Societe Generale bolsters internal controls, discovers second insider

Trader Jerome Kerviel conducted more than $7 billion in fraudulent trades with the help of an assistant, according to an investigation conducted by banking giant Societe Generale

French banking giant Societe Generale issued a report Friday into how a rogue trader carried out more than $7 billion in fraud and ways the bank is bolstering security and internal control procedures to prevent future problems.

The Societe Generale report, written by PricewaterhouseCoopers and a special committee of the bank's board of directors, found that security system upgrades and new procedures were being deployed on schedule. The design phase of the program is nearly complete and the upgrades are expected to be rolled out over the course of two to three years.

Societe Generale acknowledged in January that Jerome Kerviel, a 31-year-old trader, used his knowledge of the bank's processing and control procedures to conduct fraudulent trades that wound up costing the bank more than $7 billion. Kerviel allegedly used stolen passwords and other means to conceal his illegal activity.

The bank's investigation also found that Kerviel had an assistant who entered a large number of fraudulent trades into the bank's systems. The bank calls the assistant a "middle office operational assistant," and said that the person entered at least 15% of Kerviel's fraudulent trades. The person had knowledge of the bank's operations division and was able to turn off any alerts triggered by Kerviel's trades. An email message between Kerviel and his assistant referring to the fraudulent trades was also discovered.

Since the discovery of the fraud in January, the bank has been bolstering its internal controls, starting with security training for traders and support staff. The bank is also revoking traders' write-access rights to middle office IT applications.

According to the report, Kerviel's fraudulent activity began in 2005 and took on massive proportions beginning in March 2007. The report characterizes oversight by Kerviel's trading manager and direct supervisor as "weak," resulting in little accountability for all the trades he conducted.

"His new manager did not carry out any detailed analysis of the earnings generated by his trades or of their positions, thereby failing to fulfill one of the main tasks expected from a trading manager," according to the committee's findings.

In addition to internal processes, the bank said it was making "significant investments" in IT security to bolster applications and network infrastructure to detect problems and track actions carried out by the end-user. The bank will roll out a system designed to control and monitor the consistency of a user and the workstation used in a given day. A flaw discovered in the bank's Equities division transactional system is also being patched.

End-users have too many passwords for various applications and systems, according to the report. Some users were saving their passwords within spreadsheets and automatically logging into systems. The IT department will bolster management of user accounts and deploy a new authentication system to address the security gap. To reduce the number of passwords that one person needs to access sensitive applications, a software package will be rolled out and in place by 2009 so users can save their passwords securely.

Societe Generale's board of directors concluded that the bank's IT department would be under great pressure to implement internal control procedures and deploy security technologies.

"The capacity of the information technology department to respond to all of the demands will be a determining factor in the program's success," the committee said. "The bank will therefore have to recruit, train and integrate experienced employees."
