Due diligence should be based on the level of risk assigned to the vendor; that risk rating usually correlates with the inherent risk of the product or service the vendor provides. For example, suppose a vendor uses your customer data to provide verification for a loan. In that case, they are probably rated high-risk or critical, based on their access to PII. Therefore, you would want to ensure that the due diligence includes reviews of the vendor's information security policies and procedures, independent third-party audits, etc.
Each organization has different rules that apply when purchasing additional products or services from a vendor you already utilize. But the general approach should be the same: you must objectively evaluate the inherent risk in the product or service you wish to purchase. You should consider the following:
Regarding cyber insurance, it is highly advisable to require your vendors to carry cyber insurance when they provide products or services through which they access, process, transfer, or store PII data. They should carry cyber insurance as a separate policy from general liability or professional liability insurance. In some cases, you may wish to have the vendor add your organization as an additional insured entity. Remember that insurance coverage can be a highly complex issue; it is advisable to consult either your organization's legal team or your insurance provider for more advice.
I hope you found this information helpful. I would love to see what other community members can add.