Why M&A Insurance Due Diligence Is Riskier Than Your Deal Team Knows
In 2025, 63% of private M&A transactions used representation and warranty insurance — a policy designed to protect buyers from post-closing surprises. But RWI creates a paradox that most deal teams haven't confronted: the underwriter reviews your due diligence process before binding coverage. If your insurance review was superficial, the policy can exclude exactly the claims you bought it to cover. And insurance due diligence, by the structural logic of how M&A deals are staffed, is the workstream most likely to be superficial — not because lawyers don't care, but because the workflow has been designed for failure since the first certificate hit the virtual data room.
Key Takeaways
- Every mid-market deal burns 15 hours of associate time typing COI fields into a spreadsheet — a $7,500 task that contains zero legal analysis.
- When a rushed insurance review covers 40 of 400 certificates and a gap surfaces post-closing, the question shifts from what the seller failed to disclose to what your firm failed to find.
- Remove the transcription bottleneck — 300 certificates processed in 25 minutes instead of 15 hours — and the reviewer analyzes risk from day one rather than transcribing data until midnight before closing.
The Documents Hidden in Plain Sight
Every M&A virtual data room — the secure online repository where a seller deposits thousands of confidential documents for buyer review — has the same folder structure. Financial Statements. Material Contracts. Intellectual Property. Litigation. Regulatory. And Insurance.
The Insurance folder is rarely the first one opened. It is almost never the one that gets the most hours. But it consistently contains the highest density of unread data points per page of any folder in the deal room. A certificate of insurance is a single-page form — typically an ACORD 25, 27, or 28 — that summarizes the existence, limits, and carrier of an insurance policy. For a mid-market target company with 300 to 800 employees and operations across multiple states, the Insurance folder contains between 200 and 500 of them. General liability. Umbrella and excess. Directors and officers. Cyber. Employment practices. Auto. Workers' compensation. Environmental. Professional liability. Product liability. Key man life. Each one on a different carrier's form, from a different agency, generated by a different agency management system with a slightly different layout.
The certificate is not the policy. It is evidence that a policy exists — a summary prepared by an agent, not the carrier. The underlying policy document, with its actual terms, exclusions, and endorsements, sits elsewhere. But the certificate is what the review team sees first, and what the review team must extract data from to build the coverage matrix — a spreadsheet mapping every policy, every limit, every deductible, every expiration date — before the real analysis can begin. COI extraction is the prerequisite step for everything that follows.
The problem is not that lawyers can't read a COI. It's that reading one COI is easy. Reading 300 is a data-processing problem disguised as a legal review task. And the legal profession's tools for data processing — a PDF viewer, a spreadsheet, and a junior associate's billable hours — were built for a different century.
The Economics of Data Entry at $450 an Hour
A certificate of insurance contains roughly 15 fields that matter for M&A due diligence: named insured, producer or agency, each carrier name and NAIC number, policy type, policy number, effective date, expiration date, per-occurrence limit, aggregate limit, deductible or self-insured retention (SIR), additional insured status, waiver of subrogation, certificate holder, and notice of cancellation terms. For umbrella and excess policies, the same limit structure repeats with different numbers. For a detailed breakdown of which fields matter and why, see our guide to COI extraction for M&A due diligence.
At three minutes per certificate for extraction alone — and that is an optimistic pace that assumes a clean ACORD 25 with no layout surprises, no scanned copies rotated at odd angles, no handwritten margin notes — 300 certificates consume 15 hours of pure data entry. No analysis. No coverage assessment. No gap identification. Just transcription.
At a mid-level associate billable rate of $350 to $500 per hour — rates consistent with the Cravath scale that sets compensation benchmarks across AmLaw 200 firms — those 15 hours cost $5,250 to $7,500 in billable time. For one deal. For the work product of moving text from a PDF into a spreadsheet.
And that is only the entry cost. The analysis — comparing coverage against industry benchmarks, identifying expiration dates that fall inside the deal timeline, flagging carriers with AM Best ratings below the buyer's risk tolerance — consumes another 25 to 45 hours. The extraction step is a toll booth between the reviewer and the work the client is actually paying for. Every hour spent transcribing COI fields is an hour not spent on the risk assessment that feeds into the purchase agreement's representations and warranties.
The billable-hour framing makes this deceptively easy to ignore. The associate enters the time. The client pays the invoice. The deal closes. The system appears to work. But when a law firm's competitive advantage is supposed to be expertise — the ability to spot risks a non-lawyer would miss — a workflow where a third of the review time is consumed by data entry is not a functioning system. It is a structural subsidy: the client pays for legal judgment and receives, for a substantial portion of the hours billed, data processing performed by someone whose training is in contract interpretation, not transcription accuracy.
