The corporate watchdog has filed proceedings in the NSW Supreme Court against Fortnum Private Wealth (FPW) alleging the financial advice company failed to adequately manage cybersecurity risks, leading to the release of data from 9,828 clients to the dark web.
The Australian Securities and Investments Commission (ASIC) alleges that in failing to have adequate policies, frameworks, systems and controls in place to deal with cybersecurity risks, Fortnum did not meet its obligations as an Australian financial services licensee.
ASIC claims that prior to 11 May 2023 Fortnum did not have any adequate policies in place designed to manage and mitigate the cybersecurity risks faced by either the company or its authorised representatives (ARs).
A concise statement from the regulator notes that although by September 2021 Fortnum's principal practices were required to fill out a self-assessment tool covering their cybersecurity and IT set-ups, only 44 per cent had completed the forms and just 11 per cent had completed an attestation that cybersecurity measures had been implemented.
ASIC points to several cybersecurity incidents across the network, starting with the compromise of an email account at one of its principal practices, Prominent Financial Services, in January 2021, and an incident in April of that year in which the email account of an employee at Fortnum's Ford practice was hacked and accessed from an overseas IP address.
This was followed by another incident in July 2021, in which another practice, RedThorn, was subjected to a cyberattack in which emails purporting to be from one of its advisers were sent.
In July 2022, another practice, Eureka, was the subject of a phishing attack that resulted in an unknown threat actor gaining access to at least one employee’s email account and sending 1,266 emails containing phishing links from that employee’s account.
The final incident referenced by the regulator, and the one involving the largest amount of data breached, occurred in September 2022, when an attack on Fortnum practice Wealthwise led to the exfiltration and publication of over 200 gigabytes of data relating to up to 9,828 clients.
Most of those incidents occurred after the introduction of Fortnum's April 2021 cybersecurity policy, and ASIC argues the group "did not implement any measures in light of those incidents in respect of its cybersecurity policies, frameworks, systems and controls".
ASIC is seeking a declaration and pecuniary penalty against the group.
"Fortnum’s alleged failure to adequately manage cybersecurity risks exposed the company, its representatives and their clients to an unacceptable level of risk of a cyber-attack," says ASIC chair Joe Longo.
"ASIC has been highlighting the cybersecurity responsibilities of companies. Australian financial services licensees, in particular, hold a range of sensitive and confidential information.
"That is why it is one of our enforcement priorities to act where we see licensees fail to have adequate protections."
ASIC's statement does not specify the type of data that was released, but in the course of business Fortnum's authorised representatives electronically received, stored and accessed confidential and sensitive personal information and documents relating to clients, such as copies of identification documents, tax file numbers, and financial information including bank account and credit card details.
However, Fortnum Private Wealth chief executive officer Matt Brown says the largest data leak referenced by the regulator does not relate to data collected in the course of giving advice.
In a response given to Business News Australia, Brown says the main incident referenced by ASIC relates to legacy data for about 9,828 clients that an FPW-authorised advisory practice held for record-keeping purposes from a prior licensee.
"It did not include records where FPW had delivered the advice," Brown says.
"Regulatory reporting of the incident and any client remediation was completed in a timely manner. There was no client financial loss detected; however, we sincerely regret the concern that those clients may have experienced, at that time.
"The other four incidents related to email phishing attacks that occurred within individual financial advisory practices authorised by FPW, rather than FPW itself. These matters were identified quickly, investigated and confirmed not to have led to any client loss."
He says the group's view is that "FPW has a strong cyber policy and data protection controls that were in place before these incidents".
"FPW continues to develop these controls in line with evolving industry standards and the growing threat posed to all by cyber criminals. FPW also believes it has upheld its obligations under its licence," he says.
"FPW takes the protection of client information seriously and we continue to invest in cyber resilience and data protection measures. We understand that we all have a role to play in the financial services industry to deter cyber criminals.
"We strongly refute ASIC’s allegations that FPW failed to meet its obligations with regard to appropriate cyber controls over the period 2021-2022 and will vigorously defend our position."