A Council-Level Cyber Assurance Review delivered by Corvian partners. Independent of all vendors and panel arrangements. From $85,000.
A direct response from William O'Halloran, Executive Director of Corvian Partners, within 48 hours of enquiry.
The Instructure / Canvas incident affected 8,809 institutions globally. 122 in Australia. State education departments in five states. Eight named Australian universities and the Australian Catholic University publicly impacted. The acute incident phase is over. The Council accountability phase is just starting.
122 Australian institutions confirmed impacted. Eight Australian universities publicly named. The OAIC has directed complaint handling back to each affected institution.
The Office of the Australian Information Commissioner has directed complaint handling back to affected institutions. Notifiable Data Breaches scheme obligations sit with the institution, not the platform. Council Audit & Risk Committees across the sector are now asking a question they did not need to ask formally before: has the Committee had independent visibility on the institution's cyber posture, or is the Committee relying on what management has told it.
For institutions with internal cyber teams and established vendor relationships, the question is not whether the response was competent. It is whether Council has independent assurance of that competence — assurance that does not flow through the same management line that owns the underlying delivery.
This is the question being asked at Council Audit & Risk Committees across the sector this term. It is answerable. It requires assurance that is independent of management, independent of the institution's existing technology providers, and delivered in a form the Committee can defend.
Corvian Partners conducts a Council-Level Cyber Assurance Review as a single, scoped engagement commissioned directly by the Council or its Audit & Risk Committee. The engagement is delivered by Corvian partners — no junior delegation visible to the institution — and produces an audit-style independent assurance report addressed to the Committee that commissioned it.
Engagements run 6 to 10 weeks. Scope is set in consultation with the Committee chair and the Vice-Chancellor's office before commencement. The institution's CIO, CISO, and internal cyber team are engaged as collaborators in the review process — not as the source of the assurance. The deliverable comprises a Council paper, an executive summary, technical appendices, and a Council briefing session held by William O'Halloran.
Fees from $85,000. Engagements scoped per institution. Corvian Partners holds no panel arrangements with the institution's existing technology providers, sells no security products, and accepts no commissions.
Request a Council BriefingEach engagement covers five components, scoped per institution.
A direct review of the institution's response to the Canvas incident: the technical actions taken, the governance decisions made, the Notifiable Data Breaches scheme assessment, the communications to affected parties, and the documentation supporting Council reporting. Findings address whether the response was adequate and where gaps remain.
A review of the institution's broader vendor risk register and assurance arrangements. Cloud providers, learning management systems, financial systems, research collaboration platforms, student information systems. The framework, the controls, the visibility, the gaps.
A review of what cyber risk information reaches Council, in what form, at what cadence, and with what decision-rights. Identification of structural gaps in the institution's escalation and reporting lines. Recommendations on a forward-looking Council reporting protocol.
A live tabletop exercise with executive leadership, including communications protocols for staff, students, donors, research partners, government stakeholders, and media. Findings on the institution's actual — not documented — incident response posture.
A 12-month and 36-month posture roadmap, sized to inform the institution's next strategic plan and capital budget cycle. Recommendations are independent of any technology vendor, panel arrangement, or product procurement decision the institution may have under consideration.
The value of a Council-Level Cyber Assurance Review depends on the independence of the firm conducting it. A review delivered by a firm that simultaneously sells the institution security products, holds panel arrangements with the institution's existing technology providers, or earns commissions on adjacent procurement decisions is not an independent assurance instrument. It is a sales engagement with a deliverable attached.
Corvian Partners holds no panel arrangements with technology providers. The firm sells no security products. It accepts no commissions on adjacent procurement. Its review is loyal only to the Council that commissioned it. This independence is the central asset of the engagement and the reason its findings carry weight at Audit & Risk Committee level.
The institutions that derive the most value from a council-level assurance review are those whose existing technology arrangements are sufficiently complex that no incumbent firm can credibly assess them.
