Supply chain resilience and critical infrastructure reforms

Wednesday, 08 April 2026

Simon Mitchell GAICD
Senior Policy Adviser

    The ongoing fuel crisis is a stark reminder of the vulnerability of many of Australia’s globalised supply chains.


    Boards are increasingly grappling with the governance and strategic challenges posed by complex and concentrated supply chains. At the same time, the Government is seeking to strengthen critical infrastructure legislation in response to Australia’s unique geopolitical position and evolving threat environment — including potentially placing greater obligations on boards.  

    Energy supply chain shock

    The current fuel shock is a stark reminder of the fragility of the supply chains that underpin the operations of many Australian businesses. While there are no simple solutions to this fragility, there is growing recognition that building supply chain resilience should be actively discussed around board tables.

    Australia, as a medium‑sized economy with a relatively small population spread across a large geographic area, has long been vulnerable to global supply chain disruptions. The nation relies heavily on international markets for critical inputs, including fuel, pharmaceuticals, fertiliser, transport components and digital infrastructure. This reliance has intensified in recent decades as the economy has become more globalised. As demonstrated by the war in the Middle East and previously during the COVID‑19 pandemic, these supply chains can be highly susceptible to global shocks.

    The Alliance of Industry Associations, of which AICD is a member, is focused on the emerging supply chain challenges and potential solutions to address them. We have been part of joint advocacy to the federal and state governments highlighting issues of concern, including the need for a coordinated response and a facilitative regulatory approach. A key message has been that industry stands ready to work with government to mitigate the worst of the current situation.

    Digital supply chains

    While current challenges with fuel supply are dominating management and board attention, there is also a growing concern around digital supply chain risk. Directors have raised concerns with the AICD about the significant reliance on a small number of large international technology providers for critical digital services, such as cloud computing and workplace productivity software. The CrowdStrike outage in 2024 was a salient example of how a failure at a key provider can rapidly cascade.

    These digital supply chain risks can be particularly difficult for individual organisations to mitigate in isolation, given limited alternative providers and reduced bargaining power to influence supplier resilience and risk controls.  

    Board oversight of supply chains

    Supply chain resilience has become a core strategic and governance issue for many boards.

    A number of legal frameworks require some organisations to identify and mitigate supply chain risks. These include modern slavery obligations, APRA prudential requirements and the Security of Critical Infrastructure Act 2018 (SOCI Act), discussed further below.

    More broadly, a greater reliance on third parties to provide services or key underlying infrastructure to Australian organisations has created risks that can result in greater regulatory risk and liability. A common scenario is a failure at a key provider that then results in a cyber or data breach at the customer, with resulting impacts on operations, stakeholders and reputation, as well as regulatory investigations and potential penalties.

    Drawing from the AICD publications Cyber Security Governance Principles and Data Governance Foundations for Boards, and guidance developed by the Australian Signals Directorate and APRA, there are some steps that a board can oversee to understand and seek to mitigate supply chain risks and maintain business continuity:

    • Develop a supplier classification matrix or map categorising suppliers based on criticality and type of service or product provided that informs board reporting and monitoring; 
    • Where possible, embed key resilience specifications, standards and reporting in contractual arrangements (e.g. adherence to international cyber security standards); 
    • Assess options for redundancy, alternative suppliers and backups; 
    • Seek internal and external audit/assurance and testing of key third party supplier controls; and 
    • Undertake scenario or simulation testing with management to prepare for critical supply events and to assist in identifying vulnerabilities.

    SOCI Act Independent Review

    In late 2025 and early 2026, Dr Jill Slay AM, a leading cyber security academic, undertook a review of the SOCI Act with the final report published in March 2026.

    The SOCI Act is a national framework intended to protect Australia’s critical infrastructure by imposing security, risk‑management and incident‑reporting obligations on organisations that own, operate or have direct interests in critical assets across 11 sectors. It requires responsible entities to identify and manage risks — including supply chain risks — and gives the government information‑gathering and intervention powers.

    Since its introduction in 2018, the SOCI Act has undergone a number of revisions and has expanded its scope. Dr Slay’s review focused on whether it was achieving its intended objectives.

    The review found that the SOCI Act has broadly lifted critical infrastructure risk practices and positioned Australia as a global leader in critical infrastructure security governance. However, it also identified that the regime is highly complex, overlaps with other regulatory frameworks, has weak enforcement mechanisms, and is not sufficiently responsive to emerging threats.

    Dr Slay recommended a shift from a compliance driven approach to an outcomes focused framework aimed at delivering genuine security uplift. Recommendations included stronger enforcement, reduced duplication, and improved responsiveness to emerging technological risks, such as artificial intelligence and drones.

    In relation to board oversight, Dr Slay found that while the Act has elevated awareness at the board level, the current board risk attestation is treated as a compliance exercise rather than as a means of understanding the effectiveness of underlying controls. This is in part due to penalties and enforcement being seen as 'toothless'. She recommends the Government consider a greater role for independent external assurance in board sign offs and moving to the board being responsible for 'outcomes', not solely compliance.

    Home Affairs consultation

    Accompanying the release of the review, the Department of Home Affairs has commenced two consultations on further amending the SOCI Act:  

    1. Five proposed enhancements of the Ministerial Directions Powers under Part 3 of the SOCI Act, including that the Minister can impose conditions on an entity where ownership, control, or governance arrangements (e.g. board composition) create a material risk to national security that cannot be sufficiently mitigated through existing regulatory obligations; and
    2. Draft legislation to enhance the existing critical infrastructure risk management program obligations, including supply chain vulnerability mapping and greater cyber security maturity.

    In relation to the proposed Ministerial Directions Powers, Home Affairs has indicated particular concern about the potential for directors and executives to be compromised or subject to undue influence from foreign sources, including through coercion, conflicts of interest or other relationships. The Department has suggested this could result in individuals weakening controls or influencing procurement and operational decisions in ways that degrade the resilience of critical assets.

    Member feedback

    We welcome member feedback on this issue, including experience with the SOCI Act, the review findings and recommendations and the Home Affairs consultation. Feedback can be provided at policy@aicd.com.au
