PROGRESS SOFTWARE CORP /MA 10-K Cybersecurity GRC - 2024-01-26

Page last updated on April 11, 2024

PROGRESS SOFTWARE CORP /MA addressed cybersecurity risk in an annual report on Form 10-K filed on 2024-01-26 16:18:44 EST. Item 1C (Cybersecurity) is marked not applicable in this filing; the cybersecurity disclosure appears in the Item 1A risk factors excerpted below.

Filings

10-K filed on 2024-01-26 at 16:18:44 EST
Accession Number: 0000876167-24-000031

Item 1C. Cybersecurity.

Not applicable.

Item 1A. Risk Factors.

If our security measures are breached, our products and services may be perceived as not being secure, customers may curtail or stop using our products and services, and we may incur significant legal and financial exposure, including but not limited to exposure from loss of customer or company data, loss of customers or otherwise.

Our products and services involve the storage and transmission of our customers’ proprietary information and may be vulnerable to unauthorized access, computer viruses, cyber-attacks, distributed denial of service attacks and other disruptive problems. As disclosed on December 19, 2022, following the detection of irregular activity on certain portions of our corporate network, we engaged outside cybersecurity experts and other incident response professionals to conduct a forensic investigation and assess the extent and scope of the cyber incident (the “November 2022 Cyber Incident”). During the investigation, we and our external advisors uncovered evidence of unauthorized access to our corporate network, including evidence that certain company data had been exfiltrated. As demonstrated by the November 2022 Cyber Incident, due to the actions of outside parties, employee error, malfeasance, or otherwise, an unauthorized party may obtain access to our data or our customers’ data, which could result in its theft, destruction, corruption or misappropriation and thus legal and financial exposure. Security risks in recent years have increased significantly given the increased sophistication and activities of hackers, organized crime, including state-sponsored organizations and nation-states, and other outside parties. Cyber threats are continuously evolving, increasing the difficulty of defending against them. Increased risks of such attacks and disruptions also exist due to the Russian invasion of Ukraine beginning in February 2022. While we have implemented security procedures and controls aimed at addressing these threats, our security measures could be compromised, could prove to be inadequate or could fail. 
Any security breach or unauthorized access could result in significant legal and financial exposure, increased costs to defend litigation, indemnity and other contractual obligations, government fines and penalties, damage to our reputation and our brand, and a loss of confidence in the security of our products and services that could potentially have an adverse effect on our business and results of operations. Breaches of our network could disrupt our internal systems and business applications, including services provided to our customers. Additionally, data breaches could compromise technical and proprietary information, harming our competitive position. We may need to spend significant capital or allocate significant resources to protect against the threat of security breaches or to address security related concerns. If an actual or perceived breach of our security occurs, the market perception of the effectiveness of our security measures could be harmed and we could lose customers. In addition, our insurance coverage may not be adequate to cover all costs related to cybersecurity incidents and the disruptions resulting from such events.

Item 1A. Risk Factors.

If our products contain software defects or security flaws, it could harm our revenues by causing us to lose customers and could increase our liabilities by exposing us to costly governmental investigations or litigation. For example, the exploitation of the zero-day MOVEit Vulnerability in May 2023 has resulted in informal government inquiries, three formal government investigations, and private litigation.

Our products, despite extensive testing and quality control, may, and at times do, contain defects, vulnerabilities or security flaws. In the ordinary course of business, we may need to issue corrective releases of our software products to fix any defects, vulnerabilities, or security flaws. Depending upon the severity of any such matters, the detection and correction of such matters can be time consuming and costly. If any such issues are exploited by malicious threat actors, we could experience, among other things, material adverse impact to our revenues due to loss of customers and increased liabilities due to costly governmental investigations or litigation. In addition, any such matters could affect the ability of our products to work with hardware or other software products, delay the development or release of new products or new versions of products (due to a reallocation of our internal resources), and/or adversely affect market acceptance of our products, all of which could have a material adverse effect on our operating results and cash flows. For example, during the third quarter of 2023, we released patches for vulnerabilities affecting WS_FTP, one of our file-transfer products that is deployed on-premise in our customers’ environments. Notwithstanding our efforts to promptly patch such vulnerabilities and encourage customers to deploy the patch as quickly as possible, we do not have telemetry into our WS_FTP customers’ environments or control over their patching activity, and there have been reports of exploitation of these vulnerabilities following the release of our security patches.

