Bitdefender provides the limited Cybersecurity Warranty Service (the “Warranty”) according to the terms and conditions outlined herein in this Warranty Agreement, for Customers that have a current, fully paid-up subscription for MDR Services and have a currently supported version of the MDR Services correctly installed and fully operational on their endpoint(s). Customer hereby agrees to have read, to have understood, and to be bound by this Warranty Agreement.
This Warranty is a third-party service provided by Cysurance under the Cysurance Certification Warranty Program Terms and Conditions provided below (the “Cysurance T&C”). Bitdefender is not a party to and shall have no liability or responsibility under this Warranty or the Cysurance T&C. The Cysurance T&C is the agreement entered into exclusively between Customer and Cysurance, and Bitdefender expressly disclaims any and all obligations, representations, or liabilities arising out of or in connection with this Warranty.
This Warranty is part of Bitdefender MDR Services and is subject to the Master Service Agreement for Bitdefender Business Solutions and Services published at: https://www.bitdefender.com/en-us/site/view/eula-business-solutions (the “Agreement”). In the case of conflict between the Warranty Agreement and the Agreement in respect of the Warranty, the terms of this Warranty Agreement and the Cysurance T&C provided herein shall prevail over the Agreement to the extent of such conflict.
Capitalized terms not defined in the Cysurance T&C shall have the meaning given to them herein below or in the Agreement.
1. Definitions
1.1. “Compliant Setup” means Customer’s endpoint environment using a current supported operating system that is free of known malware and/or viruses at the time immediately prior to the Qualifying Event, and such environment has an overall risk score less than 30% as indicated by the Executive Summary Dashboard in the GravityZone Platform and all endpoints from the Customer’s environment are managed and updated to the latest Bitdefender Endpoint Security Tools version.
1.2. “Warranty Term” means the time period in which Customer (i) has a current, fully paid-up MDR Subscription and (ii) runs a currently supported version of the Bitdefender Solution correctly installed, configured and enabled to the recommended settings on all of the managed endpoints in compliance with the MDR Services Description, the relevant Documentation, Prerequisite Terms, and the terms and conditions of this Warranty.
2. Warranty
2.1. The Warranty is available to a Customer in respect of its Managed Endpoints. The Warranty does not apply to MSPs or Customers of MSPs, and it is non-transferable. The Warranty is only available to a current subscriber of the MDR Services as stated on the Bitdefender website or MDR PLUS service where the Customer has purchased a subscription. For the avoidance of doubt, a Customer that has an MDR Foundations, MDR Premium or MDR Enterprise subscription is not entitled to the Warranty until such Customer renews its Subscription. Only Customers that purchase the MDR Subscription for less than 1000 Endpoints in their environment are eligible to get a Warranty subscription included in the MDR Subscription price. Customers that purchase an MDR PLUS subscription or an MDR Subscription but for more than 1000 Endpoints in their environment are eligible to get a Warranty PLUS subscription.
2.2. If, prior to the scheduled renewal date, an Existing Customer (a) increases the Use Level of its Subscription license for MDR and (b) did not purchase the Warranty but would like to add it to the existing MDR Subscription, then the Warranty will apply to their entire augmented Subscription.
2.3. The Warranty is provided AS IS and may be modified at any time at the sole discretion of Bitdefender, and only the then current version of the Warranty as published by Bitdefender shall apply.
2.4. This Warranty is not intended to and shall not be construed to give any third party any interest or rights (including, without limitation, any third-party beneficiary rights) with respect to or in connection with any agreement or provision contained herein or contemplated hereby. Only the Customer has the right to enforce this Warranty.
2.5. THIS WARRANTY MAY BE CANCELLED, SUSPENDED OR REVISED BY BITDEFENDER BY REASONABLE WRITTEN NOTICE AT ANY TIME AND AT BITDEFENDER’S SOLE DISCRETION. SUCH NOTICE MAY INCLUDE A POSTING TO BITDEFENDER WEBSITE OR A BANNER ON THE GRAVITYZONE CONSOLE.
2.6. THIS WARRANTY DOES NOT AND SHALL NOT BE DEEMED TO PROVIDE A CONTRACT OF INSURANCE UNDER ANY LAWS OR REGULATIONS AND SHALL BE NULL AND VOID IN ANY COUNTRY OR JURISDICTION IN WHICH IT IS DEEMED TO BE A CONTRACT OF INSURANCE OR AN OFFERING OF INSURANCE.
3. Services Description
3.1. Prerequisites. Service Setup Phase. For Users: To use the Warranty, Customer needs to have a valid MDR Services subscription.
3.2. Onboarding Process. Upon the Customer's purchase of the Cysurance add-on as part of their Bitdefender Managed Detection and Response (MDR) service, the following onboarding process shall apply:
3.2.1. Acceptance of Terms and Conditions. The Customer must accept the Bitdefender Warranty Agreement which includes the Cysurance Warranty Terms and Conditions before gaining access to the MDR Portal following the purchase of the Warranty. This acceptance is a prerequisite for accessing the MDR Portal, and the Customer will be prompted to agree upon their next login. The Warranty activation is independent of the Customer's acceptance of the Warranty Agreement and the Cysurance Warranty Terms and Conditions.
