← All posts

Certificate of Insurance (COI): How to Read One, What to Require, and What It Doesn't Tell You

A certificate of insurance (COI) is proof of coverage - not a guarantee of it. Learn how to read an ACORD 25, what vendor insurance requirements to demand, and where the document's hidden gaps leave your business exposed.

Certificate of Insurance (COI): How to Read One, What to Require, and What It Doesn't Tell You

You ask a vendor for proof of insurance. They email you a one-page document. You check the policy limits, see a number that looks reasonable, and file it away. Contract signed. Work begins.

Six months later, a claim surfaces. You pull the certificate of insurance. The coverage you assumed was there isn't. The document you relied on as proof of coverage never actually guaranteed it.

This happens more often than most businesses realize. A certificate of insurance (COI) is one of the most requested documents in commercial contracting - and one of the most misunderstood. This guide walks through how to read a COI correctly, what vendor insurance requirements you should demand, what each field actually means, and where the document fails you in ways that matter.


What a Certificate of Insurance Actually Is

A certificate of insurance (COI) is a summary document - sometimes called a proof of insurance or proof of coverage. It is not a policy. It does not create, modify, or extend any coverage. It is a snapshot of coverage that existed at the moment the certificate was issued.

That distinction matters. The COI tells you what the policy looked like on a specific date. It does not tell you whether the policy is still active, whether it was amended after issuance, or whether the underlying coverage will actually respond to a claim involving your business.

Think of it as a receipt, not a contract. It confirms that insurance existed - not that it will protect you.


The Standard Form: ACORD 25

Most certificates of insurance in commercial use follow the ACORD 25 form - a standardized layout developed by the Association for Cooperative Operations Research and Development. If you have seen a COI, you have almost certainly seen an ACORD 25. It is the universal proof of insurance document across virtually every industry, from construction and manufacturing to technology and professional services.

Here is what each section of the ACORD 25 contains and what to look for.

Producer

The "producer" is the insurance broker or agent who issued the certificate. This is not the insurance carrier. If you have questions about coverage, the producer is your first contact - but their obligation runs to the named insured, not to you as the certificate holder.

Named Insured

The named insured is the business or individual whose coverage the certificate describes. Check this field carefully. The name on the certificate must match the entity you are contracting with exactly. A certificate issued to "Acme Services LLC" does not cover work performed by "Acme Services Inc." - those are legally distinct entities with separate insurance programs.

Coverage Lines and Policy Numbers

This section lists each active coverage line with its corresponding policy number, carrier name, and effective dates. Common lines you will see on a vendor's COI include:

  • Commercial general liability (CGL): covers third-party bodily injury and property damage - the most common vendor insurance requirement
  • Automobile liability: covers vehicles used in business operations
  • Workers compensation: covers employee injuries on the job
  • Umbrella or excess liability: extends limits above the underlying policies to meet higher contract requirements
  • Professional liability or errors and omissions (E&O): covers claims arising from professional services or advice
  • Cyber liability: covers data breaches and network security incidents - increasingly required in technology vendor contracts

Each line shows the policy period. If the certificate was issued today but the policy expires next month, flag it before work begins. The COI is only as current as the date it was issued.

Policy Limits

For each coverage line, the certificate shows the applicable limits. On a commercial general liability policy, you will typically see several limit types:

  • Each occurrence limit: the maximum the policy pays for a single covered event
  • General aggregate limit: the maximum the policy pays across all claims in a policy period
  • Products/completed operations aggregate: a separate aggregate that applies to claims arising from completed work
  • Personal and advertising injury limit: covers claims like defamation or copyright infringement
  • Medical expense limit: a no-fault coverage for minor injuries, typically a low dollar amount

A limit of $1,000,000 per occurrence with a $2,000,000 aggregate is standard for many mid-market businesses and contractors. Whether those limits are adequate for your specific contract is a separate question - and the certificate does not answer it.

Description of Operations

This free-text box is where the certificate gets specific to your relationship with the vendor. Additional insured status, waivers of subrogation, and primary and noncontributory language are listed here if they apply. Without this language, the certificate may offer you little direct protection even if the limits look strong.

This is the most important field on the ACORD 25. Read it carefully. A certificate with clean limits but an empty description of operations box may offer you no real protection at all.


Certificate Holder vs. Additional Insured: A Critical Distinction

This is the most widely misunderstood concept in certificate of insurance review. Certificate holder status and additional insured status are not the same thing - and confusing them can leave you entirely unprotected.