Corvian Partners is an independent strategic advisory firm. The firm advises boards and executive leadership on dispute resolution, regulatory strategy, crisis advisory, strategic negotiation, and reputation strategy. The firm holds no vendor relationships, accepts no commissions, and sells no products. Its advice is loyal only to the client.
The Council-Level Cyber Assurance Review is delivered by Corvian partners. Engagements are staffed by partners. There is no visible delegation to junior staff. The Council briefing is led by the same individual who scoped the engagement.
William is a solicitor and the founder of Corvian Partners. He advises boards and private principals on complex regulatory, governance, and reputational matters across dispute resolution, crisis advisory, regulatory strategy, and strategic negotiation. His operating philosophy: rights and risk frameworks must be defined with clarity before crisis defines them at the highest possible cost.
His work on online safety, image-based abuse, and platform governance includes engagement with StopNCII.org and the National Center for Missing & Exploited Children, and a submission to the Joint Select Committee on Social Media and Australian Society. In October 2024 he joined a Kaspersky-convened panel with David Emm (Kaspersky), Frances Ridout (Queen Mary University of London), and Izzy Petherick to discuss intimate image abuse in hyper-connected digital relationships.
William leads Corvian's Council-Level Cyber Assurance Reviews directly. The Council briefing in every engagement is delivered by him personally.
Alexander leads Corvian's delivery practice. He oversees engagement scoping, delivery quality, and the firm's day-to-day operations. For the Council-Level Cyber Assurance Review programme, Alexander coordinates engagement workflow, manages the firm's third-party advisor network, and runs the operational interface with the institution during delivery.
Engagement quality at Corvian sits with him. Every deliverable that reaches a client passes through his review. The firm's commitment to partner-staffed engagements — no junior delegation visible to the client — is operationalised by him.
He completes his Bachelor of Laws (Honours) at Griffith University in [CONFIRM: month] 2026.
Corvian Partners is independent of all education technology vendors, IT service providers, and software platforms.
The Council-Level Cyber Assurance Review does not replace the institution's internal cyber function. It provides Council with independent assurance — assurance that does not flow through the management line that owns delivery. The internal team is engaged as collaborators in the review, not as the source of the assurance. The two roles are complementary. Most institutions commission this work because their internal team is competent, not because it is not.
In four ways. Engagements are partner-led throughout — there is no visible junior delegation. Corvian holds no panel arrangements with the institution's existing technology providers and sells no security products, so the firm's findings cannot be biased by adjacent commercial relationships. Delivery runs in weeks rather than quarters. The deliverable is addressed directly to the Audit & Risk Committee, not filtered through management.
The deliverable comprises an audit-style independent assurance report, a Council paper, an executive summary, technical appendices, and a Council briefing session delivered by William O'Halloran. The report is addressed to the Council Audit & Risk Committee (or equivalent body) that commissioned the engagement. Distribution and confidentiality protocols are set by the Committee.
Corvian Partners does not seek panel placements. The firm's value proposition depends on declining the procurement-panel relationships that other firms accept. Engagements are commissioned directly by Council, the Vice-Chancellor's office, or the Audit & Risk Committee, under the institution's standard professional services arrangements outside of cyber-vendor panels.
Corvian Partners declares its position on every engagement: no security product sales, no panel arrangements with the institution's existing technology providers, no commissions on adjacent procurement, no white-label or reseller relationships. The engagement letter sets this out as a contractual term. Where the institution requests, Corvian provides a written declaration of independence to accompany the Council paper.
Six to ten weeks from engagement commencement to final Council briefing. Scoping takes 1–2 weeks before commencement. Council and executive briefings are coordinated with the institution's existing meeting cadence.
A direct response from William O'Halloran, Executive Director of Corvian Partners, within 48 hours of enquiry. The briefing itself is held by Proton Meet, 30 minutes, scheduled at the institution's convenience.
