A step-by-step guide to defining coverage types, calibrating limits by risk level, and building a vendor compliance program that holds up in practice.
Minimum insurance requirements for vendors are the coverage types and dollar limits an organization specifies in contracts and onboarding documents to confirm that every vendor carries adequate insurance before and throughout an engagement.
They typically address four coverage categories: commercial general liability, workers' compensation and employers' liability, commercial auto liability, and umbrella or excess liability — each with defined per-occurrence limits, aggregate limits, and any required endorsements such as additional insured status. Without documented minimums, the contracting organization absorbs liability for losses that should have fallen on the vendor's insurer.
Risk managers, procurement teams, general contractors, and property managers establish these requirements whenever vendors, subcontractors, tenants, or suppliers perform work that creates on-site or third-party liability exposure — and certificate of insurance tracking is the process organizations use to confirm those requirements are continuously met.
Setting vendor minimum insurance requirements: a 5-step framework
Most compliance gaps don't stem from organizations having no requirements, but from requirements that are inconsistently applied, poorly calibrated, or never verified after the contract is signed. This framework addresses all three failure points.
Step 1: Classify vendors by work type and risk exposure
Before setting any dollar figures, segment your vendor pool. A vendor who ships supplies to your warehouse presents different risk than one who sends workers onto your job site or into a tenant-occupied building.
A workable classification system uses two dimensions:
- Physical access: Does the vendor work on your property, on a client's property, or entirely off-site?
- Work type: Is the work manual and physical, professional and advisory, or administrative?
The intersection of these factors determines the appropriate risk tier. On-site physical work — construction trades, facility maintenance, equipment installation — sits at the highest tier. Off-site administrative or professional services sit at the lowest. Vendors whose scope shifts between projects should be classified at the highest applicable tier for each engagement.
Step 2: Select the required coverage types
With vendors classified by risk tier, select the coverage types appropriate for each tier. Four apply to nearly all vendor categories.
Commercial general liability (CGL) covers bodily injury and property damage claims arising from the vendor's operations, products, or completed work. It's the foundational coverage for any vendor insurance program. The standard CGL policy form in the U.S. market is the ISO CG 00 01; familiarity with that form helps when reviewing certificates for coverage gaps or exclusions.
Workers' compensation and employers' liability cover the vendor's employees for work-related injuries and occupational diseases. The employers' liability component, typically listed as Coverage B, addresses lawsuits from employees whose injuries fall outside the workers' comp statute. State law governs required workers' comp limits; "statutory limits" is the correct contract language.
Commercial auto liability covers bodily injury and property damage caused by vehicles used in the vendor's operations, whether owned, hired, or non-owned. Auto coverage applies whenever a vendor drives vehicles as part of contracted work, including personal vehicles used for business purposes.
For higher-risk vendor categories, umbrella or excess liability coverage fills the gap when underlying GL, auto, and employers' liability limits may not cover a serious loss. Most construction contracts specify umbrella requirements explicitly.
Some vendor work types require coverage beyond these four:
- Professional liability (errors and omissions): Required for engineers, architects, consultants, and IT service providers
- Cyber liability: Required for vendors with access to data systems or personally identifiable information
- Pollution liability: Required for vendors working with hazardous materials, fuel systems, or environmental remediation
Step 3: Set minimum limits based on risk tier
With coverage types established, calibrate the dollar limits. The table below reflects commonly cited minimums across the industry.
Two factors most commonly justify higher limits than the standard tier:
- Contract value: Larger contracts create larger potential losses.
- Work scope and hazard level: Roofing, demolition, steel erection, and work near electrical systems carry higher injury and property damage exposure than general maintenance or landscaping. The specific work being performed — not just the vendor category — should inform the final limit determination.
- Important note: Minimum insurance requirements should be reviewed with legal counsel, an insurance broker, or a risk advisor before being added to contracts. The right limits depend on jurisdiction, industry, contract language, loss history, project scope, and the organization’s own risk tolerance.
Step 4: Document requirements in contracts and onboarding materials
Coverage and limit decisions are only enforceable when correctly documented. Two documents need to reflect your requirements: the contract and the vendor onboarding package.
In the contract or subcontract: Include an insurance requirements section listing each coverage type, minimum limits, required endorsements, and the condition that vendors provide certificates before work begins and upon each renewal. If the contract language conflicts with your onboarding document, the contract governs.
In vendor onboarding materials: Provide a written summary of your insurance requirements that vendors can share directly with their insurance agents. This reduces collection delays and helps agents issue compliant certificates on the first submission.
Two endorsements deserve specific attention because they're frequently omitted from certificates.
Additional insured endorsements extend the vendor's CGL policy to cover the contracting organization for claims arising from the vendor's work. Without it, claims against the contracting organization go to its own insurer, not the vendor's. Most construction contracts and commercial leases require additional insured status as a standard condition. Listing the contracting organization as a certificate holder is not the same as naming them as an additional insured.
Waiver of subrogation prevents the vendor's insurer from suing the contracting organization after paying a claim. Without it, a vendor's carrier retains the right to pursue the contracting organization for recovery. Waivers of subrogation are standard in construction contracts and common in commercial leasing.
Both endorsements must appear on or be attached to the certificate of insurance at submission.
Step 5: Verify certificates and monitor compliance on an ongoing basis
Certificate verification covers three checks:
- Coverage confirmation: Does the certificate list the required coverage types and limits?
- Endorsement confirmation: Does the certificate — or an attached endorsement document — confirm additional insured status, waiver of subrogation, and any other required modifications?
- Expiration tracking: When does each underlying policy expire, and what is the process for requesting renewal certificates before a lapse occurs?
A certificate collected at contract signing reflects coverage on that specific date. Policies expire, get cancelled, or change mid-term. Without an active monitoring system, coverage gaps remain invisible until a claim surfaces them. That's the failure mode documented requirements are designed to prevent.
Common mistakes when setting vendor insurance requirements
Even well-designed programs run into predictable failure points. These five account for most compliance breakdowns.
- Applying uniform minimums across all vendor types. Flat requirements applied to every vendor, regardless of work type or contract value, either burden low-risk vendors unnecessarily or leave coverage gaps where risk is highest. Risk-tiered requirements are more defensible and more practical to administer.
- Specifying only one limit on CGL policies. A requirement written as "minimum $1M in general liability" without specifying per-occurrence and aggregate limits creates a gap. A policy whose aggregate is already partially exhausted meets that requirement on paper, but may not cover the next claim.
- Collecting certificates without confirming endorsements. The ACORD 25 certificate doesn't by itself extend coverage to the contracting organization — the additional insured endorsement does. Programs that collect COIs without confirming the endorsement is in place have a coverage gap they won't discover until a claim is filed and the vendor's insurer declines to defend.
- Setting requirements and never updating them. Requirements that haven't been reviewed in several years may no longer reflect current contract values, operational scope, or loss history. An annual review, or a review triggered by contract renewal or a significant new engagement, keeps the framework current.
- Treating certificate collection as the end of the process. Collection addresses compliance at a single point in time. Ongoing monitoring addresses compliance across the entire contract term. Programs that file certificates without tracking expirations are effectively unmanaged after onboarding.
Once your vendor insurance requirements are defined, consistent enforcement is where most programs stall. COI tracking software automates certificate collection, flags non-compliant limits and missing endorsements, and monitors expirations without the manual follow-up that breaks down at scale.
Try bcs free — full platform access for up to 25 vendors, no credit card required.
Frequently asked questions
