Joe Longo (left), Matt Brown and Neil Younger.

Entireti will defend allegations from the regulator that it failed to have sufficient cybersecurity protocols in place to protect client data.

ASIC is suing Fortnum Private Wealth, which is owned by Entireti, and alleging it failed to properly manage and mitigate cybersecurity risks.

The regulator alleges Fortnum did not meet its obligations as an Australian financial services licensee because it failed to have adequate policies, frameworks, systems and controls in place to deal with cybersecurity risks.

ASIC claims Fortnum exposed the company, its authorised representatives (ARs) and clients to an “unacceptable level of risk” of a cybersecurity incident.

However, Entireti will counter ASIC’s allegations, arguing it pursued the highest level of due diligence in its cyber policies.

FPW chief executive Matt Brown said the cyberbreach was isolated to one authorised financial advisory practice in the Fortnum Group, involved legacy data held for record keeping purposes and did not include records where Fortnum had delivered the advice.

“We strongly refute ASIC’s allegations and will vigorously defend them,” Brown said in a statement.

Professional Planner understands much of Entireti’s contention is that the self-owned practice licensed to FPW relied on its own chosen managed service provider (MSP), which gave the firm the tick of approval that its cybersecurity was up to standard.

Fortnum introduced a specific cybersecurity policy from April 2021, but ASIC will contend in court that the policy was not an adequate response to manage cybersecurity risk.

ASIC claims that several Fortnum ARs experienced cyber incidents in 2021 to 2022 before the licensee revised its policy in May 2023.

The main claim was a cyberattack that allegedly led to a major breach and saw the data of 9828 clients published on the dark web.

Entireti contends the main incident related to legacy data held by an FPW authorised advisory practice for record-keeping purposes and did not include records where FPW had delivered the advice.

Brown said all appropriate regulatory reporting of the incident and client remediation was completed in a timely manner.

“There was no client financial loss detected; however, we sincerely regret the concern that those clients may have experienced, at that time,” Brown said.

Brown said the other four incidents related to email phishing attacks that occurred within individual financial advisory practices authorised by FPW, rather than in FPW itself.

“These matters were identified quickly, investigated and confirmed not to have led to any client loss,” Brown said.

“Our view is that FPW has a strong cyber policy and data protection controls that were in place before these incidents.”

Brown said FPW believes it has upheld its obligations under its licence and will “vigorously defend” itself in court.

“FPW continues to develop these controls in line with evolving industry standards and the growing threat posed to all by cyber criminals,” Brown said.

“FPW takes the protection of client information seriously and we continue to invest in cyber resilience and data protection measures. We understand that we all have a role to play in the financial services industry to deter cyber criminals.”

As part of the action filed in the NSW Supreme Court, ASIC alleged Fortnum didn’t require ARs to undertake a prescribed minimum amount of cybersecurity education or training, adequately supervise or monitor the cybersecurity risk management framework of its ARs, or have any employees with specialised expertise or experience in cybersecurity or engage a consultant with appropriate expertise to assist with the development of its cybersecurity policy.

Additionally, it is alleged Fortnum didn’t have a risk management system which addressed cybersecurity or policies, frameworks, systems or controls which enabled the identification and evaluation of cybersecurity risks across its ARs.

Because the matter is now before the courts, Entireti would not make further comment.

ASIC chair Joe Longo said a key enforcement priority for the regulator is to act where it believes licensees have failed to have adequate protections in place.

“Fortnum’s alleged failure to adequately manage cybersecurity risks exposed the company, its representatives and their clients to an unacceptable level of risk of a cyber-attack,” Longo said.

Brown joined Fortnum in late 2023 after the firm acquired Australian Unity’s advice business Personal Financial Services.

The group later re-branded to Entireti and acquired AMP’s advice arm last year, becoming the largest licensee in the country based on total registered advisers.

Neil Younger led the Fortnum licensees at the time and has since become group CEO and managing director of the overarching business.

The proceedings against Entireti will be the first major case since ASIC acted against RI Advice in 2022, which led to a $750,000 fine.

In an “Australian first”, the court found RI Advice breached its licence obligations by failing to have adequate risk management systems to manage its cybersecurity risks after a practice in its network was hit with a cyberattack.
