XML 47 R30.htm IDEA: XBRL DOCUMENT v3.24.4
Cyber Related Matters
 12 Months Ended
Nov. 30, 2024
Health Care Organizations [Abstract]  
Cyber Related Matters Cyber Related Matters
November 2022 Cyber Incident

Following the detection of irregular activity on certain portions of our corporate network, we engaged outside cybersecurity experts and other incident response professionals to conduct a forensic investigation and assess the extent and scope of the incident. Costs for this incident were primarily related to the engagement of external cybersecurity experts and other incident response professionals. We did not incur costs related to this incident during fiscal year 2024 and do not expect to incur additional costs as the investigation is closed. For the fiscal year ended November 30, 2023, we incurred expenses of $4.7 million, net of insurance reimbursements, related to this incident.
MOVEit Vulnerability

Description of Event

As previously disclosed, on the evening of May 28, 2023, we learned that our MOVEit Transfer (the on-premise version) and MOVEit Cloud (a cloud-hosted version of MOVEit Transfer) products were attacked via a "zero-day vulnerability" that could provide for unauthorized escalated privileges and access to the customer’s underlying environment (the "MOVEit Vulnerability"). A "zero-day vulnerability" is a vulnerability that has been publicly disclosed and/or exploited (e.g., by an independent researcher or threat actor) before the software vendor has an opportunity to patch it. We continue to monitor the impact of the MOVEit Vulnerability on our business, operations, and financial results. MOVEit Transfer and MOVEit Cloud represented less than 4% of our revenue in the periods presented.

Litigation and Governmental Investigations Arising from the MOVEit Vulnerability

As a result of the MOVEit Vulnerability, we are party to certain class action lawsuits filed by individuals who claim to have been impacted by the exfiltration of data from the environments of our MOVEit Transfer customers, which the Judicial Panel on Multidistrict Litigation transferred to the District of Massachusetts for coordinated and consolidated proceedings (the "MDL"). The MDL has also consolidated the previously disclosed insurance subrogation claims (where an insurer is seeking recovery for expenses incurred on behalf of its insured in connection with the MOVEit Vulnerability) and, as of the date of this filing, one customer cross-claim.

We have also been cooperating with inquires and investigations from: (i) several domestic and foreign data privacy regulators (as of the date of this filing, we have assisted with all inquires and investigations, a number of which have been formally closed without regulatory action), (ii) several state attorneys general (as of the date of this filing, we have assisted with all inquires and investigations, and are not aware of any enforcement or regulatory actions directed against Progress), (iii) a U.S. federal law enforcement agency (as of the date of this filing, we have assisted with all inquiries under this investigation and this is not an enforcement action or formal governmental investigation targeting Progress), and (iv) on December 21, 2023, we received a preservation notice from the Federal Trade Commission (the "FTC"), but have not otherwise received a request for information, nor are we aware of any formal FTC investigation.

Such claims and investigations may have an adverse effect on how we operate our business and our results of operations, and in the future, we may be subject to additional governmental or regulatory investigations, as well as additional litigation or indemnification claims. Our financial liability arising from any of the foregoing will depend on many factors, including the extent to which governmental entities investigate the matter and limitations contained within our customer contracts; therefore, we are unable at this time to estimate the quantitative impact of any such liability with any reasonable degree of certainty. As our litigation response continues, we will continue to assess the potential impact of the MOVEit Vulnerability on our business, operations, and financial results. Also, each of the governmental inquiries and investigations mentioned above could result in adverse judgments, settlements, fines, penalties, or other resolutions, the amount, scope and timing of which could be material, but which we are currently unable to predict.

Expenses Incurred and Future Costs

For the fiscal years ended November 30, 2024 and 2023, we incurred net costs of $5.6 million and $1.5 million, respectively, related to the MOVEit Vulnerability. The costs recognized are net of insurance recoveries of $2.1 million and $3.7 million, respectively. The timing of recognizing insurance recoveries may differ from the timing of recognizing the associated expenses.

We expect to continue to incur investigation, legal and professional services expenses associated with the MOVEit Vulnerability in future periods. We will recognize these expenses as services are received, net of insurance recoveries. While a loss from these matters is reasonably possible, we cannot reasonably estimate a range of possible losses at this time, particularly while the foregoing matters remain ongoing. Furthermore, with respect to the MDL, the proceedings remain in the early stages, alleged damages have not been specified, there is uncertainty as to the likelihood of a class or classes being certified or the ultimate size of any class if certified, and there are significant factual and legal issues to be resolved. Also, each of the governmental inquiries and investigations mentioned above could result in adverse judgements, settlements, fines, penalties, or other resolutions, the amount, scope and timing of which could be material, but of which we are currently unable to reasonably estimate. Therefore, we have not recorded a loss contingency liability for the MOVEit Vulnerability as of November 30, 2024.

Insurance Coverage

During the period when the November 2022 Cyber Incident and the MOVEit Vulnerability occurred, we maintained $15.0 million of cybersecurity insurance coverage, which is expected to reduce our exposure to expenses and liabilities arising from these events. As of November 30, 2024, we have recorded approximately $8.3 million in insurance recoveries, of which $2.5 million was related to the
November 2022 Cyber Incident and $5.8 million was related to the May 2023 MOVEit Vulnerability, providing us with approximately $6.7 million of additional cybersecurity insurance coverage under the applicable policy (which is subject to a $0.5 million retention per claim). We will pursue recoveries to the maximum extent available under our insurance policies.