Risk without reward

How fraud at Societe Generale bank underscores the business need to control internal IT threats


BearingPoint's Reagan observes that in the case of Societe Generale, "their activities deal with high volume, high velocity and quick tempo trading of stock," and it's likely business leaders "wouldn't put up with" security measures that would slow them down. For example, Societe Generale employed single-factor authentication (using one method, such as passwords, to grant access to its systems) rather than stronger dual-factor authentication (requiring that individuals employ two methods of identifying themselves to gain access).

"The security team needs to explain the risk exposure and the possibility of losing billions in fraudulent trades if security is not adequately addressed," Reagan says. "But most security guys aren't well enough in tune with the business to be able to articulate a business case like that."

That disconnect can be enormously destructive, as the Societe Generale incident shows. "The Societe Generale case brings to the fore the fact that business risk can be directly exposed through IT," Crawford says. "Kerviel allegedly manipulated the IT controls on the business systems based on his midoffice experience and back-office [IT] knowledge and expertise."

Between Jan. 18 and Jan. 20, the bank discovered that Kerviel had established trading positions-bets that the price of securities and warrants would move in a particular direction-that were worth more than the bank itself. He bet wrongly, and unwinding those positions over the following three days cost the bank about $7.2 billion as it sold the stocks into a falling market.

As an arbitrage trader, Kerviel should have been making transactions in pairs, buying and selling similar assets to exploit the minute and fleeting differences in prices that exist in markets. Arbitrage trading is considered less glamorous than the one-way bets he secretly made from time to time by faking one half of a pair of transactions.

A preliminary internal investigation by Societe Generale noted that Kerviel had previously worked in the bank's IT department, and so had in-depth knowledge of its systems and procedures. Staff mostly followed those procedures, the investigating committee found, but the procedures were not in themselves sufficient to identify the fraud before Jan. 18, partly because of the effort Kerviel made to avoid detection, and partly because staff did not systematically conduct in-depth investigations when warning flags were raised.

Among the tricks Kerviel used to hide his activities, the bank's investigation highlighted the use of fake e-mail messages to justify missing trades, and the borrowing of colleagues' log-in credentials to conduct trades in their name.Investigators identified at least seven occasions on which Kerviel faked messages between April 2007 and Jan. 18, four of them referencing trades that never existed. The deception was uncovered when they could find no trace of Kerviel receiving the purported messages in the bank's e-mail archival system, Zantaz.

Between July 2006 and September 2007, internal control systems raised 24 alerts when the value of Kerviel's trades exceeded authorized limits, the General Inspection department reported. At the time, the bank's risk monitoring unit put the anomalies down to recurrent problems with the way the trading software recorded operations, and asked Kerviel's superiors to make sure he didn't exceed limits again.

The special committee made a number of recommendations, including the use of stronger, biometric authentication systems to prevent traders from accessing one another's accounts, and the improvement of alert procedures so warnings reach the appropriate managers. In addition, it suggests the tightening of trading controls, which do not cover cancelled or modified transactions-two of the tricks Kerviel used to conceal his bets.

Auditors are still looking for suspect trades to make sure all have been uncovered, and investigators have yet to review Kerviel's use of an instant-messaging service for evidence of his activities, the special committee said. It will present a final report to shareholders at the annual general meeting on May 27.

Meanwhile, on April 1, at a conference sponsored by Morgan Stanley, Oudea said the bank had tightened its IT security and access to its information systems, among other measures to improve its operational controls.Lessons for I.T.