XML 33 R24.htm IDEA: XBRL DOCUMENT v3.23.2
Cyber Related Matters
 6 Months Ended
May 31, 2023
Health Care Organizations [Abstract]  
Cyber Related Matters Cyber Related Matters
November 2022 Cyber Incident

Following the detection of irregular activity on certain portions of our corporate network, we engaged outside cybersecurity experts and other incident response professionals to conduct a forensic investigation and assess the extent and scope of the cyber incident. Cyber incident costs relate to the engagement of external cybersecurity experts and other incident response professionals. We incurred $1.5 million and $4.2 million of cyber incident costs for the three and six month periods ended May 31, 2023, respectively. Costs are provided net of received and expected insurance recoveries of approximately $3.0 million, which was recognized during the first quarter of fiscal year 2023. The timing of recognizing insurance recoveries may differ from the timing of recognizing the associated expenses.

MOVEit Vulnerability

On the evening of May 28, 2023, our MOVEit technical support team received an initial customer support call indicating unusual activity within their MOVEit Transfer instance. An investigative team was mobilized and, on May 30, 2023, the
investigative team discovered a zero-day vulnerability in MOVEit Transfer (including our cloud-hosted version of MOVEit Transfer known as MOVEit Cloud). The investigative team determined the zero-day vulnerability (the “MOVEit Vulnerability”) could provide for unauthorized escalated privileges and access to the customer’s underlying environment in both MOVEit Transfer (the on-premise version) and MOVEit Cloud (a cloud-hosted version of MOVEit Transfer that we deploy in both (i) a public cloud format, as well as (ii) for a small group of customers, in a customer-dedicated cloud instance which is managed separately from the public-cloud).

The Company has engaged outside cybersecurity experts and other incident response professionals to conduct a forensic investigation and assess the extent and scope of the MOVEit Vulnerability. As the investigation remains ongoing, the Company will continue to assess the potential impact on its business, operations and financial results. MOVEit Transfer and MOVEit Cloud represented approximately 4% in aggregate of the Company’s revenue for the six months ended May 31, 2023.

Litigation and Governmental Investigations

As of the date of the filing of this report on Form 10-Q, (i) four customers that claim to have been impacted by the MOVEit Vulnerability have indicated that they intend to seek indemnification from the Company related to the MOVEit Vulnerability, and (ii) there have been eleven class action lawsuits filed by individuals who claim to have been impacted by exfiltration of data from the environments of our MOVEit Transfer customers. The Company has also been cooperating with several inquiries and one formal investigation from domestic and foreign law enforcement agencies and data privacy regulators.

Expenses Incurred and Future Costs

Given that the MOVEit Vulnerability occurred near the end of the current quarter, we incurred minimal costs during the second quarter of fiscal year 2023. We expect to incur investigation, legal and professional services expenses associated with the MOVEit Vulnerability in future periods. We will recognize these expenses as services are received, net of received and expected insurance recoveries. While a loss from these matters is possible, we cannot reasonably estimate a range of possible losses at this time and our investigation into the matter is ongoing. Furthermore, with respect to the litigation, the proceedings remain in the early stages, alleged damages have not been specified, there is uncertainty as to the likelihood of a class or classes being certified or the ultimate size of any class if certified, and there are significant factual and legal issues to be resolved. Therefore, we have not recorded a loss contingency liability for the MOVEit Vulnerability as of May 31, 2023.

Insurance Coverage

We maintain cybersecurity insurance and other types of insurance coverage for up to $15.0 million in losses, which are expected to reduce our exposure to liabilities arising from the November 2022 cyber incident and the MOVEit Vulnerability. We will pursue recoveries to the maximum extent available under the policies. As of May 31, 2023, we have recorded approximately $3.0 million in insurance recoveries, all of which was related to the November 2022 cyber incident, providing us with $12.0 million of additional coverage (which is subject to a $0.5 million per claim deductible).