tl;dr

The US-Iran conflict arrived in cyber insurance this week via Handala's devastating wiper attack on Stryker, forcing a live market test of Lloyd's war exclusion wording LMA5567 and exposing the gap between what policyholders assume is excluded and what the clause actually requires.

Away from the geopolitical noise, Conning's new study finds that underwriting discipline has strengthened meaningfully but flags systemic accumulation risk and pricing pressure as structural threats to long-term scalability—while the UK's new cybersecurity strategy adds pressure on underwriters to rethink compliance-based risk assessment.

On the product front, Brit launched C360 with an "any one claim" SME structure and Spektrum Labs embedded Limit's wholesale marketplace directly into its resilience platform, signaling a market actively building for the next chapter even as it navigates the current one.

🗓️ Upcoming Events

NetDiligence Cyber Risk Summit

The Summit provides insights on new trends in the Canadian cyber insurance market.

  • Dates: April 8-9, 2026

  • Location: Toronto, ON

  • Register: Event Info

Intelligent Insurer Cyber Risk & Insurance Innovation

The conference brings together stakeholders in cyber insurance delving deep into crucial topics such as the threat landscape, war exclusions, systemic risk and market conditions.

  • Dates: April 21-22, 2026

  • Location: Chicago, IL

  • Register: Event Info

Partner Spotlight: DynaRisk

Treaty cyber programmes don’t underperform because demand isn’t there.

They underperform because most carriers and brokers lack the insight to make cyber risk tangible and measurable.

For brokers, that means low engagement and poor conversion.

For underwriters, it means limited visibility, higher losses and exposure that’s harder to control.

In a soft market, that gap is holding back growth and performance.

DynaRisk analysed what high-performing white-label and embedded cyber programmes are doing differently.

This guide breaks down:

• Why most cyber programmes stall

• What top performers do differently

• How intelligence is improving conversion, visibility and portfolio performance


Iran Conflict & Cyber War Exclusions

  • Stryker Cyberattack Tests Insurers' War Exclusion Boundaries: Iran-linked Handala's wiper attack on Stryker—200,000+ systems wiped, 50TB exfiltrated across 79 global offices—is forcing insurers to apply Lloyd's LMA5567 war exclusion wording in a live coverage dispute where US government attribution remains formally undetermined and the "major detrimental impact" threshold is legally undefined.

  • Cyberattack Against Stryker Highlights Potential Impacts of Iran War on Healthcare Industry: The Stryker attack has exposed healthcare as the highest-exposure sector for Iran-linked cyber operations, with 28 health organizations among the top 12% of large US firms most vulnerable and operational disruptions cascading from medical device supply chain outages into frontline hospital operations.

Market Intelligence

  • Conning Releases 2026 Cyber Insurance Focus Study: The Increasing Insurability of Cyber Risk: Conning's new study finds that while underwriting discipline has meaningfully strengthened as cyberattacks have more than doubled since 2018, uneven demand growth, pricing pressure, and systemic accumulation concerns raise long-term scalability questions for the U.S. cyber insurance market.

  • Comments on UK Govt Cyber Security Strategy: The UK's new national cybersecurity strategy, with its shift toward real-world resilience over compliance-based frameworks, is prompting insurers to reconsider whether regulatory compliance can still serve as a valid proxy for cyber risk in their underwriting assessment processes.

New Products & Partnerships

  • Brit Launches New Cyber Product for SMEs: Brit has launched C360, a new Lloyd's cyber product for SMEs offering the full policy limit on an "any one claim" basis for unlimited events per policy period, with zero retention and 24/7 emergency response—targeting the persistent SME protection gap amid rising attacks on small and mid-market businesses.

  • Spektrum Embeds Limit Cyber Insurance Wholesaler Into Cyber Resilience Platform: Spektrum Labs has embedded Limit's digital wholesale insurance marketplace directly into its Cyber Resilience Platform, enabling businesses with continuously validated security posture to access carrier markets with one click—turning real-time security proof into instant coverage and eliminating the annual-questionnaire bottleneck that disconnects underwriting from actual risk.

