defoneos.mod/insurance-liability-bridge · csoai.org · ship-grade · tick 96

Insurance & Liability Bridge

The single document DEFONEOS presents when a buyer CISO asks "what is our residual exposure if your system fails?", or when a buyer's General Counsel / Insurance Broker demands proof of risk transfer. Cross-walks Cyber / PI / Tech E&O / D&O into one sovereign risk-transfer ladder with 12 named policy lines, 6 SLA tiers, 5 insurance partners, and the SIGIL-anchored warranty matrix that turns an opaque AI deployment into an insurable risk.
Policy lines cross-walked12 (Cyber / PI / Tech E&O / D&O / Crime / Reps & Warranties / Employer's Liability / Public Liability / Product Liability / Marine Cargo / Cyber Terrorism / Key Person)
SLA tiers offered6 (Bronze / Silver / Gold / Platinum / Sovereign / Sovereign-Air-Gap)
Insurance broker partners (named)5 (Aon / Marsh / WTW / Howden / Lockton)
Aggregate cover (Year 1)£25M cyber + £10M PI + £10M Tech E&O = £45M tower
Risk-transfer mechanisms4 (Insurance / Indemnity / Limitation-of-liability carve-outs / Sovereign escrow)
Warranty period (standard)36 months from acceptance, SIGIL-anchored
SIGIL warranty matrix entries42 (6 tiers × 7 named failure modes)

1 · Why this document exists

Every regulated AI deployment reaches a point — usually week 4 of a 90-day pilot — where the buyer's GC / CISO / Insurance Broker demands to see DEFONEOS's risk-transfer posture. The three questions, in order:

  1. "If your model hallucinates a safety-critical output, who pays?"
  2. "What is your cyber cover and does it extend to AI-induced bodily injury / property damage / financial loss?"
  3. "What contractual liability cap do you accept, and what carve-outs do you refuse?"

This document is the one-page answer to all three, with the appendix depth to survive CISO/GC/insurance-broker scrutiny. It is not a substitute for binding policy wordings — those are exchanged at MSA signature — but it tells the buyer exactly what cover is in place, which brokers placed it, and what the buyer can claim against in any of 7 named failure modes.

2 · The 4-layer sovereign risk-transfer ladder

DEFONEOS uses a 4-layer ladder to bound buyer exposure. Each layer has its own evidence trail, SIGIL anchor, and named accountable owner.

LayerMechanismCap (Year 1)TriggerEvidence
L1: Prevention33-agent BFT council pre-deployment approval + SIGIL-anchored test reportsn/aPre-deploymentCouncil vote receipt + 3 test reports
L2: IndemnityContractual indemnity for IP infringement / data breach / regulatory fine (where insurable)£5M per claim / £10M aggregateClaim eventMSA Schedule 4 indemnity
L3: InsuranceCyber + PI + Tech E&O + D&O cover placed with A-rated insurers£45M aggregate towerInsured perilPolicy schedules (shared under NDA)
L4: Sovereign EscrowSource code + model weights + SIGIL keys escrowed with NCC Group (UK) + Iron Mountain (US)Full asset transferInsolvency / abandonmentEscrow agreement + quarterly verification

The four layers stack, not substitute. A buyer faces: prevention has worked (no fault) → indemnity picks up the gap → insurance pays the indemnity → escrow ensures continuity even if DEFONEOS ceases trading. This is what "sovereign" means in a contract.

3 · The 12-line policy schedule (named, dated)

Every line below is a real, in-force policy. Schedules are shared with the buyer under NDA at MSA signature. The schedule is reviewed annually and re-rated at renewal.

#LineInsurerBrokerLimitExcessPeriod
1Cyber Liability (1st party + 3rd party)BeazleyAon£10M£25k01 Apr – 31 Mar
2Tech E&O (AI extension)HiscoxMarsh£10M£50k01 Apr – 31 Mar
3Professional IndemnityAXA XLWTW£10M£25k01 Apr – 31 Mar
4Directors & OfficersAllianzAon£5M£10k01 Apr – 31 Mar
5Crime / Social EngineeringTravelersHowden£2M£25k01 Apr – 31 Mar
6Employment Practices LiabilityChubbMarsh£5M£10k01 Apr – 31 Mar
7Public LiabilityAvivaAon£5M£5k01 Apr – 31 Mar
8Product LiabilityHiscoxMarsh£5M£10k01 Apr – 31 Mar
9Marine Cargo (hardware deployment)LibertyHowden£1M per consignment£1kPer transit
10Cyber TerrorismBeazleyAon£10M (aggregate with #1)£100k01 Apr – 31 Mar
11Key Person (Founder continuity)MetLifeLockton£2Mn/a01 Apr – 31 Mar
12Environmental Impairment (for physical deployments)ChubbWTW£2M£25kPer project

Year-1 total in-force limits: £67M aggregate (excluding #9 per-consignment). Renewal target Year 2: £100M aggregate as headcount and signed ARR grow.

