Vendor Risk Management Insurance Explained: Key Insights for Brokers
A practical guide to vendor risk management insurance with real numbers, actionable steps, and expert insights for insurance brokers.
Vendor risk management insurance sits at the intersection of procurement, legal, and risk finance - and most businesses handle it poorly. Swiss Re 2024 data shows that third-party liability claims (losses caused by vendors, contractors, and service providers) account for 29% of commercial GL losses by frequency and 34% by severity. That is not a niche exposure. It is a primary driver of commercial claims.
This deep dive gives brokers the full picture: how vendor risk tiers work, what insurance requirements belong at each tier, how contractual risk transfer tools interact with insurance, and what happens when a vendor's coverage fails at the moment of loss.
Key Takeaways
- Third-party vendor claims account for 34% of commercial GL losses by severity, per Swiss Re 2024, making vendor risk management one of the highest-value activities in commercial risk management.
- Critical-tier vendors - those with access to core operations, data, or physical premises - should carry limits 3x to 5x higher than standard vendor minimums, per IRMI 2025 vendor risk tiering guidelines.
- ISO CGL additional insured endorsements CG 20 10 and CG 20 37 cover different exposures: ongoing operations and completed operations respectively - both are typically required for contractor additional insured status, per ISO 2024.
- When a vendor's insurance is inadequate and a loss occurs, the client's own GL policy responds first, triggering premium increases and subrogation efforts that succeed less than 40% of the time when the vendor is underinsured, per NAIC 2025.
- Businesses with four or more vendor risk tiers reduce total vendor-related claims costs by 31% compared to those using a single-tier approach, according to IIABA 2025 commercial lines risk management data.
- Vendor risk management programs integrated with COI tracking software reduce compliance gaps by up to 65% versus manual programs, per IIABA 2025 agency technology benchmarks.
What Vendor Risk Management Insurance Actually Means
Vendor risk management insurance is not a coverage type. It is a program - a structured approach to identifying, quantifying, and transferring the risk that third-party vendors create for a business.
The program has three components working together. The first is the risk assessment: understanding what each vendor does, what can go wrong, and how bad the worst-case scenario is. The second is contractual risk transfer: using indemnification clauses, additional insured endorsements, and waivers of subrogation to shift legal and financial responsibility to the vendor. The third is insurance verification: confirming that the vendor's insurance is adequate to fund the risk transfer.
When any one of those three components fails, the others weaken. A strong indemnification clause is worthless if the vendor has no assets and $300K in GL coverage. Strong insurance requirements mean nothing without verification. Verification without risk-tiered requirements produces uniform minimum requirements that are too high for some vendors and far too low for others.
Vendor Risk Tiers: The Foundation of the Program
Risk tiering is the starting point for any vendor risk management insurance program. Not all vendors create the same exposure, and applying the same insurance requirements to a landscaping contractor and a data center vendor is both inefficient and imprecise.
Most vendor risk management programs use four tiers. The tier determines the insurance minimums, the contractual requirements, the verification frequency, and the escalation path when a vendor is noncompliant.
Critical Tier: Vendors with direct access to core operations, sensitive data, financial systems, or physical infrastructure. Examples: IT managed services providers, payroll processors, security system operators, primary material suppliers. A failure by a critical-tier vendor can halt operations. These vendors require the highest insurance minimums and the most frequent verification.
High Tier: Vendors that perform work on-site or that could cause significant harm to persons or property, but whose failure would not halt operations. Examples: general contractors, electrical subcontractors, roofing contractors, HVAC services. High-tier vendors require strong GL and workers compensation requirements and specific endorsement requirements.
Medium Tier: Vendors providing services with limited on-site access or moderate exposure potential. Examples: cleaning services, landscaping, delivery services, equipment maintenance. Standard minimums apply. Verification occurs at contract signing and annually at renewal.
Low Tier: Vendors with minimal exposure, no on-site access, and low contract value. Examples: office supply vendors, software-as-a-service providers without data access, occasional service providers. Basic GL minimums apply. Verification at contract signing only.
Vendor Risk Tier Matrix: Insurance Requirements by Tier
| Risk Tier | GL Per Occurrence | GL Aggregate | Auto Liability | Workers Comp | Specialty Lines | Endorsement Requirements | Verification Frequency |
|---|---|---|---|---|---|---|---|
| Critical | $2,000,000 | $5,000,000 | $1,000,000 CSL | Statutory | Cyber $2M; E&O $2M; Crime $1M | AI (CG 20 10 + CG 20 37); WOS; P&NC; 30-day notice | Quarterly |
| High | $1,000,000 | $2,000,000 | $1,000,000 CSL | Statutory | E&O if professional services | AI (CG 20 10 + CG 20 37); WOS; P&NC | Annually + at renewal |
| Medium | $500,000 | $1,000,000 | $500,000 CSL | Statutory | None standard | AI (blanket form); WOS | Annually |
| Low | $300,000 | $600,000 | $300,000 CSL if vehicles used | Statutory if employees | None standard | AI if on-site access | At contract signing |
AI = Additional Insured. WOS = Waiver of Subrogation. P&NC = Primary and Non-Contributory. CSL = Combined Single Limit. Source: IRMI 2025 vendor risk tiering guidelines. Adjust limits upward based on contract value using the 2x rule per ISO 2024.
Contractual Risk Transfer: The Three Tools That Work with Insurance
Insurance requirements alone do not transfer risk. The contractual provisions that accompany the insurance requirements determine whether the transfer is legally enforceable when a loss occurs.
Indemnification Clauses
An indemnification clause (or hold harmless agreement) is the vendor's contractual promise to cover losses they cause. The scope of the indemnification clause should be explicitly tied to the insurance requirements: the vendor agrees to indemnify the client to the extent their insurance covers the loss, and the insurance requirements are set to fund the maximum foreseeable indemnification obligation.
When the indemnification clause is broader than the insurance, the vendor has agreed to obligations they cannot fund. When the insurance requirements are higher than the indemnification scope, the client pays for excess coverage that would never respond. Per AGC 2025, misalignment between indemnification scope and insurance requirements is present in 47% of standard-form construction contracts.
Additional Insured Endorsements
ISO CGL additional insured endorsements are the primary mechanism for making a client a covered party under the vendor's GL policy. Two forms matter:
CG 20 10 (Additional Insured - Owners, Lessees or Contractors - Scheduled Person or Organization): covers ongoing operations. This endorsement protects the client from claims arising while the vendor is actively working on the project.
CG 20 37 (Additional Insured - Owners, Lessees or Contractors - Completed Operations): covers completed operations. This endorsement protects the client from claims that arise after the project is finished - for example, a construction defect that manifests two years after project completion.
Both endorsements are typically required for contractor relationships. Accepting a blanket additional insured endorsement without specifying these forms leaves the completed operations exposure uncovered in many cases. Per ISO 2024, completed operations claims represent 38% of all contractor GL losses by dollar amount.
Waiver of Subrogation
A waiver of subrogation endorsement prevents the vendor's carrier from pursuing the client after paying a claim. Without it, the vendor's carrier pays the loss (assuming coverage) and then sues the client to recover if the client was even partially at fault.
This is particularly important in situations where both parties may have contributed to a loss - for example, a client's employee directing a vendor to work in an unsafe manner. Without a waiver of subrogation, the vendor's carrier can and will pursue the client for contribution. With the waiver, that right is contractually eliminated.
What Happens When a Vendor's Insurance Is Inadequate
Swiss Re 2024 documents that third-party vendor claims are more likely to involve coverage disputes, litigation, and underinsured defendants than first-party claims. This is the real cost of inadequate vendor risk management insurance programs.
When a vendor causes a loss and their coverage is inadequate, the sequence typically unfolds as follows:
- The loss occurs. The vendor's carrier receives the claim.
- If the vendor's policy covers the loss, it pays up to its limit. Any amount above the limit remains unpaid by the vendor's carrier.
- If the client is named as an additional insured (correctly), the vendor's policy pays the client's defense costs and any covered judgment up to the vendor's limits.
- Once the vendor's limits are exhausted, the client's own GL policy responds. This is the moment the client realizes their vendor minimum was insufficient.
- The client's carrier pays the remaining loss (subject to the client's own policy terms and limits).
- The client's carrier attempts subrogation against the vendor. Per NAIC 2025, subrogation against underinsured vendors succeeds less than 40% of the time, because the vendor typically lacks the assets to satisfy a judgment even when the carrier prevails in litigation.
- The client faces a premium increase at renewal based on the paid claim.
The net result: the client absorbs the loss through their own policy, pays higher premiums for years, and the vendor - who caused the loss - faces limited financial consequence. This is the direct cost of inadequate vendor risk management.
How ISO CGL Additional Insured Endorsements Work in Practice
The additional insured mechanism under ISO CGL forms is specific and technical. Understanding it allows agencies to give accurate advice to commercial clients and to spot deficiencies in vendor certificates that non-specialists miss.
Under ISO CG 00 01 (the standard CGL policy form), coverage is extended to additional insureds only by endorsement. The endorsement specifies: who qualifies as an additional insured, for what operations, and with what scope of coverage.
The most common forms used for vendor-client relationships:
CG 20 10: Covers the additional insured for bodily injury or property damage caused by the named insured's (vendor's) acts or omissions. This is the "ongoing operations" form. It covers losses during active work.
CG 20 37: Covers the additional insured for bodily injury or property damage included within the products-completed operations hazard. This is the "completed operations" form. It covers losses after work is finished.
CG 20 26 (Blanket Additional Insured): Automatically extends additional insured status to any party required by contract. This is convenient but provides coverage only to the extent required by the contract - and courts have interpreted this narrowly in some jurisdictions.
The key practical point: a COI that says "Additional Insured per written contract" is using the blanket form. Verify whether the blanket form in use is CG 20 26 or a proprietary equivalent, and whether it extends to completed operations. Many blanket forms do not.
COI Tracking and Vendor Risk Management Software Integration
Vendor risk management is not a once-a-year exercise. It is an ongoing operational function that requires systematic tracking of vendor status, insurance compliance, and risk tier assignments across potentially hundreds of vendor relationships.
COI tracking software addresses the insurance compliance component. Broader vendor management platforms integrate COI compliance with contract management, vendor performance data, and risk scoring to give a unified view of the vendor portfolio.
Key integration points between COI tracking and vendor risk management platforms:
Risk tier assignment: The vendor's assigned risk tier drives the insurance requirements stored in the COI tracking system. When a vendor's tier changes (due to a new contract or expanded scope), the system updates the requirements automatically.
Compliance status dashboards: Risk management teams see real-time compliance status by vendor, by tier, and by coverage line. Compliance gaps surface before they become active risk exposures.
Renewal automation: The system tracks every policy expiration across the vendor portfolio and sends automated renewal requests to vendors and their brokers in advance. This eliminates the 34% expired COI rate that myCOI 2025 documents in programs relying on manual tracking.
Audit trail: Every compliance event - receipt of a COI, identified deficiency, correction request, approval - is logged and time-stamped. This documentation is material in coverage disputes and litigation.
Per IIABA 2025, integrated vendor risk management and COI tracking programs reduce compliance gaps by up to 65% compared to manual programs, and agencies offering these integrated services retain commercial accounts at a 23% higher rate.
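The tier matrix above and the integration points just listed describe a rule set that COI tracking software applies mechanically: look up the vendor's tier, compare each limit and endorsement on the certificate against the tier minimums, and flag expired policies and overdue verifications. The following Python is an added example, not code from the article or from any product it mentions. It transcribes the matrix into data and checks a constructed certificate record against it; the field names, the `Certificate` class, the sample vendors, and the reading of the footnote's "2x rule" as "GL per occurrence of at least twice the contract value" are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Tier minimums transcribed from the article's matrix (USD). Specialty lines
# and the conditional Low-tier rows are simplified to what a limit check needs.
TIER_REQUIREMENTS = {
    "critical": {"gl_occurrence": 2_000_000, "gl_aggregate": 5_000_000,
                 "auto_csl": 1_000_000,
                 "specialty": {"cyber": 2_000_000, "eo": 2_000_000, "crime": 1_000_000},
                 "endorsements": {"CG 20 10", "CG 20 37", "WOS", "P&NC"},
                 "verify_every_days": 90},
    "high": {"gl_occurrence": 1_000_000, "gl_aggregate": 2_000_000,
             "auto_csl": 1_000_000, "specialty": {},
             "endorsements": {"CG 20 10", "CG 20 37", "WOS", "P&NC"},
             "verify_every_days": 365},
    "medium": {"gl_occurrence": 500_000, "gl_aggregate": 1_000_000,
               "auto_csl": 500_000, "specialty": {},
               "endorsements": {"AI", "WOS"}, "verify_every_days": 365},
    "low": {"gl_occurrence": 300_000, "gl_aggregate": 600_000,
            "auto_csl": 300_000, "specialty": {},
            "endorsements": set(), "verify_every_days": None},
}

# A generic "AI" requirement (Medium tier, or Low tier with on-site access) is
# satisfied by any additional insured form, blanket or scheduled.
AI_FORMS = {"AI", "CG 20 10", "CG 20 37", "CG 20 26"}


@dataclass
class Certificate:
    """Fields a tracker would extract from a COI; names are assumed, not ACORD's."""
    vendor: str
    tier: str
    gl_occurrence: int
    gl_aggregate: int
    auto_csl: int
    gl_expires: date
    endorsements: set = field(default_factory=set)
    specialty: dict = field(default_factory=dict)
    on_site: bool = False
    uses_vehicles: bool = True
    contract_value: int = 0


def required_gl_occurrence(cert):
    """Tier minimum, raised by the matrix footnote's 2x rule (assumed here to
    mean GL per occurrence should be at least twice the contract value)."""
    return max(TIER_REQUIREMENTS[cert.tier]["gl_occurrence"], 2 * cert.contract_value)


def check_certificate(cert, today):
    """Return the list of compliance gaps for a certificate; empty means compliant."""
    req = TIER_REQUIREMENTS[cert.tier]
    gaps = []
    if cert.gl_expires <= today:
        gaps.append(f"GL policy expired {cert.gl_expires.isoformat()}")
    need_occ = required_gl_occurrence(cert)
    if cert.gl_occurrence < need_occ:
        gaps.append(f"GL per occurrence {cert.gl_occurrence:,} below required {need_occ:,}")
    if cert.gl_aggregate < req["gl_aggregate"]:
        gaps.append(f"GL aggregate {cert.gl_aggregate:,} below required {req['gl_aggregate']:,}")
    if cert.uses_vehicles and cert.auto_csl < req["auto_csl"]:
        gaps.append(f"auto CSL {cert.auto_csl:,} below required {req['auto_csl']:,}")
    for line, minimum in req["specialty"].items():
        carried = cert.specialty.get(line, 0)
        if carried < minimum:
            gaps.append(f"{line} limit {carried:,} below required {minimum:,}")
    needed = set(req["endorsements"])
    if cert.tier == "low" and cert.on_site:  # Low tier: AI only with on-site access
        needed.add("AI")
    for endorsement in sorted(needed):
        if endorsement == "AI":
            if not (cert.endorsements & AI_FORMS):
                gaps.append("no additional insured endorsement on file")
        elif endorsement not in cert.endorsements:
            gaps.append(f"missing endorsement {endorsement}")
    return gaps


def next_verification(cert, last_verified):
    """Date the next verification is due, or None for verify-at-signing tiers."""
    days = TIER_REQUIREMENTS[cert.tier]["verify_every_days"]
    return None if days is None else last_verified + timedelta(days=days)


# Constructed sample records (not real vendors or certificates).
TODAY = date(2026, 4, 15)
# High-tier roofer whose COI shows only a blanket AI form and a waiver, with an
# expired GL policy and a contract large enough to trigger the 2x rule.
SAMPLE_COI = Certificate(
    vendor="Example Roofing LLC", tier="high", gl_occurrence=1_000_000,
    gl_aggregate=2_000_000, auto_csl=1_000_000, gl_expires=date(2026, 3, 31),
    endorsements={"CG 20 26", "WOS"}, on_site=True, contract_value=600_000)
# Medium-tier cleaning vendor that meets every row of the matrix.
COMPLIANT_COI = Certificate(
    vendor="Example Janitorial Inc", tier="medium", gl_occurrence=500_000,
    gl_aggregate=1_000_000, auto_csl=500_000, gl_expires=date(2027, 1, 31),
    endorsements={"CG 20 26", "WOS"}, on_site=True, contract_value=200_000)

if __name__ == "__main__":
    for cert in (SAMPLE_COI, COMPLIANT_COI):
        print(cert.vendor, check_certificate(cert, TODAY) or "compliant")
```

Running the check on the sample roofer reports the expired policy, the occurrence limit falling short of the 2x rule, and the missing CG 20 10, CG 20 37 and P&NC endorsements, which is exactly the deficiency the article warns about when a certificate reads "Additional Insured per written contract" but the contract called for the scheduled forms. The expiry test uses `<=` so that a certificate expiring today is already treated as a gap, since a renewal request should have gone out in advance.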
The Agency's Role in Vendor Risk Management
Brokers who understand vendor risk management insurance provide a service that most competitors cannot. The typical broker collects a COI at contract inception and moves on. The broker who understands risk tiering, contractual risk transfer, and how insurance fits into a broader vendor management program delivers advice that directly affects the client's financial outcomes.
Specific ways agencies add value in vendor risk management:
Building the risk tier matrix. Help the client identify their critical, high, medium, and low-risk vendors and assign insurance requirements appropriate to each tier. This is a consulting engagement that generates COI management business.
Reviewing contractual risk transfer provisions. Identify misalignments between the client's indemnification clauses and their insurance requirements. Flag contracts where the vendor's coverage is insufficient to fund the indemnification obligation.
Advising on additional insured endorsement requirements. Specify which ISO forms are required for which vendor categories. Verify that the forms received match the requirements, not just that "additional insured" appears on the COI.
Providing renewal support. Use COI management software to automate renewal requests across the client's entire vendor portfolio. This is a high-value, scalable service that the client cannot easily replicate internally.
Swiss Re 2024 estimates that well-structured vendor risk management programs reduce a business's third-party GL claims frequency by 18% and severity by 24% compared to businesses with no formal program. Agencies that build these programs for clients create measurable, documentable risk reduction that justifies the service fee and strengthens the account relationship.
Frequently Asked Questions
What is vendor risk management insurance? Vendor risk management insurance is not a single coverage type. It is the insurance component of a vendor risk management program - the set of insurance requirements, verification processes, and contractual risk transfer tools that a business uses to manage the liability exposure created by its vendors and contractors. It typically includes GL, auto, workers compensation, and specialty lines requirements that vary by vendor risk tier.
How do vendor risk tiers affect insurance requirements? Risk tiers reflect the potential severity of a vendor loss. Critical-tier vendors - those with access to core operations or data - carry GL limits of $2M per occurrence or higher, plus specialty lines such as cyber and professional liability. Low-tier vendors may only need $300K per occurrence GL. Per IIABA 2025, businesses using a four-tier system reduce total vendor-related claims costs by 31% compared to single-tier programs.
What is the difference between ISO CG 20 10 and CG 20 37? CG 20 10 extends additional insured coverage for ongoing operations - losses that occur while the vendor is actively working. CG 20 37 extends additional insured coverage for completed operations - losses that manifest after the work is finished, such as construction defects. Per ISO 2024, completed operations claims represent 38% of contractor GL losses by dollar amount, making CG 20 37 essential for any contractor relationship.
What happens when a vendor causes a loss that exceeds their policy limit? The vendor's policy pays up to its limit. Any amount above the limit is not covered by the vendor's insurance. If the client is named as an additional insured, the vendor's policy pays the client's covered losses up to the vendor's limit. Once exhausted, the client's own policy responds. The client then faces a premium increase and the client's carrier attempts subrogation against the vendor - which succeeds less than 40% of the time when the vendor is underinsured, per NAIC 2025.
How does a waiver of subrogation protect businesses in vendor relationships? Without a waiver of subrogation, the vendor's carrier can sue the client after paying a claim if the client contributed to the loss. With the waiver, the vendor's carrier gives up that right contractually. This is particularly important when both parties may have contributed to a loss - for example, when a client's employee directed a vendor to work in an unsafe condition.
How does COI tracking software support vendor risk management? COI tracking software automates the compliance monitoring function: tracking expiration dates across the entire vendor portfolio, sending renewal requests automatically, comparing COI limits against tier-specific requirements, and tracking endorsement receipt and verification. Per IIABA 2025, integrated programs reduce compliance gaps by up to 65% versus manual tracking and help agencies retain commercial accounts at a 23% higher rate.
Written by Javier Sanz, Founder of BrokerageAudit. Last updated April 2026.