Australia’s financial services regulator is suing Fortnum Private Wealth, alleging the financial advice firm exposed clients to “an unacceptable level” of cybersecurity risk over several incidents, including a data breach which allegedly saw customer information end up on the dark web.
The Australian Securities and Investments Commission (ASIC) filed legal proceedings against Fortnum in the New South Wales Supreme Court on Monday.
In a statement to the court, ASIC said Fortnum’s authorised representatives — which provided financial advice on its behalf — had experienced at least five cybersecurity incidents prior to 11 May, 2023.
The most significant was a “major data breach” of one of Fortnum’s principal practices, Wealthwise, in September 2022 which “resulted in the exfiltration and publication of over 200 gigabytes of data relating to up to 9,828 clients”, according to ASIC.
That incident followed a series of phishing email attacks in which accounts belonging to at least four other principal practices were allegedly hacked by cybercriminals.
While ASIC said most of the incidents occurred after Fortnum introduced a specific cybersecurity policy in April 2021, the regulator argued that policy “was not an adequate response to manage cybersecurity risk”.
It also alleged Fortnum “did not implement any measures in light of those incidents in respect of its cybersecurity policies, frameworks, systems and controls”, but said the company revised the policy in May 2023.
Fortnum “did not meet its obligations as an Australian financial services licensee because it failed to have adequate policies, frameworks, systems and controls in place to deal with cybersecurity risks”, ASIC alleged.
“It was incumbent on Fortnum as licensee to ensure that it supervised its authorised representatives’ conduct”, said the regulator, which accused the company of not doing so when it came to cybersecurity practices.
ASIC has sought a declaration and a pecuniary penalty against Fortnum Private Wealth.
Fortnum ‘strongly refute’ ASIC allegations
Fortnum Private Wealth’s chief executive officer, Matt Brown, confirmed in a statement to Information Age that the company had been notified of ASIC’s legal proceedings, but distanced the firm from the cyber incidents raised by the regulator and said the company would “vigorously defend” its position.
The 2022 data breach related to “legacy data held by a Fortnum Private Wealth authorised advisory practice for record keeping purposes”, Brown said, which “did not include records where Fortnum Private Wealth had delivered the advice”.
“Regulatory reporting of the incident and any client remediation was completed in a timely manner,” he said.
“There was no client financial loss detected; however, we sincerely regret the concern that those clients may have experienced, at that time.”
The other four incidents involving email phishing attacks also involved authorised advisory practices, Brown said, and were “identified quickly, investigated and confirmed not to have led to any client loss”.
“Our view is that Fortnum Private Wealth has a strong cyber policy and data protection controls that were in place before these incidents,” he said.
“… We strongly refute ASIC’s allegations that Fortnum Private Wealth failed to meet its obligations with regard to appropriate cyber controls over the period 2021 – 2022 and will vigorously defend our position.”
Employee training, risk management called into question
Among ASIC’s allegations against Fortnum was that the company did not require its authorised representatives to “undertake a prescribed minimum amount of cybersecurity education or training”.
The firm did not have any employees with “specialised expertise or experience in cybersecurity” and did not engage a consultant with the right knowledge when it developed its cybersecurity policy, ASIC alleged.
Fortnum also did not have a risk management system which accounted for cybersecurity concerns, and did not adequately “supervise or monitor the cybersecurity risk management framework” of its authorised representatives, the regulator said.
ASIC chair Joe Longo said the organisation would continue to hold companies to account over their cybersecurity responsibilities.
“Australian financial services licensees, in particular, hold a range of sensitive and confidential information,” he said.
“That is why it is one of our enforcement priorities to act where we see licensees fail to have adequate protections.”
ASIC’s case against Fortnum Private Wealth is set to be heard at the Supreme Court in Sydney on 4 August.
Fortnum Private Wealth formed a new parent company with Professional Financial Services in 2024, called Entireti.