The NZ Stock Exchange is recognising the need for further investment to improve the stability and resilience of its technology.
The share market operator said it had has considered the recommendations and potential cost impacts following independent reviews after massive denial of service attacks in August.
"NZX accepts that it did not meet its own high standards in certain areas of its technology systems," it told investors this morning.
Investment will include enhancing the securities IT team and cybersecurity counter-measures, with "related pricing to market participants" — that is, cost recovery — to be considered.
NZX said it was well advanced towards a major upgrade to its core trading system around the end of March.
The board said the investment required to deliver on the recommendations of the EY and InPhySec reports would have an impact on technology costs so some cost recovery process was likely.
The recommendations included formalising the technology sub-committee of the NZX board, enhancing its working relationship and communications with the ecosystem, a range of technical hygiene improvements including extending crisis management planning and bolstering NZX's IT organisational structure with some specialist skill-sets.
Peterson said NZX initiated its technology infrastructure modernisation programme in 2017, with $12 million invested over the four-year period to 2020, in projects that focused on clearing, infrastructure and trading system improvements, modernisation, and capacity improvements.
Since the technology disruptions in March and April, NZX had made additional changes to increase the resilience and stability of its systems, he said. It also strengthened its distributed denial of service (DDoS) defences following the cyber-attacks.
The market operator had shared the independent reports with regulator the Financial Markets Authority (FMA), as part of the FMA's review of NZX’s compliance with market operator obligations.
The FMA was expected to publish its own report in January and the NZX expected it would have to agree to a formal action plan in response.
Once a formal action plan has been agreed with FMA, NZX would be in a position to quantify likely incremental technology costs in addition to the new costs that already implemented.
NZX said there was no impact on the 2020 earnings guidance update released to the market on 2 December.