Download white paper: An Enhanced Approach to Vendor Due-Diligence

In this white paper we describe, step by step, an additional kind of vendor due diligence for third-party data breach risk, which significantly enhances the current practice of reviewing cybersecurity controls. This new supplementary approach focuses on company size and on staffing levels of people holding specific certifications, factors which have been found, empirically, to predict data breaches with high accuracy. Combining the two approaches reduces the need for periodic review of Tier-1 vendors.


About the Authors

David Hann is the director of the UK-based DHann Consulting, which partners with organisations to tackle diverse and complex challenges, from transforming processes and implementing systems to assessing risk and helping drive organisational change.

David has over twenty-six years of experience in risk, audit, and consulting within the UK and overseas. His experience is founded on a 12-year career focused on Technology Risk at PwC (UK), Deloitte (Australia), and KPMG (Australia), followed by seven years at Lloyds Banking Group (UK), where he held several ‘Head of Audit’ roles including Retail Banking Technology, Digital Banking and Telephone Banking. David’s focus then moved to third-party risk and regulatory compliance. As a regional product director at IHS Markit, he helped to successfully launch one of the world’s first third-party risk management due diligence utilities. He subsequently went on to assist clients in implementing solutions to manage their third-party and outsourcing regulatory obligations.

His most recent consulting successes include managing Third-Party Risk programmes, including delivering a global Cyber Security transformation and implementing a global Third-Party Risk framework. Projects have also included managing part of a multimillion-pound post-merger integration programme in financial services and internal audit assessments at leading digital banks in the UK.

David holds a degree in Physics from the University of Southampton. David can be contacted at

Thomas Lee, Ph.D., is the CEO of the Silicon Valley-based VivoSecurity, a company focused on data collection, regression modeling and AI to quantify cyber security risk.

Thomas has spoken at the Richmond Fed research conference (2018), was an invited participant at the Richmond Fed cyber security workshop (2019), an invited speaker at O.R.X Toronto and Milan (2018), a speaker at OpRisk North America (2018) and an ACAMS panelist (2019), and appeared at PRMIA NYC and BCG (2018). He holds multiple patents for quantifying cyber security risk.

Thomas holds degrees in Physics and Electrical Engineering from the University of Washington in Seattle, and an MS and PhD in Biophysics from the University of Chicago.
