Societe Generale: Lessons Learned on the Insider Threat
It was the scandal that rocked the banking world. French bank Societe Generale recently revealed details of a disaster created by a rogue insider who cost the institution $7.2 billion in fraudulent trades. It was the biggest such scandal in history.
We recently spoke with Linda Najim and Jason Gaswirth of Diamond Management & Technology Consultants, authors of a new report, "Notes on a Scandal: Lessons in Operational Risk Management from Societe Generale." Read this interview transcript for insights on:
- How Soc Gen happened;
- Why it can happen again;
- How the fraud could have been prevented;
- Actions institutions can take to prevent such crimes in the future.
TOM FIELD: Hi, this is Tom Field with Information Security Media Group, and today we're here to talk about the insider threat. Specifically, we're going to talk about the aftermath of Societe Generale, the scandal that represents lessons learned in operational risk management, really. We're talking today with two representatives of Diamond Management and Technology Consultants Financial Services Practice. They've authored a new report called "Notes on a Scandal: Lessons in Operational Risk Management from Societe Generale," which we'll refer to from now on as Soc Gen. With us today are Linda Najim, partner in Diamond Management and Technology Consultants Financial Services Practice, with expertise in operational risk and compliance, technology strategy development and process reengineering. Also with us is Jason Gaswirth, manager of Diamond Management and Technology Consultants Financial Services Practice as well, who recently worked closely with a leading Wall Street client to develop robust information protection and access entitlement management practices and capabilities. Linda and Jason, thanks so much for joining me today.
LINDA NAJIM: Good morning, Tom.
JASON GASWIRTH: Good morning.
FIELD: Linda, let me throw the first question your way. Soc Gen - why does this resonate so well in the global marketplace?
NAJIM: Tom, I think there are really two reasons. The first simply is the magnitude of the event - $7 billion in losses, far surpassing any other example of unauthorized trading incidents, and really not just in recent history, but in history. It's had a ripple effect both on Soc Gen's financial position and also the European and world marketplace. The second thing is a bit of a Robin Hood scenario, I think. Jerome is a relatively junior trader - fairly young guy. He was able to accumulate a $7 billion loss position over four years, really covering his tracks, and he's actually turned into a little bit of a cult hero with some people who look at him as someone who's sort of brought down potentially one of the largest banks of France.
FIELD: You're exactly right. Jason, is there anything you want to add to what Linda said?
GASWIRTH: No, I mean I think part of - I think Linda hit it right on with the fact that he's kind of been romanticized, and, you know, we were just discussing that there's websites kind of out there dedicated to Jerome. So I think it's become a bit of a phenomenon beyond the actual fraud incident.
FIELD: That's a great point. Now Linda, I want to turn to you again, because the big question that we hear constantly at Information Security Media Group is: how did it happen?
NAJIM: Well, the details are still emerging, but there are different causes that have been verified in both internal audit reports and other findings. So, some of the causes are quite clear. The first is that Jerome was a trusted insider. He worked in the back and middle office, and he used that knowledge to circumvent controls that were in place in the bank to avoid detection - so things like manufacturing emails or fax confirmations. He also had unauthorized access to systems. We're not entirely clear. It seems that he used both the credentials and access of other people, and perhaps had access to systems he shouldn't have had access to that allowed him to cover his tracks. There also seemed to be inadequate trading limits in place, so that his positions weren't raising the right kinds of red flags across Soc Gen. Finally, and maybe most importantly, is that there was really inadequate management response to the irregularities that were uncovered. So in one Wall Street Journal report, as an example, they mention that there were 24 alarms on ... over a 12 month period, and that those alarms were ignored because they felt that there were some inaccuracies in the system itself. So they took it as a system issue rather than a real issue. In fact, there were a number of control personnel who approached Jerome over a several month or multi-year period with questions about his positions and his trading, and the responses he gave were not followed up on. So, while the control personnel did their job it seems to the kind of spirit of their job description, they didn't really dig any deeper than what was absolutely required.
FIELD: So the bigger question, the one that we heard about immediately from our institutions, is, "Can this happen to my institution?" And when you hear that, how do you respond?
