Many of the security weaknesses are linked to the poor design of its applications, some of which were written 10 years ago, according to Price Waterhouse Coopers (PwC), which filed a review and action plan for the bank on Friday.
PwC said that, despite the level of investment in SocGen's IT, the bank's systems had been unable to keep pace with the growing complexity of the trading environment and had been unable to process transactions effectively.
The auditor's review was contained in a three-part report on the events which led to the fraud. During 2007, rogue trader Jerome Kerviel used fake emails to cover up his actions, which remained undetected for months until its uncovering in January.
PwC stressed that the fraud did not arise because of the weaknesses in SocGen's IT systems. Nevertheless, its audit uncovered a vast range of security weaknesses.
PwC has developed an IT security development plan, which is due to be implemented by 2010 and which it says will "significantly and progressively improve IT security".
The auditors outlined a range of projects which must be completed, and added: "Taken individually, some of these projects seem ambitious to us and will require particular attention."
The projects it labelled ambitious include an overhaul of managing accounts and access rights, implementation of a stronger authentication system, centralised password management and better application security.
Bank staff currently use multiple passwords to access their applications, which could increase the risk of a security breach. The auditors want the project to centralise password management to be completed next year.
One major area of work will be the elimination of weaknesses in the main transaction management application in the equities division where Kerviel worked. PwC said it expects those vulnerabilities to be removed by the end of this year, though the project is scheduled to continue for at least two years in order to deal with other applications.
The importance of each application should be analysed in terms of the exposure to fraud risk which it creates, PwC advised.
Other priorities outlined by PwC include:
- preventing front office staff from being able to modify data used by middle office applications;
- regularly changing user passwords for sensitive applications;
- improved incorporation of security considerations upstream of IT projects;
- closer monitoring of IT systems compliance with security policy;
- improved management of corrective security measures.
But despite all the increased security measures, PwC has recommended a downscaling in the importance of a biometric authentication project in the team where Kerviel worked.
The project, within the Delta One products team, has replaced Windows usernames and passwords with a biometric solution. PwC insisted the project should remain a pilot, rather than a "genuine control".
This was at least in part due to the fact that some users had not been equipped with the solution, and because other users were leaving their cards unattended in open access areas.