The company's Corporate Identity Protection policy is targeted at businesses with revenues of up to US$100 million or those holding up to one million identities. It offers coverage for expenses such as legal liability damages, defense costs, regulatory action, notification costs and identity theft recovery services stemming from a breach.

The policy was introduced in response to growing concerns among small businesses about breach disclosure laws in multiple states that require firms to notify consumers of data compromises, said Nancy Callahan, vice president of the New York-based AIG's ID theft and fraud division.

"Our belief is that businesses have started to understand that they have this obligation to protect data," Callahan said. "They know if they do have an information breach they are going to face substantial unbudgeted expenses."

The policies start at $995 a year and go up to a "couple of thousand dollars" for coverage ranging from $250,000 to $5 million, Callahan said. Large companies can buy policies that pay up to $25 million for breach-associated costs under a separate program for bigger firms.

AIG's policy offers small and medium-sized businesses a "reasonable" way to deal with the financial fall-out from a data breach, said Khalid Kark, an analyst with Cambridge, Mass.-based Forrester Research Inc. Traditionally, such companies have balked at buying any sort of cyber insurance because of the relatively high premiums associated with such policies, he said. But concern over data breach disclosure laws and the costs of complying with them may make more companies inclined to give such policies a shot "if they think the price is reasonable," he said.