Installed Building Products, Inc.

“of the Board, which is responsible for oversight of our cybersecurity risk management processes. The chairman of our Audit Committee has earned a CERT Certificate in Cybersecurity Oversight from the National Association of Corporate Directors, which aids the Audit Committee’s understanding of cybersecurity risks and assists the Audit Committee in overseeing the risk management program.”

“The Audit Committee and the Board actively participate in discussions with management and amongst themselves regarding cybersecurity risks. Senior leadership, including our CIO, briefs the Board and the Audit Committee on cybersecurity risks and the effectiveness of our cybersecurity program as part of updates on our overall ERM program. Our Vice President of Internal”

“Audit also provides the Audit Committee with an assessment of any material changes to cybersecurity risks and controls as a result of cybersecurity threats on at least a semi-annual basis.”

“IT and/or IS inform the CIO concerning cybersecurity risks and events, including any mitigation and remediation efforts. Cybersecurity incidents are escalated to the Incident Response Team (“IRT”), which is headed by the CIO. The IRT is responsible for overseeing our incident response strategy, including remediation. For ongoing events, those responsible for investigating the incident are required to continuously update the IRT and the CIO until the event is considered to be resolved. Significant cybersecurity incidents are referred to a committee responsible for evaluating whether the inciden…”

“using criteria based on our ERM program. This committee is comprised of a cross functional team of various senior members of management including the areas of Finance, Accounting, Legal, IT, IS and Risk.”