📖 Deeper Dive

The Stryker Test Case: What the Iran War Is Teaching Cyber Insurers About War Exclusion Wording

Stryker was hit with a wiper attack on March 11, 2026. The attack, claimed by Handala, a group linked by Palo Alto Networks' Unit 42 to Iran's Ministry of Intelligence and Security, is the first significant live test of Lloyd's state-backed cyber attack exclusion mandate since it took effect in March 2023. After the NotPetya/Merck litigation exposed the inadequacy of legacy war exclusion language for cyber incidents, the Lloyd's mandate and the adoption of LMA5567 wording were the market's structured response. Stryker is now asking whether that response was sufficient or whether it simply shifted the ambiguity from one clause to another.

What Happened

Handala claimed responsibility for wiping more than 200,000 systems, servers, and mobile devices across 79 Stryker offices globally, and exfiltrating 50 terabytes of data. Stryker, a $22B+ medical device manufacturer whose equipment (surgical robots, orthopedic implants, imaging systems) is deployed in operating rooms worldwide, including NHS facilities, confirmed the disruption. Handala presents publicly as a hacktivist collective, but Unit 42 assesses it as an operational front for Iran's MOIS, specifically designed to allow Iran plausible deniability over its cyber operations.

How LMA5567 Actually Works and Where It Falls Short

The Lloyd's 2022 mandate required all standalone cyber policies to include an exclusion for losses from state-backed cyber operations, effective March 2023. The most widely adopted wording, LMA5567, does not blanket-exclude state-linked incidents. It applies a threshold: the exclusion only triggers when an operation causes a "major detrimental impact on the functioning of a state due to direct or indirect effects on the availability, integrity, or delivery of an essential service."

The problem is that "major detrimental impact" is not defined anywhere in the clause. Marsh's deputy cyber practice leader has stated publicly: "We still don't have an explanation for that." This creates a live question around Stryker: Does an attack that disrupts the global supply chain of the world's largest surgical equipment manufacturer, affecting hospital operations and NHS equipment availability, meet that threshold? The argument can be made either way, and without a definition in the wording, it will likely be made in court.

The Attribution Trap

Even assuming LMA5567's threshold is met, triggering the exclusion requires formal attribution to a state actor, something insurers have historically been unable to obtain quickly or cleanly.

Handala claims responsibility openly, but operates under a hacktivist persona specifically designed to obscure Iranian state involvement. Unit 42 has assessed Handala as an MOIS front. But no formal US government determination has been issued regarding the Stryker attack. Without an official government or court-validated attribution, insurers face a difficult choice: pay under the policy while a coverage dispute winds through litigation, or deny and risk the reputational and legal exposure of a wrongful denial.

This is structurally the same challenge that complicated NotPetya claims before Merck's court victories forced the industry's hand. LMA5567 was supposed to solve the attribution problem. But it does not specify who the attribution authority is: the insurer, the government, or a court. That gap is now exposed.

The NotPetya Shadow

The Merck/NotPetya dispute (ultimately settled confidentially in January 2024) established that the legacy war exclusion language used in property policies, written for kinetic warfare, did not apply to state-backed cyberattacks in the way insurers hoped. That ruling accelerated the Lloyd's mandate. LMA5567 was specifically designed for cyber, written with state-linked operations in mind.

The difference now: LMA5567 is purpose-built for this scenario. Insurers have a structurally stronger argument than they did in Merck. But the wording's undefined thresholds and absent attribution authority mean coverage disputes will still end up in court. The question is whether the outcome favors the insured, as Merck did, or the insurer. Healthcare clients with Stryker-adjacent exposure should not assume either way.

Strategic Considerations for Brokers

  • Pull client cyber policies and identify the war exclusion wording in force. LMA5567, LMA5564, and older property-derived language carry materially different risk profiles for Iran-linked scenarios. Know what your clients actually have.

  • Define the attribution process at renewal before a claim forces the question. Negotiate clarity on whose determination triggers the exclusion: insurer assessment, formal government designation, or judicial finding. Getting this into policy language now prevents a coverage fight at the worst possible time.

  • Healthcare clients deserve a specific conversation today. Hospitals, MedTech manufacturers, pharma companies, and device distributors face concentrated exposure to Iran-linked operations. War exclusion language, sub-limits, and contingent BI from supply chain disruptions all warrant a dedicated review.

  • Carve-back language for collateral damage is now worth the fight. Some brokers have successfully restored partial coverage for "collateral damage" from cyber operations during active conflicts. In the current environment, this is a viable and warranted negotiating position for clients in exposed sectors.

Till next time,

PostBind Cyber team
