The NZX has been slammed by the Financial Markets (FMA) watchdog in a scathing report that found our stock exchange has rudimentary cybersecurity protections.
A report published Thursday found that NZX should have been able to avoid a four-day downtime last year caused by a cyber attack.
"NZX rarely accepts fault, and is not upfront and open when things go wrong," the report said.
The series of cyberattacks, which began in August, took the website down for four days.
But FMA says it's no excuse.
"Our issue with the NZX is their plan B wasn't good enough - so they weren't able to stay open," Financial Markets Authority CEO Rob Everett told Newshub.
"And when you're the only stock exchange in New Zealand, you need to be able to stay open."
The FMA found our stock exchange's IT systems are similar to a small to medium-sized business, and it has poor risk and crisis management.
Stockbrokers Newshub spoke to wouldn't criticise the NZX publicly, but the FMA found an industry perception that it doesn't take responsibility for failings, doesn't accept fault and isn't upfront when things go wrong.
"You'd expect to see changes, you'd expect to see them accelerating certain things where there are issues and we just didn't see that," Everett said.
The NZX wouldn't be interviewed but issued a short statement which said it "agree[s] that improvements are required and [it's] committed to delivering [them] via an action plan that will be agreed with the FMA."
Cybersecurity experts say the NZX isn't an outlier - Kiwi businesses are vulnerable
"Especially those that operate critical infrastructure," InternetNZ Chief Security Officer Sam Sargeant said.
"It was a targeted attack. We expect to see these rise more and more as the years go on."
The FMA will now monitor NZX's upgrades and try to ensure it won't be taken down again.