When a vendor's insurance expires, your organization's exposure doesn't expire with it—the risk shifts to you. A lapsed certificate of insurance (COI) means that if an incident occurs while the vendor is working without active coverage, the costs that should have been transferred to the vendor's insurer may fall on your organization instead.
For property managers, general contractors, and risk teams, this can happen with everyday vendors: a snow removal contractor, maintenance provider, cleaning company, security firm, roofing subcontractor, or professional services vendor whose coverage is no longer active while work continues.
The consequences range from direct liability for workers' compensation claims and property damage to contested indemnity clauses and prolonged coverage disputes. Risk managers, compliance officers, property managers, and general contractors face this problem when vendor volumes exceed what manual tracking can reliably monitor.
COI tracking software exists specifically to close this gap—but understanding the full liability picture comes first.
These two terms describe different things, and confusing them leads to misjudged risk. An expired certificate means the ACORD 25 or similar document on file has passed its stated policy period end date. An expired policy means the underlying insurance contract is no longer in force. The two don't always coincide—and the gap between them is where most compliance programs fail.
A certificate of insurance is a point-in-time document. It reflects coverage as of the date it was issued, showing the carrier, policy number, coverage types, limits, and effective dates. It doesn't update automatically when a policy renews, when coverage is modified, or when a policy lapses mid-term.
A vendor who renewed their general liability policy in March may still have a February certificate on file in your system. That certificate is technically expired, but coverage is active. Conversely, a vendor with a current-looking certificate may have had their policy cancelled — for non-payment, underwriting reasons, or carrier changes — without any notification reaching your office.
The certificate tells you what was true when it was issued. It doesn't tell you what's true today.
A certificate showing a future expiration date doesn't confirm active coverage. Policies can be cancelled mid-term. Carriers can non-renew. A vendor's coverage can be reduced or restricted by endorsement after the certificate was issued. None of these changes appear on the document you have on file.
Organizations that focus exclusively on expiration date monitoring—without a process for mid-term verification or cancellation notice tracking—are operating with an incomplete compliance picture. The certificate looks current. The coverage may not be.
For property managers and general contractors, this is where the operational risk becomes especially difficult to see. A vendor may appear compliant in the system because a certificate is present, while the underlying policy has changed, expired, or been cancelled without the certificate holder realizing it.
When a vendor works without active insurance and an incident occurs, the financial and legal consequences fall into four categories. Each plays out differently depending on the coverage type, the contract terms, and the jurisdiction.
In most states, if a contractor or subcontractor lacks workers' compensation coverage and their employee is injured on your property or job site, the general contractor or property owner can be held liable as the statutory employer. The specific rules vary by state—some impose joint and several liability; others allow recovery only against the primary contractor.
A slip-and-fall, a repetitive stress claim, or a minor back injury can produce medical costs and wage replacement obligations that outlast the original project by years.
General liability coverage protects against third-party claims for bodily injury and property damage arising from the vendor's operations. When that coverage lapses, any claim arising from the vendor's work during the lapse period has no insurance to transfer to.
The certificate holder and additional insured endorsement—the contractual mechanism most organizations rely on—is only effective while the policy is active. An additional insured endorsement on a cancelled policy provides no coverage. If the certificate holder doesn't know the policy was cancelled, they may not discover it until they file a claim and the carrier denies it.
In practical terms, that means the vendor relationship may still exist, the contract may still be in place, and the certificate may still be sitting in your system—but the coverage mechanism you expected to rely on may not respond.
Most vendor contracts include language requiring the vendor to indemnify your organization and hold it harmless from claims arising from the vendor's work. This language is only as effective as the vendor's ability to fulfill the obligation. Insurance is the mechanism that makes indemnity language practically enforceable. Without active coverage, an indemnity clause is a contractual right that may be uncollectable.
Some jurisdictions have found that indemnity agreements can be voided or limited when the indemnitee knowingly allowed uninsured work to continue; this makes the work hold order not just a compliance step but a legal protection.
This is why vendor insurance compliance is not only a document collection process. It is a risk transfer process. The contract creates the obligation, but active insurance is what gives that obligation financial backing.
For vendors providing professional services—engineers, architects, IT contractors, consultants—professional liability (E&O) coverage is the backstop for claims arising from errors in their work. Unlike GL policies, many E&O policies are written on a claims-made basis. This means coverage must be in force both when the error occurred and when the claim is filed.
A vendor whose E&O policy lapses after completing work may have no coverage for a claim filed months or years later, even if the policy was active when the work was performed. This is why E&O tail coverage verification matters as much as active policy monitoring.
For organizations that rely on design professionals, consultants, technology vendors, or other professional service providers, E&O lapses can create delayed exposure. The problem may not appear when the work is performed. It may surface months later, when a claim is filed and the vendor no longer has active coverage.
A COI compliance gap occurs when a certificate on file no longer reflects the vendor's actual coverage—due to a mid-term cancellation, policy modification, or unreturned renewal. These gaps are frequently invisible: the certificate looks current, but the coverage it represents has changed.
Certificate expirations are easy to calendar. What's harder to track: policies that renew on different schedules than the certificates on file; mid-term cancellations that generate no automatic notification to certificate holders; vendor consolidations, carrier changes, or policy modifications that render the existing certificate inaccurate; and certificates collected at project start but never re-verified during multi-year engagements.
The ACORD 25 form includes a field for cancellation notice to certificate holders—typically 30 days. This notice is issued by the carrier and depends on the carrier having accurate certificate holder information on file.
That means a certificate holder should not assume that a cancellation notice will always arrive, or that the absence of a notice confirms active coverage. Continuous monitoring still matters because the document in your system may not reflect the vendor's real-time insurance status.
