The New Zealand stock exchange (NZX) halted trading operations for the final hour of trading on Tuesday, and then most of the trading day Wednesday, Thursday and again Friday morning due to distributed denial of service (DDoS) attacks which ‘impacted network connectivity’. The exchange reported that the attacks came ‘from offshore via its network service provider’, and it is unclear when trading operations will return to normal.
An alert had been issued last November by New Zealand-based cybersecurity firm CERT NZ that financial firms had received emails threatening them with DDoS attacks if they did not pay a ransom.
The fact that trading operations were interrupted by a relatively unsophisticated DDoS attack, and that disruptions continue into a fourth day, indicates potentially more serious underlying problems within NZX’s infrastructure. Stock exchanges are critical financial infrastructure, and as such operational disruptions can have serious negative consequences for a huge number of clients. While the NZX is a comparatively small regional operation and does not carry the same global risk implications that would come from a trading disruption to a major exchange in New York, London, Chicago, Singapore, or Tokyo, it is always a concern when critical infrastructure gets breached.
It is also notable that this attack reportedly vectored through a third party—its ‘network service provider’. As we have previously discussed, the cyber governance of third-party cloud and managed service providers is just as important as a company’s internal cyber security, and is often the weak link that attackers exploit.
As the disruption enters a fourth day, questions are rightly being asked about NZX’s governance, including what standards are being applied and what resources have been deployed to adequately protect its digital assets. These are basic questions any company, let alone a critical infrastructure operator, must be able to answer.