ASIC sues Fortnum Private Wealth

ASIC is suing Fortnum Private Wealth for allegedly failing to manage and comply with its cybersecurity obligations that exposed the information of its financial advisers and clients.

In the NSW Supreme Court, ASIC alleges Fortnum exposed its authorised representatives (ARs) and clients to an "unacceptable level of risk of a cyber-attack or a cybersecurity incident".

Fortnum introduced a specific cybersecurity policy from April 2021. ASIC said that the policy was not an adequate response to manage cybersecurity risk.

Between 2021 and 2022, ASIC found RedThorn, one of Fortnum's practices, being subject to a cyber-attack where emails were sent purporting to be from one of RedThorn's advisers.

Another was Eureka being the target of a phishing attack which resulted in an unknown threat actor gaining access to at least one employee's email account and sending 1266 emails containing phishing links from that employee's account, while Wealthwise experienced a major data breach.

When Fortnum revised its policy in May 2023, ASIC found several of its ARs experienced cyber incidents, one of which was a cyber-attack that allegedly led to a major breach and saw the data of more than 9000 clients published on the dark web.

Fortnum Private Wealth chief executive Matt Brown said: "We strongly refute ASIC's allegations that FPW failed to meet its obligations with regard to appropriate cyber controls over the period 2021-2022 and will vigorously defend our position."

Brown said that ASIC's claim references one main cyber-incident and four smaller occurrences in 2021-2022.

"The main incident related to legacy data held by a FPW authorised advisory practice for record keeping purposes, from a prior licensee for about 9828 clients. It did not include records where FPW had delivered the advice."

Brown went on to say that regulatory reporting of the incident and any client remediation was completed in a timely manner.

"There was no client financial loss detected; however, we sincerely regret the concern that those clients may have experienced, at that time. The other four incidents related to email phishing attacks that occurred within individual financial advisory practices authorised by FPW, rather than FPW itself. These matters were identified quickly, investigated and confirmed not to have led to any client loss," he said.

Overall, ASIC alleges the advice firm did not meet its AFSL obligations as it failed to have adequate policies, frameworks, systems and controls in place to deal with cybersecurity risks.

It also claims that Fortnum had a statutory obligation under the Corporations Act as a financial licensee, and a contractual obligation arising under its agreement with its ARs to provide them a prescribed minimum amount of cybersecurity education or training but did not.

Brown added that: "Our view is that FPW has a strong cyber policy and data protection controls that were in place before these incidents. FPW continues to develop these controls in line with evolving industry standards and the growing threat posed to all by cyber criminals."

"FPW also believes it has upheld its obligations under its licence. FPW takes the protection of client information seriously and we continue to invest in cyber resilience and data protection measures. We understand that we all have a role to play in the financial services industry to deter cyber criminals.

"As the matter is now before the Courts, FPW is unable to make further comment at this time."

ASIC chair Joe Longo said: "Fortnum's alleged failure to adequately manage cybersecurity risks exposed the company, its representatives and their clients to an unacceptable level of risk of a cyber-attack."

"ASIC has been highlighting the cybersecurity responsibilities of companies. Australian financial services licensees, in particular, hold a range of sensitive and confidential information," he said.