time of such Customer Security Event, was unsecured. A remote desktop protocol shall be deemed secured if, at the time of such Customer Security Event, it was utilizing (i) a properly-configured secure remote desktop protocol gateway, (ii) multi-factor authentication, or (iii) a virtual private network that itself was utilizing multi-factor authentication.
• (C) Any Customer Security Event contributed to or caused by Customer, any Affiliate of Customer, any Personnel, or any Affiliate Personnel, whether intentionally or unintentionally; provided however, that this exclusion shall not apply to a ACH/Wire Transfer Event.
• (D) Any ACH/Wire Transfer Event or SMS Phishing Event where the unauthorized or fraudulent instruction is by any Personnel, any Affiliate Personnel, or any natural person acting in collusion with any Personnel or Affiliate Personnel.
• (E) Any ACH/Wire Transfer Event where an unauthorized or fraudulent instruction was transmitted to Customer wholly or partially by any means other than email such as, without limitation, telephone, fax, chat message, or text message.
• (F) Any Physical Event.
• (G) Any Unrest.
• (H) Any outage, failure, degradation, malfunction, or interruption of electricity, gas, water, telephone, cable, satellite, telecommunications, internet infrastructure (including any domain name system, certificate authority, or internet service provider), or other infrastructure services.
• (I) Any planning, construction, maintenance, or use of any nuclear reactor, nuclear storage, disposal, waste or radiation site, or any other nuclear facility or site, the transportation of nuclear material, or any nuclear reaction or radiation, or radioactive, biological, or chemical contamination, regardless of its cause.
• (J) A threat to release, disclose, publish or otherwise communicate any Digital Asset, any portion thereof, or any other data or information obtained from a Customer Computer System where (i) such Digital Asset, data, or information was obtained by a Third Party in connection with a Customer Security Event or Ransomware Event and (ii) Customer’s access to such Digital Asset, data, or information has already been regained or restored.
• (K) A Customer Computer System or Digital Asset for which a Ransom Payment has previously been paid.
• (L) Any demand to make a Ransom Payment to any person or entity that (i) would be a violation of the local laws of the country where the Ransomware Event occurred; or (ii) resides in or is subject to economic sanctions administered or enforced by the U.S. Treasury Department Office of Foreign Assets Control (OFAC), including (a) any persons or entities listed on OFAC’s Specially Designated Nationals and Blocked Persons (SDN) list, (b) persons or entities otherwise prohibited under relevant U.S. law, or (c) persons or entities prohibited by laws of other countries. Customer must provide to Cork evidence, to Cork’s reasonable satisfaction, that the payment or reimbursement of any such ransom payment shall not violate paragraphs (i)-(ii) above.
• (M) Any Security Event where the occurrence of such Security Event cannot be verified through log or event data.
• (N) Business Interruption Loss or Extra Expense incurred as a result of Customer’s unreasonable delay or interference with recovery from a Ransomware Event.

11. Definitions

• “ACH/Wire Transfer Event” means an unauthorized or fraudulent instruction sent exclusively by email by a natural person to a Customer falsely purporting to be a Vendor, Client, Executive Officer or Employee with the intention to mislead such Customer that directly results in a Customer’s transfer, payment, or delivery of Money. ACH/Wire Transfer Event does not include any Customer’s transfer, payment, or delivery of Money resulting in whole or in part from any unauthorized or fraudulent instruction, or any communication related to such unauthorized or fraudulent instruction, that was transmitted by any means other than email such as, without limitation, telephone, fax, chat message, or text message.
• “ACH/Wire Transfer Loss” means the loss of Money sustained by Customer as the direct result of a ACH/Wire Transfer Event. If a compromise of email account access is suspected as a cause of the loss, it will also include reasonable and necessary costs and expenses incurred by Customer, with Cork’s prior written consent, for a professional firm to investigate Customer Computer System to find and expel users with unauthorized access to the Customer’s email account. ACH/Wire Transfer Loss does not include any amounts reimbursed or reversed to a Customer by any credit card company or financial institution.
• “Affiliate” means any entity that a Party directly or indirectly controls (e.g., subsidiary) or is controlled by (e.g., parent), or with which it is under common control (e.g., sibling).
