New SEC rules put a premium on advance planning and response strategies for potential cybersecurity breaches.

BY ROSE ZU AND MATT SAIDEL


A Primer for Investor Relations Professionals


Colonial Pipeline. MGM. Change Healthcare. At first glance, these are not companies you typically group together, but they all have the dubious honor in recent years (and even the past few months) of being victims of widely disruptive ransomware attacks. Ransomware—a type of malware that hackers use to encrypt critical systems or data unless payment is made—can be profoundly disruptive to any organization’s operations. These attacks have become more common and more expensive to remediate and recover from. According to Statista, more than 72% of businesses worldwide were affected by ransomware attacks in 2023 compared to 56% in 2019. Over the same period, Chainalysis reports that hackers were paid nearly $1 billion annually by firms to resolve ransomware incidents.

As scary as that is, ransomware is only one form of cybersecurity threat: Statista counted 8 million data records breached in the fourth quarter of 2023 alone, and IBM estimates that the average cost to resolve a data breach was nearly $4.5 million per breach.

These numbers show that cybersecurity incidents—whether responding to a live incident or preparing for the likelihood of one occurring—are increasingly becoming a fact of life for companies, and the costs to resolve and remediate them are significant, and often material. With increased frequency and cost, it is little wonder that investors are focusing on their portfolio companies’ cybersecurity protocols. Adding to the scope of investor scrutiny are the new rules on cybersecurity disclosures that the U.S. Securities and Exchange Commission (SEC) announced last year.


Understanding the SEC Disclosure Requirements

Adopted on July 26, 2023, the new SEC rules on cybersecurity require both incident reporting and annual reporting on risk mitigation and governance. Material cybersecurity incidents are required to be disclosed within four business days “after a registrant determines that a cybersecurity incident is material.”


niri.org/irupdate  IR UPDATE ■ SPRING 2024  15

