
What Is a Certificate of Insurance (COI)? An Enterprise Guide to Vendor Compliance

Reading Time: 8 minutes

What Is a Certificate of Insurance (COI)?

A certificate of insurance (COI) is a one-page document that summarizes an active insurance policy: who is covered, what types of coverage are in force, the limits, and the dates the coverage runs. It is proof, not the policy itself, and that distinction is where most enterprise compliance failures begin.

For a CFO or risk manager at a company doing $20M or more in revenue, the COI is rarely about your own coverage. It is about the hundreds of certificates flowing in from vendors, subcontractors, and service providers, each one a potential gap in your liability transfer if it is wrong, expired, or missing an endorsement. Get this wrong at scale and the average cost of a noncompliance event now runs close to $15 million.

  • A COI confirms coverage existed at a single moment in time, which means a certificate collected in January says nothing about whether the policy was canceled in March.
  • Most certificates follow the ACORD 25 form, standardized in 1976, so the layout is consistent even when the underlying coverage is not.
  • Enterprise risk transfer depends on additional insured status and waiver-of-subrogation endorsements, neither of which appears reliably on the face of a certificate.
  • A vendor’s certificate is only as good as the policy behind it, and the policy always governs in a dispute, not the COI.
  • Tracking inbound certificates manually across a large vendor base is where compliance rates quietly slip from the 90s into the 40s without anyone noticing.

Key Takeaways for Enterprise Risk Managers

  • Proof, not protection: A COI summarizes coverage; it does not create or extend it. The named policy controls.
  • Additional insured is the real ask: Being listed as a certificate holder is not the same as being named an additional insured on the vendor’s policy.
  • Point-in-time risk: A certificate proves coverage on its issue date only. Mid-term cancellation can leave you exposed with a “valid” cert on file.
  • Tracking is the failure point: At scale, the problem is not getting one COI, it is verifying thousands and catching the expirations.
  • Brokers do the verification: Reviewing endorsements, limits, and carrier ratings against your contract requirements is work a broker handles, not a portal.

Who Asks You for a COI, and Why

At some point in almost every deal, someone asks for proof of insurance. It is a routine request. For a large business, it cuts both ways: you ask vendors for theirs, and partners ask you for yours.

The reasons are simple, even when the paperwork is not. A landlord wants to know you can cover damage to the space. A client wants proof before they let your team on site. A lender wants it during diligence.

  • You sign a commercial lease, and the landlord wants proof before handing over keys.
  • You close an enterprise contract, and the client requires evidence of coverage before work starts.
  • You hire a vendor, and your own policy terms require you to collect their certificate first.
  • You go through investor or lender diligence, and proof of active coverage is part of the checklist.
  • You bid on a project, and a valid COI is a gate you clear before the contract is even on the table.

What a Certificate of Insurance Actually Tells You

Open any COI and you are looking at a snapshot. The form lists the insured business, the producer or broker who issued it, the carriers providing coverage, and a grid of policy types with their limits and effective dates.

What it does not tell you is whether the coverage will still be there next week. That is the single most misunderstood feature of the document, and the one that trips up companies relying on a folder of certificates as a risk management program.

  • The “Insured” box names the vendor whose coverage the certificate describes.
  • The “Certificate Holder” box names you, the party requesting proof, which gives you notice rights but not coverage rights.
  • The coverage grid shows general liability, auto, workers’ compensation, umbrella, and any professional or cyber lines the vendor carries.
  • The “Description of Operations” box is where additional insured language and project-specific terms are supposed to appear, and frequently do not.
  • Limits and dates are listed per line, so a vendor can show strong general liability limits while carrying nothing on the cyber exposure your contract actually requires.

Enterprise Insurance Program Review

Managing inbound certificates across a large vendor base requires more than a spreadsheet. Our licensed advisors review the endorsements and limits behind each certificate against your actual contract requirements, for businesses across Houston, Miami, and NYC.


Serving businesses with $1M+ annual insurance premiums. Minimum engagement requirements apply.

Why Does Your Business Need to Collect COIs From Vendors?

Every contractor you hire, every vendor on your premises, and every service provider touching your operations carries risk that can land on your balance sheet. The certificate is the front line of transferring that risk back where it belongs.

Construction recorded 1,075 fatalities in 2023, more than any other industry, according to the Bureau of Labor Statistics. When a subcontractor’s worker is injured on your site, the question of whose insurance responds depends entirely on whether the right coverage and endorsements were in place, and whether you can prove it.

  • Collecting a COI before work begins gives you documented evidence that the vendor carried coverage at the start of the engagement.
  • Requiring additional insured status shifts certain liabilities from your policy to the vendor’s, which directly affects your loss history and renewal pricing.
  • A missing or expired certificate can void the risk transfer your contract assumed, leaving your general liability or umbrella policy to absorb a claim that was never your exposure.
  • For a company with 250 vendors, even a 10% lapse rate means 25 open exposures at any given moment.
  • Lenders, landlords, and your own carriers increasingly audit vendor compliance during underwriting, so gaps surface at the worst possible time.

How Do You Get a Certificate of Insurance?

Getting your own COI is straightforward once you carry a business insurance policy. You request it from your broker or carrier, and most are issued the same day, often within minutes through an agency’s system.

