The NZ Stock Exchange is keeping an independent review of the massive denial of service attacks that took the market down in August under wraps.
Elements of the report by Wellington consultancy InPhySec released today largely appeared to endorse the NZX's approach to upgrading its technology before the attacks and its response.
The report commented on the positive relationships NZX has with key customers and strategic partners including service providers, and how these had been integral in helping it to manage the cyber-attack.
InPhySec said the severity of the cyber-attacks went well beyond anything previously seen or that could have been reasonably forecast.
"The volume, sophistication and persistence of the attacks were unprecedented in a New Zealand context, and are amongst the most severe we are aware of to have been experienced internationally," it said.
The incident also fundamentally changed expectations about this sort of attack for the industry.
The review noted the voluntary halt to NZX’s trading occurred in the first phase of the attacks due to its website being treated as part of NZX’s tier-one system. Once contingency arrangements for the website were introduced, there were no further occasions for NZX Regulation to impose any market halt.
InPhySec said NZX had been assisted in managing the attacks by being well advanced with a significant network upgrade with Spark that started in 2019.
Work on that created a "match-fit" team that meant NZX was able to respond quickly and effectively.
The decision to engage Akamai was also highlighted as being central to the NZX's response to the threats.
"The independent cybersecurity review recommended several technical and process steps to further strengthen security, along with closer communications with the broader cybersecurity community, reviewing risk management processes and ongoing IT consolidation," the NZX said today.
Key recommendations have already been implemented or are being actively progressed, the sharemarket operator said.
NZX chief executive Mark Peterson welcomed the reviews, saying the key findings were being shared privately with financial market regulators and senior market participants.
He noted that InPhySec had highlighted the risks of exacerbating attacks via media coverage, and said NZX was continuing to follow official advice on not disclosing details of an attack or its response.
“We know the integrity and performance of our IT systems is vital to all market participants and the ongoing need to continually guard against rising demands and risks,” Peterson said.
NZX also commissioned EY to review market platform failures earlier in the year.
That review noted that record trading volumes occurred as New Zealand went into COVID-19 lockdown, and that other exchanges internationally encountered similar trading volume challenges.
At their peak, NZX’s trading volumes were six times above the average daily trades in 2019.
This exposed some stresses within elements of the market infrastructure, particularly on certain messaging components of NZX’s clearing and settlement system – in part, due to historic IT system architecture decisions.
The review made several recommendations for wider market collaboration and engagement and further actions to meet future requirements through architectural changes and improvements in technology management and maintenance.
These recommendations included reviewing legacy systems and approaches across the markets ecosystem.
Peterson said NZX was focussed on ensuring the learnings from these incidents were quickly applied.
“In response to the March and April 2020 incidents, NZX set up a technology committee of the board to focus on the incidents and the remediation programme,” he said.
The committee is responsible for overseeing the implementation of the recommendations from the two review reports and will formally report to the board on progress.