Why Every Deal Starts from Scratch
Construction firms have the same COI tracking problem, and they solved the reuse question years ago. When a general contractor reviews the insurance certificates for its subcontractors, it builds a vendor database. The same subcontractors appear deal after deal. The same carriers, the same policy types, the same coverage patterns. Once a subcontractor is in the system, the next renewal certificate is an update, not a cold read. This is why construction COI tracking software — which automates compliance checks against contract requirements — works. The problem is repetitive across a stable vendor set. We explored the limits of this model, and even in construction, manual spreadsheets break at about 50 subcontractors.
M&A insurance due diligence has the opposite structure. Every deal involves a different target company with a different set of carriers, a different insurance broker, and a different history of claims, lapses, and renewals. The law firm representing the buyer may have done 47 deals in the last three years. But for insurance purposes, deal 48 is starting from zero. The coverage matrix from deal 47 is useless. The carrier ratings the team memorized during deal 47 are irrelevant. The junior associate who transcribed 300 certificates for deal 46 left for an in-house position 18 months ago, and the associate who replaced her has never opened an Insurance folder.
This is not a failure of organization. It is a structural property of M&A: each target is a unique risk profile. But the task — extracting 15 fields from a COI and populating a spreadsheet — is identical across deals. The document type is the same. The data structure is the same. The output format is the same. What changes is the content of each field, not the act of locating and transcribing it. And because law firms have no mechanism for carrying extraction intelligence across transactions, every deal pays the same entry cost from the same starting line.
The cost of this reset is not just the 15 hours of transcription. It is the absence of institutional knowledge about carrier behavior. A law firm that has reviewed 2,000 certificates across 14 deals has, buried in its billing records and deal files, a database of which carriers consistently provide clean ACORD forms and which ones consistently issue non-standard certificates with limits buried in paragraph text. That knowledge, if surfaced, would let the next deal team prioritize the hard certificates and process the clean ones quickly. Instead, every associate discovers the same carriers are a problem, on the same types of deals, entirely from scratch.
No law firm would structure its contract review process this way — reading every supply agreement as if it were the first one the firm had ever seen. But insurance review, because it falls outside the traditional legal knowledge management framework, operates exactly like that.
The Orphan Hour — When Insurance Review Gets 48 Hours Before Closing
M&A due diligence follows a hierarchy that everyone in the deal room understands but nobody puts in writing. Financial due diligence comes first — the buyer needs to verify that the revenue and EBITDA supporting the valuation are real. Legal due diligence follows — the corporate structure, material contracts, IP assignments, and litigation exposure. Tax, regulatory, environmental, and HR due diligence run in parallel, each with their own specialist teams and their own deadlines.
Insurance due diligence occupies the bottom of this stack. It is almost never staffed at the start of the exclusivity period. It is typically assigned after the financial and legal workstreams have already consumed two-thirds of the diligence timeline. By the time the reviewer opens the Insurance folder, the deal team is often running on three or four weeks of accumulated fatigue, the closing date is visible on the calendar, and the question shifts from "what does this portfolio tell us about the target's risk profile?" to "is there anything in here that will blow up the deal?"
This timing problem is not an accident of poor project management. It is built into how M&A workstreams are valued. Financial due diligence produces a deliverable that directly affects the purchase price. Legal due diligence produces a deliverable that directly affects the representations and warranties. Insurance due diligence produces a deliverable — the coverage matrix — that is an input to someone else's deliverable. Its visibility inside the deal team is low until its output is missing, at which point the senior partner asks why the insurance review isn't done and the associate explains that the folder had 400 certificates and she got it three days ago.
The ABA's 2025 Private Target M&A Deal Points Study reports that 63% of private transactions now use representations and warranties insurance, up from 55% in 2023 and 29% in 2016. This rise means insurance due diligence quality now has a direct commercial consequence it didn't have a decade ago: the RWI underwriter reviews the buyer's diligence process and can exclude coverage for risks the buyer's review should have found. If the buyer's insurance team reviewed 40 certificates out of 400 because they ran out of time, the underwriter can reasonably conclude that the buyer did not conduct adequate insurance due diligence — and exclude insurance-related losses from RWI coverage entirely. (IBA Legal Due Diligence Handbook)
The structural result is that the workstream with the least time allocated is also the workstream whose quality most directly determines whether the insurance the buyer bought will actually pay out. It is a diligence Catch-22: the less time you spend on insurance review, the more you need RWI to catch what you missed — but the less time you spend, the more likely RWI is to exclude exactly those losses.
What Happens When a Coverage Gap Survives Closing
Post-closing insurance disputes follow a predictable cascade, and it almost always starts with something the certificate review should have flagged.
