ASIC sues Fortnum Private Wealth over alleged cyber security breach



ASIC has filed proceedings in the NSW Supreme Court alleging that Fortnum Private Wealth failed to meet its AFSL obligations because it lacked adequate policies, frameworks, systems and controls to deal with cyber security risks.
According to ASIC chair Joe Longo, the alleged failures to adequately manage cyber security risks “exposed the company, its representatives and their clients to an unacceptable level of risk of a cyber attack”.
The action relates to a number of cyber breaches dating back to 2021 and 2022, one of which ASIC referred to as a “major breach” that led to more than 9,000 clients’ data being published on the dark web.
While ASIC acknowledged that Fortnum had introduced a specific cyber security policy from April 2021, the regulator said it “was not an adequate response to manage cyber security risk”.
Fortnum, which is a subsidiary of Entireti, revised its policy in May 2023 following the prior incidents.
“ASIC has been highlighting the cyber security responsibilities of companies. Australian financial services licensees, in particular, hold a range of sensitive and confidential information,” Longo said. “That is why it is one of our enforcement priorities to act where we see licensees fail to have adequate protections.”
Fortnum chief executive Matt Brown, however, said the firm “strongly refute” the allegations and will “vigorously defend our position”.
“Fortnum Private Wealth (FPW) was notified yesterday by the ASIC that it has commenced legal proceedings in relation to alleged breaches of FPW’s general financial services licensee obligations under the Corporations Act 2001 (Cth) relating to cyber security risk management,” Brown explained.
“ASIC’s claim references one main cyber incident and four smaller occurrences in 2021–2022. The main incident related to legacy data held by a FPW authorised advisory practice for record keeping purposes, from a prior licensee for about 9,828 clients. It did not include records where FPW had delivered the advice.
“Regulatory reporting of the incident and any client remediation was completed in a timely manner. There was no client financial loss detected; however, we sincerely regret the concern that those clients may have experienced, at that time.”
According to the CEO, the other matters were related to email phishing attacks against individual advice firms that Fortnum authorised, again noting investigations confirmed there were no client losses.
“Our view is that FPW has a strong cyber policy and data protection controls that were in place before these incidents. FPW continues to develop these controls in line with evolving industry standards and the growing threat posed to all by cyber criminals. FPW also believes it has upheld its obligations under its licence,” Brown added.
“FPW takes the protection of client information seriously and we continue to invest in cyber resilience and data protection measures. We understand that we all have a role to play in the financial services industry to deter cyber criminals.”
ASIC’s allegations against Fortnum include that the firm did not:
- Require that its ARs undertake a prescribed minimum amount of cyber security education or training.
- Adequately supervise or monitor the cyber security risk management framework of its ARs.
- Have any employees with specialised expertise or experience in cyber security or engage a consultant with appropriate expertise to assist with the development of its cyber security policy.
- Have a risk management system which addressed cyber security or policies, frameworks, systems or controls that enabled the identification and evaluation of cyber security risks across its ARs.
The regulator said it is seeking a declaration and pecuniary penalty against Fortnum.