Security Policies

We protect your information in many ways—from ensuring that our buildings are secure, to proactively preparing for disasters and business interruptions, to using secure computing practices. Safeguarding your information’s confidentiality, integrity, and availability is one of our highest priorities.

The information for the accounts you have with the Principal Financial Group® is kept secure and confidential through multiple security features and procedures.

Our online security features help protect data

The account information you request from our website can only be accessed with your username, password, and login image and phrase. It is your responsibility to keep your login information confidential.

  • Do not disclose your login information to anyone. Our employees and associates will never ask you for your password.
  • If you write your login information down, keep it in a safe place where others can't see it.
  • Contact us immediately to change your login information if you suspect someone has discovered it.

Information you submit through our website, as well as the information we send back to you while you are visiting our website, is protected using strong encryption ("scrambling" to make it incomprehensible) when necessary. Our secure server software encrypts information, ensuring that Internet communications through our website stay private and protected.

To allow you to process transactions on our website, we use cookies. See what types of information we collect by using cookies and spotlight tags.

Your account information is not permanently stored on our web server. The information only resides on our web server while you are viewing the information. It is, however, permanently stored on our secured corporate computer systems and retained according to our company record retention policy.

Security software keeps information private

To ensure the security of your confidential account information, we use proven security software to encrypt the information before it is transmitted through the Internet. We only allow confidential information to be submitted for transmission if your browser is compatible with Transport Layer Security (TLS), our security software. If your browser is not compatible, you will receive a message indicating your transaction cannot be completed because of the security risk.

TLS establishes a secure connection between two parties (e.g., your browser and our web server). It is used to implement HTTPS, the secure version of HTTP, and is an open technology supported across various browsers (e.g., Microsoft Internet Explorer). We require that you use a TLS-enabled browser to communicate with the secure area of our site. You know you are visiting the secure area of our site when the URL begins with "https://".

We recommend using the most current browsers that support the latest encryption technology, to ensure a high level of security.

In addition to protecting communications between your browser and our server, TLS is also used to protect communications between our web server and our mainframe system. We have also implemented a firewall to protect all of our systems that are not part of the Internet from intrusion.

Encryption

The Principal-owned laptops and desktops are encrypted. All confidential data in transmission is encrypted. Encrypted data is transmitted via secured connections, such as:

  • HTTPS (HTTP over TLS)
  • Secure File Transfer Protocol (SFTP) over the Internet
  • Pretty Good Privacy (PGP) encryption via SFTP

Security protocols also help protect your data

Customer access to web and mobile applications requires the use of unique usernames and strong passwords. The Principal uses adaptive authentication systems to evaluate your location at the time of authentication and monitor historical patterns of login locations. We also use additional login security features, including:

  • Login image and phrase
  • Security questions and answers
  • Timed log-off

We limit access to your company data

The Principal has a formal, documented process to grant and revoke access to company resources (systems, data, mobile, etc.) that is supported by administrative, technical, and physical controls. Access is restricted to those with a business need. Our employees may not access or disclose personally identifiable information for any reason except as authorized for company-related business purposes.

Other ways we protect your information

Our security program: safeguarding your information

The Principal has a comprehensive written Information Security Program that safeguards information against unauthorized or accidental modification, disclosure, fraud, and destruction.

  • Security policies, standards, and procedures are documented and available to our employees.
  • Collection of personal information is limited to business need and protected based on its sensitivity.
  • Employees are required to complete privacy, security, ethics, and compliance training.
  • Work area assessments are completed to ensure protection of customer information and compliance with company policy.
  • Risk management processes and procedures are documented and communicated.

Business Continuity (BC) and Disaster Recovery (DR) Programs

We also have a BC and DR program. Critical business functions, processes, and supporting applications have been identified and are regularly reviewed. Appropriate response and recovery plans have been developed. Testing is completed annually.

We use professional best practices established by the Disaster Recovery Institute International as the basis for the program. The technology recovery plan leverages geographically distant data centers, while the incident management process facilitates response and recovery activities by appropriately implementing plans if a disruptive event occurs.

Antivirus protection

All servers and workstations have antivirus software installed, and updates to definitions are applied frequently. Our information technology managers review recurring reports to ensure compliance levels are met.

Patch management

Updates, patches, and fixes are quickly communicated to affected areas to address critical security issues. Systems are consistently monitored to identify vulnerabilities and threats and updated when needed.

