Common use of Privacy and Cybersecurity Clause in Contracts

Privacy and Cybersecurity. (a) Except as would not, individually or in the aggregate, reasonably be expected to be material to the Bank and the Transferred Subsidiaries, taken as a whole, (i) the Bank and the Transferred Subsidiaries are in compliance with all applicable Privacy Laws, the Payment Card Industry Data Security Standard and with all public-facing privacy policies that cover the Bank and the Transferred Subsidiaries; (ii) since January 1, 2019, there has been no unauthorized access, use, modification, disclosure or other misuse of the Personal Information or other information in respect of customers (including borrowers, depositors, clients and counterparties) of the Bank and the Transferred Subsidiaries in the possession or under the control of the Bank or the Transferred Subsidiaries, or other Persons performing services on behalf of the Bank or the Transferred Subsidiaries (with respect to the business of the Bank and the Transferred Subsidiaries), in each case, other than incidents that were resolved without cost, liability or the duty to notify any Person. (b) Except as would not, individually or in the aggregate, reasonably be expected to be material to the Bank and the Transferred Subsidiaries, taken as a whole, (i) the Bank and the Transferred Subsidiaries own or have a license, service agreement or other right to use all IT Assets that are used in their respective businesses, (ii) the Bank and the Transferred Subsidiaries have implemented commercially reasonable IT Asset and data security, relevant data backup and business continuity procedures with respect to all IT Assets used in the businesses of the Bank and the Transferred Subsidiaries (and all information, including Personal Information, processed thereby), (iii) the IT Assets owned or controlled by the Bank or the

Privacy and Cybersecurity. (a) Except as would not, individually or in the aggregate, reasonably be expected to be material to have a Material Adverse Effect on the Bank and the Transferred Subsidiaries, taken as a wholeCompany, (i) the Bank Company and its Subsidiaries have provided reasonable notice to their customers of their privacy and Personal Information collection and use policies on their websites and through other customer and public communications and the Transferred Company and its Subsidiaries are have complied with such policies, corresponding contractual requirements and all Privacy Laws relating to (A) the privacy of the users of the Company’s and its Subsidiaries’ respective products, services and websites and (B) the collection, use, processing, storage and disclosure of any Personal Information collected, used, processed, stored or disclosed by the Company or any of its Subsidiaries, (ii) there is no Action pending or, to the Knowledge of Seller, threatened against the Company or any of its Subsidiaries alleging any violation of such policies, corresponding contractual requirements or Privacy Laws, (iii) neither the execution and delivery of this Agreement nor the consummation of the Transactions will violate any such policy, corresponding contractual requirements or Privacy Laws and (iv) the Company and its Subsidiaries have taken commercially reasonable steps consistent with normal industry practice and in compliance with all applicable Privacy LawsLaws in relation to data security, data protection or data privacy to protect Personal Information against loss and unauthorized access, use, modification, disclosure or other misuse, and, to the Payment Card Industry Data Security Standard and with all public-facing privacy policies that cover Knowledge of Seller, in the Bank and the Transferred Subsidiaries; prior three (ii3) since January 1, 2019year period, there has been no unauthorized access, use, modification, disclosure or other misuse of the Personal Information such data or other information in respect of customers (including borrowers, depositors, clients and counterparties) of the Bank and the Transferred Subsidiaries in the possession or under the control of the Bank or the Transferred Subsidiaries, or other Persons performing services on behalf of the Bank or the Transferred Subsidiaries (with respect to the business of the Bank and the Transferred Subsidiaries), in each case, other than incidents that were resolved without cost, liability or the duty to notify any Personinformation. (b) Except as would not, individually or in the aggregate, reasonably be expected to be material to have a Material Adverse Effect on the Bank and the Transferred Subsidiaries, taken as a wholeCompany, (i) the Bank and Company IT Assets, taken together with the Transferred Subsidiaries own or have a license, service agreement or other right to use all IT Assets that are used will be provided pursuant to the Transitional Services Agreement, perform in a manner that permits the Company and its Subsidiaries to conduct their respective businessesbusinesses as currently conducted, (ii) the Bank Company and the Transferred its Subsidiaries have implemented take commercially reasonable actions, consistent with current industry standards, to protect the confidentiality, integrity and security of the Company IT Asset Assets (and all information and transactions stored or contained therein or transmitted thereby) against any unauthorized use, access, interruption, modification or corruption, including the implementation of commercially reasonable data securitybackup, relevant data backup disaster avoidance and recovery procedures and business continuity procedures with respect to all IT Assets used in the businesses of the Bank procedures, and the Transferred Subsidiaries (and all information, including Personal Information, processed thereby), (iii) to the Knowledge of Seller, in the prior three (3) year period, there has been no unauthorized use, access, interruption, modification or corruption of the Company IT Assets owned (or controlled by the Bank any information or thetransactions stored or contained therein or transmitted thereby).

