Common use of Your Internal Security Clause in Contracts

Your Internal Security. You bear sole responsibility for establishing, maintaining, implementing and updating policies, procedures, equipment and software (“Internal Security Controls”) that ensure the security and integrity of your processes, equipment (including telecommunications and computer systems) and information, protect them from any unauthorized use, intrusion, takeover or theft, and prevent your Access Credentials from any unauthorized discovery or use (collectively “Internal Security Breaches”). You bear all risk of fraudulent transfers and other losses or disclosures arising from your Internal Security Breaches or from the interception of your communications prior to their receipt by us (collectively “Internal Security Losses”). We will not reimburse your Internal Security Losses. You agree that we are authorized to execute, and it is commercially reasonable for us to execute, any instruction received by us and authenticated by your Access Credentials. You are encouraged to consider purchasing insurance to cover your Internal Security Losses. To protect your system from Internal Security Breaches, your Internal Security Controls should consider including: i. Limiting and controlling who has access to your computer systems; ii. Protecting and frequently changing your internal passcodes and Service Access Credentials; iii. Adopting dual authorization and/or transaction-based authentication procedures for financial transfers where available; iv. Employing up-to-date security software such as anti-virus, anti-malware and anti-spyware programs, as well as up-to-date software patches for all your software programs, internet browsers, email programs, and the like; v. Using effective, up-to-date firewalls; vi. Procedures to avoid infection by malicious software, such as: controlling what websites are visited by your computers; controlling the connection of other devices (e.g., flash drives) to your computers; controlling what documents, email attachments, programs and other files are opened or installed on your computers; and limiting which of your computers are used for online banking; vii. Reconciling all Accounts (including online monitoring) on a daily basis, and immediately reporting any discrepancies; viii. Prohibiting your Authorized Users from leaving computers unattended or from communicating or accessing sensitive information from insecure locations (e.g., terminals or networks at Internet cafes or airports); ix. Allowing Services to be accessed only from secure locations such as your premises;

Your Internal Security. (non-consumer customers only). You bear sole responsibility for establishing, maintaining, implementing and updating policies, procedures, equipment and software (“Internal Security Controls”) that ensure the security and integrity of your processes, equipment (including telecommunications and computer systems) , Mobile Devices and information, protect them from any unauthorized use, intrusion, takeover or theft, and prevent your Access Credentials from any unauthorized discovery or use (collectively “Internal Security Breaches”). You bear all risk of fraudulent transfers and other losses or disclosures arising from your Internal Security Breaches or from the interception of your communications prior to their receipt by us (collectively “Internal Security Losses”). We will not reimburse your Internal Security Losses. You agree that we are authorized to execute, and it is commercially reasonable for us to execute, any instruction received by us and authenticated by your Access Credentials. You are encouraged to consider purchasing insurance to cover your Internal Security Losses. To help protect your system from Internal Security Breaches, your Internal Security Controls program should consider including: i. : • Verifying all instructions from your payees (e.g., ensure new or changed payment addresses were not communicated by an imposter); • Limiting and controlling who has access to your computer systems; ii. systems and Mobile Devices; • Protecting and frequently changing your internal passcodes and Service Access Credentials; iii. ; • Adopting dual authorization and/or transaction-based authentication procedures for financial transfers where available; iv. transfers; • Employing up-to-date security software such as anti-virus, anti-malware and anti-spyware programs, as well as up-to-date software patches for all your software programs, internet browsers, email e-mail programs, and the like; v. like (such as IBM® Trusteer RapportTM software); • Prohibiting the disabling or modification the security features of any software or hardware (e.g., “jailbreaking” of mobile devices); and prohibiting the use of “burner” mobile devices. • Using effective, up-to-date firewalls; vi. ; • Procedures to avoid infection by malware and malicious softwarecode, such as: controlling what software and applications are downloaded to your computers and Mobile Devices; controlling what websites are visited by your computerscomputers and Mobile Devices; controlling the connection of other devices (e.g., flash drives) to your computerscomputers and Mobile Devices; controlling what documents, email e-mail attachments, programs and other files are opened or installed on your computerscomputers and Mobile Devices; and limiting which of your computers and Mobile Devices are used for online banking; vii. Digital Banking or other financial matters; • Reconciling all Accounts (including online monitoring) accounts on a daily basis, and immediately reporting any discrepancies; viii. ; • Prohibiting your Authorized Users from leaving computers a computer or Mobile Device unattended while connected to Bank’s systems, or from communicating or accessing sensitive information from insecure locations (e.g., terminals or networks at Internet cafes or airports); ix. ; • Allowing Services Digital Banking to be accessed only from secure locations locations; and • Adopting such other recommendations that we may (but are not obligated to) make from time to time to help promote safe use of our services. This is not a complete listing of the Internal Security Controls that you may need. You are solely responsible for determining and implementing all of the Internal Security Controls necessary to prevent your Internal Security Breaches and Internal Security Losses. We have no duty to review your Internal Security Controls, identify