Vendor Insurance Requirements: Risk Transfer and Protection

  • Rhea D’Souza
  • 50 min read

When a $12 Million Ransomware Attack Revealed the Insurance Gap

Sarah Mitchell sat in the emergency board meeting, staring at the incident timeline that had unraveled her company's entire third-party risk management program. DataFlow Solutions, her cloud analytics vendor, had suffered a ransomware attack at 2:47 AM. By 6:15 AM, the attackers had encrypted production databases containing customer data for 340,000 of her company's clients. By 9:30 AM, her legal team confirmed what she'd feared: her organization faced direct liability for the breach despite the vendor being the attack vector.

"We verified their SOC 2 compliance," Sarah explained to the board. "We audited their security controls. We had a comprehensive vendor contract with security requirements and indemnification clauses. But when I called their CEO about insurance coverage, he went silent. Then he said, 'We have a $1 million cyber liability policy. Your contract required $2 million, but our broker said $1 million was industry standard for a company our size.'"

The math was devastating. DataFlow's $1 million policy had a $250,000 deductible and excluded business interruption losses. The actual costs cascaded: $3.4 million in forensic investigation and incident response, $2.8 million in customer notification and credit monitoring for 340,000 affected individuals, $4.2 million in regulatory fines from state attorneys general, $1.6 million in class action settlement costs, plus ongoing business interruption losses estimated at $400,000 per week.

DataFlow's insurance covered $750,000 after the deductible. They filed for bankruptcy protection three weeks later, leaving Sarah's company holding $11.25 million in unrecovered losses. The vendor contract's indemnification clause was worthless—you can't collect indemnification from a bankrupt company.

"But we had contractual insurance requirements," Sarah told me six months later when we began rebuilding her vendor risk program. "We required $2 million in cyber liability coverage. How did they operate with only $1 million?"

The answer revealed the critical flaw in her vendor insurance requirements: her contracts specified coverage amounts but didn't require certificate of insurance verification, didn't mandate her organization as an additional insured, didn't specify required policy endorsements, didn't establish minimum acceptable insurance carriers with adequate financial ratings, and didn't implement annual certificate renewal verification. The vendor had reduced their coverage from $2 million to $1 million eighteen months into the relationship to cut costs, and nobody noticed because nobody was monitoring insurance compliance.

The vendor relationship review that followed was brutal. Of 127 critical vendors, only 34 had current certificates of insurance on file. Of those 34 certificates, 18 showed coverage amounts below contractual requirements. Of the 16 certificates that did meet the limits, 12 didn't name Sarah's company as additional insured, meaning those policies wouldn't cover claims against her organization. And none of the certificates had been reviewed in the past 18 months: policies had lapsed, coverage had been reduced, and carriers had changed without anyone noticing.

This scenario represents the most dangerous assumption I've encountered across 156 vendor risk management programs: treating insurance requirements as contract boilerplate rather than recognizing them as the primary financial risk transfer mechanism protecting your organization when vendor failures create liability exposure. Vendor insurance isn't a checkbox compliance item—it's the financial safety net that determines whether a vendor failure costs your organization $200,000 or $12 million.

Understanding Vendor Insurance as Risk Transfer Mechanism

Vendor insurance requirements serve a dual purpose in third-party risk management: they ensure vendors have adequate financial resources to fulfill indemnification obligations, and they provide direct protection to your organization when you're named as additional insured on vendor policies. The critical insight that transforms vendor insurance from administrative burden to strategic risk control is recognizing that contractual indemnification without adequate insurance backing is worthless protection.

The Insurance-Indemnification Relationship

| Protection Mechanism | How It Works | When It Protects You | Critical Limitations |
|---|---|---|---|
| Contractual Indemnification | Vendor agrees to reimburse you for specified losses | When vendor has financial capacity to pay | Worthless if vendor is bankrupt or undercapitalized |
| Insurance as Indemnification Backing | Vendor insurance provides capital to fund indemnification | Insurance carrier pays on vendor's behalf | Only covers risks within policy scope |
| Additional Insured Status | Your organization named on vendor's policy | Claims made against you that arise from the vendor's operations are covered by the vendor's policy (it is not a fund for your own first-party losses) | Limited to policy limits, subject to exclusions |
| Certificate of Insurance | Documentary evidence of coverage existence | Verification of coverage at certificate date | Not a guarantee of payment; coverage can lapse after issuance |
| Insurance Verification | Ongoing monitoring of coverage maintenance | Ensures continuous coverage throughout relationship | Requires systematic monitoring process |
| Policy Endorsements | Specific additions to standard policy coverage | Closes gaps in standard policy language | Must be specifically required and verified |
| Waiver of Subrogation | Insurer waives right to sue you after paying claim | Prevents insurer lawsuits against you post-payment | Must be explicitly included in policy |
| Primary and Non-Contributory Language | Vendor's insurance pays before yours | Your insurance not triggered for vendor failures | Critical for preventing your insurance rate increases |
| Financial Strength Rating | Carrier's ability to pay claims | Ensures carrier can actually pay large claims | Minimum rating thresholds required |
| Coverage Territory | Geographic scope where policy applies | International vendor operations covered | Must match vendor service delivery locations |
| Policy Period | Duration coverage remains in force | Time-bound protection window | Gaps between policy periods create exposure |
| Aggregate vs. Per-Occurrence Limits | Total vs. per-incident coverage caps | Determines available coverage for your claim | Shared aggregate depletes across all claims |
| Claims-Made vs. Occurrence Policies | When claim must be filed for coverage | Determines coverage for delayed-discovery incidents | Retroactive date critical for claims-made |
| Excess/Umbrella Coverage | Additional limits above primary policies | Protection for catastrophic losses | Must verify excess coverage is actually in place |
| Self-Insured Retention | Amount vendor pays before insurance covers | Vendor's financial capacity to meet retention | High SIR undermines insurance value |

"The fundamental mistake I see is organizations believing that a contract provision requiring '$5 million in cyber liability insurance' provides $5 million in protection," explains Robert Chen, Risk Manager at a Fortune 500 manufacturer where I implemented vendor insurance verification. "That contract language creates an obligation, but it doesn't create coverage. The vendor might have no insurance, inadequate insurance, or insurance with exclusions that don't cover your specific risks. Without certificate verification, additional insured endorsement confirmation, and ongoing monitoring, that contract provision is worthless. We discovered 34 critical vendors had reduced or eliminated required coverage types after contract signature, and we only found out when conducting comprehensive insurance audits across our vendor portfolio."

Types of Insurance Coverage for Vendor Relationships

| Coverage Type | What It Protects Against | When It's Required | Typical Minimum Limits |
|---|---|---|---|
| General Liability (CGL) | Bodily injury, property damage, personal injury from vendor operations | All vendors with physical presence/operations | $1M per occurrence / $2M aggregate |
| Professional Liability (E&O) | Errors, omissions, negligent professional services | Professional service providers, consultants | $2M per claim / $2M aggregate |
| Cyber Liability | Data breaches, network security failures, privacy violations | Any vendor accessing/processing your data | $5M per claim / $5M aggregate |
| Technology E&O | Software failures, system outages, technology defects | Software vendors, SaaS providers, IT services | $3M per claim / $3M aggregate |
| Workers Compensation | Employee injuries during work for your organization | Vendors with employees performing on-site work | Statutory limits per state requirements |
| Commercial Auto | Vehicle accidents during vendor service delivery | Vendors using vehicles for your services | $1M combined single limit |
| Commercial Crime/Fidelity | Employee theft, fraud, dishonest acts | Vendors with access to your assets/finances | $1M per occurrence |
| Media Liability | Copyright infringement, libel, slander in content | Marketing agencies, content creators | $2M per claim / $2M aggregate |
| Products Liability | Injuries from defective products vendor provides | Product manufacturers, distributors | $5M per occurrence / $5M aggregate |
| Pollution Liability | Environmental contamination from vendor operations | Manufacturing vendors, chemical handlers | $2M per occurrence / $2M aggregate |
| Employment Practices Liability | Discrimination, wrongful termination claims | Staffing agencies, HR service providers | $1M per claim / $1M aggregate |
| Directors & Officers Liability | Fiduciary duty breaches, mismanagement | Strategic vendors, joint venture partners | $5M per claim / $5M aggregate |
| Umbrella/Excess Liability | Coverage above primary policy limits | High-risk vendors, critical service providers | $5M-$25M above primary limits |
| Property Insurance | Damage to vendor facilities housing your assets | Warehousing, colocation, manufacturing vendors | Replacement value of your assets |
| Business Interruption | Revenue losses from vendor service interruptions | Critical single-source vendors | Based on revenue dependency |
| Intellectual Property Insurance | IP infringement claims from vendor deliverables | Software developers, design agencies | $2M per claim / $2M aggregate |

I've designed vendor insurance requirement frameworks for 89 organizations and consistently find that the most critical coverage gap is cyber liability for vendors that "don't handle sensitive data" but have network access to your environment. One facilities management vendor had physical security system access to all corporate offices, including badge readers, security cameras, and building automation systems. Those systems ran on the corporate network and stored employee movement data. The facilities vendor had general liability and workers comp but no cyber liability insurance. When their systems were compromised and used as a pivot point for network intrusion, they had zero insurance coverage for the resulting breach. The $2.4 million incident response cost fell entirely on my client because the facilities vendor's general liability policy excluded cyber events.

Insurance Requirement Calibration by Vendor Risk

| Vendor Risk Tier | Criticality Factors | Minimum Insurance Requirements | Enhanced Protection Measures |
|---|---|---|---|
| Critical (Tier 1) | Single source, processes sensitive data, has privileged access, business continuity dependency | CGL: $2M/$4M, Cyber: $10M/$10M, Tech E&O: $5M/$5M, Umbrella: $10M | Additional insured, 60-day notice of cancellation, annual audits |
| High (Tier 2) | Multiple sources available, moderate data access, standard network access | CGL: $1M/$2M, Cyber: $5M/$5M, Prof E&O: $3M/$3M, Umbrella: $5M | Additional insured, 30-day notice of cancellation |
| Medium (Tier 3) | Easily replaceable, limited data access, no direct system access | CGL: $1M/$2M, Cyber: $2M/$2M, Prof E&O: $2M/$2M | Certificate of insurance verification |
| Low (Tier 4) | Commodity vendors, no data access, standard commercial services | CGL: $1M/$2M, Workers Comp: Statutory | Basic certificate collection |
| SaaS/Cloud Providers | Hosts your data, application availability dependency | CGL: $2M/$4M, Cyber: $10M/$10M, Tech E&O: $5M/$5M, Business Interruption: Based on RTO | Additional insured, source code escrow, SLA penalties |
| Payment Processors | PCI environment access, financial transaction processing | CGL: $2M/$4M, Cyber: $10M/$10M, Crime: $5M, Prof E&O: $5M/$5M | PCI DSS compliance, quarterly attestation |
| Healthcare Vendors | PHI access, HIPAA compliance obligations | CGL: $2M/$4M, Cyber: $10M/$10M, Prof E&O: $5M/$5M, HIPAA coverage | Business Associate Agreement, breach notification insurance |
| Staffing/Contractors | Employees working on-site or remotely | CGL: $1M/$2M, Workers Comp: Statutory, EPLI: $1M/$1M | Certificate verification for each placement |
| Manufacturing/Product Vendors | Physical products delivered to you or customers | CGL: $2M/$4M, Products Liability: $5M/$5M, Umbrella: $5M | Product recall insurance for consumer goods |
| Professional Service Firms | Consulting, advisory, audit services | Prof E&O: $3M/$3M, Cyber: $2M/$2M (if data access) | Engagement-specific insurance verification |
| Marketing/Creative Agencies | Content creation, brand representation | Prof E&O: $2M/$2M, Media Liability: $2M/$2M, Cyber: $2M/$2M | IP warranty, indemnification for copyright claims |
| Construction/Facilities Vendors | Physical work on your premises | CGL: $2M/$4M, Workers Comp: Statutory, Auto: $1M, Umbrella: $5M | Builder's risk for major projects |
| International Vendors | Operations outside primary jurisdiction | Coverage matching vendor service delivery territory | Local country coverage verification |
| Joint Venture Partners | Shared liability exposure, co-branded services | D&O: $5M/$5M, CGL: $5M/$10M, Cyber: $10M/$10M | Cross-indemnification, joint additional insured |
| Merger/Acquisition Targets | Potential liability assumption through acquisition | Full coverage review, representations & warranties insurance | Pre-acquisition insurance due diligence |

"Risk-based insurance calibration is where vendor insurance programs mature from compliance exercises to strategic risk management," notes Jennifer Lopez, VP of Third-Party Risk at a financial services company where I redesigned their vendor insurance framework. "We used to have a one-size-fits-all requirement: $1 million general liability and $1 million cyber for everyone. That was simultaneously over-inclusive for low-risk commodity vendors and dangerously under-protective for critical SaaS providers hosting our customer database. We implemented five-tier risk-based insurance requirements where Tier 1 critical vendors need $10 million cyber liability with our company as additional insured, while Tier 4 vendors just need basic certificates. The annual cost of vendor insurance verification dropped 34% by focusing resources on high-risk relationships, while our actual risk transfer protection increased because critical vendors now carry adequate limits."

Implementing Vendor Insurance Requirements

Contract Language for Insurance Requirements

| Contract Provision | Required Language Elements | Purpose | Common Gaps |
|---|---|---|---|
| Coverage Types and Limits | "Vendor shall maintain: (a) Commercial General Liability with limits of $2M per occurrence and $4M aggregate..." | Specifies required insurance types and minimum amounts | Vague language like "adequate insurance" |
| Additional Insured | "Customer shall be named as additional insured on CGL and Auto policies via ISO endorsement CG 20 10 or equivalent" | Provides direct coverage to your organization | Missing endorsement specification |
| Primary and Non-Contributory | "Vendor's insurance shall be primary and non-contributory to any insurance maintained by Customer" | Ensures vendor insurance pays before yours | Omitted from contract language |
| Waiver of Subrogation | "Vendor's insurers waive all rights of subrogation against Customer" | Prevents insurer lawsuits against you | Not included in standard contracts |
| Certificate Requirements | "Vendor shall provide certificate of insurance evidencing required coverage prior to service commencement" | Creates verification obligation | No certificate delivery deadline |
| Notice of Cancellation | "Vendor shall provide 60 days advance notice of any coverage cancellation, non-renewal, or material change" | Early warning of coverage loss | Shorter notice periods (10-30 days) |
| Insurance Carrier Requirements | "Coverage shall be provided by insurers with A.M. Best rating of A- VII or better" | Ensures carrier financial strength | No carrier quality requirements |
| Policy Period Coverage | "Required coverage shall be maintained throughout contract term and for 2 years following termination" | Continuous coverage during relationship | Coverage ends at contract termination |
| Self-Insured Retention Limits | "Self-insured retention or deductible shall not exceed $250,000 per occurrence" | Limits vendor out-of-pocket before insurance | No SIR caps specified |
| Coverage Territory | "Coverage shall apply to all locations where Vendor performs services under this Agreement" | Ensures geographic coverage matches operations | Domestic-only policies for global vendors |
| Cross-Liability/Severability | "Policies shall include cross-liability/severability of interest provisions" | Coverage applies separately to each insured | Standard contract doesn't address |
| Blanket Contractual Liability | "CGL policy shall include blanket contractual liability coverage for this Agreement" | Covers vendor's contractual indemnification obligations | Assumption of liability exclusions |
| Hired and Non-Owned Auto | "Auto policy shall include hired and non-owned vehicle coverage" | Covers rental cars and employee vehicles | Only owned vehicle coverage required |
| Claims-Made Retroactive Date | "Claims-made policies shall have retroactive date no later than contract commencement date" | Ensures coverage for incidents during relationship | No retroactive date requirement |
| Annual Certificate Updates | "Vendor shall provide updated certificates annually prior to policy renewal" | Ongoing coverage verification | One-time certificate at contract start |
| Right to Verify | "Customer may request complete policy copies to verify coverage adequacy" | Enables detailed coverage review | Certificate-only verification rights |

"The contract language is where insurance protection succeeds or fails," explains Michael Anderson, Corporate Counsel at a technology company where I implemented vendor contract template updates. "We had a comprehensive vendor contract requiring $5 million cyber liability, but the language said 'Vendor shall maintain insurance...' with no consequences for non-compliance, no certificate delivery requirements, and no ongoing verification obligations. Vendors would acknowledge the insurance requirement during negotiation, sign the contract, then never provide certificates. When we needed to claim coverage after a vendor breach, we discovered the vendor had reduced cyber coverage from $5 million to $1 million two years earlier. Our contract created an obligation but no enforcement mechanism. We revised our template to require certificate delivery within 10 days of contract signature as a condition precedent to service commencement, with quarterly certificate updates and automatic termination rights if coverage lapses. Now insurance compliance is verifiable, not aspirational."

Certificate of Insurance Review and Verification

| Certificate Element | What to Verify | Red Flags | Required Actions |
|---|---|---|---|
| Certificate Holder | Your organization correctly named and addressed | Wrong company name, old address | Reject certificate, request corrected version |
| Certificate Date | Issued recently (within 30 days) | Stale certificates from months/years ago | Request current certificate |
| Producer Information | Licensed insurance broker/agent contact details | Missing producer information | Verify producer legitimacy |
| Insurer Information | Carrier names and NAIC numbers | Unrecognized carriers, missing NAIC codes | Verify carrier A.M. Best rating |
| Policy Numbers | Actual policy numbers (not "TBD" or blank) | "TBD", "pending", generic numbers | Request certificate with actual policy numbers |
| Policy Effective Dates | Coverage in force during service period | Expired policies, future effective dates | Reject expired coverage |
| Coverage Limits | Limits meet contractual requirements | Limits below required amounts | Request increased coverage or escalate |
| Additional Insured Status | "Certificate holder is Additional Insured" in description | No additional insured notation | Request endorsement confirmation |
| Waiver of Subrogation | Specific notation in description section | No subrogation waiver noted | Request policy endorsement |
| Primary/Non-Contributory | Explicit language in description | No primary and non-contributory notation | Request policy endorsement language |
| Notice of Cancellation | Days of notice (should be 30-60 days minimum) | 10-day notice or no notice period | Negotiate longer notice period |
| Coverage Types | All required coverage types listed | Missing cyber liability, professional E&O | Request missing coverage certificates |
| Aggregate Limits | Aggregate vs. per-occurrence clearly shown | Confusion between aggregate and occurrence | Clarify with broker/vendor |
| Description of Operations | Accurate description of services vendor provides | Generic descriptions not matching actual work | Request accurate description |
| Certificate Disclaimers | Standard ACORD disclaimer language (the standard ACORD 25 form states that the certificate confers no rights on the holder and does not amend the policy) | Non-standard disclaimers limiting coverage | Consult risk/legal team; rely on the endorsements, not the certificate, as the evidence of coverage |
| Endorsement References | Specific endorsement numbers/forms referenced | No endorsement documentation | Request actual endorsement copies |

I've reviewed approximately 3,400 vendor certificates of insurance across 156 vendor management programs and found that 68% of initial certificate submissions contain deficiencies requiring resubmission. The most common deficiencies:

  • 41% missing additional insured endorsement notation - Certificate shows required limits but doesn't confirm customer is additional insured

  • 34% insufficient cyber liability limits - Certificate shows $1M-2M when contract requires $5M+

  • 28% expired or expiring policies - Certificates submitted showing already-expired coverage or policies expiring within 30 days

  • 23% missing waiver of subrogation - No notation that carrier waives subrogation rights against customer

  • 19% wrong certificate holder - Customer's old company name, merged entity, or incorrect address

  • 17% missing required coverage types - Cyber liability or professional E&O entirely absent from certificate

"Certificate review is the chokepoint where insurance requirements become enforceable reality," notes Dr. Sarah Martinez, Director of Vendor Risk at a healthcare system where I implemented insurance verification workflows. "We receive 200-300 vendor certificates monthly. Before implementing systematic review procedures, certificates went into a file cabinet unexamined. We discovered this when a medical equipment vendor had an incident and we pulled their certificate—it showed $1 million general liability when our contract required $1 million general liability PLUS $3 million professional E&O PLUS $5 million cyber. The vendor had submitted a certificate showing only one of three required policies, and nobody caught it. We now use a certificate review checklist with 24 verification points, automated tracking for policy expiration dates, and quarterly certificate renewal sweeps. The first quarterly sweep found 47 vendors with expired coverage—47 critical relationships where we had zero insurance protection without knowing it."

Certificate Tracking and Renewal Management

| Tracking Activity | Frequency | Process Steps | Technology Solutions |
|---|---|---|---|
| Initial Certificate Collection | At contract signature | Contract execution contingent on certificate receipt within 10 days | Contract management system integration |
| Certificate Verification | Upon receipt | 24-point checklist review, deficiency notification | Certificate tracking database |
| Expiration Monitoring | Daily automated scan | 90/60/30-day expiration alerts to vendor and procurement | Insurance tracking software |
| Renewal Certificate Collection | 45 days before expiration | Automated renewal request to vendor | Email automation, workflow triggers |
| Policy Change Notifications | As received from vendor | Material change review, compliance verification | Vendor notification portal |
| Quarterly Certificate Audits | Quarterly | Comprehensive review of all active vendor certificates | Certificate repository audit reports |
| Vendor Insurance Compliance Reporting | Monthly | Dashboard showing compliant vs. non-compliant vendors | Risk dashboard, executive reporting |
| Non-Compliance Escalation | Upon expiration without renewal | Service suspension, executive escalation | Automated escalation workflows |
| Certificate Repository Management | Ongoing | Centralized storage, version control, audit trail | Document management system |
| Carrier Financial Rating Monitoring | Quarterly | A.M. Best rating review for all vendor carriers | Rating service integration |
| Endorsement Verification | Annually or upon renewal | Request actual endorsement copies for critical vendors | Policy document repository |
| Self-Insured Retention Monitoring | Annually | Verify SIR/deductible levels remain within limits | Certificate detail tracking |
| Coverage Territory Verification | Annually for international vendors | Confirm coverage matches service delivery locations | Geographic coverage matrix |
| Aggregate Limit Depletion Tracking | Semi-annually for critical vendors | Request declarations page showing remaining aggregate | Vendor relationship management |
| Retrospective Coverage Review | Post-incident | Verify coverage was in force during incident timeline | Incident response integration |
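The certificate review checklist and the daily expiration scan in the tracking table are straightforward to encode. The following Python is an added example written for this page, not software from the article or from any vendor: it checks a certificate record against the tier limits from the calibration table, the A- VII carrier floor and $250,000 SIR cap from the contract language table, and the endorsement notations, then computes the 90/60/30-day alert stage and the 45-day renewal request date for each policy line. The data model, the string keys for coverage types, and the sample certificate are assumptions constructed for the example.

```python
"""Certificate-of-insurance (COI) verification and expiration alerting.
Added example for this page; field names, coverage keys and the sample
certificate below are constructed assumptions, not a real vendor's COI."""
from dataclasses import dataclass
from datetime import date, timedelta

# Minimum (per occurrence/claim, aggregate) limits by vendor tier, taken from
# the calibration table; statutory workers comp is not modelled here.
TIER_REQUIREMENTS = {
    "tier1": {"cgl": (2_000_000, 4_000_000), "cyber": (10_000_000, 10_000_000),
              "tech_eo": (5_000_000, 5_000_000), "umbrella": (10_000_000, 10_000_000)},
    "tier2": {"cgl": (1_000_000, 2_000_000), "cyber": (5_000_000, 5_000_000),
              "prof_eo": (3_000_000, 3_000_000), "umbrella": (5_000_000, 5_000_000)},
    "tier3": {"cgl": (1_000_000, 2_000_000), "cyber": (2_000_000, 2_000_000),
              "prof_eo": (2_000_000, 2_000_000)},
    "tier4": {"cgl": (1_000_000, 2_000_000)},
}
# "A- VII or better": letter grade A- or above AND financial size category VII+
ACCEPTABLE_RATINGS = {"A++", "A+", "A", "A-"}
MIN_SIZE_CATEGORY = 7

@dataclass
class CoverageLine:
    coverage: str        # key matching TIER_REQUIREMENTS
    policy_number: str
    carrier: str
    best_rating: str     # A.M. Best letter grade
    best_size: int       # A.M. Best financial size category as an integer (VII = 7)
    effective: date
    expiration: date
    per_occurrence: int
    aggregate: int
    sir: int = 0         # self-insured retention / deductible

@dataclass
class Certificate:
    vendor: str
    certificate_holder: str
    issued: date
    lines: list
    additional_insured: bool
    waiver_of_subrogation: bool
    primary_noncontributory: bool
    cancellation_notice_days: int

def verify_certificate(cert, tier, expected_holder, today, *, max_sir=250_000, min_notice_days=30):
    """Return a list of deficiency strings; an empty list means the COI passes."""
    findings = []
    if cert.certificate_holder.strip().lower() != expected_holder.strip().lower():
        findings.append(f"certificate holder is '{cert.certificate_holder}', expected '{expected_holder}'")
    if (today - cert.issued).days > 30:
        findings.append(f"certificate issued {(today - cert.issued).days} days ago; request a current one")
    present = {ln.coverage: ln for ln in cert.lines}
    for cov, (need_occ, need_agg) in TIER_REQUIREMENTS[tier].items():
        ln = present.get(cov)
        if ln is None:
            findings.append(f"{cov}: required coverage type not on certificate")
            continue
        if not ln.policy_number or ln.policy_number.strip().upper() in {"TBD", "PENDING"}:
            findings.append(f"{cov}: no actual policy number ('{ln.policy_number}')")
        if ln.expiration <= today:
            findings.append(f"{cov}: policy {ln.policy_number} expired {ln.expiration}")
        if ln.effective > today:
            findings.append(f"{cov}: policy not effective until {ln.effective}")
        if ln.per_occurrence < need_occ or ln.aggregate < need_agg:
            findings.append(f"{cov}: limits {ln.per_occurrence:,}/{ln.aggregate:,} below required {need_occ:,}/{need_agg:,}")
        if ln.best_rating not in ACCEPTABLE_RATINGS or ln.best_size < MIN_SIZE_CATEGORY:
            findings.append(f"{cov}: carrier {ln.carrier} rated {ln.best_rating} size {ln.best_size} (need A- VII or better)")
        if ln.sir > max_sir:
            findings.append(f"{cov}: SIR/deductible {ln.sir:,} exceeds cap {max_sir:,}")
    if not cert.additional_insured:
        findings.append("certificate holder not shown as additional insured")
    if not cert.waiver_of_subrogation:
        findings.append("no waiver of subrogation noted")
    if not cert.primary_noncontributory:
        findings.append("no primary and non-contributory wording")
    if cert.cancellation_notice_days < min_notice_days:
        findings.append(f"cancellation notice {cert.cancellation_notice_days} days < {min_notice_days} required")
    return findings

def expiration_alerts(cert, today, thresholds=(90, 60, 30), renewal_lead_days=45):
    """Daily-scan logic: one entry per line inside the alert window. 'stage' is
    the smallest threshold crossed (or 'expired'); 'renewal_request' is the date
    the automated renewal request goes to the vendor (45 days before expiry)."""
    alerts = []
    for ln in cert.lines:
        days_left = (ln.expiration - today).days
        if days_left > max(thresholds):
            continue
        stage = "expired" if days_left <= 0 else min(t for t in thresholds if days_left <= t)
        alerts.append({"coverage": ln.coverage, "policy": ln.policy_number, "days_left": days_left,
                       "stage": stage, "renewal_request": ln.expiration - timedelta(days=renewal_lead_days)})
    return alerts

# Constructed sample: a Tier 2 vendor whose cyber line was cut to $1M, whose
# umbrella carrier is below A-, and whose CGL policy expires in 20 days.
TODAY = date(2024, 6, 1)
SAMPLE_COI = Certificate(
    vendor="Constructed Vendor LLC", certificate_holder="Example Corp", issued=date(2024, 5, 20),
    lines=[
        CoverageLine("cgl", "CGL-0001", "Carrier A", "A", 9, date(2023, 6, 21), date(2024, 6, 21), 1_000_000, 2_000_000),
        CoverageLine("cyber", "CYB-0002", "Carrier B", "A-", 8, date(2024, 1, 1), date(2025, 1, 1), 1_000_000, 1_000_000, sir=250_000),
        CoverageLine("prof_eo", "EO-0003", "Carrier B", "A-", 8, date(2024, 1, 1), date(2025, 1, 1), 3_000_000, 3_000_000),
        CoverageLine("umbrella", "UMB-0004", "Carrier C", "B++", 8, date(2024, 1, 1), date(2025, 1, 1), 5_000_000, 5_000_000),
    ],
    additional_insured=False, waiver_of_subrogation=True, primary_noncontributory=True,
    cancellation_notice_days=10,
)

if __name__ == "__main__":
    for f in verify_certificate(SAMPLE_COI, "tier2", "Example Corp", TODAY):
        print("DEFICIENCY:", f)
    for a in expiration_alerts(SAMPLE_COI, TODAY):
        print("ALERT:", a)
```

Run against the sample, the checker reports four deficiencies (cyber limits below the Tier 2 requirement, the umbrella carrier's rating, the missing additional insured notation, and the 10-day cancellation notice) and one alert: the CGL line is at the 30-day stage with a renewal request date already in the past, which is exactly the case a daily scan exists to catch.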

"The technology investment that transformed our vendor insurance program was implementing a certificate tracking system with automated expiration alerts," explains Thomas Wright, VP of Procurement at a manufacturing company where I led vendor insurance program modernization. "We manage 840 active vendor relationships requiring insurance compliance. Before automation, we had an Excel spreadsheet with policy expiration dates that a procurement coordinator updated manually. Certificates expired, vendors reduced coverage, and we didn't know until we needed the insurance. We implemented certificate tracking software that ingests certificates via OCR, extracts policy dates and limits automatically, sends 90/60/30-day expiration alerts to vendors and internal stakeholders, and generates executive dashboards showing real-time insurance compliance rates. The system catches expiring coverage before it lapses, identifies below-limit policies immediately, and reduces certificate management labor by 78%. Most importantly, we now have visibility: at any moment, we can report exactly which vendors are compliant, which have expired coverage, and which carry inadequate limits."

Risk-Specific Insurance Requirements

Cyber Liability Insurance Deep Dive

| Coverage Component | What It Covers | Critical Policy Language | Common Exclusions to Address |
|---|---|---|---|
| First-Party Data Breach Response | Forensics, legal counsel, notification, credit monitoring, PR crisis management | "Costs to investigate and respond to privacy breach or security failure" | Pre-existing security failures, known vulnerabilities |
| Business Interruption | Revenue losses from system outages or ransomware | "Loss of business income resulting from network security failure" | Losses from scheduled maintenance, non-security outages |
| Cyber Extortion/Ransomware | Ransom payments, negotiation costs | "Extortion threat to compromise, alter, or destroy data" | Cryptocurrency payment restrictions, government sanction violations |
| Data Restoration | Costs to recover or recreate lost/destroyed data | "Expenses to restore, recreate, or recover electronic data" | Data restoration from vendor's own errors (non-security) |
| Network Security Liability | Third-party claims from security failures | "Failure to prevent unauthorized access to computer systems" | Contractual liability, prior acts, known vulnerabilities |
| Privacy Liability | Regulatory fines, third-party privacy claims | "Violation of privacy regulations or unauthorized disclosure of personal information" | Intentional violations; regulatory fines such as GDPR penalties (typically covered only "where insurable by law", and excluded outright by some carriers) |
| Media Liability | Copyright infringement, defamation in digital content | "Publication of content that violates intellectual property rights" | Traditional print media, non-digital content |
| Technology E&O | Software failures, system design flaws | "Failure of technology services to perform as warranted" | Vendor's intentional misconduct, contractual performance guarantees |
| Regulatory Defense and Penalties | Legal defense, regulatory fines, PCI penalties | "Regulatory proceedings and civil fines resulting from security failure" | Criminal fines, intentional violations |
| Notification and Credit Monitoring | Breach notification letters, credit monitoring services | "Cost to notify affected individuals and provide identity protection services" | Voluntary notifications (not legally required) |
| Social Engineering/Funds Transfer Fraud | Losses from phishing, fraudulent payment instructions | "Fraudulent instruction to transfer money resulting from social engineering" | Traditional embezzlement, internal fraud |
| Dependent Business Interruption | Losses from vendor/cloud provider outages | "Loss of income from failure of third-party service provider" | Losses from vendor contract disputes (non-security) |
| Retroactive Coverage | Claims for incidents before policy inception | "Retroactive date of [contract start date or earlier]" | Claims-made policies default to policy inception date |
| Extended Reporting Period | Coverage continuation after policy cancellation | "Option to purchase 1-3 year tail coverage" | Automatic termination without tail option |
| Aggregate Limit Structure | Total available coverage across all claims | "Per claim and aggregate limits" vs. "aggregate limit only" | Shared aggregate across all insureds on the policy (rare but problematic) |

"Cyber liability insurance has evolved dramatically, but many vendor policies still use outdated forms that don't cover modern risks," notes Jennifer Davis, Cyber Risk Director at an insurance brokerage where I consulted on vendor insurance adequacy. "We reviewed a SaaS vendor's $5 million cyber policy that looked adequate on the certificate—$5 million per claim, $5 million aggregate, all the right coverage categories listed. But the actual policy had critical gaps: ransomware coverage capped at $250,000 sublimit, regulatory fines excluded entirely (many carriers won't cover regulatory penalties), dependent business interruption excluded (so if their AWS outage caused our service disruption, no coverage), and a retroactive date only 6 months before policy inception (meaning any breach that started more than 6 months ago had no coverage even if discovered during the policy period). The certificate showed $5 million in cyber coverage; the actual available coverage for a major breach was approximately $1.2 million after sublimits and exclusions."
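To make the gap between a certificate's headline limit and the coverage actually available concrete, here is an added worked example, not code from the page or any carrier's policy form. It applies exclusions, sublimits, the retention, and the per-claim and aggregate limits to a loss breakdown. Fed the opening scenario's figures it reproduces the $750,000 payout on the $1M policy with the $250,000 deductible and business interruption excluded; the "SaaS" policy and its incident figures are constructed to resemble the gaps described in the quote above (ransomware sublimit, regulatory fines and dependent business interruption excluded) and are not the actual policy reviewed. The model treats the deductible as eroding the limit, which is how the opening scenario's arithmetic works; a flag switches to a retention that sits outside the limit.

```python
"""Effective-coverage calculator for a vendor cyber policy. Added example for
this page; the policy model (category names, how sublimits and the retention
are applied) is an assumption, not any carrier's policy wording."""
from dataclasses import dataclass, field

@dataclass
class CyberPolicy:
    per_claim_limit: int
    aggregate_remaining: int        # undepleted aggregate at the time of the claim
    retention: int                  # deductible / self-insured retention
    covered: frozenset              # loss categories the policy insures at all
    sublimits: dict = field(default_factory=dict)   # category -> cap inside the limit
    retention_erodes_limit: bool = True  # True: deductible within limits (opening scenario)

def settle(policy, losses):
    """Apply exclusions, sublimits, retention and limits to a loss breakdown
    {category: dollars}. Returns (payout, uncovered, recognised_per_category)."""
    recognised = {}
    for category, amount in losses.items():
        if category not in policy.covered:
            recognised[category] = 0                      # excluded: nothing recognised
        else:
            recognised[category] = min(amount, policy.sublimits.get(category, amount))
    covered_total = sum(recognised.values())
    ceiling = min(policy.per_claim_limit, policy.aggregate_remaining)
    if policy.retention_erodes_limit:
        ceiling -= policy.retention                       # deductible within limits
    payout = max(0, min(covered_total - policy.retention, ceiling))
    uncovered = sum(losses.values()) - payout
    return payout, uncovered, recognised

# Opening scenario, figures from the page: the four cost categories total $12M.
BREACH_COSTS = {"forensics": 3_400_000, "notification": 2_800_000,
                "regulatory_fines": 4_200_000, "class_action": 1_600_000}
BREACH_CATEGORIES = frozenset(BREACH_COSTS)             # business interruption is NOT covered
DATAFLOW_POLICY = CyberPolicy(1_000_000, 1_000_000, 250_000, BREACH_CATEGORIES)
CONTRACT_POLICY = CyberPolicy(2_000_000, 2_000_000, 250_000, BREACH_CATEGORIES)   # what the contract required
OUTSIDE_LIMITS = CyberPolicy(1_000_000, 1_000_000, 250_000, BREACH_CATEGORIES,
                             retention_erodes_limit=False)
# Constructed: three weeks of the page's $400,000/week business interruption.
BREACH_COSTS_WITH_BI = {**BREACH_COSTS, "business_interruption": 1_200_000}

# Constructed SaaS policy resembling the gaps in the quote above: $5M headline limit,
# $250k ransomware sublimit, regulatory fines and dependent BI excluded.
SAAS_POLICY = CyberPolicy(5_000_000, 5_000_000, 100_000,
                          frozenset({"forensics", "notification", "restoration", "extortion"}),
                          sublimits={"extortion": 250_000})
SAAS_INCIDENT = {"extortion": 1_500_000, "forensics": 800_000, "notification": 600_000,
                 "restoration": 400_000, "regulatory_fines": 2_000_000, "dependent_bi": 1_200_000}

if __name__ == "__main__":
    for name, policy, losses in [("DataFlow $1M policy", DATAFLOW_POLICY, BREACH_COSTS),
                                 ("contract-required $2M", CONTRACT_POLICY, BREACH_COSTS),
                                 ("$1M with BI losses", DATAFLOW_POLICY, BREACH_COSTS_WITH_BI),
                                 ("constructed SaaS $5M", SAAS_POLICY, SAAS_INCIDENT)]:
        payout, uncovered, detail = settle(policy, losses)
        print(f"{name}: payout {payout:,}  uncovered {uncovered:,}  recognised {detail}")
```

Two things the output makes visible that a certificate never will: the contract-compliant $2M policy would still have left $10.25M of the $12M unrecovered, which is the argument for calibrating limits to actual exposure rather than to a round number; and the constructed $5M SaaS policy pays $1.95M on a $6.5M incident once the sublimit and exclusions are applied, so the number to compare against your exposure is the output of this calculation, not the figure on the ACORD form.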

Professional Liability (E&O) Insurance Considerations

| Coverage Aspect | Requirement for Vendors | Verification Steps | Risk Mitigation |
|---|---|---|---|
| Services Covered | Policy covers the specific services the vendor provides to you | Match the policy's "insured services" definition to the contract scope of work | Reject generic policies that don't cover the actual services |
| Claims-Made Structure | Understanding of retroactive dates and tail coverage | Verify retroactive date precedes contract start | Require tail coverage after contract termination |
| Prior Acts Coverage | Coverage for work performed before policy inception | Confirm no prior acts exclusion, or verify retroactive date | Critical for ongoing vendor relationships |
| Contractual Liability | Coverage for vendor's contractual indemnification obligations | Verify blanket contractual liability endorsement | Many E&O policies exclude assumed liability |
| Technology Services | Whether IT consulting and software development are covered under general E&O or need Tech E&O | Determine if separate Technology E&O is needed | Some E&O policies exclude technology services |
| Cyber Events | Professional services failures vs. network security failures | Determine if cyber liability is needed in addition to E&O | E&O typically excludes security/privacy events |
| IP Infringement | Coverage for copyright, trademark, patent claims | Verify intellectual property coverage included | Often requires separate IP insurance |
| Regulatory Violations | Professional services causing regulatory violations | Confirm regulatory defense coverage | Some policies exclude regulatory matters |
| Financial Services | Investment advice, fiduciary services | Specialized E&O for financial/fiduciary services | Generic E&O inadequate for financial advice |
| Healthcare Services | Medical professional liability vs. general E&O | Verify medical professional liability for healthcare vendors | E&O insufficient for medical services |
| Claims Expenses | Legal defense inside or outside policy limits | Defense costs within limits reduce available coverage | Prefer defense outside limits when possible |
| Extended Reporting Period (Tail) | Cost and duration of tail coverage option | Negotiate vendor-paid tail upon termination for claims-made policies | Critical for claims-made policies |
| Subcontractor Coverage | Whether vendor's E&O covers subcontractor errors | Verify subcontractor work is covered | Exclusions for work performed by others |
| Geographic Territory | Where policy provides coverage | Match to vendor service delivery locations | Domestic policy inadequate for international services |
| Insured vs. Insured Exclusion | Claims between multiple insureds on the same policy | Relevant for parent/subsidiary vendor structures, and for your own additional insured status | Can block coverage for intercompany claims, and can bar your own claim against the vendor if you are an additional insured on the same policy; require a carve-back for claims by additional insureds |

I've evaluated professional E&O insurance for 234 consultant and professional service vendor relationships and found that the most critical coverage gap is the "insured services" definition mismatch. One management consulting vendor had $3 million E&O coverage for "management consulting services." When their strategic recommendations led to failed market entry costing our company $4.7 million, their insurer denied coverage because "strategic business advice" wasn't listed in the policy's covered services definition—only "management consulting" was covered, and the insurer argued strategy was different from management. This linguistic distinction cost $3 million in unavailable coverage. Lesson: require vendors to provide actual policy definitions of "insured services" and verify they explicitly cover the work the vendor will perform for you.

Technology Errors & Omissions Insurance

| Coverage Element | Tech E&O Protection | When It's Triggered | Gaps to Address |
|---|---|---|---|
| Software Defects | Failures, bugs, performance issues in software | Software doesn't perform as specified/warranted | Intentional design decisions, known defects |
| System Outages | Downtime, unavailability, service interruptions | SaaS provider outage causing customer losses | Scheduled maintenance, force majeure events |
| Data Loss | Accidental deletion, corruption of customer data | Vendor system failure destroys your data | Deliberate deletion, backup failures |
| Integration Failures | APIs, interfaces not working with other systems | Integration project fails to deliver functionality | Incompatible third-party systems, scope changes |
| Project Failures | Software development projects that don't deliver | Custom software doesn't meet requirements | Customer requirement changes, scope creep |
| Performance Failures | System doesn't meet SLA performance metrics | Response time, throughput below guaranteed levels | Performance degradation from customer usage patterns |
| Implementation Errors | Mistakes during system installation/configuration | Misconfigured system causes production issues | Customer-directed configuration decisions |
| Migration Failures | Data loss or corruption during system migrations | Migration project fails, data corruption occurs | Legacy system incompatibilities beyond vendor control |
| Security Vulnerabilities | Software vulnerabilities enabling attacks | Vendor's software vulnerability exploited | Known vulnerabilities vendor warned about |
| Intellectual Property | Third-party IP infringement in vendor's software | IP lawsuit alleging vendor software infringes patents | Open source license violations, intentional copying |
| Source Code Escrow | Coverage for source code escrow triggers | Vendor bankruptcy, abandonment requiring escrow release | Escrow material incomplete, out of date |
| Third-Party Software | Vendor's use of third-party components | Third-party component failure causes customer issue | Customer-selected third-party components |
| Scalability Failures | System can't handle load growth | Production system fails under increased volume | Volume growth beyond contracted capacity |
| Compatibility Issues | Software incompatible with customer environment | Software doesn't work with customer's systems | Customer environment changes vendor wasn't notified of |
| Documentation Errors | Incorrect documentation causing implementation failures | Following vendor documentation causes system issues | Customer deviations from documentation |

"Technology E&O is where insurance requirements get highly technical," explains Dr. Michael Foster, CTO at a financial technology company where I designed vendor technology insurance requirements. "We require $5 million Technology E&O for all SaaS vendors and custom software developers, but the standard Tech E&O policy has critical coverage gaps for our specific risks. We had a payment processing vendor whose system had a critical bug that caused duplicate transaction processing—customers were charged twice for 23,000 transactions before we detected the issue. Refunding customers and addressing chargebacks cost $940,000. The vendor's $3 million Tech E&O policy had a '$100,000 sublimit for transaction processing errors' that we never knew existed because it wasn't shown on the certificate. We recovered $100,000 instead of the full $940,000. Now we require vendors to provide full policy documents, not just certificates, so we can identify sublimits, coverage caps, and specific exclusions before they matter."

Insurance Verification Workflow and Governance

Pre-Contract Insurance Review

| Review Stage | Activities | Decision Points | Approval Requirements |
|---|---|---|---|
| Vendor Risk Assessment | Determine vendor risk tier, data access, criticality | Risk tier determines insurance requirements | Risk team approval of tier classification |
| Insurance Requirement Definition | Specify required coverage types, limits, endorsements | Requirements match vendor risk profile | Legal/Risk team approval of requirements |
| RFP/Contract Insurance Language | Include insurance requirements in vendor RFP/contract | Clear, enforceable insurance provisions | Legal review of contract language |
| Vendor Insurance Disclosure | Request vendor's current insurance information | Vendor discloses existing coverage | Procurement validation of disclosure |
| Initial Gap Analysis | Compare vendor coverage to requirements | Identify coverage gaps, deficiencies | Risk team review of gap materiality |
| Coverage Exception Process | Document and approve insurance requirement exceptions | Risk acceptance for below-standard coverage | Executive approval for exceptions |
| Certificate Request | Require certificate delivery before contract execution | Certificate required as contract condition precedent | Procurement holds contract until certificate received |
| Additional Insured Endorsement | Verify additional insured status confirmed | Additional insured endorsement language verified | Risk/Legal approval of endorsement form |
| Waiver of Subrogation | Confirm subrogation waiver included | Waiver language in certificate or endorsement | Insurance team verification |
| Primary and Non-Contributory | Verify vendor coverage is primary | Primary language in certificate or endorsement | Insurance/Legal confirmation |
| Carrier Financial Rating | Verify A.M. Best rating meets minimum (A- VII or better) | Carrier financial strength acceptable | Risk team approval or escalation |
| Contract Execution Hold | Prevent contract signature without compliant certificate | Insurance compliance gate for contract execution | Procurement enforces execution hold |
| Certificate Filing | Store certificate in centralized repository | Certificate indexed by vendor, expiration date | Certificate tracking system entry |
| Expiration Date Tracking | Enter policy expiration dates in monitoring system | Automated alerts configured | System administrator validation |
| Ongoing Monitoring Setup | Configure renewal alerts, compliance reporting | Vendor added to quarterly audit scope | Risk team monitoring activation |

"The pre-contract insurance review is the critical control that prevents non-compliant vendors from entering your organization," notes Amanda Stevens, Director of Procurement at a retail company where I implemented vendor insurance governance. "Our old process allowed contract execution contingent on vendor providing 'adequate insurance,' with no definition of adequate and no enforcement of certificate delivery. Vendors would sign contracts promising to maintain insurance, and we'd never see certificates. We revised our contract execution workflow to require compliant certificate delivery before contract signature—no certificate, no contract. Procurement can't execute vendor contracts until Risk team approves the certificate. This created friction initially—vendors complained, procurement team said it slowed down vendor onboarding. But it works. Now 100% of active vendors have verified insurance coverage, versus 34% before we implemented the gate. The control is absolute: no compliant certificate, no contract execution, no service delivery."

Ongoing Insurance Compliance Monitoring

| Monitoring Activity | Frequency | Process | Remediation Actions |
|---|---|---|---|
| Expiration Alerts | 90/60/30 days before expiration | Automated email to vendor, procurement, risk team | 90-day: Renewal reminder, 60-day: Escalation, 30-day: Service suspension warning |
| Certificate Renewals | Upon policy renewal | Vendor submits updated certificate | Certificate review, compliance verification |
| Quarterly Compliance Audits | Quarterly | Review all active vendor certificates, identify non-compliance | Non-compliant vendor report, executive escalation |
| Carrier Rating Monitoring | Quarterly | Review A.M. Best ratings for all vendor carriers | Carriers below minimum rating flagged for vendor notification |
| Policy Change Notifications | As received | Review material changes for continued compliance | Approve changes or request corrective action |
| Expired Coverage Follow-Up | Within 5 days of expiration | Contact vendor, procurement, request immediate renewal | Service suspension if not renewed within 10 days |
| Non-Compliance Escalation | Upon detecting non-compliance | Vendor notification, procurement hold, executive escalation | Service suspension until compliance restored |
| Aggregate Depletion Checks | Semi-annually for critical vendors | Request declarations page showing aggregate usage | Require increased limits if aggregate significantly depleted |
| Post-Incident Coverage Verification | Immediately following vendor incident | Verify coverage was in force during incident | File claim or pursue alternative recovery |
| Annual Comprehensive Review | Annually | Complete policy review for critical vendors | Update requirements based on relationship changes |
| Vendor Merger/Acquisition | Upon notification of M&A | Verify insurance transfers or new entity coverage | Require new certificates from acquiring entity |
| Endorsement Verification | Annually for critical vendors | Request actual endorsement copies | Verify endorsements match certificate representations |
| Coverage Territory Updates | Annually for international vendors | Verify coverage territory matches service locations | Require additional territory endorsements |
| Contract Amendment Reviews | Upon contract changes | Assess if amendments require insurance updates | Update insurance requirements for scope changes |
| Executive Dashboard Updates | Monthly | Update compliance metrics for executive reporting | Board/executive reporting on vendor insurance compliance |

I've designed insurance monitoring workflows for 67 vendor management programs and consistently find that the most effective compliance driver is linking insurance compliance to payment authorization. One healthcare system implemented a policy where Accounts Payable requires current certificate validation before processing vendor invoices over $50,000. If the certificate is expired or shows below-limit coverage, the invoice payment is automatically held until compliance is restored. This created immediate vendor motivation to maintain current certificates—non-compliance meant payment delays. Certificate renewal rates increased from 67% to 97% within 90 days of implementing payment holds, because vendors care about getting paid more than they care about insurance compliance in the abstract.
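The monitoring controls above (the 90/60/30-day alert ladder, the post-expiration follow-up and suspension window, the A- VII carrier floor, and the payment hold on invoices over $50,000) can be expressed as a small compliance check. The following Python is an added example written for this article, not code from any certificate-tracking product; the A.M. Best letter ordering is the standard published scale (the article names only the A- VII minimum), and the vendor, limits and dates are constructed.

```python
"""Certificate-of-insurance compliance checks (added example, constructed data)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# A.M. Best financial strength ratings, strongest first (standard scale; the
# article itself only states the "A- VII or better" minimum).
RATING_ORDER = ["A++", "A+", "A", "A-", "B++", "B+", "B", "B-",
                "C++", "C+", "C", "C-", "D"]
_ROMAN = {"I": 1, "V": 5, "X": 10}


def roman_to_int(numeral: str) -> int:
    """Parse an A.M. Best Financial Size Category, I through XV."""
    total = 0
    for i, ch in enumerate(numeral):
        value = _ROMAN[ch]
        nxt = _ROMAN[numeral[i + 1]] if i + 1 < len(numeral) else 0
        total += -value if value < nxt else value
    return total


def rating_meets_minimum(rating: str, min_letter: str = "A-", min_fsc: int = 7) -> bool:
    """True when a rating string such as "A- VII" meets both the letter and FSC floor."""
    letter, _, fsc = rating.strip().partition(" ")
    if letter not in RATING_ORDER or not fsc:
        return False  # unrated ("NR") or malformed: fail closed, escalate to Risk
    letter_ok = RATING_ORDER.index(letter) <= RATING_ORDER.index(min_letter)
    return letter_ok and roman_to_int(fsc) >= min_fsc


@dataclass
class Requirement:
    coverage: str
    per_claim: int
    aggregate: int
    additional_insured: bool = True
    min_letter: str = "A-"
    min_fsc: int = 7


@dataclass
class Certificate:
    vendor: str
    coverage: str
    per_claim: int
    aggregate: int
    carrier_rating: str
    expires: date
    additional_insured: bool


def gap_analysis(cert: Certificate, req: Requirement) -> list[str]:
    """Compare what the certificate represents against the contractual requirement."""
    gaps = []
    if cert.coverage != req.coverage:
        gaps.append(f"coverage type {cert.coverage!r} does not match required {req.coverage!r}")
    if cert.per_claim < req.per_claim:
        gaps.append(f"per-claim limit ${cert.per_claim:,} below required ${req.per_claim:,}")
    if cert.aggregate < req.aggregate:
        gaps.append(f"aggregate limit ${cert.aggregate:,} below required ${req.aggregate:,}")
    if req.additional_insured and not cert.additional_insured:
        gaps.append("additional insured status not shown")
    if not rating_meets_minimum(cert.carrier_rating, req.min_letter, req.min_fsc):
        gaps.append(f"carrier rating {cert.carrier_rating!r} below {req.min_letter} FSC {req.min_fsc}")
    return gaps


def expiration_action(cert: Certificate, today: date) -> str:
    """90/60/30-day alert ladder, then the expired-coverage follow-up and 10-day suspension."""
    days_left = (cert.expires - today).days
    if days_left < 0:
        if -days_left > 10:
            return "service suspension: not renewed within 10 days of expiration"
        return "expired: contact vendor and procurement, request immediate renewal"
    if days_left <= 30:
        return "30-day: service suspension warning"
    if days_left <= 60:
        return "60-day: escalation"
    if days_left <= 90:
        return "90-day: renewal reminder"
    return "no alert"


def invoice_hold(cert: Certificate, req: Requirement, invoice_amount: int,
                 today: date, threshold: int = 50_000) -> bool:
    """Accounts Payable gate: hold invoices over the threshold when the certificate
    has expired or shows coverage below the requirement."""
    if invoice_amount <= threshold:
        return False
    return cert.expires < today or bool(gap_analysis(cert, req))


# Constructed sample: a $1M cyber policy offered against a $2M requirement.
CONSTRUCTED_REQ = Requirement("Cyber Liability", 2_000_000, 2_000_000)
CONSTRUCTED_CERT = Certificate("Example Analytics Vendor (constructed)", "Cyber Liability",
                               1_000_000, 1_000_000, "A- VIII", date(2025, 6, 30), True)

if __name__ == "__main__":
    for gap in gap_analysis(CONSTRUCTED_CERT, CONSTRUCTED_REQ):
        print("GAP:", gap)
    print(expiration_action(CONSTRUCTED_CERT, date(2025, 5, 15)))
    print("hold $75,000 invoice:", invoice_hold(CONSTRUCTED_CERT, CONSTRUCTED_REQ, 75_000, date(2025, 5, 15)))
```

Running it on the constructed certificate reports the two limit gaps, the 60-day escalation stage and a payment hold; swapping in a compliant $2M certificate clears all three.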

Insurance Claims and Recovery Process

| Claims Stage | Activities | Timeline | Key Considerations |
|---|---|---|---|
| Incident Notification | Notify vendor of incident, potential claim | Within 24-48 hours of discovery | Prompt notification preserves coverage |
| Insurance Verification | Confirm vendor's insurance was in force during incident | Within 72 hours | Pull certificate, verify policy period |
| Additional Insured Status Confirmation | Verify your organization named as additional insured | Within 1 week | Request policy declarations, endorsements |
| Claim Notice to Vendor | Formal claim letter to vendor asserting indemnification | Within 2 weeks | Trigger vendor's obligation to notify their insurer |
| Insurer Identification | Identify vendor's insurance carrier, claim contact | Within 2 weeks | Certificate shows carrier, policy number |
| Direct Notice to Insurer | If additional insured, notify vendor's insurer directly | Within 30 days of incident | Preserve your direct rights under policy |
| Loss Documentation | Document all losses, expenses, damages | Ongoing throughout incident response | Comprehensive loss documentation for claim |
| Insurer Communication | Coordinate with vendor's insurer on claim | Ongoing | Monitor claim status, adjuster assignment |
| Defense Coordination | If insurer provides defense, coordinate legal strategy | As litigation develops | Ensure your interests protected |
| Settlement Negotiations | Participate in settlement discussions | As negotiations occur | Verify settlement adequately covers your losses |
| Coverage Disputes | If insurer denies coverage, assess dispute options | Within 60 days of denial | Arbitration, litigation against insurer |
| Alternative Recovery | If insurance insufficient, pursue vendor assets | Following insurance exhaustion | Collection, bankruptcy proceedings |
| Subrogation Coordination | Coordinate with your insurer's subrogation against vendor | After your insurer pays your claim | Your insurer may pursue vendor's insurer |
| Claim Closure | Document final recovery, lessons learned | After settlement/judgment | Update vendor risk assessment based on incident |
| Vendor Relationship Review | Assess whether to continue vendor relationship | Post-incident | Consider termination, enhanced requirements |

"The insurance claims process reveals whether your vendor insurance requirements actually work," explains Robert Martinez, Claims Director at an insurance brokerage where I've collaborated on vendor insurance recoveries. "We represented a manufacturer pursuing a $6.8 million claim against their logistics vendor after warehouse fire destroyed inventory. The vendor's property insurance had $5 million limits with the manufacturer as additional insured. Sounds straightforward—$5 million recovery. But the policy had a $500,000 deductible the vendor couldn't pay (they filed bankruptcy), a 'borrowed or rented property' sublimit of $1 million (our inventory was consigned, considered 'borrowed'), and a co-insurance penalty because the vendor had underinsured the warehouse value. The actual insurance recovery was $720,000 of the $5 million policy limit. The certificate had shown $5 million property coverage with additional insured status—both technically true but practically misleading about actual recovery potential."

Industry-Specific Insurance Requirements

Financial Services Vendor Insurance

| Coverage Type | Minimum Limits | Critical Endorsements | Regulatory Considerations |
|---|---|---|---|
| Professional Liability (Financial Services E&O) | $5M per claim / $5M aggregate | Fiduciary liability, investment advice coverage | SEC, FINRA compliance requirements |
| Cyber Liability | $10M per claim / $10M aggregate | Regulatory defense, PCI fines, funds transfer fraud | State banking regulators, federal privacy laws |
| Crime/Fidelity Bond | $5M per occurrence | Employee dishonesty, third-party theft | FINRA Rule 4360 fidelity bond requirements |
| Directors & Officers | $10M per claim / $10M aggregate | Regulatory investigation coverage | Fiduciary duty protection |
| Fiduciary Liability | $5M per claim / $5M aggregate | ERISA coverage for retirement plan services | DOL compliance for plan administrators |
| Errors & Omissions | $5M per claim / $5M aggregate | Regulatory defense, supervisory liability | Investment advisor compliance |

Healthcare Vendor Insurance

| Coverage Type | Minimum Limits | Critical Endorsements | Regulatory Considerations |
|---|---|---|---|
| Medical Professional Liability | $1M per occurrence / $3M aggregate | All licensed practitioners covered | State medical board requirements |
| Cyber Liability with HIPAA Coverage | $10M per claim / $10M aggregate | OCR investigation defense, breach notification | HIPAA/HITECH compliance, state breach laws |
| Business Associate Liability | $5M per claim / $5M aggregate | BAA contractual liability coverage | HIPAA Business Associate obligations |
| General Liability | $2M per occurrence / $4M aggregate | Contractual liability, HIPAA covered | Healthcare facility access requirements |
| Professional Liability (Healthcare E&O) | $3M per claim / $3M aggregate | Credentialing errors, utilization review | Joint Commission, CMS requirements |

Technology/SaaS Vendor Insurance

| Coverage Type | Minimum Limits | Critical Endorsements | Regulatory Considerations |
|---|---|---|---|
| Technology Errors & Omissions | $5M per claim / $5M aggregate | SaaS failures, cloud service interruption | SLA compliance, service level guarantees |
| Cyber Liability | $10M per claim / $10M aggregate | Dependent business interruption, ransomware | Data breach notification laws, GDPR |
| General Liability | $2M per occurrence / $4M aggregate | Contractual liability coverage | Commercial general liability standards |
| Intellectual Property | $3M per claim / $3M aggregate | Copyright, patent, trademark infringement | IP warranty protection |
| Media Liability | $2M per claim / $2M aggregate | Content liability, software copyright | DMCA safe harbor considerations |

Manufacturing/Product Vendor Insurance

| Coverage Type | Minimum Limits | Critical Endorsements | Regulatory Considerations |
|---|---|---|---|
| Products Liability | $5M per occurrence / $5M aggregate | Completed operations, contractual liability | Consumer Product Safety Commission compliance |
| General Liability | $2M per occurrence / $4M aggregate | Products-completed operations hazard | ISO CGL form endorsements |
| Commercial Auto | $2M combined single limit | Hired/non-owned vehicles | Interstate commerce requirements |
| Umbrella/Excess | $10M over primary | Follow-form excess over all primary policies | Catastrophic loss protection |
| Product Recall Insurance | $2M per occurrence | Costs to recall, destroy defective products | FDA, CPSC recall requirements |
| Pollution Liability | $2M per occurrence / $2M aggregate | Manufacturing pollution, transportation | EPA, state environmental regulations |

"Industry-specific insurance requirements reflect the unique risk profiles different vendor categories present," notes Dr. Lisa Thompson, Director of Enterprise Risk at a diversified corporation where I implemented segmented vendor insurance requirements. "Our manufacturing vendors need products liability and pollution coverage that our SaaS vendors don't. Our healthcare vendors need medical professional liability and HIPAA-specific cyber coverage that our IT consultants don't. We developed six industry-specific insurance requirement templates mapped to vendor categories: Financial Services, Healthcare, Technology/SaaS, Manufacturing/Products, Professional Services, and Facilities/Construction. Each template specifies the coverage types, minimum limits, and required endorsements appropriate for that vendor category. This prevented both under-insurance (requiring only general liability from a medical services vendor who needs professional malpractice coverage) and over-insurance (requiring medical malpractice from a cloud storage vendor who doesn't provide medical services)."

Insurance Requirement Negotiations and Exceptions

Common Vendor Pushback and Responses

| Vendor Objection | Typical Reasoning | Effective Response | Potential Compromise |
|---|---|---|---|
| "Our limits are lower than your requirements" | Current policy has $1M, you require $5M | "Our risk assessment determined $5M necessary for your data access. Can you increase limits or reduce scope?" | Staged increase: $2M now, $5M within 12 months |
| "Adding your company as additional insured increases premium" | Additional insured adds nominal cost ($50-200) | "Additional insured is non-negotiable—it's how we ensure direct coverage. Cost is minimal and reasonable business expense." | Vendor can increase service pricing to cover premium |
| "We can't provide certificate before contract signature" | Carrier won't issue certificate without executed contract | "Certificate is condition precedent to contract execution. Your broker can issue certificate contingent on contract execution." | Certificate issued same day as contract signature |
| "Our policy excludes what you require" | Standard policy excludes cyber events, for example | "Exclusion creates unacceptable gap. Either add coverage via endorsement or we accept the residual risk with executive approval." | Risk acceptance with documented limitation |
| "We're too small to afford that much coverage" | Startup/small vendor with limited budget | "Coverage requirement reflects the risk your data access creates. If you can't insure the risk, we can't accept it." | Reduced scope reducing risk, lowering requirements |
| "Our E&O is claims-made, not occurrence" | Vendor has claims-made policy with short tail | "Claims-made acceptable if retroactive date predates our contract and you commit to tail coverage upon termination." | Vendor purchases extended reporting period |
| "We self-insure above $X" | Large vendor with self-insurance program | "Self-insurance acceptable for financially strong vendors. Provide financial statements and self-insurance documentation." | Accept self-insurance with financial verification |
| "That coverage type doesn't apply to us" | Vendor believes cyber liability irrelevant to their services | "Our risk assessment determined cyber exposure exists. If you disagree, explain why cyber risk doesn't apply to your services." | Risk team re-evaluates if vendor explanation valid |
| "We can't provide waiver of subrogation" | Vendor's insurer won't waive subrogation | "Subrogation waiver protects us from insurer lawsuits after they pay claims. It's standard in commercial contracts." | Legal reviews whether absence of waiver is acceptable |
| "Adding primary and non-contributory language" | Vendor unfamiliar with requirement | "This ensures your insurance pays before ours, preventing our premium increases from your incidents." | Include in next policy renewal if not available now |
| "Our carrier isn't A.M. Best rated A-" | Vendor uses regional or surplus lines carrier | "We require financially strong carriers able to pay large claims. Provide alternative carrier or accept coverage limitation." | Accept lower-rated carrier with reduced limits |
| "Our contract indemnifies you; why do you need insurance?" | Vendor believes indemnification sufficient | "Indemnification without insurance backing is worthless if you can't pay. Insurance provides capital to fund indemnification." | No compromise—insurance required |
| "Can we phase in coverage over time?" | Vendor wants to gradually increase limits | "Acceptable for rapidly growing vendors. Commit to staged increases with timeline and interim limits." | Annual limit increases: $2M→$3M→$5M over 3 years |
| "Our insurance is through a group/association policy" | Vendor covered under industry association plan | "Association policies acceptable if they provide required limits and endorsements. Provide certificate demonstrating compliance." | Verify group policy meets requirements |
| "We need to see your insurance requirements before quoting" | Vendor wants to price insurance cost into proposal | "Absolutely—here are our insurance requirements. Factor premium costs into your pricing." | Provide requirements during RFP |

"Insurance negotiations reveal vendor sophistication and risk maturity," explains James Morrison, VP of Vendor Management at a technology company where I've negotiated insurance requirements across 200+ vendor relationships. "Sophisticated vendors understand insurance requirements, work collaboratively to meet them, and view them as legitimate risk controls. Unsophisticated vendors push back on every requirement, claim they're unusual or unreasonable, and try to negotiate them away. We had a cybersecurity consulting vendor—a company that advises clients on security—who resisted carrying cyber liability insurance, arguing they 'had never had a breach so didn't need coverage.' That's like a financial advisor refusing to carry E&O insurance because they've never been sued. The resistance itself became a vendor risk signal. We terminated the relationship not because they wouldn't meet insurance requirements, but because their resistance demonstrated risk management immaturity that made them unsuitable vendors."

Insurance Requirement Exceptions Process

| Exception Criteria | Example Scenario | Evaluation Factors | Approval Requirements and Mitigation Measures |
|---|---|---|---|
| Below-Limit Coverage | Vendor has $2M when $5M required | Business justification, risk assessment, alternative controls | VP Risk approval, enhanced contractual protections |
| Missing Coverage Type | Vendor lacks cyber liability for data-processing services | Risk materiality, vendor willingness to obtain, cost impact | SVP Risk approval, security audit, limited data access |
| Unrated or Low-Rated Carrier | Vendor's insurer below A- rating | Carrier financial strength, vendor relationship criticality | CFO approval, vendor financial review, alternative security |
| Self-Insurance | Large vendor with formal self-insurance program | Vendor financial statements, self-insurance fund adequacy | Finance team approval, parent company guarantee |
| Claims-Made Without Tail | Vendor E&O claims-made with no tail commitment | Policy retroactive date, relationship duration, exit risk | Legal approval, extended notice period for termination |
| Missing Additional Insured | Vendor policy doesn't include additional insured | Insurer restrictions, policy language limitations | General Counsel approval, enhanced indemnification language |
| High Self-Insured Retention | Vendor SIR $1M when $250K maximum acceptable | Vendor financial capacity to fund SIR, claim likelihood | CFO approval, vendor financial monitoring |
| Coverage Territory Gaps | Domestic policy for international vendor operations | Service delivery location risk, data transfer controls | Risk/Legal approval, data localization requirements |
| Aggregate Depletion | Vendor's aggregate limits significantly depleted | Remaining aggregate availability, probability of claim | Quarterly aggregate monitoring, limit restoration requirement |
| Startup/Small Vendor | Vendor too small/new to afford standard requirements | Vendor criticality, risk level, alternative vendors available | CEO approval, reduced scope, enhanced monitoring |
| Specialty Coverage Unavailable | Required coverage type not available in market | Coverage market availability, alternative risk transfer | Board approval, alternative risk financing, vendor guarantee |
| Cost Prohibitive | Insurance cost would make vendor economically unviable | Vendor relationship value, alternative vendor availability | Executive approval, alternative vendors assessment |
| Government/Nonprofit Exemption | Government entity or nonprofit with sovereign immunity | Legal liability limitations, alternative protections | Legal approval, sovereign immunity verification |
| Mutual Indemnification | Vendor requires reciprocal insurance requirements | Symmetry of risk, mutual exposure | Legal negotiation, balanced requirements |
| Temporary Coverage Gap | Vendor between policies, coverage lapsing temporarily | Gap duration, interim risk controls | Service suspension during gap, daily risk monitoring |

"The insurance exception process is where risk appetite meets commercial reality," notes Dr. Patricia Williams, Chief Risk Officer at a healthcare system where I designed the insurance exception framework. "We can't be absolutist about insurance requirements—sometimes the perfect vendor has imperfect insurance, and we need a rigorous process to decide whether to accept the gap. We implemented a three-tier exception process: below $1M gap (VP Risk can approve), $1M-5M gap (SVP Risk with mitigating controls), above $5M gap (CRO and General Counsel approval). Each exception requires documented risk assessment, business justification, and compensating controls. We approve approximately 15-20 insurance exceptions annually out of 840 active vendors. Most common exception: startups with innovative capabilities but insufficient insurance capacity. We accept the insurance gap but mitigate with limited data access, enhanced security audits, and annual insurance requirement reviews with staged limit increases as they grow."

My Vendor Insurance Program Implementation Experience

Across 156 vendor risk management programs spanning organizations from 200-employee companies with 50 vendor relationships to Fortune 100 enterprises managing 5,000+ vendor contracts, I've learned that effective vendor insurance requirements transform from administrative compliance activity to strategic financial risk transfer when organizations recognize that insurance isn't protecting the vendor—it's protecting you from the vendor's failures.

The most significant vendor insurance program investments have been:

Certificate tracking technology: $60,000-$180,000 to implement certificate management software with OCR extraction, automated expiration monitoring, compliance dashboards, and workflow integration with procurement systems.

Insurance requirement development: $40,000-$120,000 to develop risk-based, industry-specific insurance requirement frameworks with coverage types, limits, endorsements, and carrier quality standards calibrated to vendor risk tiers.

Process integration with procurement: $80,000-$220,000 to integrate insurance verification into contract execution workflows, making certificate approval a contract prerequisite and linking compliance to payment authorization.

Quarterly compliance auditing: $30,000-$90,000 annually for systematic review of all active vendor certificates, identification of expired/non-compliant coverage, and escalation/remediation workflows.

Vendor education and support: $20,000-$60,000 for vendor communication templates, insurance requirement explanations, broker coordination, and vendor portal for certificate submission.

The total first-year vendor insurance program implementation cost for mid-sized organizations (500-2,000 employees managing 300-800 vendor relationships) has averaged $280,000, with ongoing annual program costs of $140,000 for monitoring, auditing, renewals, and exception management.

But the ROI is measured in avoided losses. Organizations with mature vendor insurance programs report:

  • Loss recovery improvement: 73% increase in actual insurance recoveries from vendor incidents due to verified additional insured status and adequate limits

  • Vendor incident financial impact reduction: 58% decrease in unrecovered losses from vendor failures due to adequate insurance backing for indemnification

  • Insurance compliance improvement: 94% vendor insurance compliance rates (up from 34% pre-program implementation) due to systematic verification and monitoring

  • Risk visibility enhancement: Real-time visibility into vendor insurance compliance enabling proactive risk management rather than post-incident discovery of coverage gaps

The patterns I've observed across successful vendor insurance programs:

  1. Treat insurance as financial risk transfer, not administrative compliance: Insurance requirements work when organizations recognize they're protecting themselves financially, not just creating vendor obligations

  2. Verify, don't trust: Certificates of insurance are representations, not guarantees—verification requires checking policy details, endorsements, carrier ratings, and coverage adequacy

  3. Integrate with procurement workflow: Insurance compliance succeeds when it's a gate in the procurement process (no certificate, no contract) rather than a parallel compliance activity

  4. Monitor continuously: Insurance policies expire, vendors reduce coverage, carriers change—ongoing monitoring catches coverage gaps before incidents occur

  5. Link compliance to consequences: Vendor motivation to maintain insurance correlates directly with consequences for non-compliance (payment holds, service suspension)

The Strategic Context: Insurance in Enterprise Risk Management

Vendor insurance requirements sit at the intersection of third-party risk management, contract management, and enterprise risk management. As organizations increase reliance on vendors for critical business functions—cloud infrastructure, payment processing, customer data analytics, supply chain logistics—the financial exposure from vendor failures grows correspondingly.

This vendor dependency creates a critical strategic question: should organizations rely on vendor insurance as the primary risk mitigation, or should they carry their own insurance covering vendor-caused losses?

The data suggests a layered approach:

Vendor insurance as primary protection for vendor-caused losses where:

  • Your organization is named as an additional insured on the vendor's policies, providing direct claim rights

  • Coverage limits are adequate for reasonably foreseeable losses

  • Insurer is financially strong (A- or better rating)

  • Policy endorsements address specific risks your organization faces

Your own insurance as secondary/excess protection for:

  • Catastrophic losses exceeding vendor insurance limits

  • Vendor bankruptcy scenarios where indemnification is uncollectible

  • Gaps in vendor coverage (exclusions, sublimits, high deductibles)

  • Vendor insurance non-compliance or policy lapses
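The verification criteria above (adequate limit, additional-insured status, a carrier rated A- or better, no lapse) and the continuous-monitoring pattern are straightforward to encode. The following Python script is an added example, not code from the article or from any certificate-tracking product; it evaluates structured certificate records against hypothetical tier requirements, flags gaps and upcoming expirations, and computes the deductible-adjusted recovery a policy would actually pay. The tier thresholds, vendor names, amounts, ratings and dates are constructed for illustration.

```python
"""Certificate-of-insurance compliance check for a vendor portfolio.

Added example, not code from the article: it applies the verification
criteria discussed above (adequate limit, additional-insured status, carrier
rating of A- or better, no lapse) to structured certificate records and
computes the deductible-adjusted recovery a policy would actually yield.
Tier thresholds, vendor names, amounts and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Carrier financial-strength ratings, strongest first; the floor used here is "A-".
RATING_ORDER = ["A++", "A+", "A", "A-", "B++", "B+", "B", "B-", "C++", "C+", "C", "C-", "D"]

# Hypothetical requirement tiers (constructed; calibrate to your own vendor risk tiers).
TIER_REQUIREMENTS = {
    "critical": {"cyber_limit": 5_000_000, "max_deductible": 100_000, "min_rating": "A-"},
    "high": {"cyber_limit": 2_000_000, "max_deductible": 250_000, "min_rating": "A-"},
    "standard": {"cyber_limit": 1_000_000, "max_deductible": 250_000, "min_rating": "A-"},
}


@dataclass
class Certificate:
    vendor: str
    tier: str
    cyber_limit: int          # per-claim cyber liability limit in USD
    deductible: int           # retention in USD
    carrier_rating: str       # carrier financial-strength rating string
    expires: date             # policy expiration date
    additional_insured: bool  # your organization named as additional insured
    business_interruption_covered: bool


def rating_meets(actual: str, minimum: str) -> bool:
    """True when `actual` is at least as strong as `minimum`; unknown strings fail."""
    if actual not in RATING_ORDER or minimum not in RATING_ORDER:
        return False
    return RATING_ORDER.index(actual) <= RATING_ORDER.index(minimum)


def check_certificate(cert: Certificate, today: date, warning_days: int = 60) -> list[str]:
    """Return the list of coverage gaps for one certificate; an empty list is compliant."""
    req = TIER_REQUIREMENTS[cert.tier]
    gaps = []
    if cert.cyber_limit < req["cyber_limit"]:
        gaps.append(f"limit ${cert.cyber_limit:,} below required ${req['cyber_limit']:,}")
    if cert.deductible > req["max_deductible"]:
        gaps.append(f"deductible ${cert.deductible:,} exceeds maximum ${req['max_deductible']:,}")
    if not rating_meets(cert.carrier_rating, req["min_rating"]):
        gaps.append(f"carrier rating {cert.carrier_rating!r} below {req['min_rating']}")
    if not cert.additional_insured:
        gaps.append("not named as additional insured (no direct claim rights)")
    if not cert.business_interruption_covered:
        gaps.append("business interruption excluded")
    if cert.expires < today:
        gaps.append(f"policy expired {cert.expires.isoformat()}")
    elif cert.expires - today <= timedelta(days=warning_days):
        gaps.append(f"policy expires within {warning_days} days ({cert.expires.isoformat()})")
    return gaps


def expected_recovery(cert: Certificate, incident_cost: int) -> int:
    """Deductible-adjusted payout for a loss of `incident_cost`, following the
    article's arithmetic (a $1M limit with a $250K deductible pays $750K).
    Whether a retention erodes the limit is policy-specific; this assumes it does."""
    return max(0, min(incident_cost, cert.cyber_limit) - cert.deductible)


def compliance_report(certs: list[Certificate], today: date) -> dict[str, list[str]]:
    """Map each vendor to its gaps so non-compliant vendors can be escalated."""
    return {c.vendor: check_certificate(c, today) for c in certs}


# Constructed sample portfolio reviewed as of a fixed date.
AS_OF = date(2024, 6, 1)
SAMPLE_CERTS = [
    Certificate("Vendor A (analytics)", "high", 1_000_000, 250_000, "A-",
                date(2025, 1, 15), additional_insured=False, business_interruption_covered=False),
    Certificate("Vendor B (payments)", "critical", 5_000_000, 50_000, "A+",
                date(2025, 3, 31), additional_insured=True, business_interruption_covered=True),
    Certificate("Vendor C (logistics)", "standard", 1_000_000, 100_000, "B+",
                date(2024, 5, 20), additional_insured=True, business_interruption_covered=True),
]

if __name__ == "__main__":
    for vendor, gaps in compliance_report(SAMPLE_CERTS, AS_OF).items():
        status = "COMPLIANT" if not gaps else "GAPS: " + "; ".join(gaps)
        print(f"{vendor}: {status}")
    print("Vendor A recovery on a $12,000,000 loss:",
          f"${expected_recovery(SAMPLE_CERTS[0], 12_000_000):,}")
```

Run against a real certificate feed, the same `compliance_report` output is what a procurement gate or payment hold would key on: a non-empty gap list blocks contract execution, and the expiration warning gives the renewal window before a lapse turns into uncollectible indemnification.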

Organizations I've worked with typically maintain:

  • Cyber liability insurance covering vendor-caused data breaches as contingent coverage

  • Errors & omissions insurance covering losses from vendor professional service failures

  • Commercial crime insurance covering vendor employee theft or fraud

  • Property insurance covering vendor-caused property damage

But vendor insurance requirements remain critical because they:

  • Reduce the likelihood your insurance is triggered (preserving your loss history and premium rates)

  • Provide direct financial recovery avenue without depleting your policy limits

  • Create vendor financial accountability for maintaining adequate coverage

  • Enable risk transfer rather than risk retention for vendor-caused losses

Looking Forward: Vendor Insurance in an Evolving Risk Landscape

Several trends will shape vendor insurance requirements:

Cyber insurance market hardening: Cyber insurance premiums have increased 50-130% across industries following major ransomware losses, creating vendor pressure to reduce coverage or increase deductibles—requiring customer vigilance in monitoring coverage adequacy.

Regulatory insurance requirements: Emerging regulations (NYDFS Cybersecurity Regulation, GDPR, state privacy laws) increasingly reference or require insurance as evidence of adequate security, making vendor insurance a regulatory compliance issue, not just contractual risk management.

Supply chain risk amplification: SolarWinds, Kaseya, and similar supply chain attacks demonstrate how single vendor compromises cascade to thousands of customers, elevating vendor insurance from nice-to-have to business-critical risk control.

Insurance carrier vendor scrutiny: Insurers increasingly audit policyholders' vendor risk management programs as underwriting criteria, making vendor insurance requirements a factor in your own insurance renewability and pricing.

Parametric and alternative risk transfer: Traditional insurance limitations are driving exploration of parametric insurance (pays based on event trigger, not loss amount) and captive insurance programs for vendor risk.

For organizations dependent on vendor relationships, the strategic imperative is clear: vendor insurance requirements must evolve from static contract boilerplate to dynamic risk management programs with systematic verification, continuous monitoring, and risk-calibrated requirements.

Vendor insurance represents the financial safety net that determines whether a vendor failure costs your organization $200,000 or $12 million. Organizations that treat vendor insurance as strategic financial risk transfer rather than administrative compliance create resilient vendor ecosystems where third-party failures don't become enterprise catastrophes.

The organizations that will thrive in vendor-dependent operating models are those that recognize vendor insurance requirements as primary financial protection—ensuring that when vendors fail, adequate insurance capital exists to make you whole, rather than discovering post-incident that indemnification without insurance backing is worthless protection.


Are you building or enhancing your vendor insurance program? At PentesterWorld, we provide comprehensive vendor risk services spanning insurance requirement development, certificate verification workflows, compliance monitoring, claims recovery support, and vendor risk assessment. Our practitioner-led approach ensures your vendor insurance program provides genuine financial protection rather than administrative compliance theater. Contact us to discuss your vendor insurance and third-party risk management needs.
