HireSecurityNow.com
Certificate of Insurance (COI) for Security Vendors: What to Require (2026)
Buying Guides

Certificate of Insurance (COI) for Security Vendors: What to Require (2026)

21 min read

HireSecurityNow.com Editorial Team

July 5, 2026 · 21 min read· Fact-checked

In this guide

Never hire a security company without a certificate of insurance. Here's the coverage to require, how to be named additional insured, and how to verify a COI is real.

Quick answer

Before any security vendor sets foot on your property, require a current Certificate of Insurance (COI) — almost always an ACORD 25 form — showing commercial general liability, workers' compensation, commercial auto, and (for larger jobs) umbrella/excess and professional liability. Insist on being named as an additional insured (both the ongoing-operations CG 20 10 and completed-operations CG 20 37) with a waiver of subrogation, and verify it is real by matching the legal entity, checking the dates, and calling the issuing agent using contact details you look up independently — not the ones printed on the certificate. Then put every requirement, plus a notice-of-cancellation clause, in the contract itself — because the certificate confers no rights and no longer obligates the insurer to warn you if the policy is cancelled.

Hiring a security company means putting armed or unarmed personnel, patrol vehicles, and use-of-force decisions onto your property and in front of your customers, tenants, or employees. If something goes wrong — a guard injures a visitor, a patrol vehicle causes a crash, a wrongful detention turns into a lawsuit — you do not want to discover that the vendor was uninsured and that the claim is now yours. The Certificate of Insurance is the single most important compliance document you will collect from a security vendor, and knowing how to read it separates buyers who are protected from buyers who merely feel protected. This guide walks through what to require and how to verify it before you sign. When you are ready to compare vetted providers, you can request quotes and make insurance evidence part of your first ask.

What a certificate of insurance is — and why it matters when hiring security

A Certificate of Insurance is a one-page summary that reports the insurance policies a business currently carries, with named coverage types, limits, policy numbers, carriers, and effective and expiration dates. In the United States the standard form is the ACORD 25, "Certificate of Liability Insurance," published and maintained by ACORD (the Association for Cooperative Operations Research and Development). You'll find the form number, "ACORD 25," printed in the lower-left corner, with the standard ACORD branding on the form.

The most important thing to understand about a COI is what it is not. A certificate is not a contract, and it does not create, amend, or extend any coverage — the ACORD 25 says so on its face, stating it "confers no rights upon the certificate holder" and does not "amend, extend or alter" the underlying policies. It only reports what those policies already say at the moment it was issued. That distinction matters enormously in a claim: if a guard company's actual policy excludes an activity, the certificate cannot fill the gap, no matter what box is checked. This is why the COI is a starting point for verification, not the finish line — and why your security services agreement must independently spell out the insurance the vendor is contractually obligated to maintain.

Requiring a COI matters more for security than for most vendors because the risk profile is unusually high. Security work involves physical contact, firearms in armed programs, detention and use-of-force decisions, night patrols, and access to your premises and people. Standard general liability policies frequently exclude assault and battery and firearms-related claims unless specifically endorsed — exactly the exposures that can bankrupt an underinsured contractor and leave you as the deep-pocket defendant.

The coverages to require

For a typical guarding contract, require evidence of the following. Treat limits as negotiable to the size of the job — a single lobby post is not a stadium. The last two rows matter mainly for larger, technology-heavy, or licensed programs; see the notes below on when each applies.

CoverageWhat it protects againstTypical minimum to requireBasis / notes
Commercial General Liability (CGL)Third-party bodily injury and property damage from the vendor's operations on your site$1M per occurrence / $2M aggregate; higher for large sitesOccurrence
Workers' Compensation & Employer's LiabilityMedical costs and lost wages when a guard is injured on duty — and it keeps their injury off your claimsStatutory limits; $1M employer's liabilityStatutory / occurrence
Commercial AutoAccidents involving patrol or company vehicles; include hired & non-owned auto if guards drive their own cars for the job$1M combined single limitOccurrence
Umbrella / Excess LiabilityExtra limits stacked over CGL, auto, and employer's liability for a large loss$1M–$10M depending on contract sizeFollows underlying
Professional Liability / E&ONegligence in the performance of security duties — missed breaches, wrongful detention, errors in judgment$500K–$2M where the program warrants it (see below)Usually claims-made
Cyber / Privacy LiabilityBreach or misuse of video, access-control, license-plate, or visitor data the vendor holds$1M+ for CCTV/access-control/enterprise programsUsually claims-made
State license / surety bondStatutory guarantee of lawful conduct; protects clients/public, not the vendorPer state (commonly $10K–$100K)Bond, not insurance

