How to Set Insurance Requirements for Suppliers (2026 Benchmark)

Last updated: May 2026

Setting insurance requirements for suppliers means specifying the coverage lines, limits, endorsements, and carrier quality each vendor must carry before doing business with you. Most procurement teams inherit this work rather than design it from scratch. The 2026 Insurance Requirements Benchmark, based on 291 supplier insurance requirement sets across five industries, documents what mature programs converge on. This guide walks through the baseline that holds across the dataset, the risk-tier and industry variations, and the operational decisions that follow once the requirements are written.

TL;DR: the 2026 supplier insurance baseline

• $1M General Liability Each Occurrence is required by 95% of supplier insurance programs in the 291-set dataset.
• Workers Compensation statutory limits are required by 100% of programs.
• AM Best A- is the carrier quality floor for 95% of programs.
• 30-Day Notice of Cancellation is required by 96% of programs at every risk tier.
• Umbrella coverage is required in three of seven cross-industry risk tiers: Moderate ($1M), High ($2M to $5M), and Pollution & Projects ($2M).
• 75% of programs operate one to three risk tiers; 25% operate four or more.
• Two industry exceptions push primary GL Each Occurrence to $5M: construction projects valued over $1M and retail high-risk operations.
• Enterprise programs managing 10,000-plus vendors raise severity layers (Umbrella, Employer's Liability, Crime) while holding primary GL at the dataset's $1M floor.

What insurance do organizations require from their suppliers?

Most supplier insurance programs require a shared baseline of four positions, plus additional coverages and endorsements that escalate by risk tier and industry. The four positions below hold across 95% or more of the 291-set dataset, regardless of industry, risk tier, or program size:

• $1M General Liability Each Occurrence (95% of programs).
• Workers Compensation statutory limits (100% of programs).
• AM Best A- carrier minimum (95% of programs).
• 30-Day Notice of Cancellation (96% of programs at every tier).

Each position carries caveats worth knowing. On General Liability, the remaining 5% is a single outlier organization setting the limit at $500K. On Workers Compensation, 82% accept state insurance fund limits where the coverage may be less or more than the required amount and 18% require Stop Gap coverage equal to the required limit; solo operators without employees are frequently granted exceptions. On AM Best, the only exception in the dataset is a single organization accepting B-rated carriers. On 30-day notice, 4% of programs require 60-day notice and no program in the dataset accepts more than 60 days.

Additional Insured status on General Liability is required by the majority of programs. The variance shows up on Auto, Commercial Property, and Equipment policies, not on GL itself.

If you are inheriting a supplier insurance program, the fastest diagnostic is whether your current requirements clear these four positions. Programs that do not are running a certificate-collection process with no coverage floor underneath. The practical fix is to update the MSA template, communicate the change to existing suppliers at their next renewal, and grandfather only the contracts where the cost of forcing the issue exceeds the residual risk.

Should you set insurance requirements by supplier or by category?

Set them by category first, then layer in supplier-specific exceptions. The 2026 benchmark documents seven risk-tier categories that programs use, organized by exposure type and intensity rather than by which specific supplier is providing the service. That structure reflects how mature programs actually make the decision.

Category-first thinking matters because the inherent risk of what you are purchasing usually outweighs the variance between specific suppliers in that category. Three contractors doing electrical work on a commercial build carry roughly the same exposure profile; the exposure does not change much based on which one you pick. What changes is whether you have correctly classified electrical work on commercial builds as a category that requires Builder's Risk, Completed Operations, Waiver of Subrogation, and a higher GL aggregate.

The practical implication: derive your tier definitions from your spend taxonomy, which is the way your procurement organization already classifies spend by category (janitorial, IT staffing, on-site contracting, professional services, transportation). The insurance tier should map to that taxonomy. Building a separate "risk tier" structure that does not align with your spend categories creates inconsistency in how procurement, legal, and risk teams talk about the same supplier.

Supplier-level adjustments still happen, primarily as exceptions: a sole proprietor without employees who cannot carry standard Workers Compensation, an established supplier with $50M umbrella who legitimately exceeds your requirements at every line, a specialty vendor with carrier limitations specific to their trade. The exception process is where supplier-level customization belongs. The base tier should be set at the category level.

