ASIC cracks down on cyber oversight

The corporate regulator has warned industry that inadequate cybersecurity is among its enforcement priorities.

Financial services licensees hold sensitive and confidential information, making them potential targets for cybercriminals, the Australian Securities and Investments Commission says.

The regulator has previously acted against investment adviser FIIG and IOOF-owned RI Advice Group, and this week it lodged NSW Supreme Court action against Sydney advice firm Fortnum Private Wealth after several of its authorised representatives experienced cyber breaches.

“Fortnum’s alleged failure to adequately manage cybersecurity risks exposed the company, its representatives and their clients to an unacceptable level of risk of a cyberattack,” ASIC chair Joe Longo said. “ASIC has been highlighting the cybersecurity responsibilities of companies.”

Fortnum’s authorised representatives (ARs) stored information from retail clients including identification, tax file numbers, and bank account and credit card details.

Cyber incidents included an attack in which the data of almost 10,000 clients was published on the dark web. ASIC says Fortnum did not implement new cybersecurity policies, frameworks, systems and controls in response.

The company did not require its ARs to undertake training, had no employees with expertise in cybersecurity and did not use a consultant to help, the regulator alleges. Recommended measures in a self-assessment tool Fortnum issued in 2021 were not specific or stringent enough, and after six months only 44% of principal practices had completed it.

“Fortnum’s frameworks did not enable it to oversee or monitor whether ARs were complying,” the regulator said.