deficiencies or make recommendations. We do not represent or warrant that any or all of the above recommendations or any future recommendations are adequate for your needs or will prevent Security Losses. We may at any time (but are not required to) limit access to any Digital Banking Channel or function to only those customers who have adopted specific Internal Security Controls. Our specification of any required Internal Security Controls shall not constitute a representation or warranty that they (a) are adequate for your security needs or will prevent any Internal Security Breach or Internal Security Losses, or (b) will be compatible with any computer system or other Internal Security Controls. You remain at all times solely responsible for your Internal Security Controls, Internal Security Breaches and Internal Security Losses. Although we may employ various systems and procedures from time to time to prevent losses by us, we assume no obligation for your Internal Security Losses. Zions Bancorporation, N.A.’s primary licensor for the Mobile Banking Software is mFoundry, Inc. (and/or one or more affiliates thereof, hereafter collectively “mFoundry”). mFoundry authorizes and requires Zions Bancorporation, N.A. to enter into the following end user agreement (the “End User Agreement”) with you for the use of mFoundry’s “Software” (defined below). By enrolling in Zions Bancorporation, N.A.’s Mobile Banking service, and during such time as your premises;Zions Bancorporation, N.A. maintains its rights to license the mFoundry Software, you hereby agree as follows:

Your Internal Security. (non-consumer customers only). You bear sole responsibility for establishing, maintaining, implementing and updating policies, procedures, equipment and software (“Internal Security Controls”) that ensure the security and integrity of your processes, equipment (including telecommunications and computer systems) , Mobile Devices and information, protect them from any unauthorized use, intrusion, takeover or theft, and prevent your Access Credentials from any unauthorized discovery or use (collectively “Internal Security Breaches”). You bear all risk of fraudulent transfers and other losses or disclosures arising from your Internal Security Breaches or from the interception of your communications prior to their receipt by us (collectively “Internal Security Losses”). We will not reimburse your Internal Security Losses. You agree that we are authorized to execute, and it is commercially reasonable for us to execute, any instruction received by us and authenticated by your Access Credentials. You are encouraged to consider purchasing insurance to cover your Internal Security Losses. To help protect your system from Internal Security Breaches, your Internal Security Controls program should consider including: i. : • Verifying all instructions from your payees (e.g., ensure new or changed payment addresses were not communicated by an imposter); • Limiting and controlling who has access to your computer systems; ii. systems and Mobile Devices; • Protecting and frequently changing your internal passcodes and Service Access Credentials; iii. ; • Adopting dual authorization and/or transaction-based authentication procedures for financial transfers where available; iv. transfers; • Employing up-to-date security software such as anti-virus, anti-malware and anti-spyware programs, as well as up-to-date software patches for all your software programs, internet browsers, email e-mail programs, and the like; v. like (such as IBM® Trusteer RapportTM software); • Prohibiting the disabling or modification the security features of any software or hardware (e.g., “jailbreaking” of mobile devices); and prohibiting the use of “burner” mobile devices. • Using effective, up-to-date firewalls; vi. ; • Procedures to avoid infection by malware and malicious softwarecode, such as: controlling what software and applications are downloaded to your computers and Mobile Devices; controlling what websites are visited by your computerscomputers and Mobile Devices; controlling the connection of other devices (e.g., flash drives) to your computerscomputers and Mobile Devices; controlling what documents, email e-mail attachments, programs and other files are opened or installed on your computerscomputers and Mobile Devices; and limiting which of your computers and Mobile Devices are used for online banking; vii. Digital Banking or other financial matters; • Reconciling all Accounts (including online monitoring) accounts on a daily basis, and immediately reporting any discrepancies; viii. ; • Prohibiting your Authorized Users from leaving computers a computer or Mobile Device unattended while connected to Bank’s systems, or from communicating or accessing sensitive information from insecure locations (e.g., terminals or networks at Internet cafes or airports); ix. ; • Allowing Services Digital Banking to be accessed only from secure locations locations; and • Adopting such as other recommendations that we may (but are not obligated to) make from time to time to help promote safe use of our services. This is not a complete listing of the Internal Security Controls that you may need. You are solely responsible for determining and implementing all of the Internal Security Controls necessary to prevent your premises;Internal Security Breaches and Internal Security Losses. We have no duty to review your Internal Security Controls, identify deficiencies or make recommendations. We do not represent or warrant that any or all of the above recommendations or any future recommendations are adequate for your needs or will prevent Security Losses. We may at any time (but are not required to) limit access to any Digital Banking Channel or function to only those customers who have adopted specific Internal Security Controls. Our specification of any required Internal Security Controls shall not constitute a representation or warranty that they (a) are adequate for your security needs or will prevent any Internal Security Breach or Internal Security Losses, or (b) will be compatible with any computer system or other Internal Security Controls. You remain at all times solely responsible for your Internal Security Controls, Internal Security Breaches and Internal Security Losses. Although we may employ various systems and procedures from time to time to prevent losses by us, we assume no obligation for your Internal Security Losses.

