A certificate of insurance can look straightforward, but vendor onboarding problems often start when a business treats the certificate as a complete coverage review. This guide gives you a practical, reusable checklist for reviewing a vendor’s certificate of insurance, spotting missing details, and knowing when to ask for endorsements, policy copies, or clarification before work begins.
Overview
If your company hires contractors, consultants, technology providers, maintenance firms, event vendors, or other third parties, you will probably collect a certificate of insurance at some point. A certificate of insurance, often called a COI or business insurance certificate, is usually a summary document that shows certain policies, limits, policy dates, and insurer information. It can help confirm that a vendor carries insurance, but it does not replace the policy itself.
That distinction matters. Many teams collect COIs as a box-checking step in procurement or compliance, then move on too quickly. The result is familiar: the named insured does not match the contract, the policy expires before the project ends, the certificate lists general liability but not professional liability insurance, or the required additional insured wording is missing. In higher-risk relationships, especially with SaaS vendors, IT consultants, and firms handling sensitive data, a quick glance at a COI is rarely enough.
A better approach is to treat the certificate of insurance vendor review as part of a broader vendor risk process. The COI should help you answer a few core questions:
- Is this the correct insured entity?
- Do the listed policies match the services the vendor will perform?
- Are the limits and effective dates aligned with the contract?
- Are required endorsements actually in place, or just assumed?
- Do you need the full policy, declarations page, or endorsement copies before approving the vendor?
For many businesses, this review sits at the intersection of operations, legal, finance, IT, and risk management. It is especially important when contractual insurance requirements are specific, when the vendor will access your systems or customer data, or when the vendor’s work could create a professional liability, cyber insurance, or business interruption exposure.
One useful rule is simple: a COI confirms what is presented on the certificate, but your contract should define what you require, and endorsements should confirm special status or wording. If those three things do not line up, pause approval until they do.
Checklist by scenario
Use the checklist below as a practical starting point. Different vendor categories create different risks, so the right review depends on what the vendor actually does.
1. Baseline COI checklist for any vendor
Before you review limits or endorsements, confirm the basics. This is the fastest way to catch avoidable errors.
- Named insured: Confirm the legal entity on the certificate matches the legal entity in your contract, statement of work, or purchase order. Trade names and parent-company names can create confusion.
- Certificate holder: Make sure your organization is listed correctly, including the proper legal name and address if your process requires it.
- Policy types shown: Check whether the certificate lists the coverage types your contract requires, such as general liability, workers’ compensation, commercial auto, professional liability insurance, cyber insurance, or umbrella/excess liability.
- Policy numbers: Confirm each listed policy includes an identifier. Missing details can make later validation more difficult.
- Effective and expiration dates: Make sure coverage is active before work starts and remains active for the full contract term if that is required.
- Limits: Compare the certificate limits to the insurance requirements in your agreement. Do not assume standard limits are enough.
- Insurer information: Confirm the issuing carrier is identified on the form.
- Description of operations: Review this field for any contract-specific notes, project names, or references to additional insured status if your process relies on it.
- Authorized signature: Check that the certificate appears complete and properly issued.
If any of these basics are wrong, request a corrected certificate before moving to a deeper review.
2. Vendors working on your premises
For janitorial services, maintenance contractors, installers, event vendors, security firms, movers, or similar providers, the main concern is often bodily injury or property damage.
- Check for commercial general liability.
- Check for workers’ compensation and employer’s liability where applicable.
- If vehicles will be used on your site, check for commercial auto.
- Confirm any required additional insured status is supported by endorsement, not just casual language on the certificate.
- Check whether your contract requires waiver of subrogation or primary and noncontributory wording.
- Make sure the policy dates cover the setup period, event dates, and tear-down period if relevant.
This is where a COI checklist is particularly useful, because site-based vendors often submit standard certificates that miss project-specific contract wording.
3. SaaS vendors, IT consultants, and managed service providers
Technology vendors create a different risk profile. General liability may still matter, but it will not address every loss tied to software failures, service mistakes, or data incidents.
- Check for professional liability insurance or technology errors and omissions insurance if the vendor provides software, advice, implementation, integration, support, or technical services.
- Check for cyber insurance if the vendor handles, stores, processes, or accesses business, employee, or customer data.
- Review whether the contract asks for coverage for privacy liability, network security liability, or data breach coverage.
- Confirm the policy period aligns with the term of access to your systems or data.
- Ask whether retroactive dates or claims-made details matter for the engagement, especially for professional liability policies.
- Request endorsement copies or fuller evidence when the vendor’s work is material to your operations.
If your business relies on cloud tools or outsourced technical services, it also helps to compare your vendor review process with your own customer-facing obligations. Our related guide on Business Insurance Requirements for SaaS Contracts: What Customers Ask For can help frame those expectations. For a deeper explanation of technology-focused coverage, see Tech E&O Insurance Explained for SaaS Companies.
4. Vendors with access to sensitive data
If the vendor touches payroll data, health information, payment information, customer records, or internal credentials, your review should go beyond verifying that a cyber policy exists.
- Confirm that cyber liability insurance is not treated as optional just because the vendor is a small business; the exposure follows the data and access, not the vendor's size.
- Review whether your contract requires notification obligations, breach response services, or certain minimum cyber limits.
- Ask for more detail if the certificate simply says “cyber” without clarifying whether privacy and security exposures are covered.
- Coordinate insurance review with security review, vendor due diligence, and incident response contacts.
