A report by the New York State Department of Financial Services on Aug. 20 criticized the information technology systems of the New York State Common Retirement Fund, saying the systems' “deficiencies … would create significant risks for any large institution” and that the $158.7 billion Albany-based pension fund “has not taken adequate steps to address these deficiencies.”
Eric Sumberg, a spokesman for state Comptroller Thomas DiNapoli, who is sole trustee of the pension fund, disputed the findings.
“New York state retirees and taxpayers are not at risk,” Mr. Sumberg said in a prepared statement.
“We have long been aware of the need to modernize our legacy information technology system. In 2012, following a lengthy procurement process, a contractor was selected and work has begun to overhaul this system, a fact that examiners chose not to highlight in their report.”
Mr. Sumberg declined to comment beyond the written statement.
The report by the Financial Services Department said: “The deficiencies in the CRF's technology infrastructure, disaster recovery planning (for protecting data) and IT auditing would create significant risks for any large institution, particularly a nearly $160 billion public pension system that holds the highly sensitive information and important assets of many New Yorkers.”
The report added that “the CRF has not taken adequate steps to address these deficiencies. They must be addressed immediately.”
The Financial Services Department reviewed the pension fund's information technology systems for the five-year period from April 1, 2006, through March 31, 2011.
“In a world of high-tech hackers and high-frequency trading, a nearly $160 billion pension fund is being managed with computer code from the 1950s and hardware from the 1980s,” Benjamin M. Lawsky, superintendent of financial services, said in a news release announcing the report's findings.
Mr. Lawsky's office will propose new regulations requiring all New York public pension systems “to have IT governance, risk management and internal controls in place in order to ensure IT systems are operated and maintained securely and efficiently,” the news release said.
“In particular, the regulation will require the adoption of policies to protect sensitive information; the appointment of an information security officer; the establishment of an internal IT audit unit; and annual IT assessments, penetration testing, and disaster recovery testing,” the news release said.
In his statement, Mr. Sumberg wrote the comptroller's office will present a detailed response to the report in a few days. “Many of the conclusions of this report are either incorrect, exaggerated or misleading,” he wrote.