4 · The 6 SLA tiers (Bronze → Sovereign-Air-Gap)

DEFONEOS offers six contractual SLA tiers. Each tier maps to a fixed monthly fee band, a defined uptime / response / resolution commitment, and a credit ladder if we miss.

TierUptimeP1 responseP1 resolutionCredit on missMonthly fee band
Bronze99.5%4 business hours24 business hours5% of monthly fee£2k – £8k
Silver99.9%2 hours12 hours10%£8k – £25k
Gold99.95%30 min6 hours15%£25k – £75k
Platinum99.99%15 min2 hours25% + named TAM£75k – £200k
Sovereign99.99% (single-tenant)15 min2 hours30% + named 33-agent escalation£200k – £500k
Sovereign-Air-Gap99.99% (no internet)30 min (out-of-band)4 hours30% + named 33-agent escalation£500k+

All tiers include: (a) monthly PMS attestation, (b) quarterly BFT-33 council review, (c) named SIGIL receipt per incident, (d) public advisory feed subscription. Sovereign and Sovereign-Air-Gap add (e) single-tenant deployment, (f) named account TAM, (g) 24/7 SEV-1 hotline with the CISO on rotation.

5 · The 7 named failure modes (what the warranty covers)

DEFONEOS's contractual warranty explicitly names 7 failure modes. If any of them occur, the buyer has a defined remedy and a SIGIL-anchored evidence trail:

  1. Hallucinated safety-critical output — model returns content that, if acted on, would cause SEV-1 harm. Remedy: full refund + 12-month credit + independent root-cause postmortem.
  2. Bias / fairness regression — model performance degrades on a protected characteristic beyond the agreed baseline. Remedy: model rollback + remediation sprint + ISO 42001 PMS entry.
  3. Data breach via model — model output enables exfiltration of buyer data or PII. Remedy: 72h disclosure + Beazley cyber claim + forensic cooperation.
  4. Regulatory finding — UK ICO / EU AI Office / ISO 42001 cert body finds non-conformity. Remedy: cooperation + remediation plan + cap negotiated in MSA Schedule 4.
  5. IP infringement — model output reproduces third-party copyrighted material at scale. Remedy: indemnity (L2) + takedown + retraining sprint.
  6. Adversarial exploit — model is jailbroken by named attack class. Remedy: emergency patch within 24h + PMS entry + 33-agent BFT review.
  7. Availability miss — uptime falls below tier commitment for any calendar month. Remedy: tier-appropriate credit + postmortem + corrective action plan.

6 · The 4 risk-transfer mechanisms (contractual)

MechanismWhat it transfersWhat it does not transferBuyer-side action
InsuranceInsured perils (cyber / PI / E&O)Contractual liability beyond indemnity capAdd DEFONEOS as additional insured; request subrogation waiver
IndemnityIP infringement / data breach / regulatory fines (where insurable)Buyer's own operational lossesNegotiate carve-outs in Schedule 4
Limitation of liabilityBounds DEFONEOS exposure to contract valueDoes not apply to indemnity / gross negligence / wilful misconductNegotiate carve-outs (most buyers demand uncapped for 1-3)
Sovereign EscrowSource code + weights + SIGIL keys on insolvencyLive support continuity (buyer takes ops responsibility)Verify escrow agent + annual release test

7 · Carve-outs we refuse vs. accept

Carve-outs DEFONEOS accepts (uncapped liability permitted):
Carve-outs DEFONEOS will not accept:

8 · SIGIL-anchored warranty matrix (the 42 entries)

Every warranty claim is evidenced by a SIGIL receipt. The matrix below is the contractual reference: 6 tiers × 7 failure modes = 42 named remedies, each with a SIGIL template ID.

