Supply chain cyber security: what Australian boards need to be able to demonstrate right now

June 10, 2026
3 minute read


  • Self-attestation from suppliers is no longer a defensible position for Australian boards, as regulators and insurers now expect independent verification of cyber security controls, not declarations.  
  • The Cyber Security Act 2024, SOCI Act, Privacy Act, and APRA’s CPS 234 create real legal obligations for boards with third-party exposure, and ASIC has signalled that directors who cannot demonstrate reasonable steps may face personal exposure.  
  • Australian Cyber Essentials (ACE), certified by Bureau Veritas, provides an evidence-based framework that shifts the question from what a supplier claims about its security to what it can demonstrate.
  • RedeMont advises boards and executive teams on supplier contract frameworks, third-party risk governance, and legal exposure under current Australian law. 

Supply chain cyber security is one of the more underexamined governance risks on Australian boardroom agendas right now. Most organisations have relied on supplier questionnaires and self-declared assurances for years. Those arrangements can look adequate on paper. The real test comes after an incident, when boards, insurers, and regulators ask whether those controls were ever independently verified. 

For many, that scrutiny reveals a gap between what was assumed and what can be demonstrated. 

Guy Cosgrove, Partner, and Grace Georgilopoulos, Lawyer, will join panel discussions across Australia hosted by Bureau Veritas and Cyber Audit Team. The panels introduce Australian Cyber Essentials (ACE) and explore what it means for boards managing third-party exposure. This article sets out the legal and governance questions every board should be asking.

Self-attestation is no longer a defensible position 

A supplier completes a questionnaire, declares their controls are in place, and the procuring organisation files the response and moves on. The problem is not that suppliers are necessarily dishonest. The problem is that self-declared claims are structurally unreliable. Policies may be documented without ever being practised. Controls that were in place at the time of assessment may have lapsed. 

Australia’s regulatory environment now requires organisations to demonstrate reasonable, risk-based cyber security controls through credible evidence. The Cyber Security Act 2024, the SOCI Act, the Privacy Act and the Notifiable Data Breaches scheme, and APRA’s CPS 234 all point in the same direction: boards with third-party exposure are expected to show they have verified their suppliers’ controls, not merely asked about them. ASIC has reinforced that directors who cannot demonstrate reasonable steps may face personal exposure. 

What independent assurance changes 

Australian Cyber Essentials (ACE), developed by Cyber Audit Team and certified by Bureau Veritas, addresses this gap directly. It is a three-level, evidence-based assurance framework that requires independently reviewed documentation, not self-declared claims. Certification is issued by Bureau Veritas only when submitted evidence meets the requirements. 

For boards, a supply chain that includes independently certified suppliers is materially easier to defend to regulators, insurers, and auditors. The question shifts from what a supplier claims about its security to what it can demonstrate.

Questions for your next board agenda 

  • Which of our suppliers have access to sensitive data or critical systems, and what cyber assurance do we hold for each? 
  • Is that assurance self-declared or independently reviewed, and when was it last updated? 
  • If a supplier suffered a significant cyber incident today, could we demonstrate we had taken reasonable steps to verify their security posture? 
  • Do our procurement contracts include minimum cyber security requirements, audit rights, and notification obligations? 

How we can help 

RedeMont advises boards, in-house counsel, and executive teams on governance obligations across privacy, cyber security, regulatory compliance, and procurement. We work with organisations to review their supplier contract frameworks, assess their third-party risk arrangements, and understand their exposure under current Australian law. 

If supply chain cyber risk is a topic your board needs to get across, contact Guy or Grace directly.
