An independent review into the series of attacks that plagued the New Zealand stock exchange operator has confirmed the scale was beyond anything previously seen or that could have been reasonably forecast.
The NZX commissioned InPhySec, an independent specialist cybersecurity company, to review its DDoS attack response.
The series of attacks, which began in August, disrupted the website and announcements board and the operator decided to cease trading for a number of days.
In its report, InPhySec said the attacks fundamentally changed expectations about this sort of attack for the industry.
“The volume, sophistication and persistence of the attacks were unprecedented in a New Zealand context, and are amongst the most severe we are aware of to have been experienced internationally.”
It said NZX had been assisted in managing the attacks by being well-advanced with a significant network upgrade it had started in 2019.
The decision to engage Akamai, a leading global cybersecurity company, was also highlighted as being central to NZX responding to the threats.
The review recommended several technical and process steps to further strengthen security, along with closer communications with the broader cybersecurity community, reviewing risk management processes and ongoing IT consolidation.
The NZX also undertook a review of system issues it experienced in March and April 2020.
It was found this was to do with the high volume of trading that was being done during this time.
At its peak, trading volumes were six times above the average daily trades in 2019.
The independent EY review made several recommendations which included reviewing legacy systems and approaches across the markets ecosystem.
The two incidents were not connected in any way.
The findings of both reviews would be shared privately with financial market regulators and senior market participants.