Attacks/Breaches
9/15/2011
12:57 PM
50%
50%

UBS Discloses $2 Billion In Unauthorized Trades

Three years after unauthorized trading at Societe Generale, incident suggests that banks have more governance, risk, and compliance work to do.

Swiss banking giant UBS disclosed Thursday that it had lost $2 billion due to unauthorized trading, and British police arrested the suspected trader on fraud charges.

"UBS has discovered a loss due to unauthorized trading by a trader in its investment bank. The matter is still being investigated, but UBS's current estimate of the loss on the trades is in the range of $2 billion. It is possible that this could lead UBS to report a loss for the third quarter of 2011," according to a statement released by the bank. It added that "no client positions were affected."

UBS discovered the unauthorized trades on Wednesday, and contacted police, who arrested a 31-year-old man in London at 3:30 a.m. Thursday, "on suspicion of fraud by abuse of position," said commander Ian Dyson of the City of London Police, in a statement.

The man, who remains in custody, has been named in news reports as Kweku Adoboli. According to his LinkedIn profile, he's the director of exchange-traded funds and Delta One--a complex form of derivative trading--at UBS Investment Bank in London. Adoboli's boss, John Hughes, resigned on Wednesday, according to news reports.

The timing of the unauthorized trades is potentially awkward for the bank, since on Thursday, the Swiss parliament was due to debate tighter regulations for UBS and Credit Suisse Group, over concerns that the banks have become "too big to fail."

The failure of UBS to catch the unauthorized trading is surprising since in 2008, rogue trader Jerome Kerviel at Societe General had used stolen passwords to hide Delta One trades that ultimately resulted in $7 billion in losses for the French bank. Ultimately, in October 2010, Kerviel was fined and jailed for three years. Furthermore, Kerviel is far from the only rogue trader to have bedeviled a financial institution in recent years.

While it's not clear how the UBS trades took place, "the risk management of UBS obviously failed," said Martin Kuppinger, principal analyst at market researcher KuppingerCole, which focuses on identity management and information security, in a blog post.

"Did some people cooperate? Did the risk management system specifically for that type of transactions fail? Or has it been an access management problem like at SocGen some time ago, where the trader was able to control [it] himself?" he said. "Whatever the reason is, the incident proves that there is still a long way to go in risk management and overall GRC--not only in the finance industry."

Shorthand for governance, risk, and compliance, GRC refers to a set of business practices designed to measure and report on various risks facing a business. Specifically, GRC focuses on governing an organization's management, business, and IT decisions. It's also meant to manage risks to the business, be they business-related, involving finances, or technology. Finally, GRC is meant to demonstrate compliance with whatever regulations the business must comply.

But too many businesses may not be taking a crucial next step, from not just having policies, but also the correct tools in place to automate and enforce them. "Most large enterprises today have risk, compliance, and privacy policies in place to govern processes for access, sharing, and storage of sensitive corporate information, yet as the growing number of public breaches can attest, policies alone are not the answer," according to business ethics and compliance advisor Michael Rasmussen of Corporate Integrity.

Security professionals often view compliance as a burden, but it doesn't have to be that way. In this report, we show the security team how to partner with the compliance pros. Download the report here. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
DNS Threats: What Every Enterprise Should Know
Domain Name System exploits could put your data at risk. Here's some advice on how to avoid them.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.