Attacks/Breaches
9/15/2011
12:57 PM
Connect Directly
RSS
E-Mail
50%
50%

UBS Discloses $2 Billion In Unauthorized Trades

Three years after unauthorized trading at Societe Generale, incident suggests that banks have more governance, risk, and compliance work to do.

Swiss banking giant UBS disclosed Thursday that it had lost $2 billion due to unauthorized trading, and British police arrested the suspected trader on fraud charges.

"UBS has discovered a loss due to unauthorized trading by a trader in its investment bank. The matter is still being investigated, but UBS's current estimate of the loss on the trades is in the range of $2 billion. It is possible that this could lead UBS to report a loss for the third quarter of 2011," according to a statement released by the bank. It added that "no client positions were affected."

UBS discovered the unauthorized trades on Wednesday, and contacted police, who arrested a 31-year-old man in London at 3:30 a.m. Thursday, "on suspicion of fraud by abuse of position," said commander Ian Dyson of the City of London Police, in a statement.

The man, who remains in custody, has been named in news reports as Kweku Adoboli. According to his LinkedIn profile, he's the director of exchange-traded funds and Delta One--a complex form of derivative trading--at UBS Investment Bank in London. Adoboli's boss, John Hughes, resigned on Wednesday, according to news reports.

The timing of the unauthorized trades is potentially awkward for the bank, since on Thursday, the Swiss parliament was due to debate tighter regulations for UBS and Credit Suisse Group, over concerns that the banks have become "too big to fail."

The failure of UBS to catch the unauthorized trading is surprising since in 2008, rogue trader Jerome Kerviel at Societe General had used stolen passwords to hide Delta One trades that ultimately resulted in $7 billion in losses for the French bank. Ultimately, in October 2010, Kerviel was fined and jailed for three years. Furthermore, Kerviel is far from the only rogue trader to have bedeviled a financial institution in recent years.

While it's not clear how the UBS trades took place, "the risk management of UBS obviously failed," said Martin Kuppinger, principal analyst at market researcher KuppingerCole, which focuses on identity management and information security, in a blog post.

"Did some people cooperate? Did the risk management system specifically for that type of transactions fail? Or has it been an access management problem like at SocGen some time ago, where the trader was able to control [it] himself?" he said. "Whatever the reason is, the incident proves that there is still a long way to go in risk management and overall GRC--not only in the finance industry."

Shorthand for governance, risk, and compliance, GRC refers to a set of business practices designed to measure and report on various risks facing a business. Specifically, GRC focuses on governing an organization's management, business, and IT decisions. It's also meant to manage risks to the business, be they business-related, involving finances, or technology. Finally, GRC is meant to demonstrate compliance with whatever regulations the business must comply.

But too many businesses may not be taking a crucial next step, from not just having policies, but also the correct tools in place to automate and enforce them. "Most large enterprises today have risk, compliance, and privacy policies in place to govern processes for access, sharing, and storage of sensitive corporate information, yet as the growing number of public breaches can attest, policies alone are not the answer," according to business ethics and compliance advisor Michael Rasmussen of Corporate Integrity.

Security professionals often view compliance as a burden, but it doesn't have to be that way. In this report, we show the security team how to partner with the compliance pros. Download the report here. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1032
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in the Euroling SiteSeeker module 3.x before 3.4.5 for EPiServer allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party inf...

CVE-2012-1417
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.

CVE-2012-1506
Published: 2014-09-17
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from th...

CVE-2012-1507
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index...

CVE-2012-2583
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in Mini Mail Dashboard Widget plugin 1.42 for WordPress allows remote attackers to inject arbitrary web script or HTML via the body of an email.

Best of the Web
Dark Reading Radio