Market watchdog FMA slams NZX over cybersecurity breaches, says critical gaps remain

A market watchdog has released a damning report on cyberattacks that hit the NZX over August and September last year, forcing it offline for several trading days, plus an earlier, volume-related glitch that forced it offline during April 2020.

The Financial Markets Authority said the NZX had been short on technology and people skills – and that the DDoS attack was foreseeable but not planned for.

The FMA added that despite several steps taken by the exchange since September to plug its security holes (see below), “there are some critical gaps remaining.”

The report comes amid a rash of online attacks at a time when our government has failed to follow Australia’s move to ramp up cybersecurity funding. The Reserve Bank is bracing for a review of its recent data breach, which followed internal warnings over underspending that were ignored.

The FMA’s review of NZX technology issues, released this morning, has found the stock exchange failed to meet its licensed market operator obligations due to insufficient technology resources.

As a licensed market operator, the NZX is required to meet certain obligations under the Financial Markets Conduct Act (FMC Act). One of those obligations is to have sufficient technology resources to operate its licensed markets properly, including arrangements to ensure market disclosures are made available, the regulator said in a statement.

Scope of the problems

The FMA began a targeted review of NZX’s technology after it suffered trading volume-related system issues and outages in April 2020. The scope of the review was expanded following DDoS (Distributed Denial of Service) attacks on NZX in August 2020.

The FMA also had concerns that NZX’s trading system was unable to trade securities at zero or negative yields. The volume-related issues and DDoS event repeatedly halted or disrupted market activity.

Report's key findings

Overall, the FMA review found the NZX did not have adequate technology capability across its people, processes and platform to comply with market operator obligations and especially in the context of its systemic importance.

Additionally, the performance of NZX’s systems did not meet regulatory requirements or expectations for fair, orderly and transparent markets, the regulator found.

In respect of NZX’s trading volume-related issues, the FMA review concluded fundamental tools and practices were either lacking, insufficiently robust or not fully utilised, the report said.

NZX aware of limitations, did not accept responsibility

NZX was aware of the capacity limitations of its core back end processing system, particularly as daily trading volumes had increased in the last three years, the FMA said.

FMA chief executive Rob Everett said market participants gave feedback that NZX did not accept responsibility for known systemic issues and was slow to act:

“The feedback from market participants mirrors our own observations and is a major concern that needs to be addressed by the NZX board and executive,” Everett said.

“The failure to properly consider the broader ecosystem in which the exchange operates, and to fully engage with industry feedback and concerns, were contributing factors to the volume-related issues.”

Insufficient crisis planning

The FMA review found NZX’s crisis management planning and procedures were basic.

While the NZX said the DDoS attack (where automated bots overwhelmed its servers) was on a huge scale and unforeseeable, the regulator disagreed, saying, “A DDoS attack was foreseeable.” The FMA review said an attack of sufficient magnitude to take down servers – and with them, the NZX’s market announcement platform – was at least possible and should have been planned for. NZX self-rated its IT security profile at a basic maturity level, indicating that a number of best practices had not been adopted.

Actions required

NZX is required to develop a formal action plan to address the issues raised by the FMA. The market regulator has met with the NZX Board to discuss its findings and received assurances that the NZX Board takes responsibility for making the necessary investment and for addressing the issues highlighted in the report.

Earlier (see below), NZX warned that bolstering its defences could lead to costs that have to be passed on to clients.

The FMA report said NZX had a “small” in-house IT team – appropriate for a normal small-to-medium business, but not one running critical infrastructure.

It was consumed by day-to-day tasks and small incremental upgrades, lacking the capacity to address areas such as performance monitoring, continuous version management of software, failover planning and risk management.

The FMA said next steps need to include recruiting a chief risk officer, a head of network architecture and a head of IT security.

The exchange’s chief information officer, David Godfrey, quit on September 28, the day after a daylight savings blunder that came on top of the earlier DDoS attack and clearing outages.

No reason was given for his departure. An NZX spokesman said Godfrey’s abrupt exit – before recruitment for a successor had begun – was not related to the various IT problems.

“We are confident that NZX understands our concerns,” Everett said.

“We look forward to finalising NZX’s action plan and monitoring its progress over coming months.”

Toothless watchdog

Sanctions for a breach of NZX’s statutory obligations are limited, the FMA said in its report.

However, given the commitments received from the NZX and the actions plans already initiated by NZX following its internal and external reviews, the FMA considers the requirement to produce a detailed, time-bound action plan will be sufficient.

The FMA acknowledged NZX has already taken significant steps to improve its systems and processes.

But the watchdog also said it would closely engage with NZX on the action plan and continue increasing oversight on NZX’s technology until the regulator has confidence all issues have been addressed.

The FMA will publicly report on NZX’s progress in the annual NZX Obligations Review, to be released in June 2021.

