Virtual Masterclass
Supply chain cyber risk:
Legal obligations & building a defensible third-party risk programme
A half-day CPD masterclass for GCs, in-house counsel and risk leaders. Three structured sessions: your legal obligations, lessons from real breaches, and how to build a programme that holds up when it counts.
Tuesday 29 July 2026 | 3 CPD points each session
Introducing the supply chain cyber risk masterclass
The Supply Chain Cyber Risk Masterclass is a half-day virtual session designed for in-house legal teams and risk leaders who need practical legal and governance tools, not technical cyber theory.
Taking place on Tuesday 29 July 2026, the masterclass brings together a Partner from Norton Rose Fulbright and a leading cyber governance specialist to take delegates from legal obligation through to defensible programme design.
The session is built around the real exposures facing in-house teams in 2026: the Canvas breach, the Medibank and Latitude incidents, and the overlapping framework of the Privacy Act, SOCI Act, Corporations Act and new Cyber Security Act. Delegates won't just hear about these challenges; they will leave with a structured framework for vendor risk governance they can begin applying immediately.
Date: Tuesday 29 July 2026
Time: 11 am – 2 pm AEST
Location: Virtual
Standard: $499 excl. GST
CPD Points: 3 CPD points (substantive) — completed in half a day
CPD breakdown
Field: Substantive Law
Sessions: All three hours
Points: 3 CPD points
Why attend
Because when a third party is breached, you still have to answer for it.
A legal framework, not a technical forum
This session is built for lawyers and risk leaders, not IT teams. Every hour is structured around legal obligations, governance frameworks, and what regulators focus on post-incident.
Led by specialist practitioners
Lisa Fitzgerald (NRF) brings legal authority. Luke Irwin (Aegis Cyber) translates cyber obligations into governance language. Between them, they cover the full picture.
Real cases, applied lessons
Medibank. Latitude. Canvas. Kaseya. An examination of what went wrong, where liability concentrated, and what in-house teams needed to have in place before the incident.
A framework you can use immediately
Hour 3 produces a practical, documented third-party risk governance structure — vendor due diligence, contractual protections, monitoring obligations — ready to apply on Monday morning.
The ISO 27001 question answered
Does certification equal security? We address the gap between vendor assurances and actual risk posture — and what additional steps are required.
3 CPD points in half a day
Substantive CPD accreditation in a focused 3-hour format. No full-day commitment required.
Who should attend
Built for legal and risk professionals with governance accountability.
If your team is responsible for managing vendor relationships and you'd be accountable when one goes wrong, this masterclass is for you.
- General Counsel and Deputy General Counsel
- In-house legal teams with privacy, technology or contracts responsibilities
- Chief Risk Officers and senior risk and compliance leaders
- Company Secretaries and governance professionals
- Legal practitioners advising on cyber, privacy or corporate governance
What you'll leave with
- A clear map of your organisation's legal obligations when a third-party supplier is breached
- An understanding of where director and organisational liability concentrates post-incident
- A framework for assessing and documenting vendor risk that meets the 'reasonable steps' standard
- Practical guidance on vendor contracts, due diligence processes and ongoing monitoring
- Lessons from major Australian and global supply chain breaches — applied to your governance programme
- 3 CPD points (substantive)
“In a crisis, you do not rise to the occasion. You default to your level of training and preparation. If you have never trained or rehearsed, that level is effectively zero.”
Luke Irwin
Inside Small Business
Luke Irwin is one of only 1,300 professionals worldwide to hold the CISSP-ISSMP certification. He writes and speaks regularly on cyber governance for Australian business and legal audiences.
Facilitators
Lisa Fitzgerald
Partner, Norton Rose Fulbright
Lisa is a partner in Norton Rose Fulbright's technology and innovation practice, advising clients on cyber security, data privacy and technology law. She brings deep experience in the legal obligations that arise when organisations face third-party vendor incidents, including regulatory response and litigation exposure.
Luke Irwin
CEO & Principal Consultant, Aegis Cyber (ISSMP, CISSP, CISM)
Luke specialises in translating complex cyber obligations into practical, workable governance programmes for legal and risk teams. He is one of only 1,300 professionals worldwide to hold the CISSP-ISSMP, a high-level executive cybersecurity management certification, and has more than two decades of experience advising boards, executives and business owners on cybersecurity strategy. A recognised commentator on major Australian cyber incidents, Luke has provided expert analysis across national media including ABC National, ABC Brisbane, the Sydney Morning Herald, The Guardian and News.com.au — most recently as a key voice on the Canvas breach.
A structured half-day built for in-house legal and risk teams
Please note: Agenda subject to change
HOUR 1
Understanding supply chain risk and your legal obligations
Led by Lisa Fitzgerald, Partner, Norton Rose Fulbright
A structured session on the overlapping legal framework that applies when a third-party vendor is the source of a breach.
Covers Privacy Act APP 11, SOCI Act critical infrastructure obligations, Corporations Act director duties, and the new Cyber Security Act, and how these obligations interact when your organisation did not cause the incident but is still exposed by it.
Includes a practical walkthrough of where 'reasonable steps' most commonly breaks down and what regulators focus on post-incident.
HOUR 2
When it goes wrong: case study analysis
Lisa Fitzgerald & Luke Irwin, CEO & Principal Consultant, Aegis Cyber
A structured examination of major supply chain incidents such as Medibank, Latitude, Qantas, Canvas, Kaseya and others — viewed through both a legal and cyber lens.
Lisa and Luke work through each case together: what the legal exposure was, what governance failures made it worse, and what the organisation's in-house team needed to have in place before the incident occurred.
Delegates leave with a clear picture of how liability concentrates in practice, not just in theory.
HOUR 3
Building a defensible third-party risk programme
Led by Luke Irwin, CEO & Principal Consultant, Aegis Cyber
A practical, framework-driven session on what a defensible third-party risk programme actually looks like. Covers vendor due diligence processes, contractual protections, ongoing monitoring obligations, and how to document your programme in a way that would withstand regulatory scrutiny or litigation.
Includes an honest assessment of industry certifications — what ISO 27001 does and doesn't tell you, and what additional steps are required. Delegates leave with a structured framework they can begin applying immediately.
Frequently asked questions
No. This is a legal and governance masterclass. It is designed for lawyers and risk leaders, not IT or security teams. Technical concepts are translated into legal and governance language throughout.
Please contact eventsanz@thomsonreuters.com for transfer and cancellation enquiries.
Contact the events team at eventsanz@thomsonreuters.com
Secure your spot
Register now for $499 excl. GST. 3 CPD points. Half a day. All online. When a vendor is breached, the obligations land with you. This masterclass gives you the legal framework, the lessons from real incidents, and a governance programme you can implement immediately.
Contact us
Attendee inquiries: eventsanz@thomsonreuters.com