As disclosed via a Form 8-K filed on June 5, 2023, on the evening of May 28, 2023 (Eastern Time), our MOVEit technical support team received an initial customer support call indicating unusual activity within their MOVEit Transfer instance. An investigative team was mobilized and, on May 30, 2023, the investigative team discovered a zero-day vulnerability in MOVEit Transfer (including our cloud-hosted version of MOVEit Transfer known as MOVEit Cloud). The investigative team determined the zero-day vulnerability (the “MOVEit Vulnerability”) could provide for unauthorized escalated privileges and access to the customer’s underlying environment in both MOVEit Transfer (the on-premise version) and MOVEit Cloud (a cloud-hosted version of MOVEit Transfer that we deploy in both (i) a public cloud format, as well as (ii) for a small group of customers, in customer-dedicated cloud instances that are hosted, separate and apart from the public instances of our MOVEit Cloud platform). We promptly took down MOVEit Cloud for further investigation and notified all then-known current and former MOVEit Transfer and MOVEit Cloud customers in order to apprise them of the MOVEit Vulnerability and alert them to immediate remedial actions. In parallel, our team developed a patch for all supported versions of MOVEit Transfer and MOVEit Cloud, which was released on May 31, 2023, and allowed for the restoration of MOVEit Cloud that same day.

MOVEit Transfer is a secure file-transfer software that is installed by customers on-premise and does not have any on-going telemetry after installation that allows us to track, among other things, a customer’s product usage, deployed version, file transfer activity (including any data that is transferred by or stored within the customer’s MOVEit Transfer instance), or whether the customer has applied any security patches or bug fixes to their MOVEit Transfer instance. However, a number of MOVEit Transfer customers and others have disclosed that malicious threat actors have exploited the MOVEit Vulnerability to obtain access to their environments and portions of their sensitive customer data.

We have not seen any evidence that sensitive customer data has been exfiltrated from the public MOVEit Cloud instances. For a small group of customers, we provide dedicated MOVEit Cloud instances that are hosted, for each such customer, separate and apart from the public instances of our MOVEit Cloud platform. Two of our dedicated MOVEit Cloud customers have reported that malicious threat actors have exploited the MOVEit Vulnerability to obtain access to their dedicated MOVEit Cloud environment. As of the date of the filing of this report on Form 10-K, one such customer has confirmed that no sensitive data was compromised and the other has reported that certain personally identifiable information was exfiltrated.

As of the date of the filing of this report on Form 10-K, (i) we have received formal letters from 31 customers and others that claim to have been impacted by the MOVEit Vulnerability, some of which have indicated that they intend to seek indemnification from us related to the MOVEit Vulnerability, (ii) we have received a letter from an insurer providing notice of a subrogation claim (where the insurer is seeking recovery for all expenses incurred in connection with the MOVEit Vulnerability), which has resulted in the filing of a lawsuit in the United States District Court for the District of Massachusetts (“District of Massachusetts”), and (iii) we are party to approximately 118 class action lawsuits filed by individuals who claim to have been impacted by exfiltration of data from the environments of our MOVEit Transfer customers, which the Judicial Panel on Multidistrict Litigation transferred to the District of Massachusetts for coordinated and consolidated proceedings.

We have also been cooperating with several inquiries from domestic and foreign data privacy regulators; inquiries from several state attorneys general; as well as formal investigations from: (i) a U.S. federal law enforcement agency (as of the date of the filing of this report, the law enforcement investigation that we are cooperating with is not an enforcement action or formal governmental investigation of which we have been told that we are a target), (ii) the SEC (as further described hereafter), and (iii) the Office of the Attorney General for the District of Columbia (as further described hereafter); all of which could have adverse impacts on our business and operations and the results thereof.

