ASIC Sues Fortnum


ASIC is suing financial advice business Fortnum Private Wealth alleging it failed to properly manage and mitigate cybersecurity risks.

The commission says that in proceedings filed in the NSW Supreme Court, it alleges Fortnum did not meet its obligations as an Australian financial services licensee because it failed to have adequate policies, frameworks, systems and controls in place to deal with cybersecurity risks.

“As a result, ASIC claims Fortnum exposed the company, its authorised representatives and clients of its ARs to an unacceptable level of risk of a cyber-attack or a cybersecurity incident.”

As part of the action, ASIC alleges Fortnum did not:

  • Require that its ARs undertake a prescribed minimum amount of cybersecurity education or training
  • Adequately supervise or monitor the cybersecurity risk management framework of its ARs
  • Have any employees with specialised expertise or experience in cybersecurity or engage a consultant with appropriate expertise to assist with the development of its cybersecurity policy
  • Have a risk management system which addressed cybersecurity or policies, frameworks, systems or controls which enabled the identification and evaluation of cybersecurity risks across its ARs

ASIC says that although Fortnum introduced a specific cybersecurity policy from April 2021, it contends the policy was not an adequate response to the cybersecurity risk the licensee faced.

“Before Fortnum revised its policy in May 2023, several of its ARs experienced cyber incidents. One of these was a cyber attack that ASIC alleges led to a major breach and saw the data of more than 9,000 clients published on the dark web,” the regulator states.

ASIC Chair Joe Longo says: “Fortnum’s alleged failure to adequately manage cybersecurity risks exposed the company, its representatives and their clients to an unacceptable level of risk of a cyber-attack.

“ASIC has been highlighting the cybersecurity responsibilities of companies. Australian financial services licensees, in particular, hold a range of sensitive and confidential information,” he says.

“That is why it is one of our enforcement priorities to act where we see licensees fail to have adequate protections.”

ASIC is seeking a declaration and pecuniary penalty against Fortnum.

Fortnum Private Wealth Response

In a media statement Fortnum Private Wealth Chief Executive Officer, Matt Brown, says the firm strongly refutes ASIC’s allegations that FPW failed to meet its obligations with regard to appropriate cyber controls over the period 2021–2022 and will vigorously defend its position.

He says the firm was notified yesterday by ASIC that it has commenced legal proceedings in relation to alleged breaches of FPW’s general financial services licensee obligations relating to cyber-security risk management.

He notes ASIC’s claim references one main cyber incident and four smaller occurrences in 2021-2022.

“The main incident related to legacy data held by an FPW authorised advisory practice for record keeping purposes, from a prior licensee, for about 9,828 clients. It did not include records where FPW had delivered the advice,” Brown says.

“Regulatory reporting of the incident and any client remediation was completed in a timely manner. There was no client financial loss detected; however, we sincerely regret the concern that those clients may have experienced, at that time.”

Brown says the other four incidents “…related to email phishing attacks that occurred within individual financial advisory practices authorised by FPW, rather than FPW itself. These matters were identified quickly, investigated and confirmed not to have led to any client loss.”

He says: “Our view is that FPW has a strong cyber policy and data protection controls that were in place before these incidents. FPW continues to develop these controls in line with evolving industry standards and the growing threat posed to all by cyber criminals. FPW also believes it has upheld its obligations under its licence.”

Brown says the firm “…takes the protection of client information seriously and we continue to invest in cyber resilience and data protection measures. We understand that we all have a role to play in the financial services industry to deter cyber criminals.”