Oregon Pension System Vulnerable to Attacks

Audit report finds ‘severe deficiencies’ in state pension’s disaster recovery system.

An audit of the Oregon Public Employees Retirement System’s IT security management practices found a slew of problems that “pose substantial risks” to its members and the state.

The Oregon secretary of state’s department of audits said the state retirement system needs to improve its IT strategic planning efforts to “ensure that IT investments return the most value and pose the least amount of risk to the agency.”

It also said the system’s existing IT planning efforts are inadequate to enable timely completion of the agency’s strategic objectives.

The purpose of the audit was to determine whether the system could improve IT security and IT strategic planning efforts, and to assess the agency’s preparedness to restore critical IT systems in response to a disaster.


The report said PERS should immediately correct deficiencies in existing disaster recovery plans so the agency can respond to catastrophic events that would prevent the use of existing IT systems. However, according to the report, the agency has not tested any disaster recovery plans, and has no alternative recovery site.

Although the report acknowledged the system is making progress to update current plans and implement a recovery site, it insisted that “a more urgent effort is needed.”

The audit, which included an assessment of critical security controls and the agency’s IT security management practices, said Oregon PERS should “improve security management roles and training, as well as correct weaknesses in inventory management, configuration change management, vulnerability management, and controlling administrative accounts.”

The audit found that while the system has identified a method to issue most pension payments in the event of a disaster, it has not fully addressed changes in payment processing by the Oregon State Treasury.

“The agency’s disaster recovery plans pose serious risks because they are insufficient to restore critical IT systems,” said the report. “Furthermore, the agency has not tested those plans and has not yet complied with legislative mandates to acquire an alternative recovery site and improve disaster recovery planning.”

It also said Oregon PERS’ strategy of re-issuing the prior month’s payments poses a risk of benefit payment errors and has never been tested.

The report included 16 recommendations for the system to implement to improve its IT strategic planning and critical security controls.

Among the recommendations, the report suggested the system develop a process to schedule, track, and allocate sufficient resources to completing the disaster recovery plan; ensure the disaster recovery plan reflects short-term and long-term recovery of all critical business systems; and establish an alternative backup site that is geographically distant from the primary storage location.

In response to the audit report, Kevin Olineck, Oregon PERS’s new director, said the system generally agreed with the report’s findings.

“We are committed to improving our capabilities in these areas, and have identified opportunities for improvements in recent years which this audit report validates,” said Olineck in a letter to the state’s audit division. “We are incorporating these practices as we hone our focus on strategic planning and communication with stakeholders about our continuing progress toward change.”

Olineck said he expects at least 13 of the 16 recommendations to be implemented by the end of next June.


Britt Harris, Texas Endowment to Review Investments in ‘Scrutinized Entities’

Compliance procedures expanded to include companies at risk of being sanctioned by US.

The University of Texas/Texas A&M Investment Management Co. (UTIMCO), which oversees the $22 billion Permanent University Fund for the two university systems, is expanding its sanctions compliance procedures to include companies that are considered scrutinized entities at risk of becoming sanctioned by the US government.

“UTIMCO currently is compiling a list of scrutinized entities that will be reviewed with the board’s risk committee to determine how they will be addressed,” Britt Harris, UTIMCO’s chief investment officer, said in a release. “The financial impact to the endowment is expected to be minimal.”

Although scrutinized entities have not been officially sanctioned by the US government, they are known to conduct business with companies that are sanctioned, and therefore could potentially be sanctioned in the future.

Because of this, says UTIMCO, the market value of the companies could be negatively affected, which would in turn diminish the value of the endowments UTIMCO manages. Current targets of US government sanctions include companies based in North Korea, Syria, Sudan, Russia, and Iran, among others.


While many of these countries are considered “rogue nations,” the list of scrutinized entities includes some mainstream international companies. For example, according to the Texas Government Code, companies engaged in scrutinized business operations in Iran include UK-based Lloyd’s Banking Group, Italian and Spanish telecommunications operators Telecom Italia and Telefonica, mining company Glencore, and Korean automaker Hyundai.

UTIMCO said that as a fiduciary, it already complies with US sanctions laws that prohibit investments in sanctioned companies, and with the investment policies approved by the UT System Board of Regents. The firm said the new additional procedures will extend the same prohibitions to scrutinized entities.

“UTIMCO’s prudent investment decisions demonstrate not only legal compliance with US law,” Jeffery Hildebrand, chairman of the UTIMCO board of directors, said in a release, “but high ethical and fiduciary standards as it proactively considers divesting from companies that are closely connected with sanctioned companies.”