Privacy and Cybersecurity. (a) Except The Company and its Subsidiaries are in compliance in all material respects with, and during the past three (3) years have been in compliance in all material respects with, (i) all applicable Laws relating to the privacy and/or collection, retention, protection and use of personal information collected, used, or held for use in connection with the business of the Company or its Subsidiaries, (ii) the Company’s and its Subsidiaries’ published privacy, cybersecurity and data security policies, as would notapplicable, and (iii) the Company’s and its Subsidiaries’ contractual obligations concerning cybersecurity, data security and the security of the information technology systems used by the Company and its Subsidiaries (the foregoing (i)-(iii), “Privacy and Cybersecurity Requirements”), other than any non-compliance that, individually or in the aggregate, has not been and would not reasonably be expected to be material to the Bank Company and its Subsidiaries. There are not, and have not been, any Actions by any Person, or any investigations by any Governmental Authority, pending or, to the Transferred Subsidiariesknowledge of the Company, taken as threatened against the Company or its Subsidiaries alleging a wholeviolation of any Privacy and Cybersecurity Requirements. The Company and its Subsidiaries take appropriate measures to protect personal information against unauthorized access, use, modification, or other misuse, including through administrative, technical and physical safeguards. (b) During the past three (3) years, (i) there have been, no security breaches of the Bank Company IT Systems, and the Transferred Subsidiaries are in compliance with all applicable Privacy Laws, the Payment Card Industry Data Security Standard and with all public-facing privacy policies that cover the Bank and the Transferred Subsidiaries; (ii) since January 1, 2019, there has been no failure, breakdown, performance reduction, disruption, or other adverse event affecting any Company IT Systems that adversely affected the Company’s and its Subsidiaries’ business or operations. The Company and its Subsidiaries have aligned their cybersecurity practices with relevant industry standards, carried out external and internal penetration tests and vulnerability assessments of the Company IT Systems and their business environment to identify any cybersecurity threats and have remediated any and all material vulnerabilities identified through such tests and assessments. (c) The Company and its Subsidiaries have established and maintained, and use reasonable efforts to ensure that all third Persons controlling Company IT Systems or processing personal information in connection with a product or service of the Company or its Subsidiaries have established and maintained, commercially reasonable and legally compliant measures to protect the Company IT Systems and all Trade Secrets and personal information in their possession or control against unauthorized access, use, modification, disclosure or other misuse misuse, including through written internal and external policies and procedures, and organizational, administrative, technical and physical safeguards. To the knowledge of the Personal Information or other information in respect of customers (including borrowersCompany, depositors, clients and counterparties) neither the Company nor any Subsidiary of the Bank and Company, nor, to the Transferred Subsidiaries in the possession or under the control knowledge of the Bank Company, any third Person controlling any Company IT System or the Transferred Subsidiariesprocessing personal information on their behalf, has (i) experienced any incident in which such information was stolen or other Persons performing services on behalf improperly accessed, including in connection with a breach of the Bank security or the Transferred Subsidiaries (ii) received any written notice or complaint from any Person with respect to the business any of the Bank and foregoing, nor has any such notice or complaint been threatened in writing against the Transferred Company or any of the Company’s Subsidiaries), in each case, other than incidents that were resolved without cost, liability or the duty to notify any Person. (bd) Except as would not, individually or in the aggregate, reasonably be expected to be material to the Bank and the Transferred Subsidiaries, taken as a whole, (i) the Bank and the Transferred Subsidiaries own or have a license, service agreement or other right to use all IT Assets that are used in their respective businesses, (ii) the Bank and the Transferred Subsidiaries have implemented commercially reasonable IT Asset and data security, relevant data backup and business continuity procedures with respect to all IT Assets used in the businesses The consummation of the Bank transactions contemplated hereby shall not breach or otherwise cause any violation in any material respect of any Privacy and the Transferred Subsidiaries (and all information, including Personal Information, processed thereby), (iii) the IT Assets owned or controlled by the Bank or theCybersecurity Requirements.