3.3. Activation of Cybersecurity Warranty Service. The Cysurance Warranty ("Warranty") shall commence concurrently with the activation of the Customer's MDR license at the Start Date. The Start Date of the Warranty will be displayed within the Bitdefender MDR Portal and Bitdefender GravityZone Portal.
3.4. Validity of the Cybersecurity Warranty Service. The Customer acknowledges that the Warranty Validity Period is tied to the MDR Service Validity Period and will not exceed the term of the MDR Service unless renewed.
3.5. Integration and Data Handling. The Customer data will be integrated with the Cysurance API for the purposes of warranty registration and management. Bitdefender will securely store the Cysurance token along with details such as the start and end date of the Warranty, the tier of the Warranty, and the country of coverage.
3.6. Communication of Cybersecurity Warranty Service Activation. Upon activation of the Warranty, the MDR Portal will send an email notification to the Customer, which shall include the Start date of the Warranty, the tier of the Warranty, and a link to the Warranty page within the MDR Portal for further guidance.
3.7. Cancellation, Renewal and Continuity. The Warranty continues monthly until expressly canceled, or upon termination of the Customer’s MDR Service Agreement, whichever comes first. In the event of a renewal of the MDR Service Agreement, the Customer must re-accept the Warranty Agreement. If the MDR Service Agreement is renewed after expiration, the Warranty will be treated as a new subscription and subject to the onboarding process outlined in this section.
3.8. Termination and Expiration. Upon the expiration or termination of the Customer’s MDR Service Agreement, the associated Warranty will also be terminated. The MDR Portal will notify the Customer via email that their Warranty has ended.
4. Claims Process
In the event of a loss covered under the Warranty Agreement, the Customer may submit a claim by following the procedures outlined in the Warranty documentation provided within the MDR Portal. Upon submission of a claim, the following process and Service Level Agreement (SLA) shall apply:
4.1. Submission of Claim. How to file a claim
If the Customer believes it is eligible for reimbursement, it must notify Cysurance within 48 hours of learning of a company-triggered event using the claim form from the link on the Warranty page in its Bitdefender MDR Portal. All reimbursements require prior approval from Cysurance, Bitdefender’s warranty partner, so the Customer must file the claim immediately upon discovery.
4.1.1. Notify Cysurance within 48 hours of the incident discovery.
Customer must notify Cysurance within 48 hours of learning of a company-triggered event. In the event of a claim, Cysurance recommends notifying Cysurance as a priority, as claims for reimbursement require prior approval.
4.1.2. Provide Cysurance with information about the incident, the strain of malware or data logs with associated traits for a device, and covered software affected.
Proof of breach is required when submitting a claim for reimbursement. The affected endpoints’ log data or supporting evidence will be required for validation. This needs to be electronic records that evidence the breach. Most of the time this will be in one of the victims’ log files, but if logs are not available, then screenshots and other types of recordings may be sufficient.
4.1.3. Verify that the covered software was current with all system patches and updates before the incident.
As a best practice, Customer must follow a patching cadence with commercially reasonable measures taken, that is, close to the latest patch cycle release. In the event of a claim, Cysurance may request confirmation of activated licenses and the version update of the covered software.
Bitdefender Cybersecurity Warranty Service will not respond to a systemic failure of the service provider infrastructure, of an application, or of software that results in a loss for the Customer's company.
4.1.4. Customer needs to check the Warranty Service Enrollment Prerequisites in Article 5 below.
4.1.5. Provide an itemized invoice to Cysurance of the services performed to remediate the incident (not to exceed $150/hr).
This applies in case the Customer intends to use services from a third party to assist with the remediation for the Customer's company. Approval from Cysurance for reimbursement will be required prior to engagement or invoices submitted.
4.1.6. Respond promptly to any requests related to the incident, diagnosing and servicing of the covered software, and follow any instructions provided by Cysurance.
The case incident will be closed within 15 days in the event of insufficient verification data or lack of response. Cysurance shall provide prior written notice.
The customer is entitled to a maximum of 1 valid event claim per year.
Remember to provide Cysurance with available supporting information when reporting claims.
In order to file a claim, complete the Warranty Service Claim Form online by using the Warranty page in the MDR Portal.
4.2. Acknowledgment. The Customer must submit the claim through the designated claim form available on the Warranty page within the MDR Portal. Upon submission, Cysurance shall acknowledge receipt of the claim within 12 (twelve) hours confirming the claim's receipt and initiating the review process.
4.3. Initial Review and Preliminary Response. Within 5 days of acknowledging receipt, Cysurance shall conduct an initial review of the claim based on information provided at that time. During this period, Cysurance will provide the Customer with a preliminary response, indicating, when possible, under the circumstances and information available, whether the claim is eligible under the Warranty and outlining any additional information or documentation required from the Customer.
