Watchdog rips into NZX for repeated tech fails

The New Zealand Financial Markets Authority (FMA) regulator has issued a damning review of the NZX share exchange following a spate of high-profile distributed denial of service attacks that saw the operator go offline for days on end in August last year.

NZX is a licensed market operator that is required to meet specific general obligations under the Financial Markets Conduct of 2013.

Among these are requirements to ensure a fair, orderly and transparent markets, and to have sufficient financial, technological and human resources to operate them.

The DDoS attacks on NZX were foreseeable, FMA found, noting NZ government cyber security agency warnings about such attacks were published as early as November 2019.

Despite this, FMA found that the NZX response to the DDoS attacks was inadequate and lacking at several levels, cataloguing a litany of shortcomings at the nation's only share market. 

"Crisis management planning appears to been rudimentary and entirely reliant on technology alternatives which may also be unavailable in the course of a DDoS attack or other cyber security breach," FMA said.

NZX was forced to hurriedly reorganise its network infrastructure, moving many externally accessible parts to Akamai, to handle the cyber attacks.

Inadequate IT security processes and disciplines introduced only in 2019 were sharply criticised by FMA.

"As a result, from an IT security perspective, there was suboptimal robustness of applications, poor network design, and unprotected infrastructure," FMA said.

Internal cultural factors also contributed to NZX's failure to have adequate technological resources, FMA said.

FMA criticised the exchange for not taking responsibility for known systemic and industry-wide issues, or for acting quickly enough to remediate concerns that were raised.

"NZX rarely accepts fault, and is not upfront and open when things go wrong," the FMA said.

On top of the August DDoS incident, FMA's review [pdf] included earlier technology failures in March and April 2020, when NZX ran short of capacity on its platform to support trading volumes experienced at the time.

The NZX trading system was also unable to handle zero or negative yields, a problem that surfaced as interest rates moved downwards last year.

In the FMA's view, NZX failed in its legal obligations.

"We view a situation where the market is unable to operate during its standard timeframes as a breach of that obligation," FMA wrote.

However, NZX disputed that view, saying that while the market was shut it is neither unfair, disorderly or lacking in transparency.

While the FMA has the right to revoke NZX's license, it is not clear if it will do so or ask for other sanctions to be applied.

In December last year, the International Monetary Fund cited the case of trading at the NZX being halted for days as having the potential to cause loss of confidence over market integrity concerns.

The trading halts could have spooked investors and depositors to demand return of funds, or to cancel their accounts, products and services used, the IMF said.