Privacy and Cybersecurity. (a) Except as would notThe Company and its Subsidiaries are in compliance with, and during the past three (3) years have been in compliance with, (i) all applicable Laws relating to the privacy and/or security of personal information, (ii) the Company’s and its Subsidiaries’ posted or publicly facing privacy policies, and (iii) the Company’s and its Subsidiaries’ contractual obligations concerning cybersecurity, data security and the security of the information technology systems used by the Company and its Subsidiaries (the foregoing clauses (i) through (iii), “Privacy and Cybersecurity Requirements”), other than any non-compliance that, individually or in the aggregate, has not been and would not reasonably be expected to be material to the Bank Company and its Subsidiaries. There are not, and have not been in the Transferred Subsidiariespast three (3) years, taken as any Actions by any Person, or any investigations by any Governmental Authority, pending to which the Company or any of the Company’s Subsidiaries is a wholenamed party or, to the knowledge of the Company, threatened in writing against the Company or its Subsidiaries alleging a violation of any Privacy and Cybersecurity Requirements. (b) During the past three (3) years, (i) there have been no material breaches of the Bank security of, and the Transferred Subsidiaries are in compliance with all applicable Privacy Laws, the Payment Card Industry Data Security Standard and with all public-facing privacy policies that cover the Bank and the Transferred Subsidiaries; (ii) since January 1, 2019, there has have been no failure, breakdown, performance reduction, disruption, or other adverse event that materially adversely affected the Company’s and its Subsidiaries’ business or operations with respect to, any Company IT Systems owned or controlled by the Company or its Subsidiaries, or to the knowledge of the Company, those controlled by any third Person. The Company and its Subsidiaries have materially aligned their cybersecurity practices with relevant industry standards (including by carrying out penetration tests and vulnerability assessments of the Company IT Systems controlled by the Company or its Subsidiaries and their business environment) and have remediated any and all material identified vulnerabilities. (c) The Company and its Subsidiaries have established and at all times maintained, and use all commercially reasonable efforts to ensure that all third Persons controlling Company IT Systems or processing personal information in connection with a product or service of the Company or its Subsidiaries have established and maintained, commercially reasonable and legally compliant measures to protect the Company IT Systems and all trade secrets, material confidential information, and sensitive or personally identifiable information in their possession or control against unauthorized access, use, modification, disclosure or other misuse misuse, including through written internal and external policies and procedures, and organizational, administrative, technical and physical safeguards. Neither the Company nor any Subsidiary of the Personal Information or other information in respect of customers (including borrowersCompany, depositorsnor, clients and counterparties) to the knowledge of the Bank and the Transferred Subsidiaries Company, any third Person controlling any Company IT System or processing personal information on their behalf, has (A) experienced any material incident in the possession which such information was stolen or under the control improperly accessed, including in connection with a breach of the Bank or the Transferred Subsidiariessecurity, or other Persons performing services on behalf of the Bank (B) received any written notice or the Transferred Subsidiaries (complaint from any Person with respect to the business any of the Bank and foregoing, nor has any such notice or complaint been threatened in writing against the Transferred Company or any of the Company’s Subsidiaries), in each case, other than incidents that were resolved without cost, liability or the duty to notify any Person. (bd) Except as would notTo the knowledge of the Company, individually the consummation of the transactions contemplated hereby shall not breach or otherwise cause any violation in any material respect of any Privacy and Cybersecurity Requirements, or result in the aggregate, reasonably be expected to be material to the Bank and the Transferred Subsidiaries, taken as a whole, (i) the Bank and the Transferred Company or any of its Subsidiaries own being prohibited from receiving or have a license, service agreement or other right to use all IT Assets that are used in their respective businesses, (ii) the Bank and the Transferred Subsidiaries have implemented commercially reasonable IT Asset and data security, relevant data backup and business continuity procedures with respect to all IT Assets used using any personal information in the businesses of the Bank and the Transferred Subsidiaries (and all information, including Personal Information, processed thereby), (iii) the IT Assets owned manner currently received or controlled by the Bank or theused.