On October 2, 2023, we received a subpoena from the SEC seeking various documents and information relating to the MOVEit Vulnerability. As described in the cover letter accompanying the subpoena, at this stage, the SEC investigation is a fact-finding inquiry, the investigation does not mean that Progress or anyone else has violated federal securities laws, and the investigation does not mean that the SEC has a negative opinion of any person, entity, or security. Progress intends to cooperate fully with the SEC in its investigation.

On December 21, 2023, we received a preservation notice from the Federal Trade Commission (the “FTC”), but have not otherwise received a request for information nor is Progress aware of any formal FTC investigation.

On January 18, 2024, we received a subpoena from the Office of the Attorney General for the District of Columbia seeking various documents and information relating to the MOVEit Vulnerability. At this stage, the investigation is a fact-finding inquiry, and the investigation does not mean that Progress or anyone else has violated applicable laws. Progress intends to cooperate fully with the Office of the Attorney General for the District of Columbia in its investigation.

Such claims and investigations may have an adverse effect on how we operate our business and our results of operations, and in the future, we may be subject to additional governmental or regulatory investigations, as well as additional litigation or indemnification claims. Following the discovery of the MOVEit Vulnerability and the various remedial actions described here, we have discovered and patched additional vulnerabilities within the MOVEit Transfer and MOVEit Cloud platforms. While we are currently not aware of any evidence that these additional vulnerabilities were exploited by malicious threat actors, we cannot guarantee that we have or will uncover and/or address all vulnerabilities within the MOVEit platform or any of our other products prior to exploitation by threat actors.

Our financial liability arising from any of the foregoing will depend on many factors, including the extent to which governmental entities investigate the matter and limitations contained within our customer contracts; therefore, we are unable at this time to estimate the quantitative impact of any such liability with any reasonable degree of certainty. As our fact-gathering investigation and litigation response continues, we will continue to assess the potential impact of the MOVEit Vulnerability on our business, operations, and financial results. Also, each of the governmental inquiries and investigations mentioned above could result in adverse judgements, settlements, fines, penalties, or other resolutions, the amount, scope and timing of which could be material, but which we are currently unable to predict.

Item 1A. Risk Factors.

Our business could be damaged, and we could be subject to liability, in the event of any unauthorized access to our data or our customers’ data, including through privacy and data security breaches, such as or in addition to the MOVEit Vulnerability.

The use of certain of our products, including MOVEit Cloud, involves the transmission or storage of third-party data in our environment, some of which may be considered personally identifiable, confidential, or sensitive. In the ordinary course of business, we face security threats from malicious threat actors that could obtain unauthorized access to our systems, infrastructure, products, and networks. We anticipate that these threats will continue to grow in scope and complexity over time.

For example, once we discovered the MOVEit Vulnerability on May 30, 2023, we (i) promptly took down MOVEit Cloud for investigation, and (ii) notified all then-known current and former MOVEit Transfer and MOVEit Cloud customers in order to apprise them of the MOVEit Vulnerability and alert them to immediate remedial actions. In parallel, our team developed a patch for all supported versions of MOVEit Transfer and MOVEit Cloud, which was released on May 31, 2023 and allowed for the restoration of MOVEit Cloud that same day. While we believe that our actions have, and will continue to, reduce the likelihood of similar vulnerabilities occurring in the future in our MOVEit product line, malicious threat actors might use techniques to exploit other zero-day vulnerabilities or use other means that we are unable to defend against, in order to compromise and infiltrate our systems, infrastructure, networks, and products, including, but not limited to, MOVEit or other products. In addition, MOVEit Transfer is a secure file-transfer software that is installed by customers on-premise and does not have any on-going telemetry after installation that allows us to track, among other things, a customer’s product usage, deployed version, file transfer activity (including any data that is transferred by or stored within the customer’s MOVEit Transfer instance), or whether the customer has applied any security patches or bug fixes to their MOVEit Transfer instance.

While we devote a significant amount of resources to cyber security related matters in the operation of our business, we may fail to detect the existence of a breach and be unable to prevent unauthorized access to user and company content across our systems, infrastructure, products, and networks. The techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and are often not recognized until launched against a target. They may originate from less regulated or remote areas around the world, or from state-sponsored actors. If our security measures are breached, we may suffer reputational damage, our products may be perceived as insecure, and we may lose existing customers, or fail to attract and retain new customers.

