Investment banks have been advised to strengthen
controls over staff use of automated trading systems following the
massive fraud at French bank Société
Générale.
Firms in the sector should involve senior business managers in
all changes to trading control systems, and implement and enforce
password management to control staff access to technology, industry
experts said.
The warning came after SocGen revealed losses of £3.6bn as a
result of a rogue trader operating outside his authorisation.
SocGen trader Jerome Kerviel allegedly used his knowledge of his
employer's back-office systems and built-in checks and balances to
evade detection of his trading activities, accumulating massive
losses in the process.
The case has parallels with notorious rogue trader
Nick Leeson, who in 1995 lost Barings Bank over £800m through
unauthorised trading. Like Kerviel, Leeson had back-office
expertise and used his knowledge to avoid checks and balances.
The Kerviel case highlights the failure of SocGen's anti-fraud
systems and procedures, putting at risk billions of pounds and the
bank's reputation.
Investment banks typically use exception profiling software to
identify anomalies in trading behaviour. But TowerGroup analyst
Ralph Silva said it was common for traders to adjust systems
manually to allow trades that would normally be blocked.
"The traders sometimes ask IT to change the boundaries of the
systems and IT usually do it because they think traders are
important," added Silva. "There needs to be a separation between IT
and the traders and they should not even be friends."
Senior managers from the business should have to approve any
changes to the systems, he said.
This is the practice at internet bank Admertec. John Bertrand,
director, said every change made to trading systems was
cross-checked by people in the business. "You need somebody to
check who has no interest."
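The control Silva and Bertrand describe is a four-eyes (dual-control) approval: a request to move a trading-system boundary is recorded, is only applied once a senior business manager who did not raise it signs off, and IT cannot approve it at all. The following is an added example, not code from SocGen, Admertec or any product named in the article; the desk names, limit values and role model are constructed assumptions.

```python
"""Four-eyes change control for trading-limit boundaries (added example).

Not the code of any firm mentioned in the article. Roles, desk names and
limit values below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Role(Enum):
    TRADER = "trader"
    IT = "it"
    SENIOR_BUSINESS = "senior_business"


@dataclass(frozen=True)
class User:
    name: str
    role: Role


@dataclass
class LimitChange:
    request_id: int
    desk: str
    new_limit: float
    requester: User
    approver: Optional[User] = None
    applied: bool = False


class ChangeControlError(Exception):
    pass


class TradingLimits:
    """Per-desk position limits. A requested change is applied only after a
    senior business manager who is not the requester approves it; the
    request and the approval are both written to an audit trail."""

    def __init__(self, limits: dict):
        self.limits = dict(limits)
        self.requests = {}
        self.audit = []
        self._next_id = 1

    def request_change(self, requester: User, desk: str, new_limit: float) -> int:
        if desk not in self.limits:
            raise ChangeControlError(f"unknown desk {desk}")
        rid = self._next_id
        self._next_id += 1
        self.requests[rid] = LimitChange(rid, desk, new_limit, requester)
        self.audit.append(
            f"REQUEST {rid}: {desk} {self.limits[desk]} -> {new_limit} "
            f"by {requester.name} ({requester.role.value})")
        return rid

    def approve(self, approver: User, rid: int) -> None:
        req = self.requests[rid]
        if req.applied:
            raise ChangeControlError(f"request {rid} already applied")
        # Separation of duties: only the business signs off, and never the
        # person who raised the request (so IT cannot "just do it").
        if approver.role is not Role.SENIOR_BUSINESS:
            raise ChangeControlError(f"{approver.name} is not a senior business manager")
        if approver.name == req.requester.name:
            raise ChangeControlError("requester cannot approve their own change")
        req.approver = approver
        req.applied = True
        self.limits[req.desk] = req.new_limit
        self.audit.append(f"APPROVE {rid}: {req.desk} now {req.new_limit} by {approver.name}")

    def check_trade(self, desk: str, notional: float) -> bool:
        """True if the trade is within the desk's current limit."""
        return abs(notional) <= self.limits[desk]


def demo() -> dict:
    """Walk through the flow; returns the outcomes so they can be checked."""
    limits = TradingLimits({"equity-index": 10_000_000.0})  # constructed
    trader = User("trader-a", Role.TRADER)
    it_admin = User("it-ops", Role.IT)
    manager = User("desk-head", Role.SENIOR_BUSINESS)
    out = {"blocked_before": limits.check_trade("equity-index", 15_000_000.0)}
    rid = limits.request_change(trader, "equity-index", 20_000_000.0)
    try:
        limits.approve(it_admin, rid)        # IT must not be able to sign off
        out["it_approval_rejected"] = False
    except ChangeControlError:
        out["it_approval_rejected"] = True
    out["blocked_after_it_attempt"] = limits.check_trade("equity-index", 15_000_000.0)
    limits.approve(manager, rid)             # business sign-off applies the change
    out["allowed_after"] = limits.check_trade("equity-index", 15_000_000.0)
    own = limits.request_change(manager, "equity-index", 50_000_000.0)
    try:
        limits.approve(manager, own)         # self-approval is also refused
        out["self_approval_rejected"] = False
    except ChangeControlError:
        out["self_approval_rejected"] = True
    out["audit_entries"] = len(limits.audit)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The audit list is the piece Bertrand's "somebody who has no interest" needs: the reviewer sees who asked, who approved and what moved, rather than having to reconstruct it from the trading system's current settings.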
He added that lax password management for legacy systems was
often the cause of security breaches.
SocGen alleges that Kerviel used the passwords of other
individuals to commit his fraud. "He misappropriated the IT access
codes belonging to operators in order to cancel certain
operations," claimed the bank.
Calum Macleod, European director at security supplier Cyber-ark,
said the bank's failure to put an effective policy for password
management in place had left it open to fraud. He added that
financial organisations had trouble managing passwords because of
the high number of applications and authorised workers.
"The rogue trader would not have to be an IT expert to get the
passwords because they are not regularly changed and often use the
default passwords set by the application suppliers," said
Macleod.
One investment banking source said it was not uncommon to find
passwords stuck to the wall next to machines for general
use.
Silva said firms should use biometrics, such as fingerprints,
instead of passwords.
David Clark, director and fellow at the
Institute of Operational
Risk (IOR), said financial service organisations would look at
different ways of using technology post-SocGen. "There is not a
magic piece of kit out there, it is about how you use
technology."
Clark said linking middle office and senior management was
essential to ensure that IT can manage access in line with business
requirements and compliance.
Recommendations for financial services firms
- Regularly change passwords for systems.
- Ensure passwords are not shared.
- Cross-check security system changes with senior business.
- Ensure that access to systems is only given to the people who need it.
- Use biometrics to verify identities.
- Make sure monitoring software is up to date.