'Blunt' review of NZX failings in line with its importance: FMA
Thursday, 28 January 2021
A scathing review of the New Zealand stock exchange's technology issues last year reflects the fact it is such a critical part of the economy, the head of the financial markets watchdog says.
Rob Everett, chief executive of the Financial Markets Authority, agreed the watchdog had been pretty blunt but that reflected the exchange's position as the country's only sharemarket.
And while the Reserve Bank and even the Pentagon had not been immune to cyber attacks recently, the DDoS (distributed denial of service) attack that put the NZX out of action for virtually four days last August might have been better handled with more planning, he said.
Had the authority felt the NZX been properly prepared, ''we could have gone a lot easier on them,'' Everett said.
''But to be honest, we felt they had been caught short and they are too critical to be caught short.''
**READ MORE:
* Heavy trading on NZX sparks inquiry into technical problems
* NZX accepts its standards were not met following review into cyberattacks
* NZX resumes trading after second cyber attack
**
The FMA review of the NZX's technology issues, released on Thursday, began in March and April last year, when its trading platforms were overwhelmed at times by an unprecedented volume of shares being bought and sold.
This was during the sharp slide and quick recovery of shares that followed Covid-19 initially shocking world markets, resulting in at least one outage.
A contributing factor had been communication issues with the wider broking community, the report said.
Market participants told the authority that trading volumes had been going up for three years, but the company had been slow to act or acknowledge problems.
Although the NZX was only a small exchange compared to others internationally, in this case it did not have adequate people or systems in place to meet its obligations, Everett said.
''What they need to do needs to be tailored to what they can achieve, what they can afford. But there are minimum standards that nonetheless they have to reach.
‘’We do feel the events of last year suggest they weren't operationally robust to a standard we would be comfortable with. And they’ve taken that on the chin, they’ve already done quite a lot of work since the trading volume issues… so I’m confident they are going to up their game.''
During August’s aggressive cyber attack on the NZX, the report said the exchange remained largely operational but could not trade because the website which makes crucial public announcements was down.
Trading resumed not because the attacks stopped but because the announcements were sent through manually to the brokers and trading platforms, who put them up for their customers.
Everett said the issue in August was less about stopping the attack as foreseeing the risk.
No organisation could stand still on cyber security and all faced the same challenges, which was to anticipate the worst.
The London stock exchange's backup plan was to send company announcements to two national newspapers to publish online.
''If you can't do your job when your website's down, then you need a Plan B – whether that's a backup website, a backup server, or a manual workaround. [The NZX] just didn't have it.’’
The authority decided not to punish the NZX, saying sanctions were limited, and given steps were already under way, it was satisfied with the work being done.
NZX said it was making the necessary investment and would be presenting it with an action plan in the coming months.
“NZX accepts that it did not meet the high standards it sets for itself in key areas of technology resources,’’ the exchange's chief executive, Mark Peterson, said.
The FMA will report on progress in the exchange’s annual obligations review in June.