Certificate HolderAdditional Insured
What it meansYou receive notice of cancellationYou have direct rights under the policy
Created byListing your name/address in the COI headerAn endorsement attached to the underlying policy
Protection in a claimNone - purely administrativeYes - carrier defends and indemnifies you
Appears on the ACORD 25Yes, in the certificate holder boxMust be confirmed in the description of operations
Requires policy endorsementNoYes - the AI endorsement must exist on the actual policy

Many businesses receive a COI, see their name on the document, and assume they are protected. They are not - unless the description of operations specifically names them as an additional insured and the underlying endorsement exists.


The Fields That Actually Protect You

The coverage limits get the most attention. The description of operations box is where the real protection lives - or doesn't. These three provisions are what most contract requirements and vendor risk management programs are designed to secure.

Additional Insured Status

When you require a vendor to name you as an additional insured on their policy, you gain direct rights under their commercial insurance program. If their work causes a claim that comes back to you, their policy responds to your defense and indemnification - not just theirs.

Additional insured status must be endorsed onto the policy - it is not created by the certificate itself. If the ACORD 25 shows you as an additional insured but no endorsement exists on the underlying policy, the carrier is not bound. The ACORD 25 form explicitly disclaims that it confers no rights on the certificate holder. Always request the actual additional insured endorsement pages when this protection matters.

Waiver of Subrogation

Subrogation is the right of an insurance carrier to pursue a third party after paying a claim. If your vendor's carrier pays a claim and then decides you were partly responsible, they can come after you - unless a waiver of subrogation endorsement is in place.

When a waiver of subrogation is endorsed onto the policy, the carrier gives up that right. The certificate should confirm the waiver applies to you specifically. Without it, a vendor's carrier can recover from you even after you accepted their certificate as proof of coverage. This is one of the most commonly overlooked contract requirements in vendor risk management.

Primary and Noncontributory Language

If a claim involves both your commercial insurance program and your vendor's policy, which one pays first? Without primary and noncontributory language, carriers argue about contribution - and you may end up burning through your own limits on a claim that should have been the vendor's responsibility entirely.

Primary and noncontributory language requires the vendor's policy to respond first and in full before your coverage is touched. This language must appear on the certificate and exist as an endorsement on the underlying policy to be enforceable.


Vendor Insurance Requirements: What to Demand

Most businesses request a COI without specifying what the certificate must show. That is a mistake. Before onboarding any vendor, contractor, or service provider, define your minimum vendor insurance requirements in writing. Here is what to include for most commercial contracts:

Coverage TypeTypical Minimum RequirementNotes
Commercial General Liability (CGL)$1M per occurrence / $2M aggregateRequire additional insured endorsement and waiver of subrogation
Workers CompensationStatutory limitsRequired in most states for any vendor with employees on-site
Employer's Liability$1M each accidentOften paired with workers comp
Commercial Auto Liability$1M combined single limitRequired if vendor uses vehicles in the scope of work
Umbrella / Excess Liability$2M–$5M depending on contract valueConfirms limits are adequate for high-exposure engagements
Professional Liability (E&O)$1M–$2M per claimCritical for technology, consulting, and professional services vendors
Cyber Liability$1M minimumRequired if vendor handles your data or connects to your systems

These minimums are a starting point. High-risk contracts, large project values, or work involving your facilities or systems may warrant significantly higher limits. Your own commercial insurance broker can help calibrate what to require based on your specific exposure.

Beyond limits, always require: (1) your company named as additional insured on CGL and umbrella policies, (2) a waiver of subrogation in your favor, and (3) primary and noncontributory language - all confirmed in the description of operations box and backed by actual policy endorsements.


What the Certificate Does Not Tell You

This is where most businesses get into trouble. A COI looks authoritative. It carries carrier names, policy numbers, and dollar limits. But it withholds exactly the information that matters most when a claim surfaces.

It Does Not Confirm the Policy Is Still Active

A certificate reflects coverage at the time of issuance. A policy can be cancelled, lapsed for non-payment, or materially amended after the certificate is issued. The certificate holder notification requirement - typically 30 days' notice of cancellation - is often qualified with language like "endeavor to" provide notice, which creates no hard obligation on the carrier.

For projects that extend beyond a few months, re-verify proof of coverage at the policy renewal point. Do not assume the certificate you received at contract signing reflects current status.

It Does Not Show Exclusions

A policy limit of $2,000,000 means nothing if the claim you are facing falls under a policy exclusion. Certificates show limits, not exclusions. A vendor's general liability policy may exclude professional services, contractual liability, pollution, or work in certain industries. None of that appears on the COI.

This is one of the most common hidden gaps in commercial insurance - coverage that looks sufficient on paper until the claim arrives and the exclusion applies. The only way to know what is excluded is to review the actual policy or have your broker request a coverage summary.

It Does Not Confirm the Endorsement Exists

A certificate can state that you are named as an additional insured. But unless the endorsement is actually attached to the underlying policy, that statement is not binding on the carrier. The ACORD 25 form itself includes a disclaimer stating it confers no rights on the certificate holder - this is printed on every standard ACORD certificate.