If you are evaluating cyber coverage in more depth, these related resources may help: Data Breach Insurance: What Costs Are Usually Covered, How to Compare Cyber Insurance Quotes for a Growing Business, and Ransomware Insurance Coverage: What Is Usually Included and Excluded.
5. Professional services vendors
Lawyers, accountants, designers, architects, engineers, consultants, and specialist advisors may need a different coverage mix from physical contractors.
- Check for professional liability insurance if the vendor provides advice, design, recommendations, or other judgment-based services.
- Do not assume general liability replaces professional liability. They address different exposures.
- Review whether the vendor is delivering reports, analysis, custom recommendations, or regulated services that could create professional claims.
- If subcontractors are involved, ask whether coverage extends appropriately and whether your contract addresses subcontracting.
This is one of the most common areas of confusion in vendor insurance requirements, especially when procurement teams focus only on standard general liability language.
What to double-check
Once the basics are in place, focus on the details most likely to create disputes later. This is where many businesses learn how to read a certificate of insurance more carefully.
The certificate is not the endorsement
If your contract requires additional insured status, waiver of subrogation, primary and noncontributory wording, or another special provision, ask for the actual endorsement or other supporting documentation where appropriate. A note in the description box may not be enough by itself for your legal or risk standard.
Claims-made coverage details
Professional liability and cyber insurance are often written on a claims-made basis. That means the timing structure differs from occurrence-based policies: a claims-made policy responds to claims first made during the policy period (and, where a retroactive date applies, only for acts on or after that date), whereas an occurrence policy responds to incidents that happen during the policy period regardless of when the claim is made. For longer projects or services with delayed loss discovery, you may need to ask follow-up questions about continuity, retroactive dates, or post-termination reporting needs. You do not have to become the vendor’s broker, but you should know when a standard COI summary leaves unanswered questions.
Aggregate versus per-occurrence limits
A certificate may show limits, but not always in a way that makes project exposure obvious. Review whether the listed amount is a per-occurrence limit, a general aggregate, a products-completed operations aggregate, or an umbrella/excess amount sitting above underlying policies. For larger or higher-risk vendors, that distinction matters.
Project term and renewal timing
A policy can be active on the day you collect the certificate and still expire halfway through the engagement. Build a process for requesting updated certificates before expiration dates, especially for annual contracts and multi-year master service agreements.
Entity mismatches and acquisition changes
Vendors change names, merge entities, spin out business units, or contract through affiliates. If the certificate shows one entity and the contract names another, do not assume they are interchangeable. Resolve the mismatch before approval.
Consistency between contract and COI request
Sometimes the issue is not the certificate but your own intake process. If your vendor request form asks only for general liability and workers’ compensation, your team may never collect cyber insurance or technology errors and omissions insurance from a vendor that clearly should carry it. Review the contract template, vendor questionnaire, and COI checklist together.
Common mistakes
The most reliable way to improve your review process is to know where businesses tend to slip. These are the errors that turn a routine document request into a compliance problem later.
- Treating every vendor the same. A caterer, a data processor, and a software integrator should not all be reviewed against the same insurance checklist.
- Accepting a COI without comparing it to the contract. The certificate should be reviewed against written vendor insurance requirements, not against memory or habit.
- Ignoring expiration dates. Insurance verification is not a one-time task for ongoing vendors.
- Confusing general liability with professional liability. This is a frequent issue with consultants, designers, technology firms, and SaaS providers.
- Assuming cyber insurance is unnecessary for smaller vendors. Risk depends more on access, data, and operational dependency than on headcount alone.
- Relying on certificate language for endorsement status. If endorsement wording matters, obtain and store the endorsement.
- Failing to document exceptions. If you knowingly accept lower limits or missing coverages, record the business reason and approval owner.
- Storing certificates without a retrieval process. COIs are only useful if procurement, legal, finance, and operations can find the current version quickly.
In practical terms, the best COI checklist is one your team can actually use under deadline pressure. It should separate low-risk vendor reviews from higher-risk exceptions, include a clear escalation path, and make room for technology-specific coverage questions where needed.
When to revisit
Your vendor insurance review process should be revisited whenever the underlying risk changes, not just when a certificate expires. A useful rhythm is to review your requirements before seasonal planning cycles, budget resets, major renewal periods, or any change in onboarding workflow or policy management tools.
Revisit your checklist when:
- You update contract templates or procurement workflows.
- You add new vendor categories, especially cloud, AI, data, or managed service providers.
- Your business starts collecting, storing, or sharing more sensitive information.
- You expand into new locations or require more on-site work.
- A claim, near miss, audit finding, or contract dispute exposes a gap.
- You adopt new policy management or vendor management software.
To keep this practical, create a short operating routine:
- Map vendor types into basic risk tiers such as on-site, professional services, software, and data-access vendors.
- Assign required coverages by tier instead of using one generic request.
- Keep a standard COI checklist with fields for entity name, dates, limits, and required endorsements.
- Set renewal reminders before policy expiration dates.
- Escalate exceptions to legal, risk, or finance when the contract and certificate do not align.
- Store documents consistently so current certificates and endorsements are easy to retrieve.
A certificate of insurance should support better decisions, not replace them. When you use a clear checklist and match the review to the vendor’s actual work, you reduce onboarding friction and improve your odds of catching gaps before they become claims issues. That is what makes this a document worth revisiting each time your vendor mix, tools, or contract standards change.