Commercial general liability is the foundation. Confirm the policy actually contemplates security operations — and, for armed work, that assault and battery and firearms exposures are not excluded. If you are contracting an armed security detail, this is non-negotiable; a clean-looking $1M CGL that excludes firearms is worthless for that program. Understand the trade-offs first with a plain-English breakdown of armed versus unarmed security.

Workers' compensation is legally mandated for employers in nearly every state, with Texas the well-known exception where private employers may opt out (a handful of other states exempt very small employers below an employee-count threshold). This coverage does double duty for you: it pays an injured guard's medical bills and, critically, channels their injury claim into the vendor's workers' comp system rather than into a liability suit against you as the property owner. A security vendor with employees and no workers' comp is a bright red flag — walk away.

Commercial auto matters whenever vehicles are involved, which is most mobile patrol programs. If guards use personal vehicles for the job, look for hired and non-owned auto coverage; a personal auto policy will not respond to a business-use crash.

Umbrella or excess liability is how vendors reach the higher limits that schools, municipalities, hospitals, and enterprise property managers demand. An umbrella only helps if it actually sits over the policies that will be hit. The concrete failure mode: umbrellas frequently list CGL as scheduled underlying but leave employer's liability and/or hired-and-non-owned auto off the schedule — so a serious guard-injury or patrol-crash loss burns through the primary limit and finds nothing above it. Ask for the umbrella's schedule of underlying policies and confirm it expressly lists CGL, employer's liability, and auto. Don't accept "it follows form" on faith.

Professional liability / errors and omissions addresses the security-specific exposure of getting the judgment wrong — a guard who detains the wrong person, misses an obvious breach, or fails to follow post orders. Standard CGL often does not respond to pure professional negligence. But E&O is not something to demand reflexively: it is warranted for armed programs, roles with detention authority, alarm/monitoring or dispatch response, fire-watch, and similar high-judgment duties — not for a small unarmed lobby vendor who may not carry it at all. Demanding E&O from a vendor whose program doesn't need it contradicts the "match limits to the job" principle and can knock qualified small firms out of your search. Note that E&O is almost always written claims-made (see the explainer below), so a certificate showing it is not enough on its own — you need the retroactive date and tail terms right.

Cyber / privacy liability is increasingly a standard requirement for enterprise and property-manager buyers, and for good reason: a modern security vendor runs CCTV, access-control, license-plate readers, and visitor-management systems that continuously collect video and personally identifiable information about your tenants, staff, and visitors. A breach, leak, or misuse of that data is a real and growing exposure that standard CGL excludes. If the vendor holds your surveillance footage or badge/visitor records, require cyber/privacy coverage. Like E&O, it is usually claims-made.

State license / surety bond is a different instrument entirely, and it is covered in its own section below — but note it here so you don't mistake a bond for insurance or vice versa. Match all of these limits to what the engagement is actually worth; our security cost calculator and the guide to how much security costs help you size the contract before you dictate limits a small vendor genuinely cannot carry.

Claims-made vs. occurrence — the timing trap

Two coverage triggers exist, and the difference decides whether a certificate is worth anything after the contract ends. An occurrence policy covers an incident that happened during the policy period, no matter when the claim is filed — even years later. A claims-made policy only responds if the claim is first made and reported while the policy (or a tail) is active.

