Notes on a trading scandal: What went wrong at Société Générale?
Société Générale disclosed
last week that unauthorized trading by one of its employees had cost it
$7.1 billion. Beyond the rogue trader, where does the blame for the scandal
lie?
French President Nicolas Sarkozy called the events at Société
Générale a "large-scale internal fraud", and Daniel
Bouton the Société Générale Chairman said the fraud
was a "one-off" and denied it was a trading or risk-management fault.
According to reports in the Wall
Street Journal, Mr. Kerviel "worked late into the night, essentially
burrowing into Société Générale's computers, as
he allegedly built a multilayered way to hide his trades by hacking into the
computer systems." The bank believes that "Mr. Kerviel spent many
hours of hacking to eliminate controls that would have blocked his super-sized
bets. Changes he is said to have made enabled him to eliminate credit and trade-size
controls, so the bank's risk managers couldn't see his giant trades on the direction
of indexes. Mr. Kerviel used the computer log-in and passwords of colleagues
both in the trading unit and the technology section."
If anyone had cared to pay any attention to what’s going on in business
globally they would have been aware that studies
by law enforcement agencies and Carnegie Mellon University’s Software Engineering
Institute CERT Program have proven that up to 90% of incidents in business relating
to the loss of assets results from staff that have privileged access to IT systems
and applications. It seems that the suspect trader had “in-depth knowledge
of the control procedures resulting from this former employment in the middle-office,"
and “in-depth knowledge of the control procedures” certainly means
privileged access to sensitive data.
Another interesting side note from the Carnegie Mellon study is that 57% of
those who were responsible for the fraud should not have had authorized system
access at the time of the attack. Many used privileged system access to take
technical steps to set up the attack before termination. It seems our Mr Kerviel
had knowledge from six years in Société Générale's
back office. Apparently he had to “breach five levels of controls to get
away with his trades” according
to a bank spokesman -- Piece of cake for anyone with privileged access!
Some other minor stats from the Carnegie Mellon report that I’m sure that
Société Générale would concur with today are that
81% of the organizations that are attacked experience a negative financial impact
as a result of insider activities; 75% of the organizations experience some
impact on their business operations, and 28% of the organizations experienced
pasmith
Kindle news: pricing, business models and ... source code?
mulderjoe
Cell phone gaming: In search of good mobile games
jfruh
The guts of the iPhone 3GS
Enter your caption for this week's cartoon! The winner will receive a $25 Amazon gift card. Go now!
Essential JavaFX
Get started building rich Web apps quickly with an introduction to the power of JavaFX key features -- scene node graphs, nodes as components, the coordinate system, layout options, colors and gradients, custom classes with inheritance, animation, binding, and event handlers.Enter now!
The Nomadic Developer
Consulting can be hugely rewarding, but it's easy to fail if you are unprepared. To succeed, you need a mentor who knows the lay of the land. Aaron Erickson is your mentor, and this is your guidebook. Enter now!