If additional insured status is material to your contract, request a copy of the actual endorsement from the policy. Most carriers and brokers can issue a copy of the CG 20 10 or CG 20 37 endorsement alongside the COI. If they refuse or cannot produce it, that is a red flag.

It Does Not Show Deductibles or Self-Insured Retentions

A vendor may carry a $1,000,000 per occurrence limit with a $250,000 self-insured retention (SIR) - meaning they absorb the first $250,000 of any claim before the carrier responds. You would not know this from the COI. For large contracts with smaller vendors, a high retention can effectively eliminate the commercial insurance coverage you thought you were relying on.

The difference between a deductible and a self-insured retention matters here - an SIR requires the insured to fund defense costs directly, not just absorb a post-claim reimbursement. Ask specifically about retentions on contracts above $500,000.

It Does Not Address Claims-Made Timing

Some coverage lines - professional liability (E&O), D&O, and cyber liability - are written on a claims-made basis rather than occurrence. This means the policy in force when the claim is reported must cover the period when the act occurred. A certificate showing active coverage today does not guarantee the vendor's prior acts are covered, nor does it tell you what happens if the policy lapses.

If you are contracting with a professional services firm, technology vendor, or any business carrying claims-made coverage, ask what their retroactive date is - the earliest point in time from which the policy covers prior acts. The COI will not tell you. If the retroactive date post-dates the beginning of your relationship, you have a coverage gap.


How to Get a Certificate of Insurance

If you are a vendor being asked to provide a COI - or a business that needs one before you can start a job - here is how the process typically works:

  1. Contact your insurance broker or agent with the certificate request. You will need the certificate holder's name and address, and any specific requirements from your client (limits, additional insured language, waivers).
  2. Your broker will prepare the ACORD 25 form and issue it, typically within 24–48 hours. Many modern brokers and insurtech platforms can generate a COI within minutes.
  3. If the requesting party requires additional insured status or a waiver of subrogation, your broker must endorse those provisions onto your policy - not just note them on the certificate. This may take an extra day if underwriter approval is needed.
  4. Review the certificate before sending it. Confirm your entity name is spelled exactly as it appears on your policy, the policy dates are current, and all requested endorsements are reflected in the description of operations box.
  5. Deliver the COI along with the specific endorsement pages if they were requested.

If you are frequently asked for proof of insurance to start jobs or close vendor deals, your broker should be able to set up a process so certificates can be issued quickly whenever you need them. Delays in getting a COI issued are a common deal blocker - especially in construction, technology, and enterprise procurement.


COI Tracking: Managing Vendor Certificates Over Time

Most businesses have a vendor management problem they do not recognize as an insurance problem. They collect certificates at contract signing and never look at them again. A year later, the vendor's policy has renewed, cancelled, or materially changed - and nobody knows.

Effective COI management means tracking expiration dates, flagging gaps before they become problems, and re-verifying proof of coverage at renewal. Here is what a basic COI tracking system should do:

  • Log every vendor certificate with the issuing date, policy expiration date, and coverage lines confirmed
  • Set automated reminders 30–45 days before each vendor's policy expiration to request an updated certificate
  • Track which vendors have active additional insured endorsements and waiver of subrogation provisions
  • Flag any certificate holder notification if a vendor's policy is cancelled mid-contract
  • Document when endorsement pages were actually received - not just when the COI was filed

For businesses managing a large vendor base - construction firms, property managers, enterprises with complex supply chains - manual COI tracking creates compliance gaps. Dedicated certificate management tools, or working with a broker who provides active vendor risk management support, can eliminate the exposure.


What Most Businesses Get Wrong

Most businesses treat certificate review as a compliance checkbox. They confirm a COI exists, verify the limits meet the contract minimum, and move on. They do not check the description of operations. They do not request endorsements. They do not re-verify mid-contract. They do not ask whether any coverage lines are claims-made.

The result is a false sense of protection. The certificate gets filed. The project proceeds. And when a claim surfaces, the gaps appear - gaps that were always there, just never examined.

The certificate is a starting point, not an endpoint. Treat it as a prompt to ask the right questions, not a substitute for them.


A Practical COI Review Checklist

When you receive a certificate of insurance, work through these questions before accepting it as proof of coverage:

  • Does the named insured exactly match the contracting entity - same legal name, same entity type?
  • Are the policy effective dates current - and will they remain active through project completion?
  • Do the limits meet your vendor insurance requirements, both per occurrence and in aggregate?
  • Does the description of operations box name you specifically as an additional insured?
  • Does the certificate confirm a waiver of subrogation in your favor?
  • Does it include primary and noncontributory language?
  • Have you requested the actual endorsement pages confirming additional insured status?
  • Do you know whether any coverage lines are written on a claims-made basis - and what the retroactive date is?
  • Have you confirmed there are no unusually large deductibles or self-insured retentions?
  • Do you have a process to re-verify this COI at policy renewal?

