With policyholders facing increased losses from hacking and business email compromise, insurers are fighting hard to escape their obligations under financial institution bonds, crime policies and cyber insurance policies. In a case that  bolsters policyholders seeking coverage for digital fraud, the U.S. Court of Appeals for the Eighth Circuit held that a bank’s financial institution bond provided coverage for losses arising from the fraudulent transfer of $485,000 by computer hackers to a foreign bank, even though the bank’s employees were negligent in securing the bank’s computer network.

In its May 20 decision, issued in State Bank of Bellingham v. BancInsure, Inc., No. 14-3432, — F.3d —, 2016 WL 2943161 (8th Cir. May 20, 2016), the Eighth Circuit affirmed the District Court’s conclusion that the efficient and proximate cause of the loss was the criminal activity of the third-party hackers.

The Underlying Breach and Loss

In October 2011, an employee of the State Bank of Bellingham (the “Bank”) completed a wire transfer, which required several security steps, including the entry of the names and passwords of two Bank employees and the insertion of two physical tokens.  At the end of the work day, the employee left the two tokens in the computer and left the computer running.  Prior to the wire transfer, a Zeus Trojan horse virus had infected the Bank’s computer system.  This virus then allowed a computer hacker to access the Bank’s network and transfer funds to accounts in Poland (the “Loss”).

The Bank held a financial institution bond issued by BancInsure providing coverage for losses such as those arising from dishonesty and computer systems fraud.  The Bank submitted a claim and proof of loss to BancInsure seeking coverage for the Loss.  BancInsure denied coverage, relying on exclusions for (a) employee-caused losses, (b) theft of confidential information, and (c) mechanical breakdown or deterioration of a computer system.

The Litigation and the District Court Decision

The Bank filed suit seeking damages for the insurer’s breach of contract.  The U.S. District Court for the District of Minnesota granted the Bank’s motion for summary judgment, holding that the “computer systems fraud was the efficient and proximate cause of [Bank’s] loss,” and “neither the employees’ violations of policies and practices … the taking of confidential passwords, nor the failure to update the computer’s antivirus software was the efficient and proximate cause of [Bank’s] loss.”

The Eighth Circuit Decision

Minnesota law applied to the interpretation of the bond, and the Eighth Circuit addressed Minnesota’s concurrent causation doctrine, which provides the standard for causation in insurance contracts.  Under this doctrine,

where an excluded peril “contributed to the loss,” an insured may recover if a covered peril is … “the efficient and proximate cause” of the loss. Conversely, it follows that if an excluded peril is the efficient and proximate cause of the loss, the coverage is excluded.  An “efficient and proximate cause,” in other words, is an “overriding cause.”

BancInsure first argued that the concurrent-causation doctrine does not apply to financial institution bonds, “because a financial institution bond requires the insured initially show that its loss directly and immediately resulted from dishonest, criminal, or malicious conduct.”  The court rejected this argument, observing that “no Minnesota case precludes application of the concurrent-causation doctrine to financial institution bonds.”

BancInsure also asserted that the parties had “contracted around the doctrine,” because the bond’s exclusions state that they apply to losses caused either directly or indirectly by the peril listed in the exclusion.  The court also rejected this argument, holding that although parties can contract around the doctrine, Minnesota law requires such language to be “clear and specific.” The court held that the simple reference to “indirect” in the bond was not sufficient to avoid the concurrent causation doctrine.

Finally, BancInsure argued that the causation issue should have been left to the jury and that the court erred in finding that the criminal acts by the third party were the efficient and proximate cause of the Loss. In rejecting BancInsure’s argument, the Eighth Circuit relied on its decision in Friedberg v. Chubb & Son, Inc., 691 F3d 948 (8th Cir. 2012), in which the court addressed the concurrent causation doctrine in connection with a first-party claim.  In Friedberg the insureds’ home suffered water damage. An investigation determined that defective construction had allowed water to enter the home. The court held that “although the water intrusion played an essential role in the damage to the house, once the house was plagued with faulty construction, it was a foreseeable and natural consequence that water would enter.”  The court applied the concurrent causation doctrine and held that the policy did not provide coverage.

Based on the reasoning in Friedberg, the Eighth Circuit held that “the efficient and proximate cause of the loss in this situation was the illegal transfer of the money and not the employees’ violations of policies and procedures.”  Specifically, the court held that “[u]nlike the water damage in Friedberg, an illegal wire transfer is not a ‘foreseeable and natural consequence’ of the Bank employees’ failure to follow proper computer security policies, procedures, and protocols.” That is, even if the employee’s actions are found to have played an essential role in a virus attacking the Bank’s system, “the intrusion and the ensuing loss … suffered remains the criminal activity of a third party.”

Impact

The Eighth Circuit’s ruling is a noteworthy win for policyholders. As criminals find more ways to attack computer systems and initiate transfers of funds, insurers face increased exposure to these types of claims, which often result from a combination of illegal activity and imperfect network security. Financial institution bonds and commercial crime policies commonly exclude “indirect loss,” and insurers frequently argue that despite criminal activity, the “direct” cause of the loss is the negligence of the policyholder’s employees.

The Eighth Circuit’s ruling in State Bank of Bellingham v. BancInsure, Inc., provides policyholders with a strong argument that employee negligence does not bar coverage for fraudulent wire transfers. The case also supports the argument that courts should not apply a unique causation standard to financial institution bonds but should instead apply basic principles of insurance law to interpret the language of the bond.