
Financial watchdog slams NZX as being ill-prepared in face of DDoS attacks

The Financial Markets Authority (FMA) has delivered a scathing assessment of the NZX, accusing it of being ill-prepared in the face of the notorious cyber-attacks and outages last year.

The stock exchange failed to meet its licensed market operator obligations, according to an FMA review released today in the wake of several failures of the stock exchange last year. 

‘Insufficient technology resources’ was identified by the financial watchdog as the primary culprit, a conclusion reached in an investigation launched after the NZX suffered trading volume-related system issues and outages in April 2020. The investigation was broadened considerably following the DDoS attacks on the stock exchange in August.

In its report, the FMA stresses NZX’s requirement, as a licensed market operator, to meet certain commitments under the Financial Markets Conduct Act — a crucial obligation being the ability to combat issues with sufficient technology resources.

This obligation was not met, the FMA says in its report: “NZX did not have adequate technology capability across its people, processes and platform to comply with market operator obligations and especially in the context of its systemic importance.”

Referring specifically to last year’s DDoS attacks, the watchdog described NZX’s crisis management planning and procedures as ‘basic’.

“A DDoS attack was foreseeable, and an attack of sufficient magnitude to take down servers — and with them NZX’s market announcement platform — was at least possible and should have been planned for,” the FMA says in its review. 

As part of its review, the financial watchdog has ordered the NZX to develop a ‘formal action plan’ to address the issues raised by the FMA. 

The NZX has already initiated action plans following its own internal review, and the FMA says it expects the stock exchange to produce a detailed plan in response to the FMA’s report. The watchdog also committed to increasing oversight of NZX’s technology until it is assured that all issues have been addressed.

“We are confident that NZX understands our concerns,” says FMA chief executive Rob Everett. “We look forward to finalising NZX’s action plan and monitoring its progress over coming months.”

The FMA also issued a warning to all organisations in Aotearoa to be prepared for further cyber-attacks in the coming year.

“All entities, private and public, face this threat and need to evolve rapidly to counteract it,” the report says.

“The pace of change is such that standing still or planning patiently for the future exposes organisations and the information they hold. For entities providing critical infrastructure, the impact of attacks on their customers, suppliers or markets can be significant. 

“This is a major challenge for all of us and has rapidly risen to the top of many organisations’ risk identification and crisis planning. NZX worked hard at both but failed to react quickly enough to changing threats or to plan for a failure to defend against them.”

The FMA will publicly report on NZX’s progress in the annual NZX Obligations Review, to be released in June 2021.