
ASIC sues Fortnum over cybersecurity

The corporate watchdog has taken legal action against an Australian financial services licence holder over alleged cybersecurity breaches.

The Australian Securities and Investments Commission (ASIC) is suing Fortnum Private Wealth (FPW) Limited for allegedly failing to properly manage and mitigate cybersecurity risks in what could be one of the first actions of this nature.

“Fortnum’s alleged failure to adequately manage cybersecurity risks exposed the company, its representatives and their clients to an unacceptable level of risk of a cyberattack,” ASIC chair Joe Longo noted.

FPW introduced a specific cybersecurity policy from April 2021, but the corporate regulator contends the policy was not an adequate response to manage cybersecurity risk and that FPW did not have adequate policies, frameworks, systems and controls in place to deal with those risks.

In particular, ASIC alleged FPW did not ensure its authorised representatives undertook a minimum level of cybersecurity training, did not adequately monitor or supervise the cybersecurity risk management framework of its authorised representatives, did not involve individuals with the requisite expertise to assist with the development of its cybersecurity policy, and did not have an adequate system to properly evaluate the cybersecurity practices of its authorised representatives.

“ASIC has been highlighting the cybersecurity responsibilities of companies. Australian financial services licensees, in particular, hold a range of sensitive and confidential information,” Longo said.

Prior to a revision of its policy in May 2023, the regulator said several of Fortnum’s authorised representatives experienced cyber-incidents. One of these was a cyberattack that ASIC alleged led to a major breach and saw the data of more than 9000 clients published on the dark web.

“That is why it is one of our enforcement priorities to act where we see licensees fail to have adequate protections,” Longo explained.

Some of ASIC’s allegations centre on Fortnum’s alleged failure to train its authorised representatives around cybersecurity risk or monitor its authorised representatives’ cybersecurity risk management framework.

FPW strongly refuted the regulator’s allegations and detailed the nature of the main incident in question and the action it has taken in relation to it.

“ASIC’s claim references one main cyber-incident and four smaller occurrences in 2021-2022. The main incident related to legacy data held by an FPW authorised advisory practice for record-keeping purposes from a prior licensee for about 9828 clients. It did not include records where FPW had delivered the advice,” FPW chief executive Matt Brown said.

“Regulatory reporting of the incident and any client remediation was completed in a timely manner. There was no client financial loss detected; however, we sincerely regret the concern that those clients may have experienced at that time.

“FPW takes the protection of client information seriously and we continue to invest in cyber-resilience and data protection measures. We understand that we all have a role to play in the financial services industry to deter cybercriminals.”

Copyright © SMS Magazine 2025
