Partnerships — Law Firms

Your Clients Need Cyber GRC.
You Don't Have to Provide It.

When a client faces a Privacy Act inquiry, a procurement question, or a Board request they can't answer — you refer. We assess. You receive a referral fee and your client gets a result. No overlap with your legal services.

Referral
Fixed fee per engagement
You refer the client. We conduct the assessment. You receive a fixed referral fee. No involvement required beyond the introduction.
Co-Advisory
Joint delivery
You advise on the legal and regulatory dimensions. We deliver the technical GRC assessment. The client receives one coordinated output.
White-Label
Your brand, our methodology
We produce the assessment. You deliver it under your firm's brand. The client sees one provider. No confusion, no conflict.
See an assessment example ↓

What the Assessment Found

Drawn from a combined GRC and passive OSINT engagement, anonymised. We assess the whole picture — governance, external exposure, controls — then rate each finding, map it to a framework, and hand back who should fix it. No systems are ever accessed.

Two abbreviated extracts from real 2026 engagements, anonymised — a healthcare provider and a supply-chain operator. Each is a selection of findings, not the full report, drawn through a combined GRC and passive OSINT lens. Every finding is rated, mapped to a framework, tied to a real precedent, and pointed at who owns the fix. No systems are ever accessed.

3 Critical 6 High 1 Medium
Engagement A

Healthcare Provider

Underinvestment in a high-sensitivity environment — legacy platforms kept alive on a tight budget, in a setting holding some of the most sensitive data there is.

Critical F1 · Legacy PlatformsEnd-of-life platforms, kept in service too long Essential Eight

What we found

The clinical environment ran on legacy software platforms kept in service well past their supported life. Vendor updates had stopped, and they had been kept running because replacing them was treated as a cost to defer rather than a risk to manage.

Why it matters

Once a vendor stops issuing updates, every newly discovered vulnerability stays open permanently. Essential Eight treats patching applications and operating systems as a baseline; an unsupported platform can never meet it.

Left unaddressed

The ASD’s ACSC found inadequate patching behind the majority of the significant incidents it responded to. In one Australian case, attackers exploited an unpatched Microsoft Exchange server and reached full encryption in four days. Unsupported legacy systems are the softest target on any network.

Where this gets owned

Sits with IT, but the call is the board’s. The direction here is to plan for replacing or retiring the platform — and, until then, to make sure someone owns it as a known risk rather than leaving it forgotten. Maps to Essential Eight (patching).

Critical F2 · Access ControlNo multi-factor authentication on the legacy systems Essential EightAPP 11

What we found

The same legacy systems — and the accounts reaching the client records on them — had no multi-factor authentication. A single username and password was the only barrier.

Why it matters

MFA is the control that stops a stolen password from becoming a breach. Without it, one leaked or guessed credential is enough. APP 11 requires reasonable steps to protect the clinical information held.

Left unaddressed

In the Medibank breach (2022): one stolen credential, no MFA, 9.7 million records. The gap was known and unremediated. The result was OAIC proceedings, a $250 million APRA capital add-on, and class actions.

Where this gets owned

A conversation for IT and whoever owns identity. The direction is to bring the systems that can support MFA into line, and to make a conscious decision about anything that cannot. Maps to Essential Eight (MFA) and APP 11.

Critical F3 · Credential ExposureStaff credentials found in breach and infostealer data APP 11

What we found

From public and licensed breach sources only — no systems accessed — valid staff credentials for the provider’s email and remote access were found in breach-corpus and infostealer data. Reused passwords meant one exposure could open several systems.

Why it matters

Exposed, still-valid credentials are the most common way in — attackers log in rather than break in. In a healthcare setting, what those credentials reach is high-harm data.

Left unaddressed

In HWL Ebsworth (2023), a compromised credential on a staff device led to 2.5 million documents stolen. The ASD’s 2024–25 report found compromised credentials the leading initial-access vector in encryption incidents — 42%, up from 23% — with 9,587 exposure notifications issued in a year.

Where this gets owned

One to raise with IT and identity. The direction is to treat the exposed accounts as no longer trustworthy, and to lean less on passwords alone as the only barrier. Maps to Essential Eight (MFA) and APP 11.

High F4 · Human Layer — PhysicalUnattended, unlocked devices in shared clinical areas APP 11

What we found

In shared reception and clinical areas, devices were left unattended and unlocked, with client information visible on screen. Auto-lock was not enforced and there was no clear-screen practice.

Why it matters

The information on those screens is among the most sensitive the organisation holds, and no network control covers a device left open in a waiting room.

Left unaddressed

No intrusion is needed — a patient, visitor, or contractor reads or photographs a screen. Human error is consistently among the leading causes of notifiable breaches reported to the OAIC, and in healthcare the harm is high. It is reportable regardless of how it happened.

Where this gets owned

Sits with clinical or office management, alongside HR. The direction is a simple, consistent habit for shared areas — devices that lock themselves, screens that clear — supported by regular, documented awareness training. Maps to APP 11.

