ASIC doubles down on alleged cyber security failings – second AFSL holder to face enforcement action in 2025
The Australian Securities and Investments Commission (ASIC) has sharpened its regulatory focus on cyber security in 2025, sending a clear message to Australian Financial Services Licence (AFSL) holders that cyber risk is not just an IT issue, but a core compliance obligation.
We previously reported on ASIC’s first and second enforcement proceedings concerning alleged cyber security failings by AFSL holders. ASIC has now commenced proceedings in the Supreme Court of New South Wales against Fortnum Private Wealth (Fortnum). This is ASIC’s second cyber-related enforcement proceeding in 2025, and the third of its kind overall. It reflects a growing pattern of enforcement, underscoring ASIC’s expectation that licensees must proactively manage cyber threats or face serious legal consequences.
In this article, we consider ASIC’s latest enforcement action against Fortnum and what this means for AFSL holders generally.
Background
Fortnum, now a subsidiary of Entireti, is an AFSL holder. At all material times, Fortnum had a number of authorised representatives (ARs) which provided financial advice on its behalf. These included firms that operated financial advice businesses (Principal Practices) and individual advisers employed by the Principal Practices (Authorised Advisers).
ASIC’s Concise Statement alleges that, in the period prior to 11 May 2023, several of Fortnum’s ARs experienced cyber security incidents. Those included:
- the compromise of an Authorised Adviser's email account;
- unauthorised access to an employee’s email account by a party operating from an overseas IP address;
- a business email compromise event where emails were sent purporting to be from an Authorised Adviser;
- a phishing attack that resulted in an unknown third party gaining access to at least one employee’s email account and sending 1266 emails containing phishing links from that employee’s account; and
- a major data breach that resulted in the exfiltration and publication on the dark web of more than 200 gigabytes of data relating to up to 9828 clients.
ASIC contends that Fortnum’s cybersecurity policy, which was introduced in April 2021, was insufficient and that Fortnum did not take adequate steps to strengthen its cybersecurity framework even after earlier breaches. ASIC Chair Joe Longo described these alleged failings as having exposed Fortnum, its ARs and the clients of its ARs to an 'unacceptable level of risk'.
ASIC's case and the proceedings
ASIC alleges that Fortnum failed to adequately manage cybersecurity risk and breached multiple provisions of section 912A of the Corporations Act 2001 (Cth) between 20 April 2021 and 11 May 2023. Section 912A of the Corporations Act requires AFSL holders to, among other things:
- do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly (section 912A(1)(a)); and
- have adequate risk management systems (section 912A(1)(h)).
ASIC’s case focuses on Fortnum’s alleged failure to manage cybersecurity risks by:
- failing to implement adequate cybersecurity policies or frameworks to manage and mitigate cybersecurity risks for itself and its ARs;
- not requiring its ARs to undertake a prescribed minimum amount of cybersecurity training;
- lacking oversight and monitoring systems for its ARs’ cybersecurity practices;
- not having adequate human resources, or engaging qualified cybersecurity consultants, to provide the financial services covered by its licence; and
- operating without a risk management system that addressed cybersecurity risk.
As part of their operations, the ARs handled personal information including identification documents, tax file numbers and financial information.
ASIC points to Fortnum’s duties as a licensee to identify and understand the cybersecurity risks that it and its ARs faced, and to have controls in place to manage those risks appropriately.
Most of the cybersecurity incidents affecting Fortnum’s ARs allegedly occurred after the introduction of Fortnum’s cybersecurity policy. ASIC claims that Fortnum failed to implement measures to strengthen its cybersecurity policies, frameworks, systems and controls despite these incidents occurring.
ASIC seeks from the court declarations that Fortnum contravened the Corporations Act, together with a pecuniary penalty.
The proceedings align with ASIC’s broader enforcement priorities, which include holding licensees accountable for cyber risk management failures – including where breaches occur at the AR level.
We will provide a further update on the proceeding in due course.
Key differences between the three enforcement actions
There have now been three similar proceedings commenced by ASIC against AFSL holders since 2020, which all allege breaches of section 912A of the Corporations Act.
The below table provides some information on the differences and similarities between the three proceedings.
Category | Fortnum Private Wealth | FIIG Securities | RI Advice Group |
---|---|---|---|
Nature of entity | Financial advice firm and AFSL holder | Fixed income securities dealer and AFSL holder | Financial advice firm and AFSL holder |
Date proceedings issued by ASIC | 21 July 2025 | 12 March 2025 | 21 August 2020 |
Alleged timeframe of failures | April 2021 – May 2023 | March 2019 – June 2023 | June 2014 – May 2020 |
Nature of incidents | Five incidents, including phishing and a major data breach involving 200GB of legacy data from an AR, which resulted in publication of personal information of up to 9828 clients on the dark web. | One prolonged breach involving the theft of 385GB of client data, affecting 18,000 clients. The threat actor promptly published the stolen data on the dark web. | Nine incidents over a six-year period, including ransomware, hacking and phishing incidents. |
ASIC factual allegations against AFSL holder | Inadequate policies, failure to supervise ARs, lack of cyber expertise and no adequate risk system. | No multi-factor authentication, no patching, weak access controls, no staff training and inadequate human and financial resourcing. | Failure to implement adequate controls and respond to repeated incidents. |
Remedy sought (or obtained) by ASIC | Seeking declaration of contraventions, pecuniary penalty, and costs. | Seeking declaration, penalty, compliance review with expert oversight. | Obtained declaration and $750,000 in costs from entity. No penalty imposed. |
Overarching enforcement message | Licensees responsible for ARs and firm-wide cyber readiness. | Basic controls like MFA and patching are mandatory. | Cybersecurity is a legal duty and must be actively managed. |
Key takeaways
ASIC’s enforcement trajectory offers several critical lessons for all AFSL holders and reaffirms that cyber risk management is a non-negotiable part of AFSL compliance.
The key takeaways include:
- Cybersecurity is a legal and compliance obligation: ASIC considers cybersecurity a core part of a licensee’s duty to provide services efficiently, honestly and fairly, and to have adequate risk management systems, under section 912A of the Corporations Act. To comply, AFSL holders must ensure robust cybersecurity frameworks are in place and actively monitored.
- Resourcing must match risk: Licensees must allocate sufficient financial, technological and human resources to cyber security. This includes engaging cybersecurity personnel to assess, implement and maintain the cyber framework. Generic or outdated policies without specialist input will not meet ASIC’s standards.
- Oversight and accountability: Licensees are responsible not only for their own systems, but also for the cybersecurity posture of their ARs and must mandate ongoing cybersecurity training and education for staff and ARs. Such training should evolve as novel cybersecurity threats emerge to avoid becoming outdated.
Hall & Wilcox's cyber and financial services experts can assist your organisation with regulatory compliance and cyber risk management. To discuss whether you have the right cyber risk mitigation strategies in place, or what to do if a cyber incident occurs, please do not hesitate to contact our team.