ASIC sues Fortnum over alleged cyber failures

Mike Taylor, 22 July 2025

The Australian Securities and Investments Commission (ASIC) has initiated legal action against Fortnum Private Wealth alleging it failed to properly manage and mitigate cyber security risks.

The regulator said it had filed proceedings in the NSW Supreme Court alleging Fortnum did not meet its obligations as an Australian financial services licensee because it failed to have adequate policies, frameworks, systems and control in place to deal with the cyber security risks.

“As a result, ASIC claims Fortnum exposed the company, its authorised representatives (ARs) and clients of its ARs to an unacceptable level of risk of a cyber-attack or a cybersecurity incident,” ASIC said.

“While Fortnum introduced a specific cybersecurity policy from April 2021, ASIC contends the policy was not an adequate response to manage cybersecurity risk.”

“Before Fortnum revised its policy in May 2023, several of its ARs experienced cyber incidents. One of these was a cyber attack that ASIC alleges led to a major breach and saw the data of more than 9,000 clients published on the dark web.”

ASIC Chair Joe Longo said, “Fortnum’s alleged failure to adequately manage cybersecurity risks exposed the company, its representatives and their clients to an unacceptable level of risk of a cyber-attack.”

“ASIC has been highlighting the cybersecurity responsibilities of companies. Australian financial services licensees, in particular, hold a range of sensitive and confidential information.

“That is why it is one of our enforcement priorities to act where we see licensees fail to have adequate protections,” Mr Longo said.

As part of the action, ASIC alleges Fortnum did not:

  • require that its ARs undertake a prescribed minimum amount of cybersecurity education or training,
  • adequately supervise or monitor the cybersecurity risk management framework of its ARs,
  • have any employees with specialised expertise or experience in cybersecurity or engage a consultant with appropriate expertise to assist with the development of its cybersecurity policy, and
  • have a risk management system which addressed cybersecurity or policies, frameworks, systems or controls which enabled the identification and evaluation of cybersecurity risks across its ARs.

ASIC is seeking a declaration and pecuniary penalty against Fortnum.

Fortnum acknowledged the ASIC action, with the company’s chief executive, Matt Brown, issuing the following statement:

“Fortnum Private Wealth (FPW) was notified yesterday by the Australian Securities and Investments Commission (ASIC) that it has commenced legal proceedings in relation to alleged breaches of FPW’s general financial services licensee obligations under the Corporations Act 2001 (Cth) relating to cyber-security risk management.

ASIC’s claim references one main cyber incident and four smaller occurrences in 2021 – 2022. The main incident related to legacy data held by a FPW authorised advisory practice for record keeping purposes, from a prior licensee for about 9,828 clients. It did not include records where FPW had delivered the advice.

Regulatory reporting of the incident and any client remediation was completed in a timely manner. There was no client financial loss detected; however, we sincerely regret the concern that those clients may have experienced, at that time.

The other four incidents related to email phishing attacks that occurred within individual financial advisory practices authorised by FPW, rather than FPW itself. These matters were identified quickly, investigated and confirmed not to have led to any client loss.

Our view is that FPW has a strong cyber policy and data protection controls that were in place before these incidents. FPW continues to develop these controls in line with evolving industry standards and the growing threat posed to all by cyber criminals. FPW also believes it has upheld its obligations under its licence.

FPW takes the protection of client information seriously and we continue to invest in cyber resilience and data protection measures. We understand that we all have a role to play in the financial services industry to deter cyber criminals.

We strongly refute ASIC’s allegations that FPW failed to meet its obligations with regard to appropriate cyber controls over the period 2021 – 2022 and will vigorously defend our position.

As the matter is now before the Courts, FPW is unable to make further comment at this time.”

Mike Taylor

Managing Editor/Publisher, Financial Newswire

Wildcat
1 month ago

So government data bases get hacked and there’s no court action and no one is responsible but the private sector has to pay?

Anon
1 month ago

Fortnum is one of the biggest vertically integrated licensees for hire. It is an advice model that should not exist. This action by ASIC is a bit like going after Al Capone for tax avoidance.

Phil
1 month ago
Reply to  Anon

You got any evidence to back this up?

Wildcat
1 month ago
Reply to  Anon

Vertically integrated what? Only the likes of Dixon/Storm etc and other large product failures have these issues. Most licensees these days do not have their own product.

Johnson
1 month ago
Reply to  Wildcat

Almost all licensees have managed accounts they get a clip of the ticket on. Biggest rort these days.

Wildcat
1 month ago
Reply to  Johnson

So you think running and supervising managed accounts doesn’t cost anything? As you can see the regulator holds you accountable which is fair and reasonable as long as they don’t display double standards as they have in this case. As XTA says, still waiting for the court prosecutions of ASIC’s data breach.

Further, you think a business shouldn’t be able to charge for services? Karl Marx must be your hero. Either that or you too are suffering from the same hypocrisy that is afflicting ASIC.

Anon
1 month ago
Reply to  Wildcat

Product companies have every right to recoup their costs and make a profit. There is absolutely nothing wrong with SMAs run by standalone product companies.

