Due Diligence

Third-Party Insurance Basics and Understanding Insurance Documents

By: Hilary Jewhurst on April 16 2024

6 min read

One often overlooked way to manage risks when working with your third-party vendors is by making sure your vendors have the necessary insurance coverage. To validate your third-party vendor’s insurance coverage, it's a common practice to ask for and review a copy of their certificate of insurance (COI), but what do you do once you’ve received the COI? To make sense of it and ensure that it's valid, it's useful to understand some basic terminology and types of policies.

Third-Party Insurance Terminology to Know

Certificate of Insurance – The vendor’s COI summarizes the insurance policies and their limitations. It includes policy details such as coverage types, limits, provider, policy number, named insured(s), and effective periods. COIs are not the insurance contract between the insurer and the insured.
Policyholders – The policyholder who purchases insurance is the named insured on the policy and the COI.
Certificate Holder – Many organizations require a COI to validate vendor insurance coverage. However, being a certificate holder only allows you to view policy details and doesn’t grant any rights. The policy doesn’t cover your organization and you won’t be notified of any changes or cancellations.
Additional Insured – In some cases, you may want your organization named as an additional insured party. Vendors can extend their liability coverage to other parties, like clients, lenders, and joint-venture partners, by adding an additional insured endorsement to their policy.
Limits of Liability – The liability limit is the maximum amount an insurance policy will pay out.

For example: If your vendor has cyber insurance with a limit of $1 million per claim/$5 million aggregate, it means they will pay up to $1 million per claim and no more than $5 million total. If the damage exceeds $1 million per customer, the vendor or your organization will have to pay for any additional damages beyond the limit.
Indemnity – "Indemnification" or "indemnity" in a contract means one party compensates the other for losses, damages, or liabilities. This transfers the responsibility of fixing errors.

Common Types of Third-Party Vendor Insurance

Commercial insurance, also known as business insurance, protects businesses from unforeseen losses during regular operations. It covers property damage, legal liability, and employee-related risks. Umbrella policies provide additional coverage. The specific type of insurance vendors need will vary based on your industry, the vendor’s industry, and the service or product the vendor will provide.

Third-party vendors may need multiple types of insurance, including:

General Liability: Protects against injury, damage to property, and advertising injury such as slander, libel, or copyright infringement that occurred at a third party’s business.
Professional Liability or Errors and Omissions Insurance: Covers damage caused by negligence, malpractice, or errors by a third party that result in harm to a customer.
Cyber Insurance: Protects against the financial impact of cyberattacks. First party and third-party liability are subcategories.
Workers' Compensation Insurance: Covers employees who suffer from work-related injuries or illnesses. This insurance is designed to protect workers and their families from financial hardship due to medical expenses and lost wages.
Commercial Property Insurance: Protects businesses from property damage, theft, vandalism, and other types of damage.

third party insurance basics understanding insurance documents

What to Look for in a Third-Party Vendor’s Certificate of Insurance

Once you’ve received the COI from the third-party vendor, it’s important to know what to look for in the document. Here are three best practices to follow when reviewing a vendor’s COI:

Make sure the COI has been sent to your organization from the vendor’s insurer. While it’s uncommon, fraud does happen, so getting the COI directly from the insurer will help validate its authenticity.
Look for the ACORD format. The vendor’s COI will say ACORD (Association for Cooperative Operations Research and Development) on the top of the document and in the footer. ACORD is the global standards-setting body for insurance and related financial services industries. While there are other COI formats, the ACORD format is the most widely used and is the gold standard for COIs. If the COI is not in the ACORD format, you may want to review it with your organization’s insurance provider for confirmation.

From there validate that the following information is included and accurate:
- The business name in the Insured Box matches your contract
- Validate the insured address
- The insurance agent/broker contact information
- The name of the insurer(s) providing coverage
- The type of coverage
- The amount of coverage
- A policy number
- The policy’s expiration date
- A description of coverage
- COI requester name and contact information.
Pro Tip: Your organization must determine the types and amounts of coverage necessary. When it comes to choosing the right insurance policies for your vendors, it can be overwhelming to navigate through the many options available. The best way to approach this is to seek the help of a licensed insurance professional who can guide you in identifying the types of insurance and coverage amounts that your vendors should have.

You can start by reaching out to your organization's insurance carrier, as they have a good understanding of the coverage your organization has and can help identify any gaps. It's important to note that your insurance carrier will want to minimize their exposure and ensure your organization is transferring liability to the vendors, as appropriate, to reduce potential payouts.
Track COI dates. Validate insurance policy effective dates and track them, noting expiration dates. COIs are valid for one year or a specific period.

Frequently Asked Third-Party Vendor Certificate of Insurance Questions

Do you have to ask for and review every vendor COI? Whether or not you need to review every vendor COI depends on your organization’s risk appetite and resources. While reviewing vendor COIs is a best practice, some organizations feel they don’t have the resources to review COIs for every vendor. Some organizations may, for example, determine that COI reviews will only occur for moderate or high-risk vendors.

While this can save some time, keep in mind that even a low-risk vendor can cause damage to your organization, employees, facilities, and customers – not to mention your reputation. Learning how to review a COI isn’t terribly difficult, can be done quickly before finalizing the engagement, and provides assurance that your organization won’t be left holding the bag financially.
Does your organization always need to be “additional insured”? Adding an additional insured is a prudent and effective risk mitigation strategy that can help organizations avoid potential financial losses. This approach holds the party most likely to be responsible for a claim financially liable for it, rather than the organization having to file claims under its own policies.

To illustrate, imagine a hypothetical scenario where your vendor experiences a data breach, and your organization isn’t listed as an additional insured. In such a situation, an injured party like your customer may sue your organization for damages, despite the vendor being responsible for the breach. This could potentially hold your organization liable for any losses related to the breach. Therefore, it’s imperative to add an additional insured to safeguard your organization against such risks.
How often do you need to review the vendor’s COI? Reviewing the initial COI before you execute the contract and finalize the vendor engagement is essential. Keep in mind that insurance expiration dates will not necessarily correspond to your contract’s length and execution dates.

Typically, COIs are valid for one year or per a specific time period as stated on the COI. For this reason, tracking the COI is essential so you can ensure there are no lapses in the vendor’s insurance during the contract term. Remember that if the vendor’s insurance is expired and an incident occurs, your organization may bear the financial burden. Tracking the expiration date will help your organization minimize any potential financial exposure.

It’s important to review a vendor's COI before signing a contract and periodically thereafter when the COI is due to expire. Knowing the meaning of COI-related terms and the types of insurance that your vendors should have can help you quickly review and verify the validity. It’s good practice for your organization to be named as an additional insured in many cases.

Still, if you have any questions regarding being named as additional insured or any other issue related to vendor insurance, you can seek assistance from your organization's licensed insurance provider. Ultimately, ensuring your vendors have the right insurance coverage can greatly benefit your organization and provide you with peace of mind.

Infographic

Collecting a COI is an important part of the due diligence process. Learn how to do complete vendor due diligence reviews in this eBook.

how do vendor due diligence reviews complete breakdown

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo

Product

Solutions

Risk Categories

Why Venminder

Education

About

Software

Vendor Risk Assessments

Managed Services

Ongoing Monitoring

Venminder Exchange

Use Cases

Industries

Why Venminder

Sample Vendor Risk Assessments

Resources

Webinars

Community

Weekly Newsletter

Venminder Samples

State of Third-Party Risk Management 2023!