ASIC has commenced proceedings against Fortnum Private Wealth Limited (Fortnum) in the Supreme Court of NSW alleging Fortnum contravened s912A of the Corporations Act for failing to have adequate resources to ensure cybersecurity arrangements were adequate.
It is the third action of its kind by ASIC, and the second in 2025, following the enforcement action taken against FIIG Securities in March.
ASIC has sought a pecuniary penalty and declarations of contravention against Fortnum. The underlying facts are not dissimilar to those that arose in the lead-up to ASIC's proceedings against the AFSL holder RI Advice, which was the subject of near-identical proceedings brought by ASIC in 2021.
The facts
Fortnum had a number of authorised representatives (ARs), which included firms who operated financial advice businesses (Principal Practices) as well as individual advisers. In the course of its business it received and stored confidential and sensitive personal information and documents in relation to retail clients, including (among other things) copies of identification documents, tax file numbers, and financial information such as bank account numbers and credit card details.
In April 2021 Fortnum issued a policy to its ARs entitled “Cyber Security Policy Version 1.0” (April 2021 Policy). The April 2021 Policy was the first policy implemented by Fortnum that was specifically directed at cybersecurity. In summary, the policy required the Principal Practices to:
- Complete an online self-assessment tool to assess their cyber security adequacy;
- Engage with either Fortnum or another IT consultant regarding those questions in the self-assessment to which the Principal Practice had responded “no” or “unsure”; and
- Complete a form confirming the cybersecurity measures that had been implemented.
Only 44 per cent of the Principal Practices completed the self-assessment and only 11 per cent of ARs completed the final form.
Cyber incidents
Between 2021 and 2023, five separate cyber incidents occurred affecting various practices within the Fortnum AR network. One such incident led to the exfiltration and publication of over 200 GB of data relating to up to 9,828 clients.
ASIC’s allegations
ASIC alleges Fortnum breached its statutory obligations under s912A of the Act because it failed to:
- Implement any adequate cybersecurity policy to manage and mitigate cybersecurity risks for it and its ARs.
- Ensure that its ARs were adequately trained.
- Provide any adequate education or training to its ARs on cybersecurity.
- Implement frameworks for the oversight and monitoring of its ARs in terms of cybersecurity risk and cyber resilience.
ASIC’s originating statement and concise statement can be found here.
Cyber risk transfer & compliance
ASIC’s action against Fortnum comes as little surprise after its announcement that its 2025 enforcement priorities include targeting licensee failures in respect of adequate cybersecurity protections.
Licensees must treat cybersecurity risk as a key priority without delay. While cyber incidents leading to the loss of personally identifiable information occur regularly, regulators will take to task those who fail to treat cyber risk as a matter of corporate governance and compliance.
Bellrock’s approach to addressing our clients’ cyber risk maturity involves the use of third-party experts who assist our clients in understanding and developing their cyber maturity. This process is initiated with a Cyber Risk Assessment, which identifies the cyber risks facing your business and its requirements for insurance. Our guide to Cyber Liability Insurance can be found here. For further information, or to obtain a quote, please contact a Bellrock Advisor to discuss your requirements.