Your Weakest Supplier Is Your Biggest Risk

Supply Chain Cyber Risk Is Now a Board Governance Obligation. Here Is What That Means in Practice.

The Australian Signals Directorate (ASD) and the Australian Institute of Company Directors (AICD) have jointly published their cyber security priorities for boards in 2025-26. Of the four priority areas identified, cyber supply chain risk sits alongside event logging, legacy IT management, and post-quantum cryptography as issues that Australian boards are expected to actively oversee, not delegate and forget.

The guidance is direct. Every supplier, manufacturer, distributor, or retailer connected to your organisation presents a cyber supply chain risk. And you present that same risk to your customers. This is no longer a background IT concern. It is a governance obligation, and boards are being asked to answer for it.

The questions boards are being asked

The ASD and AICD guidance sets out threshold questions that directors should be putting to management right now:

  • Have we developed a cyber supply chain risk management policy?
  • Have we identified all suppliers with access to our systems and data?
  • Have we categorised our suppliers by criticality and risk exposure?
  • Do our contracts and service level agreements include cyber security requirements?

For large enterprises with dedicated procurement and legal functions, these questions are challenging. For most Australian small and medium businesses, they are confronting. The honest answer to all four is frequently no.

Why traditional approaches are no longer sufficient

For years, organisations have managed supplier cyber risk through questionnaires and self-attestation. A supplier fills out a form declaring they have appropriate controls in place. The enterprise files it and moves on. Boards, insurers, and regulators are no longer satisfied with this approach, and for good reason.

Self-declared assurances are unverifiable. A supplier can attest to controls that do not exist, or that existed at the time of completion but have since lapsed. There is no independent check, no evidence standard, and no consistency between suppliers. When a breach occurs through a third party, the paper trail provides legal exposure rather than genuine protection.

The shift underway is from assurance by declaration to assurance by evidence. Boards need a consistent, defensible basis for supply chain oversight. The question is what that looks like in practice.

What Australian Cyber Essentials was built to do

Australian Cyber Essentials (ACE) is Australia’s first independently certified, evidence-based cyber security assurance framework designed specifically for supply chain risk management.

Rather than asking suppliers to self-assess, ACE provides a structured pathway through which suppliers demonstrate their security posture against a defined standard. That assessment is then independently certified by Bureau Veritas, one of the world’s leading testing, inspection, and certification organisations. The result is a credible, auditable position that enterprises can rely on when making procurement decisions, satisfying insurer requirements, or answering to their boards.

You will not be left to fend for yourself. Cyber Audit Team will actively support you through the process, conducting 12 workshops that guide you in collecting the evidence required to demonstrate that your security controls are in place and operating. Once all the evidence has been compiled, Bureau Veritas will complete its independent review and issue the certification.

What this means for suppliers

If your organisation is a supplier to enterprise customers, the pressure is coming. Procurement teams are beginning to include cyber security requirements in contracts. Insurers are asking questions about third-party risk management. The organisations that can demonstrate a certified, evidence-based security posture will have a clear advantage over those that cannot.

ACE gives suppliers a structured, achievable pathway to that certification. It is not designed for large enterprise IT teams. It is designed for the small and medium businesses that make up the majority of Australian supply chains, and that are increasingly being asked to prove they can be trusted.

For boards: what a defensible position looks like

If you are a director asking your management team whether your supply chain risk management is adequate, the answer you want is not “we send questionnaires.” The answer you want is a programme that identifies your critical suppliers, applies a consistent assessment standard, and produces independently verified evidence that security controls are in place. That is what ACE delivers, both for the enterprises that require it of their suppliers, and for the suppliers that need to demonstrate it.

The ASD and AICD have made clear that supply chain cyber risk is a board-level priority for 2025-26. ACE makes meeting that priority practical.

Read the ASD/AICD guidance: Cyber Security Priorities for Boards in 2025-26