Privacy and Cybersecurity. (a) Except as would notThe Company and its Subsidiaries are in compliance with, and during the past three (3) years have been in compliance with, (i) all applicable Laws governing privacy and/or security of personal information, (ii) the Company’s and its Subsidiaries’ posted or publicly facing privacy policies, and (iii) the Company’s and its Subsidiaries’ contractual obligations concerning cybersecurity, data security and the security of the information technology systems used by the Company and its Subsidiaries (the foregoing clauses (i)-(iii), “Privacy and Cybersecurity Requirements”), other than any non-compliance that, individually or in the aggregate, has not been and would not reasonably be expected to be material to the Bank Company and its Subsidiaries. There are not, and have not been in the Transferred past three (3) years, any Actions by any Person or, to the knowledge of the Company, by any Governmental Authority, pending to which the Company or any of the Company’s Subsidiaries is a named party or, to the knowledge of the Company, threatened in writing against the Company or its Subsidiaries alleging a violation of any Privacy and Cybersecurity Requirements. (b) During the past three (3) years, there have been no material breaches of the security of any Company IT Systems owned or controlled by the Company or its Subsidiaries, or to the knowledge of the Company, those controlled by any third Person. The Company and its Subsidiaries have implemented and maintained commercially reasonable cybersecurity practices (including by carrying out penetration tests and vulnerability assessments of the Company IT Systems controlled by the Company or its Subsidiaries and their business environment to identify any cybersecurity threats) and have remediated any and all material vulnerabilities identified in such tests and assessments. (c) The Company and its Subsidiaries have taken as appropriate actions (including implementing commercially reasonable technical, physical or administrative safeguards) to ensure that all third Persons controlling Company IT Systems or processing personal information in connection with a wholeproduct or service of the Company or its Subsidiaries have taken commercially reasonable and legally compliant measures to protect the Company IT Systems and all Trade Secrets, (i) the Bank material confidential information, and the Transferred Subsidiaries are sensitive or personally identifiable information in compliance with all applicable Privacy Lawstheir possession or under their control against any unauthorized use, the Payment Card Industry Data Security Standard and with all public-facing privacy policies that cover the Bank and the Transferred Subsidiaries; (ii) since January 1, 2019, there has been no unauthorized access, use, modification, disclosure or other misuse misuse, including when such personal information is provided or made available to third Persons, through policies or procedures and organizational, contractual, administrative, technical or physical safeguards. Neither the Company nor any Subsidiary of the Personal Information or other information in respect of customers (including borrowersCompany, depositorsnor, clients and counterparties) to the knowledge of the Bank and Company, any third Person controlling any Company IT System or processing personal information on their behalf, has experienced any material incident in which such information was stolen or improperly accessed, including in connection with a breach of security. Neither the Transferred Company nor any of its Subsidiaries in the possession has received any written notice or under the control of the Bank or the Transferred Subsidiaries, or other Persons performing services on behalf of the Bank or the Transferred Subsidiaries (complaint from any Person with respect to the business any of the Bank and foregoing, nor has any such notice or complaint