
“Lessons Learned” from the Société Générale Incident

You probably noticed all the hoopla recently concerning Société Générale’s catastrophic trading incident, which reportedly cost the bank nearly €5 billion. Although this loss is huge, it is not unprecedented: Brian Hunter, then of Amaranth, lost the equivalent of €4.5 billion in bad energy trades in 2006.

How do incidents of this magnitude happen? The disturbing answer is that it depends. The case of Jérôme Kerviel at Société Générale had a huge security component. Kerviel initiated enormous trades that turned sour. He should not have been able to initiate trades of that size, because Société Générale had controls in place that required additional approval for such transactions. Kerviel allegedly got around them by breaking into the systems of fellow employees, simply learning or guessing their usernames and passwords while he worked late. With access to those accounts, he allegedly used automated means to enter the required approvals himself, effectively bypassing the traditional “two-man rule” that permeates the financial and trading world and leaving the bank’s risk management staff unable to see the size of his bets on the direction of equity indexes. He also allegedly entered bogus trades in the opposite direction from the real ones to further cover his tracks. This sequence of events closely resembles what happened well over a decade earlier at Barings Bank, where trader Nick Leeson was able to social-engineer his way around trading controls. In doing so, Leeson racked up a loss of $1.3 billion, roughly $2 billion in today’s money.
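The bypass described above, as an added example that is not part of the original post and not code from any Société Générale system: a small Python audit over constructed trade-system events that flags approvals which do not actually involve a second person (same account, same workstation, or an approval that arrives faster than a human could review), large trades with no approval at all, and a trader entering opposite sides of the same instrument on the same day. The event fields, the notional threshold, the timing threshold, and the sample records are all hypothetical and chosen for illustration.

```python
"""Maker-checker audit over constructed trade-system events.

Added example, not the original post's or any bank's code. Event field
names (ts, user, action, trade_id, instrument, side, notional, host) and
the thresholds below are hypothetical and chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LARGE_NOTIONAL = 50_000_000               # hypothetical: above this, a second approver is required
MIN_APPROVAL_GAP = timedelta(minutes=2)   # hypothetical: faster than a plausible human review

# Constructed sample events; not real trading-system records.
SAMPLE_EVENTS = [
    # T100: large trade "approved" from the initiator's own workstation, 4 s later
    {"ts": "2008-01-18T22:03:10", "user": "trader_a", "action": "initiate",
     "trade_id": "T100", "instrument": "DAX-FUT", "side": "buy",
     "notional": 120_000_000, "host": "WS-17"},
    {"ts": "2008-01-18T22:03:14", "user": "riskmgr_b", "action": "approve",
     "trade_id": "T100", "host": "WS-17"},
    # T101: an offsetting sell by the same trader, never approved at all
    {"ts": "2008-01-18T22:05:00", "user": "trader_a", "action": "initiate",
     "trade_id": "T101", "instrument": "DAX-FUT", "side": "sell",
     "notional": 120_000_000, "host": "WS-17"},
    # T102: a large trade approved by a different person, elsewhere, 40 min later
    {"ts": "2008-01-21T09:00:00", "user": "trader_c", "action": "initiate",
     "trade_id": "T102", "instrument": "ESTX50-FUT", "side": "buy",
     "notional": 80_000_000, "host": "WS-03"},
    {"ts": "2008-01-21T09:40:00", "user": "riskmgr_d", "action": "approve",
     "trade_id": "T102", "host": "WS-41"},
    # T103: a small trade that needs no second approver
    {"ts": "2008-01-21T10:00:00", "user": "trader_c", "action": "initiate",
     "trade_id": "T103", "instrument": "ESTX50-FUT", "side": "buy",
     "notional": 1_000_000, "host": "WS-03"},
]


def _ts(event):
    """Parse the event's ISO 8601 timestamp."""
    return datetime.fromisoformat(event["ts"])


def audit(events):
    """Return a sorted list of (trade_id, finding) pairs.

    Findings:
      missing_approval  large trade with no approval event at all
      self_approval     initiator and approver are the same account
      same_host         approval came from the initiator's workstation
      too_fast          approval arrived quicker than a human review could
      offsetting_pair   same user entered opposite sides of one instrument
                        on the same day (worth a look, not proof of anything)
    """
    initiations = {}
    approvals = defaultdict(list)
    for e in events:
        if e["action"] == "initiate":
            initiations[e["trade_id"]] = e
        elif e["action"] == "approve":
            approvals[e["trade_id"]].append(e)

    findings = set()
    for tid, init in initiations.items():
        if init["notional"] < LARGE_NOTIONAL:
            continue                      # below the threshold: one person may act alone
        if not approvals[tid]:
            findings.add((tid, "missing_approval"))
            continue
        for ap in approvals[tid]:
            if ap["user"] == init["user"]:
                findings.add((tid, "self_approval"))
            if ap["host"] == init["host"]:
                findings.add((tid, "same_host"))
            if _ts(ap) - _ts(init) < MIN_APPROVAL_GAP:
                findings.add((tid, "too_fast"))

    # Opposite sides of the same instrument by the same user on the same day.
    by_key = defaultdict(list)
    for init in initiations.values():
        by_key[(init["user"], init["instrument"], _ts(init).date())].append(init)
    for group in by_key.values():
        if {i["side"] for i in group} == {"buy", "sell"}:
            for i in group:
                findings.add((i["trade_id"], "offsetting_pair"))

    return sorted(findings)


if __name__ == "__main__":
    for trade_id, reason in audit(SAMPLE_EVENTS):
        print(trade_id, reason)
```

The point of the host and timing checks is that a password on the approver's account proves nothing about who typed it; an approval that comes from the initiator's own desk seconds after the trade is a second account, not a second person. In a real deployment the same checks would run against the authentication logs rather than the trade blotter alone, so that an approver session started from another user's workstation is visible even when the approval itself looks clean.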

Hunter, on the other hand, did not really engage in any activity that could be construed as improper. He had risen to manage an energy trading unit within Amaranth and began initiating larger and larger positions, free of the restrictions he had faced before his promotion. The only potential clue that Hunter might be a bad risk was his troubled history in his previous job at Deutsche Bank.

Because the causes of incidents such as these vary so widely, information security professionals (who are so often pressed to come up with an overwhelmingly convincing case for investing resources in needed security controls) must be ultra-discreet in drawing and communicating “lessons learned” from them. A definite security-related lesson does exist in the Kerviel incident: a two-man rule is only as strong as the authentication behind the second man, so at a minimum, any financial institution (let alone any other kind) that relies on password security alone to protect the approval of mega-transactions is effectively “asking for it.” In contrast, no such lesson appears to exist in the Hunter incident. At the same time, however, these and other incidents involving huge trading losses all point once again to one indelible truth: when all is said and done, people are by far the greatest source of risk.
