
Fortnum lawsuit highlights cyber security as ‘core compliance obligation’

The corporate regulator’s action against Fortnum should be a “clear message” to AFSLs that cyber risk is far more than an IT issue, according to a law firm.

Cyber security and the risks that go along with it are an increasing threat across every industry, but the financial services sector presents an enticing target for bad actors.

Narrowing the focus further to financial advice puts a bull’s-eye on firms: advisers hold access to client financial details, and a significant proportion of the sector is made up of smaller businesses that are potentially less equipped to deal with cyber attacks.

According to law firm Hall & Wilcox, the Australian Securities and Investments Commission’s (ASIC) latest action against Fortnum Private Wealth should serve as a “clear message to Australian Financial Services Licence (AFSL) holders that cyber risk is not just an IT issue, but a core compliance obligation”.

Last month, ASIC filed proceedings in the NSW Supreme Court that claim Fortnum Private Wealth failed to meet its obligations as an AFS licensee due to inadequate policies, frameworks, systems and controls in place to deal with cyber security risks.

According to ASIC chair Joe Longo, the alleged failure “to adequately manage cyber security risks exposed the company, its representatives and their clients to an unacceptable level of risk of a cyber attack”.

The action relates to a number of cyber breaches dating back to 2021 and 2022, one of which ASIC referred to as a “major breach” that led to more than 9,000 clients’ data being published on the dark web.


“This is ASIC’s second cyber-related enforcement proceeding in 2025, and the third of its kind overall. This reflects a growing pattern of enforcement, underscoring ASIC’s expectation that licensees must proactively manage cyber threats or face serious legal consequences,” Hall & Wilcox said.

The firm added that the allegations ASIC has put forward largely focus on Fortnum failing to adequately manage cyber security risks by:

  • Failing to implement adequate cyber security policies or frameworks to manage and mitigate cyber security risks for it and its ARs.
  • Not requiring its ARs to undertake a prescribed minimum amount of cyber security training.
  • Lacking oversight and monitoring systems for ARs’ cyber security practices.
  • Not having adequate human resources or engaging qualified cyber security consultants to provide financial services.
  • Operating without a risk management system that addressed cyber security concerns.

“As part of their operations, the ARs handled personal information, including identification documents, tax file numbers and financial information,” Hall & Wilcox said.

“ASIC refers to Fortnum’s duties as a licensee to identify and understand the cyber security risks that it and its ARs faced and its requirement to have controls in place to appropriately manage those risks.

“Most of the cyber security incidents affecting Fortnum’s ARs allegedly occurred after the introduction of Fortnum’s cyber security policy. ASIC claims that Fortnum failed to implement measures to strengthen its cyber security policies, frameworks, systems and controls despite these incidents occurring.”

The other AFS licensee that ASIC has gone after this year is fixed income securities dealer FIIG Securities, which suffered a single prolonged breach involving 385 GB of client data theft that affected 18,000 clients.

While the nature of the attack and the areas of alleged failures were different to the Fortnum incidents, both resulted in the threat actor publishing the stolen data on the dark web.

In March, Longo noted that the lawsuit against FIIG aligned with ASIC’s strategic priority to advance “digital safety and resilience”.

“This matter should serve as a wake-up call to all companies on the dangers of neglecting your cyber security systems,” the chair said at the time.

“Cyber security isn’t a set and forget matter. All companies need to proactively and regularly check the adequacy of their cyber security measures and follow the advice of the ASD’s ACSC.”

Hall & Wilcox added that ASIC’s “enforcement trajectory” provides a number of lessons for all AFSL holders and “reaffirms that cyber risk management is a non-negotiable part of AFSL compliance”.

Alongside the legal and compliance obligations, the law firm added that licensees need to ensure their resourcing matches the risk.

“This includes engaging cyber security personnel to assess, implement and maintain a cyber framework. Generic or outdated policies without specialist input will not meet ASIC’s standards,” it said.

Licensees are also responsible not only for their own systems, Hall & Wilcox said, but also for the “cyber security posture of their ARs and must mandate ongoing cyber security training and education for staff and ARs”.

“Such training should evolve as novel cyber security threats emerge to avoid becoming outdated.”