been threatened in writing against the Transferred Company or any of the Company’s Subsidiaries), in each case, other than incidents that were resolved without cost, liability or the duty to notify any Person. (bd) Except as would notTo the knowledge of the Company, individually the consummation of the transactions contemplated hereby shall not breach or otherwise cause any violation in any material respect by the Company or its Subsidiaries of any Privacy and Cybersecurity Requirements, or result in the aggregate, reasonably be expected to be material to the Bank and the Transferred Subsidiaries, taken as a whole, (i) the Bank and the Transferred Company or any of its Subsidiaries own being prohibited from receiving or have a license, service agreement or other right to use all IT Assets that are used in their respective businesses, (ii) the Bank and the Transferred Subsidiaries have implemented commercially reasonable IT Asset and data security, relevant data backup and business continuity procedures with respect to all IT Assets used using any personal information in the businesses of the Bank and the Transferred Subsidiaries (and all information, including Personal Information, processed thereby), (iii) the IT Assets owned manner currently received or controlled used by the Bank Company or theits Subsidiaries.

Privacy and Cybersecurity. (a) Except as would not, individually or in the aggregate, reasonably be expected to be material to the Bank and the Transferred Subsidiaries, taken as a whole, (i) the Bank and the Transferred Subsidiaries are in compliance with all applicable Privacy Laws, the Payment Card Industry Data Security Standard and with all public-facing privacy policies that cover the Bank and the Transferred Subsidiaries; (ii) since January 1, 2019, there has been no unauthorized access, use, modification, disclosure or other misuse of the Personal Information or other information in respect of customers (including borrowers, depositors, clients and counterparties) of the Bank and the Transferred Subsidiaries in the possession or under the control of the Bank or the Transferred Subsidiaries, or other Persons performing services on behalf of the Bank or the Transferred Subsidiaries (with respect to the business of the Bank and the Transferred Subsidiaries), in each case, other than incidents that were resolved without cost, liability or the duty to notify any Person. (b) Except as would not, individually or in the aggregate, reasonably be expected to be material to the Bank and the Transferred Subsidiaries, taken as a whole, (i) the Bank and the Transferred Subsidiaries own or have a license, service agreement or other right to use all IT Assets that are used in their respective businesses, (ii) the Bank and the Transferred Subsidiaries have implemented commercially reasonable IT Asset and data security, relevant data backup and business continuity procedures with respect to all IT Assets used in the businesses of the Bank and the Transferred Subsidiaries (and all information, including Personal Information, processed thereby), (iii) the IT Assets owned or controlled by the Bank or thethe Transferred Subsidiaries are in good working order and operate and perform in accordance with their applicable specifications and as required in connection with the operation of the business of the Bank and the Transferred Subsidiaries as currently conducted, (iv) such IT Assets are free of defects, vulnerabilities, viruses, malware and other corruptants and (v) since January 1, 2019, there has been no material unauthorized use, access, interruption, modification or corruption of the IT Assets used by the Bank or the Transferred Subsidiaries (or any information or transactions stored or contained therein or transmitted thereby, including any information in respect of customers (including borrowers, depositors, clients and counterparties) of the Bank and the Transferred Subsidiaries).

