NZX has been acutely aware of the need to maintain a robust IT infrastructure for some time and had even beefed up cyber security in the past year.

The stock market operator was struck by a handful of outages on its trading platform in 2017 and 2018 and was to have upgraded the infrastructure in the second quarter of this year, had it not been for the covid-19 pandemic.

Another disruption last November had heightened scrutiny of the need to upgrade the trading platform. The upgrade aims not only to make the platform more robust, but also to improve functionality and market integrity.

That is of little comfort after a week in which the stock market’s website, rather than its trading infrastructure, was hit by repeated foreign distributed denial-of-service (DDoS) attacks. The attacks prevented NZX from publishing market-sensitive announcements, meaning it couldn’t allow trading in an environment where some investors were blind to important news.

What’s surprising is that a connectivity issue that halted trading in mid-December wasn’t more of a red flag.

A DDoS attack is a blunt assault on a website, overloading a network or server with too much traffic and ultimately taking it offline. Many financial institutions operate on cloud-based infrastructure able to scale up capacity in response to such traffic surges.

The big guns

Last week’s cyber attacks triggered the intervention of the Government Communications Security Bureau, which has been providing an intense level of support and advice to the stock market operator. The intelligence agency is also investigating the source of the attacks.

Andrew Little, the minister responsible for the GCSB, told BusinessDesk on Friday that work would continue through the weekend, with the next real test to come on Monday when trading opens at 10am.

Little said it’s a wake-up call for all operators of critical infrastructure to ensure they have robust IT security, but he’s concerned by the fact that NZX found itself in this position when many other organisations can withstand DDoS attacks without disruption.

“I’m obviously concerned the NZX IT architecture is in such a state that DDoS attacks like this have caused disruption four days in a row,” Little said.

And that’s even after NZX increased its focus on cyber security, explicitly hiring people last year for the job. It is due a report back from an independent review of technical issues, which it commissioned earlier this year when an almost six-fold increase in trading volumes during the covid-induced slump in March strained its systems.

Private responsibility

In the government's daily covid briefing last Friday, Finance Minister Grant Robertson was at pains to point out that NZX is a private company, while acknowledging that the GCSB was involved in the response and that the government was taking the attacks very seriously.

New Zealand’s 2019 cyber-security strategy notes that while protecting critical national infrastructure is a priority in resisting cyber threats, government can only support those organisations. They must ultimately take responsibility for their own security.

In June, the Financial Markets Authority said it was concerned by last year’s trading disruption, but was satisfied by the stock market operator’s response and found there wasn’t a systemic issue.

Still, the FMA said technology will be a major focus of next year’s review and it’s already started work on trying to understand the causes of last year’s disruptions. That includes how NZX strategically manages its technology and will consider the broader picture, such as future-proofing and assessing potential risks to the infrastructure.

The stock market operator spent $3.7 million on information technology in the first six months of 2020, up from $3.5 million a year earlier. That covers software licence fees, hardware support, maintenance fees, telecommunication and data costs, and IT services from third parties.

In calendar 2019, it spent $7 million on IT, down from $7.4 million in 2018. It said savings from rationalising its data hosting and other cost-cutting exercises were redirected into initiatives such as hiring new cyber security staff.

With additional reporting by Dan Brunskill