But when SMA providers use licensing or ownership to coerce advisers into recommending their SMA, that is conflicted vertical integration. It is an abuse of the financial adviser’s role as a fiduciary. It’s what most large licensees and “equity partners” are now doing, since the banks and AMP fled the advice scene.

Hiding
1 month ago
Reply to  Anon

100% well said. It’s increasingly common. The brainwashing by the licensee to use a “poor performing SMA/MDA”, especially in larger licensees.

Phil
1 month ago
Reply to  Johnson

Are you sure?

Even if what you were saying were true, what does that tell you about a single product offering APL with advice?

That a rort as well?

Has to be.

Anon
1 month ago
Reply to  Wildcat

The only difference “these days” is that vertical integration is better hidden through SMAs and associated investment management companies. Looks like they may have deceived you Wildcat, but regulators are well aware of it.

Wildcat
1 month ago
Reply to  Anon

Nope. I run my own.

Anon
1 month ago
Reply to  Wildcat

Fair enough if it’s just a mechanism to implement your own advice for your own clients. But as soon as you take on ARs and expect them to use it as well, while you collect a FUM based fee from their clients, that’s conflicted vertical integration.

Wildcat
1 month ago
Reply to  Anon

Nope, assertions incorrect again, no FUM based fees on Managed Account. In fact no change in client charges from us or any related entity.

Phil
1 month ago
Reply to  Anon

So if I internally manage an SMA, you’re saying that if I charge a FUM based fee for the advice that this is conflicted vertical integration?

I would say you are incorrect, as almost all SMAs are a mixture of at arm’s length managed funds, ETFs and direct equities.

Where is the conflict if that is the case?

I’d suggest that before you run around talking about conflicted vertical integration on SMAs you might want to take a look at single product APL, trustee delivered ‘advice’ and explain how that isn’t conflicted first.

Alan
1 month ago
Reply to  Phil

If you take a fee recommending one but not for another, that is inherently a conflict. Not that hard to understand.

Phil
1 month ago
Reply to  Alan

You’ve lost me Phil, I really don’t know what you are talking about here.

Anon
1 month ago
Reply to  Phil

No problem if you as an adviser manage the SMA, and fully disclose the SMA fee to your clients as an additional cost on top of your advice fee, and recommend it to your clients because it’s in their best interests in spite of the additional fee layer. Similarly if the SMA is managed by an unrelated third party.

It becomes conflicted vertical integration when a licensee or related entity manages the SMA, and coerces the ARs or equity partners under their control to recommend it to their clients, and pockets the FUM based fee from the SMA. (And sometimes additional fees from managed funds under their control that have been included in the SMA).

This is the Fortnum/Entireti model, and the model now used by most other large licensees and equity partners that have filled the void left by old school vertical integrators like AMP and MLC. It is legally grey, but ethically black. That’s why ASIC is going hard at them for the slightest slip up in any other area (eg cybersecurity).

Phil
1 month ago
Reply to  Anon

I’m within the Entireti model and have no such pressure whatsoever.

OhYeah
1 month ago
Reply to  Anon

You’re talking about Hesta and Australian Super, right?

Phil
1 month ago

Was action taken against the industry super funds that had data breaches and had member money stolen?

If not, why not?

This is smelling a bit two-tiered…

Dangermouse
1 month ago
Reply to  Phil

Did the industry funds have adequate controls and policies in place is the question. I am sure ASIC are working through that now but expect the determination many years from now… given how long it has taken them to file action against FPW.

Phil
1 month ago
Reply to  Dangermouse

As you can read, a lot of the people who post in this chat are deeply skeptical of ASIC.

It’s not unreasonable, in my opinion, to think that some Licensees and Trustees get an easier ride than others.

Phil
1 month ago
Reply to  Dangermouse

Also Dangermouse, if it has taken this many years to get here, what does that tell you about the regulator’s ability to act in a timely fashion?

fed up
1 month ago

Has ASIC started legal action against all the industry super funds yet?

XTA
1 month ago

Has ASIC started legal action on themselves for when they were hacked a few years ago?

Gaz
1 month ago

Keen to see more details of this case – it seems absurd that ASIC is chasing a small fry over data security given all the high-profile data failures – Optus, Medibank, Latitude

Optus has paid $1.5m in fines so far; Medibank zero fine, only has to hold more capital. Only Latitude has faced real consequences – and mostly because it lost 14m customers’ details, with most having government issued IDs lost as well.

Then there are the times government gets hacked, like Services NSW in 2020 – as you can imagine, the government just does a quiet review here and considers what they should do differently with no punishment received by any parties.

Hiding
1 month ago

Over 600,000 Australians lose money to scammers each year and ASIC are going hard on this.

The reputational risk and loss of earnings on the four advice businesses would be devastating alone.

Last week ASIC charged an Adviser $31,500 because they missed a box tick when authorising, licensing and registering an Adviser. This week they’re taking an AFSL to court. And in 2025 they do nothing against Super funds for the poor admin systems, years to pay death benefits, not paying TPD claims… disgusting ASIC.

Phil
1 month ago
Reply to  Hiding

The $31,500 fine was ridiculous and very telling of ASIC’s stance on financial advisers.

Flat track bullies, happy to smash a small practice around in the name of compliance, meanwhile…

Institution is a basket case.