Independent reports on NZX IT and cybersecurity completed

Independent reports on NZX IT and cybersecurity completed 4 December 2020 - NZX confirms completion of the independent reviews into the clearing and settlement incidents between March and April 2020, and the Distributed Denial of Service (DDoS) attacks that began in August 2020. It also confirms that key recommendations have already been implemented, or are being actively progressed. The incidents were confirmed as being completely separate from each other. NZX commissioned EY to do the first review report and InPhySec, an independent specialist cybersecurity company, to review NZX's DDoS attack response. NZX chief executive, Mr Mark Peterson, welcomed the reviews, saying the key findings were being shared privately with financial market regulators and senior market participants to outline the learnings and explain how these are being acted upon. NZX is also providing summarised findings and actions publicly through this market announcement. He noted that InPhySec had highlighted the risks of exacerbating attacks via media coverage, and said NZX was continuing to follow official advice on not disclosing details of an attack or its response. "We know the integrity and performance of our IT systems is vital to all market participants and the ongoing need to continually guard against rising demands and risks. "We commissioned these independent expert reviews following each set of incidents and have acted to implement their recommendations to ensure our IT and cybersecurity processes remain stable and secure," Mr Peterson said. Mr Peterson endorsed the wider collaboration and planning across the financial ecosystem recommended by both reviews, saying he believed that this will be a crucial step in strengthening NZX's, and the market's, ability to meet future threats. NZX Chair, Mr James Miller, commented that the independent cyber review highlighted the importance of cybersecurity being considered at a national level to ensure a coordinated approach to addressing these threats. He noted that NZX was committed to following through on the recommendations outlined in each of the independent reports and to engaging on any findings of the upcoming FMA review. System messaging issues through Covid-19 volatility The EY review noted record volume of trading occurred as New Zealand went into COVID-19 lockdown and similar trading volume challenges were encountered by other exchanges internationally. At their peak, NZX's trading volumes were six times above the average daily trades in 2019. This marked acceleration in the growth in trading activity exposed some stresses within specific elements of the market infrastructure, particularly on certain messaging components of NZX's clearing and settlement system - in part, due to historic IT system architecture decisions. We acknowledged at the time the strain these technical issues during March and April had placed on the operations and technology teams of NZX participants and their customers. The level of cooperation and understanding across the capital markets ecosystem was crucial to ensuring NZX successfully risk-managed, margined, cleared and settled the market every day. The independent EY review made several recommendations for wider market collaboration and engagement and further actions to meet future requirements via architectural changes and improvements in technology management and maintenance. These recommendations included reviewing legacy systems and approaches across the markets ecosystem. Mr Peterson said NZX was focussed on ensuring the learnings from these incidents were quickly applied. "In response to the March and April 2020 incidents, NZX set up a Technology Committee of the Board to focus on the incidents and the remediation programme. "I am pleased EY has endorsed new governance processes adopted by NZX following these incidents. The committee is responsible for overseeing the implementation of the recommendations from the two review reports and will formally report to the Board on progress", he said. Other actions being progressed include the establishment of an industry forum to ensure closer collaboration on IT matters that are market-based and the development of a 10 year forward looking industry IT plan. Cybersecurity review The cybersecurity report commented on the positive relationships NZX has with key customers and strategic partners including Service Providers, and how these relationships had been integral in helping NZX manage the cyber-attack incidents. InPhySec said the severity of the cyber-attacks went well beyond anything previously seen or that could have been reasonably forecast - "the volume, sophistication and persistence of the attacks were unprecedented in a New Zealand context, and are amongst the most severe we are aware of to have been experienced internationally." It said the attacks fundamentally changed expectations about this sort of attack for the industry. The cybersecurity review also noted the voluntary halt to NZX's trading occurred in the first phase of the attacks due to its website being treated as part of NZX's tier one system. Once contingency arrangements for the website were introduced, there were no further occasions for NZX Regulation to impose any market halt for these incidents. It said NZX had been assisted in managing the attacks by being well advanced with a significant network upgrade it had started in 2019. Work on this upgrade with Spark, "created a 'match-fit' team that meant NZX was able to respond quickly and effectively." The decision to engage Akamai, a leading global cybersecurity company, was also highlighted as being central to NZX responding to the threats. The independent cybersecurity review recommended several technical and process steps to further strengthen security, along with closer communications with the broader cybersecurity community, reviewing risk management processes and ongoing IT consolidation. ENDS For further information, please contact: Media - David Glendining 027 301 9248 Investors - Graham Law 029 494 2223 End CA:00364459 For:NZX Type:MKTUPDTE Time:2020-12-04 08:45:21