COI Compliance Requirements by Industry: 2026 Matrix

Insurance requirements are not one-size-fits-all. A janitorial vendor entering a Class A office building faces different risks than an electrical subcontractor on a ground-up construction site, a medical device supplier delivering to a hospital, or a transportation company hauling hazardous materials across state lines. The coverage types, minimum limits, endorsements, and special provisions that make sense for each scenario vary enormously.

Yet most organizations start with a generic template — $1M occurrence, $2M aggregate, "the usual" — and apply it uniformly. The result is either over-insurance (pricing vendors out of contracts they could safely perform) or under-insurance (accepting coverage that leaves real gaps when an incident occurs).

This guide provides the 2026 industry-standard requirements matrix, with deep dives into each vertical. Use it to build or refine your requirement templates, benchmark your current standards, and understand why specific coverages matter for specific industries.

The 2026 Industry Requirements Matrix

The following matrix represents standard market requirements as of 2026. Individual contracts may require higher or lower limits based on project scope, contract value, and risk tolerance.

Key: AI = Additional Insured; P&NC = Primary & Non-Contributory; occ = each occurrence; agg = general aggregate; CSL = combined single limit.

Property Management

Property management is one of the highest-volume verticals for COI tracking. A single portfolio may have hundreds of vendors — janitorial, landscaping, HVAC, security, pest control, elevator maintenance, fire protection, and more — each requiring current coverage.

Standard Requirements

• General Liability: $1M per occurrence / $2M general aggregate. Aggregate should apply per location (endorsement CG 25 04) so that claims at one property do not exhaust the aggregate for the entire portfolio.
• Workers' Compensation: Statutory limits with $1M/$1M/$1M employers' liability. No exceptions — even "sole proprietors" should provide evidence of exemption or coverage.
• Auto Liability: $1M combined single limit. Required for any vendor whose employees drive to your properties.
• Umbrella/Excess: $2M minimum for general vendors; $5M for high-risk trades (roofing, electrical, plumbing).
• Additional Insured: Required on GL and umbrella policies. The property owner, management company, and any lender or JV partner should all be named.
• Waiver of Subrogation: Required on GL, WC, and auto.

Common Gaps

1. Per-location aggregate missing: The vendor's aggregate applies per policy, meaning claims across all their clients reduce the coverage available for your property.
2. Janitorial vendors with no WC: Small cleaning companies frequently claim sole-proprietor exemptions. Verify the exemption is valid under state law — many states do not allow exemptions for companies with employees.
3. Elevator companies providing only GL: Elevator maintenance requires specialized coverage. Verify the GL policy does not exclude elevator or escalator work.
4. Expired certificates on file: In a portfolio with 200+ vendors, certificates expire constantly. Without automated tracking, expired coverage goes unnoticed for months.

Risk Scenarios

A landscaping vendor's employee is injured by a branch fall at your property. The vendor's WC policy has been cancelled due to nonpayment, but you still have the old certificate on file. The injured worker sues the property owner. Without the vendor's WC coverage — and without AI status on the vendor's GL — the property owner's own insurance is the first line of defense.

Verification Checklist

• GL occurrence and aggregate meet minimums
• Aggregate applies per location (CG 25 04 or equivalent)
• AI status confirmed with endorsement form number
• Waiver of Subrogation on GL, WC, and Auto
• All carriers rated AM Best A-VII or better
• Property-specific address listed in Description of Operations
• No excluded operations relevant to the work performed

Construction (General Contractors and Subcontractors)

Construction has the most complex insurance requirements of any industry. The stakes are high — bodily injury, property damage, and structural defect claims can reach tens of millions of dollars. The web of contractual relationships (owner to GC, GC to sub, sub to sub-sub) creates layered insurance obligations.

Standard Requirements

• General Liability: $1M per occurrence / $2M general aggregate. Aggregate must apply per project (endorsement CG 25 03). This is non-negotiable for GCs running multiple projects simultaneously.
• Workers' Compensation: Statutory limits. No exceptions. Construction is one of the highest-risk WC classes, and state enforcement is strict.
• Auto Liability: $1M CSL. "Any Auto" box should be checked — not just "Owned Auto."
• Umbrella/Excess: $5M minimum for GCs; $10M+ for large projects or high-rise work. Subcontractors: $2M-$5M depending on trade.
• Additional Insured: Required on GL and umbrella via CG 20 10 (ongoing operations) AND CG 20 37 (completed operations). Both endorsements are essential. CG 20 10 alone does not cover claims arising after the work is finished.
• Waiver of Subrogation: Required on GL (CG 24 04), WC (WC 00 03 13), and Auto (CA 04 44).
• Primary & Non-Contributory: Required on GL (CG 20 01 04 13 or equivalent blanket language). The sub's policy must pay first before the GC's policy contributes.

