Every time I write a UBS rogue trader blog post I think it's the last one, and then something else happens. That something in today's post is that UBS's CEO is stepping down, and the reason given is the rogue trading scandal. Is one "rogue" trader's actions, even losing $3.2 billion, enough to bring down a CEO? Up to this point Oswald Grübel's reign atop UBS has generally been given high marks, so it does not appear to be a case of the board looking for a reason to show the CEO the door.
One item that came to light is that the "rogue" trading lasted three years; this makes it sound more like an institutional risk-control issue rather than one outlier rogue action. Again, an important backdrop: the trader, Kweku Adoboli, was relatively junior and worked on a small trading desk, so the magnitude of the loss and the lack of control should be viewed in that context.
Oswald Grübel's resignation was a surprise given his track record. From his outgoing memo:
"That it was possible for one of our traders in London to inflict a multibillion loss on our bank through unauthorized trading shocked me. This incident has world-wide repercussions, including political ones.... I am convinced that it is in the best interest of UBS to approach the future with a new leader at the top."
From an infosec standpoint the word "unauthorized" jumps right out. From the information at hand it looks like a long-running lack of governance. Again, the lessons that Jeremy Epstein raised in the wake of Societe Generale come to mind, especially:
Lesson 0: Make sure that you’re measuring the right risks.
Lesson 1: Low tech attacks are easier.
Lesson 2: Logs are only useful if they’re examined.
Lesson 4: We’re looking at the wrong things.
What's the maximum value that a small trading desk should be able to put at risk? $3.2 billion unhedged sounds like a big number for a small trading desk. Were the hedges confirmed? From the information we have so far: no.
Anyone involved in infosec has seen similar issues; they may vary in scale and in kind, but these are not unfamiliar governance issues. The fact that they reached the CEO's office at a major international bank should give one pause. Executive involvement, in a positive sense, should be a goal for infosec going forward. Earlier this year Hyundai Capital had their own security breach, and their CEO had this to say in the aftermath:
His biggest mistake, he says, was that he used to treat the information-technology department as simply one of many units that helped the company get its main job done. Today he treats it as central to everything the company does. Since the attack, Mr. Chung has spent weeks learning the ins and outs of network architecture, security infrastructure and the tradeoffs between data protection and customer satisfaction.
"If you lock the restroom and garage because you are trying to protect the jewelry in the bedroom, sooner or later, the rest of the family complains and finds a way around it," Mr. Chung says. "Like everything, IT security needs a philosophy, and only the CEO can make that kind of a decision."
Infosec is gaining a lot of executive attention, but executive-prescribed actions coming out of this attention could be good or bad. It's important to communicate the core issues in ways execs can understand. In a way the philosophy of infosec can be looked at like a hedge fund: one side of the trade takes on risk and seeks gain while the other side of the trade protects the downside. The key to making this work is that the downside-protection trades use proven controls, not fictional trades like Kweku Adoboli's ETFs.
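The two control questions raised above, "what is the maximum a desk may put at risk?" and "were the hedges confirmed?", are exactly the kind of check that the fictional ETF hedge would have failed if the trade and confirmation systems had been integrated. The following is an added illustration, not code from the post or from any bank's systems: it reconciles booked hedge legs against counterparty confirmations, counts only confirmed hedges toward downside protection, and compares the resulting net unhedged exposure with a per-desk limit. Desk names, trade ids, notionals, limits and the confirmation grace period are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy values (not taken from any real institution): a hedge leg with
# no matching confirmation after this many days is escalated, and notionals
# must agree within this tolerance to count as confirmed.
CONFIRMATION_GRACE_DAYS = 3
NOTIONAL_TOLERANCE = 1.0


@dataclass(frozen=True)
class Trade:
    trade_id: str
    desk: str
    instrument: str
    notional: float               # signed: positive long, negative short
    counterparty: str
    trade_date: date
    hedge_for: Optional[str] = None   # id of the position this leg hedges


@dataclass(frozen=True)
class Confirmation:
    """What the counterparty says it booked, as received by the back office."""
    trade_id: str
    counterparty: str
    notional: float


def reconcile(trades, confirmations, as_of, desk_limits):
    """Return (per-desk exposure report, list of hedge findings).

    A hedge leg only reduces exposure when a confirmation exists from the same
    counterparty for the same notional. Unconfirmed or mismatched hedges are
    treated as if they did not exist, so the desk's net exposure stays visible.
    """
    confs = {c.trade_id: c for c in confirmations}
    exposure = {}
    findings = []   # (desk, trade_id, reason, overdue)
    for t in trades:
        d = exposure.setdefault(
            t.desk, {"gross": 0.0, "confirmed_hedge": 0.0, "unconfirmed_hedge": 0.0})
        if t.hedge_for is None:
            d["gross"] += t.notional
            continue
        c = confs.get(t.trade_id)
        matched = (c is not None and c.counterparty == t.counterparty
                   and abs(c.notional - t.notional) <= NOTIONAL_TOLERANCE)
        if matched:
            d["confirmed_hedge"] += t.notional
        else:
            d["unconfirmed_hedge"] += t.notional
            overdue = (as_of - t.trade_date).days > CONFIRMATION_GRACE_DAYS
            reason = "no confirmation" if c is None else "confirmation mismatch"
            findings.append((t.desk, t.trade_id, reason, overdue))
    report = {}
    for desk, d in exposure.items():
        net = d["gross"] + d["confirmed_hedge"]   # hedges carry negative sign
        limit = desk_limits.get(desk, 0.0)
        report[desk] = {**d, "net_unhedged": abs(net), "limit": limit,
                        "breach": abs(net) > limit}
    return report, findings


# Constructed sample data: one desk whose large hedge was never confirmed, and
# one whose counterparty confirmed a smaller size than was booked internally.
AS_OF = date(2011, 9, 14)
SAMPLE_TRADES = [
    Trade("T-1001", "Delta One", "Index futures", 2_000_000_000.0, "EXCH", date(2011, 9, 1)),
    Trade("T-1002", "Delta One", "Index ETF", -2_000_000_000.0, "CP-A", date(2011, 9, 1), hedge_for="T-1001"),
    Trade("T-1003", "Delta One", "Index futures", 300_000_000.0, "EXCH", date(2011, 9, 12)),
    Trade("T-1004", "Delta One", "Index ETF", -300_000_000.0, "CP-B", date(2011, 9, 12), hedge_for="T-1003"),
    Trade("T-2001", "Rates", "Bond futures", 400_000_000.0, "EXCH", date(2011, 9, 13)),
    Trade("T-2002", "Rates", "Swap", -250_000_000.0, "CP-C", date(2011, 9, 13), hedge_for="T-2001"),
]
SAMPLE_CONFIRMATIONS = [
    Confirmation("T-1004", "CP-B", -300_000_000.0),
    Confirmation("T-2002", "CP-C", -200_000_000.0),   # counterparty booked less
]
DESK_LIMITS = {"Delta One": 500_000_000.0, "Rates": 1_000_000_000.0}


def run_sample():
    return reconcile(SAMPLE_TRADES, SAMPLE_CONFIRMATIONS, AS_OF, DESK_LIMITS)


if __name__ == "__main__":
    report, findings = run_sample()
    for desk, r in report.items():
        print(f"{desk}: net unhedged {r['net_unhedged']:,.0f} "
              f"(limit {r['limit']:,.0f}) breach={r['breach']}")
    for desk, tid, reason, overdue in findings:
        print(f"  {desk} {tid}: {reason}{' - OVERDUE' if overdue else ''}")
```

The point of the design is that the control sits on the confirmation feed, not on the trader's own booking: an internally booked hedge with no counterparty record leaves the full position counted against the desk limit, which is what turns a fictional ETF leg into an immediate limit breach rather than a loss discovered three years later.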
Secure Coding Training Class: Mobile AppSec Triathlon
Do you have what it takes to complete a triathlon on three vital topics in the mobile world: Mobile application security, web services security, and mobile identity management?
Come join two leading experts, Gunnar Peterson and Ken van Wyk, for the first Mobile App Security Triathlon, in San Jose, California, on November 2-4, 2011.
I think the key sentence of your blog post is: "From the information at hand it looks like a long running lack of governance."
That a single "rogue" agent could single-handedly dig a hole $3.2Bn deep within 3 years sounds odd. Didn't he have a boss? Peers? An auditing counterparty? Didn't his boss have a boss? This event speaks about an awful lack of risk controls at UBS, and I am not convinced that isn't a conscious institutional decision. Are there any other "rogue" agents that generated big profits with equally risky and uncontrolled trades? Were they fired? Sued? ... not likely.
Is it possible to prevent a single trader from inflicting a multi-billion dollar loss and at the same time not prevent him from producing a multi-billion dollar gain? How? Are UBS and the entire industry's incentives aligned towards that goal? ... not likely.
Posted by: ivan | September 27, 2011 at 03:38 PM
@Ivan - All good points. One part I blogged about last week is that ETFs are accounted for differently in Europe
http://1raindrop.typepad.com/1_raindrop/2011/09/dangers-of-safety-mechanisms.html
So the systems weren't integrated and the ETF part of the hedge (downside protection) was fiction and not uncovered.
Derivatives are a dangerous business; the leverage means that even a small trading desk could expose a company to a lot of risk. One might expect to see additional controls around derivative exposure to manage the additional risk that comes through leverage (side note - the EU is currently looking to use leverage as part of the Greek bailout - what could possibly go wrong there?).
One of my favorite derivatives quotes from Warren Buffett:
"Long ago, Mark Twain said: “A man who tries to carry a cat home by its tail will learn a lesson that can be learned in no other way.” If Twain were around now, he might try winding up a derivatives business. After a few days, he would opt for cats."
This speaks to the issues around managing derivative risk exposure, but then this should be factored in before taking on the leverage and opening the positions.
Posted by: gunnar | September 27, 2011 at 03:59 PM