ASIC is suing financial advice business Fortnum Private Wealth Limited alleging it failed to properly manage and mitigate cybersecurity risks. (ASIC Media release 25-143MR)
In proceedings filed in the NSW Supreme Court, ASIC alleges Fortnum did not meet its obligations as an Australian financial services licensee because it failed to have adequate policies, frameworks, systems and controls in place to deal with cybersecurity risks.
As a result, ASIC claims Fortnum exposed the company, its authorised representatives (ARs) and clients of its ARs to an unacceptable level of risk of a cyber-attack or a cybersecurity incident.
While Fortnum introduced a specific cybersecurity policy from April 2021, ASIC contends the policy was not an adequate response to manage cybersecurity risk.
Before Fortnum revised its policy in May 2023, several of its ARs experienced cyber incidents. One of these was a cyber-attack that ASIC alleges led to a major breach and saw the data of more than 9,000 clients published on the dark web.
As part of the action, ASIC alleges Fortnum did not:
- require that its ARs undertake a prescribed minimum amount of cybersecurity education or training,
- adequately supervise or monitor the cybersecurity risk management framework of its ARs,
- have any employees with specialised expertise or experience in cybersecurity or engage a consultant with appropriate expertise to assist with the development of its cybersecurity policy, and
- have a risk management system which addressed cybersecurity or policies, frameworks, systems or controls which enabled the identification and evaluation of cybersecurity risks across its ARs.
ASIC is seeking a declaration and pecuniary penalty against Fortnum.
Cybersecurity risks
- It is alleged by ASIC that in the course of their business, Fortnum’s ARs electronically received, stored and accessed confidential and sensitive personal information and documents in relation to Retail Clients, including (among other things) copies of identification documents, tax file numbers, and financial information such as bank account and credit card details (Personal Information).
- It was necessary for the clients of Fortnum’s ARs to provide their Personal Information in order to receive Personal Advice.
- As a result of the nature and extent of the Personal Information collected and held in the course of providing financial services, Fortnum and each of its ARs were potential targets for cyber-related attacks and cybercrimes, the consequences of which could include serious harm and loss.
- It therefore was, and is, incumbent on Fortnum in discharging its duties and obligations as a licensee to identify and understand the cybersecurity risks that it and its ARs faced, and to have adequate policies, frameworks, systems and controls in place to appropriately manage and mitigate those risks.
Alleged breaches of the Corporations Act
1) financial services were not provided efficiently, honestly and fairly, and thereby contravened s 912A(1)(a) by [Fortnum’s] failure to:
- implement any adequate cybersecurity policy to manage and mitigate cybersecurity risks for it and its authorised representatives (ARs);
- provide any adequate education or training to its ARs on cybersecurity; and
- implement any, or any adequate, processes, systems or frameworks for the oversight and monitoring of its ARs in terms of cybersecurity risk and cyber resilience;
2) failed to have available adequate resources (specifically human resources) to provide the financial services covered by the Licence and to carry out supervisory arrangements, and thereby contravened s 912A(1)(d);
3) failed to ensure that its ARs were adequately trained, and were competent, to provide the financial services covered by the Licence, and thereby contravened s 912A(1)(f) of the Corporations Act; and
4) failed to have adequate risk management systems, and thereby contravened s 912A(1)(h) of the Corporations Act.
5) the breaches in (1) to (4) are of civil penalty provisions and therefore also constitute a breach of s 912A(5A).
Learnings for General Insurance
APRA regulated insurers
It should be noted that the general obligations for licensees to have adequate resources (human, financial & technology) (s 912A(1)(d)) and to have an adequate risk management system (s 912A(1)(h)) do not apply to APRA regulated insurers.
Insurers must comply with APRA Prudential Standards, relevantly for cyber security:
- Risk Management CPS 220
- Operational Risk CPS 230
- Information Security CPS 234
Underwriting Agencies, TPAs and others acting on behalf of Insurers
In entering into binder agreements or claims management agreements with APRA regulated insurers, underwriting agencies, TPAs and others may be categorised as Material Service Providers and are contractually bound in obligations owed to the insurer to, generally:
- have a risk management system that includes the management of cyber security risk;
- manage operational risk including compliance risk, technology risk and data risk and have a Business Continuity Plan to manage business disruptions within agreed tolerances; and
- adequately manage information assets defined as information and information technology, including software, hardware and data (both soft and hard copy).
Insurers, Brokers, MGAs, TPAs & other licensees providing general insurance products or services
In managing cyber security risk in general insurance there are some fundamentals that all firms must have, as reinforced by ASIC in the Fortnum proceedings:
- a risk management framework that includes the systematic management of cyber security risk with adequate governance, roles & responsibilities, controls and reporting in place;
- a monitoring program covering employees, authorised representatives and service providers, covering their compliance with and/or management of cyber security risk requirements;
- a holistic approach to managing customers' personal information covering insurer requirements (under Prudential Standards), AFSL obligations and Privacy laws;
- employees and other representatives must be adequately trained & educated on cyber security risk, such training to be recorded in the training register;
- the management of cyber security risk must be documented in fit-for-purpose policy and procedures;
- controls must be implemented, based on specialist IT/security advice, that adequately manage cyber security risk within risk appetite and tolerance levels. Such controls must be subject to control testing;
- incident management must include the identification, raising and reporting of IT incidents;
- complaint data should be analysed for any break-down in controls designed to manage customers' personal information;
- the firm has employees with specialised expertise or experience in cyber security (or outsources such expertise), who develop or sign-off on relevant frameworks, systems, controls and policies;
- the firm's compensation arrangements under s 912B of the Corporations Act (also see RG 126) (other than for APRA regulated insurers) must be sufficient to compensate clients and customers/insureds for loss or damage suffered as a result of a cyber security incident.
Disclaimer: Reproduction of statements made in this article by media outlets, whether in full or in part, is strictly prohibited without the written express consent of the author. The views, opinions, and positions expressed within this article are those solely of the author and Compliance Advocacy Solutions Pty Ltd and not the views of other individuals, companies or organisations they may be affiliated with. The author and Compliance Advocacy Solutions Pty Ltd make no representations as to accuracy, completeness, currency, suitability, or validity of any information in this article and will not be liable for any errors or omissions or any loss or damage arising from its use or reliance. This article is intended for educational and informational purposes only and should not be relied upon as professional legal advice.
