On 21 July 2025, the Australian Securities and Investments Commission (ASIC) filed proceedings in the Supreme Court of New South Wales alleging that between 20 April 2021 and 11 May 2023, Fortnum Private Wealth Limited (Fortnum) was not meeting its obligations as an Australian financial services licensee (AFS Licensee) because it had failed to have adequate policies, frameworks, systems and controls in place to deal with cyber security risks.
Fortnum introduced a specific cyber security policy from April 2021, although ASIC contends that this policy was not an adequate response to manage cyber security risk. Before the policy was revised in May 2023, several of Fortnum’s authorised representatives (ARs) experienced cyber incidents, including a cyber-attack that saw the data of more than 9,000 clients published on the dark web.
Among other things, ASIC alleges that Fortnum did not require its ARs to undertake a prescribed minimum amount of cyber security education or training and did not, or did not adequately, supervise or monitor its ARs’ cyber security risk management framework.
ASIC is seeking a declaration and pecuniary penalty against Fortnum.
The proceeding is listed for directions on 4 August 2025.
This action is consistent with ASIC’s push for AFS Licensees to take appropriate steps to ensure they have adequate cyber risk management systems in place. In March 2025, ASIC brought an action against FIIG Securities Limited (FIIG) in which it alleged that FIIG failed to have adequate cyber security measures for more than four years, which enabled the theft of approximately 385GB of confidential data, with some 18,000 clients notified that their personal information may have been compromised.
ASIC has published ‘Cyber Resilience’ guidance on its website with helpful resources addressing matters such as ‘key questions for boards to ask about their firm’s cyber resilience’ and ‘good practice guidance to assist organisations operate adaptive and responsible cyber resilience processes’.