NSW Cyber Incidents Linked To Third Parties Quadruple
Cyber risks linked to third-party systems are spiking in NSW. Recent data shows just how quickly supply chain vulnerabilities are becoming a core security concern for Australian organisations.
Sharp Rise in Third-Party Incidents
Figures obtained under NSW's Government Information Public Access Act (GIPA) reveal that incidents involving third-party systems have more than quadrupled in just two years. In the 2023-24 financial year, 17 incidents were logged, more than double the 8 incidents in FY 2022-23, and over four times the number in FY 2021-22, which had only 4 such incidents.
These figures count incidents in which systems owned or managed by external vendors or service providers were compromised, affecting government operations. The sharp increase comes alongside better reporting and classification: Cyber Security NSW adopted a structured framework around 2021 that enabled more consistent identification of third-party incidents.
Total Incident Load and Investment
While those third-party incidents make headlines, the overall incident count is also notable: Cyber Security NSW responded to over 200 cyber incidents in FY 2023-24.
To address this, the NSW government has allocated A$87.7 million over four years to bolster Cyber Security NSW and mitigate risks across the state, including those stemming from vendor or third-party systems. That follows an investment of A$20.3 million in the previous year.
What this Means for Organisations
These figures aren't just numbers; they carry implications for how businesses, integrators and service providers work in Australia:
- Vendor contracts and risk assessments are now central: Government policy mandates more robust vendor assessments and embedding cybersecurity clauses in agreements.
- Reporting frameworks matter: Because incident reporting was less structured before 2021, many third-party compromises may have gone unnoticed. Now, better visibility is revealing latent risk.
- Operational & reputational risk: Even one vendor breach can disrupt services, expose data, and erode public or customer trust.
Immediate Actions And Resilience
Given the scale and pace of increase, here are actions organisations should prioritise:
- Embed stringent cybersecurity requirements into vendor contracts.
- Institute regular vendor audits and oversight.
- Ensure incident reporting includes third-party systems and that incidents are disclosed in a timely manner.
- Allocate budget for monitoring, response, and staff training, especially around phishing and vendor risk.
These developments in NSW show a clear trend: third-party cybersecurity risks are rising sharply, and they're being recognised at state level with both policy and funding. For organisations involved in contracts, integration, supply chain or government services, this is a moment to reassess risk and resilience.