Chapter 6: Ongoing Due Diligence

Ongoing due diligence is the process, once Intake is complete and the vendor relationship is active, by which vendors are continually risk‐assessed and the required due diligence effort is determined. As presented earlier, KC Enterprises continues its high‐, moderate‐, and low‐risk approach when deciding how ongoing due diligence is performed. Using one common taxonomy across all due diligence efforts ensures that no “translation” is ever needed when discussing the levels. In addition, because the risk levels are based on quantitative figures, anyone can understand the dollar amounts at stake (in rough order of magnitude). It is the yardstick the cybersecurity organization uses for vendor risk, and it traces its way from Intake through to reporting and analytics.

All vendors that fit the KC criteria (data in the top three classifications or a connection to the KC network) receive continual due diligence in some form. As vendors complete Intake and are assigned their risk level, the software used to store vendor Cybersecurity Third‐Party Risk data provides guidance on the required due diligence. Some management discretion is built into the system. For example, a low‐risk vendor might come to management's attention because it is being discussed as a ransomware target on the Dark Web. At that point, due to the heightened risk of a ransomware event, the vendor could be moved from low‐risk to moderate‐risk.

Several forms of ongoing security assessments of vendors exist. First is the remote assessment, where ...
