SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
Pursuant to Section 13 OR 15(d)
of the Securities Exchange Act of 1934
Date of Report (Date of Earliest Event Reported):
(Exact name of registrant as specified in its charter)
(State or other jurisdiction of
incorporation or organization)
|(Address of principal executive offices)||(Zip code)|
Registrant’s telephone number, including area code:
(Former name or former address, if changed since last report)
Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions (seeGeneral Instruction A.2. below):
Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)
Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)
Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))
Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))
Securities registered pursuant to Section 12(b) of the Exchange Act:
Title of each class
Name of each exchange
on which registered
Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 under the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).
Emerging growth company
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐
|ITEM 8.01.|| |
PROG Holdings, Inc. (the “Company”) today announced that its Progressive Leasing subsidiary (“Progressive Leasing”) recently experienced a cybersecurity incident affecting certain of Progressive Leasing’s systems. Promptly after detecting the incident, the Company engaged leading third-party cybersecurity experts and took immediate steps to respond to, remediate and investigate the incident. Law enforcement was also notified. There has been no major operational impact to any of Progressive Leasing’s services as a result of the incident and the Company’s other subsidiaries have not been impacted.
The Company’s investigation into the incident, including identification of the data involved, remains ongoing. Based on preliminary findings from the Company’s investigation, the Company believes the involved data contained a substantial amount of personally identifiable information, including social security numbers, of Progressive Leasing’s customers and other individuals. Progressive Leasing will provide notice to those individuals whose personally identifiable information was involved in the incident, as well as to regulatory authorities, in accordance with applicable laws.
While no company can ever eliminate the risk of a cyberattack, the Company has taken, and will continue to take, appropriate steps, working with its third-party cybersecurity experts, to further harden its systems to protect against future incidents.
The Company has incurred, and may continue to incur, significant expenses to respond to, remediate and investigate this matter. The full scope of the costs and related impacts of this incident, including the extent to which these costs will be offset by the Company’s cybersecurity insurance, has not been determined. Although the Company is unable to predict the full impact of this incident, the Company does not currently expect that it will have a material effect on the Company’s financial condition and results of operations.
This Current Report on Form 8-K contains statements that constitute “forward-looking statements” within the meaning of the Private Securities Litigation Reform Act of 1995, Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934, each as amended. All statements other than statements of historical fact made herein are forward-looking statements, including, without limitation, statements about the Company’s ongoing investigation, the Company’s beliefs regarding the involved data containing a substantial amount of personally identifiable information of Progressive Leasing’s customers and other individuals, future notifications to those individuals and regulatory authorities, steps the Company is taking to further harden its systems, expenses to be incurred in connection with responding to, remediating and investigating the matter and whether these expenses will be offset by the Company’s cybersecurity insurance and the incident’s effect on the Company’s financial condition and results of operations. The Company has based these forward-looking statements on current expectations and assumptions regarding the incident, which are subject to risks and uncertainties that could cause actual results to differ materially from those expressed or implied in the forward-looking statements. These risks and uncertainties include, but are not limited to, the Company’s ability to respond to and remediate the incident or any future cybersecurity incidents; additional information uncovered during the investigation informing the Company’s assessment of the full impact of the incident; the compromise or improper use of sensitive, proprietary, confidential, financial or personal data or other information resulting in negative consequences such as fines, penalties, or loss of reputation, competitiveness or customers; incremental expenses associated with the Company’s ongoing assessment and investigation of the incident; the nature and scope of any claims, litigation or regulatory proceedings that may be brought against the Company or other affected parties as a result of the incident; the availability of cybersecurity insurance coverage; the potential impact of this incident on the Company’s financial condition and results of operations; the length and scope of any disruptions to Progressive Leasing caused by the incident; and other legal, reputational and financial risks resulting from this or other cybersecurity incidents. Additional risks and uncertainties that may cause actual results to differ materially include the risks and uncertainties listed in the Company’s filings with the Securities and Exchange Commission (the “SEC”), including the Company’s Annual Report on Form 10-K for the fiscal year ended December 31, 2022, filed with the SEC on February 22, 2023. In providing forward-looking statements, the Company is not undertaking any duty or obligation to update these statements publicly as a result of new information, future events or otherwise, except as required by law.
Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.
|PROG HOLDINGS, INC.|
|Chief Financial Officer|
Date: September 21, 2023