By its very nature, selling loans is a risky business. You may not get your money back, or you may run out of funds with which to continue your business.
For most financial institutions, the likelihood of either happening is a known risk, and one that is continually assessed.
Or so it should be. Northern Rock's recent plight shows us that some organisations are willing to gamble that neither will happen. Hindsight tells us that its risk assessment was poor, but is that fair? And what lessons does this episode have for information security professionals?
Northern Rock used the international capital markets to find the money to lend to its customers in the UK. Up until very recently, much of this capital had been used to finance the booming sub-prime market in the US, forged by low interest rates and aggressive selling techniques. Behind those capital markets is a complicated and risky world of reselling and repackaging loans, one which Northern Rock benefited from and used to become one of the UK's biggest lenders.
When the sub-prime market collapsed, other financial institutions were reluctant to buy the loans Northern Rock had turned into bonds. So when US interest rate rises pushed already over-extended sub-prime borrowers into default and, as a result, put at risk the bonds Northern Rock was using as guarantees for loans it was making elsewhere, the bank was left exposed. It began to run out of money to lend.
This lack of funds came to a head last month, sparking fears it would collapse. Panicking investors queued outside branches to withdraw savings. Despite assurances from the bank and government, these ordinary savers made their own risk assessment and continued to take out their cash - to the detriment of Northern Rock.
All manner of analysts will now say that Northern Rock was playing with fire and should have spread its borrowing. Others have simply accused the bank of being reckless. Both are probably correct.
What all this shows is that risk assessment is hardly the exact science that many would have you believe. In Northern Rock's case, it seems to have been based largely on hope and a belief that capital markets, clearly out of its control, would continue to behave in a wholly favourable manner.
The same may be said of many organisations making equally dodgy assessments of their continued exposure to attack. "It hasn't happened in the past, hackers have always behaved like this, so this is what could happen," is typical.
But what could happen isn't the same as what actually happens. The sub-prime market looked robust because no one had bothered to model the effects of all known probabilities and, more importantly, the unknown probabilities.
Dig a little deeper into the causal nexus and you will unearth a fundamental truth. Here was the delusion by so many that they could repay their loans and the belief by others that they actually would. It's a known risk that those very same human traits are currently to be found inside and outside your business.
- Paul Fisher is editor of SC Magazine.