The U.S. Court of Appeals for the Eighth Circuit recently held that a bank was entitled to recover its cybertheft losses under its financial institution bond, despite its employee’s violation of the bank’s internal policies and procedures, and despite the bank’s failure to update its antivirus software, holding that Minnesota’s “concurrent causation” doctrine applies to financial institution bonds.

A copy of the opinion is available at:  Link to Opinion.

A computer at the plaintiff bank became infected with malware, which allowed a criminal third party to transfer nearly half a million dollars to a foreign bank account.

An employee of the plaintiff bank completed a wire transfer through the Federal Reserve’s FedLine system. The next day, the employee noticed two unauthorized wire transfers made to a foreign bank account.  The employee was unable to reverse the transfers and the Federal Reserve refused to reverse the transfers. Only one of the fraudulent transfers was reversed by an intermediary institution.

The plaintiff bank had a financial institution bond issued by the defendant insurer. The bond covered losses such as those caused by employee dishonesty and forgery, as well as computer system fraud.

After an investigation by the defendant insurer, it was determined that a “Zeus Trojan horse” virus infected the plaintiff bank’s computer and permitted access to the computer for fraudulent transfers. The plaintiff bank sought coverage for the loss under its bond issued by the defendant insurer. The defendant insurer denied coverage based on exclusions in the bond.

Specifically, the insurer claimed the loss was not covered based on employee-caused losses, exclusions for theft of confidential information, and exclusions for mechanical breakdown or deterioration of a computer system.

The bank filed suit on the bond alleging a breach of contract. The trial court granted summary judgment in favor of the bank, holding that the computer systems fraud was the efficient and proximate cause of the bank’s loss, and neither the employees’ violations of policies and practices (no matter how numerous), the taking of confidential passwords, nor the failure to update the computer’s antivirus software was the efficient and proximate cause of the plaintiff’s loss.  In addition, the trial court held it was not then a ‘foreseeable and natural consequence’ that a hacker would make a fraudulent wire transfer. Thus, even if those circumstances ‘played an essential role’ in the loss, they were not ‘independent and efficient causes’ of the loss. The defendant insurer appealed.

As this was a diversity action, Minnesota law governed the interpretation of the bond.  As you may recall, Minnesota has a “concurrent causation” doctrine, under which an insured is entitled to recover from an insurer when the cause of the loss is not excluded under the policy, even though an excluded cause may have also contributed to the loss.

The insurer argued that, despite the general applicability of the concurrent causation doctrine to Minnesota insurance contracts, the doctrine is supposedly not similarly applicable to financial institution bonds because a bond requires the insured to initially show that its loss directly and immediately resulted from dishonest, criminal, or malicious conduct.  Thus, the insurer argued the standard of proof is higher for financial institution bonds than under the concurrent causation doctrine.

However, the Eighth Circuit held that Minnesota generally treats financial institution bonds as insurance policies, and no Minnesota case precludes the application of the concurrent causation doctrine to financial institution bonds. Thus, the Eighth Circuit found that Minnesota courts would adhere to the general rule of treating financial institution bonds as insurance policies, and interpreting them in accordance with the principles of insurance law.

Rejecting the insurer’s argument that the bond imposed a higher standard of proof, the Court held that the bank still had to show that its loss was directly caused by the fraudulent transfer, and that the application of the concurrent causation doctrine did not interfere with that requirement.

Next, the Eighth Circuit rejected the insurer’s argument that the parties drafted around the concurrent causation doctrine in the bond.  The Court held that parties may include “anti-concurrent causation” language in contracts to prevent the application of the concurrent causation doctrine, but in those cases where courts have found the contract contains an anti-concurrent causation clause, the language used is clear and specific.  The Eighth Circuit held that the bond’s reference to “indirectly” in its exclusion was not a sufficient invocation of the “anti-concurrent causation” provision, and thus that the bond at issue in this matter did not contain such a provision.

Lastly, the insurer argued that the trial court erred in concluding the fraudulent hacking was the overriding, proximate cause of the loss. The Eighth Circuit relied on its application of the concurrent causation doctrine in Friedberg v. Chubb & Son, 691 F.3d 948 (8th Cir. 2012). The Friedbergs had extensive water damage in their home. The Friedbergs claimed their policy covered the water damage to their home because the loss resulted from the combination of both faulty construction and the presence of water. The policy contained exclusion for losses caused by faulty construction.

The Eighth Circuit held, where an excluded peril contributed to the loss, an insured may recover if a covered peril is the efficient and proximate cause of the loss. Conversely, the Court held, it follows that if an excluded peril is the efficient and proximate cause of the loss, then coverage is excluded.  The Eighth Circuit explained that an efficient and proximate cause, in other words, is an overriding cause. Thus, the Court held, the policy did not cover the Friedbergs’ loss.

Here, the Eighth Circuit agreed with the trial court’s finding that the proximate cause of the loss was the illegal transfer of the money, and not the employee’s violation of policies and procedures.

The Court held that an illegal wire transfer is not a foreseeable and natural consequence of the bank employee’s failure to follow proper computer security policies, and that the overriding cause of the loss the bank suffered was the criminal activity of a third party.

Accordingly, the Eighth Circuit found that the trial court properly granted summary judgment to the bank, and affirmed the ruling.