
ASIC's Cyber Crackdown: Perspective from a Risk Professional


200 gigabytes of client data stolen – close to 10,000 individuals' names, addresses and retirement details are now on the dark web – and as you read this, it is in the hands of cyber criminals actively attempting to scam and defraud them out of their retirement savings.

This is one of five separate cyber incidents or near misses laid out by ASIC in its filings to the Supreme Court, in which it alleges that Fortnum Wealth, one of Australia’s largest financial advice licensees, has breached its obligations as an Australian Financial Services Licence (AFSL) holder.

Fortnum’s CEO is on the defensive. In a media statement the company said that “Fortnum Private Wealth has a strong cyber policy and data protection controls that were in place before these incidents” and that it will “vigorously defend our position”.

The facts and timeline that ASIC has published in its court filings tell an interesting story. While the truth may lie somewhere in the middle as this case unfolds, what’s clear is that ASIC is setting its sights on the financial services industry and is making it clear that acting on weaknesses in cybersecurity doesn’t require new laws: it believes the existing framework is sufficient to hold the industry to account.

This is not the first time that ASIC has taken action against AFSL holders over poor cybersecurity. We saw this with RI Advice (2022) and with FIIG Securities (2025).

The Timeline of Incidents published in the Concise Statement 

January 2021 – Authorised Representative (AR) of Fortnum (Prominent Financial Services) email compromise.

March-April 2021 – AR of Fortnum (Ford) employee email account compromised from an overseas IP address.

April 2021 – Fortnum launches “Cyber Security Policy Version 1.0”. They roll it out across the organisation and provide it to all their Authorised Representatives (Advice firms). 

July 2021 – AR of Fortnum, RedThorn, hit by a cyberattack in which fraudulent emails appearing to come from one of its advisers were sent to clients.

September 2021 – Policy compliance deadline passes. Only 44% of Fortnum AR practices complete the self-assessment and only 11% sign the attestation. 

May 2022 – Fortnum suspends the policy for rewrite, leaving a 12-month control gap. 

July 2022 – Authorised Representative of Fortnum, Eureka, suffers a phishing attack; 1266 malicious emails sent from the compromised account.

September 2022 – Fortnum becomes aware of a breach from one of its Authorised Representatives, Wealthwise. 200 GB exfiltrated over fifteen days, 9828 clients affected, data published to dark-web forum. 

May 2023 – Fortnum launches “Cyber Policy Version 2.1” after the 12-month gap. 

July 2025 – ASIC files Supreme Court proceedings alleging systematic cybersecurity failures and breaches of core licensee obligations. 

ASIC’s Legal Strategy  

The financial services regulator is making it clear that it will not hesitate to act on cybersecurity weaknesses, and that it sees this as squarely within its existing jurisdiction and powers. No new legislation is needed. ASIC believes Fortnum’s cyber failures breach at least three of the “ten commandments” in section 912A of the Corporations Act:

  • s912A(1)(a) – services must be provided efficiently, honestly and fairly.
  • s912A(1)(d) – licensee must maintain adequate financial, technological and human resources. 
  • s912A(1)(h) – licensee must have adequate risk-management systems. 

ASIC is saying any AFSL with weak cyber controls now sits in the firing line. 

Reality Checks 

Reality Check 1: Five chances to learn – little changed 

Five separate incidents hit various Fortnum authorised advice practices between January 2021 and July 2022. Four out of the five were basic phishing and BECs (business email compromises), and basic security controls should prevent the majority of these attacks. Repeated email compromises should have triggered a mandatory email security uplift across all of its ARs, including mandatory training and phishing simulations. This doesn’t appear to have happened.

When conducting cyber audits, our team doesn’t judge organisations for getting breached – you can’t stop 100% of attacks. The real test is what you do AFTER. How did you learn? Did you find the REAL root cause? What changed to prevent a recurrence?

That’s where I think Fortnum failed catastrophically.  

