When Government Data Reaches Unvetted Third Parties

A recent Treasury report has raised a serious concern for government cyber security. Some agencies reported that vendors had moved services offshore without prior approval. That meant government data was being managed or held by unvetted third parties. The same Treasury material also recorded concerns about poor vendor security controls, unpatched software, and heavy dependence on a small group of suppliers.

This is not a minor procurement issue. It is a supply chain security issue and a governance issue.

The original reporting noted that New Zealand’s GCSB took well beyond the normal Official Information Act timeframe to respond to questions on the matter, and then declined to provide most of the requested operational details. Even without those details, the public signal is strong enough. If agencies do not have full control over who handles their data, where services are delivered, and how security obligations are enforced, the risk is already material.

The Problem is Bigger Than One Vendor

The Treasury findings point to a pattern, not a one-off failure. Agencies raised concerns about weak security practices in vendor products and services. They also flagged unapproved offshoring. On top of that, the report warned that low competition and poor service delivery had pushed many agencies toward the same few providers. That creates concentration risk. If one major supplier suffers a cyber incident, the effect can spread across multiple agencies at once.

That is how third-party risk grows. It rarely starts with a dramatic breach. It starts with gaps in oversight, vague accountability, slow patching, weak contract control, and poor visibility into subcontractors.

In practical terms, agencies need to know:

  • who has access to government data
  • where that data is stored and processed
  • whether services were offshored with approval
  • how quickly vulnerabilities are patched
  • what happens if a supplier fails or is compromised

If any of those answers are unclear, the organisation is already exposed.

Why “Unvetted Third Parties” Should Concern Every Public Sector Leader

The phrase “unvetted third parties” should stand out to every board, executive team, procurement lead, and security adviser. Vetting is not a paperwork step. It is part of security assurance.

When an outside party touches sensitive systems or data, that party becomes part of the risk surface. If there is no proper review of its controls, access model, hosting arrangements, staff handling practices, or subcontractor chain, the organisation cannot honestly say it knows where its risk sits.

This matters even more in government. Public sector agencies manage sensitive citizen information, operational systems, internal records, and service platforms that people rely on every day. A weakness in one vendor relationship can create privacy concerns, service disruption, legal exposure, and reputational damage.

That is why organisations should not wait for an incident before tightening assurance. They need stronger review before onboarding vendors, stronger oversight during delivery, and stronger testing when services change.

Procurement Alone Will Not Solve This

Many organisations assume vendor risk belongs only to procurement or legal teams. It does not. Procurement can set the commercial structure, but cyber assurance must sit alongside it.

A contract may say the right things. Real security depends on whether the vendor follows those requirements in practice. That means testing controls, checking architecture decisions, validating access paths, reviewing code where needed, and making sure changes do not introduce hidden risk.

This is where independent review matters. Strong assurance work often includes technical audits, architecture review, control validation, and, where relevant, a secure source code review. It helps identify insecure coding practices, logic flaws, hardcoded secrets, weak authentication handling, and other weaknesses before they lead to compromise. For public-facing platforms and critical internal systems, it can be a practical way to reduce avoidable risk early.

Essential Eight is Relevant Here Too

For Australian organisations, the lessons are especially relevant in the context of baseline cyber governance and resilience. Cybernetic Global Intelligence highlights services around the ACSC Essential Eight, information security audit, source code review, and broader cyber risk management. Those are not isolated services. Together, they support a more disciplined security posture across systems, users, vendors, and operational controls.

That is why Essential Eight security auditors matter in environments that depend on external suppliers. They can help organisations assess whether core controls are actually working, whether uplift activity is aligned to risk, and whether security basics are being treated as an ongoing discipline rather than a once-a-year exercise. In complex environments, they also help leadership see where policy says one thing but operations show another.

What Agencies Should Do Now

The Treasury findings should push agencies to revisit vendor assurance with urgency.

First, review all critical vendors and subcontracting arrangements. Do not assume old approvals still reflect current delivery models.

Second, confirm where services are performed and where data is processed or stored. If offshoring has occurred, verify whether it was approved and whether controls match policy and contract terms.

Third, assess patch management, security control maturity, and incident response obligations across key suppliers.

Fourth, reduce concentration risk where possible. Heavy dependence on a few vendors may be commercially convenient, but it can increase operational fragility.

Fifth, use independent testing where needed. That may include architecture review, technical audits, secure source code review, and broader cyber risk assessments.

Finally, make security a standing part of investment and delivery planning. The Treasury reporting also pointed to broader issues around cyber security management, ageing systems, and the ongoing cost of keeping environments secure. Those are not side issues. They shape whether agencies can modernise safely.

Contact Essential Eight Security Auditors

This story is not only about delayed responses or withheld details. It is about what the available facts already tell us. Government agencies raised concerns about poor controls, unpatched software, unapproved offshoring, and reliance on too few vendors. That is enough to justify stronger action.

Third-party risk is not abstract. It sits inside contracts, cloud arrangements, support models, codebases, and outsourced operations. If those areas are not reviewed properly, data can move beyond trusted boundaries before anyone realises the exposure.

That is why disciplined assurance, backed by the right infrastructure, matters. Get in touch with CGI: from Essential Eight security audits to independent technical validation, we help organisations gather clear evidence that their vendors are doing what they claim and that their systems remain under control. Contact us today for a safer tomorrow.