One of the most common vendor compliance mistakes is applying the same COI requirements to every vendor regardless of what they do. A software consultant and a commercial cleaning company present fundamentally different risk profiles. Your insurance requirements should reflect that.
This guide covers how to set appropriate COI requirements by vendor type and industry, and the coverage minimums commonly required in each category.
Why Coverage Minimums Matter
A COI that shows some coverage is not automatically a compliant COI. The coverage must be sufficient to cover the actual risk that vendor represents to your organization.
If you require $1M general liability and a vendor provides a COI showing $500K, that COI does not satisfy your requirement — regardless of the expiration date or the insured name. Your requirements need to be specific about coverage type and limit.
Standard Coverage Requirements by Vendor Type
General Business Service Vendors
(Consultants, advisors, marketing agencies, technology contractors — no physical presence at your site)
Minimum requirements:
- General Liability: $1,000,000 per occurrence / $2,000,000 aggregate
- Professional Liability / E&O: $1,000,000 per claim (for service providers)
- Workers' Compensation: Statutory limits (if they have employees)
On-Site Service Vendors
(Facilities management, cleaning services, maintenance, catering, security)
Minimum requirements:
- General Liability: $1,000,000 per occurrence / $2,000,000 aggregate
- Workers' Compensation: Statutory limits
- Employer's Liability: $500,000 per occurrence
- Your company listed as additional insured
Construction and Trades
(General contractors, subcontractors, electricians, plumbers, HVAC, structural work)
Minimum requirements:
- General Liability: $1,000,000 per occurrence / $2,000,000 aggregate
- Workers' Compensation: Statutory limits
- Employer's Liability: $1,000,000 per occurrence
- Commercial Auto: $1,000,000 combined single limit (if vehicles used)
- Umbrella/Excess: $5,000,000 — for higher-risk work, this should be higher
- Your company listed as additional insured and certificate holder
Technology Vendors with Data Access
(SaaS vendors, data processors, cloud infrastructure, managed security providers)
Minimum requirements:
- General Liability: $1,000,000 per occurrence / $2,000,000 aggregate
- Professional Liability / E&O: $2,000,000 per claim
- Cyber Liability: $1,000,000 per occurrence (critical for vendors with data access)
- Workers' Compensation: Statutory limits
Healthcare Vendors
(Staffing agencies, medical equipment providers, clinical service providers)
Minimum requirements:
- General Liability: $1,000,000 per occurrence / $2,000,000 aggregate
- Professional Liability / Medical Malpractice: $1,000,000 per occurrence / $3,000,000 aggregate
- Workers' Compensation: Statutory limits
- Employer's Liability: $500,000 per occurrence
Financial Services Vendors
(Payroll processors, accounting firms, financial consultants, lenders)
Minimum requirements:
- General Liability: $1,000,000 per occurrence / $2,000,000 aggregate
- Professional Liability / E&O: $2,000,000 per claim
- Cyber Liability: $2,000,000 per occurrence (for those with financial data access)
- Crime/Fidelity Bond: $500,000 (for those handling funds)
Customizing Requirements for Your Risk Profile
These are starting points, not mandates. Your actual requirements should be calibrated to:
- Your contract value with the vendor. Higher-value contracts justify higher insurance requirements. If a vendor failure could cost you $5M, requiring $1M in professional liability is inadequate.
- The vendor's exposure on your premises. A vendor doing one day of work in your lobby needs less coverage than a vendor doing six months of construction on your building.
- Your industry's norms. Some industries have established insurance requirements that carry weight — construction is heavily standardized, for example. Align with your industry where standards exist.
- Your own liability exposure. Your required limits should be sufficient to cover claims that could be made against you arising from the vendor's work.
What to Do When a Vendor Cannot Meet Your Requirements
Some vendors — particularly smaller sole proprietors and very small businesses — may be unable to obtain coverage at your required limits. You have several options:
- Require the vendor to obtain a certificate of insurance that meets your requirements. This is the right answer for significant vendor relationships. If they cannot get the coverage, that is relevant information about their size and risk profile.
- Adjust requirements proportionally for smaller vendors. If the engagement is low-risk and low-value, accepting lower limits is a risk decision you can make explicitly rather than by accident.
- Document the exception. If you accept a vendor with coverage below your stated requirements, document that you made this decision intentionally, the reason for the exception, and the compensating controls in place.
- Require vendor indemnification. Contractually require the vendor to indemnify you for losses arising from their work. This does not replace insurance — an uninsured vendor cannot pay a large indemnification claim — but it creates a contractual record of liability allocation.