ASIC sues Fortnum over alleged cyber failures | Australian Markets

The Australian Securities and Investments Commission (ASIC) has initiated legal motion in opposition to Fortnum Private Wealth alleging it didn’t correctly handle and mitigate cyber security dangers.

The regulator stated it had filed proceedings within the NSW Supreme Court alleging Fortnum didn’t meet its obligations as an Australian financial providers licensee as a result of it didn’t have ample insurance policies, frameworks, systems and control in place to deal with the cyber security dangers.

“As a result, ASIC claims Fortnum exposed the company, its authorised representatives (ARs) and clients of its ARs to an unacceptable level of risk of a cyber-attack or a cybersecurity incident,” ASIC stated.

“While Fortnum launched a particular cybersecurity coverage from April 2021, ASIC contends the coverage was not an ample response to handle cybersecurity risk. “

“Before Fortnum revised its policy in May 2023, several of its ARs experienced cyber incidents. One of these was a cyber attack that ASIC alleges led to a major breach and saw the data of more than 9,000 clients published on the dark web.”

ASIC Chair Joe Longo stated, “Fortnum’s alleged failure to adequately manage cybersecurity risks exposed the company, its representatives and their clients to an unacceptable level of risk of a cyber-attack.”

“ASIC has been highlighting the cybersecurity tasks of firms. Australian financial providers licensees, specifically, maintain a vary of delicate and confidential data.

“That is why it’s one of our enforcement priorities to behave the place we see licensees fail to have ample protections,’ Mr Longo stated.

As half of the motion, ASIC alleges Fortnum didn’t:

• require that its ARs undertake a prescribed minimal quantity of cybersecurity schooling or coaching,
• adequately supervise or monitor the cybersecurity risk management framework of its ARs,
• have any workers with specialised experience or expertise in cybersecurity or have interaction a marketing consultant with applicable experience to help with the development of its cybersecurity coverage, and
• have a risk management system which addressed cybersecurity or insurance policies, frameworks, systems or controls which enabled the identification and analysis of cybersecurity dangers throughout its ARs.

ASIC is in search of a declaration and pecuniary penalty in opposition to Fortnum.

Fortnum acknowledged the ASIC motion, with the company’s chief govt, Matt Brown issuing the next assertion”

“Fortnum Private Wealth (FPW) was notified yesterday by the Australian Securities and Investments Commission (ASIC) that it has commenced legal proceedings in relation to alleged breaches of FPW’s common financial providers licensee obligations underneath the Corporations Act 2001 (Cth) regarding cyber-security risk management.

ASIC’s declare references one principal cyber incident and 4 smaller occurrences in 2021 – 2022. The principal incident associated to legacy knowledge held by a FPW authorised advisory observe for document holding functions, from a prior licensee for about 9,828 shoppers. It didn’t embody information the place FPW had delivered the advice.

Regulatory reporting of the incident and any shopper remediation was accomplished in a well timed method. There was no shopper financial loss detected; nevertheless, we sincerely remorse the priority that these shoppers could have skilled, at that time.

The different 4 incidents associated to e-mail phishing assaults that occurred within particular person financial advisory practices authorised by FPW, relatively than FPW itself. These issues had been recognized rapidly, investigated and confirmed to not have led to any shopper loss.

Our view is that FPW has a sturdy cyber coverage and knowledge safety controls that had been in place earlier than these incidents. FPW continues to develop these controls in keeping with evolving industry requirements and the growing menace posed to all by cyber criminals. FPW additionally believes it has upheld its obligations underneath its licence.

FPW takes the safety of shopper data significantly and we proceed to invest in cyber resilience and knowledge safety measures. We perceive that all of us have a position to play within the financial providers industry to discourage cyber criminals.

We strongly refute ASIC’s allegations that FPW failed to satisfy its obligations with regard to applicable cyber controls over the period 2021 – 2022 and can vigorously defend our place.

As the matter is now earlier than the Courts, FPW is unable to make additional remark at this time.”