In addition to internal resources, we frequently rely on third parties when deploying our cybersecurity related infrastructure, and in doing so, may be exposed to security risks outside of our direct control. In connection therewith, we rely on outside vendors and contractors to perform certain services necessary for the operation and testing of certain of our products, and they may fail to adequately secure our platform or discover vulnerabilities in our products.

While we have implemented security procedures and controls aimed at addressing these threats and patching vulnerabilities, our security measures could be compromised and our attempts to implement security measures and patch vulnerabilities could prove to be inadequate or could fail. Any such failure could result in significant legal and financial exposure, increased costs to defend litigation, indemnity and other contractual obligations, government fines and penalties, damage to our reputation and our brand, and a loss of confidence in the security of our products and services that could potentially have an adverse effect on our business and results of operations. In addition, our insurance coverage may not be adequate to cover all costs related to cybersecurity incidents or the exploitation of vulnerabilities as well as the disruptions and liabilities resulting from such events.

Item 1A. Risk Factors.

A failure of our information technology systems, including a cyber incident, could have a material adverse effect on our business.

We rely on our technology infrastructure, and the technology infrastructure of third parties, for many functions, including selling our products, supporting our ISVs and other third-party channels, fulfilling orders and billing, and collecting and making payments. This technology infrastructure may be vulnerable to damage or interruption from natural disasters, power loss, telecommunication failures, terrorist attacks, the outbreak of wars or other armed conflicts, the escalation of hostilities, geopolitical tensions or trade wars, acts of terrorism or "acts of God," particularly involving geographies in which we or third parties on whom we depend have operations, computer intrusions or other similar cyber intrusions, vulnerabilities and viruses, software errors, computer denial-of-service attacks and other similar events. A significant number of the systems making up this infrastructure are not redundant, and our disaster recovery planning may not be sufficient for every eventuality. This technology infrastructure may fail or be vulnerable to damage or interruption because of actions by third parties or employee error or malfeasance. In addition, depending upon the severity of any such actions, we may not carry business interruption insurance sufficient to protect us from all losses that may result from interruptions in our services as a result of such technology infrastructure failures or provide us with the ability to cover all contingencies. Any interruption in the availability of our websites and on-line interactions with customers or partners may cause a reduction in customer or partner satisfaction levels, which in turn could cause additional claims, reduced revenue or loss of customers or partners.
Despite any precautions we may take, these problems could result in, among other consequences, a loss, destruction, corruption or misappropriation of company or customer data, loss of confidence in the stability and reliability of our offerings, damage to our reputation, and legal liability, all of which may adversely affect our business, financial condition, operating results and cash flows.

Item 1A. Risk Factors.

Catastrophic events, including but not limited to cyber events, may disrupt our business.

We rely on our network infrastructure and enterprise applications, internal technology systems and website for our development, marketing, operations, support and sales activities. In addition, we rely on third-party hosted services, and we do not control the operation of third-party data center facilities, which increases our vulnerability. A disruption, infiltration or failure of these systems or third-party hosted services in the event of a major earthquake, fire, flood, tsunami or other weather event, power loss, telecommunications failure, software or hardware malfunctions, pandemics, cyber-attack or other similar interruptions to our business, war, terrorist attack or other catastrophic event that our disaster recovery plans do not adequately address, could cause system interruptions, reputational harm, loss of intellectual property, delays in our product development, lengthy interruptions in our services, breaches of data security and loss, destruction, misappropriation or corruption of critical company or customer data. A catastrophic event, including a cyber event, a war or an act of terrorism, that results in the loss, destruction, misappropriation, corruption or disruption of any of our data, our customers’ data or our data centers or our critical business or information technology systems could severely affect our ability to conduct normal business operations and, as a result, our future operating results could be adversely affected, and the adverse effects of any such catastrophic event would be exacerbated if experienced at the same time as another unexpected and adverse event.

Company Information

Name: PROGRESS SOFTWARE CORP /MA
CIK: 0000876167
SIC Description: Services-Prepackaged Software
Ticker: PRGS - Nasdaq
Category: Large accelerated filer
Fiscal Year End: November 29