Clayton Utz report urges boards to address third-party risk and AI rollout gaps


Australian boards risk missing critical technology and supply chain vulnerabilities due to limited visibility over third-party and sub-tier digital dependencies, according to a new white paper from law firm Clayton Utz.

The paper, titled Closing the digital blind spot: managing third-party risk, argues that there is a growing gap between how risk is documented and how outsourced and interconnected digital services perform during disruption. It warns that this disconnect can expose organisations to operational outages, regulatory action and reputational harm.

Clayton Utz points to World Economic Forum figures stating that 68% of global organisations reported an increase in digital supply chain disruptions in 2026, while 78% of CEOs in highly resilient firms identified third-party dependencies as the main barrier to digital resilience.

The report says many boards focus on direct, “headline” suppliers while underestimating fourth- and fifth-party dependencies embedded in digital services. It cites the 2024 CrowdStrike outage as an example of cascading impact, estimating the incident cost Australian businesses $1 billion.

Simon Newcomb, Head of AI at Clayton Utz, said boards should not rely solely on standard contractual protections. “Digital risk often lies well below the headline supplier, hidden deep within the layered dependencies that keep services running,” he said.

“In addition to understanding who an organisation contracts with, it is important to understand how the service is actually put together and delivered. If boards and executives do not have a clear view of those dependencies, the cost of discovering them in the middle of a major disruption or security incident will be far greater than the cost of proactive, coordinated oversight,” Newcomb said.

The white paper also raises concerns for public sector agencies and critical infrastructure operators, arguing that contractual arrangements can create an “accountability illusion” if organisations assume risk has been transferred to vendors.

Angie Freeman, Public Sector Partner and Co-Head of Digital at Clayton Utz, said downstream breaches remain the responsibility of the contracting entity. “A cyber breach occurring deep in your supply chain is still your breach,” she said. “Government agencies can outsource digital services, but they remain accountable for the outcome.”

Freeman added that for organisations regulated under the Security of Critical Infrastructure (SOCI) Act or financial frameworks such as APRA’s CPS 230, outages triggered by sub-tier suppliers can have broader consequences. “A failure in a fourth-party provider can disable a piece of critical infrastructure. For SOCI-regulated entities, resilience is not just about compliance, it can be a matter of national security,” she said.

On AI adoption, the report argues that after widespread uptake of productivity tools in 2025, 2026 will test the operational and governance risks of rapid deployment, including increased dependency on “agentic AI” and associated decision and outage risks. It notes World Economic Forum data indicating that only 64% of organisations have processes to assess the security of AI tools before deployment.

The paper also flags a potential “key person risk” created by replacing or reducing human capability with AI systems, warning that an AI outage could leave businesses without the skills required to maintain core operations.

Clayton Utz recommends using procurement and vendor governance as a central risk control point, and argues that frameworks such as CPS 230 and the SOCI Act should be treated as baselines for resilience rather than compliance checklists.

The white paper includes an eight-part “Digital Resilience Toolkit” covering risk tolerance, value-chain mapping, use-case based assessment, procurement controls, selection frameworks, post-execution contract mechanisms, ongoing contract management and outage preparation.

You can read the full report here.
