
ASIC sues Fortnum over alleged cyber failures

Mike Taylor

Managing Editor and Publisher

22 July 2025

The Australian Securities and Investments Commission (ASIC) has initiated legal action against Fortnum Private Wealth alleging it failed to properly manage and mitigate cyber security risks.

The regulator said it had filed proceedings in the NSW Supreme Court alleging Fortnum did not meet its obligations as an Australian financial services licensee because it failed to have adequate policies, frameworks, systems and control in place to deal with the cyber security risks.

“As a result, ASIC claims Fortnum exposed the company, its authorised representatives (ARs) and clients of its ARs to an unacceptable level of risk of a cyber-attack or a cybersecurity incident,” ASIC said.

“While Fortnum introduced a specific cybersecurity policy from April 2021, ASIC contends the policy was not an adequate response to manage cybersecurity risk.”

“Before Fortnum revised its policy in May 2023, several of its ARs experienced cyber incidents. One of these was a cyber attack that ASIC alleges led to a major breach and saw the data of more than 9,000 clients published on the dark web.”

ASIC Chair Joe Longo said, “Fortnum’s alleged failure to adequately manage cybersecurity risks exposed the company, its representatives and their clients to an unacceptable level of risk of a cyber-attack.”

“ASIC has been highlighting the cybersecurity responsibilities of companies. Australian financial services licensees, in particular, hold a range of sensitive and confidential information.

“That is why it is one of our enforcement priorities to act where we see licensees fail to have adequate protections,” Mr Longo said.

As part of the action, ASIC alleges Fortnum did not:

  • require that its ARs undertake a prescribed minimum amount of cybersecurity education or training,
  • adequately supervise or monitor the cybersecurity risk management framework of its ARs,
  • have any employees with specialised expertise or experience in cybersecurity or engage a consultant with appropriate expertise to assist with the development of its cybersecurity policy, and
  • have a risk management system which addressed cybersecurity or policies, frameworks, systems or controls which enabled the identification and evaluation of cybersecurity risks across its ARs.

ASIC is seeking a declaration and pecuniary penalty against Fortnum.

Fortnum acknowledged the ASIC action, with the company’s chief executive, Matt Brown, issuing the following statement:

“Fortnum Private Wealth (FPW) was notified yesterday by the Australian Securities and Investments Commission (ASIC) that it has commenced legal proceedings in relation to alleged breaches of FPW’s general financial services licensee obligations under the Corporations Act 2001 (Cth) relating to cyber-security risk management.

ASIC’s claim references one main cyber incident and four smaller occurrences in 2021 – 2022. The main incident related to legacy data held by an FPW authorised advisory practice for record keeping purposes, from a prior licensee, for about 9,828 clients. It did not include records where FPW had delivered the advice.

Regulatory reporting of the incident and any client remediation was completed in a timely manner. There was no client financial loss detected; however, we sincerely regret the concern that those clients may have experienced, at that time.

The other four incidents related to email phishing attacks that occurred within individual financial advisory practices authorised by FPW, rather than FPW itself. These matters were identified quickly, investigated and confirmed not to have led to any client loss.

Our view is that FPW has a strong cyber policy and data protection controls that were in place before these incidents. FPW continues to develop these controls in line with evolving industry standards and the growing threat posed to all by cyber criminals. FPW also believes it has upheld its obligations under its licence.

FPW takes the protection of client information seriously and we continue to invest in cyber resilience and data protection measures. We understand that we all have a role to play in the financial services industry to deter cyber criminals.

We strongly refute ASIC’s allegations that FPW failed to meet its obligations with regard to appropriate cyber controls over the period 2021 – 2022 and will vigorously defend our position.

As the matter is now before the Courts, FPW is unable to make further comment at this time.”