Your Internal Security. You bear sole responsibility for establishingagree to establish, maintainingimplement, implementing maintain and updating update (as appropriate) policies, procedures, equipment and software (“Internal Security Controls”) that, with respect to the initiation, processing and storage of ACH, wire and other transactions, will: (a) protect the confidentiality and integrity of non-public personal information, including financial information, of a natural person used to create or contained within an ACH or other Order and any related addenda record (“Protected Information”) until its destruction, (b) protect against anticipated threats or hazards to the security or integrity of Protected Information until its destruction, (c) protect against unauthorized use of Protected Information that ensure could result in harm to a natural person, and (d) comply with all applicable regulatory guidelines on access to and security for the systems you use to initiate, process, and store ACH, wire and other transactions. Your Internal Security Controls must also safeguard the security and integrity of your processes, equipment (including telecommunications computer system and computer systems) and information, protect them information from any unauthorized use, intrusion, takeover or theft, and prevent your Access Credentials Password from any unauthorized discovery or use (collectively “Internal Security Breaches”). You bear all risk of fraudulent transfers and other losses or disclosures arising from your Internal Security Breaches or from the interception of your communications prior to their receipt by us (collectively “Internal Security Losses”). We will not reimburse your you in connection with Internal Security Losses. You agree that we are authorized to execute, and it is commercially reasonable for us to execute, any instruction received by us and authenticated by with your Access CredentialsPassword. You are encouraged to consider purchasing insurance to cover your Internal Security Losses. To protect your system from Internal Security Breaches, your Internal Security Controls should consider including: i. a. Limiting and controlling who has access to your computer systems; ii. b. Protecting and frequently changing your internal passcodes and Service Access Credentials; iii. c. Adopting dual authorization default setting of “return” for Payee Positive Pay and ACH Positive Pay exception items; d. Adopting Dual Control and/or transaction-based authentication procedures for financial transfers and templates where available; iv. e. Employing up-to-date security software such as anti-virus, anti-malware and anti-spyware programs, as well as up-to-date software patches for all your software programs, internet browsers, email programs, and the like; v. f. Using effective, up-to-date firewalls; vi. Procedures g. Maintaining procedures to avoid infection by malicious software, such as: controlling what websites are visited by your computers; controlling the connection of other devices (e.g., flash drives) to your computers; controlling what documents, email attachments, programs and other files are opened or installed on your computers; and limiting which of your computers are used for online bankingonlinebanking; vii. Reconciling all Accounts (including online monitoring) on a daily basis, and immediately reporting any discrepancies; viii. Prohibiting your Authorized Users from leaving computers unattended or from communicating or accessing sensitive information from insecure locations (e.g., terminals or networks at Internet cafes or airports); ix. Allowing Services to be accessed only from secure locations such as your premises;

Your Internal Security. You bear sole responsibility for establishingagree to establish, maintainingimplement, implementing maintain and updating update (as appropriate) policies, procedures, equipment and software (“Internal Security Controls”) that, with respect to the initiation, processing and storage of ACH, wire and other transactions, will: (a) protect the confidentiality and integrity of non-public personal information, including financial information, of a natural person used to create or contained within an ACH or other Order and any related addenda record (“Protected Information”) until its destruction, (b) protect against anticipated threats or hazards to the security or integrity of Protected Information until its destruction, (c) protect against unauthorized use of Protected Information that ensure could result in harm to a natural person, and (d) comply with all applicable regulatory guidelines on access to and security for the systems you use to initiate, process, and store ACH, wire and other transactions. Your Internal Security Controls must also safeguard the security and integrity of your processes, equipment (including telecommunications computer system and computer systems) and information, protect them information from any unauthorized use, intrusion, takeover or theft, and prevent your Access Credentials Password from any unauthorized discovery or use (collectively “Internal Security Breaches”). You bear all risk of fraudulent transfers and other losses or disclosures arising from your Internal Security Breaches or from the interception of your communications prior to their receipt by us (collectively “Internal Security