Managing third-party and cloud dependency risks - strategies for stronger resilience

The recent global AWS outage was a timely reminder of a truth many organisations quietly acknowledge but rarely address head-on: our digital resilience often depends on just a handful of cloud providers. 

What started as a technical issue in one region quickly rippled across industries and geographies, disrupting critical applications, customer services, and operational processes. For many, the outage didn’t just test incident response; it exposed how dependent organisations have become on the uninterrupted availability of a single platform. 

The new systemic risk - cloud concentration 

Over the past decade, organisations have embraced cloud at scale, consolidating systems and data onto platforms like AWS, Microsoft Azure, and Google Cloud. This has brought speed, innovation, and scalability, but it has also created concentration risk. 

A growing dependency on a small number of hyperscalers means that a single outage can cascade globally, disrupting not only direct customers but also third-party services embedded throughout supply chains. Recognising this risk, Australian regulators have elevated cloud and third-party resilience to a board-level priority: 

• APRA’s CPS 230 places operational resilience and third-party dependency management squarely on the board agenda - a priority further explored in our CPS 230 report 
• ASIC’s cyber resilience guidance urges directors to understand reliance on key providers and the cascading impacts of service disruptions 
• CISC’s Overview of Cyber Security Obligations for Corporate Leaders reinforces the role of Boards and executives in shaping organisational resilience, particularly for critical infrastructure. 

Cloud concentration risk is no longer just a technology concern; it is a strategic and governance issue. 

Indirect dependencies - the hidden exposure 

Many organisations significantly underestimate their indirect exposure. Even when critical systems are not hosted directly on major cloud platforms, third-party vendors and SaaS providers often are. A single cloud outage can therefore disrupt essential business processes in unexpected ways, from payroll and collaboration tools to operational technologies. 

BDO-sponsored IDC Security Survey findings identified third-party and supply chain risk management as one of the most common weaknesses in cyber security programs. While supply chain threats are consistently rated among the top risks, they remain low on executive prioritisation agendas, creating an awareness–execution gap. When a shared platform or key vendor is compromised, that gap turns into real-time operational exposure. 

Oversight practices also lag behind the threat landscape. Vendor risk management is often fragmented across IT, security, operations, and procurement, relying on static onboarding questionnaires rather than continuous, intelligence-led monitoring. According to our global research, 42 per cent of leaders say their organisation lacks the infrastructure and skills needed to effectively manage such disruptions. As recent global outages have shown, many organisations only discover their exposure during a crisis, struggling to maintain critical operations. 

Regulators are increasingly directing attention to this very issue. 

• The ASD/ACSC Cloud Computing Security Considerations guidance calls for organisations to identify and manage both direct and indirect dependencies 
• CISC’s Overview of Cyber Security Obligations for Corporate Leaders align with SOCI Act requirements, making third-party resilience a clear leadership responsibility 
• APRA’s CPS 230 requires mapping critical dependencies, testing disruption scenarios and actively managing third-party risk. 

Indirect dependencies are no longer a secondary concern; they are a strategic resilience gap that boards, audit and risk committees, and executives must address through integrated oversight, continuous monitoring, and scenario testing rather than reactive crisis management. 

Moving beyond ‘Are we impacted?’ 

Traditional incident response often starts with a narrow question: Are we impacted? 

But in today’s environment, the more important questions are: 

• How exposed are we - directly and indirectly? 
• How well can we recover if our primary cloud platform fails? 
• How prepared are we if one of our critical third-party providers becomes unavailable? 
• And how can we reduce concentration risk across our critical business services? 

ASIC’s board guidance on cyber resilience underscores the importance of these questions, while CISC’s obligations framework makes clear that boards and directors must actively oversee how their organisations prepare for and respond to major incidents to avoid instances of passively receiving updates after the fact. 

Building strategic resilience - what good looks like 

Many organisations assume that resilience is something their cloud provider or critical vendor will take care of. In reality, resilience can’t be outsourced. It must be intentionally designed, tested, and governed. 

Our global research shows that while most organisations have already migrated to cloud, many have ‘lifted and shifted’ legacy systems rather than redesigning them for resilience. This approach often amplifies concentration and third-party risks instead of reducing them. In parallel, third-party risk management remains one of the weakest areas of cyber programs, leaving organisations exposed when a key provider fails or is disrupted. 

Strategic resilience requires deliberate design choices and governance. This includes: 

• Mapping critical dependencies across infrastructure, applications, and third-party services to identify single points of failure 
• Scenario testing, including hyperscaler outages or critical vendor failure exercises, to validate recovery capabilities and decision-making pathways 
• Diversification strategies, such as multi-cloud or hybrid models, where appropriate 
• Robust contractual frameworks that clearly define service levels, incident communications, and recovery timelines 
• Integration with business continuity and crisis management plans, ensuring disruptions are treated as enterprise-wide risks, not just IT incidents 
• Embedding third-party risk management throughout the vendor lifecycle - from onboarding and contracting to continuous monitoring and secure exit strategies. 

Building strategic resilience requires more than relying on cloud providers to ensure continuity. It demands proactive design, rigorous testing, and strong governance to anticipate and withstand disruption. Organisations that invest in resilience today will be better positioned to sustain critical operations and recover effectively when major incidents occur. 

Questions for boards and audit and risk committees to ask 

Boards and audit and risk committees play a critical role in ensuring their organisations are prepared for cloud or third-party disruptions. Key areas to probe include: 

1. Exposure and dependencies 

• Which critical services depend directly or indirectly on a single cloud provider? 
• How well do we understand our critical third-party and supply chain dependencies, and how often do we review them? 
• Do we have an up-to-date dependency map that identifies single points of failure? 

2. Preparedness and response 

• How frequently do we test outage scenarios involving major cloud providers or critical third parties? 
• How quickly could we restore critical services or switch to fallback modes? 
• Do we have clear escalation pathways for vendor or supply chain failures? 

3. Governance and accountability 

• Who is accountable for cloud and third-party resilience at the executive level? 
• How are cloud concentration and third-party risk reflected in our risk register and reporting? 
• Do we have clear communication and escalation protocols for third-party incidents? 

4. Risk mitigation and strategy 

• Are we actively evaluating multi-cloud or hybrid strategies where appropriate? 
• How do our insurance, regulatory, and contractual obligations respond to large-scale provider or supply chain outages? 
• What mechanisms are in place to continuously assess and monitor third-party risk — beyond onboarding due diligence? 

Future-proofing organisational resilience 

Cloud adoption and third-party dependencies have transformed how organisations operate, but they’ve also created new points of systemic vulnerability. Recent global outages have shown how quickly a single disruption can cascade across supply chains, halting critical services and exposing resilience gaps. 

Organisations that adopt a ‘prepare, not just react’ mindset supported by structured governance, dependency mapping, and continuous monitoring will be better positioned to withstand future disruptions. As the operating environment evolves, it’s essential to: 

• Set clear resilience objectives aligned with business strategy and risk appetite 
• Continuously monitor dependencies and risk indicators, including those tied to critical cloud and third-party providers 
• Align with evolving regulatory expectations to ensure operational resilience and compliance remain in step 
• Test and refine response capabilities through scenario exercises and crisis simulations. 

By embedding these principles into their resilience strategy, organisations can strengthen their ability to anticipate, absorb and recover from disruptions, turning systemic dependency risk into a strategic advantage rather than an operational weakness. 

How BDO can help 

This Cyber Awareness Month, take a proactive step toward strengthening your organisation’s cyber resilience. Our cyber security team supports organisations to design and implement robust AI governance strategies, helping you manage risk, meet regulatory obligations, and future-proof your AI adoption.