The CG 20 10 / CG 20 37 Distinction

This is where many compliance teams fail:

• CG 20 10 provides Additional Insured status for ongoing operations — while the sub is actively working on site.
• CG 20 37 provides Additional Insured status for completed operations — after the sub has finished and left the site.

Construction defect claims are often filed years after project completion. Without CG 20 37, the GC has no AI status on the sub's policy for post-completion claims. This is a gap that may not be discovered until a lawsuit is filed.

Always require both endorsements.

Common Gaps

1. Missing CG 20 37: Many agents issue certificates referencing CG 20 10 but omit CG 20 37 because the underlying policy does not include completed operations AI coverage.
2. Umbrella not scheduled over all underlying policies: The umbrella may schedule GL but not auto or employers' liability. Verify the schedule.
3. Subcontractor exclusions: Some GL policies exclude specific construction operations (EIFS, roofing, excavation). Verify that the policy does not exclude the work the sub is performing.
4. Per-project aggregate missing: Without CG 25 03 or equivalent, the sub's aggregate is shared across all their projects — claims elsewhere reduce your available coverage.

Risk Scenarios

A subcontractor installs defective waterproofing on a 200-unit condominium project. Water intrusion is discovered three years after substantial completion, causing $8M in damage. The GC is named in the lawsuit. If the sub's certificate listed CG 20 10 but not CG 20 37, the GC has no Additional Insured coverage for this completed operations claim. The GC's own insurance responds — and the premiums increase for years.

Verification Checklist

• GL per-project aggregate confirmed (CG 25 03)
• CG 20 10 AND CG 20 37 endorsements referenced
• Waiver of Sub on GL, WC, and Auto (three separate endorsements)
• Primary & Non-Contributory on GL
• Umbrella schedules all underlying policies
• No exclusions for the contracted scope of work
• Carrier A-VII or better
• Policy dates cover the project duration plus completed operations tail

Healthcare

Healthcare insurance requirements reflect the unique regulatory environment — HIPAA, state medical practice acts, and the high severity of malpractice and data breach claims.

Standard Requirements

• General Liability: $1M per occurrence / $3M general aggregate. Healthcare facilities often require the higher $3M aggregate.
• Professional Liability (Medical Malpractice): Required for any vendor providing clinical services. Minimum $1M per claim / $3M aggregate. This is a separate policy from GL — do not accept GL alone for clinical vendors.
• Workers' Compensation: Statutory limits with $1M employers' liability.
• Auto Liability: $1M CSL.
• Umbrella/Excess: $5M minimum.
• Cyber Liability: Required for any vendor with access to Protected Health Information (PHI). Minimum $2M, with coverage for breach notification costs, regulatory fines, and forensic investigation. Must include HIPAA-specific coverage.
• EPLI: Recommended for staffing agencies and large service providers.

Common Gaps

1. Professional liability confused with GL: A clinical vendor provides a GL certificate but no professional liability policy. GL does not cover medical malpractice — these are fundamentally different coverage lines.
2. Cyber liability missing for IT vendors: Any vendor with access to electronic health records needs cyber coverage. This includes EHR vendors, billing companies, IT support firms, and even cleaning companies with access to areas where PHI is stored.
3. Claims-made professional liability without tail: If the vendor's professional liability is claims-made (most are), ask about tail coverage if the policy is not renewed.

Risk Scenarios

A medical staffing agency provides nurses to a hospital under a contract requiring $1M/$3M professional liability. The agency's certificate shows GL at $1M/$3M but does not list a separate professional liability policy. A nurse administered incorrect medication, resulting in patient injury and a $4M lawsuit. The GL policy excludes professional medical services. The hospital's own malpractice policy responds — an outcome the contract was designed to prevent.

Verification Checklist

• Professional liability policy listed separately from GL
• Cyber liability with HIPAA coverage confirmed
• Business Associate Agreement (BAA) in place alongside COI
• Claims-made retroactive date precedes contract start
• Carrier licensed in the state where services are provided

Hospitality

Hotels, restaurants, event venues, and resorts face premises liability, food and beverage liability, liquor liability, and event-related risks.

Standard Requirements

• General Liability: $1M per occurrence / $2M general aggregate.
• Workers' Compensation: Statutory limits. High employee turnover makes WC compliance monitoring especially important.
• Auto Liability: $1M CSL for vendors with delivery or transportation services.
• Umbrella/Excess: $5M minimum for venues; higher for large events.
• Liquor Liability: Required for any vendor serving or selling alcohol. This is a separate coverage that is excluded from standard GL policies. Minimum $1M per occurrence.
• Special Event Insurance: For one-time events, the event organizer should provide event-specific coverage naming the venue as Additional Insured.

