ASIC sues financial services firm Fortnum, alleging inadequate cybersecurity measures


ASIC is suing financial advice business Fortnum Private Wealth (Fortnum), alleging that it failed to “properly manage and mitigate” cybersecurity risks.

In proceedings filed in the NSW Supreme Court, ASIC alleged several of Fortnum’s authorised representatives (ARs) experienced cyber incidents, including an attack that ASIC alleged led to the data of more than 9,000 clients being published on the dark web.

Fortnum’s ARs included firms that operated financial advice businesses, and individual advisers, which provided financial product advice, including personal advice to retail clients on Fortnum’s behalf.

The ARs received, stored and accessed confidential and sensitive personal information and documents in relation to retail clients, including copies of identification documents, tax file numbers, and financial information such as bank account and credit card details, according to ASIC.

ASIC claimed Fortnum exposed the company, its ARs and clients of its ARs to an unacceptable level of risk of a cyber-attack or a cybersecurity incident. 

The business watchdog alleged that Fortnum did not meet its obligations as an Australian financial services licensee because it failed to have adequate policies, frameworks, systems and controls in place to deal with cybersecurity risks. 

According to ASIC, Fortnum introduced a “specific cybersecurity policy from April 2021”, which the watchdog contended was “not an adequate response to manage cybersecurity risk.”

Before Fortnum revised its policy in May 2023, several of its ARs experienced cyber incidents, according to ASIC.

Those incidents allegedly included email addresses being compromised or “hacked”, and a phishing attack which resulted in emails containing phishing links being sent from the compromised email account.

ASIC alleged Fortnum did not require that its ARs undertake a prescribed minimum amount of cybersecurity education or training, or adequately supervise or monitor the cybersecurity risk management framework of its ARs.

It also alleged Fortnum did not have any employees with “specialised expertise or experience in cybersecurity or engage a consultant with appropriate expertise to assist with the development of its cybersecurity policy”. 

ASIC also alleged Fortnum did not have a risk management system which addressed cybersecurity or policies, frameworks, systems or controls which enabled the identification and evaluation of cybersecurity risks across its ARs. 

It also alleged that Fortnum failed to have available “adequate resources (specifically human resources)” to provide the financial services covered by its Australian financial services licence.

The corporate watchdog is seeking a declaration by the court against Fortnum, as well as monetary penalties, due to the company allegedly breaching its obligations as a financial services licensee and allegedly contravening parts of the Corporations Act.

The case will be heard at Supreme Court Sydney on 4 August 2025 at 10am.

techpartner.news has contacted Fortnum for comment.

Earlier this year, ASIC sued investment firm FIIG, alleging it failed to have adequate cybersecurity measures for more than four years.

Copyright © nextmedia Pty Ltd. All rights reserved.