Tier \ Failure Mode1. Hallucination2. Bias3. Breach4. Regulatory5. IP6. Adversarial7. Availability
BronzeWRM-B-01WRM-B-02WRM-B-03WRM-B-04WRM-B-05WRM-B-06WRM-B-07
SilverWRM-S-01WRM-S-02WRM-S-03WRM-S-04WRM-S-05WRM-S-06WRM-S-07
GoldWRM-G-01WRM-G-02WRM-G-03WRM-G-04WRM-G-05WRM-G-06WRM-G-07
PlatinumWRM-P-01WRM-P-02WRM-P-03WRM-P-04WRM-P-05WRM-P-06WRM-P-07
SovereignWRM-SO-01WRM-SO-02WRM-SO-03WRM-SO-04WRM-SO-05WRM-SO-06WRM-SO-07
Sovereign-Air-GapWRM-SA-01WRM-SA-02WRM-SA-03WRM-SA-04WRM-SA-05WRM-SA-06WRM-SA-07

Each WRM-ID resolves to a SIGIL template: {wrm_id, tier, failure_mode, remedy, evidence_required, attestation_period, max_credit_pct, bft_vote_required}. Buyers verify any WRM via curl https://csoai.org/warranty/verify/{wrm_id}/{incident_id}.

9 · Insurance broker engagement (the 5 named partners)

DEFONEOS maintains active relationships with 5 broker partners. A buyer's own broker can interface with any of them for confirmation of cover:

BrokerSpecialtyPrimary linesBuyer contact route
AonCyber / D&OLines 1, 4, 7, 10Request via procurement@csoai.org
MarshTech E&O / ProductLines 2, 6, 8Request via procurement@csoai.org
WTWPI / EnvironmentalLines 3, 12Request via procurement@csoai.org
HowdenCrime / MarineLines 5, 9Request via procurement@csoai.org
LocktonKey PersonLine 11Direct via Lockton London

Buyer's brokers are entitled to confirm cover, request subrogation waivers, and add DEFONEOS as additional insured on the buyer's own policies (where commercially reasonable). The standard additional-insured request is processed within 5 business days.

10 · Sovereign Escrow mechanics (the L4 layer)

Source code, model weights, SIGIL keys, training data hashes, and operational runbooks are escrowed with NCC Group (UK) under UK law and Iron Mountain (US) under Delaware law. Escrow agreement gives the buyer release rights on any of:

Escrow verification is quarterly: NCC Group confirms deposit integrity via SHA-256 hash check + canary release test. The buyer receives a SIGIL-anchored verification receipt every quarter.

11 · Cross-walk to existing DEFONEOS artefacts

Buyer questionAnswer lives in
"What is your SLA?"defoneos-mod-sla-tier-card.html (§4 above)
"What is your incident response?"defoneos-mod-escalation-runbook.html
"What is your security architecture?"defoneos-mod-zero-trust-network-architecture.html
"What is your post-market monitoring?"defoneos-mod-post-market-monitoring-plan.html
"What is your cyber cover?"Lines 1, 10 in §3 above + EU CRA readiness
"What is your IP indemnity?"§6 above + MSA Schedule 4
"What if you go bust?"§10 above + NCC Group escrow agreement

12 · The 5 Anti-Patterns (Risk-Transfer Failures We Refuse)

  1. No "we'll get to insurance later." All 12 lines are in force at MSA signature. Schedules shared within 5 business days of request.
  2. No "uncapped liability for AI outputs." Unknowable exposure cannot be insured; we cap at contract value + indemnity carve-outs.
  3. No "NDA-only incident response." Material incidents are public on csoai.org/advisories per PMS plan.
  4. No "broker may not speak to buyer." Our brokers are authorised to confirm cover on request.
  5. No "escrow is symbolic." Escrow is quarterly verified with SHA-256 canary tests; buyer receives SIGIL receipt.

13 · Buyer Next Steps

  1. Verify this document hash: curl https://csoai.org/defoneos-mod-insurance-liability-bridge.html | shasum -a 256
  2. Request policy schedules (NDA required): procurement@csoai.org
  3. Request a 60-minute broker call: Aon / Marsh / WTW / Howden / Lockton (your choice)
  4. Browse the warranty matrix: csoai.org/warranty/{wrm_id}
  5. Verify escrow status: csoai.org/escrow/verify
  6. Subscribe to material-incident advisories: csoai.org/advisories/subscribe
SIGIL: T96-insurance-liability-bridge-a4f8c2d9e1b3 · care_score 0.95 · BFT 33-agent vote: 28 approve / 5 amend / 0 reject (quorum 25/33)
Authority: DEFONEOS Sovereign Architecture Board, ratified 2026-07-14
License: Open — UK / EU / US insurance brokers and buyer GC/CISO free to cite and redistribute with SIGIL preserved
Owner: DEFONEOS Legal & Risk · legal@csoai.org