Eighth Circuit Allows Coverage for Wire Transfer Fraud after Employee Leaves Bank’s Computers Vulnerable to Cyber Attack

July 13, 2016

Banks typically have insurance, known as a Financial Institution Bond, covering losses resulting from a hacker gaining access to the bank’s computer systems. But Financial Institution Bonds, like most insurance policies, contain a variety of exclusions narrowing the coverage granted in the bond’s insuring agreement. For example, most bonds exclude coverage for losses resulting from employee negligence. Insurers therefore often deny coverage when a cyber attack follows the failure of an insured bank’s employees to secure the bank’s computer system. In such circumstances, the insurer argues that the employee negligence exclusion applies whenever employee negligence is a “but for” cause of the loss.

In other contexts, proof that an excluded peril is a “but for” cause of a loss does not justify an insurer’s denial of coverage. The insurer must prove that the excluded peril is the efficient proximate cause—essentially, the most important cause—of a loss. Uncertainty exists, however, regarding whether causation principles applicable to other types of insurance apply to Financial Institution Bonds. Consequently, the Eighth Circuit’s recent decision in State Bank of Bellingham v. BancInsure, Inc., __ F.3d __, 2016 WL 2943161 (8th Cir. May 20, 2016), is likely to be studied closely by lawyers litigating coverage for cyber attacks under Financial Institution Bonds.

Factual Background

The State Bank of Bellingham’s computers became infected with malware, allowing a criminal to gain access to Bellingham’s computers and transfer $485,000 to a foreign bank account. The fraudulent transfer occurred after a Bellingham employee completed a wire transfer for a bank customer in a manner that left Bellingham’s computer vulnerable to a cyber attack. Under Bellingham’s procedures for wire transfers, two Bellingham employees were supposed to enter their individual user names, insert individual physical tokens into the computer, and type in individual passwords and passphrases. The employee, however, completed the transfer herself by using her token, password, and passphrase as well as the token, password, and passphrase of a second employee. At the end of the work day, the employee left the two tokens in the computer and left the computer running. When she arrived at work the next day, she discovered the unauthorized wire transfers totaling $485,000. An investigation revealed that a “Zeus Trojan horse” virus had infected the computer and permitted access to the computer for the fraudulent transfers.

Bellingham submitted a claim for the loss under its Financial Institution Bond with BancInsure, Inc. The bond’s Insuring Agreement H covered loss resulting “directly” from computer fraud. However, the bond’s Exclusions section excluded coverage for Insuring Agreement H losses “caused by an Employee” and loss “resulting directly or indirectly” from the theft of confidential information, mechanical failure, errors in design or breakdown of electronic data processing media, or errors or omissions in programming or processing. Asserting that each of the quoted exclusions applied, BancInsure denied coverage. Bellingham sued BancInsure for breach of contract in federal district court.

Concurrent Causation Principles Apply

At the heart of the parties’ coverage dispute was Minnesota’s concurrent cause doctrine, which the Eighth Circuit had summarized in Friedberg v. Chubb & Son, Inc., 691 F.3d 948, 951 (8th Cir. 2012). Predicting how the Minnesota Supreme Court would rule based on an examination of various Minnesota cases, the Friedberg court held that an excluded peril’s contribution to a loss does not preclude coverage if a covered peril is “the efficient and proximate cause” of the loss. The court described the efficient and proximate cause of a loss as the “overriding cause,” and described a cause as the overriding cause if other causes are “a foreseeable and natural consequence” of that cause.

In granting summary judgment for Bellingham, the district court held that the “overriding” cause of the loss was computer fraud and thus the loss was covered. The court explained that the immediate cause of the loss—a computer hacker making a fraudulent wire transfer—was not a “foreseeable and natural consequence” of an excluded cause. Thus, even if various excluded causes—such as Bellingham’s employees’ numerous violations of policies and practices, the taking of confidential passwords, and Bellingham’s failure to update the computer’s anti-virus software—“played an essential role” in the loss, none of the excluded causes qualified as “the efficient and proximate cause.”

On appeal, BancInsure challenged the district court’s application of Minnesota’s concurrent causation doctrine. First, BancInsure argued the concurrent-causation doctrine does not apply to financial institution bonds. Second, assuming the concurrent-causation doctrine does apply, BancInsure claimed that the parties here contracted around the doctrine in the language of the Bond. Finally, BancInsure maintained that the district court erred in determining that the fraudulent conduct of hacking into the computer system was the efficient and proximate cause of the loss.

The Eighth Circuit rejected all three arguments and affirmed the district court. The circuit court explained that Minnesota treats financial bonds as insurance and found no Minnesota case law that makes the state’s concurrent cause doctrine inapplicable to financial institution bonds. The bond’s requirement that loss result “directly” from fraudulent behavior did not, in the court’s view, impose a higher standard of proof on Bellingham.

Next, the court rejected BancInsure’s contention that bond language making exclusions applicable when the excluded peril is an “indirect” cause of loss precluded invocation of the concurrent cause doctrine. Although acknowledging that insureds and insurers may “contract around” the concurrent cause doctrine, the court emphasized that the contract language must be “clear and specific.” The court concluded as a matter of law that the bond’s reference to “indirectly” is not sufficiently clear and specific.

Finally, the court agreed with the district court’s conclusion that “the efficient and proximate cause” of the loss in this situation was the illegal transfer of the money and not the employees’ violations of policies and procedures. The mere fact that the loss would not have occurred in the absence of Bellingham’s employees’ negligent actions was not, the court reasoned, enough to defeat coverage. The intrusion into Bellingham’s computer system by a malicious and larcenous virus and the subsequent loss of bank funds must be the “certain” or “inevitable” results of those actions. The court therefore concluded that the “overriding cause” of Bellingham’s loss was the criminal activity of a third party.

Implications

The Eighth Circuit’s rejection of BancInsure’s causation arguments is significant given the breadth of the exclusionary language typically found in policies providing protection against cyber crime. By denying coverage whenever an excluded cause is an indirect “but for” cause of a loss, insurers could avoid covering virtually any data breach. It is a rare case in which insurers cannot attribute a loss at least in part to system failures, company employees’ negligent adoption of inadequate cyber security protocols, negligent implementation of the company’s adopted cyber security protocols, negligent training of company employees on cyber security protocols, and/or negligent failure to properly maintain and update the company’s cyber security software and related applications.

Titles by John DiMugno