Insight The glitch that brought down NSE The recent NSE outage was caused by a software error, says a preliminary SEBI investigation—a reminder that we may be taking basic availability for granted By CIO&<strong>Leader</strong> 36 CIO&LEADER | <strong>July</strong> <strong>2017</strong>
Insight Atechnical glitch shut down India’s largest stock exchange, the National Stock Exchange, for more than three hours on June 10, <strong>2017</strong> as the system failed to boot in its opening time: 9 am. The cash and derivative transactions were held up, though NSE halted the futures and options (F&O) operations too at around 10 am. After two failed attempts at 10.45 am and 11.15 am, normal trading could only be resumed at 12.30 pm. This happened in a day where BSE Sensex saw a record high and also gained in volumes because many traders switched to BSE because of the NSE glitch. This outage comes exactly three years after the <strong>July</strong> 2014 outage at Bombay Stock Exchange (BSE) which had lasted for three hours. The NSE outage impacted trading for a longer period. Two previous cases of trading halts at BSE have been because of connectivity issues. NSE too had experienced a glitch in October 2012 but trading was impacted for less than fifteen minutes. In August 2013, the US bourse NASDAQ, on which the NSE is modeled, had stopped functioning for more than three hours, due to a glitch. Even the New York Stock Exchange (NYSE), the largest exchange in the world, had stopped trading for almost four hours exactly two years back, on 9 <strong>July</strong> 2015. “The matter is being examined by the internal technical team and external vendors, to analyze and identify the cause which led to the issue and to suggest solutions to prevent recurrence,” NSE said in a press statement. Lack of Backup? Three hours is a very long time from trading point of view and many traders were unhappy that NSE did not switch to a backup system. NSE has been quoted as saying that it did not invoke its Business Continuity Plan (BCP) because the plan was meant to provide continuity in case of natural disasters, hardware failures and connectivity-related issues only. The stock exchange regulator, Securities and Exchange Board of India (SEBI), which was directed by the Indian Ministry of Finance to investigate the issue and submit a report by the day end, clarified that the glitch was a software issue. This outage comes exactly three years after the <strong>July</strong> 2014 outage at Bombay Stock Exchange (BSE) which had lasted for three hours. The NSE outage impacted trading for a longer period “On preliminary analysis, the technical problem apparently is related to software,” SEBI said in a statement. The regulator also ruled out the possibility of cyber attacks. “It does not seem to be related to any cyber security related compromise,” it clarified in the same statement. SEBI has directed NSE to submit a detailed report on the matter. The regulator has also asked NSE to have a review of their Business Continuity Plans and to submit a detailed plan as to what measures are going to be taken to avoid such recurrences. What to make out of the glitch? At the lack of any detailed public report, it is difficult to analyze what caused the delay. However, based on the information known so far, certain things are clear. 1. It was not a cyber attack; it was a system error 2. NSE did not switch to its BCP because that was reserved for natural disasters or hardware failures, meaning it has not taken into account situations like this where the business continuity was severely compromised, for its BCP This just means that even for mission critical applications such as stock market trading, there is serious gap in business continuity planning. In the last few months, a series of outages in airlines, such as Delta, United and British Airways had brought into limelight the gaps that remain in the resilience plans of these airlines, the NSE outage has once again highlighted that issue. In none of these cases, any external attack was involved. While a stock market outage may not have seen as much social media outrage as an Airlines outage, the potential impact in business terms could be much bigger. Are we ignoring the basic reliability and resilience plans while readying ourselves for tackling possible external actors? <strong>July</strong> <strong>2017</strong> | CIO&LEADER 37