UBS Rogue Trader Incident Stirs Access Management Speculation

Details are still sparse, but UBS rogue trader incident sets off identity and access management debate
As very basic details about the massive $2.3 billion rogue-trading incident at UBS begin to trickle out, speculation and scuttlebutt swirl around what exactly broke down within the Swiss finance company's business process and IT system risk management controls. While most IT experts believe it is too early to say what security lessons the industry will learn from the gaffe, many have already extended comparisons to the Societe Generale $6 billion rogue-trading incident and believe that the UBS trader might have taken advantage of similar weaknesses within the firm's access controls as Jérôme Kerviel did at the French firm in 2008.

News of the $2.3 billion loss UBS experienced at the hands of a rogue trader broke late on Thursday last week when the firm put out a short press release explaining that an incident occurred. The next day, law enforcement officials said they had arrested UBS trader Kweku Adoboli in London for fraud. Though UBS is not confirming Adoboli as the culprit, it did yesterday dribble out a bit more information about how the rogue trader acted.

"The positions taken were within the normal business flow of a large global equity trading house as part of a properly hedged portfolio," the company said in a statement. "However, the true magnitude of the risk exposure was distorted because the positions had been offset in our systems with fictitious, forward-settling, cash ETF positions, allegedly executed by the trader. These fictitious trades concealed the fact that the index futures trades violated UBS's risk limits."

UBS said the employee made unauthorized trades in S&P 500, DAX, and EuroStoxx index futures during the course of three months.

"If you look at what this trader has allegedly done, working in different roles inside the organizations, moving from what appears to have been a back-office role into a trading role, it seems like the combination of having the knowledge of how those internal systems work as well as having retained the access is what enabled this," says Jason Garbis, vice president of marketing for identity player Aveksa, who wonders if this was a case of Adoboli getting more access to systems than he should have been afforded during the transition. "Often organizations don't have very sophisticated or very rigorous mover processes. When someone changes from role A to role B, they very often don't have a program in place to detect this and then automatically set up what is called an access review to have the new manager look at and validate the access to critical applications."

Garbis believes this could end up being a wake-up signal for financial organizations to do a better job reviewing privileges among user roles and also instilling better segregation of duties.

"Even if all the access they have is appropriate or tied to their role, maybe someone in that role shouldn't have all that access -- for example, it would make sense to have a rule where someone can't execute a trade as well as approve that trade because it sets a very high-risk scenario," he says.
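
The mover-triggered access review and the execute/approve segregation-of-duties rule described above can be sketched as follows. This is an added example, not code from the article, UBS, or Aveksa; the role names, entitlement names, and conflict pairs are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed role baselines: entitlements each role is expected to hold (hypothetical names).
ROLE_BASELINE = {
    "back_office": {"settlement.confirm", "trade.approve", "ledger.read"},
    "trader": {"trade.execute", "ledger.read"},
    "desk_supervisor": {"trade.execute", "trade.approve", "ledger.read"},
}

# Toxic combinations: no single identity should hold both entitlements of a pair.
SOD_CONFLICTS = [
    ("trade.execute", "trade.approve"),
    ("trade.execute", "settlement.confirm"),
]

@dataclass
class MoverEvent:
    user: str
    old_role: str
    new_role: str
    current_entitlements: frozenset

def review_mover(event):
    """Build the access-review item the new manager receives after a role change."""
    new_base = ROLE_BASELINE[event.new_role]
    old_base = ROLE_BASELINE[event.old_role]
    held = set(event.current_entitlements)
    # Access carried over from the old role that the new role does not call for.
    retained = sorted((held - new_base) & old_base)
    # Access that matches neither role and needs explicit justification.
    unexplained = sorted(held - new_base - old_base)
    conflicts = [pair for pair in SOD_CONFLICTS if set(pair) <= held]
    return {
        "user": event.user,
        "retained_from_old_role": retained,
        "unexplained": unexplained,
        "sod_conflicts": conflicts,
        "requires_review": bool(retained or unexplained or conflicts),
    }

def sod_violations_in_role(role):
    """Check the role definition itself: access 'tied to the role' can still be toxic."""
    return [pair for pair in SOD_CONFLICTS if set(pair) <= ROLE_BASELINE[role]]

# Constructed sample: a move from back office to trading where provisioning only added access.
sample = MoverEvent("user_a", "back_office", "trader", frozenset(
    ROLE_BASELINE["back_office"] | ROLE_BASELINE["trader"] | {"risk.limit.override"}))

if __name__ == "__main__":
    print(review_mover(sample))
    print(sod_violations_in_role("desk_supervisor"))
```
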

Until UBS releases more information, the industry can only speculate as to how its roles and access management systems were set up. But experts say it is likely that the problems ran deeper than just identity management.

"What you really often see people do in these situations is they'll go and strengthen some point activity, and then it's sort of like a bunch of kids walking in the dark at night, and they've got all the flashlights focused on different rocks, but there's all these dark spots between their flashlights," says Brian Barnier, the author of The Operational Risk Handbook for Financial Companies, an ISACA volunteer and consultant for Value Bridge Advisors. "Identity is important, and you've got to think about roles because that's one of the classic things in an insider-trading incident is having authorization for too many roles. But it is also important that we not just go for identity and access management and be all over that without being concerned about all the other systems pieces involved. Otherwise, we'll have those big, dark spaces that some other rogue trader will be able to exploit."

According to securities fraud expert Louis Straney, no matter what kind of technology organizations put in place, there is no replacement for actual human supervision. "As quickly as you develop an internal system that screens, filters, isolates, or identifies risk, someone will think of a workaround," says Straney, who has written several books on fraud in the financial markets. "It really all falls back on the supervision, and this is a massive failure to supervise the trading activity."

Straney believes that one potential lesson from this incident is that financial organizations don't do a good enough job trying to look for and anticipate the loopholes in identity and overall fraud prevention systems. He thinks that much like penetration testers look for network security holes, financial organizations should also have technical and business teams working to test business process and system flaws that would allow massive security lapses, such as the UBS incident.
