Attacks/Breaches
9/15/2011
12:57 PM

UBS Discloses $2 Billion In Unauthorized Trades

Three years after unauthorized trading at Societe Generale, incident suggests that banks have more governance, risk, and compliance work to do.

Swiss banking giant UBS disclosed Thursday that it had lost $2 billion due to unauthorized trading, and British police arrested the suspected trader on fraud charges.

"UBS has discovered a loss due to unauthorized trading by a trader in its investment bank. The matter is still being investigated, but UBS's current estimate of the loss on the trades is in the range of $2 billion. It is possible that this could lead UBS to report a loss for the third quarter of 2011," according to a statement released by the bank. It added that "no client positions were affected."

UBS discovered the unauthorized trades on Wednesday, and contacted police, who arrested a 31-year-old man in London at 3:30 a.m. Thursday, "on suspicion of fraud by abuse of position," said commander Ian Dyson of the City of London Police, in a statement.

The man, who remains in custody, has been named in news reports as Kweku Adoboli. According to his LinkedIn profile, he's the director of exchange-traded funds and Delta One--a complex form of derivative trading--at UBS Investment Bank in London. Adoboli's boss, John Hughes, resigned on Wednesday, according to news reports.

The timing of the unauthorized trades is potentially awkward for the bank, since on Thursday, the Swiss parliament was due to debate tighter regulations for UBS and Credit Suisse Group, over concerns that the banks have become "too big to fail."

The failure of UBS to catch the unauthorized trading is surprising since in 2008, rogue trader Jerome Kerviel at Societe Generale had used stolen passwords to hide Delta One trades that ultimately resulted in $7 billion in losses for the French bank. In October 2010, Kerviel was fined and jailed for three years. Furthermore, Kerviel is far from the only rogue trader to have bedeviled a financial institution in recent years.

While it's not clear how the UBS trades took place, "the risk management of UBS obviously failed," said Martin Kuppinger, principal analyst at market researcher KuppingerCole, which focuses on identity management and information security, in a blog post.

"Did some people cooperate? Did the risk management system specifically for that type of transactions fail? Or has it been an access management problem like at SocGen some time ago, where the trader was able to control [it] himself?" he said. "Whatever the reason is, the incident proves that there is still a long way to go in risk management and overall GRC--not only in the finance industry."

Shorthand for governance, risk, and compliance, GRC refers to a set of business practices designed to measure and report on the various risks facing a business. Specifically, GRC focuses on governing an organization's management, business, and IT decisions. It's also meant to manage risks to the business, whether they are business-related, financial, or technological. Finally, GRC is meant to demonstrate compliance with whatever regulations apply to the business.

But too many businesses may not be taking the crucial next step: not just having policies, but also putting the correct tools in place to automate and enforce them. "Most large enterprises today have risk, compliance, and privacy policies in place to govern processes for access, sharing, and storage of sensitive corporate information, yet as the growing number of public breaches can attest, policies alone are not the answer," according to business ethics and compliance advisor Michael Rasmussen of Corporate Integrity.

