It is still too early to offer a definitive opinion on
what went wrong at Société Générale and how to prevent it in
future, but given the rumours swirling around, let's focus instead
on the established facts, says Kenneth Paterson of the
information security group at Royal Holloway,
University of London.
Société Générale’s own interim report is a veritable goldmine
of information. At 27 pages, it’s not an easy document to digest,
but it makes for fascinating reading. It explains that the trader
at the centre of the storm, Jerome Kerviel, was able to disguise
extreme trading positions by creating false trades in the reverse
direction, using undetermined, internal or even non-existent
counterparties.
Slew of alerts
The report also reveals that a total of 75 separate internal
alerts were raised on Kerviel’s trading activities between 2005 and
2008, but that none led to a robust internal investigation. Several
externally generated alarms seem to have been ignored too.
The interim report indicates that Kerviel was not
some new breed of super-hacker, and did not appear to have
accomplices in other parts of the bank. Instead, he understood how
to create layers of obfuscation to disguise his trading activities,
and how to throw internal investigations off the scent.
It may be that the time Kerviel spent in the bank’s back-office
gave him an insight into exactly how to achieve this. Sometimes,
his techniques were laughably simple: bamboozling colleagues in the
middle- and back-offices with phoney explanations for odd-looking
trades, and even sending spoof-forwarded e-mails from alleged
counterparties to persuade internal auditors that all was well.
The interim report shows Kerviel made a profit of 1.5 billion
euros for Société Générale from these kinds of activities in 2007,
and was apparently an overnight star performer. But Kerviel’s luck
could not last, and in early 2008 his activities were uncovered.
But only just.
The first sign came on 2 January, when a daily report passed to
Société Générale's group risk department failed because it did not
contain up-to-date information on eight of Kerviel's transactions.
When Kerviel supplied the missing data, the risk team's
calculations revealed an unacceptably high level of risk associated
with "Bank E", the counterparty to these trades.
It then took the best part of three weeks of to-ing and fro-ing
between various Société Générale departments before the full
picture emerged. Société Générale discovered it had an exposure of
around 49 billion euros on index futures that was offset only by
fictitious trades in the reverse direction. Société Générale was
then forced to unwind Kerviel's positions under unfavourable market
conditions, resulting in a loss of 6.4 billion euros.
Lessons to be learned
A key issue is whether Société Générale's internal controls were
sufficiently robust to detect Kerviel's trading patterns. It is
surprising that the bank's trading platform allowed Kerviel to
initiate trades with bogus and non-existent counterparties. What
controls, if any, were in place at the level of application
software to detect or even prevent this from happening?
Of the 75 separate alerts concerning Kerviel's fraudulent
activities, only one led to the discovery of the rogue trades. This
alert was raised because a set of eight Kerviel trades were not
compliant with the Basel II risk standards. An
almost comical chain of e-mails and telephone calls involving some
30 employees in various bank departments followed before the
situation was fully appreciated. Société Générale's incident
response procedures seem sorely lacking.
And what of the other 74 alerts? Each was acted on by bank staff
in full accordance with the bank's recommended controls. But these
were simply ineffective. For example, in one case anomalies in
Kerviel's accounts were attributed to recurring problems with the
bank's IT systems. In another case, staff in the accounting
department sought explanation for discrepancies, but did not alert
their immediate superiors even though the amounts involved were
high (in some cases, more than 1 billion euros). In yet other
cases, the middle-office was fobbed off with explanations that
would not have stood up to any serious scrutiny.
The Société Générale report repeatedly highlights that audit and
accounting rules were followed to the letter, but that
staff did not go beyond the rules to ask hard
questions of Kerviel or his office. Kerviel's activities were also
spread across different financial instruments, and the bank lacked
an integrated view of each trader's activities.
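The two questions raised above, what an application-level control against bogus counterparties would look like and what an integrated per-trader view would show, can be made concrete. The sketch below is an added illustration written for this article; it is not code from Société Générale, from its interim report, or from the author. The counterparty master list, the trade blotter, the trader and counterparty names and the escalation limit are all constructed for the example. It shows a preventive check (a booking is refused unless the counterparty is on an approved list, so undetermined, internal and non-existent names all fail the same way) and a detective one (each trader's positions are rolled up across instruments, counting only legs that face a verified counterparty, so reverse-direction trades against placeholder counterparties cannot net a real exposure down to zero).

```python
"""Added illustration for the article (not the bank's or the report's code):
(1) refuse bookings whose counterparty is not on an approved master list;
(2) roll each trader's positions up across instruments, counting only legs
with a verified counterparty, so fictitious offsets cannot hide exposure."""
from collections import defaultdict

# Constructed counterparty master list (hypothetical names).
APPROVED_COUNTERPARTIES = {"BANK_A", "BANK_B", "CLEARING_HOUSE_X"}

# Constructed sample blotter (hypothetical trades). Positive notional = long,
# negative = short. Trades 2 and 3 are reverse-direction legs of the kind the
# article describes: they flatten the book on paper but face a placeholder and
# an internal desk rather than a real counterparty.
SAMPLE_TRADES = [
    {"id": 1, "trader": "T1", "instrument": "DAX_FUT",  "counterparty": "BANK_A",          "notional_eur": 2_000_000_000},
    {"id": 2, "trader": "T1", "instrument": "DAX_FUT",  "counterparty": "PENDING",         "notional_eur": -2_000_000_000},
    {"id": 3, "trader": "T1", "instrument": "ESTX_FUT", "counterparty": "INTERNAL_DESK_7", "notional_eur": -1_500_000_000},
    {"id": 4, "trader": "T1", "instrument": "ESTX_FUT", "counterparty": "BANK_B",          "notional_eur": 1_500_000_000},
    {"id": 5, "trader": "T2", "instrument": "DAX_FUT",  "counterparty": "BANK_B",          "notional_eur": 50_000_000},
]

# Hypothetical per-trader limit on verified net exposure above which the
# position must be escalated to someone outside the desk.
ESCALATION_LIMIT_EUR = 1_000_000_000


def counterparty_check(trade, approved=APPROVED_COUNTERPARTIES):
    """Return None if the counterparty is bookable, otherwise a reason string.
    An allow-list is used on purpose: there is no list of 'bad' names to keep
    up to date, and undetermined, internal and non-existent names all fail."""
    cp = (trade.get("counterparty") or "").strip()
    if not cp:
        return "counterparty missing"
    if cp not in approved:
        return f"counterparty {cp!r} not on approved master list"
    return None


def book_trade(trade, blotter, approved=APPROVED_COUNTERPARTIES):
    """Preventive control: refuse the booking rather than alert afterwards."""
    reason = counterparty_check(trade, approved)
    if reason is not None:
        raise ValueError(f"trade {trade['id']} rejected: {reason}")
    blotter.append(trade)
    return trade["id"]


def trader_exposure(trades, approved=APPROVED_COUNTERPARTIES):
    """Detective control: one view per trader across all instruments.

    'net' is what a report that trusts every leg would show; 'gross' is total
    notional either way; 'verified_net' counts only legs that face an approved
    counterparty and is the figure that should drive escalation."""
    out = defaultdict(lambda: {"net": 0, "gross": 0, "verified_net": 0, "unverified_legs": []})
    for t in trades:
        row = out[t["trader"]]
        n = t["notional_eur"]
        row["net"] += n
        row["gross"] += abs(n)
        if counterparty_check(t, approved) is None:
            row["verified_net"] += n
        else:
            row["unverified_legs"].append(t["id"])
    return dict(out)


def escalations(trades, limit=ESCALATION_LIMIT_EUR, approved=APPROVED_COUNTERPARTIES):
    """Traders whose verified net exposure exceeds the limit, together with
    the unverified legs that were making the book look flat."""
    return {
        trader: row
        for trader, row in trader_exposure(trades, approved).items()
        if abs(row["verified_net"]) > limit
    }


if __name__ == "__main__":
    blotter = []
    for t in SAMPLE_TRADES:
        try:
            book_trade(t, blotter)
        except ValueError as e:
            print(e)
    # Even if the bad legs had slipped past booking, the roll-up exposes them:
    for trader, row in escalations(SAMPLE_TRADES).items():
        print(trader, row)
```

On the constructed blotter, trader T1's net position is zero and a per-instrument report would show nothing unusual; the roll-up shows 7 billion euros gross, 3.5 billion euros net once the two unverified legs are discounted, and names those legs. That is the joined-up, hard-nosed view the article says the middle- and back-offices lacked.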
To summarise: the back- and middle-office information security
culture was not as it should have been, and lacked an appropriately
cynical, hard-nosed and joined-up view of front-office activities.
Biometric red herring?
Finally, we close with what would be the most amusing point of
all, if it were not so startling. Société Générale's interim report
opens with a statement from the special investigation committee,
composed of directors of the bank. It identifies the need to
strengthen the bank's control systems. And the number one control
listed? The development of
biometric identification solutions.
This seems to be a singularly inappropriate response to the
problem, unless there are significant factors involved in Kerviel's
activities which are not covered in the interim report. Nothing in
this case has anything to do with the bank's inability to identify
its employees. If biometrics are the answer, then what exactly was
the question?
Read more expert advice from the Computer Weekly Security Think
Tank.