With policyholders facing increased losses from hacking and business email compromise, insurers are fighting hard to escape their obligations under
financial institution bonds, crime policies and cyber insurance policies. In a case that bolsters policyholders seeking coverage for digital fraud, the
U.S. Court of Appeals for the Eighth Circuit held that a bank’s financial institution bond provided coverage for losses arising from the fraudulent
transfer of $485,000 by computer hackers to a foreign bank, even though the bank’s employees were negligent in securing the bank’s computer network.
In its May 20 decision, issued in State Bank of Bellingham v. BancInsure, Inc., No. 14-3432, --- F.3d ---, 2016 WL 2943161 (8th Cir. May 20, 2016)
, the Eighth Circuit affirmed the District Court’s conclusion that the efficient and proximate cause of the loss was the criminal activity of the
The Underlying Breach and Loss
In October 2011, an employee of the State Bank of Bellingham (the “Bank”) completed a wire transfer, which required several security steps, including the
entry of the names and passwords of two Bank employees and the insertion of two physical tokens. At the end of the work day, the employee left the two
tokens in the computer and left the computer running. Prior to the wire transfer, a Zeus Trojan horse virus had infected the Bank’s computer system. This
virus then allowed a computer hacker to access the Bank’s network and transfer funds to accounts in Poland (the “Loss”).
The Bank held a financial institution bond issued by BancInsure providing coverage for losses such as those arising from dishonesty and computer systems
fraud. The Bank submitted a claim and proof of loss to BancInsure seeking coverage for the Loss. BancInsure denied coverage, relying on exclusions for (a)
employee-caused losses, (b) theft of confidential information, and (c) mechanical breakdown or deterioration of a computer system.
The Litigation and the District Court Decision
The Bank filed suit seeking damages for the insurer’s breach of contract. The U.S. District Court for the District of Minnesota granted the Bank’s motion
for summary judgment, holding that the “computer systems fraud was the efficient and proximate cause of [Bank’s] loss,” and “neither the employees’
violations of policies and practices ... the taking of confidential passwords, nor the failure to update the computer’s antivirus software was the
efficient and proximate cause of [Bank’s] loss.”
The Eighth Circuit Decision
Minnesota law applied to the interpretation of the bond, and the Eighth Circuit addressed Minnesota’s concurrent causation doctrine, which provides the
standard for causation in insurance contracts. Under this doctrine,
where an excluded peril “contributed to the loss,” an insured may recover if a covered peril is ... “the efficient and proximate cause” of the loss.
Conversely, it follows that if an excluded peril is the efficient and proximate cause of the loss, the coverage is excluded. An “efficient and proximate
cause,” in other words, is an “overriding cause.”
BancInsure first argued that the concurrent-causation doctrine does not apply to financial institution bonds, “because a financial institution bond
requires the insured initially show that its loss directly and immediately resulted from dishonest, criminal, or malicious conduct.” The court rejected
this argument, observing that “no Minnesota case precludes application of the concurrent-causation doctrine to financial institution bonds.”
BancInsure also asserted that the parties had “contracted around the doctrine,” because the bond’s exclusions state that they apply to losses caused either
directly or indirectly by the peril listed in the exclusion. The court also rejected this argument, holding that although parties can contract around the
doctrine, Minnesota law requires such language to be “clear and specific.” The court held that the simple reference to “indirect” in the bond was not
sufficient to avoid the concurrent causation doctrine.
Finally, BancInsure argued that the causation issue should have been left to the jury and that the court erred in finding that the criminal acts by the
third party were the efficient and proximate cause of the Loss. In rejecting BancInsure’s argument, the Eighth Circuit relied on its decision in Friedberg v. Chubb & Son, Inc., 691 F3d 948 (8th Cir. 2012), in which the court addressed the concurrent causation doctrine in connection with
a first-party claim. In Friedberg the insureds’ home suffered water damage. An investigation determined that defective construction had allowed
water to enter the home. The court held that “although the water intrusion played an essential role in the damage to the house, once the house was plagued
with faulty construction, it was a foreseeable and natural consequence that water would enter.” The court applied the concurrent causation doctrine and
held that the policy did not provide coverage.
Based on the reasoning in Friedberg, the Eighth Circuit held that “the efficient and proximate cause of the loss in this situation was the illegal transfer
of the money and not the employees’ violations of policies and procedures.” Specifically, the court held that “[u]nlike the water damage in Friedberg, an
illegal wire transfer is not a ‘foreseeable and natural consequence’ of the Bank employees’ failure to follow proper computer security policies,
procedures, and protocols.” That is, even if the employee’s actions are found to have played an essential role in a virus attacking the Bank’s system, “the
intrusion and the ensuing loss ... suffered remains the criminal activity of a third party.”
The Eighth Circuit’s ruling is a noteworthy win for policyholders. As criminals find more ways to attack computer systems and initiate transfers of funds,
insurers face increased exposure to these types of claims, which often result from a combination of illegal activity and imperfect network security.
Financial institution bonds and commercial crime policies commonly exclude “indirect loss,” and insurers frequently argue that despite criminal activity,
the “direct” cause of the loss is the negligence of the policyholder’s employees.
The Eighth Circuit’s ruling in State Bank of Bellingham v. BancInsure, Inc., provides policyholders with a strong argument that employee
negligence does not bar coverage for fraudulent wire transfers. The case also supports the argument that courts should not apply a unique causation
standard to financial institution bonds but should instead apply basic principles of insurance law to interpret the language of the bond.