Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended

Nov. 30, 2025

Cybersecurity Risk Management, Strategy, and Governance [Line Items]

Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy.  We have policies and procedures for identifying, assessing and managing material risks

associated with cybersecurity threats.  To help protect our IT resources, we have instituted administrative, physical and

technical controls and processes and commissioned third-party assessments.  The technical defense measures we have

implemented are designed to address vulnerabilities that may arise, including from a security control failure.  These measures

currently involve a combination of artificial intelligence; machine learning computer network monitoring; malware and

antivirus resources; firewall systems; and endpoint detection and response.  We also utilize cloud service defenses; Internet

address and content filtering monitoring software intended to secure against known malicious websites and potential data

exfiltration; and enterprise gateway security for workforce mobile devices and applications.  Additionally, a variety of cyber

intelligence and threat monitoring sources provide us with ongoing updates on potential or emerging risks.  For all these

measures we rely on third-party providers that we believe are capable of performing the service for which they have been

engaged or on certain governmental agencies.  Before we engage a third-party provider for these types of services and

resources, we typically conduct a security review involving, as relevant to the service or resource, discussions with the

provider’s security personnel, evaluation of auditor reports, and other requested information and documentation. 

We evaluate, and adjust as determined appropriate, our cybersecurity strategies and measures based on the above-noted

threat monitoring sources, learnings from periodic incident response tabletop exercises in which members of senior

management participate; penetration tests and scanning exercises; and an annual cybersecurity and/or cloud security risk

assessment conducted with help from outside experts informed by the National Institute of Standards and Technology

Cybersecurity framework.  Our IT function also undertakes a specific risk review, assisted in part by independent consultants

and other third parties, that is integrated into the overall annual enterprise risk management assessment the board of directors’

audit and compliance committee oversees.  Our internal audit department incorporates the results from this risk review, and

cybersecurity-related enhancements identified through the review, in designing and conducting its IT function audits, in some

cases with a third-party firm’s assistance.

To support the ongoing identification and management of cybersecurity issues, all employees are required to complete

cybersecurity awareness training, including social engineering, password best practices, data classification and phishing

awareness, with additional training for handling of customer personal information.  We also publish a monthly security

awareness newsletter along with performing ongoing internal phishing assessments.

We also consider and evaluate cybersecurity risks associated with KBHS and third-party service providers that we have

identified as having the greatest potential to expose us to cybersecurity threats.  We have established due diligence procedures

with KBHS and such third-party service providers, as well as communication channels as part of their breach and incident

response processes.  We also review annually the System and Organization Controls reports of third-party vendors hosting our

data to ensure they maintain adequate access management controls including physical safeguards, disaster recovery capabilities,

data privacy and notification processes, onboarding processes, incident response procedures and periodic independent testing of

the vendor capabilities.  We depend on our third-party service providers, KBHS and outside service providers to our customers

with whom we share some personal identifying and confidential information to secure the information they receive from us. 

Our business strategy, results of operations, or financial condition may be materially affected if our IT resources are

compromised, whether by an intentional attack, natural or man-made disaster, electricity blackout, IT/cybersecurity failure,

systems misconfiguration, denial-of-service attacks, service provider error, mismanaged user access protocols, personnel action,

or otherwise.  Depending on source or severity, among other factors, should any such compromise(s) occur, we may be severely

limited in conducting operations for an extended period, experience internal control failures, be cut off from assets or funds,

face reputational damage, lose customers and related revenues and/or have private party or governmental legal proceedings

instituted against us, and incur significant expenses to resolve any such issues.  Similar impacts may result from a substantial

disruption, or security incident or breach, suffered by KBHS or an outside service provider to our customers, which could also

result in sensitive personal information being publicly disclosed or misused.

Cybersecurity Risk Management Processes Integrated [Flag]

true

Cybersecurity Risk Management Processes Integrated [Text Block]

We evaluate, and adjust as determined appropriate, our cybersecurity strategies and measures based on the above-noted

threat monitoring sources, learnings from periodic incident response tabletop exercises in which members of senior

management participate; penetration tests and scanning exercises; and an annual cybersecurity and/or cloud security risk

assessment conducted with help from outside experts informed by the National Institute of Standards and Technology

Cybersecurity framework.  Our IT function also undertakes a specific risk review, assisted in part by independent consultants

and other third parties, that is integrated into the overall annual enterprise risk management assessment the board of directors’

audit and compliance committee oversees.

Cybersecurity Risk Management Third Party Engaged [Flag]

true

Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]

true

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]

false

Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance.  Our management is responsible for the ongoing assessment of, and for developing and implementing our

strategies and measures to address, material cybersecurity risks.  Our board of directors through its audit and compliance

committee oversees management’s cybersecurity assessment activities and protective strategies and measures.  This includes

engaging in periodic reviews with management covering, among other things, our cybersecurity practices and risks.  Several of

our directors have experience with overseeing cybersecurity practices and incident management.  Our chief information officer

(“CIO”) periodically provides this review to the audit and compliance committee, with the most recent review conducted in

January 2026.  The CIO, who has more than 35 years of experience in IT and cybersecurity, is supported by a chief information

security officer, who has more than 30 years of experience in IT and cybersecurity, and various employees and dedicated

contract personnel experienced with IT and cybersecurity matters who are responsible for procuring, using, maintaining,

updating and evaluating the cybersecurity measures detailed above.  These individuals also hold numerous cloud, security and

privacy certifications. 