4.4. Claim Resolution. After receiving all requested information and documentation from the Customer, Cysurance shall endeavor to resolve the claim within 5 business days. The resolution of the claim may involve assessment, review, approval and processing of services provided as well as submitted invoices, the requested compensation, denial of the claim, or further investigation if required. The Customer will be promptly notified of the outcome, along with any actions taken or required.
4.5. Customer Support and Communication. Throughout the claims process, the Customer shall have access to support from the Bitdefender Customer Success Team and Cysurance Concierge Team. Inquiries related to the claim will be addressed within 48 hours, during normal business hours. The Bitdefender Customer Success Team and Cysurance Concierge Team will work collaboratively to ensure the Customer is informed and supported throughout the process.
4.6. Escalation and Dispute Resolution. If the Customer experiences delays or disputes the handling of their claim, they may escalate the issue to Cysurance's dedicated claims manager. The escalated issue will be reviewed and addressed within 5 business days of the escalation request. Both Cysurance and Bitdefender are committed to resolving escalated issues in a fair and timely manner.
4.7. Limitation of Liability. Cysurance is the primary entity responsible for processing and resolving claims under the Warranty. Bitdefender’s role is limited to facilitating communication, assisting with the provision of information and materials on behalf of Customer, and providing support with the Enrollment. Bitdefender shall not be liable for any delays, failures, or actions by Cysurance that affect the claim process, except where such delays or failures are directly attributable to Bitdefender's actions or omissions.
This Claims Process and SLA are designed to ensure that the Customer's claims under the Cybersecurity Warranty Program are handled efficiently and transparently, providing timely resolution and support throughout the process.
Pre-existing Events. This limited Warranty does not extend to pre-existing Events, meaning any unauthorized access to Customer’s endpoint environment that occurs before Customer’s Warranty Term.
5. Cybersecurity Warranty Service Enrollment Prerequisites
5.1. Enrollment Prerequisites
The Bitdefender MDR Cybersecurity Warranty Service (“Warranty”) only provides financial reimbursements when cyber controls are in place, so it's important to ensure that Customer meets the minimum best practice cybersecurity controls to qualify for enrollment.
5.1.1. The Customer deploys industry standard and up-to-date anti-virus or comparable prevention tools on its endpoints.
All events must be verified through log or event data. Supporting evidence and log data for the affected endpoints are required when filing reimbursement claims.
5.1.2. PHI encryption and Data backups are in place for the Customer.
PHI encryption only applies to companies regulated by HIPAA. Data backup is mandatory for all Customers. A solution that encrypts data at rest and regularly scans for viruses and malicious data is required. Cloud backup solutions are also acceptable if they meet the above criteria.
5.1.3. Multi-factor authentication is active on all Customer email accounts.
Multi-factor authentication is essential, as it makes stealing information harder for the average criminal. MFA prevents bad actors from gaining access to a network via a stolen password and, in doing so, allows other security tools to function as designed.
5.1.4. The Customer performs commercially reasonable maintenance, including applying patches and updates within 60 days of release.
As a best practice, the Customer must follow a patching cadence with commercially reasonable measures taken, that is, close to the latest patch cycle release.
5.1.5. The Customer must offer security awareness training to its employees.
All employees should receive security awareness training to ensure they have the skills required to identify an attack. If the Customer requires security awareness training, it must contact Bitdefender for assistance.
5.1.6. Out-of-cycle wire transfers and invoice routing information changes must be verified with the request and documented.
Business controls that document any change request to invoice routing and wire transfers are required, and documentation must be made available in the event of an attack.
5.1.7. The Customer applies its best efforts towards data privacy and is compliant with any required regulatory conditions.
If applicable, Customers must adhere to any national, state, federal, and/or regulatory, privacy, and security policies to which they are subject, including, but not limited to, PCI, HIPAA, and SEC standards.
For Customers regulated under HIPAA/PCI/SEC/OSHA:
- An annual risk assessment is completed and documented.
- PHI was inventoried and accounted for before the incident.
- All employees completed HIPAA training before the incident and within the past 12 months.
5.2. Warranty. During the Warranty Validity Period, the warranty shall also apply so long as the Customer also subscribes to the GravityZone Platform in compliance with the Agreement, for the cybersecurity services to the Customer’s endpoints through the Bitdefender GravityZone Solution having activated the protection for Ransomware on its endpoint (“Endpoints”). The Warranty granted herein shall apply to all such endpoints provided that:
a. The GravityZone Platform and endpoints and MDR subscription are deployed in accordance with the Documentation and such endpoints are currently active and properly configured;
b. Each XDR sensor is deployed and configured according to the GravityZone Product Documentation, if the Customer has purchased the corresponding XDR license. Only Files that are on Endpoints are covered under this Warranty;
c. The GravityZone Platform and all endpoints of the Customer have the following required configurations and attributes:
i. GravityZone Platform:
· Antimalware On-Access module is enabled, cloud-based threat detection is enabled, advanced threat detection module is enabled and set on normal or aggressive mode (see Documentation for details), fileless attack protection module is enabled, ransomware mitigation module is enabled and monitors both locally and remote shares, hyperdetect module is enabled and all its protection levels are set to normal or aggressive, the advanced anti-exploit module is enabled and it’s configured to block memory access for lsass attacks and kill processes in case of privilege escalations, the sandbox analyzer module is enabled and configured to prefilter content in an aggressive mode (see Documentation for details).
