In July 2025, ASIC commenced civil penalty proceedings against Fortnum Private Wealth, alleging the company failed to properly manage and mitigate cybersecurity risks across its network of authorised representatives. Reading the Originating Process, two things stood out.
The penalty exposure
ASIC is seeking civil pecuniary penalties. For a body corporate, the statutory maximum per contravention (as restated in ASIC's November 2024 guidance) is the greater of $16.5 million, three times the benefit obtained or detriment avoided, or 10% of annual turnover. Fortnum's annual turnover is reportedly around $5.4 million (against some $30 billion in funds under advice), so the turnover limb yields only about $540,000 and the $16.5 million floor sets the ceiling. That is a modest figure relative to the scale of the alleged failures.
The defendant is the company, again
Once again, ASIC has chosen to pursue the company rather than its directors, or the individual representatives involved, personally. This is despite consistent messaging from ASIC that it would be "looking for the right case where company directors and boards failed to take reasonable steps."
So here we are again. RI Advice in 2022, FIIG Securities, and now Fortnum Private Wealth: three AFS licensees that ASIC has found the resources to take to court, yet not one of the cases has been judged to warrant holding a director or an individual representative personally to account.
The enforcement trajectory
The pattern across ASIC's three cyber enforcement actions tells a story:
RI Advice (2022) resulted in remediation and costs orders but no pecuniary penalty. FIIG Securities (February 2026) became the first case in which the Federal Court actually imposed civil penalties for cyber security failures under the general AFS licensee obligations, ordering $2.5 million in penalties plus $500,000 in costs and a mandatory compliance programme. Fortnum (commenced July 2025) remains before the court, with a directions hearing listed for July 2026.
The trajectory is clearly escalating. Penalties are getting real. But the fundamental question remains: when will ASIC pursue a director personally?
The cost-of-compliance paradox
As someone who works extensively in cyber governance, I have seen the tangible and intangible benefits that organisations across many industries have gained from good governance and management of cyber risk. I have also watched our regulators message this exact principle with increasing volume.
But when organisations miss the mark, the cost of the fine has consistently fallen short of the cost of compliance. Even the FIIG penalty of $2.5 million, while symbolically significant as the first of its kind, is modest relative to the $3-4 billion in client assets FIIG held during the period of non-compliance.
This creates a troubling calculus. If the financial consequences of inadequate cyber governance remain substantially less than the cost of doing it properly, the regulatory signal is contradictory. The messaging says "this is a board-level priority" while the enforcement says "the consequences are manageable."
I would not advocate that a company missing a reasonable threshold should be punished into destruction. But the pendulum feels significantly off at the moment.
Or is this the strategy?
Perhaps there is an alternative reading. Shout loudly, demand compliance, build the case law incrementally, but hold back from the full weight of enforcement because cyber governance genuinely is complex and expensive. If that is the strategy, it may ultimately work, but only if the trajectory continues to steepen. The FIIG penalty suggests it is heading that direction. The Fortnum outcome will be the next data point.
For directors, the practical takeaway is clear regardless of where you sit on the enforcement debate. Markets are punishing cyber failures far more severely than regulators are. The Ryan et al. research shows 7-14% market value destruction from a major incident. No fine ASIC has imposed comes close to that. The business case for investing in cyber governance does not depend on regulatory enforcement; it depends on protecting the value of the organisation.
The Fortnum proceedings (ASIC media release 25-143MR) and FIIG Securities decision (ASIC media release 26-021MR) are publicly available on the ASIC website.