NAJIM: I think the response is simple. It's happened before, and it will happen again. In fact, just last week, as you're probably well aware, there was an incident reported by MF Global. It wasn't to the magnitude of Soc Gen. It was a trader who accumulated a $150 million loss position in wheat futures, but it was enough to bring their company shares down by 30 percent in a single day. And while the facts of that case are still emerging, it seems that there were actually some controls in place that were disabled for certain traders because, ironically enough, they slowed down their transactions.
FIELD: Jason, let's talk about the new report you have out on this - "Notes on a Scandal." What are the highlights of this report?
GASWIRTH: Sure, so the report's really a result of us seeing firsthand how some of our clients have been responding to the Soc Gen incident, and we wanted to take the opportunity to share some of those learnings from the field and put out a call-to-action to the broader industry, but also to specific firms that they need to start dealing with these issues. So the report starts by looking at the causes and effects of the Soc Gen incident, and Linda just described some of those. We also discuss some similar incidents that have occurred in the recent past and asked the question, "Have we learned our lesson from history?" because as we know these incidents are continuing to occur. The rest of the paper is focused on how firms can protect themselves, so we outline the components of an effective operational risk management program, and we describe some longer term actions that banks can take to prevent a repeat.
FIELD: So Jason, if you could boil it down, how could Soc Gen have been prevented?
GASWIRTH: We describe three components of an effective operational risk management program in the report. So first - the first component - it's probably the most important one is that organizations need to develop a strong controls culture - culture of compliance. So this is really moving beyond empowering the risk and audit functions and making sure they have a seat at the executive table to instilling supervisory responsibilities throughout the management ranks so that managers, up and down, look at compliance and controls as part of their day to day responsibilities. The second component is automated processes. These are things like warning the computers on trading stations when traders get close to their trading limits, but it's important to emphasize here that technology is really not enough. Management needs to understand what's being automated, what are the limitations, and it needs to all be within a sound governance framework. The third component is strong IT access controls. So, compromised credentials really took center stage in this incident with Jerome having access to systems that he perhaps shouldn't have had access to. We think banks need to look at strong authentication for higher systems and especially start developing robust access and entitlement management programs to try to get a handle on who has access to what when it comes to front and middle office IT systems.
FIELD: Well Jason, that's a good segue to the last question I have for both of you, and Linda let me throw this to you. Based on what you've learned, what actions should financial institutions take to prevent a repeat of Soc Gen?
NAJIM: We actually hope that this will serve as a bit of a call-to-action to banks to take a more comprehensive approach to managing operational risk, versus simply focusing on evaluating the risks of, or the specific causes of, Soc Gen or MF Global for that matter. So in our report we actually recommend a 90-day plan with three phases. Simply put, the first is to understand the initiatives you have underway around operational risk and identify any quick-hit opportunities, particularly focusing on the causes that were uncovered in recent events. The second is to launch a more formal assessment of all the operational risk processes, to understand the gaps that are in place and put together a comprehensive plan of attack going forward. This all seems quite simple, but in our experience the key to this is really execution: maintaining a very strong focus on taking a holistic and integrated view of operational risk, and making sure that the recommendations in place are based on strong facts and are prioritized so companies are positioned for success. Because what happens, perhaps, is that once the furor dies down, banks take their eye off the ball a bit and focus on, you know, revenue-producing opportunities or activities that will drive the profits of the bank, and, in this case, these activities will prevent the significant losses we've seen recently.
FIELD: Well said. Jason, sort of the last words -- if you could boil everything down into one lesson learned you'd like people to take away from this scandal. What would that be?
GASWIRTH: One of the key kind of points that's been made and really was summed up pretty well in the auditor's report that came out recently was a point that Linda made earlier around risk managers and control cultures. So people - when people just kind of follow their jobs to the letter without really trying to connect the dots or kind of recognize these patterns in between, kind of the nature of their jobs, then these events can occur.
FIELD: Excellent insight. Linda and Jason, I want to thank you both for your time and for your insight today.
NAJIM: Thank you very much, Tom.
GASWIRTH: Thank you.
FIELD: We've been talking with Linda Najim and Jason Gaswirth, both with Diamond Management Technology Consultants. The discussion has been about the insider threat at Soc Gen. For Information Security Media Group, I'm Tom Field. Thank you very much.