A 21-day, board-ready review of your school's cyber posture. Independent advisory. Plain language. No vendor agenda.
The Instructure / Canvas incident affected 8,809 institutions globally. 122 in Australia. State education departments in five states. Independent schools and major Australian universities publicly named.
The acute IT phase is over. The governance phase is not. The Office of the Australian Information Commissioner has directed complaint handling back to the schools themselves. Each school's Notifiable Data Breaches scheme assessment is its own to make – Instructure being the breached entity does not discharge the obligation.
Boards across the country are deciding this month what they did, what they are doing, and what they will say if asked. The schools that handle this well will not be the ones with the most technical controls. They will be the ones with the cleanest governance answer.
The questions now sit at governance level. The schools that handle this term well will not be those with the most technical controls. They will be those whose answers are clean.
These are answerable. They require a board-grade view of the school's posture, written for governors, not for IT staff.
Three engagement structures, designed for the decisions a board needs to make. Each is delivered by Corvian principal-level advisors. Each produces a board-grade report written for governors. Each can begin within ten business days of signing.
Cyber posture for a school sits across seven domains. Corvian assesses all seven in every engagement.
The technical perimeter — segmentation, monitoring, patching, configuration baselines, third-party network access. Assessed by Corvian's advisors against current sector benchmarks.
Who has access to what, on whose authority, and what happens when someone leaves. Single sign-on configuration. Privileged account hygiene. Multi-factor enforcement.
The platforms the school relies on. Learning management systems. Finance and HR. Communications and parent portals. Payment processors. Each is a potential ingress.
What student data is held, where, by whom, and under what retention rules. Disclosure pathways. Parent and student access rights. Cross-border transfers.
What happens in the first 24 hours of an incident. Escalation lines. Decision authority. Vendor coordination. Communications protocol. Tested or untested.
Who owns cyber risk at the school. How it is reported to the board. Frequency, format, and decision rights. Whether the right questions are being asked at the right level.
The cultural and procedural layer. Phishing resilience. Acceptable use. Onboarding and offboarding. Parent and student-facing communications protocols.
Corvian Partners is an independent strategic advisory firm. The firm advises boards and executive leadership on dispute resolution, regulatory strategy, crisis advisory, strategic negotiation, and reputation strategy. The firm holds no vendor relationships, accepts no commissions, and sells no products. Its advice is loyal only to the client.
The schools cyber programme is delivered by Corvian's principal-level advisors. Engagements are staffed by partners. There is no visible delegation to junior staff. The board briefing is led by the same individual who scoped the engagement.
William advises boards and private principals on complex regulatory, governance, and reputational matters across dispute resolution, crisis advisory, regulatory strategy, and strategic negotiation. His operating philosophy: rights and risk frameworks must be defined with clarity before crisis defines them at the highest possible cost.
His work on online safety, image-based abuse, and platform governance includes engagement with StopNCII.org and the National Center for Missing & Exploited Children, and a submission to the Joint Select Committee on Social Media and Australian Society. In 2024 he joined a Kaspersky-convened panel to discuss intimate image abuse in hyper-connected digital relationships.
William leads Corvian's schools cyber programme directly. The board briefing in every engagement is delivered by him personally.
Alexander leads Corvian's delivery practice. He oversees engagement scoping, delivery quality, and the firm's day-to-day operations. For the schools cyber programme, Alexander coordinates engagement workflow, manages the firm's third-party advisor network, and runs the operational interface with the school during delivery.
Engagement quality at Corvian sits with him. Every deliverable that reaches a client passes through his review. The firm's commitment to partner-staffed engagements is operationalised by him.
He completed his Bachelor of Laws (Honours) at Griffith University in 2026.
Corvian Partners is independent of all education technology vendors, IT service providers, and software platforms.
A direct conversation with William. You describe the school's profile and the board-level questions in front of you. He responds with what Corvian is seeing across the sector and what a board-ready posture answer for a school like yours looks like. No proposal, no sell.
If the engagement makes sense, Corvian sends a single-page proposal within 48 hours. Scope, fee, timeline, named delivery lead. No fine print.
Once signed, the engagement begins within ten business days. The first site visit is in Week 1. The board report is delivered in Week 3 or Week 4.
Your IT provider handles delivery. Corvian sits at the governance layer above – independent of any vendor, focused on the board-grade questions a delivery provider is not positioned to answer. The two roles complement each other. Corvian's report often informs the next conversation with the school's existing IT provider rather than replacing it.
A penetration test attacks the technical perimeter to find specific vulnerabilities. The Board-Ready Cyber Posture Assessment is broader – it covers technical posture, governance, accountability, incident response, and third-party exposure together. The output is a board document, not a technical findings register. A penetration test sits inside a broader cyber programme. This assessment is the programme.
The report is delivered to the head of school and board chair only, in the form they authorise. Corvian Partners holds the engagement under standard professional confidentiality. No findings are shared, published, or referenced externally. The engagement letter sets this out explicitly.
Yes. Most engagements are funded from risk, governance, or board reserve budgets rather than IT operating budgets. The assessment is a governance instrument, not an IT spend. Corvian provides supporting documentation for budget approval where needed.
Only to the extent you choose. The assessment does not require disclosure of prior incidents. Where the school does share that history, it is treated under engagement confidentiality and informs scoping only.
Selectively, yes. Corvian's engagement model is built around the procurement cadence of independent and Catholic schools. State school engagements are accepted on a case-by-case basis where the school has decision authority and budget within the published pricing. System-level engagements with state departments or regional offices are evaluated separately.
The conversation that informs your next board paper. Direct with William. No obligation.