By Kyle Sawdey | CRO & EVP of Underwriting | Updated May 2026
By now, most people in our industry have seen the headlines. Stryker, a Fortune 300 medical device giant with $25 billion in revenue, had its global Microsoft environment hit by a destructive wiper attack on March 11. Over 200,000 endpoints wiped. 50 terabytes of data potentially stolen. An ECG transmission system used by paramedics temporarily knocked offline. Operations disrupted across 79 countries.
The attacker? An Iran-linked hacktivist group called Handala, exploiting what appears to be weaponized access to Microsoft Intune: Stryker’s own device management platform turned against them.
That last part deserves attention. The tool that was supposed to manage and secure their devices became the delivery mechanism for mass erasure. That’s not a failure of perimeter security. That’s a failure of identity governance, privileged access controls, and the kind of ongoing threat monitoring that flags compromised credentials before they’re activated.
Here’s the detail that stopped me cold, though.
Stryker didn’t have cyber insurance.
An external company’s security research team published a post-mortem noting that in the months before the attack, infostealer logs showed stolen credentials tied to Stryker identities: credentials that would have gated access to their SSO, identity providers, and device management stack. The exact infrastructure that was ultimately weaponized against them.
The firm’s point was blunt: if Stryker had been a policyholder, their underwriting process would have flagged those stolen credentials and required remediation before binding. The insurance process itself, not just the policy, would have been a security forcing function. That’s exactly how we approach underwriting at SeedPod, and it’s why our cyber insurance requirements and minimum controls checklist exists: not just to qualify coverage, but to close the gaps that make attacks like this possible in the first place.
Stryker had the resources to weather this. They have a global security program, certifications, IR plans, and the kind of legal and technical infrastructure that comes with being a Fortune 300 company. They’ll recover.
Most SMBs won’t.
The average SMB doesn’t have a war room. They don’t have a Palo Alto Networks Unit 42 forensic team on retainer. They don’t have a comms team drafting customer reassurance updates. When a wiper hits an SMB or their MSP’s RMM stack, it’s often lights out. Permanently. The financial math after an uninsured incident is brutal, and most small businesses don’t survive it.
A few things this moment demands from our corner of the market:
- MDM/RMM tools are now a primary attack surface, not just a management convenience. MFA on Intune, multi-person approval for destructive actions, and strict role separation aren’t optional hygiene; they’re existential controls for MSPs. Our underwriting reflects this. If you’re an MSP and want to understand exactly what we look for, the minimum controls checklist is a good starting point.
- Credential exposure is pre-breach, not post-breach. Infostealer logs containing SSO and admin credentials sitting in dark web forums aren’t a monitoring problem; they’re an active incident waiting to happen. If your clients’ credentials are already out there, the clock is running. This is one of the reasons we built our underwriting process to surface these risks before a policy binds, not after a claim is filed.
- Your MSP is your first line of defense. Are you actually using them that way? MSPs exist to do more than keep the lights on. The best ones are proactively hardening your tech stack, flagging vulnerabilities before they become incidents, and guiding you toward the controls that meaningfully reduce your risk. If your relationship with your MSP is purely reactive, you’re leaving your most valuable security resource on the table.
The Stryker attack is a vivid illustration of where cyber risk is heading: nation-state actors, geopolitically motivated destruction rather than ransomware, supply chain dependencies as amplifiers, and critical operational infrastructure at stake. For healthcare organizations specifically, where operational downtime has direct patient safety consequences, the stakes couldn’t be higher. We cover the coverage landscape for this sector in our guide to cyber insurance for hospitals and health systems.
The question for every MSP, every SMB, and every insurance professional in this space isn’t whether these attacks will reach your clients. It’s whether the defenses and the insurance backstop are already in place when they do.
At SeedPod, we’re building for that reality. Because for the companies we protect, there’s no Palo Alto on speed dial. There’s just their MSP and us.
If you’re ready to understand what coverage looks like for your organization and what controls underwriters actually require, get a quote or reach out directly.
If the Stryker incident raised questions about how your own policy would respond to a third-party-originated disruption, that is worth answering before the next one. Contact SeedPod Cyber to review your contingent business interruption coverage and vendor dependency exposure.