Incident management

We have detailed processes to track, manage, and resolve all incidents. All incidents are investigated. If a data security incident is discovered, a response plan is promptly initiated and thoroughly executed. We adhere to all applicable state and federal disclosure laws.

Cyber security insurance

The Principal has cyber security insurance. Our policy provides Network Security and Privacy Liability insurance coverage. It includes any network security or privacy event discovered during the policy period affecting a majority-owned member company of The Principal and events originating from our third-party service providers.

Industry collaboration

The Principal is a member of the Financial Services–Information Sharing and Analysis Center (FS-ISAC). FS-ISAC is an industry forum for collaboration on critical security threats facing the global financial services industry.

Vetting third-party service providers

The Principal has a defined Supplier Management Program, which includes processes for vetting, selecting, and monitoring third-party service providers. Third-party security profiles are completed when certain types of data are provided to and/or stored at a third-party location. A separate detailed risk assessment is completed if the third party is granted access to our networks, systems, or data.

Additional security practices

  • Call centers have procedures in place to help validate the identity of callers.
  • Social Security numbers are eliminated from all correspondence, unless legally required.
  • Regular training is conducted with our employees on how to detect fraudulent activities.
  • Strict standards that limit access to data are followed.
  • Regular testing of our security technology is performed.

If you have questions or comments regarding any of our security policies, procedures, or practices, please contact us.

You can help protect your data, too

In addition to the steps we take to secure your account information, your actions play a big part in protecting your data, too. 

Protect your account numbers, PINs, and passwords

  • Never share your PINs, usernames, or passwords with anyone. Be cautious of emails or individuals who ask for this information. We will never ask for your personal password via email or telephone.
  • If you do need to write down login information, put it in a safe and secure place. Don’t carry this information in your wallet.
  • Identify one secure location in your home to store all of your financial records.
  • Shield the keypad with your hand or body while entering your PIN at an ATM.
  • Always wait for all ATM and credit card receipts. Do not leave them at the ATM or store counter.
  • Change all passwords regularly. Use a mix of numbers and characters—never use common words or phrases. Your password is more secure and harder for criminals to guess if you include a special character, like an asterisk or an exclamation point.
  • Review and balance your account statements on a regular basis. Watch for any transactions showing unfamiliar payees and amounts you do not recognize. If you have online access to your accounts, including your accounts with The Principal, review the activity in these accounts on a regular basis.

Log out of websites

After you sign into a website, remember to sign out. It's an easy step you can take to ensure your information doesn't end up in the wrong hands.

Check your credit report regularly

We recommend checking your credit rating regularly with each of the 3 major credit bureaus. Consider ordering a credit report from 1 of the 3 nationwide consumer-reporting companies every 4 months. By rotating from 1 agency to the next, you can have year-round monitoring.

If you have joint credit with your spouse, you can alternate between you and your spouse and between the 3 consumer-reporting companies to check your credit report every other month.

An amendment to the federal Fair Credit Reporting Act (FCRA) requires each of the nationwide consumer-reporting companies to provide you with a free copy of your credit report, at your request, once every 12 months. Go to www.annualcreditreport.com to request your report. Additional information, including your credit score, will cost extra, but the credit report itself is free.

A credit report contains information on where you live, how you pay your bills, and whether you've been sued, arrested, or filed for bankruptcy. Nationwide consumer-reporting companies sell the information in your report to creditors, insurers, employers, and other businesses that use it to evaluate your credit.

Choose a secure password

  • Do not use the same password on other websites that you use for more sensitive, secure sites, such as your online banking account. If other sites are not secure, your password could be compromised.
  • Choose passwords that are not a duplicate of other personal information (e.g., Social Security number, birth date, etc.).
  • Choose a password that is easy for you to remember, but difficult for others to guess. Do not use information about yourself that others can easily find out.
  • Use at least 8 characters, and vary the types of characters in your passwords, if possible. Using combinations of capital letters, numbers, and special characters makes passwords much more difficult to figure out. If possible, use more than 8 characters to increase password complexity.
  • Using a mobile device? We highly recommend setting a device passcode/password of at least 6 characters on your device.

If you experience fraud or suspect a breach of an account

Call our fraud hotline at 800-642-3788 or report unethical or fraudulent activity online.