Understanding your supply chains

Understanding your supply chains is now critical for every financial services business that outsources functions, particularly in relation to information security, service levels, business continuity and customer privacy.

Even if you have done due diligence on your contractor, how do you know whether they have subcontracted their services to a fourth party, and whether that fourth party complies with the same standards?

And how will you know whether they have made a ransomware payment in response to a cybersecurity incident once the ransomware reporting obligation commences on 30 May 2025?

If you are an APRA-regulated entity, you must have a supplier register to track your contracts and identify which service providers are “material” once CPS 230 commences on 1 July 2025.



Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.

 
