NZX found noncompliant for not being prepared for cyberattacks
AUCKLAND: A market watchdog has released a damning report on the NZX's preparedness for the cyberattacks that hit it in August and September last year, forcing it offline for several days, plus an earlier, volume-related glitch that forced it offline during April 2020.
The Financial Markets Authority said the NZX had been short on technology and people skills and that the DDoS attack was foreseeable but not planned for.
The FMA added that despite several steps taken by the exchange to close its security holes since September, ‘‘there are some critical gaps remaining’’.
The FMA’s review of NZX technology issues has found the stock exchange failed to meet its licensed market operator obligations due to insufficient technology resources.
As a licensed market operator, the NZX is required to meet certain obligations under the Financial Markets Conduct Act (FMC Act). One of those obligations is to have sufficient technology resources to operate its licensed markets properly, including arrangements to ensure market disclosures are made available, the regulator said.
The FMA began a targeted review of NZX’s technology after it suffered trading volume-related system issues and outages in April 2020. The scope of the review was expanded following DDoS attacks (distributed denial of service, where automated bots overwhelmed its servers) on NZX in August 2020.
The FMA also had concerns that NZX’s trading system was unable to trade securities at zero or negative yields. The volume-related issues and the DDoS event repeatedly halted or disrupted market activity.
The review found the NZX did not have adequate technology capability across its people, processes and platform to comply with market operator obligations and especially in the context of its systemic importance.
Additionally, the performance of NZX’s systems did not meet regulatory requirements or expectations for fair, orderly and transparent markets, the regulator found.
In respect of NZX’s trading volume-related issues, the FMA review concluded fundamental tools and practices were either lacking, insufficiently robust or not fully utilised, the report said.
NZX was aware of the capacity limitations of its core back-end processing system, particularly as daily trading volumes had increased in the past three years, the FMA said.
FMA chief executive Rob Everett said market participants gave feedback that NZX did not accept responsibility for known systemic issues and was slow to act:
‘‘The feedback from market participants mirrors our own observations and is a major concern that needs to be addressed by the NZX board and executive,’’ Mr Everett said.
‘‘The failure to properly consider the broader ecosystem in which the exchange operates, and to fully engage with industry feedback and concerns, were contributing factors to the volume-related issues.’’
The FMA review found NZX’s crisis management planning and procedures were basic.
While the NZX said the DDoS attack was on a huge scale and unforeseeable, the regulator said, ‘‘A DDoS attack was foreseeable’’. The FMA review said an attack of sufficient magnitude to take down servers — and with them, the NZX’s market announcement platform — was possible and should have been planned for.
NZX is required to develop a formal action plan to address the issues raised by the FMA. The market regulator has met the NZX Board to discuss its findings and received assurances that the board takes responsibility for making the necessary investment and for addressing the issues highlighted in the report. — The New Zealand Herald