ASIC v Fortnum: Key Compliance Lessons and Cybersecurity Expectations for Boards of Directors, Responsible Managers, Compliance and Risk Committees. 

By Fraser Jack, Cyber Collective  

In July 2025, ASIC initiated enforcement proceedings against Fortnum Private Wealth Ltd, an action that has since sent ripples through the Australian financial services sector. The allegations, brought in the Supreme Court of NSW, serve as a timely reminder of the critical importance of robust compliance frameworks, particularly in areas such as cybersecurity governance, AFSL compliance, and oversight of authorised representatives (ARs). 

This article distils the core compliance learnings and regulatory expectations emerging from ASIC’s action, and highlights their practical implications for boards, compliance leaders, risk managers, and all AFSL holders. 

Background to the ASIC Proceedings 

ASIC’s case against Fortnum centres on alleged breaches of obligations under the Corporations Act 2001 (Cth). The regulator’s focus was on whether Fortnum, as an Australian Financial Services Licensee, maintained adequate systems and controls over cybersecurity, authorised representative management, compliance training, and broader risk governance. 

The essence of ASIC’s allegations is that Fortnum failed to: 

  • Ensure effective cybersecurity oversight and protection of client data; 
  • Implement and maintain robust management of ARs, including ongoing monitoring and competence assessments; 
  • Deliver compliant and effective training regimes for staff and ARs; 
  • Develop and embed comprehensive risk frameworks and governance practices aligned with AFSL obligations. 

Key Expectations from ASIC 

The proceedings reinforce ASIC’s expectations of licensees, including that cybersecurity must be embedded in broader AFSL compliance obligations, rather than being treated separately or reactively. 

Below is a checklist of ASIC’s implicit and explicit expectations based on this case. 

Compliance Expectations Checklist 

Governance and Risk Management 

  • Maintain an up-to-date, fit-for-purpose cybersecurity policy covering both the licensee and all authorised representatives (ARs). 
  • Develop and maintain a cyber-specific risk management system that: 
      • Identifies and evaluates cyber risks across the licensee and AR network; 
      • Documents defined roles and responsibilities; 
      • Enables escalation and reporting of cyber issues from ARs to the licensee. 
  • Include cybersecurity in enterprise-wide risk discussions and the board’s risk appetite framework. 

Oversight of Authorised Representatives 

  • Implement formal systems to monitor AR compliance with cybersecurity policies. 
  • Ensure third-party consultants used by ARs (e.g., IT support). 
  • Extend existing AR audit, supervision, and due diligence frameworks to include cyber risk and resilience explicitly. 

Training and Awareness 

  • Deliver mandatory, ongoing cybersecurity training for ARs and staff. 
  • Ensure training goes beyond policy awareness, focusing on practical security behaviours. 
  • Track participation and completion of training and ensure it is periodically updated. 

Resources and Internal Capability 

  • Ensure adequate human resources are available to fulfil AFSL obligations, including cyber oversight. 
  • Appoint or engage individuals with cybersecurity expertise, either internally or through reputable external providers. 
  • Reassess capability annually and in response to incident trends. 

Policy Implementation and Assurance 

  • Actively monitor compliance with issued policies (e.g. cyber self-assessments, attestations). 
  • Follow up with non-compliant ARs and document remedial actions. 
  • Avoid “policy gaps” by ensuring interim controls are in place when updating or reviewing formal policies. 

Incident Response and Continuous Improvement 

  • After any cybersecurity incident, investigate and implement corrective actions across the AR network. 
  • Review whether the incident highlights gaps in current frameworks or training. 
  • Log and track all incidents and related remediation actions, with oversight from the Compliance Committee. 

Recommendations 

The Board and Compliance Committee are asked to consider the following actions: 

  1. Gap Assessment – Conduct an internal review against the Compliance Expectations Checklist above. 
  2. Cyber Risk Governance – Ensure board-level cyber risk ownership is defined and reviewed quarterly. 
  3. AR Supervision – Review whether current supervision frameworks adequately cover AR cyber controls. 
  4. Training & Resources – Validate the availability of cyber capability and upskilling across compliance and tech support teams. 
  5. Incident Preparedness – Confirm incident response plans are in place and tested for AR-related incidents. 

Regulatory References 

Fortnum is alleged to have contravened the following provisions of the Corporations Act 2001 (Cth): 

Provision        Obligation 
s 912A(1)(a)     Provide financial services efficiently, honestly and fairly 
s 912A(1)(d)     Maintain adequate resources (including financial, technological and human resources) to provide the services and carry out supervisory arrangements 
s 912A(1)(f)     Ensure representatives (including ARs) are adequately trained and competent 
s 912A(1)(h)     Maintain adequate risk management systems 
s 912A(5A)       Civil penalty provision: a failure to comply with the paragraphs above (including (1)(a), (d), (f) and (h)) is a contravention of s 912A(5A) 

ASIC v Fortnum Originating Process and Concise Statement (2025) https://download.asic.gov.au/media/yb2l41iu/25-143mr-originating-process-and-concise-statement.pdf 

Call to Action: 

Whether you’re navigating complex compliance requirements or seeking greater peace of mind, investing in internal audit coaching or engaging an independent auditor can be a strategic advantage, not just a regulatory compliance measure. If your business is ready to strengthen its audit processes, uncover hidden risks, or validate your internal controls with an expert second opinion, now is the time to act. 

Contact our compliance team today to explore tailored internal audit support or consultation with an experienced independent auditor at [email protected] or Fraser Jack at the Cyber Collective [email protected]