How do supplier insurance programs structure risk tiers?

Supplier insurance programs organize requirements into risk tiers so that lower-risk vendors are not held to limits designed for higher-risk operations. The 2026 benchmark documents seven risk-tier categories used across the 291-set dataset.

The seven tiers are:

• Low Risk
• Moderate Risk
• High Risk
• Towing & Auto
• Professional
• Pollution & Projects
• Liquor

GL Each Occurrence stays at $1M across all seven tiers in the cross-industry aggregate. Auto Combined Single Limit holds at $1M in six of the seven tiers; the Professional tier drops to $500K because professional service vendors typically are not driving on behalf of the program, which reduces the underlying auto exposure. Umbrella coverage is required in three of the seven tiers (Moderate, High, Pollution) and not required in the other four (Low, Towing, Professional, Liquor).

The seven-tier structure is what 25% of programs in the dataset use. The remaining 75% operate one to three tiers, often collapsing several of the categories above into a single Moderate or High tier and adding specialty-tier handling only as needed.

What are the standard general liability limits required from suppliers?

The most common General Liability requirement is $1M Each Occurrence with a $2M Aggregate at Moderate and High risk tiers, scaling to higher limits in construction projects over $1M and in retail high-risk operations.

Specifically across the dataset:

Low Risk tier: $1M Each Occurrence, $1M General Aggregate, $1M Products / Completed Ops Aggregate.

Moderate Risk tier: $1M Each Occurrence, $2M General Aggregate, $1M Products / Completed Ops Aggregate.

High Risk tier: $1M Each Occurrence, $2M General Aggregate, $2M Products / Completed Ops Aggregate.

Towing & Auto tier: $1M Each Occurrence, $2M General Aggregate, $1M Products / Completed Ops Aggregate.

Professional tier: $1M Each Occurrence, $1M General Aggregate, $1M Products / Completed Ops Aggregate.

Pollution & Projects tier: $1M Each Occurrence, $2M General Aggregate, $2M Products / Completed Ops Aggregate.

Liquor tier: $1M Each Occurrence, $2M General Aggregate, $1M Products / Completed Ops Aggregate.

Source: Certificial 2026 Insurance Requirements Benchmark, n=291.

Industry-specific deviations show up in construction and retail. Construction requirements step from $1M to $5M GL Each Occurrence for projects valued over $1M, the largest single-trigger limit jump in the dataset. Retail High Risk operations also require $5M GL Each Occurrence, with Co-Producers requiring $2M and Packaging Risks at $1M.

GL Personal & Advertising Injury holds at $1M across all seven tiers in the cross-industry aggregate, making it one of the most consistent secondary GL limits in the dataset alongside Each Occurrence.

The most common implementation mistake at this layer is specifying $1M Each Occurrence without also specifying the Aggregate. A supplier with $1M each / $1M aggregate technically meets a $1M EO requirement, but their per-occurrence capacity is already drawn down by any prior claims on the policy. By later in the policy year, that supplier's remaining capacity can be substantially less than the $1M Each Occurrence stated on the certificate. Specifying both Each Occurrence and Aggregate in the MSA is the fix. Verifying the residual Aggregate at intervals through the policy year is the second-order fix.

When is umbrella or excess liability required from a supplier?

Umbrella or excess liability is required where primary General Liability combined with the umbrella creates the total coverage the program needs for severity exposure. Where umbrella is required in the cross-industry aggregate, 60% of programs set the limit at $2M, 25% set it at $1M, and 15% set it above $2M (Certificial 2026 Insurance Requirements Benchmark, n=291). The exception is when General Liability coverage alone exceeds the combination required for GL plus Umbrella combined.

By tier in the cross-industry aggregate:

Low Risk tier: Umbrella not required.

Moderate Risk tier: Umbrella $1M.

High Risk tier: Umbrella $2M to $5M.

Towing & Auto tier: Umbrella not required.

Professional tier: Umbrella not required.

Pollution & Projects tier: Umbrella $2M.

Liquor tier: Umbrella not required.

