PlanB Consulting

Marks out of 100 for the NZ Stock Exchange Cyber Incident Response

This week I look at at the recent cyber incident involving New Zealand’s Stock Exchange and marks their response out of 100.

I thought this week I would write about an incident which I have been following for the last month, the Distributed Denial of Service (DDoS) attack on the New Zealand stock exchange, which took place at the end of August 2020. The attack was one of the largest seen and peaked at over 1 terabit per second (Tbps). One of the interesting factors of this cyber-attack is that the main company website was taken down by the attack and I find it interesting that a month later, as of 25th September 2020, their website is still down – see Figure 1.

Figure 1 website as of 25th September 2020

The cyber-attack happened over four days, starting on the 26th August, and has persisted for three weeks. NZX suspended trading on the basis that while the attack did not target its trading platform, this was provided and hosted by a third party, it did overwhelm its website, leaving it with no avenue to fulfil its continuous-disclosure obligations. It has been able to resume trading but has had to find a different way through the use of another domain (Figure 2) to fulfil its continuous-disclosure obligations.

It was also interesting that this attack was against Spark the stock exchange’s hosting provider, rather than the stock exchange itself. This resulted in a number of Spark’s customers’ websites being down as well.

Figure 2 Use of to fulfil continuous-disclosure obligations

Below is my assessment of the New Zealand’s Stock Exchange response to their cyber incident:

New Zealand’s Stock Exchange did better than easyJet who scored 58, which featured in a previous bulletin. I think in their response there were some basics missing in terms of communication and with better planning their response could be much improved.

About Charlie Maclean-Bristol

Charlie Maclean-Bristol is one of the Founders and Directors of PlanB Consulting. He is also the Training Director of Business Continuity Training Ltd., a UK-based training provider accredited by the Business Continuity Institute. Charlie is a former Business Continuity Institute board member and one of the very few Fellows of both the Emergency Planning Society and the Business Continuity Institute.

A former Infantry Captain in the British Army, Charlie held several emergency planning, business continuity and crisis management positions within the energy and utility industry before founding PlanB Consulting in 2007. Over the past twelve years, Charlie has delivered business continuity consultancy in 6 of the worlds 7 continents, frequently providing full business continuity roll-outs to organisations of all sizes and in all sectors.

Scroll to Top