Rethinking the Role of Compliance

JP Morgan denies responsibility for theft of $272M, blames client’s lax internal controls in wake of merger

Mergers and other major changes in corporate governance carry inherent integration risk. As functions shift and staff transition, oversight and internal control capabilities are frequently weakened, creating openings for nefarious actors, including malicious insiders, to exploit. Extra vigilance and heightened attention to corporate security, including cyber, are critical during these periods yet often overlooked.

In 2019, Essilor and Luxottica, two of the world’s largest makers of fashion eyewear, merged to become the global industry leader, setting the stage for an internal power struggle and one of the largest internal fraud cases in recent memory.

As leaders of both firms fought for the CEO spot and board dominance, employees at the merged company’s Thailand offices surreptitiously engineered a series of unauthorized outbound wire transfers totaling $272M, exploiting their knowledge of the internal approval process to bypass controls. Despite the unusual pattern of activity on the JP Morgan account, the transactions evaded detection until the funds were long gone, dispersed across multiple cut-out accounts in Asia.

To date, EssilorLuxottica has recovered only $100M of the stolen cash, leading the firm to sue JP Morgan for failing to safeguard its customer’s funds. JP Morgan, predictably, responded by framing the incident as a “failure of our client’s internal controls”, disclaiming any responsibility for the incident.

Risk management is a complex discipline, but its activities can be broadly organized into three categories: left of bang (before a control failure or incident occurs), at the bang (while it is unfolding), and right of bang (after the fact, when losses are recovered and root causes remediated). Strategic risk management means balancing investments of time, effort, and resources across these categories, informed by past, current, and predicted events.

Critical to all three is the ability to capture and understand, consistently and reliably, the state of controls and the resulting risk posture across the enterprise, in real time rather than weeks or months after a control failure. To that end, identifying which controls can be monitored through technical evidence (machine-generated logs, configuration state, transaction records) and using that evidence to maintain real-time monitoring coverage for every critical system wherever possible should be treated as a critical-path strategic activity.

Risk leaders need to focus on maximizing real-time control coverage, closing risk visibility gaps, and shrinking the time-to-detect lag that keeps them from identifying and remediating control failures before they are exploited.
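What "real-time control coverage" and "time-to-detect" look like in practice, as an added example that is not code from the original page or from Qmulos: a control inventory is scored by whether each control has fresh technical evidence, and one control (a hypothetical dual-approval rule for large outbound wires, labelled WIRE-01) is evaluated continuously against a constructed stream of payment-system events, so a self-approval bypass is flagged at the moment of release instead of at the next periodic audit. Control ids, the threshold, user names and log lines are all assumptions for illustration, not details of the EssilorLuxottica case.

```python
"""Continuous control monitoring over technical evidence.

Added example, not code from the original page or from Qmulos.  Two parts:
(1) a control inventory classified by whether each control has a technical
evidence feed and how fresh it is, which is what "real-time control coverage"
means in practice; (2) one control evaluated continuously against a stream of
payment-system events, so a bypass surfaces at the moment of release with a
known time-to-detect rather than at the next periodic audit.  Control ids,
thresholds, user names and log lines are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json


@dataclass
class Control:
    id: str
    description: str
    evidence: str            # "technical" (machine-generated feed) or "manual" (attestation, sampled audit)
    last_evidence: datetime  # when evidence for this control was last received
    critical: bool = True


def coverage_report(controls, now, max_age=timedelta(hours=1)):
    """Return (fraction of critical controls with fresh technical evidence, ids of the gaps).

    A control counts as covered in real time only if its evidence is technical
    and no older than max_age; manual attestations never count, however recent.
    """
    critical = [c for c in controls if c.critical]
    gaps = [c.id for c in critical
            if c.evidence != "technical" or now - c.last_evidence > max_age]
    covered = len(critical) - len(gaps)
    return (covered / len(critical) if critical else 0.0), gaps


# Hypothetical control WIRE-01: outbound wires at or above THRESHOLD need two
# distinct approvers, neither of whom initiated the wire, before release.
THRESHOLD = 1_000_000


def evaluate_wire_approvals(events, threshold=THRESHOLD):
    """Replay payment-system events in order and return control failures.

    Each event is a dict with ts, type ("initiate", "approve", "release"),
    wire_id, user and, on initiate, amount.  The check runs at the release
    event, which is the point where the control must have held, so the
    finding's timestamp is also its detection time.
    """
    wires = {}
    findings = []
    for ev in events:
        w = wires.setdefault(ev["wire_id"], {"initiator": None, "amount": 0, "approvers": set()})
        if ev["type"] == "initiate":
            w["initiator"], w["amount"] = ev["user"], ev["amount"]
        elif ev["type"] == "approve":
            w["approvers"].add(ev["user"])
        elif ev["type"] == "release" and w["amount"] >= threshold:
            # Self-approval is the classic bypass: strip the initiator before counting.
            independent = w["approvers"] - {w["initiator"]}
            if len(independent) < 2:
                findings.append({
                    "control": "WIRE-01",
                    "wire_id": ev["wire_id"],
                    "amount": w["amount"],
                    "initiator": w["initiator"],
                    "approvers": sorted(w["approvers"]),
                    "detected_at": ev["ts"],
                    "reason": "fewer than two approvers independent of the initiator",
                })
    return findings


# Constructed sample feed (JSON lines), not real transaction data.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"ts": "2021-03-01T09:00:00Z", "type": "initiate", "wire_id": "W-1001", "user": "alice", "amount": 250000}
{"ts": "2021-03-01T09:05:00Z", "type": "approve", "wire_id": "W-1001", "user": "bob"}
{"ts": "2021-03-01T09:06:00Z", "type": "release", "wire_id": "W-1001", "user": "bob"}
{"ts": "2021-03-01T10:00:00Z", "type": "initiate", "wire_id": "W-1002", "user": "alice", "amount": 4500000}
{"ts": "2021-03-01T10:02:00Z", "type": "approve", "wire_id": "W-1002", "user": "alice"}
{"ts": "2021-03-01T10:03:00Z", "type": "approve", "wire_id": "W-1002", "user": "carol"}
{"ts": "2021-03-01T10:04:00Z", "type": "release", "wire_id": "W-1002", "user": "carol"}
{"ts": "2021-03-01T11:00:00Z", "type": "initiate", "wire_id": "W-1003", "user": "dave", "amount": 3000000}
{"ts": "2021-03-01T11:01:00Z", "type": "approve", "wire_id": "W-1003", "user": "erin"}
{"ts": "2021-03-01T11:02:00Z", "type": "approve", "wire_id": "W-1003", "user": "frank"}
{"ts": "2021-03-01T11:03:00Z", "type": "release", "wire_id": "W-1003", "user": "frank"}
""".strip().splitlines()]


def demo(now=datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)):
    """Run both checks against constructed controls and the sample feed."""
    controls = [
        Control("WIRE-01", "dual approval on outbound wires >= threshold", "technical", now - timedelta(minutes=5)),
        Control("ACC-07", "quarterly user access review", "manual", now - timedelta(days=80)),
        Control("LOG-03", "payment-system audit logging enabled", "technical", now - timedelta(hours=3)),
    ]
    return coverage_report(controls, now), evaluate_wire_approvals(SAMPLE_EVENTS)


if __name__ == "__main__":
    (coverage, gaps), findings = demo()
    print(f"real-time coverage of critical controls: {coverage:.0%}; gaps: {gaps}")
    for f in findings:
        print(f"{f['control']} FAILED on {f['wire_id']} ({f['amount']:,}) at {f['detected_at']}: {f['reason']}")
```

Two points the code makes that the prose only asserts: a manual attestation (ACC-07) never counts toward real-time coverage no matter how recent, and a technical feed that has gone stale (LOG-03) is a visibility gap just as much as a missing one. The wire check is deliberately evaluated at release time, which is the last point at which a control failure can still be stopped; evaluating the same evidence in a quarterly sample would find the same W-1002 self-approval months later, when, as in the case above, the funds are already gone.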

Annual or quarterly audits and assessments alone won’t get the job done anymore, and frankly never did. It’s time to put risk and compliance management on the same footing as security operations. It’s time to evolve to Converged Continuous Compliance.