Source: Certificial 2026 Insurance Requirements Benchmark, n=291.

Two industry deviations are worth knowing. Enterprise programs managing 10,000-plus vendors raise the High Risk umbrella requirement to $5M while holding primary GL at the dataset-wide $1M floor. Retail Co-Producer agreements require $10M, the highest umbrella requirement in the entire dataset.

The strategic read is that severity exposure scales faster than primary GL. Programs that grow their supplier base without revisiting their umbrella requirements end up with too little coverage at the layer where one large claim does the most damage.

What workers compensation limits do supplier programs require?

Workers Compensation statutory limits are required by 100% of programs in the dataset. The variance shows up in Employer's Liability limits and in how programs handle the four monopolistic Workers Compensation states (North Dakota, Ohio, Washington, and Wyoming).

Employer's Liability limits by industry segment:

• Property Management / Commercial Real Estate: $500K
• Construction: $500K
• Retail and Production (High Risk): $1M
• Film, Media, Entertainment: $1M
• Commercial Transportation: $1M
• Enterprise programs (10,000-plus vendors): $1M across most tiers

For monopolistic states, 82% of programs accept the state-fund policy regardless of dollar amount, while 18% require Stop Gap coverage equal to the program's standard Workers Compensation requirement, attached to the General Liability policy. Operationally, if your supplier base includes vendors operating in any of the four monopolistic states, your standard WC requirement creates an exception case procurement has to manage at the contract level. The 82/18 split in the dataset is the practical split between programs that accept the state-fund as the answer and programs that require parity through Stop Gap.

Solo operators without employees are frequently granted exceptions to the Workers Compensation requirement. This is also an exception case that procurement should formalize in the MSA template rather than handle ad hoc; ad-hoc exception handling is how programs end up with quiet drift away from their stated requirements over time.

Waiver of Subrogation on Workers Compensation is required in 100% of commercial transportation programs across both tiers, the strongest tier-wide WC endorsement signal in the dataset.

Which endorsements should suppliers be required to carry?

At minimum, require the endorsements the majority of programs at your supplier's tier require, then layer in additional High Risk endorsements only on suppliers whose work warrants the exposure. The 2026 benchmark tracks five endorsements across the dataset: Waiver of Subrogation, Primary and Non-Contributory, Ongoing Operations, Completed Operations, and 30-Day Notice of Cancellation. Program requirements escalate sharply at the High Risk and Pollution tiers and are minimal at Low Risk, so the practical recommendation depends on where your suppliers sit in your tier structure.

Endorsement program requirements in the cross-industry aggregate, by tier:

Waiver of Subrogation: Low 13%, Moderate 47%, High required, Pollution & Projects required.

Primary & Non-Contributory: Low 7%, Moderate 49%, High 78%, Pollution & Projects 91%.

Ongoing Operations: Low not required, Moderate 23%, High 72%, Pollution & Projects 93%.

Completed Operations: Low not required, Moderate 28%, High 81%, Pollution & Projects 89%.

30-Day Notice of Cancellation: Low 96%, Moderate 96%, High 96%, Pollution & Projects 96%.

Source: Certificial 2026 Insurance Requirements Benchmark, n=291.

Completed Operations reaches 81% at High Risk in the cross-industry mix and 84% in property management specifically, making it the most consistently required operations endorsement at the high-risk tier. The pattern concentrates in project-heavy programs.

Ongoing Operations sits at 23% at Moderate Risk and 72% at High Risk in the cross-industry mix, identifying it as a high-risk-tier marker rather than a baseline requirement.

For enterprise programs managing 10,000-plus vendors, Waiver of Subrogation is often required across all tiers, compared to 13% at Low and 47% at Moderate in the cross-industry mix. The enterprise pattern uses endorsement language to allocate contractual risk rather than relying on supplier-side monitoring to catch problems before they become coverage events.

How do enterprise programs (10,000-plus vendors) set requirements differently?

Programs managing 10,000 or more vendors raise their severity coverages (the layers above primary General Liability that absorb large claims, such as umbrella, employer's liability above statutory, and crime) and tighten endorsement requirements, while holding primary General Liability at the dataset's standard floor.

