The exchange won't comment on any impact to its FY2021 guidance until it delivers its FY2020 full-year report on February 17.
Today's statement comes after the completion of a series of independent reviews into clearing and settlement incidents over March and April this year, and a multi-day outage caused by a DDoS (distributed denial of service) attack over late August and early September.
Reviews carried out by EY and local security outfit InPhySec had already seen several steps taken to tighten security.
But the exchange said it was still in the process of agreeing a formal action plan for the months ahead with the Financial Markets Authority. Once it had done so, it would be in a position to detail costs.
This morning's statement indicates that major work is ahead.
"NZX recognises the need for further technology investment in 2021, particularly in the markets businesses, in order to enhance the stability and resilience of its technology framework," the exchange said.
"This includes enhancing the Securities IT team and cybersecurity counter-measures, with related pricing to market participants to be considered. NZX is well advanced, in conjunction with market ecosystem participants, for a major upgrade to its core trading system around the end of March 2021," it added.
"The board has not yet considered the consequences on pricing for NZX services, but some cost recovery process is likely."
The NZX also wants to implement a series of changes recommended by its new Technology sub-committee, created in November, including better crisis management, better communications "with the ecosystem" and "bolstering NZX's IT organisational structure with some specific specialist skill sets".
The exchange's chief information officer, David Godfrey, quit on September 28, the day after a daylight savings blunder that came on top of the earlier DDoS attack and clearing outages. No reason was given for his departure. A spokesman said it was not related to the various IT problems. NZX has yet to name a new CIO.
Although no costs were revealed today for the IT and cyber-security upgrades in train, the NZX gave a reference point for its last major upgrade, saying: "NZX initiated its technology infrastructure modernisation programme in 2017, with $12m invested over the four-year period to 2020, in projects that focused on clearing, infrastructure and trading system improvements, modernisation, and capacity improvements."
This morning, a spokesman said NZX has shared the full EY and InPhySec reports with law enforcement authorities and regulators, but would not be making them public because of security concerns, in line with GCSB advice.
A broad-brush summary released on December 4 offered no detail on various big-picture questions around the DDoS attack, including whether the attacker was politically or commercially motivated, where they were located or what ransom, if any, they demanded to stop smothering the exchange with automated bot attacks.
No more information was provided by the NZX on those fronts today, but GCSB director-general Andrew Hampton did say his agency believed the perpetrator was a criminal gang rather than a bad state actor.
Hampton noted that although his organisation had assisted the exchange - for part of the spy agency's brief is to protect economic security by shielding top companies and exporters - a DDoS attack only smothers a website with an overload of connection requests, forcing it offline. There is not any risk that data will be stolen.
Although scant detail was offered in the December 4 summary of the EY and InPhySec reports, the exchange did say: "InPhySec said the severity of the cyber-attacks went well beyond anything previously seen or that could have been reasonably forecast - the volume, sophistication and persistence of the attacks were unprecedented in a New Zealand context, and are amongst the most severe we are aware of to have been experienced internationally. It said the attacks fundamentally changed expectations about this sort of attack for the industry."
It said NZX had been "assisted in managing the attacks by being well advanced with a significant network upgrade started in 2019". Work on this upgrade with Spark "created a 'match-fit' team that meant NZX was able to respond quickly and effectively".
The decision "to engage Akamai, a leading global cybersecurity company, was also highlighted as being central to NZX responding to the threats", in the independent reports, according to the exchange's summary.
Content delivery network specialist Akamai last made headlines in NZ for its at-times rocky partnership with Spark during the 2019 Rugby World Cup.
The GCSB was also roped in to assist.
During the DDoS attack, NZX emphasised that only its website, not its trading systems, was under assault. However, it had to suspend trading for the first few days of the cyber-attack because, with its site down, continuous disclosure obligations were not being met.
The exchange switched to alternative ways to get information to market participants as the DDoS attack ground on.
On September 18, after the dust had settled, NZX launched an alternative site for market announcements, which could be accessed in the event its main site was taken offline by another DDoS attack - aping a tactic adopted years ago by MetService.
NZX Ltd shares were up 1 per cent to $1.98 in midday trading.
The stock is up 47 per cent for the year.