ASIC Takes Action Against Fortnum Private Wealth Over Cybersecurity Failures

The Australian Securities and Investments Commission (‘ASIC’) has commenced legal proceedings against Fortnum Private Wealth Ltd (‘Fortnum’) in relation to alleged deficient cybersecurity measures, which ASIC contends breached Fortnum’s obligations as a financial services licensee under the Corporations Act 2001 (Cth) (‘Corporations Act’) .

As discussed in our article on ASIC’s 2025 enforcement priorities, the investigation and enforcement action taken by the regulator reflects ASIC’s focus on the cybersecurity measures taken by Australian Financial Services License (‘AFSL’) holders. The duties that AFSL holders have under section 912A of the Corporations Act extend to ensuring adequate cybersecurity, as it forms a “significant risk connected with the… provision of financial services.”

The proceedings against Fortnum reinforce our recommendation that AFSL holders should consider the adequacy of their cybersecurity systems and data privacy strategies. In particular, ASIC’s action emphasises the importance of proactive policies, education, and risk management for AFSL holders and financial service providers more broadly.

Background

ASIC alleges that between 20 April 2021 and 11 May 2023, Fortnum contravened the Corporations Act by failing:

• to ensure that financial services were provided efficiently, honestly and fairly by not implementing adequate cybersecurity policies to manage and mitigate risks;
• to provide adequate education or training to Authorised Representatives (‘ARs’) on cybersecurity;
• to implement adequate processes, systems or frameworks for oversight and monitoring of ARs regarding cybersecurity risk and cyber resilience; and
• to have adequate resources to provide financial services and carry out supervisory arrangements, nor did it ensure that ARs were adequately trained and competent to provide financial services.

ASIC claims that Fortnum acts and omissions with respect to cybersecurity exposed the company, its ARs, and clients to an unacceptable level of risk of a cybersecurity incident.

The proceedings commenced against a backdrop where there had been several cybersecurity incidents which affected Fortnum’s ARs, including phishing attacks, email account compromises, and a major data breach which saw the exfiltration and publication of more than 200 GB of data relating to almost 10,000 clients. Despite these incidents, Fortnum is alleged not to have implemented any measures to improve its cybersecurity policies, frameworks, systems, or controls.

ASIC is seeking a declaration that Fortnum contravened its obligations under the Corporations Act, as well as orders that could see Fortnum pay a pecuniary penalty to the Commonwealth and pay ASIC’s costs in bringing the proceedings. The maximum penalty which Fortnum could be liable for is the greatest of 50,000 penalty units ($16.5 million) or 10% of its annual turnover for the 12-month period ending April 2021.

Key Cybersecurity Failures

Despite the significant cybersecurity risks faced by financial services providers, Fortnum is alleged not to have adequate policies to manage and mitigate these risks prior to 11 May 2023.

The company's first cybersecurity policy was introduced on 20 April 2021. ASIC contends this policy was insufficient for the following reasons:

• The previous policy had not mandated that individual advisory firms in their employ (referred to as ‘Principal Practices’) consult with Fortnum when identifying cybersecurity gaps. It allowed Principal Practices to engage consultants without ensuring they had appropriate expertise. It also did not require Principal Practices to address identified cybersecurity weaknesses, and it made advanced cybersecurity strategies optional rather than mandatory;
• ASIC alleges that Fortnum failed to enforce compliance with its own cybersecurity policy. Only 44% of Principal Practices completed the required self-assessments, and just 11% completed attestations by their own deadline;
• Fortnum experienced significant delays in updating its policies. Despite recognising that its cybersecurity requirements were not sufficient in mid-2022, Fortnum delayed implementing updated policies until May 2023. This created a 12-month gap without adequate interim measures to address the identified deficiencies;
• Fortnum did not require its Authorised Representatives (ARs) to undertake any minimum amount of cybersecurity education or training;
• Fortnum lacked sufficient expertise in cybersecurity matters. The company did not employ staff with specialised cybersecurity expertise, nor did it engage appropriate consultants when developing its cybersecurity policies; and
• Despite statutory obligations, Fortnum lacked a comprehensive risk management system that adequately addressed cybersecurity risks.

Key Takeaways

This case serves as a stark reminder that financial services licensees must take cybersecurity seriously as part of their regulatory obligations. The action against Fortnum demonstrates ASIC's increasing focus on ensuring that licensees have robust cybersecurity frameworks in place to protect sensitive client information.

AFS licensees must ensure they take threat actors and cybersecurity vulnerabilities seriously. ASIC are focusing on this space, and it is important for businesses to take proactive steps to protect themselves and clients from cyber threats and reduce the risk of regulatory action.