Specifically:

• Umbrella raised to $5M at High Risk, compared to the $2M to $5M range in the cross-industry aggregate.
• Workers Compensation Employer's Liability raised to $1M across most tiers, compared to $500K in property management and construction segments.
• Crime coverage required at $1M, a layer that is absent from the standard cross-industry baseline.
• Professional Liability required at $1M, where it applies to the supplier's scope.
• Waiver of Subrogation required across all tiers, compared to 13% at Low and 47% at Moderate in the cross-industry mix.
• Primary General Liability held at $1M Each Occurrence, the same floor used across the dataset.

The strategic read is that programs at enterprise scale do not raise the primary GL floor for every vendor. They raise the layer above primary, where one severe loss has the most impact, and they tighten the endorsement language that controls how loss is allocated between the supplier and the program.

How do insurance requirements vary by industry?

The five industry breakdowns in the 2026 benchmark show that primary GL Each Occurrence holds at $1M across most industries at most tiers, with two exceptions where it jumps to $5M (construction projects over $1M, retail high-risk operations). Severity coverages and specialty layers are where the industries separate most.

A summary of how the five industries plus the 10K+ vendor cut compare at the high-risk profile:

Property Management / Commercial Real Estate: GL Each Occurrence $1M, Umbrella / Excess $2M to $5M, Workers Comp Employer's Liability $500K. Notable specialty coverage: Pollution $1M, Liquor $1M, Towing layer.

Construction (projects over $1M): GL Each Occurrence $5M, Umbrella / Excess $2M to $5M, Workers Comp Employer's Liability $500K. Notable specialty coverage: Builder's Risk at full contract value, Pollution $1M to $5M.

Retail and Production (High Risk): GL Each Occurrence $5M, Umbrella / Excess $5M, Workers Comp Employer's Liability $1M. Notable specialty coverage: Cyber $5M (Packaging), Product Recall $5M.

Film, Media, Entertainment (Specialty): GL Each Occurrence $1M, Umbrella / Excess $2M, Workers Comp Employer's Liability $1M. Notable specialty coverage: Pyrotechnics $3M, Aircraft $5M, All-Risk Property.

Commercial Transportation: GL Each Occurrence $1M, Umbrella / Excess typically excluded, Workers Comp Employer's Liability $1M. Notable specialty coverage: Cargo $25K, Reefer $25K.

Enterprise programs (10,000-plus vendors, High Risk): GL Each Occurrence $1M, Umbrella / Excess $2M to $5M, Workers Comp Employer's Liability $1M. Notable specialty coverage: Crime $1M, Professional $1M.

Source: Certificial 2026 Insurance Requirements Benchmark, n=291.

Two patterns explain the variation. First, the high-floor GL programs (Construction over $1M projects, Retail High Risk) sit in industries where a single incident can produce nine-figure damages and a $1M primary is insufficient to attach excess at a meaningful layer. Second, the specialty coverages are tied to operational exposure rather than to general risk intensity. Builder's Risk, Cargo, Pyrotechnics, Aircraft, and Cyber each show up only in industries where the underlying operation creates that specific exposure.

If you are building a new supplier program in an industry not represented in the table above, the typical pattern is to start from the cross-industry aggregate, then add industry-specific specialty coverages based on the actual operations of your supplier base.

How many risk tiers should your supplier program have?

75% of programs in the dataset operate one to three risk tiers across their supplier base. 25% operate four or more, segmented by risk level, work type, or specialty exposure (Certificial 2026 Insurance Requirements Benchmark, n=291).

Tier count typically depends on:

• Number of distinct exposure profiles in your supplier base. A program buying only janitorial services has one profile; a program buying janitorial, on-site contracting, transportation, and professional services has four.
• Whether you have specialty operations that do not fit a single Moderate or High tier. Pollution, Liquor, Towing, and Professional are the most common breakouts in the dataset.
• Volume of suppliers per tier. A tier needs enough suppliers in it to justify the operational overhead of a separate MSA template and exception workflow.
• Industry mix. Construction and Retail programs require higher GL floors that do not collapse into a cross-industry Moderate or High tier.

