Supply Chain Cyber Risk: Legal Obligations & Building a Defensible Third-Party Risk Programme

A half-day masterclass for GCs, in-house counsel and risk & compliance leaders

Description

When your vendor is breached, you're still accountable. 

The Canvas breach didn't just affect a technology company; it exposed thousands of universities, schools and institutions to legal, regulatory and reputational consequences they had no direct control over. This is the reality of supply chain risk: the breach sits with someone else, but the obligations sit with you.
Join us for a half-day virtual masterclass designed specifically for general counsel, in-house legal teams, and risk and compliance leaders. This is not a technical cyber forum. It is a legal and governance masterclass focused on what your organisation is required to do, where liability concentrates when a third-party vendor fails, and how to demonstrate that you took reasonable steps before an incident occurs. 
Combining legal authority with real-world cyber expertise, your facilitators will take you from obligation to action across three structured sessions. 
 

Programme (session breakdown) 

Hour 1 — Understanding supply chain risk and your legal obligations 

Lisa Fitzgerald leads a structured session on the overlapping legal framework that applies when a third-party vendor is the source of a breach. Covers Privacy Act APP 11, SOCI Act critical infrastructure obligations, Corporations Act director duties, and the new Cyber Security Act — and how these obligations interact when your organisation did not cause the incident but is still exposed by it. Includes a practical walkthrough of where "reasonable steps" most commonly breaks down and what regulators focus on post-incident. 
 

Hour 2 — What happens when it goes wrong: case studies 

A structured examination of major supply chain incidents — Medibank, Latitude, Qantas, Canvas, Kaseya and others — viewed through both a legal and cyber lens. Lisa and Luke work through each case together: what the legal exposure was, what governance failures made it worse, and what the organisation's in-house team needed to have in place before the incident occurred. Delegates leave with a clear picture of how liability concentrates in practice, not just in theory. 
 

Hour 3 — Building a defensible third-party risk programme 

Luke Irwin leads a practical, framework-driven session on what a defensible third-party risk programme actually looks like. Covers vendor due diligence processes, contractual protections, ongoing monitoring obligations, and how to document your programme in a way that would withstand regulatory scrutiny or litigation. Includes an honest assessment of industry certifications — what ISO 27001 does and doesn't tell you, and what additional steps are required. Delegates leave with a structured framework they can begin applying immediately.
 

What you'll leave with 

  • A clear map of your organisation's legal obligations when a third-party supplier is breached 
  • An understanding of where director and organisational liability concentrates post-incident 
  • A framework for assessing and documenting vendor risk that meets the "reasonable steps" standard 
  • Practical guidance on vendor contracts, due diligence processes and ongoing monitoring 
  • Lessons from major Australian and global supply chain breaches — applied to your governance programme 
  • 3 CPD points (substantive) 

Who should attend 

This masterclass is designed for professionals responsible for legal oversight, governance and risk management, including: 
  • General counsel and deputy general counsel 
  • In-house legal teams with privacy, technology or contracts responsibilities 
  • Chief Risk Officers and senior risk and compliance leaders 
  • Company secretaries and governance professionals 
  • Legal practitioners advising on cyber, privacy or corporate governance 
 

Facilitators 

Lisa Fitzgerald — Partner, Norton Rose Fulbright 

Lisa is a partner in Norton Rose Fulbright's technology and innovation practice, advising clients on cyber security, data privacy and technology law. She brings deep experience in the legal obligations that arise when organisations face third-party vendor incidents, including regulatory response and litigation exposure. 
 

Luke Irwin — CEO & Principal Consultant, Aegis Cyber (ISSMP, CISSP, CISM) 

Luke specialises in translating complex cyber obligations into practical, workable governance programmes for legal and risk teams. A recognised commentator on major Australian cyber incidents, he has provided expert analysis on the Canvas, Medibank and Latitude breaches across national media including ABC National, ABC Brisbane, the Sydney Morning Herald, The Guardian and others. 
 
For any event enquiries email eventsanz@thomsonreuters.com