The harder question for an enterprise is not how to get one. It is how to specify what you require from incoming vendor certificates so that the documents you collect actually do the legal work you need them to do.

| COI Element | What to Verify | Common Failure |
|---|---|---|
| Coverage limits | Match or exceed your contract minimums per line | Vendor shows $1M GL when contract requires $2M plus umbrella |
| Additional insured | Your entity named on the vendor’s policy via endorsement | Listed only as certificate holder, which grants no coverage |
| Effective dates | Coverage spans the full engagement, not just day one | Policy expires mid-project with no renewal cert collected |
| Waiver of subrogation | Present where your contract requires it | Omitted, leaving the vendor’s carrier free to come after you |
| Carrier rating | AM Best rating meets your minimum threshold | Coverage placed with an unrated or financially weak carrier |

Download Our Vendor COI Requirements Checklist

Standardize what you demand from every vendor certificate before work starts. Our advisors help mid-market and enterprise clients build vendor insurance rules tied to your contracts that hold up when a claim arrives.


Certificate Holder vs. Additional Insured: The Distinction That Costs Companies Money

This is the difference that separates a real risk transfer from a piece of paper. Being a certificate holder means you receive a copy of the document and, depending on the policy, notice if it cancels. It does not extend any of the vendor’s coverage to you.

Additional insured status is different. It is an actual endorsement on the vendor’s policy that brings you under their coverage for claims arising from their work. When a lawsuit names both your company and the vendor, additional insured status is what lets you tender the defense to their carrier instead of burning your own limits.

  • A certificate holder has visibility into the coverage but no contractual right to it.
  • An additional insured can be defended and indemnified under the vendor’s policy for covered claims tied to the vendor’s operations.
  • The endorsement form number matters, since a blanket additional insured endorsement behaves differently from a scheduled one naming specific parties.
  • Plenty of vendors send certificates listing you correctly as certificate holder while never adding the endorsement that gives the listing teeth.
  • Verifying the endorsement, not just the certificate box, is where a broker’s review earns its keep on every high-value vendor relationship.

Managing COI Compliance at Enterprise Scale

One certificate is a clerical task. Fifteen hundred certificates, each with its own expiration date, endorsement requirements, and renewal cycle, is a risk management function. This is the part the consumer-focused guides skip entirely.

Companies that have moved off spreadsheets and email follow-ups regularly report compliance climbing from the low 40s into the 90s, because the bottleneck was never collecting certificates. It was tracking them, flagging the gaps, and chasing renewals before coverage lapsed.

  • Manual tracking fails predictably as vendor counts grow, because no one can monitor hundreds of expiration dates by hand.
  • Cyber liability requirements are now appearing in more contracts, and many vendors carry inadequate coverage or none, creating a gap your certificate collection should surface.
  • A broker-managed program reviews each incoming certificate against the specific contract it supports, rather than filing whatever arrives.
  • Renewal tracking with advance alerts prevents the silent lapse that leaves a “compliant” vendor uninsured mid-engagement.
  • Audit-ready records of who was covered, for what, and when, become essential the moment a claim or a lender review arrives.

Disclaimer: This article is for informational purposes only and does not constitute financial, legal, or insurance advice. Certificate of insurance requirements and risk transfer arrangements depend on your specific contracts, operations, and jurisdiction. Consult with our licensed insurance advisors for guidance tailored to your organization’s needs.

Frequently Asked Questions

What is the difference between a certificate of insurance and an insurance policy?

A certificate of insurance is a one-page summary that confirms a policy exists and lists its coverage types, limits, and dates. The policy itself is the full contract that actually governs what is covered and what is paid.

In any dispute, the policy language controls, not the certificate. This is why enterprise risk managers verify the underlying endorsements rather than relying on the face of the COI alone.

Does being listed as the certificate holder mean I am covered?

No. Certificate holder status means you receive the document and, in most cases, notice if the policy cancels. It does not extend any of the vendor’s coverage to your business.

To actually benefit from the vendor’s policy, you need to be named as an additional insured through an endorsement. That endorsement is what lets you tender a claim to their carrier instead of using your own limits.

How often should we collect updated certificates from vendors?

At minimum, collect a renewed certificate before each policy expiration date shown on the prior COI, and at the start of any new engagement. For long-term vendor relationships, build renewal tracking that alerts you in advance of each expiration.

Because a certificate only proves coverage on its issue date, a policy can be canceled mid-term while you still hold a valid-looking document. Active tracking is what catches that gap before it becomes a claim.

What is the ACORD 25 form?

ACORD 25 is the certificate of liability insurance form, standardized in 1976 and used across the industry. It gives certificates a consistent layout regardless of which carrier or broker issues them.

The standard format helps, but it does not guarantee the coverage behind it matches your requirements. The “Description of Operations” box, where additional insured and project-specific terms belong, is frequently where the gaps hide.

Can a broker manage our entire vendor COI process?

Yes. A broker can set your vendor insurance requirements to match each contract, review incoming certificates against those requirements, verify endorsements and carrier ratings, and track renewals so coverage never silently lapses.

For a company managing hundreds or thousands of certificates, this moves COI compliance from a clerical burden to a managed risk function. Our licensed advisors handle this verification work for mid-market and enterprise clients across multiple states.

Work With Licensed Enterprise Insurance Advisors

Hotaling Insurance Services specializes in full insurance programs for mid-market and enterprise businesses generating $20M to $200M or more in annual revenue. Our licensed advisors structure coverage and vendor compliance programs for complex operations across multiple states and jurisdictions.

  • Nationally licensed in 50 states
  • $368M in managed premium volume
  • 99.7% client retention rate
  • Partnerships with top-tier carriers including Hartford, Travelers, AIG, and Chubb
  • Specialized expertise in vendor risk transfer and multi-state compliance

Serving Houston, Miami, and NYC markets. Minimum $1M annual premium.
