An Iranian state-aligned cyberattack on a Fortune 500 medical device maker raises complex questions about war exclusion wording in cyber policies, Moody’s warns.

Stryker Corporation’s global operations shut down on March 11 after a “wiper attack” designed to remove or overwrite data.

It was the first confirmed attack by Iran since the war with the US and Israel began.

Analyst Moody’s says the breach shows that despite an internet blackout, Iranian-allied groups retain the capability for destructive cyber operations against major Western corporations.

Moody’s director of cyber model development Christopher Vos says the key question is whether this is the beginning of a broader campaign or an isolated incident.

Moody’s says the breach signals that “cyber activity may now supplement or replace kinetic retaliation”.

It says cyber policy exclusions may hinge on attribution to a state, nature of the hostile act, the impact on state-level essential services or a combination of these factors.

“An attack against an individual corporation, however severe, likely sits below the systemic thresholds most exclusions were designed to address.

“A more difficult question is whether a co-ordinated campaign of individual, subsystemic attacks, spread across a variety of sectors and insureds, could collectively reach a point where exclusions trigger.”

An update from Stryker on March 15 said all its products were safe to use. The breach was restricted to its internal Microsoft environment, and it was working on restoring systems that directly support customers, ordering and shipping.