Rule of thumb: CGL, commercial auto, and workers' compensation are written on an occurrence basis; professional liability/E&O and cyber are almost always claims-made. For any claims-made coverage you require, insist on two things in writing:

  • A retroactive date on or before your contract start date. A claims-made policy excludes wrongful acts that occurred before its retroactive date — so if the vendor's retro date is later than when their work for you began, an early error is uncovered even though the certificate looks clean.
  • Tail coverage (an extended reporting period) at termination. When the vendor switches carriers, lets the policy lapse, or the engagement ends, a claims-made policy stops responding to new claims. A suit filed months after the job wraps — common for detention, privacy, or missed-breach disputes — finds no coverage unless a tail was purchased. Require the vendor to maintain the coverage, with the retro date intact, for a set period after the contract ends (commonly 1–3 years), or to buy an extended reporting period.
Tip: A common and costly mistake is holding an E&O certificate that lapses the day the contract does. Because E&O is claims-made, that certificate provides no coverage for a suit filed the following week over work done while the vendor was on your site. Put the survival period in the contract, not just on the COI.

Additional insured and waiver of subrogation — what they do (and don't do) for you

Two endorsements convert the vendor's policy from "their protection" into "also your protection." Both are created only by endorsement to the underlying policy — the certificate can report them, but the certificate alone never grants them.

Additional insured status extends the vendor's commercial general liability policy to defend and indemnify you — but understand exactly how far, because the modern form is narrower than many buyers assume. Under the current ISO ongoing-operations endorsement, CG 20 10 04 13 (and the newer 12 19 edition), the vendor's insurer covers you only for bodily injury or property damage "caused, in whole or in part, by" the vendor's acts or omissions — not for the vendor's operations broadly, and not for your own sole negligence. Two further limits apply: coverage extends only "to the extent permitted by law," and the amount available to you is capped at the lesser of the limits your contract requires or the limits actually available under the policy (spelled out explicitly in the 12 19 edition). This is a decades-long narrowing from the pre-2004 "arising out of" forms, which did cover the additional insured's own negligence — so do not assume a 1985-style breadth from a current endorsement.

There is one more gap that trips buyers up: CG 20 10 covers ongoing operations only. Once the vendor's work is complete, claims that surface later fall under completed operations — and most security disputes (a detention, a data breach, a missed-breach negligence suit) surface after the shift or the contract has ended. To close that gap you must require the companion completed-operations endorsement, CG 20 37, alongside CG 20 10. On an ACORD 25, look for the check in the ADDL INSD column next to each coverage line, and require that copies of the actual endorsements — CG 20 10 and CG 20 37, on the edition your contract specifies — be attached. Being merely a "certificate holder" carries no rights under the policy at all.

Waiver of subrogation stops the vendor's insurer, after it pays a loss, from turning around and suing you to recover. Without it, your own insurer can be dragged into a recovery fight. On the ACORD 25 this appears as a check in the SUBR WVD column. Confirm the waiver applies to all the coverages your contract requires — vendors frequently provide it for general liability but omit workers' compensation and auto. There is a mechanical reason WC is the one that goes missing: a workers'-comp waiver requires a separate endorsement (WC 00 03 13, "Waiver of Our Right to Recover From Others") that the vendor must affirmatively request and that carries an additional premium — in the assigned-risk market, NCCI sets it at 5% of the manual premium developed for the job, subject to a minimum charge (often $250). Because it costs extra and must be asked for, it is simply left off by default. One caveat before you treat its absence as bad faith: several states restrict or prohibit workers'-comp waivers of subrogation, so if the vendor operates in one of those states, the gap may be a matter of law, not evasion. Ask; don't assume.

Tip: For higher-value contracts, also require the additional-insured coverage be "primary and non-contributory." That means the vendor's policy pays first and pays alone for a covered claim, without asking your insurance to chip in — protecting your limits and your loss history. Be aware of how this works mechanically: ISO's standard Primary And Noncontributory—Other Insurance Condition Endorsement (CG 20 01 04 13) only makes the coverage primary and non-contributory when a written contract actually requires it. Put the requirement in your services agreement — don't rely on a checked box on the certificate.

Watch the limits behind the limits: SIR and shared aggregates

A certificate reading "$1M per occurrence / $2M aggregate" can be far hollower than it looks, in two ways that never appear on the ACORD 25 face.

