By Kyle Sawdey, CRO & EVP of Insurance, SeedPod Cyber
By now, most people in our industry have seen the headlines. Stryker — a Fortune 300 medical device giant with $25 billion in revenue — had its global Microsoft environment hit by a destructive wiper attack on March 11. Over 200,000 endpoints wiped. 50 terabytes of data potentially stolen. An ECG transmission system used by paramedics temporarily knocked offline. Operations disrupted across 79 countries.
The attacker? An Iran-linked hacktivist group called Handala, exploiting what appears to be weaponized access to Microsoft Intune: Stryker’s own device management platform turned against them.
That last part deserves to sit with you for a second. The tool that was supposed to manage and secure their devices became the delivery mechanism for mass erasure. That’s not a failure of perimeter security. That’s a failure of identity governance, privileged access controls, and, critically, the kind of ongoing threat monitoring that flags compromised credentials before they’re activated.
Here’s the detail that stopped me cold, though.
Stryker didn’t have cyber insurance.
An external company’s security research team published a post-mortem noting that in the months before the attack, infostealer logs showed stolen credentials tied to Stryker identities: credentials that would have gated access to their SSO, identity providers, and device management stack. The exact infrastructure that was ultimately weaponized against them.
The firm’s point was blunt: if Stryker had been a policyholder, their underwriting process would have flagged those stolen credentials and required remediation before binding. The insurance process itself, not just the policy, would have been a security forcing function.
Stryker had the resources to weather this (or at least to try). They have a global security program, certifications, IR plans, and the kind of legal and technical infrastructure that comes with being a Fortune 300 company. They’ll recover.
Most SMBs won’t.
The average SMB doesn’t have a war room. They don’t have a Palo Alto Networks Unit 42 forensic team on retainer. They don’t have a comms team drafting customer reassurance updates. When a wiper hits an SMB or their MSP’s RMM stack, it’s often lights out. Permanently.
A few things I think this moment demands from our corner of the market:
- MDM/RMM tools are now a primary attack surface, not just a management convenience. MFA on Intune, multi-person approval for destructive actions, and strict role separation aren’t optional hygiene; they’re existential controls for MSPs. Our underwriting reflects this.
- Credential exposure is pre-breach, not post-breach. Infostealer logs containing SSO and admin credentials sitting in dark web forums aren’t a “monitoring” problem; they’re an active incident waiting to happen. If your clients’ credentials are already out there, the clock is running.
- Your MSP is your first line of defense. Are you actually using them that way? MSPs exist to do more than keep the lights on. The best ones are proactively hardening your tech stack, flagging vulnerabilities before they become incidents, and guiding you toward the controls that meaningfully reduce your risk. If your relationship with your MSP is purely reactive (break something, fix it), you’re leaving your most valuable security resource on the table. Lean on their expertise. That’s what they’re there for.
The Stryker attack is a vivid illustration of where cyber risk is heading. Nation-state actors, geopolitically motivated destruction rather than ransomware, supply chain dependencies as amplifiers, and critical operational infrastructure at stake.
The question for every MSP, every SMB, and every insurance professional in this space isn’t whether these attacks will reach your clients. It’s whether the defenses, and the insurance backstop, are already in place when they do.
At SeedPod, we’re building for that reality. Because for the companies we protect, there’s no Palo Alto on speed dial. There’s just their MSP and us.
This content is intended for informational purposes only and does not constitute legal, technical, or insurance advice. References to third-party companies, incidents, or products are based on publicly available information and are not intended to imply any affiliation, endorsement, or criticism. Coverage availability, terms, and eligibility vary by risk and are subject to underwriting review. Consult a licensed insurance professional for guidance specific to your situation.