Charlie looks at the recent cyber incident involving New Zealand’s Stock Exchange, and marks their response out of 100.
I thought this week I would write about an incident which I have been following for the last month, the Distributed Denial of Service (DDoS) attack on the New Zealand stock exchange, which took place at the end of August 2020. The attack was one of the largest seen and peaked at over 1 terabit per second (Tbps). One of the interesting factors of this cyber-attack is that the main company website was taken down by the attack and I find it interesting that a month later, as of 25th September 2020, their website is still down – see Figure 1.
Figure 1 NZX.com website as of 25th September 2020
The cyber-attack happened over four days, starting on the 26th August, and has persisted for three weeks. NZX suspended trading on the basis that while the attack did not target its trading platform, this was provided and hosted by a third party, it did overwhelm its website, leaving it with no avenue to fulfil its continuous-disclosure obligations. It has been able to resume trading but has had to find a different way through the use of another domain (Figure 2) to fulfil its continuous-disclosure obligations.
It was also interesting that this attack was against Spark the stock exchange’s hosting provider, rather than the stock exchange itself. This resulted in a number of Spark’s customers’ websites being down as well.
Figure 2 Use of anouncements.nzx.com to fulfil continuous-disclosure obligations
Below is my assessment of the New Zealand’s Stock Exchange response to their cyber incident:
New Zealand’s Stock Exchange did better than easyJet who scored 58, which featured in a previous bulletin. I think in their response there were some basics missing in terms of communication and with better planning their response could be much improved.