· Network protection module is enabled, scan SSL is enabled, the antiphishing module is enabled, the web and email traffic scanning is enabled, the network attack defense is enabled, and all attack techniques are enabled and the action taken is block.
· The firewall module is enabled.
· The remote shell module is enabled.
· The EDR module is enabled.
· All Bitdefender MDR Service pre-approved actions are enabled.
· Customer has provided at least one valid Emergency Contact in the MDR Portal.
· Two-factor authentication is enabled in the Management Console, or Single Sign On with two-factor authentication, enabled and enforced for all Management Console users.
· Agent is not tampered with intentionally by Customer, and it is at its latest version also available on Bitdefender update servers.
ii. Operating system:
· The Warranty applies to Standard (not Legacy) Windows, Linux and MacOSX Agents, and on supported versions of Microsoft Windows (as specified in the GravityZone Product Documentation).
· Each endpoint is malware-free prior to GravityZone Agent installation.
· The OS is fully updated and patched for security updates on each covered endpoint, and all vulnerable applications are updated to the latest releases.
d. The Customer adheres to the following manual actions post infection (i.e., upon discovery of Ransomware):
· Immediately (no more than an hour upon discovery) adds the specific Ransomware threat to blacklist;
· In case the Ransomware was not blocked but only detected – takes a remediation and rollback action within 1 hour of infection/discovery of the Ransomware; and
· Notifies Cysurance of the Ransomware discovery within 48 hours via the Cybersecurity Warranty Service Claim Form online, using the Warranty page in the MDR Portal.
Pre-existing Events. This limited warranty does not extend to pre-existing Events, meaning any unauthorized access to Customer’s endpoint environment that occurs before Customer’s Warranty Term.
ANNEX 1 TO WARRANTY AGREEMENT
Cysurance Terms:
Cysurance Certification Warranty Program Terms and Conditions
This Annex 1 is a part of the Subscriber General Terms and Conditions Agreement (the “Agreement”) to which this Annex 1 is attached. The Cysurance Certification Warranty Program will provide Participants with a warranty in respect of (1) the Cysurance vetted and approved external monitoring software products Participants license from Prime Subscriber (the “Warrantied Software Systems”), and (2) the ongoing services delivered by Cysurance as set out below (collectively, the “Warrantied Software System/Services”). Any capitalized terms not otherwise defined herein shall have the meaning set forth in the Warranty Agreement.
1. Definitions.
a. BEC Event means a business email compromise (BEC). The Certification Warranty applies to a BEC Event which is a full, unauthorized threat-actor takeover of a Participant account in its Environment that is monitored by Solutions implemented by Prime Subscriber. The Certification Warranty does not apply to incidents where the social engineering of an individual acting on behalf of or with the Participant has resulted in lost income, lost funds or other fraud of Participant. To be a Qualifying Event, a BEC Event must result from the compromise of credential or other unauthorized access in and of a Participant's own Environment. As an example, where a Participant's HVAC vendor is compromised, and an unauthorized third-party uses quality of the HVAC vendor to persuade the Customer to send funds to an unauthorized recipient, such is not a Qualifying Event, as the compromised environment is not Participant's, but belongs to its HVAC vendor.
b. Benefit End Date means the last day of Participant’s qualifying Subscription Term (or other applicable Solutions Agreement), or any qualifying renewals thereof.
c. Benefit Start Date means the first day of the Enrollment Term as set forth on the Enrollment Confirmation from Prime Subscriber.
d. Business Income Event means a Security Breach of Participant's Environment which actually and materially affects the Participant's business operations, resulting in actual, documentable loss of business income (net profit or loss before income taxes) which would have been earned had no Security Breach occurred.
e. Compliance Event means a BEC Event or Ransomware Event that involves a confirmed data breach of Personal Data triggering HIPAA, GDPR, UK GDPR, PCI, OSHA, SEC, FTC, and/or any international, federal, state or other legally required notice and/or reporting requirements, where the sole Recovery Benefit is for immediate legal assessment and emergency response of the Compliance Event. Continuing legal services beyond initial breach assessment, including dealing with the nature of the data breach and any extent of the same, are beyond scope of any Recovery Benefit of this Certification Warranty.
f. Cyber Legal Liability Event means litigation arising directly out of a breach of data privacy and/or data security because of a BEC Event or Ransomware Event and out of binding statements of privacy and/or security on Participant’s website where legal defense expenses and settlement costs are incurred.
g. Enrollment Confirmation means the email issued by Prime Subscriber to Participant confirming Participant’s enrollment in the Certification Warranty with Provider, which occurs upon Participant’s enrollment via the Enrollment Portal.
