Who proactively asks their software stack providers about security?

Great point fraser-jack something I know we need to be more diligent about gathering, I would think less than 10% would have any evidence on file, hopefully I'm wrong.

Good question and I'd agree with JennyB

Fraser, we have an external IT guy who has ensured that we have all the necessary programs in place for cyber security, he also provides us with due diligence on any providers doesn't mean he is always happy with the answers he gets, however having someone external is a good thing for us as we would not be looking at this all the time.

Foe those who are not aware, the Iress Community now has a self serve section in the Trust Centre Knowledge Base.

This is a great first port of call for locating any of the standard Due Diligence documentation regarding Xplan and Iress.

I'm glad ASIC is keeping cybersecurity top of mind. Regarding supply chain risk, my guess is fewer than 20% of firms have proactively vetted their software vendors' security. Many see it as the vendor's responsibility. But we must take ownership too. If we don't ask the tough questions, we may be caught unaware. I think framing security reviews as collaborative partnerships, not interrogations, can open doors. Protecting client data is a shared priority.