Third-Party Cyber Risk: The Governance Issue Hiding in Plain Sight
A recent Queensland Audit Office (QAO) report is a timely warning for councils, government-owned entities and public sector agencies: one of the most significant cyber risks may not sit inside your organisation at all. It may sit with your suppliers, vendors, consultants and service providers.
Modern organisations increasingly rely on third parties to deliver IT systems, digital services, software platforms and operational support. That creates efficiency, but it also creates exposure.
The QAO found that the audited entities were not effectively managing third-party cyber security risk, and that weaknesses in access controls, procurement practices and contracts created real vulnerabilities. In testing, the auditors were able to obtain passwords, access systems and extract sensitive information beyond what a third-party user should have been able to access. In two cases, they were able to gain administrator-level access.
That should be a wake-up call.
Importantly, these risks are no longer emerging or hypothetical. They are well understood, documented and repeatedly identified in public sector audits and guidance.
As a result, expectations on organisations, particularly councils and government entities, to identify, assess and actively manage third-party cyber risk are increasing. This is not just a technical issue, but one of governance, accountability and risk ownership.
This is not just an IT issue
Third-party cyber risk sits across:
- IT and cyber security
- procurement
- contract management
- risk and assurance
- governance and executive oversight
Because responsibility is spread across all of these functions, the risk is easily left without a clear owner, and that is why it is so often missed.
Many organisations focus on internal cyber controls, but far fewer are asking the harder questions:
- Which suppliers actually have access to our systems or sensitive data?
- Have we properly assessed the cyber risk during procurement?
- Do our contracts contain the right cyber obligations?
- Are we actively monitoring supplier risk after contract award?
Contracts are often the weak point
One of the most striking findings in the report was contractual weakness.
Of the 36 contracts reviewed:
- only 2 required third parties to report cyber incidents or vulnerabilities;
- very few included audit rights; and
- none included security requirements for the third party’s own suppliers.
That means many entities may be carrying supply chain cyber risk without any real contractual visibility or control.
What organisations should be doing now
The QAO’s better practice checklist is a useful starting point. In practical terms, organisations should be reviewing whether they are:
- properly identifying which third parties present cyber risk;
- conducting meaningful cyber due diligence during procurement;
- including clear cyber obligations in contracts;
- monitoring third-party risk throughout the contract lifecycle; and
- ensuring that third-party users are given only the access they need, and that their activity is logged and monitored.
The report also highlights the importance of moving beyond contracting to active contract management.
In practice, this means establishing a structured approach to managing third-party cyber risk across the whole contract lifecycle, not just at the point of award. That could include:
- clearly documenting security expectations for suppliers;
- ensuring the contract contains appropriate obligations (for example, incident and vulnerability reporting, and audit rights);
- ongoing monitoring of third-party cyber risks and controls;
- periodic (for example, annual) supplier reviews of IT security controls; and
- ensuring staff have the capability, and the organisation has the internal processes, to manage these risks and respond to cyber incidents and evolving threats.
The real takeaway
Third-party cyber risk is no longer a niche technical issue. It is now a procurement, contract, governance and operational resilience issue.
For councils and public entities, the real question is not whether this risk exists in your supply chain.
It is whether your organisation has the procurement settings, contract protections and governance discipline to manage it properly.
Organisations should now be actively testing whether their current frameworks are sufficient to manage this risk.
How Muscat Tanzer can help
We help councils and government entities build practical frameworks to manage these risks through procurement planning, cyber risk allocation, contract drafting, governance settings and contract management uplift.
Paul Muscat
Director
Muscat Tanzer
Lucy Edwards
Associate
Muscat Tanzer