h. Enrollment Term means the period Participant may receive a Recovery Benefit and which begins on the Benefit Start Date (defined in Section 2(a)) and ends upon termination (defined in Section 2(b)). Depending on the Benefit Start Date, generally the Enrollment Term is equivalent to the annual Subscription Term under the Solutions Agreement with the Prime Subscriber, for qualifying Subscriptions. In the case of a multi-year qualifying Subscription, an Enrollment Term under this Agreement will be those annual periods within a multi-year Subscription Term.
i. Environment means computer systems or networks identified by Participant and for which Prime Subscriber has implemented Solutions. Note any computer systems, networks, software or other tools of a dependent system, or any computer systems, networks, software or other tools not identified by a Participant to their Prime Subscriber as part of the Participant's Environment will not qualify for a Recovery Benefit, as such systems, etc., are not protected by Prime Subscriber Solutions. To be clear, this Warranty does not cover systems or environments Solutions are not purchased to secure.
j. Event means a Ransomware Event or BEC Event occurring in Participant's Environment, which may result in a Business Income Event, Compliance Event and Cyber Legal Liability Event.
k. Participant means the Customer who has contracted with Prime Subscriber to provide Solutions which protect the Environment that Participant has adequately and properly identified to the Prime Subscriber.
l. Personal Data means any information concerning an individual that is defined as personal information or personal data under any applicable data protection law; Personal Data does not include information lawfully available to the general public or that has been fully anonymized under an accepted industry standard.
m. Provider means Cysurance, a third-party service provider who has contracted with Prime Subscriber to provide Participant with the benefits set out in this Agreement.
n. Qualifying Event means a Ransomware Event or a BEC Event, or the Business Income Event, Compliance Event or Cyber Legal Liability Event resulting from a Ransomware Event or BEC Event occurring in Participant's Environment, for which Provider will apply a Recovery Benefit.
o. Ransomware Event means the unauthorized access to at least one Participant endpoint in Participant's Environment in the form of ransomware which has caused material harm to Participant, whereby “material harm” must include at least one of the following: (i) the unauthorized acquisition of unencrypted digital data from Participant's Environment that compromises the security, confidentiality, or integrity of personal information or confidential information maintained by Participant; (ii) public disclosure of personal information or confidential information from Participant's Environment and maintained by Participant; or (iii) the compromise of at least one Participant endpoint in Participant's Environment resulting in the full blocking of authorized access to such endpoint.
p. Recovery Benefit means the funding conferred to the Participant by the Provider in the event of a Qualifying Event; a Recovery Benefit is limited to supporting repair, remediation, and/or replacement of those parts of Participant’s Environment damaged by a Qualifying Event, including, but not limited to, removing and remediating elements that caused the Qualifying Event. A Recovery Benefit applies to immediate recovery services such as initial investigation to determine required services and restoration of Participant's current business systems covered by the Solutions. Continuing investigation concerning the extent of an actual or suspected Event, ongoing negotiations with a threat actor, procurement of new Solutions or recovery beyond Participant's Environment, legal evaluation of reporting obligations, or other ongoing breach services, are not eligible for a Recovery Benefit.
q. Security Breach means the (i) unauthorized access or use of Participant's Environment resulting from theft of a password from an agent of the Participant; (ii) a denial of service attack affecting Participant's Environment; or (iii) infection of a part of Participant's Environment by malicious code or the unauthorized transmission of malicious code from the Participant's Environment, which result in the loss of business income (net profit or loss before income taxes) which would have been earned had no loss occurred.
r. Prime Subscriber means Bitdefender and its Affiliates engaged by the Participant to provide a Solution for the protection of Participant's Environment; such Solutions must be implemented and maintained by the Prime Subscriber for Participant in order for a Recovery Benefit to apply.
s. Solution or Solutions means the MDR Services which Participant has obtained, implemented and maintained provided by Prime Subscriber for the protection of Participant's Environment.
t. Enrollment Portal means the registration portal Participant must use to enroll and qualify for Certification Warranty benefits.
u. Waiting Period Not Applicable.
2. Certification Warranty
a. Benefit Start Date. Participant’s Enrollment Term will begin on the Benefit Start Date.
b. Benefit End Date. Unless otherwise terminated earlier, Participant’s Enrollment Term will automatically terminate on the Benefit End Date.
3. Certification Warranty Benefits
a. During the Enrollment Term, Participant may submit a request for a Recovery Benefit by notifying Provider at bitdefender@cysurance.com or via the form link: https://enroll.cysurance.com/bitdefender-claim-submission/, within at least the first forty-eight (48) hours of discovery of any actual Event, that one of the following Events has or may have occurred during the Enrollment Term:
· Ransomware Event;
· BEC Event;
· Compliance Event;
· Cyber Legal Liability Event; and/or
· Business Income Event.