High F5 · Resilience — DR OwnershipNo one owned the recovery plan or the patchwork Essential EightASD

What we found

Governance for disaster recovery had no owner. A recovery plan and a patchwork of backups existed, but no single role was accountable for them, no recovery-time objective was set, and the plan had never been tested end to end.

Why it matters

This was the finding both engagements shared — a healthcare provider and a supply-chain operator, entirely different in every other respect, with the identical governance blind spot. If either were breached, it would be recovering with no one accountable for how. That is a GRC failure, not a technical one.

Left unaddressed

After the HWL Ebsworth breach, review and notification ran for months — some individuals were not told for up to six months. Untested, unowned recovery turns a contained incident into a prolonged crisis, and boards are held to account for resilience they cannot demonstrate.

Where this gets owned

The first fix is ownership itself: someone — business continuity or operations, with the board watching — needs to own the plan, set a recovery target, and confirm it actually works. The direction matters more than the tooling. Maps to Essential Eight (backups) and ASD resilience guidance.

The Healthcare risk profile

Underinvestment concentrates exposure in the top-right — legacy, unpatched, unmonitored. Indicative only: each point is a plausible path to compromise, not a prediction.

High
impact
5
123
Medium
impact
4
Low
impact
Low
Medium
High
Plausibility of exposure →
F1 Legacy end-of-life platforms
F2 No MFA on legacy systems
F3 Staff credentials exposed
F4 Unlocked devices in clinical areas
F5 DR ownership — no owner
Engagement B

Supply-Chain Operator

Operational-technology sprawl — a web of scanners, SaaS integrations, IoT monitoring and fleet telemetry, with more moving parts than anyone had fully mapped.

High F6 · Integration TrustScanner and SaaS integrations with unmanaged trust Essential Eight

What we found

The operation ran on a web of connected systems — barcode and scanner technology feeding a chain of SaaS platform integrations. Trust between those systems was largely unmanaged: credentials and API connections were long-lived, broadly scoped, and rarely reviewed.

Why it matters

Every integration is a doorway. When systems trust each other automatically and no one reviews that trust, a compromise of one platform can move laterally into the rest — and the more integrations, the larger the unseen attack surface.

Left unaddressed

The ASD’s ACSC lists supply-chain and trusted-relationship compromise among the hardest risks to detect, precisely because the access looks legitimate. An over-trusted integration is an open door no alarm treats as suspicious.

Where this gets owned

A conversation for IT and whoever manages the platform relationships. The direction is to know every integration that exists, keep each to only the access it needs, and review them rather than set-and-forget. Maps to Essential Eight (application hardening).

High F7 · Connected Devices / IoTUnaccounted IoT monitoring devices of unverified origin ASDEssential Eight

What we found

Networked IoT monitoring devices — essential to operations but unaccounted for — were connected to the environment and absent from the asset inventory. Several were of unverified overseas origin, unmanaged, and not receiving updates.

Why it matters

A device you have not inventoried is an attack surface you cannot see, and unverified provenance adds a supply-chain and sovereignty question on top. Hardware of unknown origin can behave in ways no one has assessed, on a network carrying operational data.

Left unaddressed

ASD’s ACSC repeatedly warns that edge and operational devices are a favoured route for attackers, and that supply-chain compromise is among the hardest to detect. An unmonitored device of unknown provenance is exactly that blind spot.

Where this gets owned

Sits with IT and operations, alongside procurement. The direction is to know what is actually connected, keep anything unmanaged or of unclear origin at arm’s length from the rest, and confirm provenance before it stays. Maps to Essential Eight (asset visibility) and ASD edge / supply-chain guidance.

Medium F8 · Operational TelemetryFleet GPS and fuel data with unclear ownership APP 11APP 8

What we found

Fleet systems generated a continuous stream of operational and location data — GPS tracking of trucks, fuel and route telemetry, driver activity — with unclear ownership of that data and no defined controls over who could access it or where it was stored.

Why it matters

Location and driver data is personal information, and continuous tracking of employees carries privacy obligations. Data no one owns is data no one protects — and telemetry often flows through third-party platforms without that being assessed.

Left unaddressed

Unowned, unprotected personal data is exactly what the OAIC’s enforcement priorities target. At a breach, the question is not only what was taken, but whether the organisation could even say who was responsible for it. “No one owned it” is not a defence.

Where this gets owned

One for operations and the privacy function together. The direction is to decide who owns the fleet and telemetry data, what may be collected, and where it lives — so it is no longer data that no one is responsible for. Maps to APP 11 and APP 8.

High F9 · Third-Party & SovereigntyOffshore and third-party handling across the chain APP 8

What we found

Across the integration chain, sensitive operational and personal data flowed to third-party platforms — some hosted or controlled offshore — without assessment of their security or the cross-border accountability APP 8 requires. One vendor’s hosting jurisdiction could not be confirmed.

