TIAA REAL ESTATE ACCOUNT 10-K Cybersecurity GRC - 2024-03-14

Page last updated on July 16, 2024

TIAA REAL ESTATE ACCOUNT reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 12:27:02 EDT.


10-K filed on 2024-03-14

TIAA REAL ESTATE ACCOUNT filed a 10-K at 2024-03-14 12:27:02 EDT
Accession Number: 0001628280-24-011115

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. TIAA, on behalf of the Account, has a program and formal processes in place to assess, identify, and manage material risks from cybersecurity threats. The Account’s business is dependent on the communications and information technology (“IT”) systems of TIAA and other third-party IT service providers to TIAA. TIAA, with support from certain of its subsidiaries, manages the Account’s day-to-day operations and has implemented a cybersecurity program that applies to the Account. The Account depends on and engages various third parties and service providers, including suppliers, custodians, transfer agents, property management companies, and joint venture partners, to operate its commercial real estate and investment business. The Account relies on the expertise of risk management, legal, information technology, and compliance personnel of TIAA when identifying and overseeing risks from cybersecurity threats associated with the Account’s use of such entities. Cybersecurity Program Overview TIAA has instituted an enterprise cybersecurity program designed to identify, assess, and mitigate cyber risks applicable to TIAA, the Account, and other products, subsidiaries and affiliates of TIAA and their respective third party service providers. This cyber risk management program is integrated into TIAA’s overall risk management program. It involves risk assessments, implementation of security measures, and ongoing monitoring of systems and networks, including networks on which the Account relies. TIAA relies on its internal subject matter experts and external experts, as needed, including but not limited to cybersecurity assessors, consultants, and auditors, to evaluate cybersecurity measures and risk management processes, applicable to the Account and other products, subsidiaries, and affiliates of TIAA. TIAA actively monitors the current cyber threat landscape in an effort to identify material risks arising from new and evolving cybersecurity threats, including material risks faced by the Account in connection with its day-to-day commercial real estate, investment, and other operations. Board Oversight of Cybersecurity Risks The Board provides strategic oversight on cybersecurity matters, including risks associated with cybersecurity threats. The Board receives periodic updates from TIAA’s Cybersecurity leadership regarding the overall state of TIAA’s cybersecurity program, information on the current threat landscape, and risks from cybersecurity threats and cybersecurity incidents impacting the Account. 35 Management’s Role in Cybersecurity Risk Management TIAA’s management, including its Chief Information Security Officer, is responsible for assessing and managing material risks from cybersecurity threats to the TIAA organization, including the Account. TIAA’s Chief Information Security Officer and cybersecurity leaders have significant expertise in this area, including in IT and cybersecurity engineering as well as cybersecurity leadership experience in other major financial institutions. Management of the Account is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents impacting the Account, including through the receipt of notifications from third party service providers and reliance on communications with cybersecurity, risk management, legal, IT, and/or compliance personnel of TIAA. Assessment of Cybersecurity Risk The potential impact of risks from cybersecurity threats on the Account are assessed on an ongoing basis, and how such risks could materially affect the Account’s business strategy, operational results, and financial condition are regularly evaluated. TIAA maintained appropriate cyber security policies and procedures during the 12-month period covered by this report and there were no material cybersecurity issues that affected the Account. Cybersecurity risk remains heightened to the financial industry, including the Account, and a failure in or breach of our systems or infrastructure, or those of a material third party or service provider, could cause disruption and adversely impact the Account’s operations and performance. TIAA continues to invest in its cybersecurity program to protect against emerging threats, including threats against third parties and service providers. 36

Company Information

SIC DescriptionReal Estate
CategoryNon-accelerated filer
Fiscal Year EndDecember 30