The most expensive words in security are often: ‘We thought someone must have checked that.’ Due diligence is a phrase that appears constantly in ethical frameworks, contracts, audits, procurement documents and compliance discussions, but most people are unsure what it means in practice. Unfortunately, asking a few hard questions and having them answered within minutes is not sufficient.
Due diligence is not ‘one size fits all’
If a business stores client information with a cloud provider, due diligence might mean understanding where the data is stored, who can access it and what protections exist if something goes wrong. If a practice adopts an AI note-taking platform, it might mean reviewing how recordings are processed, whether information leaves Australia and what the provider does with retained data. If a company engages an external IT contractor, it might simply mean clarifying how access will be managed and revoked.
Failing to exercise due diligence can be expensive
Australian regulators have increasingly signalled that organisations cannot simply outsource responsibility for security and privacy risks. A widely discussed example was Australian Securities and Investments Commission v RI Advice Group Pty Ltd, where the court found that inadequate cybersecurity practices exposed the organisation to foreseeable risks, despite many of the issues arising across authorised representatives and external environments. The case reinforced an important point: organisations are expected to take reasonable steps to understand and manage the systems and providers they rely upon.
In our experience, organisations rarely fail because they ignored risk completely. More often, they move quickly, assume common platforms must already be safe, or rely on verbal assurances without properly understanding the operational realities underneath them.
Due diligence is not ‘one and done’
Good due diligence is not about eliminating all risk. That is impossible. It is about demonstrating that reasonable steps were taken to understand the risks, make informed decisions and maintain appropriate oversight of the systems handling sensitive information.
And importantly, due diligence is not a one-off exercise. Systems evolve, suppliers change, staff move on and technology that looked sensible three years ago may no longer reflect current expectations around privacy, security or governance. The organisations that manage risk best are usually not the most paranoid. They are the ones that maintain visibility over how their systems actually operate as they grow.