Cybersecurity Program

At TIAA, customer data security is a top priority and we combine technology, people and processes to protect our customers and their personal information. In light of this, we comply with both state and federal regulations and industry guidelines.

TIAA’s Cybersecurity Program relies on layers of security and seeks to prevent, protect and resolve issues relating to customer personal information. It includes physical, administrative and technological controls to:

  • Protect the security and confidentiality of client information of the TIAA companies;
  • Defend against anticipated threats or hazards to the security or integrity of client information and business information of TIAA; and
  • Protect against unauthorized access to or use of client information that could result in substantial harm or inconvenience to any client.

What does TIAA do to protect my data?

Policies and Standards: The TIAA Code of Business Conduct and enterprise-wide cybersecurity-related policies and standards guide the actions and activities of the TIAA workforce. Our cybersecurity policies and standards are based on regulatory guidance and industry standards that require controls to minimize risks to customer information, including the Federal Financial Institutions Examination Council (FFIEC) booklets, the International Organization for Standardization / International Electrotechnical Commission standard ISO/IEC 27002, the National Institute of Standards and Technology (NIST), and the Payment Card Industry (PCI) standards, as applicable. We have designated individuals who are responsible for implementing, maintaining and improving our Cybersecurity Program.

Risk Assessments: TIAA’s IT Risk Assessment Team operates within the enterprise risk framework and executes the assessment methodologies to inform stakeholders of conditions that introduce risk into the business. IT Risk Assessments are currently performed for suppliers and projects.

Training and Awareness: TIAA requires Information Security training be provided to all new hires and all TIAA employees annually. Managers are required by policy to allocate sufficient on-the-job time for employees to complete this training. Managers must also provide ongoing reinforcement and awareness to remind employees of their information security obligations.

Employee Compliance: Employees are required to comply with existing policies and standards, and face disciplinary action for non-compliance.

Third Party Service Providers: All third party service providers are subject to a security assessment process prior to receiving, accessing, storing or processing confidential company or client information and then at least bi-annually thereafter. Third party service providers are contractually required to implement information security safeguards to protect our information according to our standards and applicable law.

Access: Physical and electronic access is granted on a need-to-know basis, which means only the minimum level of access required for users to successfully complete their job functions should be granted. Access will only be provisioned after users and devices have had their identity properly verified and authorized. All access levels and permissions are regularly reviewed in accordance with TIAA policies and standards to ensure that the access granted to users is consistent with the users’ current job role. Any alteration to a user’s access must go through an approval process. Access rights are terminated for employees who are no longer with TIAA.

Encryption: TIAA requires encryption of laptops and portable devices as well as electronic transmission of client information outside the enterprise.

Storage and Transportation: TIAA extends its access and other security policies to information being transported and/or stored.

Patch Management, Anti-Virus and Malware, Firewalls: TIAA requires that systems containing company and client information be maintained with reasonably up-to-date security patches, including anti-malware and antivirus software that receives updates on a regular basis. In addition, our network is protected by firewalls.

Monitoring: TIAA has 24x7 monitoring of information traveling on our network via Web browsing or email.

Oversight: TIAA is regularly monitored by internal auditors, external auditors, and regulatory bodies for compliance with privacy and cybersecurity laws, regulations and industry best practices.

Online Controls: Secure Sockets Layer (SSL) is a type of encryption that provides a secure connection, allowing you to transmit private data securely. Extended Verification checks daily for malware and vulnerabilities on our site. TIAA uses SSL in combination with Extended Verification to verify our site’s identity and keep your information safe. You’ll know your information is safe when you see green or a padlock in the address bar. Online sessions will end after 20 minutes to ensure no one can access your accounts if you leave your computer unattended.

Authentication: When you are accessing data electronically, we block your account after a certain number of failed login attempts. If you try to log in on a computer we don’t recognize, we will ask you to verify your identity. We will require multifactor authentication to verify your identity during important account changes and financial transactions, whether they are made online or over the phone. We will also send you an email alert when changes are made to your personal information.

Financial Fraud Oversight: TIAA has an Enterprise Financial Crime Prevention program that handles all suspected unauthorized financial activity. Any customer or participant who reports such activity will be referred to this program.