Skip to content

Why Cybersecurity Lip Service Is No Longer Enough: Lessons from the Fortnum Case

ASIC doubles down on alleged cyber security failings Fortnum

In financial services, many firms continue to rely primarily on policies, frameworks, and governance statements to demonstrate cybersecurity compliance. However, the recent legal action by the Australian Securities and Investments Commission (ASIC) against Fortnum Private Wealth highlights that this approach is no longer sufficient. ASIC alleges that Fortnum failed to effectively manage cybersecurity risks, underscoring a critical shift in regulatory expectations. Today, regulators demand measurable, technical safeguards that actively protect customer data, not just documented intentions.

About the Fortnum Case

On 28 July 2025, ASIC commenced proceedings against Fortnum Financial Advisers, alleging failures to implement adequate cybersecurity measures despite being aware of the risks. ASIC claims Fortnum breached obligations under section 912A(1) of the Corporations Act, including the duty to provide services efficiently, honestly, and fairly.

Specifically, ASIC alleges Fortnum:

  • Did not provide cybersecurity training to its representatives.

  • Lacked cybersecurity policies to mitigate, manage, and control risks for the business and its authorized representatives (ARs).

  • Failed to adequately monitor ARs to ensure appropriate cybersecurity protections were in place.

ASIC argues that because Fortnum and its ARs collected and stored clients’ personal information, they were clear targets for cyberattacks. As the licence holder, Fortnum was legally required to implement systems and controls proportionate to this risk. ASIC Chair Joe Longo stated the alleged failures “exposed the company, its representatives and their clients to an unacceptable level of risk of a cyber-attack.

This case is more than a single company’s compliance issue; it serves as a warning for the entire financial services industry.

Policy to Practice Is Often the Weakest Link in Cybersecurity

Many financial services organizations maintain risk registers, adopt formal security frameworks, provide staff training, and present cybersecurity strategies to their boards. While these governance steps are necessary, they are insufficient on their own. Without effective operational and technical controls, breaches remain a significant risk.

According to ASIC, many authorised representatives handling sensitive client data experienced multiple cybersecurity incidents during 2021 and 2022. Most notably, a major data breach in September 2022 allegedly exposed over 200 GB of client data from nearly 10,000 individuals on the dark web.

Despite introducing a cybersecurity policy, Fortnum allegedly failed to strengthen its controls following these incidents. This highlights a common industry problem: recognizing risks is not enough without enforceable, effective cybersecurity measures that protect sensitive data in practice.

What Regulators Expect Now

Regulators in Australia and globally are moving beyond reviewing policy documents alone. Their focus is now on whether security measures are actively deployed and functioning in real environments. In other words, a strong cybersecurity strategy on paper is no longer sufficient; it must be operational, measurable, and demonstrable.

Moving From Policy to Enforceable Technical Controls

ASIC’s allegations against Fortnum reveal foundational failings: lack of prescribed cybersecurity training for authorized representatives, inadequate supervision and monitoring of ARs’ cybersecurity practices, absence of in-house cybersecurity expertise, and reliance on an outdated and insufficient cybersecurity policy until after serious incidents occurred.

These governance gaps create vulnerabilities that no policy alone can fix. Technical safeguards are a critical next step, the concrete tools and controls that bring policies and training to life and reduce cyber risk.

Examples of essential technical safeguards include:

  • End-to-end encryption for sensitive data at rest, in transit, and in use.

  • Field-level tokenization to keep sensitive data stored locally.

  • Access controls and granular user activity monitoring.

  • Comprehensive audit logging and forensic readiness to support investigations and prove compliance.

  • Anomaly detection to identify and mitigate threats early.

Technical controls could operationalize protections across Fortnum's network, providing measurable evidence that risks are controlled effectively.

The Risk of Inaction

Financial penalties for non-compliance can be significant, but the larger risk is reputational. In financial services, client trust is critical. A single high-profile incident can erode years of hard earned credibility and client confidence.

The Fortnum case highlights the cost of relying too heavily on compliance policy without ensuring the underlying technical protections are effective and enforced.

How to Close the Gap with StratoKey

Financial services firms can significantly reduce cyber risk by implementing robust controls and oversight across their entire advisory network, including authorized representatives. StratoKey’s Cloud Data Protection (CDP) Platform helps close this gap by providing:

  • Upstream Encryption and Tokenization: StratoKey enables organisations to encrypt and tokenize sensitive data at field-level before it enters cloud or SaaS platforms, ensuring exclusive control over data access and reducing the attack surface.

  • Continuous Access Monitoring: StratoKey provides granular user activity monitoring and real-time detection of security policy violations, enabling early identification of suspicious behaviour or unauthorized access before it develops into a breach.

  • Comprehensive Audit Logging and Forensic Readiness: StratoKey captures detailed audit trails and supports forensic investigations, helping firms demonstrate compliance and respond effectively to incidents.

StratoKey can assist organizations to bridge the gap between cybersecurity intention and effective protection.

Conclusion

The ASIC action against Fortnum should serve as a clear signal to all financial services providers. Cybersecurity must move beyond documented policies to demonstrable, operational technical controls that are tested, monitored, and effective.

Organizations that close the gap between intention and execution will not only meet compliance requirements but also build the client trust essential for long-term success.

Learn more about how StratoKey's CDP Platform can assist financial services organizations in securing their data.