Published on the 29/07/2025 | Written by Heather Wright

Sues Fortnum; cyber risk is a compliance issue…
Australian financial and corporate regulator ASIC has sued financial advice business Fortnum Private Wealth for allegedly failing to properly manage and mitigate cybersecurity risks, as it ups the pressure on financial services licensees around cybersecurity.
ASIC filed proceedings in the NSW Supreme Court alleging Fortnum did not meet its obligations as an Australian financial services licensee because it failed to have adequate policies, frameworks, systems and controls in place to deal with cybersecurity risks, exposing clients to an ‘unacceptable’ level of risk of a cyberattack or cybersecurity incident.
Joe Longo, ASIC chair, says Fortnum’s alleged failure to adequately manage cybersecurity risks exposed the company, its representatives and their clients to unacceptable risk.
The action is the third cybersecurity enforcement action by ASIC and the second this year, as the regulator sets its sights on weak cybersecurity – it has flagged targeting licensee cybersecurity failures as an enforcement priority for 2025.
“ASIC has been highlighting the cybersecurity responsibilities of companies,” Longo says.
Australian financial services licensees, in particular, hold a wealth of sensitive and confidential information.
In its statement to the court, ASIC says prior to 11 May 2023, Fortnum did not have any adequate policies in place – despite several of the company’s authorised representatives having experienced cyber incidents, five of which are outlined in the court documents.
Included in those incidents was a ‘major data breach’ of Wealthwise, one of Fortnum’s principal practices, which resulted in the exfiltration of over 200Gb of data relating to up to 9,828 clients, with data published on the dark web.
It was preceded by phishing attacks in which attackers compromised accounts at at least four other businesses, including one which resulted in 1,266 emails containing phishing links being sent from an employee account at Eureka, one of Fortnum’s principal practices.
Most of the incidents occurred after the introduction of an April 2021 cybersecurity policy. The court documents criticise that policy for measures which were not specific or stringent enough, and for not being followed through on: no steps were taken to ensure principal practices completed the self-assessment and attestation. A second policy was developed in 2022 because ‘it was thought that the minimum requirements under the April 2021 Policy were not stringent enough’, but it was not introduced until May 2023.
“Fortnum did not implement any measures in light of those [cybersecurity] incidents in respect of its cybersecurity policies, frameworks, systems and controls.”
ASIC also alleges Fortnum did not require its authorised representatives to take a prescribed minimum amount of cybersecurity training and that it didn’t itself have any employees with specialised expertise or experience in cybersecurity, or engage a consultant with the appropriate expertise, to assist in the development of the cybersecurity policy.
ASIC is also alleging that Fortnum did not have a risk management system which addressed cybersecurity, or policies, frameworks, systems or controls which enabled the identification and evaluation of cybersecurity risks across the authorised representatives, and that it did not adequately supervise or monitor the cybersecurity risk management frameworks of the authorised representatives.
Fortnum has said publicly that it refutes the allegations and will ‘vigorously defend’ its position.
“ASIC’s claim references one main cyber incident and four smaller occurrences in 2021-2022,” Fortnum chief executive Matt Brown says in a statement.
“The main incident related to legacy data held by a FPW authorised advisory practice for record keeping purposes, from a prior licensee for about 9,828 clients. It did not include records where FPW had delivered the advice.”
Brown goes on to say regulatory reporting of the incident and any client remediation was completed in a timely manner.
“There was no client financial loss detected; however, we sincerely regret the concern that those clients may have experienced, at that time.”
He says the other four incidents related to email phishing attacks within individual financial advisory practices authorised by Fortnum, rather than Fortnum itself, with the matters ‘identified quickly, investigated and confirmed not to have led to any client loss’.
“Our view is that FPW has a strong cyber policy and data protection controls that were in place before these incidents,” Brown says, adding that Fortnum continues to develop the controls in line with evolving industry standards and the growing threat posed by cyber criminals.
In March, ASIC took action against FIIG Securities for alleged ‘systemic and prolonged cybersecurity failures’ which enabled the theft of around 385Gb of confidential data. That theft saw 18,000 clients notified that their personal information may have been compromised.
In May 2022, the Federal Court found RI Advice, which was a wholly owned subsidiary of ANZ until October 2018, had breached license obligations through its failure to have adequate risk management systems to manage cybersecurity risks. ASIC had taken action against the company after a ‘significant’ number of cyber incidents at authorised representatives between June 2014 and May 2020.
RI Advice was ordered to pay $750,000.
ASIC has cyber security guidance available on its website, including advice for boards about what to ask about their organisation’s cyber resilience, and says Australia has a broad regulatory framework which places obligations on businesses, and the people that run them, to properly manage cyber risk.