ASIC's enforcement action against Fortnum Private Wealth Ltd (Fortnum), its third cybersecurity enforcement action, is yet another reminder for licensees that they must implement robust measures to reduce cybersecurity risk.
The Fortnum Case
ASIC alleged that Fortnum failed to comply with a variety of its obligations under section 912A(1) of the Corporations Act, including the obligation to provide services efficiently, honestly and fairly.
Specifically, ASIC alleged Fortnum did not:
- provide cybersecurity training to its representatives;
- implement any cybersecurity policies in order to mitigate, manage and control the cybersecurity risks faced by the business and its authorised representatives (ARs);
- adequately monitor its ARs to ensure they had appropriate cybersecurity measures in place.
Importantly, ASIC's position in this case is that, because clients had to provide Fortnum with their personal information in order to receive the financial services Fortnum offered, Fortnum (and its ARs) became targets for cyber-attacks. Given that risk, ASIC considers that Fortnum, as the licence holder, was required by law to implement systems and controls adequate to address it. ASIC Chair Joe Longo said,
"Fortnum's alleged failure to adequately manage cybersecurity risks exposed the company, its representatives and their clients to an unacceptable level of risk of a cyber-attack."
What does this case tell licensees?
Cybersecurity is an important obligation: ASIC's action under section 912A(1)(a) of the Corporations Act - the efficiently, honestly and fairly provision - indicates that ASIC considers the implementation of cybersecurity frameworks and management procedures a part of this obligation.
Cybersecurity policies should be specific and stringent: whilst Fortnum required its ARs to complete a self-assessment of their cybersecurity and IT procedures, ASIC alleged that Fortnum's cybersecurity policies did not specify what an AR should do where it answered "No" or "Unsure" to a question in the self-assessment. The policy did not require the AR to speak with a Fortnum director or manager, or to engage an external IT service provider, in that event.
Ensure IT service providers have sufficient skills and experience: whilst Fortnum's cybersecurity self-assessment allowed ARs to assign responsibility for certain cybersecurity obligations to an external IT service provider, Fortnum maintained no policy specifying the qualifications, skills or experience that provider was required to hold.
Ensure your cybersecurity policy is tailored to your business: ASIC noted in its Originating Process and Concise Statement that Fortnum's cybersecurity policies only included generic mitigation strategies, such as those set out in the Australian Cyber Security Centre's Essential Eight Maturity Model, rather than measures tailored to the specific risks faced by Fortnum and its ARs.
Provide any ARs with training: if you have authorised representatives on your licence, you have a statutory obligation (and possibly also a contractual obligation) to ensure they are properly trained. This includes cybersecurity training.
Monitoring any ARs: ASIC noted that whilst Fortnum did have procedures in place to monitor its ARs, there were no monitoring procedures in respect of cybersecurity. Licensees are responsible for ensuring their ARs implement cybersecurity frameworks which effectively manage the cybersecurity risk faced by the AR. Where licensees have a cybersecurity policy they should
Further Reading
ASIC Originating Process and Concise Statement
Protecting your Business from Cyber Attack, Essential to maintaining your AFSL or ACL
It is Now Time to Adopt an Enhanced Cyber Security Posture
ASIC sues Fortnum Private Wealth for allegedly failing to adequately manage cybersecurity risks
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.