ASIC Sues Fortnum Private Wealth Over Alleged Cybersecurity Failures
Key Takeaways
- ASIC Takes Fortnum to Court: The Australian Securities and Investments Commission has filed a civil lawsuit against Fortnum Private Wealth for allegedly failing to meet its cybersecurity obligations as a financial services licensee.
- Thousands of Clients Exposed: ASIC alleges that a cyberattack on one of Fortnum’s representatives led to a breach involving more than 9,000 client records, which were later published on the dark web.
- Lack of Cyber Expertise and Oversight: The firm allegedly had no cybersecurity-trained staff, no external consultants, and failed to monitor or train its network of authorised representatives on cyber risk.
- Policy Gaps Cited: While Fortnum introduced a cybersecurity policy in 2021, ASIC claims it was inadequate until revisions were made in 2023, after multiple incidents had already occurred.
Deep Dive
Australia’s corporate and financial services regulator has launched civil proceedings against Fortnum Private Wealth, accusing the advice firm of neglecting basic cybersecurity obligations and exposing thousands of clients to significant data risks, including one breach that allegedly saw sensitive client information surface on the dark web.
In a lawsuit filed with the Supreme Court of New South Wales, the Australian Securities and Investments Commission (ASIC) alleges that Fortnum failed to meet its legal duties as an Australian financial services licensee by not having adequate systems, expertise, or oversight in place to manage cybersecurity risks across its business and its network of authorised representatives (ARs).
ASIC’s case centers on claims that Fortnum lacked any meaningful cyber governance for years. The firm reportedly had no employees with cybersecurity expertise, didn’t hire external specialists to support cyber risk policy, and failed to require its representatives to undertake basic cyber training. It also allegedly didn’t monitor or supervise the cybersecurity controls used by its ARs, despite the fact that these representatives held large volumes of personal data on Australian consumers.
While Fortnum introduced a cybersecurity policy in 2021, ASIC contends the policy was insufficient and failed to address systemic weaknesses. According to the regulator, prior to a 2023 policy update, several representatives experienced cybersecurity incidents, including a major attack that led to the exposure of data belonging to over 9,000 clients.
“Fortnum’s alleged failure to adequately manage cybersecurity risks exposed the company, its representatives and their clients to an unacceptable level of risk of a cyber-attack,” said ASIC Chair Joe Longo. He added that financial services licensees “hold a range of sensitive and confidential information” and warned that enforcement action would follow where firms fail to implement adequate protections.
As part of the action, ASIC is seeking a declaration from the court and financial penalties against Fortnum. The lawsuit marks another example of ASIC’s sharpened focus on cybersecurity failings, particularly in financial services where the regulator has said poor cyber governance can translate directly into harm to investors and consumers.
The firm has not yet issued a public response to the allegations. The case is ongoing.
Published by The GRC Report.