Self-insured retention (SIR) or a large deductible. Some vendors carry a six-figure SIR, meaning they must self-fund the first slice of every claim before the insurer pays a dollar. A financially thin guard company may be unable to satisfy a $100,000 or $250,000 retention — and if they can't, the coverage above it may never trigger. For larger jobs, ask the size of any SIR or deductible, and weigh it against the vendor's balance sheet.

A shared, eroding aggregate. That $2M general aggregate is not dedicated to your site — it is the total the policy will pay across all of the vendor's clients for the policy year, and payments to any additional insured erode the same pool. A couple of large losses at other accounts can leave little or nothing for yours, mid-term, with no notice to you. Buyers of larger or higher-risk sites should require a per-project or per-location aggregate endorsement — CG 25 03 (designated construction project) or CG 25 04 (designated location) — which sets a separate aggregate limit for your engagement so another client's claims can't drain your protection. Note these endorsements apply to ongoing-operations aggregate only and must schedule your site specifically.

Cancellation and renewal — the biggest post-signing gap

Here is the trap that catches even careful buyers: the ACORD 25 no longer obligates the insurer to tell you if the policy is cancelled. Older certificates carried an "endeavor to mail ___ days written notice" line, but after state attorney-general litigation exposed it as largely illusory, ACORD stripped it (effective with the 2009/09 edition; mandatory by October 2010). The current form simply says notice "will be delivered in accordance with the policy provisions" — and because there is no contract between the insurer and a mere certificate holder, you have no legal right to notice of cancellation at all. A vendor's policy can lapse or be cancelled mid-term and the first you'd hear of it is after a loss.

Close the notice gap in the contract. The certificate won't protect you here, so your services agreement must. Require the vendor (and, ideally, its broker) to give you written notice of cancellation or non-renewal — commonly 30 days, or 10 days for non-payment of premium — of any required policy, and to deliver a renewal COI before each policy's expiration. Make continued coverage an ongoing contractual obligation, not a one-time proof at signing. Where available, also ask the broker whether a notification-of-cancellation endorsement can be added to the underlying policy in your favor.

How to read and verify a COI

Do not treat a certificate as verified simply because a PDF landed in your inbox. Run this checklist:

  • Confirm it is a genuine ACORD 25. "ACORD 25" should be printed in the bottom-left corner, with the standard ACORD branding on the form. Coverage fields should be filled by a professional — blanks where there is no coverage rather than stray "$0" or "N/A" marks, and the business name (not an individual's name) in the insured box.
  • Check the dates. Every policy's effective and expiration dates must be current, and coverage should not lapse mid-contract. Set a calendar reminder to collect a fresh certificate at each renewal.
  • Match the legal entity. The named insured must be the exact legal entity you are contracting with — the same name that will appear on your services agreement and invoices, spelled correctly. A mismatched or "d/b/a" name can void your protection in a claim.
  • Confirm the endorsements are attached, not just checked. The ADDL INSD and SUBR WVD boxes are self-reported. Require the actual endorsement pages — CG 20 10 and CG 20 37 for additional insured, the applicable waiver forms — and check the edition dates against what your contract specifies.
  • Confirm the carriers are real and rated. Verify each insurer through the NAIC (National Association of Insurance Commissioners) directory and check that it is licensed in your state; many buyers also require an AM Best financial strength rating of "A-" or better.
  • Validate with the issuing agent. The most decisive step: call the agent or broker named on the certificate to confirm the policies, limits, dates, and endorsements are actually in force — but look up their phone number independently from the carrier's or agency's official website rather than trusting the number printed on the document. Fraudsters sometimes list a confederate's number. Where possible, accept certificates directly from the agent rather than from the vendor.

Red flags: the fraud and forgery tells

The verification checklist above catches coverage gaps. This list is narrower: the signs a certificate has been doctored or is being used to paper over something. Treat any of these as a reason to slow down and confirm with the agent directly.

