Cybersecurity Program

At TIAA, customer data security is a top priority and we combine technology, people, and processes to protect our customers and their personal information. In light of this, we comply with both state and federal regulations and industry guidelines.
 
TIAA’s Cybersecurity Program relies on layers of security and seeks to prevent, protect, and resolve issues relating to customer personal information. It includes physical, administrative, and technological controls to:
  • Protect the security and confidentiality of client information of the TIAA companies;
  • Defend against anticipated threats or hazards to the security or integrity of client information and business information of TIAA; and
  • Protect against unauthorized access to or use of client information that could result in substantial harm or inconvenience to any client.

What does TIAA do to protect my data?

Policies and Standards: Our Cybersecurity policies and standards are based on regulatory guidance and industry standards that require controls to minimize risks to customer information. These include, as applicable, the Federal Financial Institutions Examination Council (FFIEC) booklets, ISO/IEC 27002 (International Organization for Standardization / International Electrotechnical Commission), and National Institute of Standards and Technology (NIST) publications. We have designated individuals who are responsible for implementing, maintaining, and improving our Cybersecurity Program.

Risk Assessments: TIAA’s IT Risk Assessment Team operates within the enterprise risk framework and executes the assessment methodologies that inform stakeholders of conditions introducing risk into the business. IT Risk Assessments are currently performed for applications, infrastructure, projects, and suppliers.
 
Training and Awareness: TIAA requires that Information Security training be provided to all new hires and to all TIAA employees annually. The Cybersecurity Awareness program runs a continuous cycle of phishing awareness campaigns. In addition, we provide targeted training to employees based on their role or on at-risk behaviors. The Awareness program also includes regular communications and events that remind employees of their security responsibilities. Training completion is monitored, recorded, and reported to management.
 
Employee Compliance: Employees are required to comply with existing policies and standards, including TIAA’s Code of Business Conduct, and face disciplinary action for non-compliance.
 
Third Party Service Providers: TIAA has a supplier risk management program. Third party service providers are subject to an information security assessment process prior to receiving, accessing, storing or processing confidential company or client information and then on a regular basis thereafter. Third party service providers are contractually required to implement information security safeguards to protect our sensitive information according to our standards and applicable law.

Access: Physical and electronic access is granted on a need-to-know basis, which means that only the minimum level of access required for users to successfully complete their job functions is granted. Access is provisioned only after the identity of the user and device has been properly verified and the access has been authorized. All access levels and permissions are regularly reviewed in accordance with TIAA policies and standards to ensure that the access granted to users is consistent with each user’s current job role. Any alteration to a user’s access must go through an approval process. Access rights are removed for employees who are no longer with TIAA.
 
Encryption: TIAA-issued laptops and mobile devices employ whole-disk encryption and require valid user login credentials to operate. Remote access to our systems also requires valid user login credentials, as well as two-factor authentication.
 
The organization routinely updates its computing environment with security patches, virus protection, and other similar safeguards to address identified risks.
 
Storage and Transportation: All electronic media, whether in transit or vaulted, is subject to physical and logical controls that safeguard critical data.
 
Patch Management, Anti-Virus and Malware, Firewalls: TIAA requires that systems containing company and client information be maintained with reasonably up-to-date security patches and with anti-malware and antivirus software that receives updates on a regular basis. In addition, our network is protected by firewalls.
 
Monitoring: TIAA has 24x7 monitoring of information traveling on our network via web browsing or email and utilizes best-of-breed, enterprise-wide malware protection. Our Cybersecurity policies and standards require that all systems connected to the TIAA network have reasonably up-to-date firewall protection, virus definitions, and operating system security patches designed to maintain the integrity of data. All laptops utilize full-disk encryption, and all mobile devices utilizing BlackBerry Work have the BlackBerry container (data) fully encrypted. Cybersecurity monitors for new vulnerabilities announced by vendors and researchers, and notifies internal stakeholders of the need to apply patches.
 
Oversight: TIAA is regularly monitored by internal auditors, external auditors, and regulatory bodies for compliance with privacy and cybersecurity laws, regulations, and industry best practices.
 
Online Controls: Secure Sockets Layer (SSL) is an encryption protocol that provides a secure connection, allowing you to transmit private data securely. Extended Verification checks our site daily for malware and vulnerabilities. TIAA uses SSL in combination with Extended Verification to verify our site’s identity and keep your information safe. You’ll know your information is safe when you see green or a padlock in the address bar. Online sessions end after 20 minutes to ensure that no one can access your accounts if you leave your computer unattended.
 
Authentication: When you contact us to access your accounts, we perform a number of security checks to help us confirm that it is you who is trying to access your accounts. Several factors are used to determine whether we will ask for additional verification. We offer, and recommend that all of our customers use, the strongest forms of verification we have available. For the phone, we suggest you enroll in Voice Biometrics; for the Web, we recommend you set your security preferences to prompt you to enter a code we send to your phone; and for your mobile device, we recommend you use any biometric capability your phone provides. Thank you for being a valued customer of TIAA and for helping us help you be more secure!
 
Financial Fraud Oversight: TIAA has an Enterprise Financial Crime Prevention program composed of multiple specialty units that handle all suspected unauthorized financial activity. Any customer or participant who reports such activity will be referred to the appropriate unit based on the facts and circumstances of the issue.