Spreadsheet-based tracking monitors what was collected, not what's currently active. A compliance manager can build a calendar of expiration dates and set reminders. Confirming that coverage is still active at any given moment requires contacting the vendor, requesting a new certificate, and waiting for the carrier to issue one.
The typical renewal cycle creates a window of several days to several weeks where a vendor's old certificate has expired and the new one hasn't been received. During that window, the vendor may continue working and the compliance record shows an expired certificate. At low vendor volumes, manual follow-up can close this window reliably.
At higher volumes, multiple vendors may be in this unconfirmed state simultaneously—a function of monitoring capacity, not intent.
This is the point where manual COI tracking often stops being a workflow problem and becomes a risk management problem. The team may know what needs to happen, but the volume of renewal dates, follow-ups, document reviews, and exception handling makes consistent execution difficult.
Discovering an expired or lapsed certificate is a three-step problem: contain the immediate exposure, document the situation, and restore compliance before work resumes.
When a lapse is confirmed, the sequence matters:
The sequence above applies whether the lapse is one day old or one month old. The length of the gap affects the exposure. It doesn't change the protocol.
The same response applies when the issue involves a vendor, subcontractor, tenant contractor, or professional services provider. If active coverage cannot be confirmed, work should not continue until the coverage gap has been resolved and documented.
Every communication related to a vendor lapse should be in writing and timestamped. The record should include:
This documentation establishes your organization's response timeline, which matters significantly if a claim arises that could be associated with the lapse period.
A work hold order should be issued anytime coverage can't be confirmed as active. This includes expired certificates, certificates in the renewal window where a current certificate hasn't been received, and any situation where the carrier or vendor has indicated a change in coverage status.
Hold orders are a standard compliance mechanism. The friction of issuing and resolving one is substantially less than the exposure created by allowing unconfirmed work to continue.
A hold order does not necessarily mean the vendor is uninsured. It means your organization cannot verify that the required coverage is active. That distinction matters because it allows teams to act quickly without overstating what has been confirmed.
Even organizations with documented compliance programs make predictable errors in how they identify, respond to, and prevent lapses. These are the most common ones.
Treating an expired certificate as a confirmed lapse—or vice versa. An expired certificate date doesn't mean the underlying policy has lapsed; the policy may have renewed without a new certificate being issued. The reverse is equally true: a certificate showing a future date doesn't confirm active coverage. Verification requires checking policy status directly—not reading the certificate date and stopping there.
Allowing work to continue during the renewal window. The period between a certificate's expiration date and receipt of a verified replacement is not a grace period. Coverage status is unconfirmed. Standard practice is to pause work until the new certificate is received and meets contract requirements. The discomfort of a brief work hold is preferable to the liability exposure of unconfirmed coverage.
Treating certificate collection as an ongoing compliance program. Collecting certificates at project start is the beginning of a compliance process, not the process itself. Organizations that collect thoroughly at onboarding and then don't monitor expirations or mid-term changes are exposed to every lapse that occurs after collection, which is most of them.
Applying the same response to all coverage types. A lapsed general liability policy and a lapsed E&O policy require different responses. For GL, the concern is active incidents during the lapse. For claims-made E&O, the concern extends to claims filed after the lapse—even for work that was completed while coverage was active. Knowing which coverage type has lapsed changes how the situation should be documented and escalated.
Delaying the work hold order while waiting for more information. The instinct to confirm the lapse is real before stopping work is understandable. It's also a documented source of additional exposure. Issue the hold order immediately, then investigate. The documentation of a timely hold order is far more useful than a delayed one issued after the facts are fully established.
Assuming the vendor will notify you when coverage changes. Vendors may not realize they need to send an updated certificate after a renewal, carrier change, endorsement change, cancellation, or reinstatement. A reliable COI compliance process does not depend on vendors initiating every update.
Using the same tolerance for every vendor. A low-risk administrative vendor and a high-risk subcontractor performing physical work on-site do not create the same exposure. Your escalation rules should account for the type of work, the required coverage, and the operational consequences of allowing work to continue without verified insurance.
Prevention is a monitoring problem, not a collection problem. Most organizations collect certificates adequately at project start. The failure point is ongoing monitoring—the period between initial collection and the end of the vendor relationship.
A certificate approaching expiration needs to be flagged before it expires. Best practice is to begin renewal outreach at 60 days before expiration, with follow-up at 30, 15, and 7 days. This provides enough runway to request the certificate, give the vendor time to contact their carrier, and receive and verify the new certificate before the old one lapses.
For vendors with annual renewal cycles, this means the monitoring process for any given certificate is essentially continuous; by the time one renewal is processed, the next cycle's outreach window is approaching.
Automated renewal reminders triggered by expiration dates remove the human memory dependency that causes most lapses. Sending a reminder at 60 days doesn't guarantee renewal by expiration, but it creates a documented record of outreach and gives the vendor adequate time to respond.
Re-verification is equally important. Receiving a new certificate isn't the same as confirming it meets requirements. The certificate should be reviewed against contract specifications: coverage types, per-occurrence and aggregate limits, endorsements, additional insured status, waiver of subrogation, and effective dates. A certificate that shows active coverage but fails to meet a contractual requirement is a compliance gap that looks like compliance.
A systemic compliance approach has five structural elements:
As the vendor list grows, the maintenance burden grows proportionally—and the error rate follows.
Vendor insurance lapse exposure is a monitoring problem. Once you understand where the gaps form—stale certificates, missed renewal windows, mid-term cancellations that go unnoticed—the solution is a continuous monitoring process, not a one-time collection event.
bcs COI tracking software automates the monitoring, verification, and renewal outreach process that manual tracking can't sustain at scale. Premium features are free for up to 25 vendors — no credit card required, no time limit.