  • Dates, limits, or names that sit off-center or in a different font from the rest of the form — the classic tell that an old certificate was altered in a PDF editor.
  • "$0," "N/A," or "None" typed into a coverage amount where a professional would leave the field blank — a sign the certificate was filled out by the vendor, not the agent.
  • Conditional weasel-wording such as "additional insured if required," "waiver may apply," or "coverage subject to policy terms" in the description box — language that quietly negates the endorsement it appears to grant.
  • Contact details that route to the vendor rather than to a real, independently verifiable insurance office — or an agent who is evasive, defers to the vendor, or can't confirm the endorsements when you call.
  • A certificate that arrives only from the vendor and never from the agent, especially paired with pressure to start before you've verified.
Tip: Don't reject a certificate over a single cosmetic typo from a reputable broker — treat visual irregularities as a prompt for deeper verification, not automatic disqualification. The goal is a confirmed policy, not a perfect PDF.

Subcontracted and staffing-agency guards

If your vendor subcontracts guards or fills posts through a staffing agency, the certificate you're holding may not respond to the people actually on your site. The vendor's own CGL typically covers the vendor's employees and operations — not the acts of an independent subcontractor's personnel, who carry (or lack) their own coverage. A wrongful-detention or assault claim involving a subcontracted guard can fall straight through the gap between the two policies.

Protect yourself two ways in the contract: require the vendor to warrant that all personnel placed on your site — employees and subcontractors alike — are covered under acceptable insurance, and require the vendor to flow down equivalent insurance, additional-insured, and waiver requirements to any subcontractor and to collect and hold those subs' certificates. Then ask, plainly, whether any guards on your account are subcontracted, and get certificates for those firms too.

Surety and license bonds are not insurance

Many states require a licensed guard company to post a surety bond as a condition of licensure — commonly in the $10,000 range, though amounts run from about $2,500 to $100,000 depending on the state and whether the program is armed. It is easy to see a bond referenced and assume the compliance box is ticked, but a bond and a liability policy are fundamentally different instruments:

  • A surety bond is a three-party guarantee (the vendor, the state, and the surety) that the vendor will operate lawfully and honestly; it protects the public and clients from misconduct or theft. Crucially, when the surety pays a claim, the vendor must reimburse it — the vendor remains ultimately on the hook.
  • Liability insurance protects the business itself against covered losses, and the insurer generally does not seek repayment.

A bond is therefore not a substitute for a COI, and a COI is not proof of bonding. A handful of states (Virginia, for example) let a company satisfy the licensing requirement with a bond or liability insurance, which is exactly why you should verify both independently rather than infer one from the other. Confirm the vendor's state license and bond status through the licensing body directly — start with how to verify a security company license.

How this fits your security contract

The COI proves coverage today; your contract is what obligates the vendor to keep it and to protect you if it lapses. A well-drafted security services agreement should specify the required coverages and limits, name you as additional insured (CG 20 10 and CG 20 37) on a primary and non-contributory basis with waiver of subrogation, require workers' comp, obligate the vendor to deliver renewal certificates before each expiration and give notice of cancellation, and add an indemnification clause that survives independent of the insurance. The article-length advice to "put it in the contract" is only useful if you know roughly what that language looks like — so here is a compact model to adapt with your counsel:

Sample contractual insurance clause (adapt with counsel)

Required coverage. Vendor shall, at its own expense, maintain throughout the term and any survival period: (a) Commercial General Liability, $1,000,000 per occurrence / $2,000,000 aggregate, without exclusion for security operations, assault and battery, or firearms (for armed programs); (b) Workers' Compensation at statutory limits and Employer's Liability of $1,000,000; (c) Commercial Automobile Liability, $1,000,000 combined single limit, including hired and non-owned auto; (d) Umbrella/Excess Liability of $[amount], scheduling the CGL, Employer's Liability, and Auto policies as underlying; and (e) where applicable, Professional Liability/E&O and Cyber/Privacy Liability of $[amount] on a claims-made basis, with a retroactive date on or before the Effective Date, maintained (or with an extended reporting period) for [3] years after termination.

