Attacks/Breaches
9/15/2011
12:57 PM

UBS Discloses $2 Billion In Unauthorized Trades

Three years after unauthorized trading at Societe Generale, incident suggests that banks have more governance, risk, and compliance work to do.

Swiss banking giant UBS disclosed Thursday that it had lost $2 billion due to unauthorized trading, and British police arrested the suspected trader on fraud charges.

"UBS has discovered a loss due to unauthorized trading by a trader in its investment bank. The matter is still being investigated, but UBS's current estimate of the loss on the trades is in the range of $2 billion. It is possible that this could lead UBS to report a loss for the third quarter of 2011," according to a statement released by the bank. It added that "no client positions were affected."

UBS discovered the unauthorized trades on Wednesday, and contacted police, who arrested a 31-year-old man in London at 3:30 a.m. Thursday, "on suspicion of fraud by abuse of position," said commander Ian Dyson of the City of London Police, in a statement.

The man, who remains in custody, has been named in news reports as Kweku Adoboli. According to his LinkedIn profile, he's the director of exchange-traded funds and Delta One--a complex form of derivative trading--at UBS Investment Bank in London. Adoboli's boss, John Hughes, resigned on Wednesday, according to news reports.

The timing of the unauthorized trades is potentially awkward for the bank, since on Thursday, the Swiss parliament was due to debate tighter regulations for UBS and Credit Suisse Group, over concerns that the banks have become "too big to fail."

The failure of UBS to catch the unauthorized trading is surprising, since in 2008 rogue trader Jerome Kerviel at Societe Generale had used stolen passwords to hide Delta One trades that ultimately resulted in $7 billion in losses for the French bank. In October 2010, Kerviel was fined and jailed for three years. Furthermore, Kerviel is far from the only rogue trader to have bedeviled a financial institution in recent years.

While it's not clear how the UBS trades took place, "the risk management of UBS obviously failed," said Martin Kuppinger, principal analyst at market researcher KuppingerCole, which focuses on identity management and information security, in a blog post.

"Did some people cooperate? Did the risk management system specifically for that type of transactions fail? Or has it been an access management problem like at SocGen some time ago, where the trader was able to control [it] himself?" he said. "Whatever the reason is, the incident proves that there is still a long way to go in risk management and overall GRC--not only in the finance industry."

Shorthand for governance, risk, and compliance, GRC refers to a set of business practices designed to measure and report on the various risks facing a business. Specifically, GRC focuses on governing an organization's management, business, and IT decisions. It is also meant to manage risks to the business, whether those risks are operational, financial, or technological. Finally, GRC is meant to demonstrate compliance with whatever regulations apply to the business.

But too many businesses may not be taking the crucial next step: not just having policies, but also putting the right tools in place to automate and enforce them. "Most large enterprises today have risk, compliance, and privacy policies in place to govern processes for access, sharing, and storage of sensitive corporate information, yet as the growing number of public breaches can attest, policies alone are not the answer," according to business ethics and compliance advisor Michael Rasmussen of Corporate Integrity.

