Independent lawyer finds no security risks with TIAA accounts


Cyber security and legal experts assured members of the Benefits and Welfare committee on Oct. 5 that there are no immediate cyber security risks to employee retirement accounts and that multiple safeguards are in place to protect employees’ investments.

Matthew Clyde, an attorney with Cozen O’Connor specializing in employee benefits, provided legal analysis and historical background for Pitt’s retirement investment funds.

Ron Barthel, a business information security officer with the Teachers Insurance and Annuity Association of America-College Retirement Equities Fund (TIAA), and Jay Mahoney, a senior account representative for TIAA, gave members background on TIAA’s cyber security operation and the steps it takes to ensure investments are secured.

These presentations come after Gunduz Caginalp, a professor in the Department of Mathematics, raised several concerns in a previous committee about the handling of employee retirement funds. He said Pitt employees' Vanguard Group custodial accounts have been converted into annuities without consent. This, he said,  violates an agreement that faculty and staff signed. As a result, the funds Pitt deducts from employee salaries will be placed into a Vanguard account, he said.

Caginalp also submitted six documents to the committee that discuss this topic.   

John Kozar, assistant vice chancellor of University benefits, hired Clyde to address these concerns and analyze TIAA’s business practices.

In Clyde’s analysis, he found that TIAA, the TIAA Bank (TIAA FSB) and its other entities are highly regarded credit agencies.

TIAA has an agreement with the University and its employees to abide by several legal protections, and TIAA FSB has contractually agreed to not use employee investments “improperly” or as collateral.

Additionally, TIAA has agreed to compensate the University if assets are somehow lost because of TIAA’s negligence or employee misconduct.

This also applies to TIAA FSB if an employee with the organization is negligent or commits fraud, he added.

“There’s a lot of protections in place,” Clyde said. “And in reviewing the trust agreement, the custodian agreements, I feel fairly confident that we’ve got all the protections we need legally,  and even beyond what we need legally, to protect the participants.”

At the end of his analysis, Clyde made a series of recommendations for the University, including:

  • Don’t push participants into any particular investment.

  • Make sure participants understand that they do not have to invest in an annuity.

  • Revisit the amount of the University’s breach of fiduciary duty insurance, which has $10 million in coverage. This may not be enough in the event something goes wrong with an employee’s investments, and they decide to sue the University.

Following Clyde’s presentation, Barthel told members that TIAA takes cyber security seriously, especially as the internet landscape continues to evolve.

TIAA’s cyber security practices are closely aligned with Department of Labor guidelines, he said, which offer a strong layer of security.

Additionally, employees of TIAA’s global security operation, based in Charlotte, N.C., run a tight ship, working 24/7 to monitor and respond to potential cyber security threats.

After the presentations, Caginalp thanked the presenters but said none of his concerns outlined in the documents he submitted had been addressed. The lawyer said he was "unaware" of the documents.

Clyde said that the risk of fraud will always remain, no matter who handles the investments.

“I don’t think that TIAA presents any special risks that any other custodian wouldn’t also present,” Clyde said.

Linda Tashbook, chair of the Benefits and Welfare Committee, said Clyde provided members with valuable information.

“I thought that Mr. Clyde, the neutral outside legal counsel, did a masterful job of demonstrating that all of the separate TIAA entities in their various capacities are fully compliant with all of their legal obligations, highly regarded among experts, and at least as secure as any other firm that manages investments and institutional investment record-keeping,” Tashbook said in an email after the meeting.

Correction: A previous version of this article said Caginalp's concerns at a previous meeting were about how TIAA and its various entities handle employee investments in the event of fraud. The story has been updated to reflect that Caginalp's said his main concern was that Pitt employees' vanguard custodial accounts have apparently been converted into annuities without consent. 

Donovan Harrell is a writer for the University Times. Reach him at or 412-383-9905.


Have a story idea or news to share? Share it with the University Times.

Follow the University Times on Twitter and Facebook.