The Eighth Circuit Court of Appeals reached an important decision regarding insurance coverage for cyber thefts from banks. The key takeaways from the case, State Bank of Bellingham v. BancInsure, Inc., — F.3d —, No. 14-3432 (8th Cir. May 20, 2016), are:
- Failure by a bank’s employees to follow established security measures may negate coverage for a cyber theft. An “employee-caused loss” exclusion will apply, even to an otherwise covered theft, if the bond includes language that excludes coverage for losses that are caused in part by excluded conduct.
- Minnesota’s concurrent-cause doctrine applies to financial institution bonds.
- A financial institution bond may exclude losses that are caused by a covered cause and an excluded cause, if the bond language includes proper “anti-concurrent causation” language.
- A financial institution bond that excludes coverage for losses “indirectly” caused by an excluded cause and covered loss is not sufficient to escape Minnesota’s concurrent cause doctrine. Coverage will be afforded even if it was caused in part by an excluded cause.
The facts of this case show how narrowly Bellingham escaped with coverage.
The case started when Bellingham used the Federal Reserve’s FedLine virtual private network to make wire transfers. To complete the transaction, two Bellingham employees had to login, insert individual encryption tokens, and enter a series of passphrases. A single employee entered her and another employee’s information to complete the transaction. The employee mistakenly failed to logout and left both tokens in the computer. The next day she discovered two unauthorized wire transfers to banks in Poland. While one of the transfers was stopped, the other, in the amount of $485,000 went through. That transfer was not recovered. An investigation determined that a “Zeus Trojan horse” virus had infected the computer and permitted access to the computer for the fraudulent transfers
Bellingham sought coverage for the loss through its financial institution bond issued by BancInsure. The bond provided first-party coverage for losses caused by employee dishonesty, forgery, and computer fraud. BancInsure denied coverage based on: the employee-caused loss exclusions; exclusions for theft of confidential information; and exclusions for mechanical breakdown or deterioration of a computer system. Bellingham brought suit for breach of contract, and BancInsure counterclaimed for a declaration of no coverage.
BancInsure’s primary contention was the employee-causef loss exclusion – “loss resulting directly or indirectly from theft of confidential information” – applied to bar coverage. BancInsure claimed the exclusion applied because Bellingham’s employee opened a spam email containing the malware, disabled antivirus software, failed to protect her password, used another employee’s password information, and failed to remove the tokens and shutdown the computer. This, BancInsure claimed, opened the door to the fraudulent transfer. Bellingham countered that BancInsure could not satisfy Minnesota’s concurrent cause doctrine of establishing that an excluded cause was the “overriding” cause of the loss. See Henning Nelson Constr. Co. v. Fireman’s Fund Am. Life Ins. Co., 383 N.W.2d 645, 653 (Minn. 1986); Friedberg v. Chubb & Son, Inc., 691 F.3d 948, 952 (8th Cir. 2012).
The district court agreed, holding the efficient proximate cause of the loss was the hacker’s theft, not Bellingham’s employee’s neglect. In other words, without the fraudster’s actions, there would have been no loss even if all of the other circumstances existed. BancInsure appealed.
The Eighth Circuit affirmed. The panel rejected BancInsure’s three principal arguments. First, the court held the concurrent-cause doctrine applies to financial institution bonds, as Minnesota generally treats financial institution bonds as insurance policies.
Second, the court found BancInsure’s bond did not include an “anti-concurrent cause” exclusion. Under Minnesota law, parties may include “anti-concurrent causation” language in contracts to prevent the application of the concurrent-causation doctrine; however, in those cases where courts have found the contract contains an anti-concurrent causation clause, the language used is clear and specific. These are quite common. Here, however, the exclusion’s use of “indirectly” did not amount to a “clear and specific” anti-concurrent-cause language. Accordingly, even though an excluded cause might have been partly applicable, the claim was not barred under the policy.
Lastly, BancInsure claimed the fraudulent hacking of the computer system was not the overriding, or efficient and proximate, cause of the loss. Instead, BancInsure contended the question should have been left to the jury. The Eighth Circuit rejected the argument. Instead, the court held that even if the bank employees’ negligent actions played an essential role in the loss and those actions created a risk of intrusion into Bellingham’s computer system, the intrusion and the ensuing loss of bank funds was not “certain” or “inevitable.” The “overriding cause” of the loss Bellingham suffered remains the criminal activity of a third party.
While the result is good for Bellingham, many bond issuers will insert anti-concurrent clause provisions in the future. If such a clause were present in this case, it is quite likely Bellingham would have no coverage for the $485,000 hacking attack. Because nearly every hacking loss involves a bank employee’s negligence somewhere along the line, insureds could be left holding a rather large bill. Insured banks must be diligent to ensure employees are following cyber security protocols to preserve coverage. And banks should become familiar with the language of their bonds to determine whether maximum protection is afforded.