Even the most well-designed security plan for preventing financial losses from fraudulent acts has a potential weak spot—the humans at the bank who are responsible for implementing the plan. A bank employee’s negligence in failing to prevent the financial loss often plays a contributing role even when criminal conduct by outside individuals is involved. When that happens, banks can turn to their financial institution bond (FIB) to cover the loss, but have often discovered that, in the insurer’s view, the bank employee’s errors in failing to prevent the loss precludes coverage. However, an important decision from the United States Court of Appeals for the Eighth Circuit recently addressed that situation and clarified that under Minnesota law, employee errors that contribute to the loss do not necessarily result in the loss of coverage.
The case involved a bank that used the Federal Reserve’s FedLine system to make wire transfers and a desktop computer connected to a VPN device provided by the Federal Reserve. The bank’s security plan to prevent fraudulent wire transfers required two bank employees to enter their individual user names, insert individual physical tokens into the computer, and type in individual passwords and passphrases.
However, at the end of one work day, in violation of the bank’s policies and procedures, an employee left the two tokens in the computer and left the computer running. The next morning, the bank discovered that two unauthorized wire transfers totaling $485,000 had been made to two different banks in Poland. The bank’s first step was to try to reverse the transactions through the FedLine system. After that failed, the bank notified its FIB insurer and immediately began an investigation. It ultimately learned that a “Zeus Trojan horse” virus had infected the desktop computer used for wire transfers and permitted hackers access to the computer for the fraudulent transfers.
The bank then submitted a claim under its FIB for the loss. The FIB provided coverage specifically for losses from computer fraud, including losses from fraudulent changes to computer programs that resulted in fraudulent wire transfers. However, the FIB also included a long list of exclusions to coverage, including an exclusion for “loss caused by an employee.” The insurer denied coverage for the claim based on that exclusion, among others. The bank then sued the insurer, and the insurer countersued the bank seeking a determination from the court that the FIB provides no coverage for the loss.
After the bank won at the trial court level, the insurer appealed to the U.S. Eighth Circuit Court of Appeals.
The appellate court decided the case in favor of the bank. Applying Minnesota law, the court held that even though the bank employee’s negligence contributed to the loss, it did not preclude all coverage for the loss. As the court explained, under general insurance law principles applied in Minnesota, a loss can be caused by a combination of events, some of which are covered by insurance and some of which are not. When the loss is brought about in that way—by a mixture of covered and uncovered causes—the rule under Minnesota law is that the loss is covered as long as none of the excluded causes or events is the primary or the “overriding” cause of the loss. In other words, coverage exists even if an event excluded from coverage under an insurance policy contributes to the loss.
On appeal, the insurer first argued that this “concurrent-cause” rule under Minnesota law does not apply to FIBs. It argued that an FIB is fundamentally different from a typical insurance policy because it requires an insured to show that its loss was “directly” caused by a covered cause. The appellate court rejected that argument, concluding that Minnesota treats FIBs as insurance policies. That is consistent with how purchasers of the FIBs think of them.
Next the insurer argued that the employee’s clear violation of the bank’s policies and procedures (an excluded cause) was more than just a contributing cause, but was the primary cause of the loss, because without it, there would have been no loss. The appellate court disagreed. It concluded that the primary and overriding cause of the loss was the fraudulent hacking of the computer system by a criminal third party, an event that the FIB specifically covers, and that the employee’s error was simply a contributing cause. Therefore, the exclusion for “loss caused by an employee” did not preclude all coverage. The bank was entitled to indemnification of its entire loss.
This decision is important because FIBs contain a very long list of exclusions. Most losses are brought about only because several things have gone wrong at the same time. The various contributing factors to the loss can often involve at least one type of action that is excluded by the FIB. This decision helps to establish that coverage will remain, as long as the principal cause of the loss is covered by the FIB.