• “Attestation” means any and all attestations made by the MSP pursuant to section 2.2 End Customer On-Boarding, Integration and Processing of the Cork-MSP Agreement.
• “Bricking” means any software or computer program that is purposefully designed to adversely affect and render any computer hardware or “loT” device, including any critical computer hardware, components, or software program contained therein, as useless, inaccessible, damaged, or nonfunctional to an extent which is beyond reasonable repair or restoration.
• “Business Interruption/Extra Expense Loss” means one of the following as elected by Customer:
  • (A) Business Interruption Loss and/or Extra Expense; or
  • (B) $1,500 per day during the Period of Restoration, prorated to hour. For the avoidance of doubt, Customer may elect only one of Option (A) or Option (B) above for any one Warranty Incident. In the event that Customer elects Option (B) for a Warranty Incident, Customer shall have no right to seek reimbursement for any Business Interruption Loss or Extra Expense for that Warranty Incident.
• “Business Interruption Loss” means the following losses actually sustained by a Customer during the Period of Restoration due to the measurable interruption of such Customer’s business directly resulting from a System Disruption that was caused by a Ransomware Event:
  • (A) net profit before income taxes that would have been earned had no System Disruption occurred;
  • (B) net loss before income taxes that would have been avoided had no System Disruption occurred; and
  • (C) the Customer’s continuing normal operating and payroll expenses, but only to the extent such operating and payroll expenses must necessarily continue during the Period of Restoration. Business Interruption Loss also means reasonable and necessary costs incurred by a Customer, with Cork’s prior written consent, for a forensic accountant to determine the amounts of Business Interruption Loss described in paragraphs (A)-(C) above. Business Interruption Loss does not include: (A) any losses arising out of any liability to any Third Party; (B) legal costs or legal expenses; (C) losses incurred due to unfavorable business conditions; (D) loss of market or any other consequential loss, including loss of goodwill and interest on money withheld by customers; or (E) Data Recovery Expenses or other costs or expenses to recreate, replace, regain access to, or restore any software or electronic data. The Customer must submit to Cork written proof of loss of any Business Interruption Loss as set forth in Section 2.12 herein.
• “Carrier” means the insurance carrier(s) that issues insurance to Cork that covers Cork’s obligation to make Payments to Customer under the Customer Warranty.
• “Cyber Insurance Deductible/Retention Loss” means the loss incurred by Customer as a direct result of a Warranty Incident which satisfies Customer’s deductible or retention under a cyber insurance policy, provided that:
  • (A) a portion of such loss must qualify as Covered Expenses under any of paragraphs (A)-(F) of the definition of Covered Expenses;
  • (B) Customer must comply with the requirements of Section 2.17 of this Customer Warranty; and
  • (C) loss qualifies as Cyber Insurance Deductible/Retention Loss only after Customer’s cyber insurer acknowledges that such loss satisfies Customer’s deductible or retention and agrees to provide Customer with coverage in excess of that deductible or retention amount. Cyber Insurance Deductible/Retention Loss does not include (A) any amount in excess of the applicable deductible or retention under Customer’s cyber insurance policy(ies) or (B) any loss that Customer’s cyber insurance policy requires Customer to bear as co-insurance. Notwithstanding the foregoing, no loss shall constitute Cyber Insurance Deductible/Retention Loss if it is incurred in connection with any cyber insurance policy which provides that any deductible or retention must be borne by Customer or words to that effect.
• “Claim Request” has the meaning set forth in Section 3.1 herein.
• “Claim Request Date” means the date that a Claim Request is first made.
• “Client” means any natural person or entity to whom Customer provides goods or services pursuant to a written contract.
• “Compliance Action” means a request for information, civil investigative demand, administrative action or civil proceeding brought by, or on behalf of, any federal, state, local, or foreign governmental entity or regulatory authority or agency against Customer.
• “Computer System” means any computer hardware, software, firmware, wireless device, voice-based telecommunication system, operating system, virtual machine, networking equipment, and any associated devices or equipment.
• “Cork-MSP Agreement” means the Warranty Partner Agreement between Cork and MSP.
• “Cork Product” means the platform provided by Cork pursuant to the Cork-MSP Agreement, which monitors the configuration and deployment of the MSP Product.
