"However fast you're moving, you're probably not moving fast enough," says FMA chief executive Rob Everett as companies battle escalating cyber-threats. Photo / File
"However fast you're moving, you're probably not moving fast enough," Financial Markets Authority chief executive Rob Everett told the Herald this morning, soon after his agency released its damning report into NZX's response to cyberattacks over August and September last year.
The FMA found under-investment in technology, skills gaps in an understaffed IT department, a secretive culture where faults weren't admitted to or shared with partners, and too little planning or war-gaming at the stock exchange, among other issues - many of which have still to be resolved.
The FMA said it was pleased with NZX's cooperation, and its progress so far, but it added "there are some critical gaps remaining".
Key positions, including a chief risk officer, a head of IT and a network architect, had to be created and filled, among other measures.
The exchange's chief information officer, David Godfrey, quit on September 28, the day after a daylight savings blunder that came on top of the earlier distributed denial of service (DDoS) attack and overloading issues in April 2020, which were also the subject of the FMA's report.
Should someone higher up the food chain walk the plank?
"In my opinion, no," says NZ Shareholders Association (NZSA) chief executive Oliver Mander.
"The current leadership team and board are in the best position to fix the problems they've unwittingly created."
The NZSA boss said the key elements for restoring trust were to include market participants in the process of creating the NZX's plan to beef up its technology and other systems, and to issue regular public updates.
As things stand, the FMA has promised an update when it issues its annual report on the exchange in June. Mander says quarterly updates would be better.
"An annual review is not sufficient when you're talking about something as significant as this."
NZSA head's three takeaways
The NZSA boss says three things struck him about the FMA report.
"The first was the cultural aspect; the criticism of the attitude of the NZX," he said.
The FMA's report said, "We consider there are internal cultural factors that have contributed to NZX's failure to have adequate technological resources. NZX rarely accepts fault and is not upfront and open when things go wrong."
The regulator said there was a lack of awareness about how NZX issues affected partners downstream.
"The critical feedback received from [market] participants is a major concern and needs to be considered and addressed," the FMA's report said.
There was "the real risk of distrustful and tense relationships," it added, before recommending NZX add a relationships manager to its recruitment to-do list.
Mander said although there had clearly been a breakdown in communication, it was a two-way street and finger-pointing wouldn't help.
Better communication was needed throughout the ecosystem - and a larger ecosystem: "Improved competition for investment for banking services that would encourage more market participants".
The second aspect that struck Mander was the revelation in the report that the FMA had been sniffing around NZX since April last year, after what it called "volume-related" issues with the exchange's trading systems in March and April 2020.
The third was the "lack of foresight in anticipating the DDoS attack" and the apparent lack of disaster planning.
NZX emphasised it went offline for several days because its website was overwhelmed by the distributed denial of service assaults over August and September - meaning it couldn't fulfil its continuous disclosure obligations and was obliged to halt trading even though its core systems were shut. But it did not manage to stand up an alternative site for market announcements until September 17 - a contrast with Metservice, which had an alternative site ready to go and active within hours of a DDoS attack that also occurred the same month.
"It does not look like they've kept up with technology options over the past few years," Mander said. "And if you have a legacy technology environment, then standing up defences is difficult."
You could be next
Talking to the Herald soon after the NZX report's release, FMA chief executive Rob Everett stressed that New Zealand organisations faced escalating cyber-threat risks.
"The pace of change in the past 18 months has been dramatic. This is not temporary. And it's not going to get any easier. People need to skill-up and people need to plan for the worst," Everett said.
"However fast you're moving, you're probably not moving fast enough."
Crown agency CERT NZ tracked a 33 per cent increase in cyber-attacks last year. Targets included Fisher & Paykel Appliances, Lion and Toll Group. The New Year started with the Reserve Bank admitting a security breach after it had clung to a two-decade-old file-sharing service despite advice from the vendor and strong warnings in an internal report.
Everett said the bank is outside the FMA's remit, but he is keeping close tabs on events.
Businesses need to wake up to law change
Aura Information Security general manager Peter Bailey compared the rising cybersecurity threat to a couple of recent "wake-up call" moments for NZ business - particularly in the context of the revamped Privacy Act that came into force on December 1, 2020.
The updated legislation makes data breach disclosure mandatory and threatens fines for those who fail.
"When the Health and Safety Act was overhauled and local directors were saddled with personal liability, skin in the game meant those laws suddenly got a lot more attention," he said.
"This is like New Zealand's alcohol laws where duty managers are directly liable for selling to minors. With top-down responsibility, suddenly the highest levels of an organisation make it a priority to play by the rules," Bailey told the Herald.
"The NZX DDoS attack was sustained and so massive, that there was likely very little to nothing NZX could have done to prevent it," he added.
"Instead, this attack showed that while being proactive is essential, the agility to move reactively is always going to play a vital part in any security strategy."
Will the NZX, whose woes started this discussion, be able to react nimbly to its next attack?
Everett said the exchange had taken his agency's investigation seriously and he saw a board and management committed to implementing the FMA's recommendations.
If NZX does, "I'm confident they'll emerge in decent shape," Everett said.
"When?" is the $64,000 question, however. Everett said his agency has yet to hash out a timeline with NZX.
NZX responds
NZX chief executive Mark Peterson said soon after the FMA report was released that the exchange accepted it did not meet its own high standards in terms of technology.
"We also agree that improvements are required and we are committed to delivering these improvements via an action plan that will be agreed with the FMA.
"We will work constructively with the FMA through that process and engage closely with the broader capital markets technology ecosystem."
Earlier, Peterson said NZX had already taken several measures after reviews by EY and InPhySec.
The CEO said he could not detail full costs until agreeing to a formal action plan and timeline with the FMA - but that it was "likely" that some would have to be passed on to clients.
In a December 2 update, NZX said it expected EBITDA for its 2020 financial year (which coincides with the calendar year) to be "around the top of the guidance range of $30 million to $33.5 million".
Its December update detailed a four-year, $12m upgrade programme that began in 2017 in projects that focused on clearing, infrastructure and trading system improvements, modernisation and capacity improvements.
Everett told the Herald that NZX's investment would have been at a good level for a small-to-medium business but it was not good enough for a company hosting critical infrastructure.
His agency's report said increasing cybercrime "is a major challenge for all of us and has rapidly risen to the top of many organisations' risk identification and crisis planning. NZX worked hard at both but failed to react quickly enough to changing threats or to plan for a failure to defend against them."
NZX Ltd shares were down 2.8 per cent to $2.06 in mid-afternoon trading, but the stock is still up 56 per cent over the past 12 months after a recent run-up.