On Thursday, January 24, a leading French bank announced that it had uncovered $7.2 billion in losses that officials attributed to the actions of a 31-year-old “rogue trader.” The trader, named Jérôme Kerviel, had “managed to evade multiple layers of computer controls and audits for as long as a year, stacking up 4.9 billion euros in losses for the bank,” The New York Times reported.
Executives called Kerviel’s actions “pure fraud.” The loss is believed to be the biggest in history by a trader. Société Générale executives said that Kerviel had an “intimate and perverse” knowledge of the bank’s auditing capabilities and back-office operations that enabled him to cover up his unauthorized trades. A French banking governor commented that Kerviel was a “computer genius” and had been able to breach “five levels of controls” at the bank.
Of course, the most pressing and interesting questions—how was he able to evade any detection by other employees or Société Générale’s trading and auditing systems? if there were controls in place, how is it possible he could have done it alone, as the bank claims? and why did it take the bank so long to discover the fraud?—remain unanswered right now.
Christophe Mianné, the newly installed head of global equities and derivatives at Société Générale, told Risk magazine on Thursday that Kerviel “was very clever, but that’s not an excuse, because we have to be more clever.” He also notes that Société Générale executives are still “puzzled” by Kerviel’s deceit. “We are almost 100 percent sure he didn’t benefit [financially] at all,” Mianné says.
For those in the financial services industry, this latest incident draws comparisons to the 1995 case in which Nick Leeson, a Singapore-based trader, ran up $1.4 billion in losses on more than $27 billion in bad bets in the Japanese financial markets.
For what it’s worth, Société Générale is no Mom-and-Pop bank. It’s a highly respected institution that was founded in 1864 and has 120,000 employees and 22.5 million customers. Which makes the incident even more vexing and reprehensible: Where was the oversight? Where were the checks and balances? Where were the risk controls?
But it’s not just the financial services industry that has had info-security and risk management problems (though with trillions of dollars in play every day, it’s bound to bring out the best and brightest crooks). It seems that in today’s interconnected world, it doesn’t matter if the culprit is on the inside or outside, or if a company has the minimum or maximum level of controls—people are too devious and too clever and too resourceful, and they will always find ways to outsmart their computing counterparts.
A short list of recent examples in which all types of corporate controls were lacking isn’t that difficult to assemble: TJX’s customer data breach, which ranks as the largest ever; HP’s spying and pretexting scandal; the theft of a Transportation Security Administration hard drive containing 100,000 names, Social Security numbers, dates of birth and bank account data of current and former employees (including federal air marshals); and a vengeful Florida woman intentionally deleting $2.5 million worth of files off her company’s computer server.
I could go on. I won’t. The point is that where there’s a will, there’s a way, and not even the most ardent, expensive and well-thought-out info-security systems, auditing controls or encryption schemes can stop dangerous and highly capable minds.
Bruce Schneier, a cryptography and security expert, writes in his 2000 book Secrets and Lies about the fallacies of digital security mechanisms, such as encryption. He reasons that while the mathematical principles and algorithms behind 128-bit key and public-key infrastructure schemes are indeed perfect, the tools “don’t exist in a vacuum.” They exist in the real world. And the weak points in security have “nothing to do with mathematics,” he writes. “They [are] in the hardware, the software, the networks, and the people. Beautiful pieces of mathematics [are] made irrelevant through bad programming, a lousy operating system or someone’s bad password choice.”
In a cruel and ironic twist (or perhaps something akin to the Sports Illustrated cover jinx), Société Générale had been given an award in January by Risk magazine that praised its ability to manage its financial risks.
So what role should IT play? In “How to Monitor Workers’ Use of IT Without Becoming Big Brother,” I wrote about the inherent difficulties and legal landmines for IT staffers who are tasked with identifying and thwarting employees who violate company policies and procedures.
It’s not an easy role to play. There can be a lot of pressure on the “IT cops” who have to watch over all of the digital moves—both good and bad—that companies and their employees make every hour of every day. And then they have to act on them.
As the Société Générale story continues to unfold, those in the financial services industry are likely to see tighter risk-management procedures. According to former risk-control executives quoted in a Wall Street Journal article, financial institutions of all types are notorious for weakening risk-management procedures when times are good and profits are flowing fast. The article cites the “months of misery” endured at top U.S. banks and securities firms, which are being clobbered by the mortgage crisis, as evidence of such lax risk controls coming to fruition.
Given the state of global affairs, it’s quite conceivable that there might be more months of misery to come.