In a recent ASIC note on cyber resilience good practices it observed that as outsourcing and cloud-based services become more prevalent, the reliance on third-party service providers and partners has become essential to the provision of products and services for many organisations.

ASIC identified as a good practice for organisations to develop risk-based assessment methods and tools to ensure that third-party suppliers and partners are regularly assessed to guarantee compliance with required security standards. Some organisations are also using external service providers to carry out periodic assessments of partners and vendors.

Under the Privacy Amendment (Notifiable Data Breaches) Act 2017 which applies to incidents from 22 February 2018, where personal information is held by multiple entities, an eligible data breach of a supplier relating to personal information held for a customer is a data breach by the customer.

If you have not already done so you should insert provisions in your supply contracts which define the supplier’s responsibilities with respect to incidents relating to your information and your right to audit the supplier’s security.