As cyber insurance slowly moves from corporate to consumer coverage, some interestingly comprehensive policies have been introduced. One, introduced this month by AIG, puts a strong emphasis on services to prevent attacks rather than merely paying for them once they happen. We decided to dive into the fine print to see how much wiggle room the insurer gave itself.

The new policy, called Family CyberEdge, is designed as a supplement to existing homeowner’s insurance and will cost an extra $597 for $50,000 limits for each key area, consisting of cyber extortion, data restoration, crisis management and cyber bullying, with no deductibles beyond a flat $1,000 for data restoration. Bump the coverage limit up to $100,000 and the annual premium rises to $972, or go for the maximum coverage of $250,000 and the annual premium comes in at $1,723.

Those premiums, however, start to look quite reasonable when you peek into the contract and see the services covered.

For cyberbullying of a family member, for example, a year of psychiatric services is covered, along with bills from PR, digital forensic analysis and cybersecurity firms, plus lost salary if the bullied person loses a job during the first 60 days after the cyberbullying is discovered. It also covers temporary relocation of the victim and “temporary private tutoring or any increase in expense for school enrollment for you or a family member to relocate to an alternative but similar school.”

That’s not bad. (Note: The current language leaves open the possibility that cyberbullying perpetrators may also have coverage — especially if they are sued, which could be covered under the homeowner’s policy — but Jerry Hourihan, president of the AIG group that is offering this insurance, said that wasn’t the intent.)

A provision that is a bit more controversial is coverage for cyber extortion.
The policy will reimburse an insured for paying a ransom “paid by you or a family member, with our prior written consent, to terminate or end a cyber extortion threat that is harming or would otherwise result in harm to you or a family member; and the costs for a service provider to conduct an investigation to determine the cause of a cyber extortion threat.”

That’s controversial because almost all security experts strongly recommend not paying such ransoms, since it only serves to encourage more cyber extortion. Once the word spreads that AIG will cough up any cyber extortion demand for those paying for this insurance, will their customers become especially attractive targets? Will AIG end up paying an ocean of such claims?

Digging into the cyberattack coverage, AIG offers a fairly broad programming exclusion: “We do not cover any loss resulting from an error in computer programming or error in instructions to a computer.” On its own, this could open the door to rejecting almost any data attack. Is it an error in computer programming to leave the user open to a data attack? Couldn’t the argument be made that any vulnerability a cyberthief leverages is “an error in computer programming”?

Is it an “error in instructions to a computer” to set firewall protections that are not sufficiently strict?

Here’s a goodie that I would love to see CISOs use more often with enterprise security: “If requested, permit us to question you or a family member under oath at such times as may be reasonably required, about any matter relating to this insurance or you or your family member’s claim, including any inspection of any computer system. In such event, you or your family member’s statement containing your or a family member’s answers will be signed.”

Then there are the issues of trust. AIG has a list of approved partners to deal with cyberattacks, extortion threats and stolen data.
The policy requires full cooperation, or payments could be denied. “Cooperate with the service provider and us (AIG). You or a family member must permit the service provider to make calls on your or your family member’s behalf to resolve the event.”

Cooperation makes sense. But making calls on an insured’s behalf gets tricky. Is the partner merely chasing down details and asking questions? Or are they making representations on behalf of the insured? This required trust might be a bit much to ask, given that only AIG gets to vet these companies.

Then there are the preventative elements. “You have the duty to maintain security systems for the use of passwords, firewalls, and anti-virus software and the proper disposal of used hard drives or other storage media including CDs, DVD’s, modems, or other mobile drives or devices. Take action to avoid future loss, including securing any computer systems or data.”

Although I love the big-picture sound of insisting on preventative measures, this section doesn’t have any specifics. That means that it could be a blanket “get out of paying for claims” free card. Once an attack happens and forensics has determined how the attacker did the deed, it’s easy to go back and point to something that the insured could have done differently to avoid the incident.

If this were my policy, I would insist that the insurer spelled out more specifics so that I could prove compliance prior to an incident. As any PCI company knows, Visa loves to retroactively declare — after a breach — that a merchant was never properly PCI compliant based on breach details. AIG was apparently taking notes.

All in all, personal cyber insurance is a good idea. But poring over the particulars of coverage policies — before a deal is signed — is always a good idea.