The practical rule is that the right tier count is the smallest number that lets you avoid over-insuring low-risk vendors while still meeting your severity requirements at the high end. Programs that start with one tier and outgrow it commonly move to a three-tier Low / Moderate / High structure first, then add exposure-type sub-tiers as specific supplier categories scale.

Whatever tier count you choose, build an exception workflow before you need it. A working exception process names the requirement being waived, the supplier's actual coverage or alternative risk mitigation, the dollar threshold or risk category that triggered the exception, the approver's name and role (procurement, legal, risk, executive), and the review date for the exception. Most programs scale escalation by contract value, with line-level deviations approved at procurement, multi-line or sub-floor deviations approved at risk or legal, and enterprise-vendor exceptions approved at the executive level. The exception record should attach to the supplier's profile rather than live as a separate document, so the next audit or renewal review surfaces it automatically.

How do you verify that suppliers actually carry the coverage they show on their certificate?

This is the question the requirements work does not answer on its own. A certificate of insurance is a snapshot at the moment it was issued. It says nothing about what happens on day 30, day 90, or day 300 of the policy year. Static PDF certificates carry no live link to the underlying policy.

The most common discoveries during a manual COI audit are policies that were cancelled for non-payment after the certificate was issued, limits that were reduced at renewal in ways the certificate on file does not reflect, and vehicles or named insureds that were removed from a schedule mid-term. The certificate looks valid. The coverage is not.

The operational fix is a continuous data connection between the supplier's insurance agent and the requestor's compliance dashboard, replacing the static PDF with a Smart COI that updates the moment the agent records a change. Cancellations, limit reductions, schedule modifications, and renewal extensions all surface in the dashboard the same day they happen. When a supplier's policy lapses on June 12, the compliance dashboard reflects it on June 12, not at next year's renewal review.

This matters most at scale. A procurement team managing 100 suppliers can manually call agents at renewal and stay reasonably current. A team managing 1,000 cannot. A team managing 10,000 is structurally incapable of manual verification, which is one reason the dataset shows enterprise programs tightening endorsement language (Waiver of Subrogation, Primary and Non-Contributory) rather than relying on monitoring frequency to catch problems. The endorsements shift the contractual risk in case of a coverage gap; live monitoring closes the gap before it becomes a coverage event.

The benchmark documents what the requirement should be. Smart COI monitoring documents whether the supplier actually has it.

How do you apply this benchmark to your own program?

The 2026 benchmark supports a four-step sequence for building or revising a supplier insurance program:

1. Set the cross-industry baseline. $1M GL Each Occurrence, Workers Compensation statutory, AM Best A-, and 30-Day Notice of Cancellation. Confirm your MSA template includes all four.
2. Derive your tiers from your spend taxonomy. Map insurance tiers to the same categories your procurement organization already uses (janitorial, IT staffing, on-site contracting, professional services, transportation).
3. Add industry-specific specialty coverages where exposure warrants them. Builder's Risk for construction, Cargo for transportation, Pyrotechnics and Aircraft for film and entertainment, Cyber for retail and packaging, Pollution for environmental work.
4. Build the exception workflow before you need it. Define the requirement being waived, the alternative risk mitigation, the approver by contract value, and the review date. Attach the exception record to the supplier profile.

The sequencing matters. Set the baseline first, derive tiers from your spend taxonomy, then add specialty coverages where exposure warrants them. Skip steps and you end up with insurance requirements that look mature on paper but do not align with how your procurement team actually classifies and manages suppliers.

Frequently asked questions

What is the most common general liability limit required from a supplier?

The most common General Liability Each Occurrence requirement is $1M, required by 95% of supplier insurance programs in the 2026 benchmark (n=291). The standard companion limits are $2M General Aggregate and $1M to $2M Products / Completed Operations Aggregate at Moderate and High risk tiers.

Should you require additional insured status from every supplier?

Additional Insured status on General Liability is required by the majority of programs in the 2026 benchmark. The variance is on Auto, Commercial Property, and Equipment policies, not on GL. Most programs require AI on GL by default and add AI on Auto and Equipment for vendors operating vehicles or working with leased equipment.