If any answer is no or unknown, go back to the vendor before work starts. A certificate that does not satisfy your requirements is not proof of coverage - it is a document that shifts risk back to you.


The Limits of the Document

A certificate of insurance is a useful tool. It is not a reliable one on its own. It summarizes coverage without guaranteeing it. It confirms limits without disclosing exclusions. It can reflect endorsements that do not exist on the underlying policy. It shows coverage on the day it was issued and says nothing about what happens next.

The businesses that get burned are the ones that stop at the certificate. The ones that stay protected treat it as the beginning of a coverage conversation - not the end of one.

If your own commercial insurance program has gaps you have not examined closely, that is a separate problem worth addressing before a claim forces the conversation. Aiden builds a real-time risk profile using 140+ signals and performs coverage gap analysis before binding - not after. Learn more at aidenrisk.com.


FAQs

What is a certificate of insurance (COI)?

A certificate of insurance (COI) is a one-page summary document - also called proof of insurance or proof of coverage - that describes the coverage lines, policy limits, carriers, and effective dates for an insured party. It is issued on the standardized ACORD 25 form. It is not a policy and does not create or modify coverage. It reflects the state of coverage at the time of issuance only.

Does being listed as a certificate holder make me an additional insured?

No. Certificate holder status and additional insured status are fundamentally different. A certificate holder receives notice of cancellation - subject to the carrier's effort to provide it. An additional insured has direct rights under the policy and can be defended and indemnified under the vendor's commercial insurance program. Additional insured status must be endorsed onto the policy and confirmed in the description of operations box on the certificate.

What insurance limits should I require from vendors?

Most commercial vendor contracts require at minimum: $1M per occurrence / $2M aggregate commercial general liability, statutory workers compensation, $1M employer's liability, and $1M commercial auto if vehicles are used. For professional services or technology vendors, add professional liability (E&O) and cyber liability at $1M–$2M per claim. Higher-risk or higher-value contracts should require umbrella coverage of $2M–$5M or more above these primary limits.

How long is a certificate of insurance valid?

A COI is valid as of the date it was issued - it reflects coverage at that moment, not ongoing coverage. The policy period shown on the certificate indicates when the underlying policies expire, but the policy can be cancelled, modified, or allowed to lapse at any time after the certificate is issued. For long-term contracts, request a fresh certificate at each policy renewal and verify coverage mid-project for engagements exceeding six months.

Can a certificate of insurance be faked or inaccurate?

Yes. A certificate can be issued with incorrect information, and it can describe endorsements that were never added to the underlying policy. The ACORD 25 form itself states it confers no rights on the certificate holder. For high-value contracts, request the actual endorsement pages directly from the carrier or broker. If a vendor is unwilling to provide endorsement documentation, treat that as a red flag.

What does "claims-made" mean on a certificate of insurance?

Claims-made means the policy only responds to claims reported during the active policy period, for acts that occurred after the retroactive date. If a vendor's professional liability, cyber, or D&O policy is claims-made and lapses or is not renewed with tail coverage, prior acts may lose coverage entirely. The certificate shows current status but does not explain the retroactive date or tail provisions. Always ask about claims-made policies when contracting with professional services or technology vendors.

What is a waiver of subrogation and why should I require it?

Subrogation is a carrier's right to recover from a third party after paying a claim on behalf of the named insured. Without a waiver of subrogation endorsement, a vendor's carrier can pursue you for contribution even after you accepted their certificate as proof of coverage. A waiver of subrogation endorsement eliminates that right - but it must be listed on the certificate and actually endorsed onto the underlying policy to be enforceable.

Why does the description of operations box matter so much?

The description of operations box on the ACORD 25 is where additional insured designations, waivers of subrogation, and primary and noncontributory language are recorded. These provisions determine whether the vendor's commercial insurance program actually extends to protect you in a claim scenario. A certificate with strong limits but an empty description of operations box may offer you no real protection at all - you are just a certificate holder, not an additional insured.

What is the difference between a named insured and an additional insured?

The named insured is the primary policyholder - the business or individual who purchased and owns the commercial insurance policy. An additional insured is a third party who has been added to the policy by endorsement, giving them direct rights to coverage under that policy for claims arising from the named insured's work. Your vendor is the named insured; you become an additional insured when they endorse you onto their policy.

Want a risk assessment for your business?

Aiden's AI risk engine analyzes 140+ data vectors to surface coverage gaps before a claim forces the question.

Analyze Your Risk →