Third Party IT Services

Exposure overview

The Software as a Service (“SaaS”) industry has seen unprecedented growth over the last decade due to the agility and cost-effectiveness it can offer clients, in particular SMEs. There are thousands of SaaS platforms used across different industries, but some of the most well-known are Stripe, Salesforce, Mailchimp, Hubspot, Shopify and Xero. Apart from SaaS, there are several other types of third-party IT platforms that organisations can use to enhance their operations, including security, backup and database management.

In addition, companies throughout Australia use Managed Service Providers to manage and maintain their IT systems, networks and security.

However, third-party IT, and in particular SaaS platforms, carries significant cyber risk for customers in the form of cyber-attacks that can breach their data and disrupt their business operations, affecting revenue.

“We’re absolutely seeing a rise in third party suppliers being the source of data breaches.”
Carly Kind, Australian Privacy Commissioner

The Law

The Privacy Act, including the Notifiable Data Breach requirements, applies to private sector organisations with an annual turnover of $3 million or more; however, certain types of businesses with less than $3 million in annual turnover are not exempt from the Privacy Act. These include health service providers, businesses that hold tax file numbers and credit reporting bodies. Even where the cyber-attack occurs at the third-party IT service provider rather than at the organisation itself, the responsibility for privacy data breach obligations may still rest with the provider’s customer because:

• technology providers contract out of data breach/privacy obligations; and/or

• where more than one party is in a position to report a data breach (for example, both the IT service provider and its customer), the Office of the Australian Information Commissioner’s (“OAIC”) position is that the party closest to the end client (therefore, the customer) carries the notification obligations.

Scale of the problem

Third-party IT supply chain breaches are a significant concern in Australia. According to recent reports, 69% of large-scale breaches (affecting 5,000 or more Australians) were caused by cyber security incidents involving third parties. Additionally, the OAIC has highlighted that the complexity and impact of data breaches are increasing due to the involvement of multiple parties, particularly cloud and software providers.

*Australian Government Annual Cyber Threat Report 2023 - 2024

69% involving third parties

Of large-scale breaches (affecting 5,000 or more Australians), 69% were caused by cyber security incidents involving third parties.

9% cyber supply chain related

In FY2023–24, cyber supply chain-related incidents comprised 9% of all cyber security incidents responded to by the Australian Signals Directorate.

Compromised assets

These incidents commonly involved compromised assets, networks and/or infrastructure (26%), compromised accounts and/or credentials (24%) or data breaches (20%).

Multi-party data breaches involving third parties are a new trend

The OAIC highlighted that multi-party data breaches involving third-party suppliers were a notable trend in 2024.

Exposure Mitigation

To mitigate the cyber risk of third-party IT providers, organisations should consider implementing the following measures in conjunction with their wider security programme and the advice received from their IT security adviser:

  • Confirm that your cyber insurance policy provides cover in the event a third-party IT service provider suffers a cyber-attack;
  • Engage providers that have demonstrated robust security controls and appropriate personal information handling measures;
  • Define the scope of the personal information handling services to be provided;
  • Where possible, define contractual clauses on retention or destruction of data;
  • Ensure contractual arrangements specify accountabilities in the event of data breaches that involve multiple parties, such as the responsible party for assessing harm, providing information and notifying the data breach (generally, the OAIC is of the view that the entity with the most direct relationship with individuals affected by the data breach should notify them);
  • Ensure effective oversight of third-party providers.

Insurance Solution

Cover 1.b: Contingent Business interruption

Business Interruption causing Business Interruption Loss incurred during the Indemnity Period as a direct result of:

i. the total, partial or intermittent interruption or degradation in service of the Computer System operated by an Outsourced Service Provider, caused by a Security Breach or Administrative Error; or

ii. a Privacy Breach.

Cover 1.e: Incident Response Expenses

Incident Response Expenses incurred as a direct result of a Security Breach or Privacy Breach.