April 17, 2017
Authored by: Jerry Blanchard and David Zetoony
Over the last decade as the specter of cyber attacks has increased dramatically, financial institutions have been encouraged to look into the use of cyber fraud insurance as one means of minimizing risk. A recent decision by the 8th Circuit provides an interesting opportunity to see how such policies are going to be interpreted by the courts.
In 2011, an employee at Bellingham State Bank in Minnesota initiated a wire transfer through the Federal Reserve’s FedLine Advantage Plus system (FedLine). Wire transfers were made through a desktop computer connected to a Virtual Private Network device provided by the Federal Reserve. In order to complete a wire transfer via FedLine, two Bellingham employees had to enter their individual user names, insert individual physical tokens into the computer, and type in individual passwords and passphrases. In this instance the employee initiated the wire by inputting the passwords both for herself and the other employee and inserted both of the physical tokens. After initiating the wire the employee left the two tokens in the computer and left it running overnight. Upon returning the next day the employee discovered that two unauthorized wire transfers had been made from Bellingham’s Federal Reserve account to two different banks in Poland. Kirchberg was unable to reverse the transfers through the FedLine system. Kirchberg immediately contacted the Federal Reserve and requested reversal of the transfers, but the Federal Reserve refused. The Federal Reserve, however, did contact intermediary institutions to inform them that the transfers were fraudulent, and one of the intermediary institutions was able to reverse one of the transfers. The other fraudulent transfer was not recovered.
Bellingham promptly notified BancInsure of the loss and made a claim under their financial institution bond which provided coverage for losses caused by such things as employee dishonesty and forgery as well as computer system fraud. After an investigation, it was determined that a “Zeus Trojan horse” virus had infected the computer and permitted access to the computer for the fraudulent transfers. BancInsure denied the claim based on several exclusions in the policy including employee-caused loss exclusions, exclusions for theft of confidential information, and exclusions for mechanical breakdown or deterioration of a computer system. In essence, the policy does not cover losses whose proximate cause was employee negligence or a failure to maintain bank computer systems. Bellingham contested the denial and brought suit in federal court for breach of contract.
The federal district court ultimately granted summary judgment in favor of Bellingham in the amount of $620,187.36. The court found that the proximate cause of the loss was the computer systems fraud and neither the employees’ violations of policies and practices (no matter how numerous), the taking of confidential passwords, nor the failure to update the computer’s antivirus software was the “efficient and proximate cause” of the bank’s loss.
BancInsure appealed to the 8th Circuit, arguing among other things, that the trial court should have left the question of proximate cause to a jury and reiterating its position that the true proximate cause of the loss was the bank and employee negligence.
The court concluded that an illegal wire transfer is not a “foreseeable and natural consequence” of the bank employees’ failure to follow proper computer security policies, procedures, and protocols. Even if the employees’ negligent actions “played an essential role” in the loss and those actions created a risk of intrusion into Bellingham’s computer system by a malicious and larcenous virus, the intrusion and the ensuing loss of bank funds was not “certain” or “inevitable.” The “overriding cause” of the loss Bellingham suffered remains the criminal activity of a third party and not any alleged negligence by the bank or the employee.
Bank Takeaway: The case illustrates the point that we have been making to financial institutions for some time now. Internal policies and procedures that have been implemented to reduce cyber fraud are there for a reason. Malware can infect a computer and lay there for an extended period of time just waiting for the opportunity to activate a fraudulent transfer. Requiring passwords to be updated on a regular basis and updating anti-virus software are vital to reducing risk. Finally, passwords should not be shared among employees.
Banks should also be sensitive to the fact that financial institution bonds are just like any other form contract that is continually being updated. Insurance companies know how to minimize their risk as well and one can assume that they will address this issue in the next version of the bond endorsement for computer system fraud. Similarly, never assume that all such endorsements are worded the same. Different companies may cover the same risks, but may do so with slightly different language. Even a slight variation in phrasing can have a major impact on whether a court determines that a claim is covered.
Finally, you should read new and renewal policies very carefully to make sure you understand where you are covered and where you are not. Policies evolve over time to meet emerging risks, there is no “standard” cyber risk policy as of yet and banks must understand the right questions to ask to make sure that the coverage they need is what they are actually being offered. Our Financial Services Corporate & Regulatory and Global Data Privacy Security Teams are well versed in bank insurance and the legal and regulatory risks presented by a data breach. We have assisted companies in analyzing the entirety of their insurance program and would be glad to assist you in reviewing existing coverage or guiding you as you look at future options.