At TIAA, customer data security is a top priority and we combine technology, people, and processes to protect our customers and their personal information. In light of this, we comply with both state and federal regulations and industry guidelines.
TIAA’s Cybersecurity Program relies on layers of security and seeks to prevent, protect, and resolve issues relating to customer personal information. It includes physical, administrative, and technological controls to:
- Protect the security and confidentiality of client information of the TIAA companies;
- Defend against anticipated threats or hazards to the security or integrity of client information and business information of TIAA; and
- Protect against unauthorized access to or use of client information that could result in substantial harm or inconvenience to any client.
What does TIAA do to protect my data?
Policies and Standards: Our Cybersecurity policies and standards are based on regulatory guidance and industry standards that require controls to minimize risks to customer information. These include, as applicable, the Federal Financial Institutions Examination Council (FFIEC) booklets, International Organization for Standardization / International Electrotechnical Commission (ISO/IEC 27002), and National Institute of Standards and Technology (NIST). We have designated individuals who are responsible for implementing, maintaining, and improving our Cybersecurity Program.
Risk Assessments: TIAA’s IT Risk Assessment Team operates within the enterprise risk framework and executes the assessment methodologies to inform stakeholders of conditions that introduce risk into the business. IT Risk Assessments are currently performed for applications, infrastructure, projects and suppliers.
Employee Compliance: Employees are required to comply with existing policies and standards, including TIAA’s Code of Business Conduct, and face disciplinary action for non-compliance.
Access: Physical and electronic access is granted on a need-to-know basis, which means only the minimum level of access required for users to successfully complete their job functions is granted. Access will only be provisioned after users and devices have had their identity properly verified and authorized. All access levels and permissions are regularly reviewed in accordance with TIAA policies and standards to ensure that the access granted to users is consistent with the user’s current job role. Alteration to a user’s access must go through an approval process. Access rights are removed for employees who are no longer with TIAA.
Encryption: TIAA-issued laptops and mobile devices employ whole-disk encryption and require valid user login credentials to operate. Remote access to our systems also requires valid user login credentials, as well as two-factor authentication.
The organization routinely updates its computing environment with security patches, virus protection, and other similar safeguards to address identified risks.
Patch Management, Anti-Virus and Malware, Firewalls: TIAA requires that systems containing company and client information be maintained with reasonably up-to-date security patches, including anti-malware and antivirus software that receives updates on a regular basis. In addition, our network is protected via firewalls.
Oversight: TIAA is regularly monitored by internal auditors, external auditors, and regulatory bodies for compliance with privacy and cybersecurity laws, regulations and industry best practices.
Authentication: When you contact us to access your accounts, we perform a number of security checks to help us determine that it is you who is trying to access your accounts. Several factors are used to determine if we will ask for additional verification. We offer, and recommend that all of our customers use, the strongest forms of verification we have available. For the phone, we suggest you enroll in Voice Biometrics; for the Web, we recommend you set your security preferences to prompt you to enter a code we send to your phone; and for your mobile device, we recommend you use any biometric capability you may have on your phone. Thank you for being a valued customer of TIAA and helping us help you be more secure!
Financial Fraud Oversight: TIAA has an Enterprise Financial Crime Prevention program comprised of multiple specialty units that handle all suspected unauthorized financial activity. Any customer / participant who reports such activity will be referred to the appropriate unit based on the facts and circumstances of the issue.