You can outsource a service, but you cannot outsource the fiduciary risk. This is the central governance challenge for Australian boards overseeing complex digital supply chains.
By 2026, this challenge becomes a direct liability. The commencement of the Cyber Security Act 2024 on March 4, 2026, alongside heightened scrutiny from ASIC and APRA on supply chain resilience, means that defensible oversight of third-party risk is no longer optional. It is a core component of a director’s duty of care and diligence under the Corporations Act 2001.
The Fiduciary Gap in Third-Party Cyber Risk
Third-party cyber risk governance is the board’s framework for ensuring vendors, suppliers, and partners do not compromise the organisation’s security, resilience, or reputation. It is fundamentally different from third-party risk management. Management is the operational task of assessing and mitigating vendor risks, a function typically delegated to procurement and IT teams. Governance is the board’s non-delegable duty to direct and control how that management occurs.
The "Outsource Paradox" is a critical concept for every director to understand. Engaging a third party to handle data, run critical software, or manage infrastructure often increases the board’s oversight burden. The organisation remains accountable for any breach, but its direct control is diminished. This gap between accountability and control is where director liability resides. Regulators like ASIC are explicit in their expectation that boards must actively oversee material service providers, as outlined in their guidance on cyber resilience.
Regulatory Scrutiny and Director Liability
The standard of care for directors is not static. It evolves with the risk environment. Today, an inability to demonstrate active and informed oversight of your digital supply chain is a clear failure of that duty. Professional bodies like the Australian Institute of Company Directors (AICD) expect directors to be conversant with these risks. A defence of ignorance or over-reliance on management reports is insufficient.
Defensible oversight is the only effective shield against regulatory action. It is the documented evidence that the board asked the right questions, challenged assumptions, and applied appropriate resources to understand and govern its third-party dependencies. Without this, a board is exposed following a significant supply chain incident.
From the Boardroom
I recall a board meeting where the Audit and Risk Committee reviewed our key technology suppliers. The report from management was a sea of green traffic lights. All vendors were certified, all contracts were in place. Yet, I asked a simple question: "If our primary cloud provider goes offline for 48 hours, which specific senior executive at their organisation is contractually obligated to speak to our CEO within the first hour?"
The silence was revealing. The technical and procurement teams had done their job, but the governance link was missing. We had a contract, but no relationship of accountability at the right level. The dashboard showed compliance, but the reality was we had no priority access or executive-level recourse during a crisis. We immediately tasked management with rectifying this, ensuring our most critical vendors had escalation paths that reached our executive team directly. It was a clear lesson that governance is not about technical reports; it is about ensuring accountability flows from our suppliers directly to our leadership.
Establishing a Defensible Procurement Framework
Effective governance of third-party risk begins at procurement. Viewing technology procurement as a strategic governance function, rather than a cost-saving exercise, is the first and most important shift a board must make. Every new vendor contract is an opportunity to embed resilience and accountability into your supply chain.
A governance-ready procurement framework has three core components:
- Risk Tiering: The board must ensure management has a clear methodology for classifying vendors based on their criticality to the business. A supplier of office stationery or interior furnishings does not require the same level of scrutiny as the provider of your core financial platform.
- Contractual Mandates: Contracts must contain specific, unambiguous clauses regarding security standards, breach notification timelines, and the organisation’s right to audit the vendor’s security controls. These are non-negotiable for critical suppliers.
- Direct Alignment with Risk Appetite: The security controls and performance standards required of a vendor must map directly to the board’s approved risk appetite statement. This ensures the board’s strategic risk tolerance is translated into operational reality.
Procurement governance is the first line of defence in supply chain resilience. It provides the structural foundation upon which all other oversight activities are built.
The Procurement Governance Checklist
As a director, you must be prepared to challenge the procurement process for any critical new technology vendor. Your questions should move beyond price and features to focus on risk and accountability.
- Who on our executive team owns the risk associated with this new supplier relationship?
- Does the contract explicitly detail the vendor's liability and notification duties in the event of a breach affecting our data?
- Have we included "escalation triggers" that require the vendor to notify our board or a board sub-committee directly under specific incident scenarios?
- How will we independently verify the security claims made by this vendor before contract signing and on an ongoing basis?
Moving Beyond the Dashboard: Active Board Oversight
Relying solely on management-produced dashboards is one of the most common governance failures. These reports often present technical metrics that can mask underlying systemic risks. A "100% compliant" vendor may still represent a significant concentration risk if they are a single point of failure in your operations. Effective cyber governance for boards requires active interrogation, not passive acceptance.
The role of a director is to probe and question. The "Director’s Question" framework helps non-technical leaders uncover the reality behind the reports. These are simple, governance-focused queries:
- "Show me the section of the contract that gives us the right to conduct an independent security assessment of this vendor."
- "Which of our critical third parties have participated in our incident response simulations in the last 12 months?"
- "If this vendor fails, what is our plan, and how quickly can we execute it?"
Answering these questions often requires input beyond the internal IT team. This is where independent, board-level advisory becomes essential. An independent advisor works for the board, not management, and can provide an unvarnished assessment of whether management's reports align with governance realities.
The Accountability Matrix
Clear accountability is paramount. The board should maintain a simple matrix that assigns ownership for critical third-party risks to specific committees. For example, the Audit and Risk Committee might oversee the financial viability and SOC 2 compliance of a fintech partner, while a dedicated Technology Committee assesses the operational resilience and data governance of a cloud provider. This ensures no critical dependency is left without focused board-level ownership. This process is a key part of effective cyber risk reporting to the board.
Testing Resilience Through Simulation
The ultimate test of third-party governance is how it performs under pressure. Boards must insist that key third-party vendors are included in annual incident response simulations. A theoretical plan is not enough. A simulation tests the contractual clauses, communication protocols, and escalation paths in a controlled environment. The insights gained from a realistic simulation involving your most critical supplier are invaluable and form a powerful record of the board’s due diligence.
Frequently Asked Questions
How should a board distinguish between third-party risk management and governance?
Management is the operational "doing" performed by your teams: assessing vendors, negotiating contracts, and monitoring performance. Governance is the board’s oversight role: setting the risk appetite, demanding clear accountability, and ensuring the management framework is effective and fit for purpose.
Can a board be held legally liable for a cyber breach at a third-party vendor?
Yes. Under the Corporations Act 2001, directors have a duty of care and diligence. If a breach at a critical third party causes significant harm to the company, and the board cannot demonstrate it had a reasonable governance framework in place to oversee that risk, directors may be found to have breached their duties.
How often should an Australian board receive reports on third-party cyber risk?
For the most critical vendors, the relevant board committee should receive a detailed update at every meeting. A consolidated report on the entire critical third-party ecosystem should be presented to the full board at least quarterly. The frequency should be dictated by the level of risk, not a generic reporting calendar.
What are the most critical questions to ask about IT procurement?
Beyond cost and features, the most critical questions focus on accountability and resilience. "Who owns the risk?", "How do we get out of this contract if they fail?", "How will we verify their security?", and "What are the contractual escalation paths during a crisis?".