b. Should an Event occur and be determined a Qualifying Event, and provided an exclusion set forth in Section 4 below does not apply, Provider will afford Participant a Recovery Benefit, subject to the following:
(1) Participant may only seek indemnification for one (1) Qualifying Event during the Enrollment Term;
(2) Participant must have a commercially reasonable basis and belief that damages resulting from the Event will exceed $5,000 USD or equivalent in applicable foreign currency;
(3) Recovery Benefit will not exceed Participant’s maximum Certification Warranty Indemnification Level as specified within Participant’s Enrollment Confirmation;
(4) Application of a Recovery Benefit in the form of cyber-insurance deductible-buy back, subject to the terms and conditions of Participant’s cyber-insurance carrier, any terms and conditions of Provider, and to review and approval by both Provider and Participant’s identified cyber-insurance carrier;
(5) Payment of any applicable deductible by Participant for the applicable Recovery Benefit; and
(6) Any Recovery Benefit is provided in accordance with any additional terms and conditions applicable to such Qualifying Event as specified in the Warranty Confirmation Summary attached hereto as Schedule 1.
c. Recovery Benefits are limited by this Certification Warranty. Participant is responsible for notice and coordination with any insurance carrier for any ascertain insurance claims. The provider is not an insurance carrier or coordinator.
4. Recovery Benefit Exclusions. A Recovery Benefit may be restricted to the country in which the Participant subscribed to the Solutions. A Recovery Benefit will not be afforded if any one or more of the following conditions occur regarding the nature of the loss:
a. Participant fails to take commercially reasonable measures to: (i) undertake preventative maintenance, including but not limited to patching of any application and/or operating system running on an endpoint that is up to date per the timeframe for Common Vulnerability Scoring System (CVSS): Critical (score 8.5+) within 7 days, High (score 7-8.5) within 30 days; and Medium and Lower (score < 7.0) within 60 days, where each time frame is beginning from the date the fix is made available and if a reboot of the system or application was required in connection with any of the above, the application/system will not be considered to have fulfilled this requirement unless and until completion of the applicable reboot; and (ii) implement cloud or other back up measures of Participant’s data to allow for recovery from a Ransom Event;
b. Participant fails to deploy multifactor authentication (MFA) on email, servers housing proprietary and privacy data, and operating systems essential to business operations;
c. Participant fails to deploy industry standard and up-to-date anti-virus or comparable prevention tools on its endpoints;
d. Participant does not have the Solutions actively deployed in the part of the Participant’s network or computer systems in which the Event occurred, such that there was no active deployment providing Prime Subscriber with means of receiving supported security relevant telemetry from such network or computer systems (i.e., infrastructure or endpoint);
e. Participant is in breach of Prime Subscriber’s Contract or the Contract with Prime Subscriber has terminated or expired;
f. Participant is unable to provide proof of the Event or cannot verify the Event through log/event data;
g. The Breach Incident is occurring within a virtual desktop infrastructure (e.g. Citrix, VMware, and other virtual desktop infrastructure environments). For avoidance of doubt, this relates to both the device and operating system running the VDI management system/hypervisor and the virtualized operating system(s) running within each virtual instance;
h. The Breach Incident is caused by a third-party product and/or service which directly or indirectly causes the malfunction or nonperformance of the Product or the Subscription;
i. Situations where (i) the data is retrievable (i.e., Participant can get access to back-up data and is capable of restoring the majority of the deleted or encrypted data with the back-up); or (ii) where the data was not on the Bitdefender managed endpoints affected by the Breach Incident;
j. The Breach Incident is caused by a systemic failure of software impacting customers on a significant, large-scale basis;
k. The Breach Incident is caused by a systemic failure affecting the Bitdefender infrastructure;
l. Any Breach Incident that arises out of or is caused by, directly or indirectly, acts of God, including but not limited to earthquakes, hurricanes, tsunamis, natural disasters, wildfires, solar flares, solar winds, etc., acts of war or terrorism, or reasonably believed to be related to state sponsored cyberattacks, civil or military disturbances, nuclear interruptions, loss or malfunctions of utilities, communications, or the systemic failures of the same;
m. The Breach Incident arising directly or indirectly from the intentional or willful misconduct, collusion, or the negligence of the Customer, its Affiliates, or its or their directors, officers, agents, employees, non-employee workers, agents, representatives, contractors or consultants (“Customer Representatives”);
n. The Breach Incident arising as a result of an infection, compromise, malware, virus or other unauthorized access of asset(s) or credentials that attempts to circumvent controls in an effort to compromise an endpoint that was introduced to Customer’s internal systems (which could be an unprotected endpoint within the Customer network or a managed Bitdefender endpoint) by a Customer Representative, whether intentionally or unintentionally (e.g. malware or virus testing);
o. Customer is not in good faith or is considered non-meritorious or frivolous, as reasonably determined by Prime Subscriber;
p. After notification or an alert of a possible Event to Participant from Prime Subscriber, Participant fails to take reasonable measures or actions to investigate and adequately address any issues prompting such an alert from Prime Subscriber;
q. If a Participant is regulated by HIPAA, PCI, SEC, FTC, GDPR and/or any other international, federal, state or other law, regulation or rule:
i. Participant has not completed annual security and data risk assessments, or other necessary risk assessments, and documented risks;
ii. Protected Health Information (“PHI”) or other protected information data inventory has not been fully completed and accounted for prior to an incident and claim;
iii. Subject to Participant’s standard historical employment practices related to HIPAA, GLBA, CCPA, GDPR, UK GDPR or other data protection required training for employees, all of Participant’s employees have not completed the necessary training within the 12 months prior to any incident and request for a Recovery Benefit;
iv. Participant has not adopted and adhered to applicable privacy and security policies, public facing, internal or otherwise, related to any international, federal, state or other legal or regulatory requirements to which Participant is subject prior to any Event;
v. Participant is named as a defendant, respondent, co-defendant or other defending party in a class-action lawsuit regarding the privacy requirement breach resulting from violation of any international, federal, state or other law, regulation or rule arising from or relating to an Event.
