The Federal Court has found financial services company RI Advice Group breached its licence by failing to have adequate systems to manage cybersecurity risk.
There were nine cybersecurity incidents where company representatives electronically received, stored and accessed confidential and sensitive personal information and documents in relation to retail clients between June 2014 and May 2020, Justice Helen Rofe said in a judgment handed down on Thursday.
They include five clients receiving a fraudulent email urging the transfer of funds - and one client transferring $50,000 - after a representative's email account was hacked.
In another incident an authorised representative's server was "hacked by brute force through a remote access port" which resulted in the information of 220 clients being held for ransom and ultimately not recoverable.
Justice Rofe also referred to an incident where an unknown malicious agent gained access to a server for months between December 2017 and April the following year.
"This event compromised the personal information of several thousand clients, a number of which reported unauthorised use of the personal information," she added.
The Australian Securities and Investments Commission (ASIC) - which described the ruling as an Australian first - started court action against RI Advice in August 2020, but the matter was settled before a final hearing on Wednesday.
Since reforms were introduced in March 2019 as a result of the Financial Services Royal Commission, financial services licensees may be penalised if they fail to comply with their obligations, including those governing how cyber risks are addressed.
RI Advice has since taken steps to address cybersecurity risk, but has been ordered by the court to engage an expert to identify and implement any further necessary measures.
Cybersecurity risk has increased as financial services are increasingly conducted using digital and computer technology, Justice Rofe said.
"Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services," she added.
"It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level."
She said the declarations will serve to record the court's disapproval of the conduct and deter others from contravening provisions by similar conduct or omissions.
RI Advice has been ordered to pay $750,000 towards ASIC's costs.
The finding came after RI Advice was ordered by the Federal Court in February to pay a $6 million penalty for "inappropriately advising clients".
The Federal Court ruled RI Advice did not have the internal mechanisms to ensure that its representative John Doyle was recommending approved products or was acting in the best interests of clients.
ASIC had alleged RI Advice had failed to prevent and penalise former financial adviser Doyle while he was advising on investments in complex financial products.
The $6 million fine was half the penalty RI Advice was facing after ASIC alleged 12 contraventions of the law, each carrying a $1 million penalty.
RI Advice was one of a number of ANZ financial advice licensees until 2018, when it was acquired by Insignia Financial Ltd.