How do you document an insurance exception when a supplier cannot meet a requirement?

An exception record should include the specific requirement being waived, the supplier's actual coverage or alternative risk mitigation, the dollar threshold or risk category that triggered the exception, the approver's name and role (procurement, legal, risk, executive), and the review date for the exception. Most programs scale escalation by contract value. The exception record should attach to the supplier's profile, not live separately, so the next audit or renewal review surfaces it automatically.

What is the difference between requiring coverage and verifying coverage?

Requiring coverage means specifying in the supplier contract what insurance the supplier must carry. Verifying coverage means confirming the supplier actually carries it on the day of loss, not just on the day the certificate was issued. A certificate of insurance documents coverage at a single point in time. Continuous verification through a live data feed from the supplier's insurance agent confirms coverage stays in force across the contract term. Most coverage gaps occur in the interval between certificate issuance and the next renewal or audit.

When should umbrella or excess liability be required?

Umbrella coverage is required in three of the seven risk tiers in the cross-industry aggregate: Moderate ($1M), High ($2M to $5M), and Pollution & Projects ($2M). It is not required at Low, Towing, Professional, or Liquor tiers. Enterprise programs managing 10,000-plus vendors raise umbrella at High Risk to $5M.

What is the difference between Combined Single Limit and split limits on auto liability?

Combined Single Limit (CSL) expresses Auto Liability as one number that applies to bodily injury and property damage combined ($1M CSL means $1M total). Split limits express the same coverage as three numbers ($500K bodily injury per person / $500K bodily injury per accident / $500K property damage). Among programs that allow split limits, 69% use $500K/$500K/$500K, 12% use $1M/$1M/$1M, and 19% use $100K/$300K/$100K (n=291).

What does AM Best A- mean and why is it a common minimum?

AM Best is the dominant insurance carrier rating agency. An A- rating ("Excellent") indicates strong financial stability and ability to pay claims. 95% of supplier programs in the 2026 benchmark require AM Best A- as the carrier minimum, making it the de facto floor for carrier quality across the dataset (n=291).

What is Workers Compensation Stop Gap coverage?

Stop Gap is an endorsement on the General Liability policy that provides Employer's Liability coverage in monopolistic Workers Compensation states (North Dakota, Ohio, Washington, Wyoming), where the standard commercial Workers Compensation market does not write coverage. 18% of programs in the 2026 benchmark require Stop Gap coverage equal to the standard Workers Compensation requirement in these states. The other 82% accept the state-fund policy regardless of dollar amount.

Do enterprise programs use different insurance requirements than smaller programs?

Yes. Programs managing 10,000 or more vendors raise severity coverages (Umbrella to $5M at High Risk, Workers Compensation Employer's Liability to $1M across most tiers, Crime to $1M, Waiver of Subrogation often required across all tiers) while holding primary General Liability at the $1M floor used across the dataset.

About the 2026 Insurance Requirements Benchmark

This guide draws on the 2026 Insurance Requirements Benchmark, published by Certificial. The benchmark documents 291 supplier insurance requirement sets contributed by organizations operating across five industries (Property Management and Commercial Real Estate, Construction, Retail and Production, Film/Media/Entertainment, and Commercial Transportation), plus a separate breakdown for organizations managing 10,000 or more vendors. Data current as of April 2026.

The full benchmark, including all coverage tables, endorsement requirement breakdowns, and industry-specific cuts, is available at certificial.com/insurance-requirements-benchmark-report.

What this means for your procurement program

Setting the requirements is the first half of the job; verifying the coverage stays in force across the contract term is the second. Three operational outcomes follow from moving suppliers from static certificates to live monitoring: faster supplier onboarding, scalability without adding compliance headcount, and audit defensibility when an incident requires documenting what was known and when.

Certificial is the Smart COI platform for procurement, risk, and compliance teams managing supplier insurance compliance at scale. Smart COIs replace static PDF certificates with a live data connection between the supplier's insurance agent and the requestor's compliance dashboard. Coverage changes, cancellations, and renewals surface the moment they happen.

Schedule a demo