Common Gaps

1. Liquor liability not verified: Standard GL policies exclude liability arising from the sale, distribution, or serving of alcohol. A venue must verify that vendors with liquor service have a separate liquor liability policy or an endorsement adding it back to the GL.
2. Food vendors without product liability: Caterers and food service companies need product liability coverage (included in standard GL, but verify the products-completed operations aggregate is adequate).
3. Valet parking companies with inadequate auto coverage: Valet services should carry garagekeepers liability in addition to commercial auto — standard auto policies may not cover damage to customers' vehicles in the vendor's care, custody, and control.

Verification Checklist

• Liquor liability confirmed for alcohol-related vendors
• Products-completed operations aggregate adequate for food service
• Event-specific coverage for one-time events
• Garagekeepers liability for valet services
• AI status on GL and umbrella

Logistics and Transportation

Logistics introduces federal regulatory requirements alongside standard insurance needs. The Federal Motor Carrier Safety Administration (FMCSA) mandates minimum insurance levels that often exceed what a contract alone would require.

Standard Requirements

• General Liability: $1M per occurrence / $2M general aggregate.
• Auto Liability: $1M per occurrence minimum; FMCSA requires $750,000 minimum for general freight carriers and $5,000,000 for hazmat carriers. Many contracts require $1M regardless of FMCSA minimums.
• Motor Cargo Insurance: $1M minimum (often $250K-$500K for smaller carriers). Covers damage to goods being transported.
• Umbrella/Excess: $5M minimum for carriers handling high-value freight.
• Workers' Compensation: Statutory limits.
• Environmental / Pollution Liability: Required if transporting hazardous materials. Standard auto and GL policies exclude pollution claims.
• MCS-90 Endorsement: Required by FMCSA for interstate carriers. This endorsement guarantees that the auto policy will pay for public liability claims involving the covered vehicle, even if the policy would otherwise exclude the claim. It protects the public, not the insured.

Common Gaps

1. Cargo coverage insufficient for the goods being transported: A carrier has $100K in cargo coverage but is hauling $500K in electronics. The shipper absorbs the $400K gap.
2. Pollution exclusion on auto policy: A tanker truck overturns and spills fuel. The auto policy's pollution exclusion denies the environmental cleanup claim. Without a separate pollution liability policy, cleanup costs (often $1M+) fall to the shipper or property owner.
3. Non-owned trailer coverage missing: Many carriers use trailers they do not own. Standard auto policies may not cover damage to non-owned trailers. Trailer interchange insurance fills this gap.
4. FMCSA filing lapses: Carriers must maintain proof of insurance on file with FMCSA (Form BMC-91 or BMC-34). A lapse in filing can result in loss of operating authority.

Verification Checklist

• Auto liability meets FMCSA minimums for cargo type
• Motor cargo coverage meets the value of goods shipped
• MCS-90 endorsement confirmed for interstate carriers
• FMCSA operating authority active (verify at SaferSys.org)
• Pollution liability if transporting hazmat
• DOT number and MC number verified

Manufacturing

Manufacturing presents product liability and environmental exposure that demand higher limits and specialized coverages.

Standard Requirements

• General Liability: $2M per occurrence / $4M general aggregate. Higher limits reflect the severity of product liability claims.
• Products Liability: $2M minimum (included within GL, but verify the products-completed operations aggregate separately).
• Workers' Compensation: Statutory limits. Manufacturing has some of the highest WC experience modification rates due to workplace injury frequency.
• Auto Liability: $1M CSL.
• Umbrella/Excess: $10M minimum. Product liability claims can reach tens of millions; adequate umbrella coverage is essential.
• Environmental / Pollution Liability: Required for manufacturers using chemicals, generating waste, or operating near sensitive environmental areas. Minimum $2M.
• Product Recall Coverage: Emerging requirement for manufacturers whose products could require mass recall. Not included in standard GL — this is a separate policy.

Common Gaps

1. GL aggregate too low relative to production volume: A manufacturer producing millions of units annually with a $2M aggregate can exhaust coverage with a single product defect affecting a large batch.
2. No completed operations tail: Product liability claims often surface years after delivery. Ensure coverage extends beyond the policy period.
3. Environmental coverage excluded from GL: Standard CGL policies contain absolute pollution exclusions. A manufacturer with any environmental exposure needs a standalone pollution policy.

