Weakest link: Your employees jeopardize cyber-insurance coverage

This blog has repeatedly covered risks to banks and businesses from cyber-attack. Prudent banks and businesses need to train employees, develop an incident response plan, and purchase insurance to cover the inevitable cyber-attack. A recent case from Minnesota demonstrates how even the most robust cyber-attack response plan can be jeopardized by every plan’s weakest link: employees.

The case of State Bank of Bellingham v. BancInsure, Inc. began with a fraudulent wire transfer by State Bank of Bellingham in the fall of 2011. The fraudulent wire transfer occurred through the Federal Reserve’s FedLine system. The bank had a desktop computer that connected to FedLine’s Virtual Private Network (“VPN”) where the bank initiated wire transfers. In order to complete a wire transfer a user had to enter an authorized username, two passwords, a third password generated by a security token issued by FedLine, and enter a second username and set of passwords.

On the morning of October 28, 2011, a bank employee arrived at the bank to find that two wire transfers totaling $940,000 had been initiated to bank accounts in Poland. The bank employee immediately tried to stop the wires, but the bank was experiencing a denial-of-service attack (“DoS”) that crippled the bank’s ability to access the Internet. The bank contacted the Federal Reserve and the Federal Reserve contacted intermediary banks that were able to reverse one of the two wires. The bank ultimately lost $485,000.

The bank made a claim on its bond, but the carrier denied coverage. As part of the dispute with the carrier the bank conducted its own forensic examination of the computer that initiated the wire transfers. The forensic examination revealed:

• The bank had failed to implement automatic software and hardware security updates;

• A bank employee had received a spam email message and clicked on a link that downloaded multiple pieces of malware;

• The malware, known as the Zeus virus, allowed hackers to obtain all of the passwords and usernames for initiating wire transfers;

• One of the reasons Zeus was able to obtain all of the passwords is because bank employees left the FedLine secure token—a USB drive—plugged into the computer at all times;

• Antivirus software detected the Zeus virus and warned employees, but it appears bank employees failed to command the antivirus software to remove the Zeus virus;

• Multiple non-business websites were accessed on the FedLine computer, including Facebook and personal email accounts;

• There was a history of spam email messages being opened from personal email accounts; and

• The FedLine computer was accessible by any bank employee because the computer was not password protected.

Employees’ use of the FedLine computer created a gaping hole in the bank’s cyber-defenses. Moreover, all of the problems identified by the forensic investigation were problems associated with human behavior, not with a deficiency in the bank’s technical cyber-defenses.

The bond carrier asserted three policy exclusions that barred coverage for the attack: (1) the employee exclusion, (2) loss from theft of confidential information exclusions, and (3) loss from a mechanical failure or gradual deterioration of a computer system exclusion. Applying Minnesota law, the court concluded that none of the exclusions applied because the overriding cause of the loss was the hackers’ fraud.

While the bank was ultimately made whole, the case came down to whether a court viewed the employees’ conduct as the overriding cause of the bank’s loss. While there is no doubt that but for the actions of the hackers the fraudulent wire transfers would not have occurred, it is also true that but for the conduct of the employees the FedLine computer would not have been vulnerable. This case presents a close question and it is not hard to imagine a different court deciding the case differently. A court could also easily decide that because the question of cause is so close a jury would need to decide the outcome.

The State Bank of Bellingham was made whole, but it isn’t clear that every bank in the same position will be made whole too. The better course is to learn from the mistakes in this case, and spend time thinking about how to strengthen every organization’s weakest links: its employees.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.