A federal appellate court ruling in favor of a Minnesota bank that sued its insurer for coverage of costs associated with a fraudulent wire transfer is significant. But it may not have a substantial impact on other bank cases, financial fraud experts say.
The U.S. Court of Appeals for the Eighth Circuit recently upheld a Minnesota district court's ruling that fraud losses suffered by the State Bank of Bellingham should be covered by the bank's insurance provider, BancInsure, an Oklahoma-based company that in November 2013 changed its name to Red Rock Insurance Co. The district court awarded State Bank $620,187, plus attorney's fees.
BancInsure appealed the ruling, arguing that Minnesota law governing insurance contracts does not apply to financial institution bonds. But the appellate court disagreed.
The lawsuit was filed in the aftermath of an October 2011 incident in which a computer the bank used to conduct wire transfers through the Federal Reserve's FedLine Advantage Plus system was infected with malware, according to court records. The computer was infected after one of the bank's five employees neglected to remove two physical tokens from the PC after conducting a legitimate wire transfer, court filings state.
"It's very significant and is right on the mark," says financial fraud expert Avivah Litan, a Gartner analyst. "Hackers can usually find a way into an enterprise, and insurers shouldn't insure if they aren't prepared to deal with that fact. ... So yes, this decision is a win, but not a big win, because I expect insurance companies to continue challenging this type of ruling in future cases."
Litan predicts insurance companies will increasingly include cyberattack coverage exclusions in their policies for banks. "It's a little ... like homeowners' insurance. There are so many exclusions that most occurrences of damage to a house, short of a catastrophic fire, are not covered. And if consumers do file claims, their rates go up while they get little insurance coverage in return."
Other fraud experts predict the Minnesota case won't have much of an impact on other legal disputes between banks and insurers because it focused primarily on one state's laws.
Court Rules Cyberheist Covered by Policy
In the Bellingham case, the tokens were left in the PC overnight, the court records show. When the employee returned the next day, she saw that two unauthorized wire transfers had successfully been sent to two different banks in Poland; the bank was only able to reverse one of the unauthorized wires after contacting the Fed. The other wire, totaling $485,000, could not be reversed, court records show.
"In order to complete a wire transfer via FedLine, two Bellingham employees had to enter their individual user names, insert individual physical tokens into the computer, and type in individual passwords and passphrases," according to court records.
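The two-person, token-plus-passphrase control described above was defeated because the tokens stayed in the machine overnight and the malware had also captured the passwords. The model below is an added illustration, not FedLine's actual logic and not code from the bank or the court record: a release gate that binds each approval to the exact transfer and a short freshness window (so earlier approvals cannot be replayed against a new wire), and that goes one step beyond the article by holding a wire for out-of-band confirmation when it shows the risk signals seen in this case (first-time beneficiary, cross-border destination, submission outside business hours). All user names, token serials, secrets, time limits and amounts are constructed for the example.

```python
"""Hypothetical dual-control wire release gate (added example, not FedLine's logic).

Two distinct employees must each present a fresh approval bound to the exact
transfer; even when both factors are in an attacker's hands, risk rules can
still hold the wire for confirmation through a separate channel.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set
import hashlib
import hmac

FRESHNESS = timedelta(minutes=5)   # assumption: an approval older than this is stale
BUSINESS_HOURS = range(8, 18)      # assumption: releases expected 08:00-17:59 local time

# Constructed enrollment data: token serial -> (enrolled user, secret shared with that token).
ENROLLED = {
    "TOK-001": ("alice", b"constructed-secret-alice"),
    "TOK-002": ("bob", b"constructed-secret-bob"),
}


@dataclass(frozen=True)
class Wire:
    amount: int
    beneficiary: str   # constructed beneficiary account identifier
    country: str


@dataclass(frozen=True)
class Approval:
    user: str
    token: str
    issued_at: datetime
    proof: str         # HMAC over the exact transfer being approved


def _proof(secret: bytes, user: str, token: str, wire: Wire, issued_at: datetime) -> str:
    # Binding the proof to amount, beneficiary, country and time means an approval
    # captured for one wire is useless for a different one.
    msg = f"{user}|{token}|{wire.amount}|{wire.beneficiary}|{wire.country}|{issued_at.isoformat()}"
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()


def approve(user: str, token: str, wire: Wire, at: datetime) -> Approval:
    """What an employee produces when authenticating for this specific transfer."""
    owner, secret = ENROLLED[token]
    assert owner == user, "token must belong to the approving user"
    return Approval(user, token, at, _proof(secret, user, token, wire, at))


def check_dual_control(wire: Wire, approvals: List[Approval], now: datetime) -> Optional[str]:
    """Return a rejection reason, or None when dual control is satisfied."""
    if len(approvals) < 2:
        return "two approvals required"
    if len({a.user for a in approvals}) < 2:
        return "approvers must be distinct people"
    for a in approvals:
        owner, secret = ENROLLED.get(a.token, (None, b""))
        if owner != a.user:
            return f"token {a.token} is not enrolled to {a.user}"
        if now - a.issued_at > FRESHNESS:
            return f"approval by {a.user} is stale"
        if not hmac.compare_digest(_proof(secret, a.user, a.token, wire, a.issued_at), a.proof):
            return f"approval by {a.user} was not given for this transfer"
    return None


def risk_hold_reasons(wire: Wire, known: Set[str], home_country: str, now: datetime) -> List[str]:
    """Signals that should route a wire to out-of-band confirmation before release."""
    reasons = []
    if wire.beneficiary not in known:
        reasons.append("first payment to this beneficiary")
    if wire.country != home_country:
        reasons.append(f"cross-border destination {wire.country}")
    if now.hour not in BUSINESS_HOURS:
        reasons.append("submitted outside business hours")
    return reasons


def decide(wire: Wire, approvals: List[Approval], known: Set[str], home_country: str, now: datetime) -> str:
    reason = check_dual_control(wire, approvals, now)
    if reason:
        return f"REJECT: {reason}"
    holds = risk_hold_reasons(wire, known, home_country, now)
    if holds:
        return "HOLD for out-of-band confirmation: " + "; ".join(holds)
    return "RELEASE"


if __name__ == "__main__":
    day = datetime(2011, 10, 3, 10, 0)
    night = datetime(2011, 10, 4, 2, 0)
    known = {"US-KNOWN-1"}
    legit = Wire(5000, "US-KNOWN-1", "US")
    a1, a2 = approve("alice", "TOK-001", legit, day), approve("bob", "TOK-002", legit, day)
    print(decide(legit, [a1, a2], known, "US", day))
    fraud = Wire(485000, "PL-NEW-1", "PL")
    print(decide(fraud, [a1, a2], known, "US", night))   # replay of yesterday's approvals
    b1, b2 = approve("alice", "TOK-001", fraud, night), approve("bob", "TOK-002", fraud, night)
    print(decide(fraud, [b1, b2], known, "US", night))   # both factors stolen, still held
```

The third case is the one that matters for this incident: once the tokens and passwords are both available to the malware, freshness and transaction binding no longer help, and only a control that does not run on the compromised PC (confirmation over a separate channel, triggered by the risk rules) stands between the attacker and the funds.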
In 2010, State Bank purchased a financial institution bond from BancInsure. The bond, a type of insurance, provided coverage for losses, such as those caused by an employee's dishonesty and forgery, as well as computer-system fraud.
State Bank sued BancInsure after the insurer denied the bank's claim, alleging that BancInsure had breached its contract. The bank's coverage was not sold as cyber insurance.
BancInsure said it denied the bank's claim, according to court records, because the bank's fraud loss resulted from an employee's mistake, and not because of the theft of confidential information, mechanical breakdowns or the deterioration of computer systems.
But the district court agreed with the bank that the fraud loss should be covered by the bond, noting that "the computer system's fraud was the efficient and proximate cause of [Bellingham's] loss," which ultimately resulted because hackers broke in, not because an employee approved a fraudulent wire or maliciously scheduled one.
"Neither the employees' violations of policies and practices (no matter how numerous), the taking of confidential passwords, nor the failure to update the computer's anti-virus software was the efficient and proximate cause of [Bellingham's] loss," the district court found.
The insurer appealed the decision, but the appellate court upheld the lower court's ruling. "We find that Minnesota courts would adhere to the general rule of treating financial institution bonds as insurance policies and interpreting those bonds in accordance with the principles of insurance law," the appellate court notes in its ruling. "We agree with the district court's conclusion that 'the efficient and proximate cause' of the loss in this situation was the illegal transfer of the money and not the employees' violations of policies and procedures."
Neither BancInsure nor State Bank replied to Information Security Media Group's request for comment.
Ruling's Impact Likely To Be Limited
Cybersecurity attorney Chris Pierson, CISO and general counsel at invoicing and payments provider Viewpost, questions whether the ruling will have much of an impact on other cases because of its focus on Minnesota law.
"Since this determination is based on the specific language of the policy and state law, it is not a broad brush to all insurance cases," he says. "The court's perspective that failing to remove a dual-factor and tokenized authentication medium is not 'a reasonably foreseeable event likely to cause the exploitation of an illegal money transfer' is hard to swallow. A lot more remains to be seen of this case."
Attorney Stan Orszula, a partner at the law firm Barack Ferrazzano Financial Institutions Group, notes that insurance companies closely watch case law and adjust their contracts after rulings like this one to ensure they don't have to cover big payouts for losses going forward.
"This type of incident could happen to anybody - an employee leaving a token behind or in a computer - so the insurance companies will adjust what they cover," he predicts.
But the court recognized that the fraud loss was tied to a malware infection, Orszula says. "This loss would not have happened were it not for the criminal. You obviously have to be diligent about your security; but there are limits, and no one can be expected to cover every attack."
Looking ahead, Orszula predicts insurers sued by banks in similar cases might ask courts to use the Federal Financial Institutions Examination Council's Cybersecurity Assessment Tool to help determine if a bank took reasonable security precautions to prevent fraud (see Gartner's Litan: FFIEC Assessment Tool Falls Short).
"Could that tool be used in litigation to prove whether a bank had reasonable security in place?" Orszula asks. "Could insurance companies use it to ask, 'How was your cybersecurity at the time of the attack? Did you assess your security properly? Did you take certain steps to mitigate risks?'"