• “Corporate Information” means confidential or proprietary information of an entity, other than a Customer, which:
  • (A) a Customer is contractually or legally required to hold or maintain in confidence; or
  • (B) is not known or lawfully available to the general public. Corporate Information does not include Protected Personal Information.
• “Covered Expenses” means solely (and to the exclusion of all other fees, expenses, losses, settlements and damages) the following reasonable and necessary fees, expenses or losses incurred by Customer as a direct result of a Warranty Incident:
  • (A) Data Recovery Expenses;
  • (B) Incident Response Expenses;
  • (C) Ransom Payment;
  • (D) SMS Phishing Loss;
  • (E) ACH/Wire Transfer Loss;
  • (F) Business Interruption/Extra Expense Loss; and
  • (G) Cyber Insurance Deductible/Retention Loss. The foregoing fees and expenses constitute “Covered Expenses” only if: (A) incurred by Customer after having obtained Cork’s prior written approval to obtain such services or incur such expenditures; (B) invoiced by a third-party provider that has been preapproved in writing by Cork, when such a third-party provider is used; (C) incurred by Customer within one (1) year following the Incident Date of the applicable Warranty Incident; and (D) payment and/or reimbursement does not violate any applicable domestic or foreign law, statute, regulation or rule as determined by Cork in its sole discretion. Covered Expenses do not include:
  • (A) Forensic Investigation Expenses;
  • (B) Public Relations Expenses;
  • (C) Legal Consultation Expenses;
  • (D) Notification Expenses;
  • (E) Credit Monitoring Expenses;
  • (F) Third Party Liability; or
  • (G) Penalties.
• “Credit Monitoring Expenses” expenses incurred to provide identity monitoring, credit monitoring, or other identity restoration services.
• “Customer” means a natural person or entity that (A) has entered into an MSP Services Agreement that includes use of the Cork Product and (B) has executed this Customer Warranty.
• “Customer Affiliate Personnel” means:
  • (A) an Affiliate of Customer’s Chairman, President, Chief Executive Officer, Chief Operating Officer, Chief Compliance Officer, Chief Financial Officer, Chief Information Officer, Chief Technology Officer, Chief Privacy Officer, Risk Manager, General Counsel or any individual in a functionally equivalent position.
  • (B) any individual whose labor or service is engaged by and directed by an Affiliate of Customer. This includes part-time, seasonal, leased and temporary employees and volunteers, but only to the extent they are acting under the control of an Affiliate of Customer and within the scope of their duties; and
  • (C) any natural person or entity that provides goods or services for a fee pursuant to a written agreement, to, for, or on behalf of an Affiliate of Customer.
• “Customer Computer System” means any Computer System, which is (A) rented, leased, owned, or operated by a Customer; or (B) operated solely for Customer’s benefit by a third party under written contract between such third party and Customer.
• “Customer Portal” means the webpage accessed by entering customer log-in credentials at corkinc.com.
• “Customer Security Event” means a Security Event with respect to a Customer Computer System.
• “Data Recovery Expenses” means reasonable and necessary expenses incurred by Customer with Cork’s prior written consent for a professional firm to recover, restore, or repair a Digital Asset from backups. If a Digital Asset cannot reasonably be recovered, restored, or repaired, then Data Recovery Expenses will not exceed the reasonable and necessary expenses incurred by Customer to reach that determination.
• “Digital Asset” means any of Customer’s electronic data or computer software. Digital Assets do not include any computer hardware of any kind.
• “Employee” means any individual whose labor or service is engaged by and directed by a Customer. This includes part-time, seasonal, leased and temporary employees and volunteers, but only to the extent they are acting under the control of a Customer and within the scope of their duties for Customer. A Vendor is not an Employee.
• “Executive Officer” means a Customer’s Chairman, President, Chief Executive Officer, Chief Operating Officer, Chief Compliance Officer, Chief Financial Officer, Chief Information Officer, Chief Technology Officer, Chief Privacy Officer, Risk Manager, General Counsel or any individual in a functionally equivalent position.
