DallasNews Corp - (DALN)

10-K Filing Date: March 06, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

Overview

Cybersecurity threats and computer crime pose a risk to the security of the Company’s information technology (“IT”) systems and those of third-party service providers with whom it does business, as well as the confidentiality, integrity and availability of the data stored on those systems. As part of our overall risk management framework, the Company has developed and maintains an information security program consisting of policies, procedures, systems, controls and technology designed to help prevent, identify, detect and mitigate cybersecurity risks.

Prevention, Identification, Detection and Mitigation Processes

Effective assessment, identification and management of material risks from cybersecurity threats involve a comprehensive and proactive approach. The Company’s key processes include, but are not limited to, the following:

Cybersecurity Policies and Procedures: The Company’s IT department has developed and implemented cybersecurity policies and procedures designed to align with industry best practices, such as the National Institute of Standards and Technology Cybersecurity Framework, and applicable regulatory requirements.

Incident Response Plan: The Company has developed and maintains an incident response plan that outlines the steps to be taken in the event of a cybersecurity incident. Annual testing is conducted to determine the effectiveness of the incident response plan, and maintenance of backup and protective systems is performed as needed.

Employee Training and Awareness: Mandatory ongoing cybersecurity training is provided to all employees to educate them about potential cybersecurity risks. Management fosters a culture of cybersecurity awareness and encourages employees to be proactive in identifying and reporting security issues.

Access Control and Authentication: The IT department maintains strong access controls and multi-factor authentication to ensure that only authorized personnel have access to sensitive systems and data. This access is regularly reviewed and updated as needed based on job roles and responsibilities.


DallasNews Corporation 2023 Annual Report on Form 10-K


Security Control: The IT department has implemented and continually monitors security controls, including firewalls, end-point detection and response, intrusion detection/prevention systems, file integrity monitoring and data encryption, to protect against cybersecurity threats. These tools and controls are regularly updated to address vulnerabilities and ensure the security of information technology infrastructure.

Reviews of IT Internal Controls: Reviews are performed by the Company’s internal audit team to assess the effectiveness of IT internal controls and compliance with regulatory policies and cybersecurity best practices, and any identified weaknesses are promptly addressed.

Vulnerability Scans: Vulnerability scans are executed quarterly across the environment to proactively identify software weaknesses and vulnerabilities that could be exploited in a cybersecurity attack. Any identified vulnerabilities are promptly addressed.

Encryption and Data Protection: Encryption methods are in place to protect certain sensitive data. There are also programs in place to monitor and secure the Company’s retained data.

Asset Inventory: The Company maintains an up-to-date inventory of all assets, including hardware, software, data and network infrastructure. Assets critical to the Company’s operations have been identified and prioritized accordingly.

Continuous Monitoring: The IT department has implemented monitoring tools and processes to detect and respond to cybersecurity threats in real time.

A third-party security information and event management (“SIEM”) partner provides security monitoring and alerts twenty-four hours a day, seven days a week. The Company engages an independent Qualified Security Assessor organization to perform penetration testing in order to validate the Company’s Payment Card Industry (“PCI”) compliance and adherence to the PCI Data Security Standard. The Company also collaborates with outside legal counsel to ensure compliance with regulatory requirements.

The Company has implemented and continues to maintain its IT policies, standards, procedures, and controls to oversee, identify and manage cybersecurity risks associated with third-party service providers. These include, but are not limited to, an IT acceptable use policy, a contractor/consultant work policy and a vendor management policy.

Impact of Risks from Cybersecurity Threats

The Company has experienced cybersecurity incidents in the ordinary course of business and will continue to experience risks from cybersecurity threats that could have a material adverse effect on its business strategy, results of operations, or financial condition. Although prior cybersecurity incidents have not had a material adverse effect on the Company’s business strategy, results of operations, or financial condition to date, any actual or perceived breach of its security could cause operational disruption and result in delays or inability to produce, print and deliver its publications and other third-party print publications, damage the Company’s reputation, cause the Company to lose existing customers, prevent the Company from attracting new customers, or subject the Company to third-party lawsuits, regulatory investigations and fines or other actions or liabilities, any of which could materially adversely affect the Company’s business strategy, results of operations, or financial condition. In addition, more resources may be needed for the security of the Company’s information technology systems in the future, which could increase the cost of doing business or otherwise materially adversely affect the Company’s business strategy, results of operations, or financial condition.

Governance

Both management and the Company’s board of directors are involved in the oversight of risks from cybersecurity threats. The Company’s information security program is designed to ensure that management and the board of directors are adequately informed about, and provided with the tools necessary to monitor, (i) material risks from cybersecurity threats and (ii) the Company’s efforts related to the prevention, detection, mitigation and remediation of cybersecurity incidents.

Role of the Board of Directors

The board of directors has delegated to the Audit Committee oversight responsibility for the Company’s risk management, including cybersecurity. The Audit Committee receives an annual comprehensive report from the Company’s President and Chief Financial Officer (“CFO”) and Vice President (“VP”) of IT Operations and Strategy covering the Company’s cybersecurity posture, incidents, if any, and risk mitigation efforts, and receives ad hoc reporting of any material cybersecurity incidents.



Role of Management

Management plays a crucial role in assessing and managing material risks from cybersecurity threats. At the management level, the Company’s cybersecurity risk management and strategy is led by its VP of IT Operations and Strategy, who reports to the CFO. The qualifications of the VP of IT Operations and Strategy include 25 years of IT management, cybersecurity and information governance experience. The VP of IT Operations and Strategy is regularly informed about the latest developments in cybersecurity, including emerging threats and technologies to adapt security measures accordingly. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation and remediation of cybersecurity incidents. Management’s role includes:

Risk Assessment: Management conducts annual cybersecurity risk assessments to identify and evaluate potential threats and vulnerabilities. Management considers the likelihood and potential impact of various cybersecurity risks, considering the Company’s assets, systems and operations, in order to prioritize mitigation efforts.

Cybersecurity Policies and Procedures: Management reviews and approves the Company’s cybersecurity policies and procedures and communicates these policies and procedures to all employees to ensure adherence to established security protocols.

Incident Response Plan Oversight: Management reviews, updates and approves the Company’s incident response plan. Management ensures that the plan is tested annually to determine the Company’s ability to respond effectively.

Compliance with Regulations: Management implements and maintains compliance with relevant cybersecurity regulations and standards applicable to the Company.

Budgeting and Resource Allocation: Management reviews budgets for cybersecurity initiatives and ensures that adequate resources are allocated to address cybersecurity risks and that investments in cybersecurity align with the Company’s risk tolerance and strategic objectives.

Reporting to the Audit Committee: Management provides an annual comprehensive report to the Audit Committee on the Company’s cybersecurity posture, incident response activities and risk mitigation efforts.

The VP of IT Operations and Strategy is promptly informed of potential cybersecurity risks, threats and vulnerabilities by the Company’s IT security team or the Company’s SIEM partner. Once an incident has been identified, the VP of IT Operations and Strategy and the IT security team assess the criticality and impact of the incident on the Company’s business operations. The VP of IT Operations and Strategy then formulates and oversees a response to contain, eradicate and resolve incidents in accordance with the Company’s incident response plan. Management is responsible for reporting incidents to the appropriate authorities as necessary and engaging the Audit Committee on all material incidents.