r. The Event did not occur during the Enrollment Term;
s. Participant does not submit the request for a Recovery Benefit for the Event during the Enrollment Term; or
t. Participant has not conducted an assessment or analysis regarding, or taken steps to assess its risks under, and adopted and adhered to, all applicable privacy and security laws, regulations and rules governing its processing of Personal Data prior to any Event.
5. Indemnification Process.
a. PARTICIPANT MUST IMMEDIATELY REPORT AN EVENT TO THE PROVIDER. FAILURE TO REPORT AN EVENT WITHIN FORTY-EIGHT (48) HOURS OF DISCOVERY WILL EXCLUDE SUCH AN EVENT FROM CONSIDERATION FOR A RECOVERY BENEFIT. WITHIN FIFTEEN (15) DAYS OF DISCOVERY OF ANY ACTUAL OR REASONABLY SUSPECTED EVENT, PARTICIPANT MUST SUPPLY PROVIDER WITH SUFFICIENT INFORMATION AS TO ALLOW PROVIDER TO VALIDATE DAMAGES INCURRED AND APPROPRIATELY EVALUATE THE NATURE AND CIRCUMSTANCES REGARDING THE ASSERTED EVENT OR THE REQUEST FOR RECOVERY BENEFITS WILL BE CLOSED IN THE EVENT OF INSUFFICIENT VERIFICATION OR LACK OF RESPONSE AS STATED HEREIN. IF PARTICIPANT FAILS TO DELIVER THE REQUESTED INFORMATION TO PROVIDER AS SET FORTH HEREIN, PARTICIPANT’S PROFFERED EVENT WILL BE TREATED AS AN INVALID EVENT THAT IS INELIGIBLE FOR A RECOVERY BENEFIT PURSUANT TO THE TERMS OF THIS AGREEMENT. AFTER THE INITIAL FIFTEEN (15) DAYS AND PARTICIPANT’S ORIGINAL PROVISION OF INFORMATION TO PROVIDER, ANY MAINTAINED FAILURE BY PARTICIPANT TO RESPOND OR PROVIDE EVIDENCE SUPPORTING RECOVERY BENEFITS FOR MORE THAN THIRTY DAYS WILL RESULT IN THE REQUEST FOR RECOVERY BENEFITS BEING CLOSED FOR LACK OF RESPONSE. ANY DETERMINATION AS TO WHETHER AN EVENT IS A QUALIFYING EVENT, OR AS TO THE GRANT OF A RECOVERY BENEFIT, WILL BE MADE IN ACCORDANCE WITH THIS AGREEMENT.
b. Participant understands this Certification Warranty is separate and apart from, not affiliated with, and not issued by or part of any insurance product it has purchased, engaged or otherwise obtained. Participant is solely responsible for reporting any Event or Events to its insurance carrier regardless of whether Participant elects to request application of Recovery Benefits from Provider.
c. By submitting a request for a Recovery Benefit and submitting information to Provider, Participant understands and acknowledges Provider has separate terms and conditions related to privacy and data protection as set out on Provider’s website terms, privacy policies, or other agreements made by and between Participant and Provider which will govern the use and protection of the information. Prime Subscriber does not accept liability or responsibility for Provider. Participant understands and agrees it is responsible for reviewing Provider terms, policies and agreements prior to submission of information. In the event Participant requests that Prime Subscriber provide information directly to Provider on Participant’s behalf, Participant authorizes and consents to Prime Subscriber sharing the information with Provider, subject to the terms set forth in Sections 5(b) and 5(c) of the Agreement.
d. Indemnification made under the Certification Warranty is subject to the Provider’s standards of review. If Provider denies indemnification to the Participant, notwithstanding anything to the contrary in this Agreement, Prime Subscriber shall have no liability to Participant.
e. To receive Recovery Benefits under the Service Warranty, Participant agrees to:
i. Provide documentation evidencing the Participant’s date of enrollment in the Service Warranty;
ii. Provide log files and information about the symptoms and causes of a network compromise pertaining to the request for a Recovery Benefit, and all other information, documentation or things requested by Provider to assess the Event and any application of Benefits; and
iii. Verify cyber event via log files and/or other documentation or things concerning malicious code that resulted in any alleged loss of data and/or records triggering a violation of state and/or federal regulatory enforcement to which Participant is subject.