• “Extra Expense” means reasonable and necessary costs and expenses incurred by Customer during the Period of Restoration as a result of the measurable interruption of such Customer’s business operations directly resulting from a System Disruption that was caused by a Ransomware Event, in order to reduce the Period of Restoration and minimize or reduce Business Interruption Loss. Extra Expense does not mean and will not include the cost of creating or procuring better computer systems or services than Customer had before the Ransomware Event, including upgrades, enhancements, and improvements. However, this shall not apply if the cost for the most current version of a computer system is substantially equivalent to or less than the original cost of the Customer Computer System that Customer had before the Ransomware Event.
• “Forensic Investigation Expenses” means fees and expenses billed to Customer by an outside consultant in connection with an investigation (including a forensic investigation) to determine the cause and extent of a Warranty Incident.
• “Incident Date” means the date the Warranty Incident or Pre-existing Incident first occurred. With respect to a Ransomware Event, the Warranty Incident or Pre-Existing Incident occurs at the time the demand for a sum of money referenced in the definition of Ransomware Event is made to the Customer. With respect to a ACH/Wire Transfer Event, the Warranty Incident or Pre-Existing Incident occurs at the time the transfer, payment, or delivery of Money referenced in the definition of ACH/Wire Transfer Event is first made. Notwithstanding the foregoing, each Warranty Incident that forms part of a Related Incident shall be deemed to have the Incident Date of the earliest Warranty Incident or Pre-existing Incident (if applicable) that forms part of the Related Incident.
• “Incident Response Expenses” means:
  • (A) reasonable and necessary costs incurred solely in, and directly from, the process of making or attempting to make a Ransom Payment. Incident Response Expenses shall include reasonable and necessary costs, fees, and expenses incurred by Customer, with Cork’s prior written consent, for a professional firm to (i) negotiate and submit a Ransom Payment on behalf of Customer and (ii) run sanction compliance checks before submitting a Ransom Payment on behalf of Customer. Notwithstanding anything in this Customer Warranty to the contrary, none of the aforementioned costs will be considered Incident Response Expenses if Ransom Payment is listed in Schedule A as “Not Purchased” for the tier applicable to Customer.
  • (B) reasonable and necessary costs, fees, and expenses incurred by Customer in response to a Ransomware Event, with Cork’s prior written consent, to hire a law firm to (i) determine the applicability of any notifications, communications, actions, or other services required or necessary for the Customer to comply with applicable Privacy Regulations; (ii) draft and develop letters, documents, or other materials to properly notify the natural persons whose Personal Protected Information was, or may have been, wrongfully disclosed, accessed, acquired, or otherwise compromised or impacted as a result of the applicable Ransomware Event; (iii) provide any legally required communications and reporting services to any regulatory, administrative, or supervisory authority; and (iv) assist in the retention of a third-party vendor to provide legal, consultative, or professional services related to the activities set forth in Sections (B)(i)-(iii) of this paragraph. Incident Response Expenses shall not include Legal Consultation Expenses. For the avoidance of doubt, the costs, fees, and expenses incurred by Customer for the third-party vendor referenced in Section (B)(iv) above do not constitute Covered Expenses.
  • (C) reasonable and necessary costs and expenses incurred by Customer, with Cork’s prior written consent, for a professional firm to restore the Customer Computer System to the level or condition at which it existed prior to a Ransomware Event, including, without limitation, by:
    • (i) replacing or reinstalling software;
    • (ii) removing Malicious Code;
    • (iii) correcting the configuration of the Customer Computer System;
    • (iv) identifying ransomware variants;
    • (v) determining whether malware can be decrypted;
    • (vi) developing a risk profile based on the ransomware;
    • (vii) troubleshooting issues during the decryption process;
    • (viii) repairing damaged files; or
    • (ix) monitoring the Customer Computer System for two (2) weeks after remediation. Incident Response Expenses does not mean and will not include the cost of creating or procuring better computer systems or services than Customer had before the Ransomware Event or ACH/Wire Transfer Event, including upgrades, enhancements, and improvements. However, this shall not apply if the cost for the most current version of a computer system is substantially equivalent to or less than the original cost of the Customer Computer System that Customer had before the Ransomware Event or ACH/Wire Transfer Event.
• “Instant Funds” shall have the meaning set forth in Section 4.4 herein.
• “Legal Consultation Expenses” means fees and expenses incurred in connection with the response to or defense of any actual, anticipated or threatened suit, action, proceeding, litigation or Compliance Action against the Customer.
