of NZX by the Financial Markets Authority (FMA), released today, has found the stock exchange failed to meet its licensed market operator obligations due to insufficient technology resources.
As a licensed market operator, NZX is required to meet certain obligations under the Financial Markets Conduct Act (FMC Act). One of those obligations is to have sufficient technology resources to operate its licensed markets properly, including arrangements to ensure market disclosures are made available.
Scope of the review – a series of issues through 2020
The FMA began a targeted review of NZX’s technology after it suffered trading volume-related system issues and outages in April 2020. The scope of the review was expanded following DDoS (Distributed Denial of Service) attacks on NZX in August 2020.
The FMA also had concerns that NZX’s trading system was unable to trade securities at zero or negative yields. The volume-related issues and DDoS event repeatedly halted or disrupted market activity.
Report’s key findings
Overall, the FMA review found NZX did not have adequate technology capability across its people, processes and platform to comply with its market operator obligations, especially given its systemic importance. Additionally, the performance of NZX’s systems did not meet regulatory requirements or expectations for fair, orderly and transparent markets.
In respect of NZX’s trading volume-related issues, the FMA review concluded fundamental tools and practices were either lacking, insufficiently robust or not fully utilised. NZX was aware of the capacity limitations of its core back-end processing system, particularly as daily trading volumes had increased in the last three years.
FMA Chief Executive, Rob Everett, said market participants gave feedback that NZX did not accept responsibility for known systemic issues and was slow to act: “The feedback from market participants mirrors our own observations and is a major concern that needs to be addressed by the NZX Board and Executive. The failure to properly consider the broader ecosystem in which the exchange operates, and to fully engage with industry feedback and concerns, were contributing factors to the volume-related issues.”
In relation to the DDoS attacks, the FMA review found NZX’s crisis management planning and procedures were basic. A DDoS attack was foreseeable, the FMA review found, and an attack of sufficient magnitude to take down servers – and with them NZX’s market announcement platform – was at least possible and should have been planned for. NZX self-rated its IT security profile at a basic maturity level, indicating that a number of best practices had not been adopted.
NZX is required to develop a formal action plan to address the issues raised by the FMA. The market regulator has met with the NZX Board to discuss its findings and received assurances that the NZX Board takes responsibility for making the necessary investment and addressing the issues highlighted in the report.
“We are confident that NZX understands our concerns,” said Mr Everett. “We look forward to finalising NZX’s action plan and monitoring its progress over coming months.”
Sanctions for a breach of NZX’s statutory obligations are limited. However, given the commitments received from NZX and the action plans already initiated by NZX following its internal and external reviews, the FMA considers the requirement to produce a detailed, time-bound action plan will be sufficient. The FMA acknowledges NZX has already taken significant steps to improve its systems and processes.
The FMA will closely engage with NZX on the action plan and continue increasing oversight on NZX’s technology until the regulator has confidence all issues have been addressed.
The FMA will publicly report on NZX’s progress in the annual NZX Obligations Review, to be released in June 2021.
Cybersecurity resilience critical for NZ financial services industry
Commenting on cybersecurity attacks, the FMA said the threat is growing rapidly, with attacks becoming more prevalent and difficult to defend against for all organisations.
“All entities, private and public, face this threat and need to evolve rapidly to counteract it. The pace of change is such that standing still or planning patiently for the future exposes organisations and the information they hold. For entities providing critical infrastructure the impact of attacks on their customers, suppliers or markets can be significant. This is a major challenge for all of us and has rapidly risen to the top of many organisations’ risk identification and crisis planning. NZX worked hard at both but failed to react quickly enough to changing threats or to plan for a failure to defend against them,” the report said.