ASIC has filed proceedings in the NSW Supreme Court that claim Fortnum Private Wealth failed to meet its obligations as an Australian financial services licensee due to inadequate policies, frameworks, systems and controls in place to deal with cyber security risks.
According to ASIC chair Joe Longo, the alleged failure “to adequately manage cyber security risks exposed the company, its representatives and their clients to an unacceptable level of risk of a cyber attack”.
The action relates to a number of cyber breaches dating back to 2021 and 2022, one of which ASIC referred to as a “major breach” that led to more than 9,000 clients’ data being published on the dark web.
While ASIC acknowledged that Fortnum had introduced a specific cyber security policy from April 2021, the regulator said it “was not an adequate response to manage cybersecurity risk”.
Fortnum, a subsidiary of Entireti, revised its policy in May 2023 following the prior incidents.
“ASIC has been highlighting the cybersecurity responsibilities of companies. Australian financial services licensees, in particular, hold a range of sensitive and confidential information,” Longo said.
“That is why it is one of our enforcement priorities to act where we see licensees fail to have adequate protections.”
Fortnum chief executive Matt Brown, however, said the firm “strongly refutes” the allegations and will “vigorously defend our position”.
“Fortnum Private Wealth (FPW) was notified yesterday by the ASIC that it has commenced legal proceedings in relation to alleged breaches of FPW’s general financial services licensee obligations under the Corporations Act 2001 (Cth) relating to cyber-security risk management,” Brown said.
“ASIC’s claim references one main cyber incident and four smaller occurrences in 2021 – 2022. The main incident related to legacy data held by a FPW authorised advisory practice for record keeping purposes, from a prior licensee for about 9,828 clients. It did not include records where FPW had delivered the advice.
“Regulatory reporting of the incident and any client remediation was completed in a timely manner. There was no client financial loss detected; however, we sincerely regret the concern that those clients may have experienced, at that time.”
According to the chief executive, the other matters were related to email phishing attacks against individual advice firms that Fortnum authorised, again noting investigations confirmed there were no client losses.
“Our view is that FPW has a strong cyber policy and data protection controls that were in place before these incidents. FPW continues to develop these controls in line with evolving industry standards and the growing threat posed to all by cyber criminals. FPW also believes it has upheld its obligations under its licence,” Brown added.
“FPW takes the protection of client information seriously and we continue to invest in cyber resilience and data protection measures. We understand that we all have a role to play in the financial services industry to deter cyber criminals.”
ASIC’s allegations against Fortnum include that the firm did not:
- Require that its authorised representatives (ARs) undertake a prescribed minimum amount of cyber security education or training.
- Adequately supervise or monitor the cyber security risk management framework of its ARs.
- Have any employees with specialised expertise or experience in cyber security, or engage a consultant with appropriate expertise to assist with the development of its cyber security policy.
- Have a risk management system which addressed cyber security or policies, frameworks, systems or controls which enabled the identification and evaluation of cyber security risks across its ARs.
The regulator said it is seeking a declaration and pecuniary penalty against Fortnum.

Could ASIC be any more inconsistent? Are they after change and action from AFSLs, or are they just chasing after entities that can pay fines? Has our regulator lost its way?
Senate Committee fodder aplenty – let’s see some consistency and accountability.
Do trust there will be action against industry super funds who had member data stolen and accounts gutted.
Australia feels like a very two-tiered system.
What about the bigger, more recent industry fund breaches? Those are AFSLs too. Disgusting double standards.
You get hacked, basically some criminals come and rob you. And ASIC and the rest of the government is too hopeless to catch the criminals, so they instead sue the person who got robbed.
Go ASIC!
Get robbed twice
Missing the point, I think. A business takes on the responsibility of collecting valuable information with the promise that they are looking after it. ASIC are pointing out that when you make that promise to your clients by collecting their data, you need to actually be protecting it, and many firms are not. ASIC are making a case for everyone to pay more attention and do the right thing. Cybersecurity is expensive, time consuming and difficult for the average c-suite team to understand, so many firms are cutting corners. When a cyber breach occurs, you get to see whether they were doing the right thing. It’s like swimming in the ocean – it’s only when the tide goes out that you get to see who was swimming naked.
In other news, massive data breaches have occurred at HESTA and other industry funds, with clients actually losing money, yet there have been no fines, no lawsuits, and no real accountability. In HESTA’s case, members had no access to their accounts for eight weeks: no withdrawals, no switching, nothing. Yet advisers continue to be hounded, even when they self-report and there’s no client loss. You honestly couldn’t make this up.
ASIC how about focusing your efforts on the real issues like the countless property scams ripping off everyday Australians?
ASIC is supposed to be regulating managed investment schemes, yet time and time again we see failures, and instead of holding product issuers, the directors, accountants and lawyers accountable, they simply shift all the blame onto advisers. Even when the investment didn’t deliver what was promised, it’s the adviser who’s left to carry the can.