FINANCIAL INSTITUTION BOND COVERS LOSS FROM HACKING

In State Bank v. BancInsure, Inc., 2016 U.S. App. LEXIS 9235 (8th Cir. May 20, 2016), the United States Court of Appeals for the Eighth Circuit held that a $485,000 fraudulent wire transfer perpetrated through the use of malware residing on a bank employee’s computer was covered under the bank’s financial institution bond.  The facts are straightforward.

The insured used the Federal Reserve’s FedLine Advantage Plus system to perform wire transfers. The transfers were made through a desktop computer connected to a Virtual Private Network device provided by the Federal Reserve. In order to complete a transfer, two bank employees had to enter their individual user names, and each had to insert individual physical tokens into the computer, and provide individual passwords and passphrases.

In the matter at issue, a bank employee completed a FedLine wire transfer. However, instead of following company policy and protocol by engaging the participation of a second employee, as required, the bank employee completed the transfer using her own token, password, and passphrase as well as the token, password, and passphrase of a second employee on the same computer.  At the end of the work day, the employee left the two tokens in her computer and left the computer running overnight.  When the employee returned to work the next morning, she discovered that two unauthorized wire transfers had been made from the bank’s Federal Reserve account.  Money from one of the transfers was recovered.  However, $485,000 wired in the second transfer was not recovered.  Id. at *1-2.

An investigation revealed that malware resided on the computer, permitting infiltration that allowed completion of the fraudulent transfers. Id. at *2.  The bank sought coverage under its financial institution bond, which provided coverage for losses caused by computer system fraud.  The insuring agreement covered, in part:

Loss resulting directly from a fraudulent

(1) entry of Electronic Data or Computer Program into, or

(2) change of Electronic Data or Computer Program within

any Computer System operated by the Insured, whether owned or leased, or any Computer System identified in the application for this Bond, or a Computer System first used by the Insured during the Bond Period, provided the entry or change causes

(1) property to be transferred, paid or delivered,

(2) an account of the Insured or of its customer to be added, deleted, debited or credited, or

(3) an unauthorized account or fictitious account to be debited or credited.

Id. at *3-4, n.2.

The carrier denied coverage, citing certain exclusions in the bond for employee-caused loss, theft of confidential information, and mechanical breakdown or deterioration of a computer system.  Id. at *3.  The carrier cited the following exclusions, which prohibited coverage for:

(h) loss caused by an Employee . . . resulting directly from misplacement, mysterious unexplainable disappearance or destruction of or damage to Property;

. . . .

(bb) (4) loss resulting directly or indirectly from theft of confidential information,

. . . .

(bb) (12) loss resulting directly or indirectly from

(a) mechanical failure, faulty construction, error in design, latent defect, fire, wear or tear, gradual deterioration, electrical disturbance or electrical surge which affects a Computer System,

(b) failure or breakdown of electronic data processing media, or

(c) error or omission in programming or processing,

. . . .

(bb) (17) loss caused by a director or Employee of the Insured . . . .

Id. at *4, n.3.

Coverage litigation ensued.  The carrier argued that the employee’s breach of company policy caused the loss and thus the loss was excluded.  Specifically, the carrier contended that the malware would not have allowed the hacker to fraudulently transfer the lost money had the bank employee (1) engaged a second employee to perform the original wire transfer, and (2) not left the computer running overnight with two tokens in it.  Based on Minnesota’s concurrent-causation doctrine, the trial court nevertheless held that the bond covered the loss.  The trial court concluded that “the computer systems fraud was the efficient and proximate cause of [Bellingham’s] loss,” and that “neither the employees’ violations of policies and practices (no matter how numerous), the taking of confidential passwords, nor the failure to update the computer’s antivirus software was the efficient and proximate cause of [Bellingham’s] loss.”  Id. at *6.  The court further held that “it was not then a ‘foreseeable and natural consequence’ that a hacker would make a fraudulent wire transfer. Thus even if those circumstances ‘played an essential role’ in the loss, they were not ‘independent and efficient causes’ of the loss.”  Id. at *6-7.  The carrier appealed and the Eighth Circuit affirmed.

On appeal, the carrier first argued that the concurrent-causation doctrine, which applies to insurance contracts, did not apply to financial institution bonds because a financial institution bond requires the insured to initially show that its loss directly and immediately resulted from dishonest, criminal, or malicious conduct.  Id. at *8.  The Eighth Circuit disagreed, stating that Minnesota courts adhere to the general rule of “treating financial institution bonds as insurance policies and interpreting those bonds in accordance with the principles of insurance law.”  Id. at *9.

The carrier next argued that exclusions 2(bb)(4) and 2(bb)(12) contracted around the concurrent-causation doctrine because those exclusions applied to both direct and “indirect” causation.  Id. at *10.  The Eighth Circuit disagreed.  Although the court acknowledged that “[p]arties may include ‘anti-concurrent causation’ language in contracts to prevent the application of the concurrent-causation doctrine,” it held that such language must be “clear and specific.”  Id.  The court concluded that, “[a]s a matter of law, the Bond’s reference to ‘indirectly’” was not clear and specific, and was insufficient to circumvent the doctrine.  Id. at *11.

Finally, the carrier argued that even if the district court correctly applied the concurrent-causation doctrine, it erred in concluding that the fraudulent hacking of the computer system by a criminal third party was the overriding, or efficient and proximate, cause of the loss.  At a minimum, the carrier contended, the issue should have been one for the jury to decide.  Id. at *11.  Again, the court disagreed, concluding that the fraudulent wire transfers were not a foreseeable or inevitable result of the employees’ negligence and actions:

We agree with the district court’s conclusion that “the efficient and proximate cause” of the loss in this situation was the illegal transfer of the money and not the employees’ violations of policies and procedures. . . .  an illegal wire transfer is not a “foreseeable and natural consequence” of the bank employees’ failure to follow proper computer security policies, procedures, and protocols.  Even if the employees’ negligent actions “played an essential role” in the loss and those actions created a risk of intrusion into Bellingham’s computer system by a malicious and larcenous virus, the intrusion and the ensuing loss of bank funds was not “certain” or “inevitable.”

Id. at *13-14.  According to the court, “[t]he ‘overriding cause’ of the loss Bellingham suffered remains the criminal activity of a third party.”  Id. at *14.  Therefore, it held that the district court properly granted the bank summary judgment.