ASIC Sues Fortnum Wealth Over Cybersecurity Failures

ASIC

ASIC is suing financial advice business Fortnum Private Wealth Limited alleging it failed to properly manage and mitigate cybersecurity risks.

In proceedings filed in the NSW Supreme Court, ASIC alleges Fortnum did not meet its obligations as an Australian financial services licensee because it failed to have adequate policies, frameworks, systems and controls in place to deal with cybersecurity risks.

As a result, ASIC claims Fortnum exposed the company, its authorised representatives (ARs) and clients of its ARs to an unacceptable level of risk of a cyber-attack or a cybersecurity incident.

While Fortnum introduced a specific cybersecurity policy from April 2021, ASIC contends the policy was not an adequate response to manage cybersecurity risk.

Before Fortnum revised its policy in May 2023, several of its ARs experienced cyber incidents. One of these was a cyber attack that ASIC alleges led to a major breach and saw the data of more than 9,000 clients published on the dark web.

ASIC Chair Joe Longo said, 'Fortnum's alleged failure to adequately manage cybersecurity risks exposed the company, its representatives and their clients to an unacceptable level of risk of a cyber-attack.'

'ASIC has been highlighting the cybersecurity responsibilities of companies. Australian financial services licensees, in particular, hold a range of sensitive and confidential information.

'That is why it is one of our enforcement priorities to act where we see licensees fail to have adequate protections,' Mr Longo said.

As part of the action, ASIC alleges Fortnum did not:

  • require that its ARs undertake a prescribed minimum amount of cybersecurity education or training,
  • adequately supervise or monitor the cybersecurity risk management framework of its ARs,
  • have any employees with specialised expertise or experience in cybersecurity or engage a consultant with appropriate expertise to assist with the development of its cybersecurity policy, and
  • have a risk management system which addressed cybersecurity or policies, frameworks, systems or controls which enabled the identification and evaluation of cybersecurity risks across its ARs.

ASIC is seeking a declaration and pecuniary penalty against Fortnum.
