The Australian Securities and Investments Commission (ASIC) has initiated legal proceedings against Fortnum Private Wealth Limited, alleging significant failures in adequately managing cybersecurity risks. The move signals ASIC’s intensified focus on ensuring financial services licensees protect sensitive client data in an increasingly digital landscape.

Proceedings filed in the New South Wales Supreme Court on July 21, 2025, contend that Fortnum Private Wealth, an Australian financial services (AFS) licensee, did not meet its obligations under the Corporations Act 2001 (Cth). ASIC alleges that between April 2021 and May 2023, Fortnum’s cybersecurity policies, frameworks, systems, and controls were inadequate, thereby exposing the company, its authorized representatives (ARs), and their clients to an “unacceptable level of risk of a cyber-attack or a cybersecurity incident.”

This alleged failure, according to ASIC, led to several cyber incidents affecting Fortnum’s ARs during the period. Crucially, one incident is reported to have resulted in a major data breach in September 2022, where the personal information of over 9,000 clients was reportedly exfiltrated and published on the dark web.

While Fortnum introduced a specific cybersecurity policy in April 2021, ASIC maintains that this policy was not a sufficient response to effectively manage cybersecurity risks, particularly given the highly sensitive nature of the data held by a financial services firm. The regulator notes that Fortnum revised its policy in May 2023, following these incidents.

ASIC allegations

ASIC’s allegations include that Fortnum:

• did not require its ARs to undertake a prescribed minimum amount of cybersecurity education or training;
• failed to adequately supervise or monitor its ARs’ cybersecurity risk management framework;
• lacked employees or external consultants with specialized expertise or experience in cybersecurity;
• did not have a comprehensive risk management system that addressed cybersecurity or policies, frameworks, systems, or controls for identifying and evaluating cybersecurity risks across its AR network.

ASIC is seeking a declaration from the court regarding Fortnum’s alleged contraventions and the imposition of a pecuniary penalty. The matter is scheduled for directions on August 4, 2025.

ASIC Chair, Joe Longo, emphasized the regulator’s stance, stating: “Fortnum’s alleged failure to adequately manage cybersecurity risks exposed the company, its representatives and their clients to an unacceptable level of risk of a cyber-attack.”

He added: “ASIC has been highlighting the cybersecurity responsibilities of companies. Australian financial services licensees, in particular, hold a range of sensitive and confidential information. That is why it is one of our enforcement priorities to act where we see licensees fail to have adequate protections.”

In a media statement, Fortnum Private Wealth’s CEO, Matt Brown, stated that the company “strongly refutes” ASIC’s allegations regarding its cybersecurity controls during the 2021-2022 period and will “vigorously defend our position.” He clarified that the main incident referenced by ASIC pertained to legacy data held by an authorized advisory practice for record-keeping purposes from a prior licensee and did not involve records where Fortnum Private Wealth had delivered the advice. As the matter is now before the courts, Fortnum is unable to provide further comment.

This action follows a similar case in March 2025, where ASIC took action against FIIG Securities Limited for alleged failures in cybersecurity measures that also resulted in a significant data breach.

Compliance lessons

The ASIC v Fortnum Private Wealth case serves as an important reminder for all Australian financial services licensees (AFSLs) of their fundamental obligations to maintain robust cybersecurity risk management.

Key compliance lessons:

• Cybersecurity as a core licensee obligation: ASIC views cybersecurity risk management not merely as an IT function, but as a critical component of an AFSL’s general obligations to act “efficiently, honestly, and fairly” under section 912A of the Corporations Act. This includes having adequate financial, technological, and human resources to manage cyber risks.
• Proactive and comprehensive risk management: Simply having a cybersecurity policy is insufficient. The policy must be adequate, comprehensive, and actively implemented across the entire business, including all authorized representatives.
• Supervision and training of Authorized Representatives (ARs): Licensees are accountable for the cybersecurity practices of their ARs.
• Expertise and resources: Organizations must demonstrate they have the necessary expertise, either in-house or through external consultants, to effectively develop, implement, and oversee their cybersecurity framework. This includes having individuals with specialized cybersecurity experience.
• Board and senior management oversight: Cybersecurity is a board-level issue. Directors and senior management must have a clear understanding of the organization’s cyber risk exposure, integrate cybersecurity into corporate governance, and ensure sufficient resources are allocated to cyber resilience. Regular briefings and assessments are vital.
• Data governance and legacy data: The case highlights the importance of managing all data, including legacy data, securely. Financial firms often hold vast amounts of sensitive client information, making them prime targets for cyberattacks. Robust data governance policies, including for historical data, are essential.

ASIC’s enforcement actions demonstrate its commitment to pursuing civil penalties against firms that fail to meet their cybersecurity obligations. Beyond financial penalties, regulatory action can severely damage reputation and client trust.