XML 32 R21.htm IDEA: XBRL DOCUMENT v3.25.2
Cyber Related Matters
 9 Months Ended
Aug. 31, 2025
Health Care Organizations [Abstract]  
Cyber Related Matters Cyber Related Matters
MOVEit Vulnerability

As previously disclosed, on the evening of May 28, 2023, we learned that our MOVEit Transfer (the on-premise version) and MOVEit Cloud (a cloud-hosted version of MOVEit Transfer) products were attacked by a threat actor who compromised and exfiltrated personal data from various customer-controlled MOVEit Transfer environments (the "MOVEit Vulnerability"). As a result of the MOVEit Vulnerability, we are party to certain class action lawsuits filed by individuals who claim to have been impacted by the exfiltration of data from the environments of our MOVEit Transfer customers, which have been centralized in multi-district litigation in the District of Massachusetts (the "MDL"). The MDL remains in a relatively early litigation stage in which motions to dismiss were filed and partially granted in July 2025, resulting in the dismissal of approximately half of the pending claims. Following the court’s ruling on the motions to dismiss, we filed a motion for reconsideration in which we asked the court to reconsider its ruling on some of the undismissed claims. The MDL is not expected to conclude within this fiscal year. We have also been cooperating with inquiries and investigations from various governmental authorities, none of which have, as of this filing, resulted in any prosecution or enforcement actions.

Expenses Incurred and Future Costs

During the three and nine months ended August 31, 2025, we incurred net costs of approximately $0.7 million and $2.1 million, respectively, related to the MOVEit Vulnerability. The costs recognized are net of insurance recoveries of $0.4 million and $1.7 million for the three and nine months ended August 31, 2025, respectively. During the three and nine months ended August 31, 2024, we incurred net costs of approximately $0.9 million and $5.0 million, respectively, related to the MOVEit Vulnerability. The costs recognized are net of insurance recoveries of $0.6 million and $2.5 million for the three and nine months ended August 31, 2024, respectively. The timing of recognizing insurance recoveries may differ from the timing of recognizing the associated expenses.

We expect to continue to incur investigation, legal and professional services expenses associated with the MOVEit Vulnerability in future periods. We will recognize these expenses as services are received, net of insurance recoveries. While a loss from these matters is reasonably possible, we cannot reasonably estimate a range of possible losses at this time, particularly while the foregoing matters remain ongoing. Furthermore, with respect to the MDL, the proceedings remain in the early stages, alleged damages have not been specified, there is uncertainty as to the likelihood of a class or classes being certified or the ultimate size of any class if certified, and there are significant factual and legal issues to be resolved. Also, each of the governmental inquiries and investigations mentioned above could result in adverse judgments, settlements, fines, penalties, or other resolutions, the amount, scope and timing of which could be material, but of which we are currently unable to reasonably estimate. Therefore, we have not recorded a loss contingency liability for the MOVEit Vulnerability as of August 31, 2025.

Insurance Coverage

During the period when the MOVEit Vulnerability occurred, we maintained $15.0 million of cybersecurity insurance coverage, which is expected to reduce our exposure to expenses and liabilities arising from these events. As of August 31, 2025, we have approximately $5.0 million of remaining cybersecurity insurance coverage under the applicable policy. We will pursue recoveries to the maximum extent available under our insurance policies.