Cyber Related Matters	9 Months Ended
Cyber Related Matters	Aug. 31, 2024
Health Care Organizations [Abstract]
Cyber Related Matters	Cyber Related Matters November 2022 Cyber Incident Following the detection of irregular activity on certain portions of our corporate network, we engaged outside cybersecurity experts and other incident response professionals to conduct a forensic investigation and assess the extent and scope of the incident. We did not incur costs related to this incident during fiscal year 2024 and do not expect to incur additional costs as the investigation is closed. We did not incur any meaningful costs related to this cyber incident for the three months ended August 31, 2023. We incurred net expenses of $4.2 million related to this incident during the nine months ended August 31, 2023. MOVEit Vulnerability As previously reported, on the evening of May 28, 2023, we learned that our MOVEit Transfer (the on-premise version) and MOVEit Cloud (a cloud-hosted version of MOVEit Transfer) products were attacked via a “zero-day vulnerability” that could provide for unauthorized escalated privileges and access to the customer’s underlying environment (the “MOVEit Vulnerability”). A "zero-day vulnerability" is a vulnerability that has been publicly disclosed and/or exploited (e.g., by an independent researcher or threat actor) before the software vendor has an opportunity to patch it. We continue to monitor the impact of the MOVEit Vulnerability on our business, operations, and financial results. MOVEit Transfer and MOVEit Cloud represented less than 4% in aggregate of our revenue for the nine months ended August 31, 2024. Litigation and Governmental Investigations Arising from the MOVEit Vulnerability As previously reported, as a result of the MOVEit Vulnerability, we are party to certain class action lawsuits filed by individuals who claim to have been impacted by the exfiltration of data from the environments of our MOVEit Transfer customers, which the Judicial Panel on Multidistrict Litigation transferred to the District of Massachusetts for coordinated and consolidated proceedings (the "MDL"). The MDL also includes the previously disclosed subrogation claim (where an insurer is seeking recovery for expenses incurred on behalf of its insured in connection with the MOVEit Vulnerability). Also as previously disclosed, we have also been cooperating with inquires and investigations from: (i) several domestic and foreign data privacy regulators (a number of which have been closed without regulatory action), (ii) several state attorneys general, and (iii) one formal investigation from a U.S. federal law enforcement agency (as of the date of the filing of the financial statements, this is not an enforcement action or formal governmental investigation of which we have been told that we are a target). As previously disclosed, we received a subpoena from the Securities and Exchange Commission’s Division of Enforcement (the “SEC”) on October 2, 2023, as part of a fact-finding inquiry seeking various documents and information relating to the MOVEit Vulnerability. In a letter dated August 7, 2024, the SEC notified us that the Commission had concluded its investigation and did not intend to recommend an enforcement action against Progress (the “Termination Letter”). The Termination Letter was provided under the guidelines set out in the final paragraph of Securities Act Release No. 5310. Expenses Incurred and Future Costs For the three and nine months ended August 31, 2024, we incurred net costs of $0.9 million and $5.0 million, respectively, related to the MOVEit Vulnerability. The costs recognized are net of insurance recoveries of $0.6 million and $2.5 million for the three and nine months ended August 31, 2024, respectively. The timing of recognizing insurance recoveries may differ from the timing of recognizing the associated expenses. We expect to continue to incur investigation, legal and professional services expenses associated with the MOVEit Vulnerability in future periods. We will recognize these expenses as services are received, net of insurance recoveries. While a loss from these matters is reasonably possible, we cannot reasonably estimate a range of possible losses at this time, particularly while the foregoing matters remain ongoing. Furthermore, with respect to the litigation, the proceedings remain in the early stages, alleged damages have not been specified, there is uncertainty as to the likelihood of a class or classes being certified or the ultimate size of any class if certified, and there are significant factual and legal issues to be resolved. Also, each of the governmental inquiries and investigations mentioned above could result in adverse judgements, settlements, fines, penalties, or other resolutions, the amount, scope and timing of which could be material, but which we are currently unable to predict. Therefore, we have not recorded a loss contingency liability for the MOVEit Vulnerability as of August 31, 2024. In addition, we may accelerate or make additional investments in our information technology systems, infrastructure, software products or networks following the MOVEit Vulnerability, however, we currently do not expect such amounts to be material to any fiscal period. Insurance Coverage During the period when the November 2022 cyber incident and the MOVEit Vulnerability occurred, we maintained $15.0 million of cybersecurity insurance coverage, which is expected to reduce our exposure to expenses and liabilities arising from these events. As of August 31, 2024, we have recorded approximately $7.5 million in insurance recoveries, of which $2.5 million was related to the November 2022 cyber incident and $5.0 million was related to the May 2023 MOVEit Vulnerability, providing us with approximately $7.5 million of additional cybersecurity insurance coverage under the applicable policy (which is subject to a $0.5 million retention per claim). We will pursue recoveries to the maximum extent available under our insurance policies.