IT Brief Australia - Technology news for CIOs & IT decision-makers

Australian business leaders urged to close supply chain & cyber gaps

Wed, 17th Sep 2025

A new report indicates that while Australian business leaders are increasingly aware of supply chain and cyber security risks, significant gaps remain in organisational preparedness and risk management.

McGrathNicol, in partnership with YouGov, surveyed over 300 C-Suite executives and Board-level directors from Australian companies with more than 50 employees to understand their views and strategies regarding the evolving risk landscape.

Geopolitical uncertainties

The research revealed that 80 percent of Australian executives anticipate that geopolitical issues will present operational challenges for their businesses in the coming 12 months, up from 66 percent the previous year. This rising concern reflects how swiftly international developments can impact domestic business environments, especially as global tensions and trade disruptions continue to influence local supply chains and operational security.

The report underscores a growing need for businesses to build sophisticated frameworks that address how global issues can cascade into local disruptions. Executives reportedly recognise the importance of proactive monitoring, yet the depth of their supply chain assessments has not kept pace with risks.

Supply chain vulnerabilities

Despite increased confidence in managing internal supply chains, the survey found that 82 percent of organisations do not conduct risk assessments beyond their first-tier suppliers. This suggests that many businesses overlook counterparty risks that could threaten operations if issues emerge deeper within supply chains.

Financial services organisations are under particular scrutiny following the introduction of the Australian Prudential Regulation Authority's (APRA) CPS 230 standard, which requires identification of all material service providers domestically and internationally, including those critical to operational resilience.

"Robust due diligence, ongoing monitoring and enhanced contractual safeguards are required so that business leaders can better understand their supply chains and who they are doing business with," commented Matt Fehon, Head of Advisory, McGrathNicol.
"Executives are expected to understand the connection between cyber, geopolitical, data, and insider risk, and carefully manage the third parties they are dealing with. The courts and regulators increasingly view these risks not as a costly business failure, but as a failure of good corporate governance with disastrous flow-on effects for others along the global supply chain."

Cyber security remains a top concern

Cyber threats are cited as both the leading risk and a key challenge for the future, and 49 percent of organisations expect them to increase over the next year. While many businesses have introduced risk management measures, the report warns that vulnerabilities persist. Specifically, 70 percent of organisations surveyed fail to conduct due diligence on the cyber security measures of key suppliers, and 71 percent do not factor supplier security management into regular performance evaluations.

According to the survey, 82 percent of respondents claim to have implemented a holistic security risk management plan, attributed in part to pressure from regulatory changes. Additionally, a significant majority (90 percent) have appointed a single authority to oversee organisational security risk management.

Room for improvement in preparedness

The findings suggest ongoing work is required to foster board-level and executive engagement with resilience-building efforts. Business Continuity Plans are not consistently updated or tested, with 30 percent of respondents indicating that key executives are either too busy or do not recognise the necessity of this activity. The report notes a need to adapt best practice frameworks common in the financial services sector, such as those introduced by APRA and referenced in the Security of Critical Infrastructure (SOCI) Act.

Artificial intelligence: challenges and opportunities

The uptake of artificial intelligence is seen as both an opportunity and a challenge. While AI-driven cyber defences and automated processes could strengthen business responses to mounting risks, the emergence of new ethical, governance, regulatory, and data privacy concerns requires careful management. The report details that forward-looking organisations are adopting AI tools for incident response and continuous monitoring, but emphasises the importance of comprehensive, organisation-wide risk frameworks that feature ethical guidelines and staff training for responsible AI use.

Regulatory landscape and governance obligations

"APRA's CPS 230 is only the latest in a series of broader regulatory shifts. Whether it is obligations under the Privacy Act, changing APRA standards, or updates to Security of Critical Infrastructure legislation, accountability cannot be outsourced. Organisations must focus on risks beyond their own backyard," added Matt Fehon.

The research was conducted by YouGov via an online panel comprising C-suite and Board-level directors and managers from Australian organisations with at least 50 employees. The survey included 335 respondents and the results were weighted by industry and location.
