ASIC takes Fortnum Private Wealth to Court
The Australian Securities and Investments Commission (ASIC) is suing financial advice business Fortnum Private Wealth Limited, alleging it failed to properly manage and mitigate cybersecurity risks.
In proceedings filed in the NSW Supreme Court, ASIC alleges Fortnum did not meet its obligations as an Australian financial services (AFS) licensee because it failed to have adequate policies, frameworks, systems and controls in place to deal with cybersecurity risks.
As a result, ASIC claims Fortnum exposed the company, its authorised representatives (ARs) and clients of its ARs to an unacceptable level of risk of a cyber-attack or a cybersecurity incident.
While Fortnum introduced a specific cybersecurity policy from April 2021, ASIC contends the policy was not an adequate response to manage cybersecurity risk.
Before Fortnum revised its policy in May 2023, several of its ARs experienced cyber incidents. One of these was a cyber-attack that ASIC alleges led to a major breach and saw the data of more than 9,000 clients published on the dark web.
As part of the action, ASIC alleges Fortnum did not:
- require that its ARs undertake a prescribed minimum amount of cybersecurity education or training,
- adequately supervise or monitor the cybersecurity risk management framework of its ARs,
- have any employees with specialised expertise or experience in cybersecurity or engage a consultant with appropriate expertise to assist with the development of its cybersecurity policy, and
- have a risk management system which addressed cybersecurity or policies, frameworks, systems or controls which enabled the identification and evaluation of cybersecurity risks across its ARs.
The regulator is seeking a declaration and pecuniary penalty against Fortnum.