Additional insured & primary/non-contributory. Client and its [affiliates/owners/managers] shall be named as additional insureds on the CGL for both ongoing operations (ISO CG 20 10 or equivalent) and completed operations (ISO CG 20 37 or equivalent), on a primary and non-contributory basis (ISO CG 20 01 or equivalent).

Waiver of subrogation. Vendor shall obtain a waiver of subrogation in Client's favor on the General Liability, Automobile, and, where permitted by law, Workers' Compensation (WC 00 03 13 or equivalent) policies.

Notice of cancellation. Vendor shall provide Client at least thirty (30) days' written notice (ten (10) days for non-payment of premium) of cancellation, non-renewal, or material reduction of any required policy, and shall deliver renewal certificates and endorsements before each expiration.

Subcontractors. Vendor warrants that all personnel placed at Client's premises are covered by the required insurance and shall flow down equivalent insurance, additional-insured, and waiver obligations to any subcontractor or staffing agency.

Survival of indemnity. Vendor's indemnification obligations survive termination and are independent of, and not limited by, the insurance required above.

Read the COI and the contract together — deeper guidance lives in our overview of security guard contracts and insurance and the step-by-step guide to how to hire a security guard company.

Insurance is one leg of vendor due diligence, not the whole stool. Also confirm the company and its officers hold the right state license and bond — start with how to verify a security company license and, for armed work, the armed guard requirements in your state. When you have your requirements set, browse vetted security companies and ask every finalist for a current ACORD 25 up front — the ones that produce a clean, verifiable certificate without friction are usually the ones you want guarding your property.

Frequently asked questions

Does being named as an additional insured cover me for my own negligence?+
No. The modern ISO endorsement most vendors carry — CG 20 10 04 13 (and the 12 19 edition) — covers you only for injury or damage 'caused, in whole or in part, by' the vendor's acts or omissions, and only 'to the extent permitted by law.' It does not cover your own sole negligence, and the amount available to you is capped at the lesser of the limits your contract requires or the limits actually on the policy. It's real protection, but narrower than the pre-2004 'arising out of' forms — so don't assume broad coverage.
Why do I need both CG 20 10 and CG 20 37 endorsements?+
CG 20 10 makes you an additional insured for the vendor's ONGOING operations only. Once the work is done, later claims fall under completed operations, which CG 20 10 no longer covers. Because most security disputes — a detention, a data breach, a missed-breach negligence suit — surface after the shift or contract ends, you need the companion completed-operations endorsement, CG 20 37, alongside it. Requiring only CG 20 10 leaves post-engagement claims uncovered.
The ACORD 25 says notice of cancellation is 'in accordance with policy provisions' — will I be warned if the vendor's coverage lapses?+
Not by the certificate. After state litigation, ACORD stripped the old 'endeavor to mail 30 days notice' language (effective 2009/09, mandatory October 2010). As a mere certificate holder you have no contractual right to cancellation notice from the insurer. The only reliable fix is to require notice contractually: have the vendor (and ideally its broker) agree to give you 30 days' written notice of cancellation or non-renewal — 10 days for non-payment — and to deliver renewal certificates before each expiration.
When should I actually require professional liability (E&O) from a security vendor?+
When the program involves real judgment or authority — armed guards, detention authority, alarm/monitoring or dispatch response, or fire-watch. A small unarmed lobby vendor often doesn't carry E&O, and demanding it can knock qualified firms out of your search for no benefit. When you do require it, remember E&O is almost always claims-made: insist on a retroactive date on or before your contract start and tail/extended-reporting coverage after it ends, or a lapsed certificate will provide no coverage for a later suit.
Is a surety bond the same as the vendor's liability insurance?+
No — they're different instruments and one doesn't substitute for the other. Many states require licensed guard companies to post a surety bond (commonly around $10,000, ranging roughly $2,500–$100,000) as a condition of licensure. A bond is a three-party guarantee of lawful conduct that protects the public, and the vendor must reimburse the surety for any claim paid. Liability insurance protects the business itself and isn't repaid. Verify both independently — a clean COI is not proof of bonding, and a bond is not proof of insurance.

Share this guide

Need to hire a security company?

Get free quotes from licensed security companies in your area.

Get free quotes