• “Malicious Code” means any software or computer program that is purposefully designed to adversely affect, intentionally harm, or dishonestly monetize any computer hardware, software, firmware, wireless device, operating system, or virtual machine, including Bricking, auto-reproduction programs, computer viruses, worms, Trojan horses, spyware, dishonest adware, crime-ware, or mine-ware.
• “Money” means currency, coins and bank notes in current use and having a face value, bullion, traveler’s checks, registered checks, money orders held for sale to the public, digital currency, virtual currency or cryptocurrency.
• “MSP” means the managed services provider that has agreed to provide Customer with information technology security tools and services that are monitored by the Cork Product.
• “MSP Computer System” means any Computer System, which is (A) rented, leased, owned, or operated by MSP; or (B) operated solely for MSP’s benefit by a third party under written contract between such third party and MSP.
• “MSP Product” means the information technology security tools and services utilized by the MSP which are referenced in section 2.2 End Customer On-Boarding, Integration and Processing of the Cork-MSP Agreement.
• “MSP Services Agreement” means the written agreement between Customer and an MSP for the MSP to provide Customer with information technology security tools and services.
• “Notification Expenses” means expenses incurred by or on behalf of Customer to notify any natural persons or entities that information regarding them or maintained by, processed by, collected by, or belonging to them, including Protected Personal Information or Corporate Information, has potentially or actually been compromised, accessed, or acquired without their authorization.
• “Payment” means the amount(s) that Cork pays to Customer under this Customer Warranty.
• “Penalties” means any monetary civil or criminal fine or penalty imposed by any federal, state, local, or foreign governmental entity or regulatory authority or agency.
• “Period of Restoration” means the continuous period of time that:
  • (A) begins (i) if a waiting period is specified in Schedule A, at the end of the Waiting Period or (ii) if no waiting period is specified in Schedule A, upon the measurable interruption of the Customer’s business operations due to a Ransomware Event; and
  • (B) ends on the earliest of the date and time when: (i) the Customer Computer System or Digital Asset affected by the Ransomware Event is recovered, restored, or repaired from back-ups; (ii) Customer regains access to the Customer Computer System or Digital Asset affected by the Ransomware Event; (iii) Customer determines that Customer cannot reasonably recover, restore, or repair the Customer Computer System or Digital Asset affected by the Ransomware Event from back-ups and cannot reasonably regain access to the Customer Computer System or Digital Asset affected by the Ransomware Event; or (iv) any of (B)(i)-(B)(iii) could have occurred had the Customer acted with due diligence and dispatch.
• “Personnel” means the Employees, Executive Officers, or Vendors of Customer.
• “Physical Event” means fire, smoke, explosion, lightning, wind, water, flood, earthquake, volcanic eruption, tidal wave, landslide, hail, an act of God, or any other physical event, however caused.
• “Pre-existing Incident” means a Warranty Incident that occurs before the effective date of the first Customer Limited Warranty Agreement between the Parties.
• “Privacy Regulations” include the California Consumer Privacy Act, Gramm-Leach Bliley Act of 1999, Health Insurance Portability and Accountability Act of 1996, California Database Breach Act, Minnesota Plastic Card Security Act, and General Data Protection Regulation Standard, and any other related or similar federal, state, local or foreign laws, regulations and standards.
• “Protected Personal Information” means any of the following information or data, regardless of whether such data or information is in electronic, non-electronic, or any other format:
  • (A) any natural person’s social security number, name, e-mail address, driver’s license or state identification number, address, and telephone number;
  • (B) any natural person’s security access codes or passwords;
  • (C) any natural person’s medical or healthcare data, biometric records, or any other protected health information;
  • (D) any natural person’s credit card or debit card number, account number, or any other protected financial information; or
  • (E) any other non-public personal information or data of a natural person as specified in any Privacy Regulations. Protected Personal Information does not include Corporate Information or any information that is lawfully available to the general public.
• “Public Relations Expenses” means the expenses incurred by Customer for a public relations firm to protect or restore the Customer’s reputation or mitigate financial harm to the Customer’s business resulting in whole or in part from a Warranty Incident.
