Technology Lags
As Damianides, the former president of ISACA, notes, financial firms like Morgan Stanley, Bear Stearns and French bank Societe Generale have been coming out with increasingly arcane investment offerings such as CDOs and so-called equity derivatives, whose value is at least partially derived from one or more equity securities. Concurrently, risk management technology hasn't been able to keep pace, Damianides claims.
At the same time, much of the trading-related technology has been allowed to develop outside the purview of the CIO or the central IT department. The result, says SAS's Rogers, is a lack of standardization and a profusion of silos that prevent senior management from getting a holistic view of trading pitfalls as they emerge, often in real time.
It is also problematic that many organizations view risk simply in terms of security. That, however, is changing, according to Samir Kapuria, managing director of advisory services at Symantec, a risk software company based in Cupertino, Calif. "In today's connected world where you manage IT across your own borders and across the borders of those you do business with, businesses are starting to understand that failures across a broad spectrum can impact the business operations and results."
Kapuria notes another misconception that is pertinent to protecting financial services firms: that IT risk management is a single point-in-time exercise, or even a series of them, across budget periods or years. "This ignores the dynamic nature of the internal and external risk environment," says Kapuria. It also ignores the new element of risk that must be dealt with every time an investment firm or brokerage house rolls out a new product, Kapuria notes.
Another security gap that has bedeviled financial firms is outdated employee fraud protection, says Orad, the chief marketing officer at compliance and fraud prevention software maker Actimize.
Actimize breaks fraud protection technology and procedures into three generations. In the first, the organization's IT department manages queries against databases, manually looking over results for suspicious behavior. In the second, a company has tools in place to automate queries and deliver reports in electronic format via email or portal report, but the results still need to be reviewed manually. In the third, the organization has a single platform and workflow tools that automatically execute analytics and data mining to detect defined and unknown patterns across many databases and applications.
A recent Actimize survey of financial institutions in the U.S. and U.K., half of which had assets of more than $30 billion, found that more than 90 percent were using first- and second-generation technology to combat employee fraud, while only 8 percent had adopted third-generation technology.
"You need analytics and data mining to detect aberrations in trading and employee fraud," says Orad. "Otherwise, you can have the kind of situation that developed at Societe Generale. But this kind of thing is much more common than people realize."
Indeed, Credit Agricole SA, the largest retail banking group in France and the second largest in Europe, said in September that an unauthorized proprietary trade at its investment bank in New York cost the company 250 million euros. Credit Suisse, Switzerland's second-largest bank, took $2.85 billion of writedowns on asset-backed securities after an internal review found "mismarkings" by a group of traders that its risk management systems failed to catch.
"We've got a client that is firing on average five people a day because of unauthorized trades and fraud," Orad says. "It's a major problem."
At Societe Generale, the problem almost brought down France's second-largest bank and created a national furor.