6. Additional Services
Following Participant’s enrollment in the Service Warranty, and as part of the value conferred by the Service Warranty, Provider will perform, or have performed, regular scans of Participant’s Environment from external sources. Results will be provided to Prime Subscriber to augment external monitoring and risk rating analyses that Prime Subscriber delivers to Participant as part of the Solutions. Such results may identify vulnerabilities related, but not limited to, the following:
An initial scan will be conducted upon Participant’s enrollment in the Certification Warranty and monthly thereafter during Participant’s Enrollment Term. By enrolling in the Service Warranty, Participant consents to the receipt of such additional services by the Provider.
7. Cancellation
a. Prime Subscriber’s Cancellation Rights.
Prime Subscriber may cancel the Program at any time for any reason.
b. Cysurance’s Cancellation Rights.
If Prime Subscriber has not otherwise made the appropriate payment by the due date or any applicable renewal date, the Program may be cancelled for nonpayment in accordance with Section 11(b) of the Subscriber General Terms and Conditions Agreement and Program coverage will cease from the due date or renewal date.
Additionally, unless applicable local law provides otherwise, Cysurance may cancel this Program for Prime Subscriber’s fraud or material misrepresentation upon sixty (60) days’ prior written notice.
c. Effect of Cancellation.
See Section 11 of the Agreement for Effect of Cancellation.
8. Program Changes
Cysurance reserves the right to change the terms and conditions of the Certification Warranty Program at any time and will provide Prime Subscriber with sixty (60) days’ prior written notice of such changes. If any changes are made, such notice will be provided in a separate writing or email.
If Cysurance adopts any revision to the Program that would broaden Participant’s coverage without additional cost or any increase in service fees and/or without changes to the terms and conditions applicable to the Program, the broadened coverage will immediately apply to the Program.
9. General Terms
(a) Cysurance may subcontract or assign performance of its obligations to third parties but shall not be relieved of its obligations to Prime Subscriber or any Participant in doing so.
(b) Cysurance is not responsible for any failures or delays in performing under the Program that are due to events outside of Cysurance’s reasonable control.
(c) This Program may not be available in all jurisdictions and is not available where prohibited by law.
(d) In carrying out its obligations Cysurance may, solely for the purposes of monitoring the quality of Cysurance’s response, record part or all of the calls between Prime Subscriber and Cysurance.
(e) Cysurance represents and warrants that it has implemented commercially standard security measures, which will protect Confidential Information against unauthorized access or disclosure as well as unlawful destruction. Prime Subscriber or Participant will be responsible for the instructions it gives to Cysurance regarding the processing of its data, and Cysurance will seek to comply with those instructions as reasonably necessary for the performance of the Service and support obligations under the Program. Cysurance will be responsible for putting appropriate terms in place with any Participant related to the Confidential Information it receives from any Participant.
(f) Cysurance acknowledges and agrees to maintain compliance with the terms of the Data Protection Standards, GDPR and CCPA Privacy Addendum agreed upon with Prime Subscriber.
(g) There is no informal dispute settlement process available under this Program.
(h) As used in this Program, “Cysurance” is the Administrator.
(i) Except where prohibited by law, the laws of the State of New York govern Programs purchased in the United States. If these terms are inconsistent with the laws of any jurisdiction where Participant purchases this Program, including the laws of Alabama, Arizona, Florida, Georgia, Nevada, Oregon, Vermont, Washington, Wisconsin and Wyoming, then the laws of that jurisdiction will control.
(j) Support services under this Program may be available in English only.
Schedule 1 of Annex 1
Cysurance Certification Warranty Program Confirmation Summary
Subject to all of the terms and conditions of the Program, including any terms specified on Annex 1 to which this Schedule 1 is attached, the Program provides the following coverage limitations:
Participants Enrolled in the $100,000 Level**

| Certification Warranty Indemnification – Ransom Only $100,000 Level | Per Event | Per Participant |
| --- | --- | --- |
| Ransom Event | $100K* | $100K* |

*Per Event and Per Participant amounts vary and are Program specific.

Participants Enrolled in the $1,000,000 Level*

| Certification Warranty Indemnification – | Per Event | Per Participant |
| --- | --- | --- |
| Compliance Event | A Maximum of $200,000 USD | $200,000 USD |
| Ransomware Event & BEC Event | A Maximum of $200,000 USD | $200,000 USD |
| Cyber Legal Liability Event** | A Maximum of $500,000 USD | $500,000 USD |
| Business Income Event | A Maximum of $100,000 USD | $100,000 USD (There is a $2,500 USD per-claim deductible that applies to this Event) |

Indemnification Per Event and Per Participant amounts reflected above, although shown in USD, mean the equivalent amount in the applicable foreign currency reflected on Participant’s subscription for the Warrantied Software System.
* Participant must first exhaust any other Certification Warranty that would apply to these expenses.
**Cyber Legal Liability/Media - Participant must exhaust all other financial benefits before triggering this benefit tier.