Royal Holloway: Control the controllers

So what really happened at Société Générale?

It is still too early to offer a definitive opinion on what went wrong at Société Générale and how to prevent it in future, but given the rumours swirling around, let's focus instead on the established facts, says Kenneth Paterson of the information security group at Royal Holloway, University of London.

Société Générale’s own interim report is a veritable goldmine of information. At 27 pages, it’s not an easy document to digest, but it makes for fascinating reading. It explains that the trader at the centre of the storm, Jerome Kerviel, was able to disguise extreme trading positions by creating false trades in the reverse direction, using undetermined, internal or even non-existent counterparties.

Slew of alerts

The report also reveals that a total of 75 separate internal alerts were raised on Kerviel’s trading activities between 2005 and 2008, but that none led to a robust internal investigation. Several externally generated alarms seem to have been ignored too.

The interim report indicates that Kerviel was not some new breed of super-hacker, and did not appear to have accomplices in other parts of the bank. Instead, he understood how to create layers of obfuscation to disguise his trading activities, and how to throw internal investigations off the scent.

It may be that the time Kerviel spent in the bank’s back-office gave him an insight into exactly how to achieve this. Sometimes, his techniques were laughably simple: bamboozling colleagues in the middle- and back-offices with phoney explanations for odd-looking trades, and even sending spoof-forwarded e-mails from alleged counterparties to persuade internal auditors that all was well.

The interim report shows Kerviel made a profit of 1.5 billion euros for Société Générale from these kinds of activities in 2007, and was apparently an overnight star performer. But Kerviel’s luck could not last, and in early 2008 his activities were uncovered. But only just. 

The first sign came on 2 January, when a daily report passed to Société Générale's group risk department failed because it did not contain up-to-date information on eight of Kerviel's transactions. When Kerviel supplied the missing data, the risk team's calculations revealed an unacceptably high level of risk associated with "Bank E", the counterparty to these trades.

It then took the best part of three weeks of to-ing and fro-ing between various Société Générale departments before the full picture emerged. Société Générale discovered it had an exposure of around 49 billion euros on index futures that was offset only by fictitious trades in the reverse direction. Société Générale was then forced to unwind Kerviel's positions under unfavourable market conditions, resulting in a loss of 6.4 billion euros.  

Lessons to be learned  

A key issue is whether Société Générale's internal controls were sufficiently robust to detect Kerviel's trading patterns. It is surprising that the bank's trading platform allowed Kerviel to initiate trades with bogus and non-existent counterparties. What controls, if any, were in place at the level of application software to detect or even prevent this from happening?

Of the 75 separate alerts concerning Kerviel's fraudulent activities, only one led to the discovery of the rogue trades. This alert was raised because a set of eight Kerviel trades were not compliant with the Basel II risk standards. An almost comical chain of e-mails and telephone calls involving some 30 employees in various bank departments followed before the situation was fully understood. Société Générale's incident response procedures seem sorely lacking.

And what of the other 74 alerts? Each was acted on by bank staff in full accordance with the bank's recommended controls. But these were simply ineffective. For example, in one case anomalies in Kerviel's accounts were attributed to recurring problems with the bank's IT systems. In another case, staff in the accounting department sought an explanation for discrepancies, but did not alert their immediate superiors even though the amounts involved were high (in some cases, more than 1 billion euros). In yet other cases, the middle-office was fobbed off with explanations that would not have stood up to any serious scrutiny.

The Société Générale report repeatedly highlights that audit and accounting rules were followed to the letter, but that staff did not go beyond the rules to ask hard questions of Kerviel or his office. Kerviel's activities were also spread across different financial instruments, and the bank lacked an integrated view of each trader's activities.
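The three control gaps the preceding paragraphs identify (trades accepted with undetermined or non-existent counterparties, alerts closed one at a time without escalation, and no integrated view of a trader's positions across instruments) can each be expressed as a small piece of application-level logic. The following is an added illustration written for this page; it is not code from the article, from Royal Holloway or from the bank, and the counterparty registry, trades, alerts and notional figures in it are constructed sample data, not figures from the interim report.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample registry: the only counterparties trades may be booked against.
APPROVED_COUNTERPARTIES: Set[str] = {"BANK-A", "BANK-B", "BANK-C"}


@dataclass(frozen=True)
class Trade:
    trade_id: str
    trader: str
    instrument: str
    counterparty: Optional[str]   # None means "undetermined" at booking time
    notional: float               # positive = long, negative = short (constructed units)


def check_counterparty(trade: Trade, approved: Set[str]) -> Tuple[bool, str]:
    """Preventive control: accept a trade only if its counterparty is named and
    present in the approved registry. Anything else is rejected at booking time
    instead of being left for a later reconciliation to question."""
    if not trade.counterparty:
        return False, "counterparty undetermined"
    if trade.counterparty not in approved:
        return False, "counterparty %s not in approved registry" % trade.counterparty
    return True, "ok"


def exposure_by_trader(trades: List[Trade], approved: Set[str]) -> Dict[str, Tuple[float, float]]:
    """Detective control: one view per trader across all instruments.
    Returns {trader: (booked_net, validated_net)}. booked_net nets every trade as
    entered; validated_net counts only trades that pass the registry check, so a
    reverse trade against a bogus counterparty cannot offset a real position."""
    booked: Dict[str, float] = defaultdict(float)
    validated: Dict[str, float] = defaultdict(float)
    for t in trades:
        booked[t.trader] += t.notional
        if check_counterparty(t, approved)[0]:
            validated[t.trader] += t.notional
    return {tr: (booked[tr], validated[tr]) for tr in booked}


def traders_to_escalate(alerts: List[Tuple[str, str, str]], threshold: int) -> List[str]:
    """Escalation control: alerts closed individually with a plausible explanation
    still count. Any trader whose cumulative alert count reaches the threshold is
    escalated regardless of how each single alert was resolved."""
    counts: Dict[str, int] = defaultdict(int)
    for trader, _alert_id, _resolution in alerts:
        counts[trader] += 1
    return sorted(tr for tr, n in counts.items() if n >= threshold)


# Constructed sample trades: trader T1 holds one real long position and two
# reverse trades, one with an undetermined and one with a non-existent counterparty.
SAMPLE_TRADES = [
    Trade("t-001", "T1", "INDEX-FUT", "BANK-A", 1000.0),
    Trade("t-002", "T1", "INDEX-FUT", None, -600.0),
    Trade("t-003", "T1", "OPTION", "BANK-Z", -400.0),
    Trade("t-004", "T2", "INDEX-FUT", "BANK-B", 250.0),
]

# Constructed alert history: every T1 alert was closed on its own, none escalated.
SAMPLE_ALERTS = [
    ("T1", "a-1", "closed: attributed to IT system problem"),
    ("T1", "a-2", "closed: explained by trader"),
    ("T1", "a-3", "closed: explained by trader"),
    ("T1", "a-4", "closed: forwarded e-mail from counterparty"),
    ("T2", "a-5", "closed: explained by trader"),
]

if __name__ == "__main__":
    for t in SAMPLE_TRADES:
        ok, reason = check_counterparty(t, APPROVED_COUNTERPARTIES)
        print(t.trade_id, "ACCEPT" if ok else "REJECT", reason)
    # T1 books to a net of 0.0 but carries a validated exposure of 1000.0
    print(exposure_by_trader(SAMPLE_TRADES, APPROVED_COUNTERPARTIES))
    print(traders_to_escalate(SAMPLE_ALERTS, threshold=3))
```

The point of the two-column exposure view is that the booked figure for T1 nets to zero, which is exactly what a reconciliation working instrument by instrument would see, while the validated figure shows the real 1000-unit position once the two reverse trades fail the counterparty check. The escalation rule is deliberately indifferent to how each alert was closed, since the report's finding is that individually plausible closures added up to nothing.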

To summarise: the back- and middle-office information security culture was not as it should have been, and lacked an appropriately cynical, hard-nosed and joined-up view of front-office activities.  

Biometric red herring?

Finally, we close with what would be the most amusing point of all, if it were not so startling. Société Générale's interim report opens with a statement from the special investigation committee, composed of directors of the bank. It identifies the need to strengthen the bank's control systems. And the number one control listed? The development of biometric identification solutions.

This seems to be a singularly inappropriate response to the problem, unless there are significant factors involved in Kerviel's activities which are not covered in the interim report. Nothing in this case has anything to do with the bank's inability to identify its employees. If biometrics are the answer, then what exactly was the question?
