Published on 02/02/2021 | Written by Heather Wright
It’s a slam dunk of bad behaviour…
Businesses on both sides of the Tasman have been feeling the heat from increased data breaches and cyber-attacks. Now New Zealand’s NZX stock exchange has copped a serve for its failure to cope during DDoS attacks last year, while Australia’s OAIC has taken aim at companies playing down their data breaches.
The Financial Markets Authority report is highly critical of the NZX’s lack of preparedness and its technology resources and notes that despite efforts to address issues and mitigate potential risks some ‘critical gaps’ remain.
“NZX had limited capacity to address a large workload of required technological repairs.”
The searing report covers both the volume-related system issues and market outage in March and April 2020 as well as the August DDoS attacks which saw trading on the stock exchange halted for four days.
The post mortem found a litany of issues, including a lack of technology capability across people, processes and platforms, inadequate IT security processes and a ‘significant’ number of risks in the IT risk register remaining ‘in progress’, meaning progress on reducing IT risks was slow.
Fundamental tools and practices, including version management and upgrades, performance monitoring and alerting, were either lacking, insufficiently robust or not fully utilised, and only ‘rudimentary’ crisis management planning and procedures were in place.
“While the exact nature and extent of both the volume-related issues and DDoS attacks could not have been predicted with any certainty, significant volume increases and DDoS attacks were nonetheless well-known risks that NZX had not adequately prepared for,” the report says.
For the DDoS attacks in particular, adequate crisis planning would have minimised disruption to the market, the report says, with the FMA refuting NZX’s argument that it could not have foreseen such an attack, saying it considered that a DDoS attack was indeed foreseeable and that an attack of sufficient magnitude to take down the servers was at least possible and should have been planned for.
“Many other exchanges worldwide have experienced significant volume increases and DDoS attacks but we have not seen any that were disrupted as often or for such a long period.”
In fact, NZX was unable to defend against even the initial attacks, which were at a lower level.
“Further, while we acknowledge that the DDoS attacks were at times very significant, the need to halt the market could have been avoided if NZX had had adequate crisis management planning and procedures in place.”
The attacks saw trading suspended over four days, with the government ultimately ‘directing’ the Government Communications Security Bureau and National Cyber Security Centre ‘to help the NZX with this situation’.
Cultural issues, including a lack of willingness to accept fault or be upfront and open when things go wrong, are also highlighted as contributing to NZX’s ‘failure to meet its general obligations’.
It’s a damning report against an organisation that plays a key role in the New Zealand economy, finding that despite its critical role as New Zealand’s sole stock exchange, NZX’s internal IT capability was consistent with a small to medium-sized New Zealand corporate, but not of a standard expected for systemically important infrastructure.
Key roles, such as a head of IT security and a head of architecture, which would bring the IT security focus required of a technology-dependent organisation, were also missing.
While a DDoS attack on NZX.com was included in the bloated IT risk register, its overall risk severity score, determined by likelihood and consequences, was ranked ‘lower than many residual risk items’.
“The ranking itself did not seem appropriate given the escalating frequency and severity of DDoS attacks globally, including attacks on international peer exchanges, and dependency on NZX.com.
“It also indicates NZX had limited capacity to address a large workload of required technological repairs.”
NZX, which has not accepted all the report findings, is required to develop a formal action plan to address the issues raised by the FMA.
The report comes less than three weeks after New Zealand’s Reserve Bank was hit by a data breach which saw ‘sensitive information’ accessed after an attack on a third-party service, Accellion’s file transfer software application.
New Zealand updated its dated privacy laws last year, with the Privacy Act 2020 including the requirement for organisations to report serious data breaches immediately if there is a risk of harm.
In Australia, where a notifiable data breach scheme has been in force for nearly three years, the Office of the Australian Information Commissioner has bared its teeth at Australian companies failing to be upfront about the potential ramifications of breaches and the timeliness of the reporting.
The OAIC’s Notifiable Data Breaches report for July to December 2020 says there were multiple instances where entities’ notifications ‘were deficient’, resulting in the OAIC demanding they be revised and reissued.
“The OAIC has identified instances where entities have provided individuals affected by a data breach with relatively generic advice that their ‘personal details’ may have been exposed. In these instances, the entities did not clarify the kind or kinds of information involved in the data breaches, which included bank account details, credit card details, tax file numbers, Medicare numbers and identity numbers.”
Updated notifications to individuals were required in each instance, the OAIC says.
“In other instances, notifying entities did not provide affected individuals with sufficient information regarding the data breach to understand the risk arising from it.”
It cites the example of one organisation which notified the OAIC of a data breach caused by social engineering where a staff member of the entity was tricked into disclosing personal information about other individuals.
“The entity only advised individuals affected by the data breach that it involved a disclosure of their personal information to an ‘unintended recipient’. In response to the OAIC’s inquiries, the entity acknowledged that it had incorrectly paraphrased the description of the eligible data breach and reissued the notification to clarify that it involved a malicious actor.
“Examples such as these may not only fall short of reporting obligations but also adversely affect an individual’s ability to make an informed decision about how to best mitigate harm.”
It also took aim at those dragging their heels in assessing and notifying of breaches.
“Increasingly the OAIC is seeing instances of organisations taking much longer than 30 days to complete their assessments, with further significant delays before they notify affected individuals.”
It acknowledges that some breaches are complex and may take ‘a significant amount of time’ to identify the full extent of the breach and all affected individuals, but says unnecessarily delayed notifications undermine the NDB scheme by denying affected individuals the ability to take timely steps to protect themselves.
Angelene Falk, Australian Information Commissioner and Privacy Commissioner, says after nearly three years of the NDB, Australian companies should have the systems in place to report breaches in line with legislative requirements.