Ecommerce Business Insurance Audit: A CFO's Annual Checklist (2026)

Most renewal advice tells you to start shopping carriers. Do that without an ecommerce business insurance audit first and you lock last year’s coverage gaps in for another 12 months. This audit runs 90-120 days before renewal, covers six checkpoints, and produces three deliverables before any quoting starts.

At $1M-$100M revenue scale, the quote-shopping approach hands the broker the calendar, the deliverables, and the narrative. A genuine annual review of business insurance flips that: the CFO drives the process and hands the broker a finished package.

When to start the ecommerce business insurance audit (90-120 days before renewal)

Start the audit 90-120 days before renewal. Programs at scale need 60 days of broker work plus 30 days of carrier underwriting, and anything tighter than 90 days forces a one-quote renewal because there isn't time to market the program to alternate carriers.

The broker's 60 days splits into three roughly 20-day stages: exposure refresh and application prep, then market strategy and target carrier selection, then submission packaging. The 30 days of underwriting covers carrier review, follow-up questions, and final quote release. Compressing either side reduces the count of viable carriers by roughly the same proportion.

Anchor the calendar to the policy expiration date. A renewal effective on November 1 means the audit kicks off no later than August 1 and the broker receives the deliverables by September 1. What happens when a business insurance program lapses explains what a lapsed program costs when the calendar slips.

Refresh exposure data: revenue, payroll, COGS, 3PL footprint

The first step in the ecommerce insurance checklist is refreshing the five exposure inputs that underwriters use to price the risk: trailing twelve-month revenue, payroll by role, cost of goods sold, 3PL and warehouse footprint, and SKU count by product category.

Stale exposure data is the most common cause of a mid-cycle premium adjustment. That's the bill the carrier sends when it discovers your actual exposure was larger than the application said. If your application said $5M revenue and you actually did $12M, the carrier sends a bill for the difference.

Where to pull each input from

Pull the data from the source systems, not from last year's application. Revenue should come straight out of the accounting system as a TTM split across DTC (direct-to-consumer), marketplace, and wholesale channels. Pull payroll from the HR system by role, because warehouse and customer service hours price differently from corporate hours.

COGS lives in the inventory system, ideally broken out by country of origin. That detail matters because manufacturer changes trigger product liability re-underwriting. The most underreported input is the 3PL footprint: location count, square footage, and peak inventory value all feed property and stock throughput limits.

SKU count by product category flags new categories carriers consider high-risk (children's products, ingestibles, electronics with batteries). Tag any new category clearly so the broker can flag it on the submission rather than letting it surface in the underwriter's questions. How carriers classify ecommerce risk categories breaks down which categories carriers flag.

Reconcile the schedule of insureds against current legal entities

New holding companies, dissolved subsidiaries, and acquired brands routinely fall off the schedule of named insureds. Those entities then operate without coverage on a policy the rest of the group relies on. The insurance program review reconciles that schedule against the current legal entity chart. Pull the entity list from the cap table or operating agreement, not from the broker's records.

Walk every policy line by line: general liability, product liability, property, cyber, D&O, EPLI, and any specialty coverage. Each entity doing business under its own name needs to appear on the schedule, and so does every DBA and assumed name. Schedule-of-insureds reconciliation is the most commonly skipped checkpoint in ecommerce programs, and newly formed IP-holding entities and acquired brands are the two patterns that surface most often.

Where the schedule typically breaks

Two failure modes show up most often:

• A recently formed IP-holding entity owns trademarks but never made it onto the GL schedule. That leaves the entity exposed in any IP-related counterclaim.
• A brand acquired during the year whose own commercial program was canceled at close, on the assumption that the parent program covered the new entity. It usually doesn't until the schedule is updated.

Dissolved entities also need to come off the schedule. Carrying coverage on a dissolved entity wastes premium and can complicate any historical claim that surfaces later.

Pull limits against the benchmarks

A limit is right-sized in the ecommerce insurance checklist when three reference points agree: the current limit schedule, the contractual minimums from every marketplace, retail account, and lender, and the typical range for the brand's revenue band. Where they don't agree, flag the gap and hand it to the broker.

Walk those three lists side by side. Any line where the current limit sits below a contractual demand is a breach the moment the policy term changes. Hand the gap list to the broker for the new program design, and point the broker at when to raise insurance limits as the brand scales for the trigger framework.

For the cost ranges at each revenue band, see what ecommerce insurance typically costs at $1M-$100M revenue.

5-year loss-run review for the ecommerce insurance audit

What does the last five years of claims tell the next carrier about this program? Pull the 5-year loss run from each in-force carrier for the commercial insurance renewal preparation. The audit looks for three things on every line:

• Any single claim that consumed more than 25% of a per-occurrence limit (severity flag).
• Any pattern of repeated claim type, like multiple slip-and-fall incidents at one 3PL location (frequency flag).
• Any open claim still on reserve that will follow the program into the new term (carry-forward flag).