Losses”). We will not reimburse your you in connection with Internal Security Losses. You agree that we are authorized to execute, and it is commercially reasonable for us to execute, any instruction received by us and authenticated by with your Access CredentialsPassword. You are encouraged to consider purchasing insurance to cover your Internal Security Losses. To protect your system from Internal Security Breaches, your Internal Security Controls should consider including: i. a. Limiting and controlling who has access to your computer systems; ii. b. Protecting and frequently changing your internal passcodes and Service Access Credentials; iii. c. Adopting dual authorization default setting of “return” for Payee Positive Pay and ACH Positive Pay exception items; d. Adopting Dual Control and/or transaction-based authentication procedures for financial transfers and templates where available; iv. e. Employing up-to-date security software such as anti-virus, anti-malware and anti-spyware programs, as well as up-to-date software patches for all your software programs, internet browsers, email programs, and the like; v. f. Using effective, up-to-date firewalls; vi. Procedures g. Maintaining procedures to avoid infection by malicious software, such as: controlling what websites are visited by your computers; controlling the connection of other devices (e.g., flash drives) to your computers; controlling what documents, email attachments, programs and other files are opened or installed on your computers; and limiting which of your computers are used for online banking; vii. Reconciling all Accounts (including online monitoring) on a daily basis, and immediately reporting any discrepancies; viii. Prohibiting your Authorized Users from leaving computers unattended or from communicating or accessing sensitive information from insecure locations (e.g., terminals or networks at Internet cafes or airports); ix. Allowing Services to be accessed only from secure locations such as your premises;

Your Internal Security. (non-consumer customers only). You bear sole responsibility for establishing, maintaining, implementing and updating policies, procedures, equipment and software (“Internal Security Controls”) that ensure the security and integrity of your processes, equipment (including telecommunications and computer systems) , Mobile Devices and information, protect them from any unauthorized use, intrusion, takeover or theft, and prevent your Access Credentials from any unauthorized discovery or use (collectively “Internal Security Breaches”). You bear all risk of fraudulent transfers and other losses or disclosures arising from your Internal Security Breaches or from the interception of your communications prior to their receipt by us (collectively “Internal Security Losses”). We will not reimburse your Internal Security Losses. You agree that we are authorized to execute, and it is commercially reasonable for us to execute, any instruction received by us and authenticated by your Access Credentials. You are encouraged to consider purchasing insurance to cover your Internal Security Losses. To help protect your system from Internal Security Breaches, your Internal Security Controls program should consider including: i. : • Verifying all instructions from your payees (e.g., ensure new or changed payment addresses was not communicated by an imposter); • Limiting and controlling who has access to your computer systems; ii. systems and Mobile Devices; • Protecting and frequently changing your internal passcodes and Service Access Credentials; iii. ; • Adopting dual authorization and/or transaction-based authentication procedures for financial transfers where available; iv. transfers; • Employing up-to-date security software such as anti-virus, anti-malware and anti-spyware programs, as well as up-to-date software patches for all your software programs, internet browsers, email e-mail programs, and the like; v. like (such as IBM® Trusteer RapportTM software); • Prohibiting the disabling or modification the security features of any software or hardware (e.g., “jailbreaking” of mobile devices); and prohibiting the use of “burner” mobile devices. • Using effective, up-to-date firewalls; vi. ; • Procedures to avoid infection by malware and malicious softwarecode, such as: controlling what software and applications are downloaded to your computers and Mobile Devices; controlling what websites are visited by your computerscomputers and Mobile Devices; controlling the connection of other devices (e.g., flash drives) to your computerscomputers and Mobile Devices; controlling what documents, email e-mail attachments, programs and other files are opened or installed on your computerscomputers and Mobile Devices; and limiting which of your computers and Mobile Devices are used for online banking; vii. Digital Banking or other financial matters; • Reconciling all Accounts (including online monitoring) accounts on a daily basis, and immediately reporting any discrepancies; viii. ; • Prohibiting your Authorized Users from leaving computers a computer or Mobile Device unattended while connected to Bank’s systems, or from communicating or accessing sensitive information from insecure locations (e.g., terminals or networks at Internet cafes or airports); ix. ; • Allowing Services Digital Banking to