The Financial Markets Authority has completed a review of the NZX’s technology capabilities and found it has complied with its obligations.
After the share market operator suffered a highly disruptive denial of service attack in 2020 the regulator found it had failed to meet its licensed market operator obligations due to insufficient technology resources.
The attack was described as "foreseeable" while the NZX's crisis management planning and procedures were described as "basic".
The market regulator undertook a review of the NZX's technology capabilities across its people, processes, and platforms and the NZX subsequently developed and worked through an action plan to address the findings of that review.
The FMA reported today it had met with and received reporting from the NZX during the latest review period regarding its continued technology uplift since the initial action plan was completed.
"At that time, it was communicated to NZX that we considered the uplift in its technology capability as a continuing journey that did not end once the initial action plan elements had been completed," the regulator said in a report released today.
"We noted that in order to meet its obligation to have sufficient technology resources to operate its markets, NZX should follow an approach of continuous improvement and uplift in its technology capability in 2022 and onwards."
The reporting received from NZX during the latest review period demonstrated ongoing progress in various areas of technology capability, including governance, conformance standards, testing, cyber security, disaster recovery, risk management, and incident response.
The FMA also met with management during the period to discuss key initiatives and progress in this space.
"We consider that NZX has continued to mature its technology capability to support compliance with its market operator obligations, and has not taken a ‘set-and-forget’ approach following completion of the action plan," it reported.
In particular there had been continued engagement with industry throughout the period to ensure the wider capital markets ecosystem was brought on the journey.
Investment continued to be made into uplifting technology capability, particularly in the areas of architecture governance and testing.
Cyber security continued to be embedded as a business-as-usual activity, building new capability on a continuous basis and including international threat scanning.
Further areas for ongoing development and uplift were being identified and prioritised appropriately by NZX, the FMA concluded.