Privacy and Cybersecurity. (a) Except The Company and its Subsidiaries maintain and are in compliance with, and during the last five (5) years have maintained and been in compliance with all Data Protection Requirements. To the extent Company and its Subsidiaries use Artificial Intelligence (“AI”)/Machine Learning (“ML”) models to conduct their operations and/or create their product and services, Company and its Subsidiaries have taken all necessary steps and obtained necessary rights, permissions, and approvals to permit the use of Personal Data in such AI/ML products and services. There are no pending Actions by any Person, or to the knowledge of the Company, any circumstances that may reasonably be expected to lead to an Action (including by any Governmental Authority) against the Company or any of its Subsidiaries alleging a violation of any third Person’s privacy or Personal Data rights by the Company or its Subsidiaries in connection with the foregoing, except as would not, individually or in the aggregate, not reasonably be expected to be material to the Bank business of the Company and the Transferred Subsidiaries, its Subsidiaries taken as a whole. The Company and its Subsidiaries have taken all necessary steps or, prior to Closing, will obtain any necessary rights, permissions, and approvals to permit the transfer of Personal Data in connection with the consummation of the Transactions, and such transfer will not violate in any material respect any applicable Laws. (i) During the Bank last five (5) years, there have been no breaches of the security of the IT Systems of the Company and its Subsidiaries, including actual or potential unauthorized access, destruction, loss, use, modification, or disclosure of Personal Data owned, stored, used, maintained, or controlled by the Transferred Company and its Subsidiaries, and (ii) during the last five (5) years, there have been no disruptions in any IT Systems, in each case, that materially adversely affected the Company’s and its Subsidiaries’ business or operations, and have not been remedied in all material respects. The IT Systems used by the Company and its Subsidiaries in the conduct of their business: (A) are sufficient for the conduct of its business as currently conducted and as proposed to be conducted, by the Company and its Subsidiaries as of the Closing; (B) are in good working condition, ordinary wear and tear excepted, to effectively perform all computing, information technology, and data processing operations necessary for the conduct of its business; (C) are free of any material viruses, defects, bugs, and errors; and (D) are in compliance with all applicable Privacy Laws. The Company and its Subsidiaries take commercially reasonable measures (and any other measures required by applicable Law) to protect IT Systems and Personal Data owned, stored, used, maintained or controlled by or on behalf of the Payment Card Industry Data Security Standard Company and with all public-facing privacy policies that cover the Bank its Subsidiaries from and the Transferred Subsidiaries; (ii) since January 1, 2019, there has been no against unauthorized access, use, modification, disclosure or other misuse misuse, including through implementation and adherence to industry standard administrative, technical and physical safeguards and policies such as, but not limited to, data backup plans, disaster avoidance and recovery procedures, business continuity procedures, and encryption and other security protocols. Neither the Company nor any Subsidiary of the Company has (A) experienced any material incident in which Personal Information Data was stolen or other information improperly accessed, including in connection with a breach of security or Company’s and its Subsidiaries’ IT Systems, (B) received any written notice or complaint from any Person with respect of customers (including borrowers, depositors, clients and counterparties) to any of the Bank and foregoing incident, or has any such notice or complaint been threatened in writing against the Transferred Subsidiaries in the possession Company or under the control any of the Bank or the Transferred Company’s Subsidiaries, or (C) experienced any failures, breakdowns, continued substandard performance, or other Persons performing services on behalf adverse events affecting Company and any of its Subsidiaries’ IT Systems. Each employee of the Bank Company or the Transferred any of its Subsidiaries (with respect has received training regarding information security that is relevant to each such employee’s role and responsibility within the business of the Bank and the Transferred Subsidiaries)such employee’s access to Personal Data, in each case, IT Systems and other than incidents that were resolved without cost, liability or the duty to notify any Person. (b) Except as would not, individually or in the aggregate, reasonably be expected to be material to the Bank data and the Transferred Subsidiaries, taken as a whole, (i) the Bank and the Transferred Subsidiaries own or have a license, service agreement or other right to use all IT Assets that are used in their respective businesses, (ii) the Bank and the Transferred Subsidiaries have implemented commercially reasonable IT Asset and data security, relevant data backup and business continuity procedures with respect to all IT Assets information used in the businesses conduct of the Bank and Company’s or the Transferred Subsidiaries (and all information, including Personal Information, processed thereby), (iii) the IT Assets owned or controlled by the Bank or theapplicable Company Subsidiary’s business.