be accessed only from secure locations locations; and • Adopting such other recommendations that we may (but are not obligated to) make from time to time to help promote safe use of our services. This is not a complete listing of the Internal Security Controls that you may need. You are solely responsible for determining and implementing all of the Internal Security Controls necessary to prevent your Internal Security Breaches and Internal Security Losses. We have no duty to review your Internal Security Controls, identify deficiencies or make recommendations. We do not represent or warrant that any or all of the above recommendations or any future recommendations are adequate for your needs or will prevent Security Losses. We may at any time (but are not required to) limit access to any Digital Banking Channel or function to only those customers who have adopted specific Internal Security Controls. Our specification of any required Internal Security Controls shall not constitute a representation or warranty that they will (a) are adequate for your security needs or will prevent any Internal Security Breach or Internal Security Losses, or (b) will be compatible with any computer system or other Internal Security Controls. You remain at all times solely responsible for your Internal Security Controls, Internal Security Breaches and Internal Security Losses. Although we may employ various systems and procedures from time to time to prevent losses by us, we assume no obligation for your Internal Security Losses. ZB, N.A.’s primary licensor for the Mobile Banking Software is mFoundry, Inc. (and/or one or more affiliates thereof, hereafter collectively “mFoundry”). mFoundry authorizes and requires ZB, N.A. to enter into the following end user agreement (the “End User Agreement”) with you for the use of mFoundry’s “Software” (defined below). By enrolling in ZB, N.A.’s Mobile Banking service, and during such time as your premises;ZB, N.A. maintains its rights to license the mFoundry Software, you hereby agree as follows:

Your Internal Security. (non-consumer customers only) You bear sole responsibility for establishing, maintaining, implementing and updating policies, procedures, equipment and software (“Internal Security Controls”) that ensure the security and integrity of your processes, equipment (including telecommunications and computer systems) , Mobile Devices and information, protect them from any unauthorized use, intrusion, takeover or theft, and prevent your Access Credentials from any unauthorized discovery or use (collectively “Internal Security Breaches”). You bear all risk of fraudulent transfers and other losses or disclosures arising from your Internal Security Breaches or from the interception of your communications prior to their receipt by us (collectively “Internal Security Losses”). We will not reimburse your Internal Security Losses. You agree that we are authorized to execute, and it is commercially reasonable for us to execute, any instruction received by us and authenticated by your Access Credentials. You are encouraged to consider purchasing insurance to cover your Internal Security Losses. To help protect your system from Internal Security Breaches, your Internal Security Controls program should consider including: i. : • Verifying all instructions from your payees (e.g., ensure new or changed payment addresses were not communicated by an imposter); • Limiting and controlling who has access to your computer systems; ii. systems and Mobile Devices; • Protecting and frequently changing your internal passcodes and Service Access Credentials; iii. ; • Adopting dual authorization and/or transaction-based authentication procedures for financial transfers where available; iv. transfers; • Employing up-to-date security software such as anti-virus, anti-malware and anti-spyware programs, as well as up-to-date software patches for all your software programs, internet browsers, email e-mail programs, and the like; v. like (such as IBM® Trusteer RapportTM software); • Prohibiting the disabling or modification the security features of any software or hardware (e.g., “jailbreaking” of mobile devices); and prohibiting the use of “burner” mobile devices. • Using effective, up-to-date firewalls; vi. ; • Procedures to avoid infection by malware and malicious softwarecode, such as: controlling what software and applications are downloaded to your computers and Mobile Devices; controlling what websites are visited by your computerscomputers and Mobile Devices; controlling the connection of other devices (e.g., flash drives) to your computerscomputers and Mobile Devices; controlling what documents, email e-mail attachments, programs and other files are opened or installed on your computerscomputers and Mobile Devices; and limiting which of your computers and Mobile Devices are used for online banking; vii. Digital Banking or other financial matters; • Reconciling all Accounts (including online monitoring) accounts on a daily basis, and immediately reporting any discrepancies; viii. Prohibiting your Authorized Users from leaving computers unattended or from communicating or accessing sensitive information from insecure locations (e.g., terminals or networks at Internet cafes or airports); ix. Allowing Services to be accessed only from secure locations such as your premises;