Silent cyber, unintended coverage buried in commercial P&C policy forms, represents an industry probable maximum loss (PML) estimated between $10 billion and $250 billion or more depending on the scenario modeled, yet most commercial cat models treat it as zero (Lloyd's of London systemic risk scenarios; Kovrr, 2024). AI natural-language processing tools can now scan full commercial wordings, classify cyber-adjacent provisions against ISO benchmark exclusion language, and produce a portfolio-level silent cyber PML estimate. For actuaries certifying aggregate cat models used for financial statement purposes, that capability creates a new obligation: understanding what the AI classified and whether its accuracy is sufficient to rely on for the model's scope.
The Accumulation Problem Cat Models Have Ignored
Silent cyber is not a coverage gap in the traditional sense. It is coverage that exists, embedded in property forms, general liability policies, marine cargo, workers compensation, and directors and officers programs, without either the insurer or the insured explicitly agreeing that cyber events are included. A conventional commercial property policy written before the mid-2010s says nothing about whether a ransomware attack that triggers a business interruption loss is covered. Courts, adjusters, and coverage counsel have answered that question differently across jurisdictions, which is exactly the problem for a carrier trying to aggregate its PML.
The July 2024 CrowdStrike software update failure illustrated what silent cyber accumulation looks like at scale. Approximately 8.5 million Windows systems crashed simultaneously, triggering business interruption claims at airlines, hospitals, financial institutions, and logistics providers (Gen Re, February 2025). Total estimated damage ran to at least $10 billion (Gen Re, February 2025). The incident was not a malicious cyber attack. It was a faulty software update. Many commercial property and business interruption policies cover software-caused operational failures, many exclude them, and many say nothing explicit. Carriers whose policies fell into the third category discovered they had a coverage determination problem multiplied across thousands of accounts at once.
That concentration dynamic is the actuarial concern. Silent cyber is not a frequency problem; it is an accumulation problem. A single systemic cyber event, whether malicious or incidental, can simultaneously trigger cyber-adjacent provisions across an entire commercial book. The probability distribution of losses is not the same as independent low-severity claims. It resembles a cat peril more than a liability development pattern, which means the standard actuarial reserving tools are the wrong frame. The right frame is PML modeling, and PML modeling requires knowing which policies carry the exposure.
Lloyd's recognized this in July 2019 with Market Bulletin Y5258, which mandated that every policy written at Lloyd's must either explicitly affirm or explicitly exclude cyber coverage. The mandate applied in four phases, beginning January 1, 2020 for first-party property damage policies and extending through mid-2021 to marine, aviation, liability, and specialty classes. The LMA published property and marine cyber clauses to support the endorsement process. ISO followed with two mandatory commercial property endorsements in the US market: CP 10 75 12 20, which excludes all losses caused by a cyber incident, and CP 10 76 12 20, which excludes cyber-caused losses but preserves coverage for specified ensuing physical causes triggered by a cyber incident (ISO, December 2020). Carriers had to choose one of the two forms; the prior silence was no longer permissible on commercial property renewals.
The compliance mandate addressed new policy language. It did not retroactively resolve ambiguity in in-force portfolios, nor did it answer the accumulation question for carriers with large renewal books. A carrier renewing 50,000 commercial accounts through 2023 and 2024, applying the ISO endorsements prospectively, still had significant back-book exposure in multi-year policies and earlier-vintage accounts. The ISO choice also created a forward-looking pricing question: the carrier that chose CP 10 75 (straight exclusion) priced and reserved the book differently from the one that chose CP 10 76 (ensuing cause exception). Those decisions were made at the account level by underwriters, not aggregated and analyzed at the portfolio level by actuaries, which is precisely the gap AI wording analysis closes.
The Policy Scanning Methodology
In silent cyber scanning exercises run across mixed commercial P&C portfolios, a consistent finding is that affirmative cyber accounts for 20 to 30 percent of portfolio premium, while silent exposure turns up in another 40 to 50 percent of the book that never appeared in any prior cyber cat model input. That residual 40 to 50 percent is what AI wording tools are designed to surface.
The technical approach centers on natural-language processing applied to the full policy document, not just the declarations page. A commercial property or GL policy can run 40 to 80 pages including endorsements, schedules, and riders. The scanning engine ingests the complete document, applies tokenization and semantic classification to each provision, and scores each provision against a reference taxonomy of cyber coverage benchmarks. The taxonomy is built from the ISO model forms, the LMA cyber clause library, and market-standard manuscript wordings. Each provision receives a classification: explicitly excluded, explicitly affirmed, or ambiguous. Ambiguous provisions, which include wording that partially addresses cyber events or that uses non-standard language for which benchmark equivalence is unclear, are flagged for human review rather than auto-classified.
Kovrr announced the first fully integrated silent and affirmative cyber risk solution in October 2018, combining policy wording analysis with data harvesting to build tailored risk scenarios for each insurer's book (Business Wire, October 2018). The output is not just a coverage determination per policy; it is a loss process model that connects the policy's cyber-related provisions to specific attack vectors and loss severities. Cytora, in partnership with Google Cloud, has developed similar LLM-driven extraction capabilities that classify commercial risk fields from full submission documents, including manuscript endorsement language that does not appear in standard form databases (Google Cloud Blog, 2024).
The accuracy constraint is real. Modern LLM-based wording classifiers achieve high accuracy on standard ISO-language policies and known manuscript variants, but residual error rates on novel or highly customized wordings remain a documented concern. The practical implication is a portfolio scanning output that has two tiers: a high-confidence stratum of policies classified with low uncertainty, and a residual stratum requiring underwriter or counsel review. For a portfolio of 50,000 commercial accounts, the high-confidence stratum might cover 85 to 90 percent of policies; the remainder requires manual adjudication. The PML calculation should reflect this uncertainty with appropriate sensitivity ranges, not a single point estimate derived from assuming 100 percent classification accuracy.
From Industry Range to Portfolio-Specific PML
The $10 billion to $250 billion industry-level PML range is too wide to be actionable for treaty reinsurance design. That range is driven almost entirely by scenario assumptions: what constitutes a covered cyber trigger, how far up the loss chain coverage extends (direct damage versus contingent BI versus supply chain), and what the geographic and sector composition of the exposed book looks like. A carrier writing exclusively US mid-market commercial property has a very different silent cyber profile from one with a globally diversified specialty book. The industry range is a risk communication tool, not an input to a reinsurance structure.
AI scanning changes the unit of analysis from the industry to the portfolio. The output of a scanning exercise is a policy-level coverage classification that can be aggregated directly into the cat model. Each policy in the high-confidence stratum gets a binary or probabilistic cyber exposure flag; each flagged policy gets an estimated loss factor applied at the relevant severity tier; the aggregate PML is the sum of expected losses across plausible scenarios, accounting for accumulation across simultaneously triggered accounts. That portfolio-specific PML can be hundreds of millions for a large regional commercial carrier, or in the low single-digit billions for a national carrier with a dense urban commercial property book, and it is a fundamentally different number from any industry average proxy.
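The aggregation described above, together with the sensitivity range the previous section calls for, as an added example that is not from the article or any vendor's tool. The record fields, the sample book, the loss factors and the 5 percent error rate are constructed assumptions, and the treatment of misclassification is a deliberately simple bound rather than a calibrated model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScannedPolicy:
    policy_id: str
    stratum: str    # "high_confidence" or "residual" (queued for manual review)
    exposed: bool   # classifier's silent-cyber flag; not relied on for "residual"
    limit: float    # limit exposed to the scenario, USD


def pml_range(policies, loss_factor, error_rate):
    """Scenario loss as (low, point, high) for one severity tier.

    point assumes the classifier is always right and ignores the residual
    stratum. low/high let a share `error_rate` of high-confidence labels be
    wrong and bound every residual policy between not exposed and exposed.
    All policies are assumed to be triggered by the same systemic event.
    """
    low = point = high = 0.0
    for p in policies:
        loss = p.limit * loss_factor
        if p.stratum == "residual":
            high += loss                      # unreviewed wording: 0 up to full loss
        elif p.exposed:
            point += loss
            low += loss * (1.0 - error_rate)  # some flags may be false positives
            high += loss
        else:
            high += loss * error_rate         # some exclusions may be misread
    return low, point, high


def review_queue(policies):
    """Residual policies ordered by limit, largest first, for adjudication."""
    residual = [p for p in policies if p.stratum == "residual"]
    return [p.policy_id for p in sorted(residual, key=lambda p: -p.limit)]


# Constructed sample book and severity tiers (illustrative values only).
BOOK = [
    ScannedPolicy("P-001", "high_confidence", True, 10_000_000),
    ScannedPolicy("P-002", "high_confidence", False, 20_000_000),
    ScannedPolicy("P-003", "residual", False, 5_000_000),
    ScannedPolicy("P-004", "high_confidence", True, 8_000_000),
    ScannedPolicy("P-005", "residual", False, 12_000_000),
]
SCENARIOS = {"moderate": 0.02, "severe": 0.10}   # loss factor per severity tier
HOLDOUT_ERROR_RATE = 0.05                        # assumed, from holdout validation

if __name__ == "__main__":
    for name, factor in SCENARIOS.items():
        low, point, high = pml_range(BOOK, factor, HOLDOUT_ERROR_RATE)
        print(f"{name:9s} low={low:>12,.0f} point={point:>12,.0f} high={high:>12,.0f}")
    print("review first:", review_queue(BOOK))
```

On this sample book the gap between the point estimate and the high bound comes almost entirely from the residual stratum, which is why the review queue is ordered by limit.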
The treaty reinsurance implication is direct. At the April 2026 renewal, non-proportional affirmative cyber reinsurance rates fell 32% on a risk-adjusted basis (Gallagher Re, April 2026). That rate decline makes buying reinsurance for explicitly affirmative cyber exposure cheaper than at any point in recent history. A carrier that has converted its silent exposure to explicitly affirmative exposure through the ISO CP 10 76 endorsement route can now buy reinsurance coverage for that exposure at soft-market rates. A carrier that has not completed the scanning exercise does not know what it has and therefore cannot design the program.
The carrier that can show its reinsurance broker a portfolio-level silent cyber PML derived from scanning data, broken down by policy class, endorsement status, and scenario severity, can also have a precise conversation about whether that PML should sit inside or outside the affirmative cyber treaty. Carriers without that analysis are negotiating blind, which tends to resolve against the cedant in pricing discussions.
The Actuarial Certification Challenge
The signing actuary certifying an aggregate cat model for financial statement or regulatory purposes faces a scope determination: what risks are in scope, and what risks are explicitly excluded? For hurricane and earthquake, the scope is usually clear. For cyber, it has never been clear because silent cyber has never been measured.
Two scenarios now create a certification issue. In the first, the carrier has completed a wording scan and the silent cyber PML is material. If the signing actuary knows this and the cat model excludes silent cyber, the certification should include a scope limitation disclosure. The model covers affirmative cyber accumulation risk but excludes the silent cyber component, which has been estimated at [X] through wording analysis. That disclosure is a factual representation of the model's scope, not a deficiency finding, but it requires the actuary to have the wording analysis results in hand.
In the second scenario, the carrier has included AI-generated silent cyber PML estimates in the cat model inputs. The signing actuary must now attest to the reasonableness of the model, which means understanding the classification methodology well enough to assess whether the NLP accuracy is sufficient for the purpose. This is a different validation exercise from reviewing the cat model's loss functions or the reinsurance treaty structure. It requires understanding the training data for the classification engine, the taxonomy of cyber coverage benchmarks used, the handling of ambiguous wordings, and the error rate in the high-confidence stratum. None of this is standard cat model validation practice, which is why the certification challenge is genuine rather than theoretical.
The American Academy of Actuaries Cyber Risk Task Force has addressed the general challenge of cyber risk quantification for actuaries, noting that the line requires special consideration given data limitations, concentration risk, and the evolving regulatory environment (Academy of Actuaries Cyber Risk Toolkit, 2025). Silent cyber scanning intersects all three: the data is generated by AI tools with documented accuracy constraints, the concentration risk is the entire point of the exercise, and Lloyd's and ISO regulatory mandates have transformed it from a theoretical concern to a compliance requirement.
Actuaries working in this space should establish a validation framework for any AI-generated wording classification that feeds into a cat model or financial statement. That framework should address, at minimum: the benchmark taxonomy used and whether it reflects current ISO and LMA model language, the error rate in the high-confidence classification stratum and whether it has been validated on a holdout sample, the protocol for ambiguous-wording adjudication and whether the volume of residual manual review is documented, and the version control for the classification engine, since model updates can change prior classifications retroactively.
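Two of the checks listed above, the holdout error rate and drift between engine versions, sketched as an added example that is not from the article or any classification vendor. The function names, the 5 percent tolerance, and the holdout and version data are constructed assumptions; the Wilson score interval is one common choice for bounding a proportion, not a method the article prescribes.

```python
import math


def wilson_upper(errors, n, z=1.96):
    """Upper end of the Wilson score interval for an error proportion."""
    if n <= 0:
        raise ValueError("holdout sample is empty")
    p = errors / n
    denom = 1.0 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre + half


def holdout_check(pairs, tolerance):
    """pairs: (classifier_label, adjudicated_label) for high-confidence policies.

    Passes only if the upper bound on the error rate, not just the observed
    rate, is within the tolerance chosen for the model's purpose.
    """
    n = len(pairs)
    errors = sum(1 for predicted, truth in pairs if predicted != truth)
    upper = wilson_upper(errors, n)
    return {"n": n, "errors": errors, "observed": errors / n,
            "upper95": upper, "passes": upper <= tolerance}


def reclassified(previous, current):
    """Policies whose label differs between two engine versions."""
    changes = []
    for policy_id in sorted(previous):
        old, new = previous[policy_id], current.get(policy_id, "missing")
        if old != new:
            changes.append((policy_id, old, new))
    return changes


# Constructed holdout: 400 manually adjudicated policies, 12 disagreements.
HOLDOUT = [("excluded", "excluded")] * 388 + [("excluded", "affirmed")] * 12
# Constructed label snapshots from two engine versions.
V1 = {"P-001": "excluded", "P-002": "ambiguous", "P-003": "affirmed"}
V2 = {"P-001": "excluded", "P-002": "excluded"}

if __name__ == "__main__":
    result = holdout_check(HOLDOUT, tolerance=0.05)
    print(result)   # observed 3% is under tolerance, the 95% upper bound is not
    print(reclassified(V1, V2))
```

A holdout with zero observed errors still yields a non-zero upper bound, so sample size belongs in the validation section alongside the error rate itself.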
The CP 10 75 versus CP 10 76 Decision Point
The ISO endorsement choice is not just a coverage decision. It is a pricing and reserving decision with actuarial certification consequences.
CP 10 75 12 20 is a clean cyber incident exclusion. The endorsement excludes "loss or damage caused directly or indirectly by a cyber incident," and the exclusion applies regardless of other contributing causes. A carrier attaching CP 10 75 to all commercial property policies has made a definitive scope decision: cyber incidents do not trigger property coverage. The actuarial consequence is that silent cyber PML is zero on CP 10 75 accounts, subject to the residual interpretive risk from novel wordings. The underwriting consequence is that the carrier needs an alternative product to offer insureds who want cyber-triggered property coverage.
CP 10 76 12 20 adds ensuing cause exceptions. The endorsement excludes cyber-caused losses but restores coverage for specified physical causes that a cyber incident triggers: if a ransomware attack causes an industrial control system to fail, which causes a fire, the fire damage is covered even though the initiating cause was cyber. The exception mirrors the ensuing loss doctrine courts have applied under pre-endorsement wordings. A carrier attaching CP 10 76 has explicitly priced the ensuing physical damage path and needs an actuarially credible loss cost for it.
AI scanning data provides the exposure base for that loss cost calculation. The scanning output identifies which policies carry the ensuing cause exception, what property values are at risk at those accounts, and what the distribution of industrial control system or technology-dependent operations looks like across the book. Without scanning, the actuary is estimating an ensuing-cause loss cost against an unknown exposure denominator. With scanning, the denominator is explicit and the loss cost calculation is a conventional severity application problem.
The choice between the two endorsements also affects how reinsurance treaties respond. A strict CP 10 75 book has lower silent cyber aggregation exposure but loses premium from insureds who need the ensuing cause path. A CP 10 76 book retains premium but needs the silent cyber PML priced into the treaty structure. AI scanning is the mechanism that makes the CP 10 76 path actuarially tractable at portfolio scale.
Reinsurance Submission Quality Is Becoming a Differentiator
Treaty reinsurers managing their own accumulated cyber exposure across cedant books have begun asking for documentation of silent cyber scanning results as part of submission packages. The logic is straightforward: a reinsurer writing aggregate excess coverage across a cedant's commercial book needs to know whether the cedant has quantified the silent cyber component. If the cedant's cat model excludes silent cyber, the reinsurer faces a basis risk: a systemic cyber event could generate losses from the silent book that exhaust the cedant's retention and trigger the treaty, even though the treaty was priced against only the affirmative cyber PML.
Cedants who can demonstrate a scanning-based silent cyber PML estimate, with documentation of methodology, scope, and accuracy validation, earn credibility with reinsurers who are themselves trying to close the same gap across their entire portfolio of cedants. This creates a selection dynamic: carriers with mature scanning programs win better treaty terms than carriers presenting opaque cat models that exclude a material source of accumulation risk.
The global cyber insurance market reached approximately $15.3 billion in gross written premiums in 2024 (Munich Re, 2024). The affirmative cyber market is priced, rated, and actively monitored. The silent book, embedded across the much larger commercial P&C premium base estimated at well over $300 billion annually in the US alone, has been mostly invisible to cat accumulation management. AI wording analysis is the mechanism that makes the invisible book visible. The actuarial profession's role is to set the standards for what constitutes sufficient evidence to rely on that analysis for cat model certification and treaty reinsurance design.
Why This Matters for Actuaries
Pricing actuaries face a loss cost fork at the ISO endorsement choice. CP 10 76 accounts carry an ensuing physical damage exposure that needs an actuarially supported loss cost; AI scanning provides the exposure denominator for that calculation. Pricing without the denominator amounts to setting a rate on an unknown exposure base.
Reserving actuaries face a reporting lag problem. Silent cyber losses in non-cyber policies may be reported significantly later than affirmative cyber claims, because they require coverage determination before the insurer acknowledges the loss. Development triangles built on affirmative cyber experience do not capture this lag. A portfolio with significant unresolved silent cyber exposure should show a separate reserve segment, not a blended development pattern.
Cat model actuaries face the certification scope question directly. Any commercial P&C cat model that excludes silent cyber should document the exclusion explicitly. Any model that includes AI-generated silent cyber PML should include a validation section addressing classification methodology, accuracy rates, and sensitivity of the PML to the residual uncertainty in the ambiguous-wording stratum.
ERM actuaries face a correlation problem that neither affirmative cyber programs nor traditional P&C programs fully address: a systemic cyber event triggers both books simultaneously. The silent cyber component is not diversification from the affirmative book; it is additive exposure that amplifies the tail. Capital models that treat the two books as independent are miscalibrated by construction.
The Lloyd's mandate and ISO endorsement program created the compliance forcing function. AI wording scanning created the measurement tool. The actuarial profession now has to close the loop on what relying on that tool requires for certification purposes.
Further Reading
- Mythos Forces Cyber Insurers to Rethink Aggregation Risk and Underwriting Models – How correlated cyber loss scenarios require cat-style modeling approaches rather than frequency-severity frameworks.
- Cyber and AI Liability Converge Into One Digital Risk Line – How CGL AI exclusions and cyber coverage evolution are merging into a single digital risk framework with pricing implications.
- US Cyber Reinsurance Rates Drop 32% at April 2026 Renewals – The soft reinsurance market context that makes converting silent exposure to affirmative coverage economically attractive right now.
- Chubb Cyber Report Shows Large-Account Severity Doubled and Supply Chain Losses Multiplied – The severity and accumulation data that illustrates what silent cyber losses look like when they materialize.
- One Ransomware Gang Drove 40% of Cyber Claims, Skewing Loss Models – Concentration risk in affirmative cyber that parallels the silent cyber accumulation problem in non-cyber books.
Sources
- Kovrr: Announces First Fully Integrated Silent Cyber Risk Solution (Business Wire, October 2018)
- Lloyd's Market Bulletin Y5258 and Y5277: Providing Clarity for Lloyd's Customers on Coverage for Cyber Exposures (Lloyd's, 2019-2020)
- Gen Re: ISO's Cyber Incident Exclusion Endorsements (CP 10 75, CP 10 76) for Commercial Property Forms (October 2020)
- Gen Re: The CrowdStrike Incident: A Wake-Up Call for Insurers? (February 2025)
- Munich Re: Cyber Insurance Risks and Trends 2026
- Google Cloud Blog: Cytora Uses Generative AI to Assess Underwriting Risk (2024)
- Kovrr: Silent Cyber Risk Exposure and Visibility Case Study (2024)
- Reinsurance News: US Cyber Rates Drop 32% at April 1, 2026 (Gallagher Re)
- American Academy of Actuaries Cyber Risk Task Force: Global Cyber Risk Toolkit (2025)
- Guy Carpenter: Silent Cyber: No Longer Silent (July 2020)