August 20, 2013
Contact: Matt Anderson, 212-709-1691
DFS Audit Uncovers Serious Information Technology Problems At State Pension Fund That Put Retirees And Taxpayers At Risk
Mainframe Computers Used for State Pension Business More than a Quarter Century Old, Run on Programming Code from the 1950s
DFS – the State’s Pension Regulator – to Propose New Regulations Requiring New York Pension Funds to Strengthen Their Information Technology Policies and Procedures
NEW YORK, NY – Today, the Department of Financial Services (DFS) released the first in a series of audits on the New York State Common Retirement Fund (CRF). The audit DFS released today uncovered serious information technology problems at the Office of the State Comptroller (OSC) that are putting retirees and taxpayers at significant risk. To help address these problems, DFS – the state’s pension regulator – will issue new regulations requiring the CRF and other New York pension funds to strengthen their information technology policies and procedures.
DFS’s audit revealed that the mainframe computer that OSC uses to process pension transactions is more than a quarter century old and runs on computer code from the 1950s in which few programmers are still trained. Additionally, key software that OSC uses for pension fund business is no longer supported by its manufacturer and is not updated with security patches to protect against new security threats. Furthermore, OSC conducted inadequate and infrequent internal audits of its own information technology systems and failed to take prompt, corrective action that could have helped avoid these problems. CRF executives also acknowledged during DFS’s examination that the pension fund’s technology programs are “approaching a point of failure.” A system failure would be devastating for New Yorkers that rely on OSC to handle their private information and to administer and distribute their retirement savings.
Benjamin M. Lawsky, Superintendent of Financial Services said: “In a world of high-tech hackers and high-frequency trading, a nearly $160 billion pension fund is being managed with computer code from the 1950s and hardware from the 1980s. The regulations we are proposing to address the problems our audit uncovered will help better protect the millions of retirees and taxpayers who are today at risk.”
Under New York law, the Department of Financial Services is charged with supervising New York State’s actuarially funded public retirement systems. In carrying out that responsibility, DFS is required to conduct audits and issue regulations regarding the management of New York’s public pension funds.
DFS’s extensive audit into the CRF’s information technology systems uncovered the following serious problems:
- Antiquated Technology. OSC supports the core business processes of the retirement system, including benefits processing, calculation and payment, employer billing and reporting, and enrollment and termination of memberships through its Member, Employer, Benefits, Executive, and Legal (“MEBEL”) application. The system processes more than one million transactions per month for member salary and service credit calculations alone. MEBEL was created for the OSC more than a quarter century ago, in 1987, with support from Andersen Consulting. The system is written in the programming language COBOL (Common Business-Oriented Language) and uses CICS (Customer Information Control System), a transaction server that supports online transaction processing. COBOL was created in 1959 and is one of the oldest programming languages still in use; CICS was released in 1968. Both are very outdated. The CRF faces a serious problem because the pool of programmers proficient in both COBOL and CICS is small and will continue to shrink over time: new computer specialists are not being trained in these old systems, and the COBOL/CICS specialists at the CRF are approaching retirement.
- Out-of-Date Software. The operating system for MEBEL has not been supported by its manufacturer since September 30, 2012, and will remain unsupported until a replacement scheduled for later this year is in place. Its database management system was out of support from July 2011 until it was upgraded in January 2013, several months after the DFS examination began. Using software that is not supported creates serious security and business risks and contravenes best practices and industry standards. Software vendors do not create security patches or fixes for newly identified problems in software that is past its formal support end date. This lack of security protection leaves the retirement system’s data vulnerable to bugs and to security breaches, including attacks by hackers.
- Inadequate Disaster Recovery Plans. The CRF’s disaster recovery plans are not prudent because the designated data recovery and business continuity sites are both too close to the CRF’s headquarters at 110 State Street in Albany. For example, the CRF plans to use either 90 State Street (in Albany, NY) or Riverview Center (150 Broadway, Menands, NY) as a business continuity site where employees could work if the 110 State Street headquarters was not available in a disaster. The 90 State Street building is less than 200 feet away from 110 State Street and Riverview Center is approximately three miles away. Both are too close to the headquarters to serve as an effective business continuity site. In the event of a disaster that impeded the use of the CRF headquarters, it is likely that surrounding buildings would also be unavailable for use – potentially jeopardizing pension payments for retirees.
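The site-separation problem above is easy to check mechanically. The following is an added example, not code from the DFS audit or from OSC: it computes the great-circle distance from a headquarters to each proposed recovery or continuity site and flags any that fall inside a minimum-separation policy. All coordinates are constructed placeholders (they are not the real positions of 110 State Street, 90 State Street or Riverview Center), and the 50 km threshold is an assumed policy value; the audit states no numeric standard.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

# Constructed placeholder coordinates (latitude, longitude in decimal degrees).
# They are chosen only to reproduce the audit's two distance patterns:
# an adjacent building (tens of metres) and a site roughly three miles away,
# plus one site far enough away to pass. Not real survey data.
HEADQUARTERS = (42.6500, -73.7600)
CANDIDATE_SITES = {
    "Adjacent building": (42.6505, -73.7600),      # ~55 m north of HQ
    "Suburban site": (42.6900, -73.7600),          # ~4.4 km (about 2.8 miles)
    "Out-of-region site": (43.2000, -75.2000),     # >100 km away
}

# Assumed policy: a recovery/continuity site must be at least this far from
# the primary site so that one regional event cannot take out both.
MIN_SEPARATION_M = 50_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84-style lat/lon points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def evaluate_sites(primary, sites, min_separation_m):
    """Return {site name: (distance_m, meets_policy)} for each candidate site."""
    results = {}
    for name, (lat, lon) in sites.items():
        d = haversine_m(primary[0], primary[1], lat, lon)
        results[name] = (d, d >= min_separation_m)
    return results


def check_plan():
    """Evaluate the constructed plan; True means the site satisfies the policy."""
    return evaluate_sites(HEADQUARTERS, CANDIDATE_SITES, MIN_SEPARATION_M)


if __name__ == "__main__":
    for name, (d, ok) in check_plan().items():
        verdict = "OK" if ok else "TOO CLOSE"
        print(f"{name:20s} {d / 1000:8.1f} km  {verdict}")
```

Distance alone is a coarse proxy; a real review would also ask whether the sites share power, telecom and flood exposure, and whether the recovery site has actually been exercised, which is what the annual disaster recovery testing in the proposed regulation is meant to surface.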
- Red Flags Missed. In testimony taken during DFS’s audit, executives of the CRF acknowledged that its technology programs are “approaching a point of failure.” Moreover, IT professionals at the CRF stated that, although the need to replace the antiquated hardware and software has been known for some time, the replacement process has been halted by “higher-ups in the Comptroller’s office.”
- Inadequate, Infrequent Internal Audits. DFS’s investigation uncovered that OSC’s internal IT audits of the CRF do not happen frequently enough. There is no defined cycle within which all elements of the IT audit universe are reviewed and/or audited and the IT portion of the annual audit plan is sparse, especially given that the audit plan is for the entire agency rather than specific to the CRF. There are only three IT internal auditors for the entire agency and IT-specific audits occur only 2–3 times a year agency-wide (so most are not related to the CRF). Indeed, although DFS requested IT audits from the previous year, the CRF had to go back several years to find 2–3 IT audits because of the infrequency with which IT audits are performed for the CRF. Additionally, the IT auditors currently employed at the OSC are not highly qualified. In fact, two of the IT auditors have no professional certifications and had no audit experience before joining the OSC.
To help address the serious information technology problems at the CRF that DFS uncovered in its audit, DFS will propose new regulations requiring New York public pension systems to have IT governance, risk management, and internal controls in place in order to ensure IT systems are operated and maintained securely and efficiently. In particular, the regulation will require the adoption of policies to protect sensitive information; the appointment of an Information Security Officer; the establishment of an internal IT audit unit; and annual IT assessments, penetration testing, and disaster recovery testing.
To view a full copy of the audit DFS released today, please visit, link.