Independent reports on NZX IT and cybersecurity completed

Independent reports on NZX IT and cybersecurity completed
4 December 2020 –
NZX confirms completion of the independent reviews into the clearing and
settlement incidents between March and April 2020, and the Distributed Denial of Service (DDoS) attacks
that began in August 2020. It also confirms that key recommendations have already been implemented,
or are being actively progressed. The incidents were confirmed as being completely separate from each
other.
NZX commissioned EY to do the first review report and InPhySec, an independent specialist
cybersecurity company, to review NZX’s DDoS attack response.
NZX chief executive, Mr Mark Peterson, welcomed the reviews, saying the key findings were being
shared privately with financial market regulators and senior market participants to outline the learnings
and explain how these are being acted upon. NZX is also providing summarised findings and actions
publicly through this market announcement.
He noted that InPhySec had highlighted the risks of exacerbating attacks via media coverage, and said
NZX was continuing to follow official advice on not disclosing details of an attack or its response.
“We know the integrity and performance of our IT systems is vital to all market participants and the
ongoing need to continually guard against rising demands and risks.
“We commissioned these independent expert reviews following each set of incidents and have acted to
implement their recommendations to ensure our IT and cybersecurity processes remain stable and
secure,” Mr Peterson said.
Mr Peterson endorsed the wider collaboration and planning across the financial ecosystem recommended
by both reviews, saying he believed that this will be a crucial step in strengthening NZX’s, and the
market’s, ability to meet future threats.
NZX Chair, Mr James Miller, commented that the independent cyber review highlighted the importance of
cybersecurity being considered at a national level to ensure a coordinated approach to addressing these
threats. He noted that NZX was committed to following through on the recommendations outlined in each
of the independent reports and to engaging on any findings of the upcoming FMA review.
System messaging issues through Covid-19 volatility
The EY review noted record volume of trading occurred as New Zealand went into COVID-19 lockdown
and similar trading volume challenges were encountered by other exchanges internationally. At their
peak, NZX’s trading volumes were six times above the average daily trades in 2019.
This marked acceleration in the growth in trading activity exposed some stresses within specific elements
of the market infrastructure, particularly on certain messaging components of NZX’s clearing and
settlement system – in part, due to historic IT system architecture decisions. We acknowledged at the
time the strain these technical issues during March and April had placed on the operations and
technology teams of NZX participants and their customers. The level of cooperation and understanding
across the capital markets ecosystem was crucial to ensuring NZX successfully risk-managed, margined,
cleared and settled the market every day.
The independent EY review made several recommendations for wider market collaboration and
engagement and further actions to meet future requirements via architectural changes and improvements
in technology management and maintenance. These recommendations included reviewing legacy
systems and approaches across the markets ecosystem.
Mr Peterson said NZX was focussed on ensuring the learnings from these incidents were quickly applied.
“In response to the March and April 2020 incidents, NZX set up a Technology Committee of the Board to
focus on the incidents and the remediation programme.

“I am pleased EY has endorsed new governance processes adopted by NZX following these incidents.
The committee is responsible for overseeing the implementation of the recommendations from the two
review reports and will formally report to the Board on progress”, he said.
Other actions being progressed include the establishment of an industry forum to ensure closer
collaboration on IT matters that are market-based and the development of a 10 year forward looking
industry IT plan.
Cybersecurity review
The cybersecurity report commented on the positive relationships NZX has with key customers and
strategic partners including Service Providers, and how these relationships had been integral in helping
NZX manage the cyber-attack incidents.
InPhySec said the severity of the cyber-attacks went well beyond anything previously seen or that could
have been reasonably forecast - “the volume, sophistication and persistence of the attacks were
unprecedented in a New Zealand context, and are amongst the most severe we are aware of to have
been experienced internationally.” It said the attacks fundamentally changed expectations about this sort
of attack for the industry.
The cybersecurity review also noted the voluntary halt to NZX’s trading occurred in the first phase of the
attacks due to its website being treated as part of NZX’s tier one system. Once contingency
arrangements for the website were introduced, there were no further occasions for NZX Regulation to
impose any market halt for these incidents.
It said NZX had been assisted in managing the attacks by being well advanced with a significant network
upgrade it had started in 2019. Work on this upgrade with Spark, “created a ‘match-fit’ team that meant
NZX was able to respond quickly and effectively.”
The decision to engage Akamai, a leading global cybersecurity company, was also highlighted as being
central to NZX responding to the threats.
The independent cybersecurity review recommended several technical and process steps to further
strengthen security, along with closer communications with the broader cybersecurity community,
reviewing risk management processes and ongoing IT consolidation.
ENDS
For further information, please contact:
Media – David Glendining 027 301 9248
Investors – Graham Law 029 494 2223
About NZX:

For more than 150 years we have been creating opportunities for Kiwis to grow their personal wealth and
helping businesses prosper. As New Zealand’s Exchange, we are proud of our record in supporting the
growth and global ambitions of local companies.

NZX operates New Zealand's equity, debt, funds, derivatives and energy markets. To support the growth
of our markets, we provide trading, clearing, settlement, depository and data services for our customers.
We also own Smartshares, New Zealand's only issuer of listed Exchange Traded Funds (ETFs), and
KiwiSaver provider SuperLife. Our NZX Wealth Technologies subsidiary is an online asset management
platform. Learn more about us at: www.nzx.com