A recent ASIC survey shows 44 per cent of organisations manage third-party risk poorly, which is a red flag for boards and directors. Boards need to ensure that supply chains do not provide threat actors easy access to their systems.
Directors need a clear understanding of the external threat landscape, according to Fabio Fratucello MAICD, Field CTO, International, at CrowdStrike. They need not only to keep abreast of global and regional trends, industry-specific risks and the adversaries their organisation faces, but also to evaluate the security posture of third-party vendors.
ASIC’s recent report, Spotlight on Cyber: Findings and Insights from the Cyber Pulse Survey 2023, shows 44 per cent of organisations surveyed do not manage third-party or supply chain risk — a red flag for boards and directors.
Equally concerning are the findings of the small organisations surveyed — 69 per cent of participants had “minimal or no capabilities in third party or supply chain risk management”. Almost six in 10 surveyed indicated they do not test cybersecurity incident responses of critical suppliers.
“Boards should ensure their organisations scrutinise whether third parties have modern security solutions in place,” says Fratucello.
Top Tips
- Monitor third-party vendors
- Ensure third parties have modern security solutions in place
- Embrace innovation, particularly AI in cybersecurity
- Push for details about third-party cybersecurity and compliance
- Follow up on reviews and identify how to improve resilience
Robust management
Modern security solutions include real-time threat detection that focuses on stopping breaches rather than just stopping malware, identity threat protection, complete cloud protection, detection and response from code to cloud, and robust vulnerability management.
A critical question to ask, Fratucello says, is whether these partners can detect and respond to cyber threats effectively in 2025, given the increasing speed and sophistication of modern adversaries.
Boards must also encourage their organisations to embrace innovation, particularly AI as part of cybersecurity, he says. These technologies are already proving essential in detecting AI-driven cyberattacks and enhancing overall cyber defence capabilities.
“Ultimately, cybersecurity must be more than a surface-level boardroom discussion,” says Fratucello.
“It requires focused, strategic oversight that considers both technical and operational risks. By taking these steps, board directors can help their organisations think holistically about cybersecurity and reduce the risks posed by third parties.”
Aggressive attacks
Adversaries and threat actors are becoming more aggressive and sophisticated, increasingly deploying generative AI for social engineering attacks. Some vishing (voice phishing) campaigns even mimic IT help desks to gain identity credentials.
According to the recently released 2025 CrowdStrike Global Threat Report, this vishing activity surged 442 per cent between the first and second half of 2024, while targeted attacks in the financial services, media, manufacturing and industrial sectors experienced 200–300 per cent increases in observed China-nexus intrusions compared to previous years.
The Office of the Australian Information Commissioner (OAIC) recorded 527 notifications of data breaches for January to June 2024, the highest number since July to December 2020 and a nine per cent increase from the previous six months. Data for the year to end-2024 showed a further increase, but the level of secondary breaches remained steady. These occur when a breach at the “primary” organisation impacts other organisations.
Broad vulnerabilities
Holding Redlich General Counsel Dan Pearce says the breadth of risk posed by third-party and supply chain vulnerabilities extends beyond technical failures.
“Breaches can arise from external hacks, insider actions, or human error. A failure by a third party to meet cybersecurity or privacy obligations can result in operational disruption, financial loss, reputational damage and legal liabilities.”
Monitor vendors
Gartner vice-president Luke Ellery adds that failure to monitor third-party vendors can give rise to stark outcomes for organisations. He compares two Australian companies that used third-party vendors and suffered outages.
One company, which suffered a systems outage, was able to restore lost data and resume operations the same day because it had sufficient backups in place. The other company lost six weeks’ data, which had to be manually re-entered into the system.
“One of the things from a practice perspective that needs to happen is the ongoing management of the vendors, to ensure there’s not just a focus on vendor performance and service levels, but on whether they’re meeting service levels — are they meeting their risk obligations?”
Increasing regulation
Pearce notes that ASIC Report 776: Spotlight on Cyber highlights the increasing regulatory focus on third-party risk, emphasising the need for businesses to conduct third-party risk assessments, establish clear contractual obligations and proactively map critical business services and dependencies.
The National Cyber Security Strategy 2023–2030 reinforces this, shifting cyber from a technical issue to a whole-of-nation concern, underscoring the need for organisations to manage their supply chain risk.
Cybersecurity rules passed in March also extend to managing risk with third-party vendors and suppliers and form part of the Cyber Security Act 2024 passed in November last year.
Pearce notes the OAIC has flagged privacy risks arising from AI use in supply chains, particularly where personal data is used to train AI models without individuals’ knowledge or consent.
He says if an organisation’s third-party AI provider fails to comply with the Australian Privacy Principles (APPs), the organisation itself may be in breach.
Higher complexity, more risk
A proactive stance is critical to ensure regulatory compliance — with globalisation, outsourcing and the integration of AI in business operations adding layers of complexity and risk.
Establish robust metrics that include incident response testing, frequency of third-party risk assessments, and compliance with contractual security obligations, Pearce says.
“Boards need to ensure every link in the supply chain meets due diligence on third parties and contractual obligations, and minimum cybersecurity and privacy standards, as failure to do so can expose organisations to enforcement action.”
Identifying risk
Gartner’s recent Board of Directors Survey shows only 20 per cent of board directors believe that board practices are sufficient to oversee AI. Ellery believes contracts can be a powerful risk control for directors. Reflecting on the 2016 CBA data breach, he says contracts must cover process controls.
“Sometimes when we look at all the different incidents in retrospect, it’s really obvious where all the gaps are,” he says. “From a board perspective, it’s important the risk program is effectively identifying, triaging and mitigating risks, but also that they’re doing an internal audit and review on a regular basis to ensure the practices are actually being followed and opportunities for improvement identified.
“From a control program perspective, they must ensure they’re covered by those obligations from a legal perspective. They must also make sure they’re notified [by their third-party supplier] in a reasonable time if something bad happens like a cyber incident.”
Practice resources — supporting good governance
AICD’s contemporary governance practice resources for members:
Cyber-security Governance
- AICD's Key Components of a Strategic Cybersecurity Approach
- Cyber Security Handbook for Small Business and Not-for-Profit Directors
- AI Fluency for Directors Course