Picture a $40M revenue brand carrying a $1M per-occurrence GL limit. A single $300K product liability claim eats a quarter of that limit, which flags severity. Meanwhile, three slip-and-fall claims at the same 3PL surface as a frequency pattern even though each settled under $25K. Together those two findings build the underwriting narrative, and the broker needs to frame them before the underwriter assembles the picture independently.

Briefing the broker on the loss narrative

Request loss runs 30 days before the audit window opens. Most carriers turn them around inside one to two weeks. The audit uses the loss run for risk classification on the next submission, not for learning how to read the document. For the step-by-step mechanics, see how to read a loss run report.

Use the audit findings to brief the broker on the underwriting narrative. A pattern the broker can frame proactively tells a different story than one the underwriter discovers on their own. Most renewal timelines I've seen are too compressed for this step, which is exactly why the loss run request should go out early.

The loss run also feeds the broker performance review, because claims advocacy is one of the things that review scores. What drives premium changes at renewal digs into the loss-ratio math.

Vendor and marketplace contract requirements check

The ecommerce insurance checklist must verify every contract that requires the business to maintain coverage. Marketplaces, retail accounts, 3PLs, lenders, and landlords all impose limit and additional insured requirements. An additional insured is a third party named on your policy who receives coverage for liabilities arising out of your operations.

If a customer sues your retail buyer over a product you supplied, the buyer can tender that claim to your GL policy as an additional insured. A single missed requirement becomes a contractual breach the moment the policy term changes.

Amazon, Walmart, and most vertical-specific channels publish requirements on a seller policy page. Those pages update mid-year. The changes rarely trigger a broker notification. Sort the rest of the contract list by type:

• Retail account requirements live inside the master vendor agreement plus any addendum. Costco and Target are the usual benchmarks; regional retailers vary widely.
• 3PL agreements specify warehouse legal liability minimums, often with cargo and bailee coverage flow-through requirements.
• Lender covenants include insurance maintenance with named additional insured language, typically buried in a schedule to the credit agreement. The NAIC publishes model cancellation and non-renewal notice standards that affect how quickly a lender learns of a policy change.
• Landlord leases require building coverage for any fitout, plus additional insured wording on the GL.

Each contract can demand a limit, additional insured wording, a notice-of-cancellation clause, or certificate-holder distribution. Compare those demands against the current program and flag any mismatch for the broker.

Most contract partners accept the standard ACORD certificate. Flag any certificate the current broker had to build by hand last year. That manual process repeats at the next term and slows compliance delivery.

Broker performance review

The annual review of business insurance isn't complete without scoring the broker. Most brokers treat this step as a formality, which is exactly why the CFO should own it. Score on three axes:

• Which carriers were approached, who declined, and why.
• Response times on claims, quality of claims advocacy, and certificate turnaround speed.
• Fee or commission disclosure, and whether the broker provided net-of-commission quotes without being asked.

Score each axis against last year's renewal outcome. Market access scores well when the broker brought multiple competitive quotes from carriers that fit the program.

For service, the question is concrete: did claims get triaged within 48 hours, and did certificates reach contract holders without a chase email? On economics, the bar is whether the broker volunteered the compensation breakdown unprompted.

Document the score in the renewal strategy memo. A deliberately documented score sets the tone for the renewal conversation, and the broker reads it as a peer review.

If the score triggers a broker change, run the RFP in parallel with the renewal, not after. A flat-fee broker model removes the carrier-steering incentive that biases the very review the CFO is trying to run. For the full scoring framework, see the 12 pre-renewal questions to ask your broker.

The mechanics of switching brokers without disrupting the renewal calendar are in when to switch your broker, and how.

Outputs: marked-up application, coverage gap list, renewal strategy memo

The ecommerce business insurance audit produces three deliverables before any quote request goes out.

The first is a marked-up insurance application. The data from the exposure refresh goes into the standard ACORD format, and every field gets a fresh number from the source systems.

The second is a coverage gap list ranked by severity. Each gap names its contractual driver and a remediation cost estimate. The board sees trade-offs in business terms, not insurance jargon.

The third is a one-to-two-page renewal strategy memo. It names target carriers (incumbent and alternates), sets the premium ceiling and the broker's action dates, and defines success criteria.

How the audit plays out in practice

A $35M revenue DTC brand ran this audit 100 days before their third renewal. The exposure refresh surfaced a problem: revenue had grown 60% since the last application, but the broker hadn't updated the inputs. The schedule-of-insureds reconciliation found two recently formed IP-holding entities that were missing. And the limits check flagged that the per-occurrence GL limit sat below a new retail account's contractual minimum.

The CFO handed the marked-up application, gap list, and strategy memo to the broker at day 90. The renewal came back with corrected limits, three carrier quotes instead of one, and a documented audit trail the lender's compliance file picked up at the next quarterly review.

Hand-off and timing

The hand-off kicks off the broker's clock: 60 days of market work, then 30 days of carrier underwriting. The broker confirms receipt and returns a preliminary market strategy within two weeks.

Coverwatch runs this 90-120 day audit alongside scaling ecommerce brands and produces all three documents in shared folders. The program goes out to 35+ carriers on a flat-fee basis, so carrier selection isn't biased by commission. For more on how that works, see ecommerce insurance for scaling brands.