Security Incidents. 1. Security Incidents on Supplier Information Systems must be logged, reviewed on a periodic basis (minimum quarterly), secured, and maintained for a minimum of twelve (12) months.
2. Supplier must develop and maintain an up-to-date incident management plan designed to promptly identify, prevent, investigate, and mitigate any Security Incidents and perform any required recovery actions to remedy the impact.
3. Supplier shall notify Company within a reasonable period, in no event to exceed seventy-two (72) hours after discovery, or shorter if required by applicable law or regulation, of any Security Incident experienced by Supplier involving any Company Data. Supplier shall report any Security Incidents to the Cyber Incident Response Team at ▇▇▇▇▇▇@▇▇.▇▇▇ or 1-800-4GE-CIRT, or at such contact information communicated to Supplier from time to time. Supplier shall reasonably cooperate with Company in its investigation of an incident, whether discovered by Supplier, Company, or a third party, which shall include providing Company a detailed description of the Security Incident, the type of data that was the subject of the Security Incident, the identity of each affected person, and any other information Company reasonably may request concerning such affected persons and the details of the Security Incident, as soon as such information can be collected or otherwise becomes available. Supplier shall designate an individual responsible for management of the Security Incident, and shall identify such individual to Company promptly.
4. If requested by Company or its Affiliate, and at Company’s direction, Supplier shall send Security Notices regarding a Security Incident. Unless prohibited by applicable law or regulation, Supplier shall provide Company or its Affiliate with reasonable notice of, and the opportunity to comment on and approve, the content of such Security Notices prior to any publication or communication thereof to any third party, except neither Company nor its Affiliate shall have the right to reject any content in a Security Notice that must be included in order to comply with applicable law or regulation. Should Company or its Affiliate elect to send a Security Notice regarding a Security Incident, Supplier shall provide all reasonable and timely information relating to the content and distribution of that Security Notice as permitted by applicable law or regulation pursuant to the Security Notice.
5. Other than approved Security Notices, or to law enforcement or as otherwise required by law or regulation, Supplier may not make or permit any public statements concerning Company’s involvement with any such Security Incident to any third-party without the explicit written authorization of Company’s Legal Department.
Appears in 7 contracts
Sources: Master Services Agreement, Master Services Agreement, Master Services Agreement
Security Incidents. A party that receives Confidential Information or Personal Information of the other party (“Receiving Party”) shall promptly notify the party who disclosed such Confidential Information or Personal Information (“Disclosing Party”) of any Security Incident that results in the unauthorized access to, disruption of, or misuse of, the Disclosing Party’s Confidential Information or Personal Information or any Information System on which the Disclosing Party’s Confidential Information or Personal Information is stored or materially impacts a Providers’ operations or Providers’ ability to provide the Services in accordance with the Agreement. Notwithstanding the foregoing, a Recipient shall provide notice to a Provider if a Security Incident materially impacts a Recipient’s operations or a Recipient’s ability to receive the Services, in each case, in accordance with the Agreement. Required notices of a Security Incident if Genworth is the Disclosing Party shall be made to ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇.▇▇▇ and in accordance with the formal notice requirements in this Agreement. Required notices of a Security Incident if the Company is the Disclosing Party shall be made to the Company’s Chief Information Security Officer and in accordance with the formal notice requirements in this Agreement. The Receiving Party shall provide such notice following discovery and without unreasonable delay, but in no event later than three days following discovery of the Security Incident, even if not all information required by this Section is then available to the Receiving Party or all actions required by this Section have not been completed by the Receiving Party.
If any such information is not available at the time of initial notification or any such activities have not been completed at the time of initial notification, the Receiving Party shall continue all commercially reasonable efforts to obtain such information and complete such activities and report to the Disclosing Party the progress and results of the foregoing. With respect to Security Incidents for which notification must be provided under this Agreement, the Receiving Party shall provide the Disclosing Party with a detailed description of the Security Incident, the type of data that was the subject of the Security Incident, the name and any other personally identifying information of each affected individual, and any other information the Disclosing Party may reasonably request concerning such Security Incident.
