Australian Regulator Alleges Financial Firm Exposed Clients to Unacceptable Cyber Risks – Source: www.infosecurity-magazine.com

Australia’s financial regulator has launched legal action against financial services firm Fortnum Private Wealth for allegedly exposing its clients to unacceptable cybersecurity risks.

The Australian Securities and Investments Commission (ASIC) filed proceedings against the financial advisory company in the New South Wales (NSW) Supreme Court on July 21.

ASIC claims Fortnum Private Wealth failed to have adequate policies, frameworks, systems and controls in place to deal with cybersecurity risks.

The Commission alleges these failings contributed to a number of Fortnum’s clients and authorized representatives (ARs) experiencing cyber incidents.

One incident resulted in a major breach of over 200GB of data relating to up to 9828 clients in September 2022. This confidential information was subsequently published on the dark web.

On numerous occasions, threat actor gained access to AR email accounts, which they used to send phishing emails to clients.

Most of these incidents occurred after Fortnum introduced a specific cybersecurity policy in April 2021. ASIC contends the policy was not an adequate response to manage cybersecurity risk, particularly for a financial services firm responsible for handling highly sensitive client data.

This policy was subsequently revised in May 2023.

The main cybersecurity failings highlighted in the proceedings were:

• Not requiring ARs to undertake a prescribed minimum amount of cybersecurity education or training
• Failing to supervise or monitor the cybersecurity risk management framework of its ARs
• Not having any employees with specialized expertise or experience in cybersecurity, and not engaging a specialist consultant to assist with the development of its cybersecurity policy
• Failing to have a risk management system which addressed cybersecurity or policies, frameworks, systems or controls which enabled the identification and evaluation of cybersecurity risks across its ARs

ASIC Chair, Joe Longo, commented, “Fortnum’s alleged failure to adequately manage cybersecurity risks exposed the company, its representatives and their clients to an unacceptable level of risk of a cyber-attack.”

He added: “ASIC has been highlighting the cybersecurity responsibilities of companies. Australian financial services licensees, in particular, hold a range of sensitive and confidential information.”

ASIC said it is seeking a declaration of Fortnum’s failings from the court and a financial penalty to be issued against the firm.

In a statement published by Financial Newswire, Fortnum CEO, Matt Brown, said the company “strongly refutes” ASIC’s allegation that it failed to apply appropriate cybersecurity controls.

“As the matter is now before the Courts, FPW is unable to make further comment at this time,” Brown added.