Risk without reward

How fraud at Societe Generale bank underscores the business need to control internal IT threats


It's a lethal combination of process oversights and system failures that is the stuff of CIO nightmares: An investigation into rogue trader JerĂ´me Kerviel's allegedly fraudulent actions at Societe Generale bank uncovered an apparent breakdown in financial and internal IT controls subverted by an employee with IT know-how and authorized systems access.

The tale of Kerviel's exploits, which led to $7.2 billion in losses for one of France's largest banks, continues to unfold as French police probe the 31-year-old trader's transactions. On April 18, Societe Generale named its former CFO, Frederic Oudea, as CEO, replacing Daniel Bouton, who remains the bank's chairman. The company is also rumored to be a takeover target.

Meanwhile, IT experts say, the case should serve as a warning that businesses can do better to manage IT-related risk.

"Much time is spent on protecting the external threat," says J.R. Reagan, managing director and global solution leader for risk, compliance and security at BearingPoint. "But the internal threat can be even larger in terms of risk to the company." In the case of Societe Generale, not only were IT security controls insufficient, but the bank's staff did not fully investigate red flags that arose. Recent research by the Ponemon Institute concludes that "insider threats represent one of the most significant information security risks." In a survey of 700 IT practitioners published by the group in February, 78 percent said they believe individuals have too much access to information that isn't pertinent to their jobs, while 59 percent said such access presents business risks. What's more, IT professionals see a disconnect with business leaders: 74 percent said senior management does not view governance of access to information as a strategic issue.

Many business executives don't know what their risks are and, even if they do, they may have a tough time balancing potential losses against potential gains, says Scott Crawford, a security expert and research director at Enterprise Management Associates. "There's always this delicate balancing act between taking advantage of opportunities and doing an effective job of IT risk management," he notes. "This notion of business risk exposure in IT still is a challenge particularly for the CIO but for the business as a whole."

The Societe Generale case offers lessons for IT leaders in how to manage access-related risks.

Exploiting a Risky Business

One of Societe Generale's primary business lines is derivatives-financial instruments that allow traders to make contracts on a wide range of assets (such as equities, bonds or commodities) and attempts to reduce (or hedge) the financial risk for one party in the deal. Trading derivatives, however, necessitates some aggressiveness and can be fraught with risk. (Think of the infamous story of Nick Leeson, a former derivatives trader whose unauthorized speculative trading led to the collapse of the United Kingdom's Barings Bank in 1995.)

The French bank isn't the only company recently to suffer from risky behavior by employees. Bear Stearns, rocked by losses from its investments in subprime mortgages, was acquired by J.P. Morgan Chase for $2 a share in March when clients lost confidence that the firm could pay its debts. In February, Credit Suisse reported an unexpected write-down of $2.8 billion that CEO Brady Dougan attributed to "mismarkings and pricing errors by a small number of traders in certain positions" in the company's structured credit business. Kareem Serageldin, Credit Suisse's recently appointed global head of collateralized debt obligations, was among employees suspended after an internal review uncovered the errors.

Dougan told analysts looking for reassurance that even with the announcement, "we feel we have actually managed our risk fairly well," but that the company still needed to "continue to focus on improving its risk management practices and procedures."

This content continues onto the next page...