Bulletin / Marks out of...

Marks out of 100 for the NZ Stock Exchange Cyber Incident Response

Author: Charlie Maclean-Bristol, Training Director, FBCI, FEPS

Charlie looks at the recent cyber incident involving New Zealand's Stock Exchange, and marks their response out of 100.

I thought this week I would write about an incident which I have been following for the last month, the Distributed Denial of Service (DDoS) attack on the New Zealand stock exchange, which took place at the end of August 2020. The attack was one of the largest seen and peaked at over 1 terabit per second (Tbps). One of the interesting factors of this cyber-attack is that the main company website was taken down by the attack and I find it interesting that a month later, as of 25th September 2020, their website is still down - see Figure 1.


Figure 1 NZX.com website as of 25th September 2020

The cyber-attack happened over four days, starting on the 26th August, and has persisted for three weeks. NZX suspended trading on the basis that while the attack did not target its trading platform, this was provided and hosted by a third party, it did overwhelm its website, leaving it with no avenue to fulfil its continuous-disclosure obligations. It has been able to resume trading but has had to find a different way through the use of another domain (Figure 2) to fulfil its continuous-disclosure obligations.

It was also interesting that this attack was against Spark the stock exchange's hosting provider, rather than the stock exchange itself. This resulted in a number of Spark’s customers’ websites being down as well.


Figure 2 Use of anouncements.nzx.com to fulfil continuous-disclosure obligations

Below is my assessment of the New Zealand’s Stock Exchange response to their cyber incident:


Screenshot-2020-09-25-at-14.05.25.png#asset:6960Screenshot-2020-09-25-at-14.05.40.png#asset:6961New Zealand's Stock Exchange did better than easyJet who scored 58, which featured in a previous bulletin. I think in their response there were some basics missing in terms of communication and with better planning their response could be much improved.

You might be interested in the following stories

Marks out of 100 for Easyjet’s Cyber Incident Response

Building an Incident Team Competency Framework

Dominic Cummings – A crisis management case study

You may be interested in the following course

NCSC Certified Managing & Preparing for Cyber Incidents course

Sign-up to our weekly bulletin

Twitter feed

Once COVID-19 is over, should we have a written pandemic plan? – A debate

Should you have a pandemic plan in place? Join the debate.

22 January 2021

“Really good course for an introduction.”

Venkatesh Mugunthan
View further testimonials