Q&A

Interview: What Went Wrong at Societe Generale?

Breakdown of IT security and controls underscores the need for security to act as a business partner, says BearingPoint managing director

By Katherine Walsh

February 22, 2008, CSO — How did billions of dollars worth of fraudulent trades escape the notice of one of the largest financial services companies in Europe? Increasingly, it looks as if poor IT security and controls allowed trader Jerome Kerviel, with or without accomplices, to make trades that cost the French bank more than $7 billion. (See our news coverage.)

To get insight on the misfortune of Societe Generale, what it says about security and risk, and what security practitioners can learn from the bank’s plight, CSOonline.com looked to J.R. Reagan, the managing director and global solution leader for risk, compliance and security at management and technology consultancy BearingPoint.

CSO: Do you think Societe Generale suffered from lack of controls, or lack of security for controls?

J.R. Reagan, managing director and global solution leader for risk, compliance and security at BearingPoint: It’s a good example of how the insider threat can become the bigger issue in some companies. Much time is spent on protecting against the external threat, and rightly so, but the internal threat can be even larger in terms of risk to the company.

Financial institutions are made up of people in audit, compliance, financial risk and security. They don’t always talk to each other. Even if controls are put in place, the enforcement and automation of those controls isn’t well coordinated between those departments. Societe Generale is a good example of how the gray areas between those activities can be taken advantage of.

CSO: In your opinion, there is a gap between having these controls in place and actually securing them properly?

Reagan: Yes. For example, a company might have in place controls for password management but not enforce them, or the financial risk department might put password management in place but not be evaluated by the security side to make sure no one can break in. Those are the holes we’re talking about.

CSO: Is it more likely that Jerome Kerviel was able to bypass security and obtain access to the systems he did through social engineering, or some other way?

Reagan: He had knowledge of the back office. The other factor at play here is that in most organizations, anywhere between 50 and 60 or 70 percent of passwords are old, those that haven’t been purged from the system after people leave. Someone who has knowledge of the back office could easily use that to their advantage to gain access. In that case, there’s not a
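The control gap Reagan describes, accounts that survive after their owner leaves, is one that a reconciliation job between the HR roster and the account directory catches routinely. The following is an added illustration, not code from the article or from BearingPoint; the roster, the account export and the dates are constructed sample data, and the 90-day dormancy threshold is an assumed policy value. It flags three distinct failure modes: an account with no HR owner at all, an account still enabled after its owner's termination (and whether it was used afterwards), and an active employee's account that has gone dormant.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article). HR_ROSTER is what the
# HR system knows; ACCOUNTS is a directory export as IT would pull it.
HR_ROSTER = {
    "akerr":   {"status": "active",     "left_on": None},
    "bmorel":  {"status": "terminated", "left_on": date(2007, 11, 30)},
    "cdupont": {"status": "active",     "left_on": None},
    "dsvc":    {"status": "terminated", "left_on": date(2007, 6, 15)},
}

ACCOUNTS = [
    {"user": "akerr",          "last_login": date(2008, 2, 20), "enabled": True},
    {"user": "bmorel",         "last_login": date(2008, 1, 10), "enabled": True},  # logged in after leaving
    {"user": "cdupont",        "last_login": date(2007, 9, 1),  "enabled": True},  # employee, but dormant
    {"user": "dsvc",           "last_login": None,              "enabled": True},  # never purged after leaving
    {"user": "backoffice_tmp", "last_login": date(2008, 2, 1),  "enabled": True},  # no HR owner at all
]


def review_accounts(accounts, roster, today, dormant_days=90):
    """Cross-check enabled accounts against the HR roster.

    Returns a list of (user, finding) pairs. dormant_days is an assumed
    policy threshold for how long an active employee's account may sit unused.
    """
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: nothing to act on
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            # Nobody in HR owns this login: the classic leftover account.
            findings.append((user, "orphaned: no matching HR record"))
            continue
        last = acct["last_login"]
        if person["status"] == "terminated":
            # The account should have been disabled on the leaving date;
            # distinguish "still enabled" from "actually used afterwards".
            if last is not None and person["left_on"] is not None and last > person["left_on"]:
                findings.append((user, "used after termination"))
            else:
                findings.append((user, "not disabled after termination"))
            continue
        if last is None or last < cutoff:
            # Current employee, but the credential has not been exercised recently.
            findings.append((user, "dormant"))
    return findings


def stale_ratio(accounts, roster, today, dormant_days=90):
    """Share of enabled accounts that raised at least one finding."""
    enabled = [a for a in accounts if a["enabled"]]
    if not enabled:
        return 0.0
    flagged = {user for user, _ in review_accounts(accounts, roster, today, dormant_days)}
    return len(flagged) / len(enabled)


if __name__ == "__main__":
    review_date = date(2008, 2, 22)
    for user, finding in review_accounts(ACCOUNTS, HR_ROSTER, review_date):
        print(f"{user:16} {finding}")
    print(f"stale share: {stale_ratio(ACCOUNTS, HR_ROSTER, review_date):.0%}")
```

The job is deliberately split across the two data sources Reagan says rarely talk to each other: HR owns the leaving dates, IT owns the last-login timestamps, and neither side sees the problem on its own. Running it on a schedule, and treating every "used after termination" finding as an incident rather than a hygiene item, is the automation and enforcement step the interview says is usually missing.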
