The Stryker cyberattack, in which Iran-linked group Handala claims to have wiped more than 200,000 systems and extracted 50 terabytes of data, has raised difficult questions for insurers grappling with the blurred line between cybercrime and state-sponsored sabotage.
The US medical device giant, which employs 56,000 people across 61 countries and holds a $450 million contract with the US Department of Defense, received no ransom demand. The attack was purely destructive.
That marks a departure from the ransomware playbook that has dominated cyber claims in recent years. A report found that data theft without encryption accounted for 57.6% of extortion cases that year, but the Stryker cyberattack involved no extortion at all.
A NetSecurity analysis noted that wiper attacks generate costs far exceeding typical ransomware incidents, partly because the destruction of forensic evidence complicates investigations.
Chris Butler, resilience director at business continuity firm Databarracks, said the attack represented a fundamental shift. "The usual intention of a ransomware attack is profit, whereas in this instance the intent was purely disruption and destruction," he said.
Stryker's size and defense ties may have made it a target, Butler added, warning that businesses with no direct role in geopolitical conflicts could still be caught in the collateral damage.
The Handala attack is now among the cases testing cyber war exclusion wordings across the insurance market.
Iranian state-sponsored actors and allied hacktivist groups have been conducting disruptive operations against US networks since at least early 2025, with the cyber dimension of the Middle East conflict emerging as a material exposure for insurers and their clients, a Kennedys analysis has noted.
Lloyd's mandated in 2022 that all standalone cyber policies carry clauses excluding losses from state-backed cyberattacks, effective from March 2023. The most widely adopted wording, LMA5567, does not blanket-exclude state-linked incidents. Instead, it applies a threshold test tied to whether an operation causes "major detrimental impact" on a state's essential services. Some brokers and MGAs have since sought carve-backs restoring partial cover for collateral damage.
Marsh has flagged non-concurrency as a persistent problem, with some clients facing five or more different war exclusion wordings in a single tower of coverage.
For Iran-linked attacks against US targets, attribution remains the central difficulty. Handala has claimed responsibility for the Stryker cyberattack, but no formal US government determination has been issued.
The fallout has spread beyond Stryker itself. Butler said the company's customers have begun disconnecting from its systems to guard against potential malware transmission, even though Stryker has stated its products are safe to use.
"Manual alternatives are less efficient and more costly, but they're sometimes the only way to keep services running," Butler said.
He cautioned that the attackers may have retained copies of the wiped data for future extortion, and that the only reliable path to recovery lay in isolated, air-gapped backups.