Regulator Blasts NZ’s Stock Exchange Over DDoS Meltdown
NZX Was Unprepared for a Known Threat, Financial Markets Authority Says
New Zealand’s financial regulator has issued a searing report about IT security failures at NZX, the country’s stock exchange, that contributed to a disruptive DDoS attack.
The Financial Markets Authority says in a new report that NZX lacked sufficient technology resources and had inadequate IT security, including poor network design and unprotected infrastructure.
The stock market also suffered from cultural problems, including “a lack of willingness to accept fault,” the authority says. NZX officials couldn’t immediately be reached for comment on the regulator's findings.
NZX was hit with a series of volumetric distributed denial-of-service attacks in August 2020 as part of an extortion attempt. The stock exchange also faced other technology-related problems last year, including trading volume issues that caused outages in March and April and an inability to accommodate trades of debt securities in August.
While the DDoS attacks did not directly affect its trading engines or clearing systems, NZX’s main website, including its Market Announcements Platform, was affected. NZX halted trading because it could not publish those announcements.
The website outage was intermittent for four days while NZX worked with its ISP, Spark, to deflect the attacks (see: New Zealand Stock Exchange Trades Again After DDoS).
Although the Financial Markets Authority described the DDoS attack as “sophisticated, sustained and of very significant size,” the regulator rejected NZX’s position that it could not have foreseen that it would come under such an attack.
“We consider a DDoS attack was foreseeable and that an attack of sufficient magnitude to take down the servers was at least possible and should have been planned for,” the authority says in its report. “DDoS attacks are not new, and, globally, have been increasing in intensity over time.”
NZX was unable to deflect even the initial DDoS strikes, which were at lower levels, the authority writes. New Zealand's government cybersecurity agency, CERT NZ, had warned in November 2019 that financial services firms were being targeted by DDoS blackmail campaigns.
No Head of IT Security
The Financial Markets Authority conducted an extensive post-mortem into NZX’s cyber resiliency, risk forecasting and staffing. The findings laid bare holes within New Zealand’s only stock exchange.
The authority says that NZX has a small, in-house IT team that's also responsible for managing security, and it has been missing “certain key roles." For example, NZX didn’t have a head of IT security, head of architecture or chief risk officer. It also didn’t have formal crisis management plans and procedures, according to the authority's report.
“Crisis management planning appears to have been rudimentary and entirely reliant on technology alternatives, which may also be unavailable in the course of a DDoS attack or other cybersecurity breach,” the authority notes.
NZX was aware of the risk of a DDoS attack on its website, the authority says, but its “overall risk severity score (determined by likelihood and consequences) was ranked lower than many other residual risk items.”
The authority's report didn’t dig into the technical issues of the DDoS attack. But at the time, outside observer Daniel Ayers noticed configuration issues that could have contributed to the extensive downtime (see: New Zealand Exchange's Massive DDoS Attack: What Went Wrong?).
Before the attacks started, NZX had only two Domain Name System servers sitting within Spark’s IP address space in Auckland and Wellington, says Ayers, an IT security and cloud consultant. Those servers lacked adequate DDoS protection, making them easy for attackers to cripple, he says.
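The concentration problem Ayers describes is easy to check for once you have a zone's NS records and know which network each nameserver address sits in. The following audit script is an added example and is not code from the article, NZX, Spark or Akamai; the nameserver names, the addresses (RFC 5737 documentation ranges) and the prefix-to-operator table are all constructed, standing in for what a real audit would gather with `dig NS` and a whois/BGP lookup. It flags the two conditions that made the NZX setup fragile: too few authoritative servers, and every server reachable only through a single operator's address space, so one upstream is all an attacker needs to saturate. RFC 2182 makes the same recommendation for secondary nameservers: several of them, on topologically diverse networks.

```python
"""Audit an authoritative nameserver set for single-upstream concentration.

Added example; not code from the article or from NZX, Spark or Akamai.
All names, addresses and the prefix->operator table below are constructed.
"""
import ipaddress
from collections import Counter

# Constructed: which operator announces each prefix. In a real audit this
# comes from whois/BGP data for the addresses returned by `dig NS`, not a dict.
PREFIX_OPERATORS = {
    "203.0.113.0/24": "isp-a",        # hypothetical: ISP's Auckland block
    "198.51.100.0/24": "isp-a",       # hypothetical: same ISP, Wellington block
    "192.0.2.0/24": "anycast-dns-b",  # hypothetical: separate anycast DNS provider
}


def operator_for(ip: str) -> str:
    """Map an address to its operator by longest-prefix match over the table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, op in PREFIX_OPERATORS.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, op)
    return best[1] if best else "unknown"


def assess_ns_set(ns_to_ips, min_servers=3, min_operators=2):
    """Return findings for a zone's authoritative NS set.

    ns_to_ips: {"ns1.example.nz": ["203.0.113.10"], ...}
    Two checks: enough servers, and servers spread over more than one
    operator's network so a flood against one upstream cannot silence the zone.
    """
    findings = []
    all_ips = [ip for ips in ns_to_ips.values() for ip in ips]
    operators = Counter(operator_for(ip) for ip in all_ips)

    if len(ns_to_ips) < min_servers:
        findings.append(
            f"only {len(ns_to_ips)} nameservers (want at least {min_servers})")
    if len(operators) < min_operators:
        findings.append(
            f"all nameservers sit in {', '.join(sorted(operators))} address space: "
            f"a single upstream to saturate")
    return {
        "servers": len(ns_to_ips),
        "operators": sorted(operators),
        "findings": findings,
        "resilient": not findings,
    }


# Constructed "before" set: two servers, one ISP, two cities (the shape the
# article describes), and an "after" set that adds a third-party anycast provider.
BEFORE = {
    "ns1.example.nz": ["203.0.113.10"],
    "ns2.example.nz": ["198.51.100.10"],
}
AFTER = {
    "ns1.example.nz": ["203.0.113.10"],
    "ns2.example.nz": ["198.51.100.10"],
    "a.ns.provider-b.example": ["192.0.2.53"],
    "b.ns.provider-b.example": ["192.0.2.54"],
}

if __name__ == "__main__":
    for label, ns in (("before", BEFORE), ("after", AFTER)):
        print(label, assess_ns_set(ns))
```

The "before" set fails both checks; the "after" set passes because the zone can still be resolved through the second operator if the ISP's links are flooded. Operator diversity is the point, not raw server count: four servers in one /24 behind one ISP would still fail the second check.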
The Financial Markets Authority writes that NZX did not accept all of its findings, but it did pledge to make improvements.
The exchange acknowledged that it had breached “its market operator obligation” by having inadequate technology resources. The authority says its report will be used as a basis to create a formal action plan for NZX.
NZX acknowledged it needs to improve its crisis management planning and procedures, the authority says. The exchange has already taken action to improve its cyber resiliency. That includes creating a cloud-based alternative and failover site for its Market Announcements Platform, whose failure necessitated halting trading. NZX has also hired Akamai to provide DDoS defenses for both its front- and back-end infrastructure.
NZX has also completed IT security reviews, improved its website capability and capacity, added protection for legacy external connections and improved its security monitoring tools, the authority writes.
“The actions subsequently taken by NZX go some way to addressing the issues and mitigating potential risks,” the regulator says. “However, there are some critical gaps remaining.”
The authority recommended that NZX hire a chief risk officer, head of IT security and head of architecture.