AFS licensee sued for cybersecurity and licensee obligation failures

The Australian Securities and Investments Commission (ASIC) has commenced proceedings against Fortnum Private Wealth Ltd (Fortnum), alleging multiple breaches of its general licensee obligations under section 912A of the Corporations Act 2001 (Cth) (Corporations Act). The proceedings serve as a timely reminder of the evolving regulatory expectations around cybersecurity governance and the supervisory responsibilities of financial services licensees.

Summary of allegations

ASIC’s originating process asserts that Fortnum, the holder of an Australian financial services licence (AFSL), failed to satisfy key obligations under sections 912A(1) and 912A(5A) of the Corporations Act. The breaches alleged include:

  • 912A(1)(a) – Efficient, honest and fair provision of financial services
    Fortnum failed to implement adequate cybersecurity policies, education and oversight mechanisms, undermining the fair and secure delivery of financial advice services to retail clients.
  • 912A(1)(d) – Adequate resources (including human resources)
    Fortnum lacked staff with cybersecurity expertise and failed to engage qualified consultants, leading to insufficient internal capacity to manage cyber risk and supervise authorised representatives (ARs).
  • 912A(1)(f) – Competence and training of representatives
    ASIC alleges Fortnum did not ensure its ARs were adequately trained in cybersecurity, offering only limited training linked to outdated or optional policies.
  • 912A(1)(h) – Risk management systems
    The company is accused of having no meaningful risk management framework to address cybersecurity risks, including an absence of escalation and reporting protocols.
  • 912A(5A) – Failure to take reasonable steps to comply
    ASIC contends Fortnum failed to take reasonable steps to ensure compliance with the above obligations, compounding its liability under s 912A(5A).

The cybersecurity gap

Central to ASIC’s case is Fortnum’s inadequate response to well-known and growing cybersecurity threats. The proceedings highlight:

  • Fortnum’s issuance of a rudimentary cybersecurity policy in April 2021, with limited enforcement or oversight;
  • a delay of some 12 months in releasing an updated policy, which was not issued until May 2023, during which time Fortnum did not enforce the protocols it already had in place;
  • repeated cyber incidents affecting its ARs, including phishing attacks and data breaches involving thousands of clients; and
  • no systematic follow-up or mitigation measures taken in response to these incidents.

ASIC argues these failings significantly increased the risk of data breaches and financial harm to clients, contrary to the duties imposed by section 912A.

Regulatory implications

These proceedings are part of a broader trend in ASIC’s enforcement strategy, where governance failings—particularly around operational risk and data security—are being scrutinised under the 912A regime. They reinforce several important messages:

  1. Cybersecurity is a licence obligation – Licensees must treat cyber risk as integral to their risk management and governance framework. Optional or aspirational measures are no longer sufficient.
  2. Oversight extends to ARs – Delegating services to ARs does not absolve a licensee from ensuring adequate training, supervision and compliance.
  3. Incidents require escalation and adaptation – Failing to respond to cyber incidents with updated systems, controls and practices may be viewed by ASIC as ongoing and compounding breaches.

Conclusion

ASIC v Fortnum Private Wealth is a cautionary tale for licensees who underestimate the compliance risk posed by inadequate cybersecurity governance. The case is likely to clarify how the Court interprets the section 912A obligations in a cyber context and to reinforce the expectation that financial services providers implement fit-for-purpose frameworks aligned with current threats.

Licensees would be well advised to review their cybersecurity posture, supervisory arrangements, and training programs—not only to avoid regulatory sanction but to meet growing client expectations of digital trust. If you require legal assistance reviewing your cybersecurity obligations, risk frameworks, or incident response readiness, please contact Chris Mee at cmee@cnmlegal.com.au or call 07 3211 4010.