• “Ransomware Event” means a Customer Security Event that directly results in the use of Malicious Code to block Customer’s access to a Customer Computer System or Digital Asset or delete or otherwise harm the Customer Computer System or Digital Asset, until a sum of money is paid.
• “Ransom Payment” means Money (including the cost to obtain cryptocurrency) or other consideration or value that Customer surrenders to the person or group believed to be responsible for a Ransomware Event in order to resolve such Ransomware Event, and that is preapproved in writing by Cork. Ransom Payment shall not include any such money, cryptocurrencies, consideration, or value surrendered by Customer after Customer’s access to the Customer Computer System or Digital Asset impacted by the Ransomware Event has been restored through backups or any other means.
• “Related Incident” means, collectively, the same, continuous, related or repeated Pre-existing Incidents and/or Warranty Incidents.
• “Security Compliance Notification” means any instruction made by the Cork Product to MSP to remediate a security vulnerability.
• “Security Event” means any:
  • (A) propagation of Malicious Code from a Computer System or attack by Malicious Code which infects a Computer System;
  • (B) denial of service attack originating from, or made against, a Computer System;
  • (C) access or use of a Computer System by an unauthorized person due to a failure in the security of a Computer System;
  • (D) access or use of a Computer System by an authorized person for purposes not authorized by the owner, renter, lessee, or operator of that Computer System;
  • (E) acquisition, access, loss, or disclosure of Corporate Information on a Computer System in a manner not authorized by the owner, renter, lessee, or operator of that Computer System;
  • (F) theft of a password or access code from a Computer System; or
  • (G) failure to provide any authorized user access to a website or Computer System due to a failure in the security of a Computer System.
• “SMS Phishing Event” means an unauthorized or fraudulent instruction sent exclusively by SMS text message by a natural person to a Customer falsely purporting to be an Executive Officer or Employee with the intention to mislead such Customer that directly results in a Customer’s transfer, payment, or delivery of Money. SMS Phishing Event does not include any Customer’s transfer, payment, or delivery of Money resulting in whole or in part from any unauthorized or fraudulent instruction, or any communication related to such unauthorized or fraudulent instruction, that was transmitted by any means other than SMS text message such as, without limitation, telephone, fax, chat message, or email.
• “SMS Phishing Loss” means the loss of Money in the form of gift cards or mobile ETF sustained by Customer as the direct result of an SMS text message sent to a Customer by a natural person falsely purporting to be an Executive Officer or Employee with the intention to mislead. SMS Phishing Loss does not include any amounts reimbursed or reversed to a Customer by any credit card company or financial institution.
• “System Disruption” means the actual and necessary interruption, suspension, degradation, or failure in the service of Customer Computer Systems. System Disruption also means a Customer’s voluntary and intentional interruption or suspension of Customer Computer Systems in response to a Ransomware Event in order to mitigate, reduce, or avoid Business Interruption Loss. Provided that any voluntary and intentional interruption or suspension of Customer Computer Systems is subject to Cork’s prior written consent, which will not be unreasonably withheld.
• “Third Party” means any natural person or entity other than Customer.
• “Third Party Liability” means any liability, or loss arising out of any liability, to a Third Party.
• “Unprotected Endpoint” means a Customer Computer System for which, pursuant to the MSP Services Agreement, MSP is not providing information technology security tools and services which are monitored by the Cork Product.
• “Unrest” means strike or similar labor action, war, invasion, military action (whether war is declared or not), civil war, mutiny, popular or military uprising, insurrection, rebellion, revolution, terrorism, state-sponsored cyberattack, military or usurped power, or any action taken to hinder or defend against any of these events.
• “Vendor” means any natural person or entity that provides goods or services to, for or on behalf of Customer in exchange for a fee pursuant to a written agreement with Customer.
• “Waiting Period” means the time period that begins upon the measurable interruption of the Customer’s business operations due to a Ransomware Event and ends when the amount of waiting period time specified in Schedule A has elapsed.
• “Warranty Effective Date” means the date the Customer executes the Customer Warranty.
• “Warranty Incident” means a failure of the Cork Product to prevent a Ransomware Event, a ACH/Wire Transfer Event, or SMS Phishing Event.
• “Warranty Period” has the meaning set forth in Section 7.3 herein.

Schedule A