
Financial Markets Authority says NZX did not accept responsibility for known systemic issues and was slow to act

Market regulator the Financial Markets Authority has issued a damning report on the NZX in the wake of a series of technical issues on New Zealand's sharemarket last year, culminating in the whole system crashing in the face of an offshore cyber attack.

The FMA, which has a regulatory oversight role for the NZX, began an inquiry into technical issues with NZ's sharemarket operator after a number of glitches in April 2020, when NZX failed to handle vastly increased volumes of trading. The FMA then widened the scope of the inquiry following the cyber attack and associated major problems in August 2020.

The FMA said its review found NZX did not have adequate technology capability across its people, processes and platform to comply with market operator obligations, especially in the context of its systemic importance.

"Additionally, the performance of NZX’s systems did not meet regulatory requirements or expectations for fair, orderly and transparent markets."

FMA Chief Executive, Rob Everett, said market participants gave feedback that NZX did not accept responsibility for known systemic issues and was slow to act.

"The feedback from market participants mirrors our own observations and is a major concern that needs to be addressed by the NZX Board and Executive. The failure to properly consider the broader ecosystem in which the exchange operates, and to fully engage with industry feedback and concerns, were contributing factors to the volume-related issues."

In relation to the DDoS attacks (the cyber attacks), the FMA review found NZX’s crisis management planning and procedures were "basic".

A DDoS attack was "foreseeable", the FMA review found, and an attack of sufficient magnitude to take down servers - and with them NZX’s market announcement platform - "was at least possible and should have been planned for".

NZX self-rated its IT security profile at a basic maturity level, indicating that a number of best practices had not been adopted, the FMA said.

The market regulator is now requiring NZX to develop a formal action plan to address the issues raised by the FMA. The market regulator has met with the NZX Board to discuss its findings and received assurances that the NZX Board takes responsibility for making the necessary investment and addressing the issues highlighted in the report.

“We are confident that NZX understands our concerns,” Everett said.

“We look forward to finalising NZX’s action plan and monitoring its progress over coming months.”

The FMA said sanctions for a breach of NZX’s statutory obligations are "limited".

"However, given the commitments received from the NZX and the action plans already initiated by NZX following its internal and external reviews, the FMA considers the requirement to produce a detailed, time-bound action plan will be sufficient. The FMA acknowledges NZX has already taken significant steps to improve its systems and processes."

The FMA will closely engage with NZX on the action plan and continue increasing oversight on NZX’s technology until the regulator has confidence all issues have been addressed.

The FMA will publicly report on NZX’s progress in the annual NZX Obligations Review, to be released in June 2021.

6 Comments

Not much love there. Tut tut.

TTP

"NZX self-rated its IT security profile at a basic maturity level"

Wow, that's telling. NZX certainly have egg on their face, big changes required!

Welcome to security practices from 1990.

Whoa, is someone trying to point their finger at the demigod system admins? You can't do that, they're above everyone and everything!

The FMA are correct, DoS attacks are routine operational incidents. I'm quite surprised the NZX were so unprepared, sounds like another reason to list on the ASX.

Yeah, nah, she’ll be right.....