Ransomware not only is increasing with disturbing frequency—it also is evolving to present new layers of risks. One major development of ransomware is “jackware.”
Jackware, like ransomware, involves the remote takeover of a computer. Whereas ransomware generally targets the data on servers and desktops, disrupting the flow of information and transactions, jackware targets physical devices themselves, particularly connected “smart” devices that have computer functionality embedded in them. Jackware enables the hacker to take control or shut down over all or part of the operational functions of a physical device, piece of equipment or machine.
In addition to smart products like cars, medical devices and home appliances, jackware can also infect any security, industrial and critical infrastructure systems that are operated by embedded computer functionality. While hacks of industrial targets like pipelines and blast furnaces have been in the news for nearly a decade, those once-rare instances now are growing in prevalence. The Russian invasion of Ukraine may also stimulate further and larger-scale attacks as Russian hackers have been probing U.S. energy infrastructure for weak spots to disrupt operations since sanctions were imposed.
Jackware can be a form of ransomware, as when a hacker gains access to a car with an embedded computer and locks the doors until a ransom is paid. Other examples include attacks on office equipment, industrial machinery and medical equipment. Further variations could include supply chain attacks, where components such as manufacturing equipment, transportation machinery, or refrigeration and climate control could be altered or disabled to destroy the goods being shipped.
Insurance Coverage for Jackware Losses and Liabilities
Jackware attacks may implicate a wider range of insurance policies than ransomware attacks. With ransomware, the primary loss almost always is monetary—the ransom paid. There also may be residual issues with the software or hardware, requiring replacement or repair to regain full operation of a computer system.
A jackware attack may cause property damage or even bodily injury. If machinery or equipment causes property damage or bodily injury to others, there may be third-party liability as well. Voluntary shutdown, undertaken to prevent such bodily injury and property damage, also may trigger losses that create liability.
A number of insurance policies may respond to a jackware event. Policyholders might look first to their cyber policies, many of which provide both first-party coverage and third-party coverage. Cyber policies should provide coverage for losses to data and computer or computer system components. Typically, however, cyber policies contain exclusions for bodily injury and for certain types of property damage. Those exclusions might pertain whether the claim is for coverage of a first-party loss or third-party liability. Property policies and general liability policies often fill the coverage gap for such losses.
In the wake of some cyberattacks, including ransomware attacks, policyholders have successfully sought coverage under a property policy for loss of data. Such losses were the center of the dispute in National Ink and Stitch v. State Auto Property and Casualty Insurance Co. and in EMOI Services, LLC v. Owners Insurance Co. Those cases held that coverage grants in property policies did extend coverage to loss of data and of computer software functionality. Those precedents bode well for coverage for the wider scope of property damage that jackware attacks may cause.
Property policies, particularly all-risk policies, also may provide coverage for loss of other types of property triggered by a cyberattack. If a jackware attack causes an equipment malfunction that in turn causes a fire, fire damage to the policyholder’s property should be covered.
Commercial general liability policies also may respond to a jackware attack—if, for example, an attack on the policyholder’s machinery causes that machinery to damage property belonging to others. CGL policies cover all loss the policyholder is legally obligated to pay based on liability from bodily injury or property damage.
In a hardening cyber insurance coverage market, coverage for cyber-related losses under other types of insurance policies is becoming increasingly important. Property policies and commercial general liability policies are important options. Not only should policyholders fight to keep cyber exclusions off of these policies, but also should fight for the coverage that those policies are written to provide for losses from property damage and bodily injury. Just because property policies or liability policies apply to portions of a loss from jackware does not mean that cyber coverage cannot apply. To the contrary, all three types of policies may provide coverage for a given scenario.