Cyber Insurance
,
Cyberwarfare / Nation-State Attacks
,
Fraud Management & Cybercrime
Stryker Has Said It Doesn’t Carry Cyber insurance

Medical technology manufacturer Stryker notified investors that its March 11 cyberattack will have an impact on first quarter results. The company not appear to have a cyber insurance policy in place to potentially cover costs associated with the attack.
See Also: Reduce Cloud Risk in Healthcare with Security by Default
Stryker in a filing to the U.S. Securities and Exchange Commission said its global manufacturing, ordering and distribution operations are restored, but that the incident created a material impact.
Stryker considered factors “including the scope and duration of the operational disruption, the systems affected and the potential for customer, regulatory and other impacts.” The company is slated to release its first quarter results on April 30. It reported net sales of $25.1 billion in 2025.
But in its latest disclosure Stryker also asserted that the incident “has not had, and is not reasonably likely to have, a material impact on Stryker’s 2026 full-year guidance.”
In March, soon after the attack was discovered, Stryker said it had not yet determined whether the incident was reasonably likely to have a material impact on the company.
Hacktivist group Handala, widely suspected of being a front for Iran’s Ministry of Intelligence, has boasted of exfiltrating 50 terabytes of “critical data” for Stryker. The group said it permanently erased “in just a few hours” 200,000 devices and 12 petabytes of Stryker data “that took years to collect and billions of dollars to protect.”
Handala appears to have gained access to Stryker’s Active Directory infrastructure and used Microsoft Intune endpoint management tool to remotely wipe the devices and servers.
Stryker contends the incident did not impact devices and systems connected to customers but the IT outage disrupted the company’s electronic ordering and related systems used by clients (see: Health Sector Braces for Stryker Hack Supply Chain Shock).
No Cyber Coverage?
Stryker on corporate website webpage – last updated in August 2022 – said it does not have cyber insurance.
“We have a thorough global security program encompassing both corporate and product security that is committed to attaining and retaining external certifications including Global ISO 27001 and the SOC 2 certification of Stryker’s health cloud,” the company said.
Stryker “has not entered into an information security risk insurance policy,” the company said.
In Stryker’s case, whether or not it bought cyber insurance might be a moot point. “After a big incident it’s of course always possible that a company may wish it had insurance coverage – but in this case I think it’s quite possible that a war exclusion might apply given the ongoing conflict in Iran and limit how much Stryker could have claimed under a cyber insurance policy,” said Josephine Wolff, an associate professor at the Fletcher School at Tufts University who studies cyber insurance.
Insurers have been aggressive in excluding incidents they say are the result of nation-state conflicts on the ground that premiums can’t measure the potential risk.
“So while cyber insurance policies do typically cover at least some of the legal fees and settlement costs associated with class action litigation, as well as business interruption costs associated with attacks on availability, that’s no guarantee that a policy would have compensated Stryker for this particular incident under these particular circumstances,” Wolff said.
Cyber insurance can include coverage for business interruption, said attorney Kate Repko, counsel and co-chair of the insurance recovery group cyber task force at law firm Haynes Boone. It’s possible that other policies also do so such as commercial general liability, directors and officers, and property coverage, she added.
Stryker does face a growing stack of proposed class action lawsuits involving the incident (see: Stryker Wiper Attack Hackers Boast As Lawsuits Pile Up).
“Depending upon the nature of the class action allegations, coverage could be triggered under cyber or management liability policies, such as directors and officers” insurance, Repko said.
Stryker did not immediately respond to a request for additional details regarding the attack, and to confirm that it does not have cyber insurance.
Stryker on its website says its cybersecurity program “leverages a defense-in-depth strategy that is supported by a highly experienced team of cybersecurity experts.”
