The fallout from the Société Générale implosion continues. Bloomberg reports that Standard & Poor's has downgraded the bank's long-term counterparty credit rating cut one level to AA- from AA, claiming its risk management was completely off the boil. S&P said: "While SocGen's loss was caused by the fraudulent behavior of one of its traders, we consider that significant deficiencies in the bank's risk management framework made possible the magnitude of the loss. Risk control was too oriented toward market risk, at the expense of operational risk and fraud risk in trading activities."

No surprises there. Questions are now being raised whether maverick trader Jérôme Kerviel's superiors knew what was going on. Meanwhile, The Times reports that executive bonuses were boosted by Kerviel's investments.

The question is whether other organizations are vulnerable to this sort of thing. And the post-mortems now suggest they are.

One problem was that Kerviel hacked into the computer systems to eliminate controls that would have blocked his massive bets, reports the Sarbanes-Oxley Compliance Journal. And other organizations are just as vulnerable. "The bottom line is that there is not an organization that is not vulnerable to an attack, either through deliberate targeting or through the failure of IT security staff and auditors who in the interests of saving a nail in their budget are prepared to risk the Kingdom. Société Générale should serve as a wake-up call to any organization that has not addressed the issue of Privileged Password management and Application Password management".

Chief Executive magazine says it's about access rights and "entitlement creep" in which workers move to a new business unit and their information access rights fail to get updated to match their new roles. According to the experts, the problem at SocGen was that Kerviel used and abused the access to information he had in an earlier role.

If these traits are so common, it can only lead to one question: who's next?