The gap. The most common discovery is an expiration date that falls between signing and closing — a coverage window the buyer inherited without realizing the policy lapsed before the deal was done. Aon's transaction advisory practice identifies this as one of the most frequent findings in post-close insurance audits. Other common gaps: a carrier whose AM Best financial strength rating — the insurance industry's equivalent of a credit rating, ranging from A++ (Superior) to D (In Default) — falls below the buyer's risk tolerance; a claims-made D&O policy with no tail coverage provision, meaning claims from pre-closing conduct reported after closing have no insurance at all; and deductibles or self-insured retentions large enough to constitute material uninsured balance-sheet exposure that the financial due diligence model didn't capture.
The claim. A loss event occurs post-closing — a product liability claim, an employment practices lawsuit, a data breach — and the buyer discovers that the policy it thought covered the exposure had either expired, been cancelled, or carried a retention so large the carrier paid nothing. The buyer notifies the seller of a breach of the insurance representation in the purchase agreement.
The RWI denial. The buyer files a claim under its RWI policy. The RWI underwriter examines the buyer's due diligence records and finds that the insurance review covered a fraction of the certificates in the data room, or that the coverage matrix the review team produced contained errors — wrong policy numbers, transposed limits, dates off by a month — that would have been caught with a full-population review. The underwriter denies coverage, citing the policy's exclusion for losses arising from inadequate diligence. RWI claim denial rates are not publicly reported by individual carriers, but the Lowenstein Sandler RWI Claims Report found that across the study population, the most frequently cited grounds for claim disputes involved the scope of the buyer's pre-closing diligence.
The malpractice exposure. With no seller indemnity (because the RWI deal structure capped seller liability at the retention amount — typically 0.25% to 0.50% of transaction value on RWI deals, per the ABA 2025 study) and no RWI recovery, the buyer's loss is uninsured. The buyer's next call is to its own counsel: did the firm conduct adequate insurance due diligence? Did the coverage matrix the firm produced accurately reflect the certificates in the data room? If a single missed expiration date or misread deductible materially affected the buyer's understanding of the target's insurance position, the question shifts from "what did the seller fail to disclose?" to "what did our lawyers fail to find?"
The case of American Forest Holdings v. Marsh — while arising from a broker relationship rather than legal counsel — illustrates the magnitude of what a missed insurance provision can cost. A change-in-control clause in a D&O policy went unaddressed during a merger, terminating coverage for post-close events and creating a $20 million coverage gap that was discovered only when a large loss was incurred. The underlying principle applies to any professional services firm conducting insurance due diligence: missing a coverage trigger can turn a fully insured exposure into an uninsured liability whose cost dwarfs the fees earned on the transaction.
The malpractice risk in M&A insurance due diligence is not that a lawyer misreads a policy term. It is that the volume of data forces the review from inspection to triage, and triage at scale produces gaps that look like negligence when viewed through the lens of a single missed field.
The Path Out — Why This Workflow Has a Better Ending
The structural problems outlined above — the billable-hour absurdity, the deal-to-deal reset, the last-48-hours squeeze, the cascading liability — all trace back to the same bottleneck: the act of manually transcribing data from a certificate into a spreadsheet is the task that starves the analysis of time. Solve that bottleneck, and the rest of the workflow rebalances.
Newer AI-based extraction tools approach COI reading differently from the position-based OCR that traditional template systems use. Template OCR memorizes where each field sits on the page — "Policy Number" at coordinates (x=340, y=280) — and fails quietly when a different agency's certificate places it elsewhere. Semantic extraction — where the AI reads the document by understanding what each piece of text means rather than where it sits — identifies a policy number regardless of whether it appears on the left, right, or middle of the page. Because semantic extraction does not depend on field coordinates, it handles the format diversity of a deal-room Insurance folder — 40 different agencies producing certificates in 40 different layouts — without per-agency setup. For the foundational explanation of how this works, see our step-by-step M&A COI extraction guide.
What removes the hours from the workflow is batch processing — the ability to upload all 300 certificates at once and receive one coverage matrix as output. At 5 to 10 seconds per certificate, a full extraction run completes in approximately 25 to 50 minutes — 15 hours of transcription compressed into less than an hour of machine time. The reviewer still needs to verify output, interpret coverage adequacy, and translate gaps into deal terms. But the reviewer is now practicing law from the start — analyzing risk, not transcribing data. The same analysis that previously consumed 40 to 60 hours of combined transcription and review time can now begin within the first hour of the reviewer opening the Insurance folder.
This changes the timing equation that drives the entire problem. When insurance review can start producing analysis on day one of the diligence period instead of day 28, it becomes a parallel workstream instead of a last-minute fire drill. The RWI underwriter sees a full-population coverage matrix, not a sample from the 40 certificates the reviewer had time to open. And the law firm — while it still cannot reuse the matrix from a previous deal — can at least run the extraction on the current deal without burning billable hours that belong on analysis, not data entry.
