INSIGHT

Cyber enforcement in the spotlight again as ASIC pursues Fortnum Private Wealth

By Valeska Bloch, Christopher Kerrigan, Joe Payten

ASIC’s message is clear: cyber risk is compliance risk

ASIC has commenced civil penalty proceedings against AFS licensee Fortnum Private Wealth Limited (Fortnum), alleging it failed to adequately manage cybersecurity risks across its network of authorised representatives. It marks ASIC's third cybersecurity enforcement action, and its second this year, and reflects the regulator's growing emphasis on cybersecurity as a core component of the obligations on financial services licensees.

In this Insight, we examine the Fortnum proceedings, outline what financial services licensees and their boards need to know about ASIC’s evolving cyber enforcement strategy and draw out the implications for future enforcement and governance expectations.

Background: the case against Fortnum

ASIC has commenced proceedings against Fortnum in the Supreme Court of NSW, seeking declarations that Fortnum failed to comply with its licensee obligations under section 912A of the Corporations Act 2001 (Cth) and a pecuniary penalty in respect of Fortnum's contraventions.

Fortnum provides financial product advice to retail clients through a network of authorised representatives (ARs), and is the holder of an Australian Financial Services Licence.

In the course of advising clients, Fortnum's ARs received, stored and accessed Fortnum's clients' personal information. ASIC alleges that the nature and extent of that information made Fortnum and each of its ARs potential targets for cyberattacks and informed the nature of Fortnum's obligations as a licensee.

ASIC's claim centres on three key factual allegations:

  • prior to May 2023, Fortnum did not have adequate policies in place designed to manage and mitigate the cybersecurity risks faced by it or its ARs;
  • Fortnum's policies, frameworks, systems and controls were inadequate, including because it did not: provide cybersecurity-focused education, training and supervision of its ARs; have any employees or external consultants with specialised expertise or experience in cybersecurity; or have an adequate risk management system; and
  • Fortnum's ARs experienced several cybersecurity incidents in 2021 and 2022, including a data breach that resulted in the exfiltration and publication of over 200 gigabytes of data relating to over 9000 clients.

ASIC alleges that Fortnum breached its obligations under s912A by failing to:

  • provide financial services efficiently, honestly and fairly;
  • have adequate resources (specifically human resources) to ensure its cybersecurity arrangements were in compliance with its legal obligations;
  • ensure its ARs were adequately trained; and
  • have adequate risk management systems,

in contravention of ss912A(1)(a), (d), (f) and (h), and s912A(5A).

The originating process and concise statement filed by ASIC have both been made publicly available.
Key takeaways

Cyber enforcement a real risk

This is ASIC's third cybersecurity-related enforcement action, following proceedings against RI Advice and FIIG Securities (commenced in March this year). ASIC is now treating cybersecurity as an essential element of a licensee's obligations.

The three cases also highlight ASIC's continuing reliance on s912A in its cybersecurity enforcement approach. In each case, ASIC has used licensee obligations under s912A as a standalone pathway to civil penalties (rather than to suspend, revoke or impose conditions on the licence) to force uplift in an organisation's information security practices.

Governance failures vs technical measures

Unlike its case against FIIG Securities (or the allegations made by the applicants in the class action proceedings against Optus and Medibank), ASIC has not made any allegations about Fortnum's or its ARs' technical cybersecurity settings. Instead, ASIC's case is focused on the adequacy of the licensee's policies, ineffective frameworks and systems, and weak internal controls. The case against Fortnum is likely to explore licensees' cybersecurity obligations under s912A from a perspective focused on governance, human capital and systems, rather than prescriptive technical measures.

Our comparison of security measures that class action plaintiffs and regulators have alleged are required in these proceedings is available here.

No director liability

Despite making statements that it is actively investigating directors in connection with their responses to cyber incidents, ASIC has again elected not to bring proceedings against any directors. This continues the approach taken in both RI Advice and FIIG Securities. Notwithstanding this, the risks for directors remain real, with regulators repeatedly emphasising the criticality of board-level oversight on cybersecurity.

Training, expertise and supervision

ASIC alleges Fortnum failed to provide adequate training and education on cybersecurity to its ARs, and to employ or retain individuals with specialised expertise in cybersecurity. Like the FIIG Securities claim, ASIC's claim against Fortnum reinforces its expectation that licensees will employ or outsource to people with necessary skills and experience to maintain robust cybersecurity standards.

Third-party service provider risk?

ASIC's case against Fortnum seeks to hold a licensee responsible for the conduct and failings of its ARs. It is not difficult to see how ASIC might build upon this to formulate a future case against a licensee based on failings of a third-party service provider involved in the licensee's cyber supply chain. Licensees remain responsible for complying with their obligations even where functions related to the licence are outsourced, underscoring the importance of having robust cyber supply chain risk management measures in place.

Next steps

Unless a statement of agreed facts and admissions is made by the parties, the likely next step will be for ASIC to formalise its pleading in a detailed statement of claim, followed by a defence from Fortnum. Either of those steps will provide more detailed guidance on what ASIC considers to be adequate cybersecurity policies and frameworks. What is clear for now is that ASIC is actively pursuing its cybersecurity enforcement priorities, and licensees should consider both their detailed technical cybersecurity measures and their overarching policies and frameworks as central components of their licence obligations.