The Australian Securities & Investments Commission (ASIC) has commenced proceedings in the New South Wales Supreme Court against Fortnum Private Wealth Limited, alleging the financial advice firm failed to adequately manage and mitigate cybersecurity risks as an Australian financial services (AFS) licensee. ASIC alleges Fortnum did not have adequate policies, frameworks, systems and controls to deal with cybersecurity risks, exposing Fortnum, its authorised representatives (ARs) and the clients of its ARs to an unacceptable level of risk of cyber-attack or cybersecurity incident.

ASIC contends that a cybersecurity policy introduced from April 2021 was not an adequate response, and that before Fortnum revised its policy in May 2023, several ARs experienced cyber incidents, including an alleged cyber-attack that led to a major breach and the publication of data of more than 9,000 clients on the dark web.

The claim alleges Fortnum did not require ARs to complete a prescribed minimum amount of cybersecurity education or training, did not adequately supervise or monitor ARs’ cybersecurity risk management frameworks, lacked specialised cybersecurity expertise internally or through an appropriately qualified consultant to develop its policy, and did not have a risk management system that addressed cybersecurity across ARs in a way that enabled identification and evaluation of cybersecurity risks. ASIC is seeking declarations and a pecuniary penalty against Fortnum.