The Capital Insider – Claire Withycombe
SALEM — The state’s public pension agency isn’t prepared for a major disaster like an earthquake or flood, and Oregonians’ personal information could be at risk if the agency doesn’t do more to protect its systems from attacks, state auditors say.
More than 365,000 Oregonians are in the Public Employees Retirement System, which pays about $310 million in pensions every month.
The long-criticized system is facing $25.3 billion in unfunded retirement obligations, making it a perennial point of contention in the Legislature and on the campaign trail.
But a report released Wednesday by Secretary of State Dennis Richardson said PERS is also beleaguered by a lack of planning for critical information technology projects.
Auditors found that the agency couldn’t restore its IT systems after a disaster.
A major disaster — depending on how long critical systems are unavailable — could threaten the agency’s ability to issue payments on time or to the right people.
It could also mean that critical information is lost.
The agency keeps back-up tapes stored a mile and a half away from the PERS headquarters. In a natural disaster like the Cascadia earthquake, that information would likely also be destroyed. PERS now says it will arrange a backup in the cloud by next June.
The audit said PERS hasn’t tested its disaster recovery plans and has yet to comply with directives from the Legislature to improve disaster recovery planning.
The Legislature allocated $1.65 million to shore up the pension agency’s disaster planning.
As of July, according to the audit, the agency has spent $22,000 – for a consultant’s report.
And PERS has been told before to fix such gaps.
“Over the last several years, work on disaster recovery has often started and stopped with little continuity or sustained effort,” auditors wrote.
In 2015, the Legislature flagged the agency’s inability to respond to a disaster.
About a year later, Gov. Kate Brown put a budget request from PERS on hold because it hadn’t done enough to address the Legislature’s concerns. Brown’s office was also concerned that PERS didn’t share a consultant’s findings about inadequate information security at PERS with her office, according to the audit.
The audit also said the agency could make member information more secure by better monitoring who has access to personal data.
PERS can also do a better job updating software. Attackers tend to target systems that have known gaps in security, auditors said.
The agency may also need to overhaul its information management because the current system — which was finalized in 2010 — is hard to modify and doesn’t do everything the agency needs, according to the audit.
The agency has struggled to recruit and retain skilled information technology workers, instead relying heavily on contractors. PERS spends about 25 percent of its IT budget on contractors.
PERS didn’t dispute the findings and its director, Kevin Olineck, promised action.
“The PERS mission is to pay the right person, the right benefit, at the right time, and the functionality of our technology systems and disaster preparedness planning are key to that mission,” Olineck wrote to auditors.
Olineck said the agency would implement most of the audit’s recommendations by next June.