Why physical and supply chain security can’t fall behind

22 February 2026

For several years, executive attention has been focused on the digital threat landscape and the challenges of cyber crime, while investment in physical, personnel and supply chain security has been left playing catch-up. A more coordinated and integrated approach to enterprise security risk will be required in the year ahead. Organisations must understand the broader security landscape as well as their own physical environments, and actively manage their supply chain exposure. Those that do will be better prepared for future disruptions and regulatory scrutiny.

Reframing duty of care in a complex environment

Recent events, at home and abroad, have prompted a shift in how organisations protect their people and assets.

Physical environments, workforce-related risks and third-party exposure in complex ecosystems, such as our critical infrastructure environment, will sit at the centre of this change.

Organisations are also reassessing their duty of care obligations. Boards will expect assurance that sites, events, and facilities are designed for modern threat scenarios that require rapid escalation capability, awareness of shifting crowd dynamics, and coordinated incident and crisis response.

Traditional static assessments are no longer sufficient; more frequent reviews and scenario testing will become the norm.

Supply chain resilience will be tested

Organisations will be held responsible for the actions and failures of their critical suppliers, contractors and service providers. This translates into a need for better visibility of critical suppliers and dependencies, greater contractual clarity around incident notification and response, and due diligence that extends beyond first-tier relationships. McGrathNicol’s third annual Risk and Security Report found that 70% of organisations are failing to conduct due diligence on key suppliers, and 71% are not treating their suppliers’ own security as a key metric in performance and supplier evaluations.

With heightened global risk and regulatory scrutiny, there is increasing emphasis on data sovereignty, operational resilience and cross-border data risk. Prudential expectations, including under APRA standards, require regulated entities to maintain effective oversight of offshore service providers and to ensure continued access, control and auditability of critical data and systems. Similarly, amendments to the Security of Critical Infrastructure (SOCI) Act have expanded the range of entities subject to security and cyber obligations. This reinforces the need for organisations to identify where business-critical data is stored or processed, including offshore, and to assess risks associated with foreign jurisdictional access, supply chain dependencies and service disruption. Organisations that previously fell outside the definition of “critical infrastructure” may be subject to these heightened requirements.

Broadening regulatory scrutiny

Regulatory activity over the next 12 months will prioritise governance, transparency, and demonstrable control. Regulators will focus on practical risk management—including how decisions are made, how risks are owned, and how actions are recorded. Boards and executives should expect closer scrutiny of the assignment of security accountabilities and documentation of decision-making during an incident, as well as clear links between risk assessments and operational actions.

For Australian businesses in 2026, this means risk management programs must be tested to remain compliant, ensuring timely incident reporting and embedding proactive security measures across all cyber, physical, and supply chain operations.

Key actions to take

  • Appoint a responsible person – nominate an experienced executive accountable for all traditional security domains

  • Invest in crisis simulation training – ensure staff preparedness and implement clear command and escalation structures across your organisation

  • Understand your supply chain – develop a supplier criticality framework and guidelines to better understand and maintain appropriate oversight of critical suppliers

  • Consider broad SOCI requirements – regardless of whether you are captured under the SOCI Act, these standards should be applied as ‘best practice’ for organisational Enterprise Security Risk Management
