This story was updated in the May 1, 2008 issue of CIO magazine to include new reporting. Read the latest version of this story here.
It’s a lethal combination of process oversights and system failures that is the stuff of CIO nightmares: An investigation into rogue trader Jerome Kerviel’s fraudulent actions at Societe Generale bank uncovered an apparent break down in financial and internal IT controls subverted by an employee with IT know-how and authorized systems access.
MORE ON CIO.com
Compliance, Convergence and How IT Fits
How IT Should and Should Not Monitor Users
CSOonline: What Went Wrong at Societe Generale?
The well-known tale of Kerviel’s exploits, which led to more than $7 billion in losses for the bank, is serving as a wake-up call to businesses everywhere. “It’s started the conversation around these issues,” says Scott Crawford, a security expert and research director at Enterprise Management Associates. (EMA)
And executives, he says, are now asking themselves, What can we do to ensure that the risk exposure of the business itself is managed effectively, in addition to what role IT should play?
Answering that question, however, isn’t so easy. First, many executives don’t have a good enough understanding of where their risks actually are, Crawford says, and therefore don’t know where they need more robust controls.
This is compounded by that fact that some executives might not want to be made aware of their company’s risks. “Once you know what your exposure is, you are no longer ignorant,” Crawford says. “And if you choose not to mitigate a known risk or at least not address it, then the issue potentially becomes one of negligence.” (Which is precisely why regulations like Sarbanes-Oxley require top execs to put their names on their company’s financial documents.)
As a previous CIO article on the Societe Generale scandal notes, several former risk-control executives quoted in a Wall Street Journal article said that financial institutions of all types are notorious for weakening risk-management procedures when times are good and profits are flowing fast. The Journal article cites the “months of misery” endured at top U.S. banks and securities firms, which are being clobbered by the mortgage crisis, as evidence of such lax risk controls come to fruition.
In addition, even if executives are made aware of the risks, they have a tough time balancing the potential gains from a risky endeavor versus the potential losses, Crawford says. “There’s always this delicate balancing act between taking advantage of opportunities and doing an effective job of IT risk management,” he notes. “This notion of business risk exposure in IT still is a challenge particularly for the CIO but for the business as a whole.”
One of Societe Generale’s primary business lines is derivatives, Crawford notes, which is a financial instrument that allows traders to make contracts on a wide range of assets (such as equities, bonds or commodities) and attempts to reduce (or hedge) the financial risk for one party in the deal. Trading derivatives, however, necessitates some aggressiveness and can be fraught with risk. (The infamous story of Nick Leeson, a former derivatives trader whose unauthorized speculative trading led to the collapse of the United Kingdom’s Barings Bank, has been cited often.)
This could have been a stumbling block for Societe Generale. “Were they really as aware of the actual level of exposure as they should have been?” Crawford asks.
Lastly, up until very recently there’s been “limited interaction” between business risk managers and IT risk managers, Crawford says. “The perception is that one doesn’t really get the other,” he says. “The business risk managers feel that IT is speaking a different language, and IT feels business managers don’t really understand the amount of IT-related exposure.”
How IT Hurts and Helps
That disconnect can be enormously destructive, as the Societe Generale incident shows. “The Societe Generale case brings to the fore the fact that business risk can be directly exposed through IT,” Crawford says. “Kerviel allegedly manipulated the IT controls on the business systems based on his mid-office experience and back-office [IT] knowledge and expertise.”
An internal Societe Generale investigation on the incident found at least 75 red flags raised by accountants, and risk-control and compliance officers over a two-year span. These alerts included “transactions that appeared to settle on a Saturday or trades where the counterparty was either not named or listed as ‘pending’—from June 2006 to January 2008,” according to The New York Times. “The [Societe Generale] report said these transactions should have alerted managers to Mr. Kerviels activities.”
A detailed graphical representation of Kerviel’s exploits and Societe Generale’s missteps put together by risk-management vendor SailPoint Technologies (with the help of EMA’s Crawford) shows just how and where controls should have stopped Kerviel’s activities. (The document “Avoiding a Billion-Dollar Blind Spot” (pdf) can be found here.)
For example, Kerviel was able to subvert systems access and privilege controls, allowing him to misappropriate names and passwords of his colleagues and mask his fraud, according to the SailPoint document. “If at the top of an organization there really is not adequate division between those who use and manage IT controls and those who are responsible for their supervision and ensuring they’re not exploited, then controls may be ineffective,” Crawford says.
Consequently, the SailPoint document states that due to its “weak access controls and activity monitoring, Societe Generale [was] left to rely upon external events to reveal the ongoing fraud rather than their own controls.”
What IT Should Do
If there is anything good that can come out of Kerviel’s alleged deviance and Societe Generale’s apparent blindness to it is that the incident will spur executives to talk about risk management and IT controls inside their businesses.
That conversation can start off with something as simple as asking a series of what-if questions, Crawford says. These include:
• Would you be able to recognize anomalies that would indicate you may have more risk exposure than you realize? Are there events taking place and are detectable in IT that would indicate you might be subject to an event of this nature? If so, what kind of anomalies would you be looking for?
• Are entitlements and privileges for high-level and high-risk employees too broad? Do individual roles or individual users have entitlements that would basically negate adequate separation of duties? Is there adequate insight into that kind of activity? And how effective are the controls assuring that the separation of duties could be enforced?
• What are the behavior anomalies that would suggest you may be facing greater exposure? What is the risk that your control systems or indicators themselves may be subject to subversion? And what are ways you can enforce more effective controls and still be able to capitalize on new business opportunities?
“There are limits to what people can do, and there are limits to what technology can do,” Crawford notes. However, there are many things businesses should look at right now, such as the sharing of access privileges by high-level employees.
“The issue of the highly skilled professional who is familiar with [system] architecture and particularly how to infiltrate it is one the biggest risks highlighted in the Societe Generale case,” he says.
In the end, it’s critical that companies understand the tradeoffs they’re making and how much risk they’re willing to allow in their companies.
“Businesses are just now beginning to awaken to the controls within the IT environment,” Crawford says. “If you’re betting the farm and strategy on the IT controls, it behooves the organization to ensure that those controls are reasonably resistant to subversion.”