JP Morgan denies responsibility for theft of $272M, blames client’s lax internal controls in wake of merger

Mergers and other major changes in corporate governance carry inherent integration risk. As functions shift and staff transition, oversight and internal control capabilities are frequently weakened, creating openings for nefarious actors, including malicious insiders, to exploit. Extra vigilance and increased attention to corporate security, including cyber security, are critical during these periods yet often overlooked.

In 2018, Essilor and Luxottica, two of the world’s largest makers of ophthalmic lenses and fashion eyewear respectively, merged to become the global industry leader, setting the stage for an internal power struggle and one of the largest internal fraud cases in recent memory.

As leaders of both firms fought for the CEO spot and board dominance, employees at the merged firm’s Thailand offices surreptitiously engineered a series of unauthorized outbound wire transfers totaling $272M, exploiting their knowledge of the internal approval process to bypass controls. Despite the unusual pattern of activity on the JP Morgan account, the transactions evaded detection until the funds were long gone, dispersed to multiple cut-out accounts across Asia.

To date, EssilorLuxottica has been able to recover only $100M of the stolen cash, leading the firm to file a lawsuit against JP Morgan for failing to safeguard its customer’s funds. JP Morgan, predictably, responded by framing the incident as a “failure of our client’s internal controls”, disclaiming any responsibility.

Risk management is a complex discipline, but its activities can be broadly organized into three categories: left of bang (before an incident), at the bang (during), and right of bang (after). Strategic risk management means balancing investments of time, effort, and resources across these categories, informed by past, current, and predicted events.

Critical to all these activities is the ability to consistently and reliably capture and understand the state of controls, and the resulting risk posture, across the enterprise – in real time, not weeks or months after a control failure. To that end, identifying which controls can be monitored through technical evidence, and ensuring real-time monitoring coverage of those controls for all critical systems wherever possible, should be treated as a critical-path strategic activity.

Risk leaders need to focus on maximizing real-time control coverage, reducing risk visibility gaps, and closing the time-to-detect lag that undermines their ability to identify and remediate control failures before they are exploited.

Annual or quarterly audits and assessments alone won’t get the job done anymore, and frankly never did. It’s time to put risk and compliance management on the same footing with security operations. It’s time to evolve to Converged Continuous Compliance.