Progress Software Corporation (PRGS) is the provider of MOVEit Transfer software, a program responsible for what is widely considered the largest hack so far in 2023, impacting at least 2,000 enterprises and 60 million individuals, according to media reports.
The Company has now issued a 10Q report (10/10/23) providing details on the attack and recoveries under its cyber insurance policies. See the key paragraph below and the larger cyber section at bottom, with information on cyber insurance in red. The disclosure also notes a new SEC subpoena, part of the new reality under SEC cyber reporting regulations.
The Company reports it has $15 million in cyber insurance coverage to cover both the MOVEit hack and a separate cyber incident in November 2022, of which app. $4.9 million has been recovered. That leaves about $10 million left, subject to retentions, to cover the landslide of legal claims coming at the company.
Progress says it has so far been hit with 58 class action lawsuits; received letters from 23 customers, some seeking indemnification (presumably against suits from customers of the customers; been notified by an insurer of a subrogation claim (the “insurer is seeking recovery for all expenses incurred in connection with the MOVEit Vulnerability”) and a subpoena earlier this month from the SEC.
We’re a little surprised the share price of Progress has not taken an even larger hit, given the legal issues above are likely just the beginning of the company’s legal troubles.
From the 10Q:
“During the period when the November 2022 cyber incident and the MOVEit Vulnerability occurred, we maintained $15.0 million of cybersecurity insurance coverage, which is expected to reduce our exposure to expenses and liabilities arising from these events. As of August 31, 2023, we have recorded approximately $4.9 million in insurance recoveries, of which $3.0 million was related to the November 2022 cyber incident and $1.9 million was related to the May 2023 MOVEit Vulnerability, providing us with $10.1 million of additional cybersecurity insurance coverage (which is subject to a $0.5 million retention per claim). We will pursue recoveries to the maximum extent available under our insurance policies.”
“Note 15: Cyber Related Matters
November 2022 Cyber Incident
Following the detection of irregular activity on certain portions of our corporate network, we engaged outside cybersecurity experts and other incident response professionals to conduct a forensic investigation and assess the extent and scope of the cyber incident. Costs for this cyber incident were primarily related to the engagement of external cybersecurity experts and other incident response professionals. We did not incur any meaningful costs related to this cyber incident for the three months ended August 31, 2023. For the nine months ended August 31, 2023, we incurred $4.2 million of costs related to this cyber incident. Costs are provided net of received and expected insurance recoveries of approximately $3.0 million, which was recognized during the first quarter of fiscal year 2023. The timing of recognizing insurance recoveries may differ from the timing of recognizing the associated expenses.
MOVEit Vulnerability
As previously reported, on the evening of May 28, 2023, our MOVEit technical support team received an initial customer support call indicating unusual activity within their MOVEit Transfer instance. An investigative team was mobilized and, on May 30, 2023, the investigative team discovered a zero-day vulnerability in MOVEit Transfer (including our cloud-hosted version of MOVEit Transfer known as MOVEit Cloud). The investigative team determined the zero-day vulnerability (the “MOVEit Vulnerability”) could provide for unauthorized escalated privileges and access to the customer’s underlying environment in both MOVEit Transfer (the on-premise version) and MOVEit Cloud (a cloud-hosted version of MOVEit Transfer that we deploy in both (i) a public cloud format, as well as (ii) for a small group of customers, in customer-dedicated cloud instances that are hosted, separate and apart from the public instances of our MOVEit Cloud platform).
We will continue to assess the potential impact of the MOVEit Vulnerability on our business, operations, and financial results. MOVEit Transfer and MOVEit Cloud represented less than 4% in aggregate of our revenue for the nine months ended August 31, 2023.
Litigation and Governmental Investigations
As of the date of the issuance of the financial statements, (i) we have received formal letters from 23 customers and others that claim to have been impacted by the MOVEit Vulnerability, some of which have indicated that they intend to seek indemnification from us related to the MOVEit Vulnerability, (ii) we have received a letter from an insurer providing for notice of a subrogation claim (where the insurer is seeking recovery for all expenses incurred in connection with the MOVEit Vulnerability), and (iii) we are party to 58 class action lawsuits filed by individuals who claim to have been impacted by the exfiltration of data from the environments of our MOVEit Transfer customers (on October 4, 2023, the Judicial Panel on Multidistrict Litigation issued an order consolidating litigation relating to the MOVEit Vulnerability where we are a party in the United States District Court, District of Massachusetts).
We have also been cooperating with several inquiries from domestic and foreign data privacy regulators, inquiries from several state attorneys general, as well as formal investigations from: (i) a U.S. federal law enforcement agency (as of the date of the filing of this report, the law enforcement investigation that we are cooperating with is not an enforcement action or formal governmental investigation of which we have been told that we are a target), and (ii) the SEC (as further described hereafter). On October 2, 2023, Progress received a subpoena from the SEC seeking various documents and information relating to the MOVEit Vulnerability. As described in the cover letter accompanying the subpoena, at this stage, the SEC investigation is a fact-finding inquiry, the investigation does not mean that Progress or anyone else has violated federal securities laws, and the investigation does not mean that the SEC has a negative opinion of any person, entity, or security. Progress intends to cooperate fully with the SEC in its investigation.
Expenses Incurred and Future Costs
For the three and nine months ended August 31, 2023, we incurred $1.0 million of costs related to the MOVEit Vulnerability. The costs recognized are net of received and expected insurance recoveries of approximately $1.9 million, which was recognized during the third quarter of fiscal year 2023. The timing of recognizing insurance recoveries may differ from the timing of recognizing the associated expenses. We expect to incur investigation, legal and professional services expenses associated with the MOVEit Vulnerability in future periods. We will recognize these expenses as services are received, net of received and expected insurance recoveries. While a loss from these matters is possible, we cannot reasonably estimate a range of possible losses at this time, particularly while the foregoing matters remain ongoing. Furthermore, with respect to the litigation, the proceedings remain in the early stages, alleged damages have not been specified, there is uncertainty as to the likelihood of a class or classes being certified or the ultimate size of any class if certified, and there are significant factual and legal issues to be resolved. Also, each of the governmental inquiries and investigations mentioned above could result in adverse judgements, settlements, fines, penalties, or other resolutions, the amount, scope and timing of which could be material, but which we are currently unable to predict. Therefore, we have not recorded a loss contingency liability for the MOVEit Vulnerability as of August 31, 2023.
Insurance Coverage
During the period when the November 2022 cyber incident and the MOVEit Vulnerability occurred, we maintained $15.0 million of cybersecurity insurance coverage, which is expected to reduce our exposure to expenses and liabilities arising from these events. As of August 31, 2023, we have recorded approximately $4.9 million in insurance recoveries, of which $3.0 million was related to the November 2022 cyber incident and $1.9 million was related to the May 2023 MOVEit Vulnerability, providing us with $10.1 million of additional cybersecurity insurance coverage (which is subject to a $0.5 million retention per claim). We will pursue recoveries to the maximum extent available under our insurance policies.”