XML 45 R29.htm IDEA: XBRL DOCUMENT v3.23.4
Cyber Related Matters
 12 Months Ended
Nov. 30, 2023
Health Care Organizations [Abstract]  
Cyber Related Matters Cyber Related Matters
November 2022 Cyber Incident

Following the detection of irregular activity on certain portions of our corporate network, we engaged outside cybersecurity experts and other incident response professionals to conduct a forensic investigation and assess the extent and scope of the incident. Costs for this incident were primarily related to the engagement of external cybersecurity experts and other incident response professionals. For
the fiscal year ended November 30, 2023, we incurred $4.7 million of costs related to this incident. Costs are provided net of insurance recoveries of $2.5 million. We do not expect to incur additional costs related to this incident as the investigation is closed.

MOVEit Vulnerability

On the evening of May 28, 2023, our MOVEit technical support team received an initial customer support call indicating unusual activity within their MOVEit Transfer instance. An investigative team was mobilized and, on May 30, 2023, the investigative team discovered a zero-day vulnerability in MOVEit Transfer (including our cloud-hosted version of MOVEit Transfer known as MOVEit Cloud). The investigative team determined the zero-day vulnerability (the “MOVEit Vulnerability”) could provide for unauthorized escalated privileges and access to the customer’s underlying environment in both MOVEit Transfer (the on-premise version) and MOVEit Cloud (a cloud-hosted version of MOVEit Transfer that we deploy in both (i) a public cloud format, as well as (ii) for a small group of customers, in customer-dedicated cloud instances that are hosted, separate and apart from the public instances of our MOVEit Cloud platform).

We will continue to assess the potential impact of the MOVEit Vulnerability on our business, operations, and financial results. MOVEit Transfer and MOVEit Cloud represented less than 4% in aggregate of our revenue for the fiscal year ended November 30, 2023.

Litigation and Governmental Investigations

As of the date of the filing of this report on Form 10-K, (i) we have received formal letters from 31 customers and others that claim to have been impacted by the MOVEit Vulnerability, some of which have indicated that they intend to seek indemnification from us related to the MOVEit Vulnerability, (ii) we have received a letter from an insurer providing for notice of a subrogation claim (where the insurer is seeking recovery for all expenses incurred in connection with the MOVEit Vulnerability), which has resulted in the filing of a lawsuit in the District of Massachusetts, and (iii) we are party to approximately 118 class action lawsuits filed by individuals who claim to have been impacted by the exfiltration of data from the environments of our MOVEit Transfer customers, which the Judicial Panel on Multidistrict Litigation transferred to the District of Massachusetts for coordinated and consolidated proceedings.

We have also been cooperating with several inquiries from domestic and foreign data privacy regulators; inquiries from several state attorneys general; as well as formal investigations from: (i) a U.S. federal law enforcement agency (as of the date of the filing of this report, the law enforcement investigation that we are cooperating with is not an enforcement action or formal governmental investigation of which we have been told that we are a target), (ii) the SEC (as further described hereafter), and (iii) the Office of the Attorney General for the District of Columbia (as further described hereafter). On October 2, 2023, Progress received a subpoena from the SEC seeking various documents and information relating to the MOVEit Vulnerability. As described in the cover letter accompanying the subpoena, at this stage, the SEC investigation is a fact-finding inquiry, the investigation does not mean that Progress or anyone else has violated federal securities laws, and the investigation does not mean that the SEC has a negative opinion of any person, entity, or security. Progress intends to cooperate fully with the SEC in its investigation.

On December 21, 2023, Progress received a preservation notice from the Federal Trade Commission (the "FTC"), but has not otherwise received a request for information nor is Progress aware of any formal FTC investigation.

On January 18, 2024, Progress received a subpoena from the Office of the Attorney General for the District of Columbia seeking various documents and information relating to the MOVEit Vulnerability. At this stage, the investigation is a fact-finding inquiry, and the investigation does not mean that Progress or anyone else has violated applicable laws. Progress intends to cooperate fully with the Office of the Attorney General for the District of Columbia in its investigation.

Expenses Incurred and Future Costs

For the fiscal year ended November 30, 2023, we incurred $1.5 million of costs related to the MOVEit Vulnerability. The costs recognized are net of received and expected insurance recoveries of approximately $3.7 million. The timing of recognizing insurance recoveries may differ from the timing of recognizing the associated expenses. We expect to incur investigation, legal and professional services expenses associated with the MOVEit Vulnerability in future periods. We will recognize these expenses as services are received, net of insurance recoveries. While a loss from these matters is reasonably possible, we cannot reasonably estimate a range of possible losses at this time, particularly while the foregoing matters remain ongoing. Furthermore, with respect to the litigation, the proceedings remain in the early stages, alleged damages have not been specified, there is uncertainty as to the likelihood of a class or classes being certified or the ultimate size of any class if certified, and there are significant factual and legal issues to be resolved. Also, each of the governmental inquiries and investigations mentioned above could result in adverse judgements, settlements, fines, penalties, or other resolutions, the amount, scope and timing of which could be material, but which we are currently unable to predict. Therefore, we have not recorded a loss contingency liability for the MOVEit Vulnerability as of November 30, 2023.
Insurance Coverage

During the period when the November 2022 Cyber Incident and the MOVEit Vulnerability occurred, we maintained $15.0 million of cybersecurity insurance coverage, which is expected to reduce our exposure to expenses and liabilities arising from these events. As of November 30, 2023, we have recorded approximately $6.2 million in insurance recoveries, of which $2.5 million was related to the November 2022 Cyber Incident and $3.7 million was related to the May 2023 MOVEit Vulnerability, providing us with $8.8 million of additional cybersecurity insurance coverage (which is subject to a $0.5 million retention per claim). We will pursue recoveries to the maximum extent available under our insurance policies.