Why it matters

Under APP 8 you remain accountable for what an overseas recipient does with the data. In a sprawling integration chain that accountability is easy to lose track of — and impossible to demonstrate if it was never mapped.

Left unaddressed

In the 2Apply / IRE determination (OAIC, 2026), a third-party platform’s handling of personal data drew a landmark ruling — remedied by a mandated independent review. Independent assurance of third parties is now the outcome regulators impose.

Where this gets owned

Sits with procurement and the privacy function. The direction is to map where the data actually goes, confirm accountability for each recipient, and revisit anything whose location cannot be assured. Maps to APP 8 and APP 11.

High F10 · Resilience — DR OwnershipNo one owned the recovery plan or the patchwork Essential EightASD

What we found

Governance for disaster recovery had no owner. A recovery plan and a patchwork of backups existed, but no single role was accountable for them, no recovery-time objective was set, and the plan had never been tested end to end.

Why it matters

This was the finding both engagements shared — a healthcare provider and a supply-chain operator, entirely different in every other respect, with the identical governance blind spot. If either were breached, it would be recovering with no one accountable for how. That is a GRC failure, not a technical one.

Left unaddressed

After the HWL Ebsworth breach, review and notification ran for months — some individuals were not told for up to six months. Untested, unowned recovery turns a contained incident into a prolonged crisis, and boards are held to account for resilience they cannot demonstrate.

Where this gets owned

The first fix is ownership itself: someone — business continuity or operations, with the board watching — needs to own the plan, set a recovery target, and confirm it actually works. The direction matters more than the tooling. Maps to Essential Eight (backups) and ASD resilience guidance.

The Supply-Chain risk profile

Sprawl spreads exposure across the estate — many moving parts, high impact, harder to see. Indicative only: each point is a plausible path to compromise, not a prediction.

High
impact
710
Medium
impact
69
Low
impact
8
Low
Medium
High
Plausibility of exposure →
F6 Scanner / SaaS integration trust
F7 Unmanaged IoT, unverified origin
F8 Fleet GPS / fuel telemetry
F9 Third-party / offshore handling
F10 DR ownership — no owner

Governance, risk and compliance is the scaffolding that forces an organisation to know what it owns, who owns each risk, and whether its controls can be demonstrated. A documented policy does not stop an intrusion — knowing what is externally exposed, before an attacker does, is what turns an assessment into a defence.

The precedents, on the record

Every consequence cited above is drawn from public regulatory, court, or government records. The findings themselves are anonymised and illustrative of real 2026 engagements.

Risk ratings are indicative assessments of plausible exposure, not predictions of a certain outcome. No client is named or identifiable.

Law Firms That Advise, Not Assess

Your practice covers governance, regulation, and compliance — but not the technical assessment that sits underneath it. That's where we come in.

Privacy & Data Protection

Your client is responding to an OAIC inquiry or preparing for the 2024 Privacy Act amendments. They need an evidence-based assessment of what's actually exposed — not an opinion.

Corporate & M&A

Pre-acquisition due diligence increasingly includes cyber posture. A passive OSINT assessment gives your client a clear picture of the target's external exposure without alerting the market.

Board Advisory

Directors need to demonstrate they've exercised due care on cyber risk. A Board-ready GRC assessment gives them documented evidence of the organisation's external posture.

Regulatory Response

When APRA, the OAIC, or a sector regulator asks questions, your client needs evidence — not assurances. Our assessments provide sourced, framework-mapped findings.

Procurement & Tenders

Government and enterprise procurement increasingly requires GRC evidence. A structured assessment with framework mapping satisfies the requirements your client can't produce internally.

Incident Response Support

After a breach, your client needs to understand what was visible before the incident. A passive assessment reconstructs the external picture without interfering with forensics.

You Refer. We Deliver.

No technical expertise required from your side. No client confusion. No overlap with your legal services.

  • You identify the client need — privacy inquiry, Board request, procurement question
  • You introduce us or we engage directly under your instruction
  • We conduct the passive OSINT assessment — no systems accessed, no client disruption
  • We deliver the report — risk register, framework mapping, Board-level summary
  • You receive a fixed referral fee per engagement
  • Your client gets a result they can take to their Board, their regulator, or their insurer
Scenario

Your client's insurer asks for a cyber posture assessment before renewal

The client calls you. You don't provide cyber assessments — and you shouldn't have to. You refer them to BlackFlag Advisory. We deliver a passive OSINT assessment within 7 days. The client gets the evidence their insurer needs. You receive a referral fee. No scope creep, no technical involvement, no conflict.

Scenario

The Board wants evidence of cyber governance for the annual report

Directors need to demonstrate due care. Your client has no internal cyber assessment capability. You refer them to us. We produce a Board-ready report — framework-mapped, risk-registered, plain English. The directors have documented evidence. You've added value without stepping outside your practice.

Work with us. Not around us.

No lock-in. No minimum commitment. Structured to complement your practice, not compete with it.

Discuss a Partnership →