Privacy and Cybersecurity. (a) Except as would notThe Company and its Subsidiaries are in compliance with, and during the past three (3) years have been in compliance with, (i) all applicable Laws relating to the privacy and/or security of personal information, (ii) the Company’s and its Subsidiaries’ posted or publicly facing privacy policies, and (iii) the Company’s and its Subsidiaries’ contractual obligations concerning cybersecurity, data security and the security of the information technology systems used by the Company and its Subsidiaries (the foregoing clauses (i)-(iii), “Privacy and Cybersecurity Requirements”), other than any non-compliance that, individually or in the aggregate, has not been and would not reasonably be expected to be material to the Bank Company and its Subsidiaries. There are not, and have not been in the Transferred Subsidiariespast three (3) years, taken as any Actions by any Person, or any investigations by any Governmental Authority, pending to which the Company or any of the Company’s Subsidiaries is a wholenamed party or, to the knowledge of the Company, threatened in writing against the Company or its Subsidiaries alleging a violation of any Privacy and Cybersecurity Requirements. (b) During the past three (3) years, (i) there have been no material breaches of the Bank security of, and the Transferred Subsidiaries are in compliance with all applicable Privacy Laws, the Payment Card Industry Data Security Standard and with all public-facing privacy policies that cover the Bank and the Transferred Subsidiaries; (ii) since January 1, 2019, there has have been no failure, breakdown, performance reduction, disruption, or other adverse event that materially adversely affected the Company’s and its Subsidiaries’ business or operations with respect to, any Company IT Systems owned or controlled by the Company or its Subsidiaries, or to the knowledge of the Company, those controlled by any third Person. The Company and its Subsidiaries have materially aligned their cybersecurity practices with relevant industry standards (including by carrying out penetration tests and vulnerability assessments of the Company IT Systems controlled by the Company or its Subsidiaries and their business environment) and have remediated any and all material identified vulnerabilities. (c) The Company and its Subsidiaries have established and at all times maintained, and use all reasonable efforts to ensure that all third Persons controlling Company IT Systems or processing personal information in connection with a product or service of the Company or its Subsidiaries have established and maintained, commercially reasonable and legally compliant measures to protect the Company IT Systems and all trade secrets, material confidential information, and sensitive or personally identifiable information in their possession or control against unauthorized access, use, modification, disclosure or other misuse misuse, including through written internal and external policies and procedures, and organizational, administrative, technical and physical safeguards. Neither the Company nor any Subsidiary of the Personal Information or other information in respect of customers (including borrowersCompany, depositorsnor, clients and counterparties) to the knowledge of the Bank and the Transferred Subsidiaries Company, any third Person controlling any Company IT System or processing personal information on their behalf, has (A) experienced any material incident in the possession which such information was stolen or under the control improperly accessed, including in connection with a breach of the Bank or the Transferred Subsidiariessecurity, or other Persons performing services on behalf of the Bank (B) received any written notice or the Transferred Subsidiaries (complaint from any Person with respect to the business any of the Bank and foregoing, nor has any such notice or complaint been threatened in writing against the Transferred Company or any of the Company’s Subsidiaries), in each case, other than incidents that were resolved without cost, liability or the duty to notify any Person. (bd) Except as would notTo the knowledge of the Company, individually the consummation of the transactions contemplated hereby shall not breach or otherwise cause any violation in any material respect of any Privacy and Cybersecurity Requirements, or result in the aggregate, reasonably be expected to be material to the Bank and the Transferred Subsidiaries, taken as a whole, (i) the Bank and the Transferred Company or any of its Subsidiaries own being prohibited from receiving or have a license, service agreement or other right to use all IT Assets that are used in their respective businesses, (ii) the Bank and the Transferred Subsidiaries have implemented commercially reasonable IT Asset and data security, relevant data backup and business continuity procedures with respect to all IT Assets used using any personal information in the businesses of the Bank and the Transferred Subsidiaries (and all information, including Personal Information, processed thereby), (iii) the IT Assets owned manner currently received or controlled by the Bank or theused.