NZX chief executive Mark Peterson said in a statement soon after the FMA report was released, “NZX accepts that it did not meet the high standards it sets for itself in key areas of technology resources. We also agree that improvements are required and we are committed to delivering these improvements via an action plan that will be agreed with the FMA. We will work constructively with the FMA through that process and engage closely with the broader capital markets technology ecosystem.”

Security upgrade costs could be passed on

In a December 21 update, NZX said it will continue to bolster its IT and cybersecurity systems over the coming months – and that related costs are “likely” to be passed on to its clients.

This comes after another year that has seen several hot local IPO prospects, including Laybuy and Aroa Biosurgery, ultimately opting to list across the Tasman.

The exchange said: “NZX accepts that it did not meet its own high standards in certain areas of its technology systems,” after suffering a sustained cyberattack over August and September, and problems with its clearing system earlier in the year.

In a statement, the exchange did not put a figure on the ongoing security upgrade, but did offer that “there is no impact on the FY2020 earnings guidance”.

In a December 2 update, NZX said it expected ebitda for its 2020 financial year (which coincides with the calendar year) to be “around the top of the guidance range of $30 million to $33.5 million”.

The exchange won’t comment on any impact to its FY2021 guidance until it delivers its FY2020 full-year report on February 17.

Today’s statement comes after the completion of a series of independent reviews into clearing and settlement incidents over March and April this year, and a multi-day outage caused by a DDoS (distributed denial of service) attack over late August and early September.

Reviews carried out by EY and local security outfit InPhySec had already seen several steps taken to tighten security.

But the exchange said it was still in the process of agreeing a formal action plan for the months ahead with the Financial Markets Authority. Once it had done so, it would be in a position to detail costs.

The statement indicated major work is ahead.

“NZX recognises the need for further technology investment in 2021, particularly in the markets businesses, in order to enhance the stability and resilience of its technology framework,” the exchange said.

“This includes enhancing the Securities IT team and cybersecurity counter-measures, with related pricing to market participants to be considered. NZX is well advanced, in conjunction with market ecosystem participants, for a major upgrade to its core trading system around the end of March 2021,” it added.

“The board has not yet considered the consequences on pricing for NZX services, but some cost recovery process is likely.”

The NZX also wants to implement a series of changes recommended by its new Technology sub-committee, created in November, including better crisis management, better communications “with the ecosystem” and “bolstering NZX’s IT organisational structure with some specific specialist skill sets”.

Although no costs were revealed today for the IT and cyber-security upgrades in train, the NZX gave a reference point for its last major upgrade, saying: “NZX initiated its technology infrastructure modernisation programme in 2017, with $12m invested over the four-year period to 2020, in projects that focused on clearing, infrastructure and trading system improvements, modernisation, and capacity improvements.”

A spokesman said NZX has shared the full EY and InPhySec reports with law enforcement authorities and regulators, but would not be making them public because of security concerns, in line with GCSB advice.

A broad-brush summary released on December 4 offered no detail on various big-picture questions around the DDoS attack, including whether the attacker was politically or commercially motivated, where they were located, or what ransom, if any, they demanded to stop smothering the exchange with automated bot attacks.

No more information was provided by the NZX on those fronts today, but GCSB director-general Andrew Hampton did say his agency believed the perpetrator was a criminal gang rather than a hostile state actor.

Hampton noted that although his organisation had assisted the exchange (part of the spy agency’s brief is to protect economic security by shielding top companies and exporters), a DDoS attack only smothers a website with an overload of connection requests, forcing it offline. There is no risk that data will be stolen.

Although scant detail was offered in the December 4 summary of the EY and InPhySec reports, the exchange did say: “InPhySec said the severity of the cyber-attacks went well beyond anything previously seen or that could have been reasonably forecast – the volume, sophistication and persistence of the attacks were unprecedented in a New Zealand context, and are amongst the most severe we are aware of to have been experienced internationally. It said the attacks fundamentally changed expectations about this sort of attack for the industry.”

It said NZX had been “assisted in managing the attacks by being well advanced with a significant network upgrade started in 2019”. Work on this upgrade with Spark, “created a ‘match-fit’ team that meant NZX was able to respond quickly and effectively”.

The decision “to engage Akamai, a leading global cybersecurity company, was also highlighted as being central to NZX responding to the threats”, in the independent reports, according to the exchange’s summary.

Content delivery network specialist Akamai last made headlines in NZ for its at-times rocky partnership with Spark during the 2019 Rugby World Cup.

The GCSB was also roped in to assist.

During the DDoS attack, NZX emphasised that only its website, not its trading systems, was under assault. However, it had to suspend trading for the first few days of the cyberattack because, with its site down, continuous disclosure obligations were not being met.

The exchange switched to alternative ways to get information to market participants as the DDoS attack ground on.

On September 18, after the dust had settled, NZX launched an alternative site for market announcements, which could be accessed in the event its main site was taken offline by another DDoS attack – aping a tactic adopted years ago by MetService.

NZX Ltd shares closed at $2.12 yesterday.

The stock is up 55 per cent over the past 12 months.