The Receiving Party agrees to take action immediately, at its own expense, to (i) investigate the Security Incident, including without limitation its causes and effects, (ii) identify, prevent and mitigate the effects of any such Security Incident, (iii) carry out any action necessary to remedy the cause of the Security Incident and prevent a recurrence, and (iv) inform the Disclosing Party of the progress and results of the foregoing. At the Disclosing Party’s option, such action shall include without limitation: (A) Receiving Party’s mailing of notices regarding the Security Incident to affected individuals, the content of which shall be subject to Disclosing Party’s prior written approval; and/or (B) provision of credit monitoring or other similar service to affected individuals offered by a reputable provider, for a reasonable duration but in no event more than twelve months. Alternatively, the Disclosing Party may undertake either or both of the foregoing actions at Receiving Party’s commercially reasonable expense.
Receiving Party shall not issue any press release or make any other public filing, report or communication regarding any Security Incident for which notification must be provided under this Agreement without Disclosing Party’s prior written approval unless otherwise required by applicable Law, regulation or governmental or judicial order; provided, that in such case the Receiving Party has given the Disclosing Party reasonable advance written notice of the intended disclosure and a reasonable opportunity to seek a protective order or other confidential treatment of the information, each to the extent permitted by law; provided, further, that the disclosure is limited to that required by such applicable law, regulation or governmental or judicial order.
Appears in 6 contracts
Sources: Shared Services Agreement (Enact Holdings, Inc.), Shared Services Agreement (Enact Holdings, Inc.), Shared Services Agreement (Enact Holdings, Inc.)
Security Incidents. 9.1. Service Provider agrees to notify Company without undue delay but in all cases within twenty-four (24) hours of discovery of any actual or suspected Security Incident of which it becomes aware, including those occurring at its Subprocessors. Service Provider agrees to take such reasonable, remedial actions warranted to investigate and halt the root cause of such incident to the extent it is ongoing.
9.2. In the course of notification to Company, Service Provider will provide to Company, as feasible, sufficient information for Company to assess the Security Incident and make any required notification to any Government Authority within the timeline required by Applicable Law. Such information must include, but is not necessarily limited to:
A. The nature of the Security Incident, the categories and approximate number of data subjects and Personal Data records involved;
B. The likely consequences of the Security Incident, in so far as consequences are able to be determined; and
C. Any measures taken or proposed to be taken to address or mitigate the incident.
9.3. Company will decide on the basis of all available information and Applicable Law if notification to Data Subjects and/or Government Authorities is required or deemed prudent by Company. Where Company determines that notice should be provided, Service Provider shall reimburse Company for all reasonable costs associated with providing notice to affected individuals and Government Authorities, unless Service Provider demonstrates that the breach was caused by Company’s negligence or willful misconduct.
9.4. In the event of a Security Incident relating to the Personal Data collected or received under this Underlying Agreement, Service Provider agrees to assist and fully cooperate as instructed by Company with any internal investigation or external investigation by third parties, such as law enforcement, through the provision of information, employees, interviews, materials, databases, or any and all other items required to fully investigate and resolve any such incidents and provide information necessary to provide required notifications. Service Provider agrees to take such remedial actions as the Parties mutually agree is warranted, such agreement not to be unreasonably withheld by Service Provider.
9.5. Service Provider shall not disclose, without Company’s prior written approval, any information related to the suspected Security Incident to any third party other than a vendor hired to investigate/mitigate such Security Incident and bound by confidentiality and non-disclosure obligations, except as required by Applicable Law.
9.6. Notwithstanding any other limitation of liability or other indemnification obligation contained in the Underlying Agreement, Service Provider agrees to indemnify Company for all losses resulting from any Security Incident due to negligence or willful misconduct by Service Provider, its agents, its affiliates, or any Subprocessor retained by Service Provider, including but not limited to costs associated with investigating the Security Incident, expenses associated with making notices or providing support to impacted Data Subjects, legal damages, government penalties, and/or mitigation expenses.
Appears in 1 contract
Sources: Data Protection Addendum
Security Incidents. 9.1. Service Provider agrees to notify Company without undue delay but in all cases within twenty-four (24) hours of discovery of any actual or suspected Security Incident of which it becomes aware, including those occurring at its Subprocessors. Service Provider agrees to take such reasonable, remedial actions warranted to investigate and halt the root cause of such incident to the extent it is ongoing.
