ASIC Sues Fortnum Over Major Data Breach
Australia's corporate regulator has filed court proceedings against financial advice business Fortnum Private Wealth Limited, alleging the company failed to adequately manage cybersecurity risks that exposed thousands of clients to potential cyber attacks.
The Australian Securities and Investments Commission (ASIC) filed the case in the NSW Supreme Court, claiming Fortnum did not meet its obligations as an Australian financial services licensee by failing to establish adequate policies, frameworks, systems and controls to address cybersecurity threats.
The alleged failures resulted in Fortnum exposing the company, its authorised representatives and their clients to what ASIC described as "an unacceptable level of risk" from cyber attacks and cybersecurity incidents.
While Fortnum implemented a cybersecurity policy in April 2021, ASIC argues this was insufficient to properly manage cybersecurity risks. Before the company revised its policy in May 2023, several of its authorised representatives experienced cyber incidents, including one major attack that allegedly led to the personal data of more than 9,000 clients being published on the dark web.
"Fortnum's alleged failure to adequately manage cybersecurity risks exposed the company, its representatives and their clients to an unacceptable level of risk of a cyber-attack," said ASIC Chair Joe Longo.
"ASIC has been highlighting the cybersecurity responsibilities of companies. Australian financial services licensees, in particular, hold a range of sensitive and confidential information. That is why it is one of our enforcement priorities to act where we see licensees fail to have adequate protections."
The legal action comes as cybersecurity incidents continue to plague the financial services sector, with companies increasingly targeted by cybercriminals seeking to access valuable client data and financial information. Recent high-profile data breaches across various industries have highlighted the critical importance of robust cybersecurity frameworks.
ASIC alleges Fortnum specifically failed to require its authorised representatives to undertake minimum cybersecurity education or training, adequately supervise cybersecurity risk management frameworks, employ staff with cybersecurity expertise or engage appropriate consultants, and establish risk management systems to identify and evaluate cybersecurity risks across its operations.
The regulator is seeking a declaration and pecuniary penalty against Fortnum Private Wealth.