We have a cybersecurity incident response plan (“CIRP”) that, among other things. defines roles and responsibilities,

outlines steps for managing a cybersecurity event that is assessed to be a cybersecurity incident, including determining whether

such an incident is material and required to be publicly disclosed per SEC rules, and specifies internal and external

communication channels with respect to a cybersecurity incident.  Our IT function, which is led by the CIO, maintains and is

initially responsible for executing on our CIRP and specific runbooks, which describe processes for evaluating and escalating,

depending on severity, within the enterprise and up to our senior executive management and board of directors the

cybersecurity threats and incidents, or potential threats or incidents, identified through our cybersecurity measures.  This team

also maintains other policies and procedures concerning cybersecurity matters, such as encryption standards, antivirus

protection, remote access, multifactor authentication, data classification, confidential information and the use of the internet,

social media, email and wireless devices.  We also maintain insurance coverage for cybersecurity insurance as part of our

overall insurance portfolio.

Our IT systems have faced a variety of phishing, denial-of-service and other attacks.  Although we have not identified any

cybersecurity incidents during the fiscal years covered by this report that have materially affected or are reasonably likely to

materially affect our business strategy, consolidated results of operations or consolidated financial condition, we can provide no

assurance that our security measures will be successful and therefore we may experience a cybersecurity incident that materially

affects our business strategy, consolidated results of operations, consolidated financial condition or reputation, including, but

not limited to those described above.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]

Our board of directors through its audit and compliance committee oversees management’s cybersecurity assessment activities and protective strategies and measures.

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

Our chief information officer

(“CIO”) periodically provides this review to the audit and compliance committee, with the most recent review conducted in

January 2026.

Cybersecurity Risk Role of Management [Text Block]

Our chief information officer

(“CIO”) periodically provides this review to the audit and compliance committee, with the most recent review conducted in

January 2026.  The CIO, who has more than 35 years of experience in IT and cybersecurity, is supported by a chief information

security officer, who has more than 30 years of experience in IT and cybersecurity, and various employees and dedicated

contract personnel experienced with IT and cybersecurity matters who are responsible for procuring, using, maintaining,

updating and evaluating the cybersecurity measures detailed above.  These individuals also hold numerous cloud, security and

privacy certifications. 

We have a cybersecurity incident response plan (“CIRP”) that, among other things. defines roles and responsibilities,

outlines steps for managing a cybersecurity event that is assessed to be a cybersecurity incident, including determining whether

such an incident is material and required to be publicly disclosed per SEC rules, and specifies internal and external

communication channels with respect to a cybersecurity incident.  Our IT function, which is led by the CIO, maintains and is

initially responsible for executing on our CIRP and specific runbooks, which describe processes for evaluating and escalating,

depending on severity, within the enterprise and up to our senior executive management and board of directors the

cybersecurity threats and incidents, or potential threats or incidents, identified through our cybersecurity measures.  This team

also maintains other policies and procedures concerning cybersecurity matters, such as encryption standards, antivirus

protection, remote access, multifactor authentication, data classification, confidential information and the use of the internet,

social media, email and wireless devices.  We also maintain insurance coverage for cybersecurity insurance as part of our

overall insurance portfolio.

Cybersecurity Risk Management Positions or Committees Responsible [Flag]

true

Cybersecurity Risk Management Positions or Committees Responsible [Text Block]

Our management is responsible for the ongoing assessment of, and for developing and implementing our

strategies and measures to address, material cybersecurity risks.  Our board of directors through its audit and compliance

committee oversees management’s cybersecurity assessment activities and protective strategies and measures.  This includes

engaging in periodic reviews with management covering, among other things, our cybersecurity practices and risks.  Several of

our directors have experience with overseeing cybersecurity practices and incident management.  Our chief information officer

(“CIO”) periodically provides this review to the audit and compliance committee, with the most recent review conducted in

January 2026.  The CIO, who has more than 35 years of experience in IT and cybersecurity, is supported by a chief information

security officer, who has more than 30 years of experience in IT and cybersecurity, and various employees and dedicated

contract personnel experienced with IT and cybersecurity matters who are responsible for procuring, using, maintaining,

updating and evaluating the cybersecurity measures detailed above.  These individuals also hold numerous cloud, security and

privacy certifications. 

We have a cybersecurity incident response plan (“CIRP”) that, among other things. defines roles and responsibilities,

outlines steps for managing a cybersecurity event that is assessed to be a cybersecurity incident, including determining whether

such an incident is material and required to be publicly disclosed per SEC rules, and specifies internal and external

communication channels with respect to a cybersecurity incident.  Our IT function, which is led by the CIO, maintains and is

initially responsible for executing on our CIRP and specific runbooks, which describe processes for evaluating and escalating,

depending on severity, within the enterprise and up to our senior executive management and board of directors the

cybersecurity threats and incidents, or potential threats or incidents, identified through our cybersecurity measures.  This team

also maintains other policies and procedures concerning cybersecurity matters, such as encryption standards, antivirus

protection, remote access, multifactor authentication, data classification, confidential information and the use of the internet,

social media, email and wireless devices.  We also maintain insurance coverage for cybersecurity insurance as part of our

overall insurance portfolio.

Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

The CIO, who has more than 35 years of experience in IT and cybersecurity, is supported by a chief information

security officer, who has more than 30 years of experience in IT and cybersecurity, and various employees and dedicated

contract personnel experienced with IT and cybersecurity matters who are responsible for procuring, using, maintaining,

updating and evaluating the cybersecurity measures detailed above.  These individuals also hold numerous cloud, security and

privacy certifications.

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

Our chief information officer

(“CIO”) periodically provides this review to the audit and compliance committee, with the most recent review conducted in

January 2026.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]

true