XML 35 R24.htm IDEA: XBRL DOCUMENT v3.24.1.u1
Cyber Related Matters
 3 Months Ended
Feb. 29, 2024
Health Care Organizations [Abstract]  
Cyber Related Matters Cyber Related Matters
November 2022 Cyber Incident

Following the detection of irregular activity on certain portions of our corporate network, we engaged outside cybersecurity experts and other incident response professionals to conduct a forensic investigation and assess the extent and scope of the incident. We do not expect to incur additional costs related to this incident as the investigation is closed. We incurred expenses of $2.7 million related this incident during the three months ended February 28, 2023.

MOVEit Vulnerability

As previously reported, on the evening of May 28, 2023, our MOVEit technical support team received an initial customer support call indicating unusual activity within their MOVEit Transfer instance. An investigative team was mobilized and, on May 30, 2023, the investigative team discovered a zero-day vulnerability in MOVEit Transfer (including our cloud-hosted version of MOVEit Transfer known as MOVEit Cloud). A "zero-day vulnerability" is a vulnerability that has been publicly disclosed (e.g., by an independent researcher or threat actor) before the software vendor has an opportunity to patch it. The investigative team determined the zero-day vulnerability (the “MOVEit Vulnerability”) could provide for unauthorized escalated privileges and access to the customer’s underlying environment in both MOVEit Transfer (the on-premise version) and MOVEit Cloud (a cloud-hosted version of MOVEit Transfer that we deploy in both (i) a public cloud format, as well as (ii) for a small group of customers, in customer-dedicated cloud instances that are hosted, separate and apart from the public instances of our MOVEit Cloud platform).

We will continue to assess the potential impact of the MOVEit Vulnerability on our business, operations, and financial results. MOVEit Transfer and MOVEit Cloud represented less than 4% in aggregate of our revenue for the three months ended February 29, 2024.

Litigation and Governmental Investigations

As of the date of the issuance of the financial statements, (i) we have received formal letters from 35 customers and others that claim to have been impacted by the MOVEit Vulnerability, some of which have indicated that they intend to seek indemnification from us related to the MOVEit Vulnerability, (ii) we have received a letter from an insurer providing for notice of a subrogation claim (where the insurer is seeking recovery for all expenses incurred in connection with the MOVEit Vulnerability), which has resulted in the filing of a lawsuit in the District of Massachusetts, and (iii) we are party to approximately 127 class action lawsuits filed by individuals who claim to have been impacted by the exfiltration of data from the environments of our MOVEit Transfer customers, which the Judicial Panel on Multidistrict Litigation transferred to the District of Massachusetts for coordinated and consolidated proceedings.

We have also been cooperating with; (i) several inquiries from domestic and foreign data privacy regulators (as further described hereafter); (ii) several inquiries and two formal investigations from state attorneys general (as further described hereafter); (iii) a formal investigation from a U.S. federal law enforcement agency (as of the date of the filing of this report, the law enforcement investigation that we are cooperating with is not an enforcement action or formal governmental investigation of which we have been told that we are a target); and (iv) a formal investigation from the SEC (as further described hereafter).

On October 2, 2023, Progress received a subpoena from the SEC seeking various documents and information relating to the MOVEit Vulnerability. As described in the cover letter accompanying the subpoena, at this stage, the SEC investigation is a fact-finding inquiry, the investigation does not mean that Progress or anyone else has violated federal securities laws, and the investigation does not mean that the SEC has a negative opinion of any person, entity, or security. Progress is cooperating fully with the SEC in its investigation.
On December 21, 2023, Progress received a preservation notice from the Federal Trade Commission (the "FTC"), but has not otherwise received a request for information nor is Progress aware of any formal FTC investigation.

On January 18, 2024, Progress received a subpoena from the Office of the Attorney General for the District of Columbia seeking various documents and information relating to the MOVEit Vulnerability. At this stage, the investigation is a fact-finding inquiry, and the investigation does not mean that Progress or anyone else has violated applicable laws. Progress is cooperating fully with the Office of the Attorney General for the District of Columbia in its investigation.

On February 9, 2024, Progress received a subpoena from the Office of the Attorney General for the State of New Jersey seeking various documents and information relating to the MOVEit Vulnerability. At this stage, the investigation is a fact-finding inquiry, and the investigation does not mean that Progress or anyone else has violated applicable laws. Progress is cooperating fully with the Office of the Attorney General for the State of New Jersey in its investigation.

On November 3, 2023, the United Kingdom’s Information Commissioner’s Office informed Progress that based upon the information provided, the Commissioner’s Office determined that regulatory action against Progress was not required in relation to the MOVEit Vulnerability. Additionally, on March 14, 2024, the Office of the Australian Information Commissioner’s Office informed Progress that it has closed its file investigating the MOVEit Vulnerability.

Expenses Incurred and Future Costs

For the three months ended February 29, 2024, we incurred $1.0 million of costs related to the MOVEit Vulnerability. The costs recognized are net of received and expected insurance recoveries of approximately $0.8 million. The timing of recognizing insurance recoveries may differ from the timing of recognizing the associated expenses. We expect to incur investigation, legal and professional services expenses associated with the MOVEit Vulnerability in future periods. We will recognize these expenses as services are received, net of insurance recoveries. While a loss from these matters is reasonably possible, we cannot reasonably estimate a range of possible losses at this time, particularly while the foregoing matters remain ongoing. Furthermore, with respect to the litigation, the proceedings remain in the early stages, alleged damages have not been specified, there is uncertainty as to the likelihood of a class or classes being certified or the ultimate size of any class if certified, and there are significant factual and legal issues to be resolved. Also, each of the governmental inquiries and investigations mentioned above could result in adverse judgements, settlements, fines, penalties, or other resolutions, the amount, scope and timing of which could be material, but which we are currently unable to predict. Therefore, we have not recorded a loss contingency liability for the MOVEit Vulnerability as of February 29, 2024.

In addition, we may accelerate or make additional investments in our information technology systems, infrastructure, software products or networks following the MOVEit Vulnerability, however, we currently do not expect such amounts to be material to any fiscal period.

Insurance Coverage

During the period when the November 2022 cyber incident and the MOVEit Vulnerability occurred, we maintained $15.0 million of cybersecurity insurance coverage, which is expected to reduce our exposure to expenses and liabilities arising from these events. As of February 29, 2024, we have recorded approximately $7.0 million in insurance recoveries, of which $2.5 million was related to the November 2022 cyber incident and $4.5 million was related to the May 2023 MOVEit Vulnerability, providing us with $8.0 million of additional cybersecurity insurance coverage (which is subject to a $0.5 million retention per claim). We will pursue recoveries to the maximum extent available under our insurance policies.