In the financial services sector, insiders have been a longstanding problem. In the past, it was individual crooks or gangs forming alliances with disgruntled bank tellers, security guards, and vulnerable employees. In today’s information age, however, the situation is even more dangerous. Insiders now have extensive knowledge of their organisation’s practices, systems, and applications, allowing them to inflict significant damage. Consider some high-profile examples of insiders who have caused major setbacks for financial organisations:
- Logic Bomb at UBS PaineWebber: In March 2002 a logic bomb—a piece of often-malicious code that is intentionally inserted into software—erased 10 billion files in the computer systems of an international financial services company. Losses were estimated at $3 million. It was later revealed that the logic bomb had been planted by a disgruntled employee who had recently left the company over an annual bonus dispute.
- Amazon Web Services Case: In 2019, software engineer Paige A. Thompson used her former insider knowledge to illegally access one of the AWS servers storing Capital One’s data, resulting in the exposure of personal and financial data belonging to more than 100 million customers in the United States and over 6 million in Canada.
- Postbank: In 2020, the South African Post Office Bank suffered a significant internal security breach, forcing the bank to replace 12 million bank cards at the cost of $58 million after insiders compromised the personal data of account holders by copying a master key.
- London Whale a.k.a. Bruno Iksil: In 2013, JPMorgan Chase, one of the largest U.S. banks, was set to pay US$ 920 million to U.S. and British regulatory authorities and admitted errors in its internal controls that led to the “London Whale” scandal. The “London Whale” was Bruno Iksil, an employee at JPMorgan’s London office, whose recorded losses of more than $6.2 billion triggered a significant reaction in credit markets worldwide.
Insiders targeting financial organisations have been at the forefront of headlines for a long time, but few truly understand the current scope of these risks and how they spread across the globe. It is almost impossible to talk about them without focusing on the imminent insider risk problem within banks. Such institutions are often seen as high-profile targets in the financial sector because of the amount of personal data they gather in order to perform most or even all of their functions. Research suggests that losses caused by an insider are far greater than the losses caused by a hacker. Nevertheless, organisations in this sector have historically invested more resources in external threat mitigation. This is partly because vulnerabilities to cyber criminals have been a major issue. But now that financial institutions have made external attacks harder, we have seen a significant increase in the use of insiders as a medium through which attackers pursue their goals. In addition, as such traditional institutions adopt and comply with the push for further digitisation, technologies ranging from smart credit cards and online banking to e-commerce applications have left banks even more vulnerable to insider acts, especially when it comes to data breaches. Currently, the average cost of a data breach within the financial sector is ranked among the highest, at $58.85 million USD.
While concerns raised by emerging technologies and their vulnerabilities in the cyber domain are well-founded, it is important to acknowledge that most insiders in this sector have demonstrated little to no technical literacy. This has been particularly prevalent in the case of insider fraud, where most insiders did not require any knowledge of information technology, networks, or computer systems to commit their crimes.
With a better picture in mind of this threat landscape, let’s turn to a real-life example, the infamous Nick Leeson case:
Nick Leeson conducted fraudulent, unauthorised, and speculative trades and was found guilty of deceiving bank auditors and cheating the Singapore International Monetary Exchange. He was sentenced to six and a half years in prison in Singapore for the crimes committed during his time at Barings Bank.
Founded in 1762, Barings Bank was the second oldest bank in the world. It had financed the Napoleonic Wars and the Louisiana Purchase and helped finance the United States government during the War of 1812. It had survived panics, depressions, and other wars, but was brought down in 1995 by a 28-year-old rogue trader. Leeson, a derivatives trader, began taking increasingly larger gambles in an attempt to recover lost money. In late 1993, the losses in the secret account that Leeson was maintaining exceeded £23 million. By the end of 1994, the amount had increased to £208 million.
Rogue trading and a heightened risk appetite have left their mark on Wall Street, but few accounts of these infamous events look at the insider risk component. Some accounts of Leeson’s experiences and personality traits highlight certain personal predispositions to insider risk: among them, his extreme risk-taking and loss-averse personality, coupled with a drive for success and a fear of failure. All of this was put to the test once the stressors of his occupation, such as the highly competitive trading environment and the constant pressure to perform and collect bonuses, led him onto a critical pathway. Undoubtedly, the Nick Leeson case once more highlights the impact on organisations that continuously fail to address the “red flags”, paying little to no attention to what is going on at the periphery of the organisation. As mentioned in many accounts, people around Leeson raised concerns, only for them to be ignored or not taken up the proper chain of command. Trades were being executed without proper oversight, because Barings had given Leeson the responsibility of double-checking his own trades rather than reporting them to a superior. Leeson’s experience at Barings Bank clearly shows how the critical pathway to insider risk can provide guidance for line managers in monitoring, reporting, and performing early interventions, so that duty of care towards employees is at the top of the organisation’s agenda.
The consequences of insider activity in institutions like banks are dramatic: not only the astronomical financial losses we have seen in some of the cases highlighted above but, more importantly, the reputational impact that internal acts like fraud may have on such institutions. There is no more problematic and direct connection between reputation and customer trust than in financial services. Ultimately, people do not want to keep their money with a company that they do not trust.
As insider risk management takes precedence, it is fair to point out that not only Barings’ bankruptcy but also Leeson’s derailment could have been avoided. Think about how powerful risk management practices such as regulatory screenings, financial controls, reporting systems, a healthy work environment, and the proper handling of risk indicators could have removed Leeson from the critical pathway and saved Barings’ reputation and integrity from total collapse.
There is much more to say on systemic failures and the need for constant re-evaluation of organisational response mechanisms, but what should not be left unsaid is that the financial sector has demonstrated significant susceptibility to insider acts since its inception, and will continue to be a major target, currently suffering the highest average annual insider risk costs, at $14.5 million. The solution? Matching these upcoming threats with the proper implementation of robust, holistic insider risk management programmes that address both employer and employee.
Author: Isabela Serra
Insider Risk Analyst