Eighth Circuit Finds Coverage Under a Financial Institution Bond For a Hacker’s Fraudulent Wire Transfer Notwithstanding Employee Negligence

State Bank of Bellingham v. BancInsure, Inc., No. 14-3432 (8th Cir. May 20, 2016).The Eighth Circuit held that Bellingham, a small Minnesota bank, was entitled to coverage under a financial institution bond when a hacker broke into the bank’s network and performed two fraudulent wire transfers, notwithstanding that the hack was enabled by employee negligence. The bank utilizes the Federal Reserve’s FedLine Advantage Plus system to make wire transfers. That system requires two bank employees to physically insert tokens into a desktop computer to make a transfer. An employee accidentally left a computer running overnight with the tokens inserted, and two unauthorized transfers were made by a hacker. The first transfer was successfully intercepted and reversed, but the second could not be, and the bank sought coverage for a total loss of $485,000. The insurer, BancInsure denied coverage on the basis that the bank’s employee had acted negligently in leaving the desktop running overnight with the tokens inserted, and the loss thus fell within an exclusion for employee-caused loss.

Minnesota law applied, and Minnesota has adopted the concurrent causation doctrine, which affords coverage when multiple causes contribute to a loss, even though one of the causes is excluded. The court rejected the argument that this doctrine did not apply to financial institution bonds, and that the standard of proof of causation was higher for financial institution bonds than for general insurance policies. Applying the test of whether the loss was “directly caused” by the employee’s negligence, the court held that the “efficient and proximate cause” (the “overriding cause”) of the loss was the transfer by the hacker, not the negligence of the employee. It thus affirmed summary judgment in favor of the bank.