None of this eliminates the need for legal judgment. Determining whether a $2 million general liability limit is adequate for a chemical manufacturer — as opposed to a software company — requires industry knowledge that extraction software does not have. Interpreting whether an additional insured endorsement on a COI corresponds to a CG 20 10 (ongoing operations only), a CG 20 37 (completed operations), or a CG 20 33 (automatic for contractually required parties) requires reading the underlying policy language that isn't on the certificate. Translating a coverage gap into a specific contractual protection — a pre-closing covenant requiring tail coverage, a special indemnity for an underinsured exposure — is the deal lawyer's irreplaceable skill.
What changes is that none of those judgment tasks need to wait for 15 hours of data entry to be completed first. The extraction step that used to be the toll booth becomes a five-minute setup. The analysis starts when the reviewer is fresh, not when the reviewer is exhausted from transcribing her 200th certificate at 11 PM on the Thursday before closing. The same extraction approach that transforms logistics COI tracking works in the M&A context — the document type is the same, only the stakes are higher.
FAQ: Insurance Due Diligence Risk in M&A
Does RWI eliminate the need for thorough insurance due diligence?
No — RWI increases the need for thorough insurance due diligence. RWI underwriters review the buyer's diligence process and can exclude losses from coverage if the buyer's review was insufficient. In the 2025 ABA Deal Points Study, 63% of private transactions used RWI, and the standard underwriter questionnaire specifically asks whether the buyer conducted full-population review of the target's insurance portfolio. Sampling 40 certificates out of 400 because the team ran out of time is exactly the kind of diligence gap that can void RWI coverage for insurance-related claims.
How many certificates does a deal-room Insurance folder actually contain?
For a mid-market target with 300 to 800 employees and multi-state operations, 200 to 500 certificates is typical. This includes primary-layer policies, each umbrella and excess layer, state-specific filings where the target is qualified in multiple jurisdictions, and ancillary coverage lines like cyber, crime, and employment practices. Targets in regulated industries (healthcare, financial services, energy) or with international subsidiaries routinely exceed 1,000 certificates once foreign local policies are included.
How often do manual COI reviews contain errors?
Academic research on manual data entry accuracy in document-intensive workflows has found that after roughly 100 repetitions of the same extraction task, field-level error rates climb from approximately 2% to over 8%. At 300 certificates and 15 fields each, that is 4,500 individual data points — and an 8% error rate means roughly 360 fields are wrong. A single transposed expiration date or missed deductible figure can create a material coverage gap. The error is not caused by the reviewer's incompetence — it is caused by the task design, which demands consistent precision at a volume that human attention was not built to sustain.
Can AI extraction handle non-standard COI formats from regional agencies?
Yes, because semantic extraction reads by field meaning rather than field position. Whether the certificate is a standard ACORD 25, a legacy ACORD 27, a proprietary form from a surplus-lines broker, or a scanned policy declarations page being treated as a certificate by the target's agent, the AI identifies fields by their semantic role — "this is a policy number," "this is an expiration date" — rather than by memorized coordinates on a specific form layout. There is no template to build and no training data to supply per agency. This format-independence is why the same extraction tool can process 300 certificates from 40 different agencies without per-agency configuration.
What does extraction software still not replace?
Three things: coverage adequacy assessment (is a $2 million per-occurrence limit enough for this industry?), endorsement interpretation (the certificate says "additional insured — yes," but the underlying endorsement form — CG 20 10, 20 37, or 20 33 — determines the scope of that coverage), and gap-to-rep translation (a gap in D&O tail coverage becomes a pre-closing covenant in the purchase agreement — that legal judgment is irreplaceable). Extraction produces the data that reveals the gap. The deal lawyer produces the contractual protection that closes it.
The Risk That Doesn't Show Up on the Invoice
The most dangerous part of manual COI review in M&A is not the $7,500 in billable hours the client pays for transcription. It is that the bill gets paid, the deal closes, and everybody walks away believing the insurance review was complete — because the associate entered her time, the partner reviewed the coverage matrix, and the purchase agreement contains the standard insurance representations. The gap that wasn't found — the policy that expired between signing and closing, the carrier whose rating fell below investment grade six months before the deal, the self-insured retention buried in paragraph four of an umbrella endorsement that the reviewer didn't have time to reach — surfaces 11 months later as an uncovered claim, long after the closing dinner is a memory. At that point, the question is not whether the deal was good. It is whether the diligence was adequate. And for the law firm whose associate transcribed 300 certificates at $450 an hour and still missed the expiration date on certificate 217, that question is answered in deposition — not in a spreadsheet.
Test the extraction on your own deal-room certificates. See whether the 300-certificate problem can become the 25-minute solution before the next deal clock starts ticking.