The Lesson:  

  • Every cyber incident should be treated as a wake-up call and an opportunity to learn. The incident management process should not close once you contain the incident; it should only close after you’ve implemented controls to stop it from happening again.
  • Don’t just have a cyber incident response plan. Test it! We test our fire plans with drills; when was the last time you tested your cyber incident response plan with a cyber drill?
  • BECs are the most common type of cyber attack according to the ACSC (Cyber report 2024). Most of these can be prevented with basic security controls (if implemented correctly) and by training staff on phishing. When was the last time you reviewed your defence and response playbook for BECs?

Reality Check 2: Essential Eight labelled as “advanced” – seriously? 

ASIC’s filings reveal something that made me chuckle. Fortnum’s April 2021 policy classified the Essential Eight controls as an “advanced cyber security strategy” and made compliance with them optional. Let me be clear, if it wasn’t already clear from the name: they are ESSENTIAL.

Time and time again we audit organisations and find they still lack basic security controls like MFA on email and on systems holding tens of thousands of client records, simply because their users find it “challenging” and “too complex”.

The Lesson: 

  • Essential Eight should be your baseline, not your aspiration. If you’re treating these as “advanced,” you’re already behind. 
  • Stop letting “user convenience” override basic security. Your clients’ data deserves better than weak passwords and hope. 
  • If your board does not understand why the Essential Eight should be mandatory, you need better risk governance: it means your risk framework is flawed and ineffective!
  • Review your current Essential Eight maturity. If you haven’t conducted a maturity assessment before, that’s your first red flag. 

Reality Check 3: Risk frameworks that ignore the biggest risk are worthless 

ASIC found that Fortnum had comprehensive risk management systems for credit, market, and operational risks – but zero formal cyber risk assessment or management. This wasn’t an oversight. This was systematic exclusion of what the Australian Cyber Security Centre calls ‘the biggest risk facing Australian organisations’, and potentially their biggest operational risk.  

ASIC is trying to make this clear for you. This isn’t just poor risk management – it’s a s912A(1)(h) breach. You can’t have adequate risk management systems while ignoring the risk most likely to destroy your business overnight. 

The Lesson: 

  • Cyber risk must be formally integrated into your risk management system with defined appetite and tolerance levels. 
  • Stop treating cyber as “IT operational risk.” Cyber risk isn’t an afterthought; it should be a standing agenda item for your risk committee and front of mind.
  • If your risk committee can’t define your cyber risk appetite, your risk management system is fundamentally broken. 
  • Risk and audit committees should supplement internal reporting with independent cyber risk assessments. Validate and identify your real blind spots.  

Reality Check 4: Nobody owns cyber – and it shows 

ASIC found Fortnum had no employees with cybersecurity expertise. They didn’t engage qualified consultants when developing their cyber policy. They had no independent cyber risk assessment capability. 

This reveals the common board-level assumption that cyber is just an “IT problem”.

ASIC is now saying that an AFSL holder lacking cybersecurity expertise has “inadequate resources” and is in breach of s912A(1)(d). ASIC is not saying you need a massive cyber team. It’s about having someone with subject matter expertise who is responsible and accountable for policy development, risk assessment and board advice.

The Lesson: 

  • Assign clear ownership of cyber risk at board level. If you can’t name who’s accountable, you’re already failing governance. 
  • If you don’t have anyone internally – engage qualified cybersecurity expertise immediately.  
  • Get an independent risk assessment (e.g. from Gridware) to validate your own assessment of cyber risk and identify any blind spots.


Mo Khanji

Mo Khanji (FGIA) is Senior Consultant and Head of Risk at Gridware Cybersecurity. He is a Fellow of the Governance Institute and has over 10 years’ experience in financial services compliance.

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. He is recognised for his insights into offensive security and emerging technologies such as blockchain, and often contributes to broader cybersecurity conversations across the country. With an extensive background as a security advisor to major Australian enterprises, Ahmed helps organisations navigate the evolving threat landscape with clarity and confidence.