9.2. In the course of notification to Company, Service Provider will provide to Company, as feasible, sufficient information for Company to assess the Security Incident and make any required notification to any Government Authority within the timeline required by Applicable Law. Such information must include, but is not necessarily limited to:
A. The nature of the Security Incident, the categories and approximate number of data subjects and Personal Data records involved;
B. The likely consequences of the Security Incident, in so far as consequences are able to be determined; and
C. Any measures taken or proposed to be taken to address or mitigate the incident.
9.3. Company will decide on the basis of all available information and Applicable Law if notification to Data Subjects and/or Government Authorities is required or deemed prudent by Company. Where Company determines that notice should be provided, Service Provider shall reimburse Company for all reasonable costs associated with providing notice to affected individuals and Government Authorities, unless Service Provider demonstrates that the breach was caused by Company’s negligence or willful misconduct.
9.4. In the event of a Security Incident relating to the Personal Data collected or received under this Underlying Agreement, Service Provider agrees to assist and fully cooperate as instructed by Company with any internal investigation or external investigation by third parties, such as law enforcement, through the provision of information, employees, interviews, materials, databases, or any and all other items required to fully investigate and resolve any such incidents and provide information necessary to provide required notifications. Service Provider agrees to take such remedial actions as the Parties mutually agree is warranted, such agreement not to be unreasonably withheld by Service Provider.
9.5. Service Provider shall not disclose, without Company’s prior written approval, any information related to the suspected Security Incident to any third party other than a vendor hired to investigate/mitigate such Security Incident and bound by confidentiality and non-disclosure obligations, except as required by Applicable Law.
9.6. Notwithstanding any other limitation of liability or other indemnification obligation contained in the Underlying Agreement, Service Provider agrees to indemnify Company for all losses resulting from any Security Incident due to negligence or willful misconduct by Service Provider, its agents, its affiliates, or any Subprocessor retained by Service Provider, including but not limited to costs associated with investigating the Security Incident, expenses associated with making notices or providing support to impacted Data Subjects, legal damages, government penalties, and/or mitigation expenses.
Appears in 1 contract
Sources: Data Protection Addendum
Security Incidents. 9.1. Service Provider agrees to notify Company without undue delay but in all cases within twenty-four (24) hours of discovery of any actual or suspected Security Incident of which it becomes aware, including those occurring at its Subprocessors. Service Provider agrees to take such reasonable, remedial actions warranted to investigate and halt the root cause of such incident to the extent it is ongoing.
9.2. In the course of notification to Company, Service Provider will provide to Company, as feasible, sufficient information for Company to assess the Security Incident and make any required notification to any Government Authority within the timeline required by Applicable Law. Such information must include, but is not necessarily limited to:
A. The nature of the Security Incident, the categories and approximate number of data subjects and Personal Data records involved;
B. The likely consequences of the Security Incident, in so far as consequences are able to be determined; and
C. Any measures taken or proposed to be taken to address or mitigate the incident.
9.3. Company will decide on the basis of all available information and Applicable Law if notification to Data Subjects and/or Government Authorities is required or deemed prudent by Company. Where Company determines that notice should be provided, Service Provider shall reimburse Company for all reasonable costs associated with providing notice to affected individuals and Government Authorities, unless Service Provider demonstrates that the breach was caused by Company’s negligence or willful misconduct.
9.4. In the event of a Security Incident relating to the Personal Data collected or received under this Underlying Agreement, Service Provider agrees to assist and fully cooperate as instructed by Company with any internal investigation or external investigation by third parties, such as law enforcement, through the provision of information, employees, interviews, materials, databases, or any and all other items required to fully investigate and resolve any such incidents and provide information necessary to provide required notifications. Service Provider agrees to take such remedial actions as the Parties mutually agree is warranted, such agreement not to be unreasonably withheld by Service Provider.
9.5. Service Provider shall not disclose, without Company’s prior written approval, any information related to the suspected Security Incident to any third party other than a vendor hired to investigate/mitigate such Security Incident and bound by confidentiality and non-disclosure obligations, except as required by Applicable Law.
9.6. Notwithstanding any other limitation of liability or other indemnification obligation contained in the Underlying Agreement, Service Provider agrees to indemnify Company for all losses resulting from any Security Incident due to negligence or willful misconduct by Service Provider, its agents, its affiliates, or any Subprocessor retained by Service Provider, including but not limited to costs associated with investigating the Security Incident, attorney and consultant fees, expenses associated with making notices to Data Subjects or Government Authorities, providing support (including credit monitoring and call centers) to impacted Data Subjects, legal damages, government penalties, and/or mitigation expenses.
Appears in 1 contract
Sources: Data Protection Addendum