The perils of third-party risk

Digital supply chains are increasing in scale and complexity, forming an interconnected network of hardware, software, personnel and data flows that delivers digital products and services, from development through to deployment and ongoing support. These functions touch every part of the digital ecosystem organisations rely on: cloud providers, computer hardware and software, and managed service providers.

A spate of recent cyber incidents has illustrated that complex supply chains have significantly expanded the cyber attack surface, providing new avenues for malicious actors to exploit. Indeed, 75% of respondents reported their organisation had been impacted by a third-party incident over the past two years.

In this year’s survey, third-party risk ranks as the top cyber-related risk, closely followed by data-related risks. An increased reliance on technology and outsourcing was identified by respondents as the key internal driver of the increase in cyber risk.

This expanding risk profile has coincided with a rising regulatory focus on third-party risk, via the SOCI Act and the Australian Prudential Regulation Authority's CPS 230 and CPS 234, which variously emphasise the need for businesses to conduct third-party risk assessments, establish clear contractual obligations and proactively map critical business services and dependencies.

Chair of the Australian Securities and Investments Commission (ASIC), Joe Longo, has specifically called out third-party risk, noting that: “none of us has control over the security of a third-party provider … If we rely solely on the security measures those providers have in place, we leave a wide opening for a data breach if those measures are compromised”.3

According to HSF Kramer’s Magdalena Blanch-de Wilt, Executive Counsel and APAC Cyber Risk Advisory Lead, “If you experience a third-party incident, it can often be no different to an incident impacting your organisation directly. The impact on your operations may be the same, as may be the need to muster an incident response team, and you may need to invest the same type of resources and effort to manage the issues”.

This sentiment is shared by Partner and corporate governance expert at HSF Kramer, Carolyn Pugsley, who said, in the event of a breach “the general population don’t really care if it was a third-party risk system failure that caused the incident”. “Reputationally you are carrying the can and reputationally the impact is the same as if it's your system … Contractually, you may well be protected, you may well be insured, but really that's not what keeps boards awake at night. It's reputational and brand damage and the impact on that for customers or clients,” Pugsley said.

It is surprising, therefore, that many companies are not investing in third-party risk management with the same focus as other activities. Despite significant concerns, addressing these risks was low on uplift priorities, ranking seventh in this year’s survey. Ultimately, the message from respondents on third-party risk is clear: the risk is well understood, but managing it is proving challenging.

These results are not surprising, says Heather Kelly, Senior Associate in HSF Kramer’s cyber practice. “Demonstrating a return on investment can be a real pain point. Third-party risk is somewhat intangible, and there is currently little regulatory guidance on what ‘good’ looks like. When coupled with economic uncertainty, it is no wonder that data risk management investment proposals are losing out to other, more established activities, such as IT security infrastructure upgrades,” Kelly said.

Blanch-de Wilt believes the dial might shift “when we see enforcement of a higher order”, for example meaningful action taken by ASIC, including when an incident involves a third party.

To date, ASIC has only pursued Australian Financial Services Licence (AFSL) holders for breaches of licence obligations related to alleged failures to implement adequate cyber security measures. However, since late 2023, ASIC has emphasised it is actively investigating directors and executives for deficiencies in this area. We are yet to see anything come of this, but we know it remains a focus area for ASIC.