Verification Checklist

• GL occurrence and aggregate at $2M/$4M or higher
• Products-completed operations aggregate confirmed separately
• Umbrella at $10M or higher
• Environmental liability confirmed if applicable
• Product recall coverage confirmed if applicable
• Carrier A-VII or better (critical for high-severity claims)

Government and Education

Public sector contracts carry the most stringent insurance requirements, often specified by statute or regulation rather than negotiation.

Standard Requirements

• General Liability: $1M per occurrence / $2M general aggregate minimum. Some federal contracts require higher.
• Workers' Compensation: Statutory limits. Federal contracts under the Defense Base Act may require special WC coverage for overseas workers.
• Auto Liability: $1M CSL.
• Umbrella/Excess: $5M-$10M depending on contract value.
• Professional Liability: Required if providing professional or consulting services. $1M-$5M depending on contract scope.
• Cyber Liability: Required for any vendor handling government data. CMMC (Cybersecurity Maturity Model Certification) compliance may be required for defense contracts. FERPA compliance for education.
• EPLI (Employment Practices Liability): Required by many public entities to protect against discrimination and harassment claims by the vendor's employees working on government premises.
• Performance and Payment Bonds: While not insurance, these are often required alongside COIs for construction contracts over $150,000 (per the Miller Act for federal contracts).

Special Provisions

• FAR (Federal Acquisition Regulation) compliance: Federal contracts specify insurance requirements in FAR 28.307, including minimum types and amounts.
• Carrier rating requirements: Government contracts typically require AM Best A-VII or better. Some require A-VIII or A-IX for high-value contracts.
• Indemnification and hold harmless: Government entities often cannot indemnify vendors, meaning the vendor's insurance is the sole protection layer.
• Sovereign immunity considerations: Government entities have different liability exposure than private organizations, which affects how insurance requirements are structured.

Verification Checklist

• All FAR 28.307 requirements met (federal contracts)
• Carrier rated AM Best A-VII or better (verify specific contract requirement)
• Cyber liability with government data protection provisions
• EPLI confirmed
• Performance/payment bonds in place if construction
• Professional liability if consulting/professional services
• CMMC certification verified for defense-related contracts

Emerging Coverage Trends for 2026

Cyber Liability

Cyber insurance has moved from "nice to have" to mandatory across nearly every industry. Key drivers:

• Ransomware severity: Average ransom payment exceeded $500K in 2025, with total incident costs (downtime, forensics, notification, legal) often 3-5x the ransom itself.
• Regulatory expansion: State privacy laws (modeled on CCPA/CPRA) now exist in 20+ states, each carrying their own penalty structures.
• Supply chain attacks: A vendor's cyber breach can expose your organization's data and systems. Requiring cyber coverage from vendors is now standard risk management.

Emerging minimums: $2M for standard vendors; $5M+ for vendors with access to sensitive data, PII, or system integration.

Employment Practices Liability (EPLI)

EPLI covers claims by employees alleging discrimination, harassment, wrongful termination, and other employment-related violations. The trend toward requiring EPLI from vendors reflects the reality that a vendor's employee working on your premises can file claims implicating your organization.

Emerging minimums: $1M for vendors with employees working on-site.

Environmental / Pollution Liability

Climate-related regulations and PFAS ("forever chemicals") litigation are expanding environmental liability exposure. Manufacturers, construction companies, and waste management vendors face increasing pollution liability requirements.

Emerging minimums: $2M-$5M for manufacturers and contractors with environmental exposure.

Building Custom Requirement Templates

The matrix above provides baselines, but effective compliance programs build vendor-type-specific templates:

Step 1: Categorize Vendors by Risk Tier

• Tier 1 (High Risk): Vendors performing physical work on your premises, handling sensitive data, or providing professional services. Examples: construction subs, IT vendors with system access, clinical staffing agencies.
• Tier 2 (Medium Risk): Vendors with moderate exposure. Examples: janitorial, landscaping, delivery services.
• Tier 3 (Low Risk): Vendors with minimal on-site presence or exposure. Examples: office supply delivery, equipment rental, consulting with no data access.

Step 2: Define Requirements Per Tier

Step 3: Automate Tracking

Manual tracking breaks down beyond 50 vendors. At scale, organizations need systems that automatically flag expired certificates, coverage gaps, and non-compliant limits — whether through dedicated compliance platforms, AI-powered verification tools, or integrated vendor management systems.

Step 4: Review Annually

Insurance markets shift. New coverage types emerge. Regulatory requirements change. Review your requirement templates annually against current market conditions and loss experience. What was adequate in 2024 may be insufficient in 2026.

The goal is not to create barriers for vendors — it is to ensure that when an incident occurs, the right insurance responds first, at adequate limits, with the endorsements that protect your organization. This matrix gives you the framework. Your risk profile determines the details.