The Financial Markets Authority (FMA) has found the NZ stock exchange (NZX) failed to meet its licensed market operator obligations due to insufficient technology resources during last year's DDoS attacks.
The FMA began a targeted review of NZX’s technology after it suffered trading volume-related system issues and outages in April 2020; the scope of the review was later expanded following disruption caused by distributed denial of service (DDoS) attacks in August.
As a licensed market operator, the NZX was required to meet obligations under the Financial Markets Conduct Act, one of which was to have sufficient technology resources to operate its markets properly.
This included having arrangements to ensure market disclosures were made available.
An additional concern was that the NZX’s trading system was unable to trade securities at zero or negative yields.
The FMA's review found the share market did not have adequate technology capability across its people, processes and platform to comply, especially considering its systemic importance.
Additionally, the performance of NZX’s systems did not meet regulatory requirements or expectations for fair, orderly and transparent markets.
As to the NZX’s trading volume-related issues, the FMA concluded fundamental tools and practices were either lacking, insufficiently robust or not fully utilised.
NZX was aware of the capacity limitations of its core back-end processing system, particularly as daily trading volumes had increased over the last three years.
FMA chief executive Rob Everett said market participants gave feedback that NZX did not accept responsibility for known systemic issues and was slow to act.
“The feedback from market participants mirrors our own observations and is a major concern that needs to be addressed by the NZX board and executive," Everett said.
"The failure to properly consider the broader ecosystem in which the exchange operates, and to fully engage with industry feedback and concerns, were contributing factors to the volume-related issues.”
In relation to the DDoS attacks, the FMA review found NZX’s crisis management planning and procedures were "basic".
A DDoS attack was foreseeable, the review found, and an attack of sufficient magnitude to take down servers -- and with them NZX’s market announcement platform -- was at least possible and should have been planned for.
NZX self-rated its IT security profile at a basic maturity level, indicating that a number of best practices had not been adopted.
The NZX is now required to develop a formal action plan to address the issues.
The market regulator said it had received assurances that the NZX board took responsibility for making the necessary investment and addressing the issues highlighted.
“We are confident that NZX understands our concerns,” Everett said. “We look forward to finalising NZX’s action plan and monitoring its progress over coming months.”
Sanctions for a breach of NZX’s statutory obligations are limited; however, given the commitments received from the NZX and the action plans already initiated, the FMA considers the requirement to produce a detailed, time-bound action plan will be sufficient.
The FMA acknowledged NZX has already taken significant steps to improve its systems and processes. The regulator will publicly report on NZX’s progress in June.
“All entities, private and public, face this threat and need to evolve rapidly to counteract it," the FMA's report said.
"The pace of change is such that standing still or planning patiently for the future exposes organisations and the information they hold. For entities providing critical infrastructure the impact of attacks on their customers, suppliers or markets can be significant."
This was a major challenge that had rapidly risen to the top of many organisations’ risk identification and crisis planning, the report said.
"NZX worked hard at both but failed to react quickly enough to changing threats or to plan for a failure to defend against them,” the report said.
The report said that given the events of 2020 and the findings of its review, the FMA intended to continue increasing its focus on NZX’s technology until it had greater confidence that capability and culture issues had been addressed.