Northwestern Mutual takes the privacy and security of your personal information seriously. It is our mission to protect our clients' information and maintain their trust through delivery of innovative cybersecurity and risk management services.
Northwestern Mutual's cybersecurity and risk program includes the safeguards described below.
Program safeguards: The security and privacy of clients' confidential information are important to Northwestern Mutual. The company takes its responsibility to protect this information seriously and uses technical, administrative, and physical controls to safeguard its systems and data. The following are just some of the ways the company keeps client information safe.
Technical: Northwestern Mutual uses layers of technical controls to protect its clients' information:
- Endpoint protection: The company employs a comprehensive endpoint protection program, beyond traditional antivirus. This includes threat protection and response mechanisms to safeguard against evolving threats.
- Email security: The company utilizes a suite of solutions capable of detecting and mitigating not only spam, phishing, and fraud attempts but also advanced malicious email-based threats.
- Encryption by default: The company adopts strong encryption algorithms for both data-in-transit and data-at-rest.
- Next-generation firewalls: The company leverages robust next-generation firewalls (NGFW) technologies providing deep packet inspection, intrusion prevention, and threat protection.
- 24/7 Continuous monitoring and incident response: The company operates a Cyber Defense & Threat Operations organization dedicated to monitoring and responding to threats facing the organization.
- Regular penetration testing: The company uses internal and external resources to continually assess and improve its preventive controls and its detective capabilities.
- Product security: The company prioritizes the security of its products and services through a series of solutions aimed at identifying and correcting vulnerabilities throughout a product's lifecycle, including code and operating system (OS) scanning, cloud security enforcement, and runtime protections.
Administrative: Northwestern Mutual supplements its technical controls with processes, procedures, and policies to further protect its clients' information:
- Authentication: The company requires multiple authentication factors to verify the identity of persons requesting policy, contract, or account information. A customer's right to policy, contract or account information follows state and federal regulations based on their role with the policy, contract or account.
- Authorization: Access to company systems is granted on a business-need-to-know basis. Only those people who need access to a given system and its information to accomplish their job responsibilities receive that access.
- Change control: The company uses a change control process to help ensure all changes to company systems maintain the confidentiality, integrity, and availability of those systems.
- Corporate governance: The company has a strong governance process with multiple committees supporting information protection initiatives.
- Cybersecurity exercises and business continuity planning: The company maintains a comprehensive business continuity plan and conducts periodic cybersecurity tabletop and functional exercises and threat simulations to identify areas of program strength and opportunities for improvement.
- Privacy notices: Northwestern Mutual uses privacy notices to communicate how it collects, uses, shares, retains, and protects personal information. For more information, visit: northwesternmutual.com/privacy-notices/.
- Internal and external IT auditors: The company's internal and external auditors regularly review and assess the company's information technology systems and operations.
- Records and information management and sanitization: The company maintains a records and information management program that manages the lifecycle of the company's information, including adherence to regulatory requirements and secure disposal of confidential information.
- Risk assessments: The Company has multiple departments that specialize in identifying and mitigating risks through risk assessment processes. These departments include Information Risk Management, Privacy, Enterprise Risk Assurance, Financial Management, and Enterprise Risk Management.
- Security assessments: Security assessments are a key component of our information protection program. We execute a rigorous process to evaluate technology solutions against common security standards and controls.
- Security awareness: The company recognizes that end users are a critical component of an effective information security and risk management program. The company provides employees and financial representatives with security education and training, such as ongoing security education articles and events, training in company policies and standards, and simulated phishing exercises. Information to help clients protect themselves is also available on this page.
- Separation of duties: The company separates specific job duties to prevent a conflict of interest when appropriate.
- Storage locations: The company maintains certain personal information on its own internal systems. It also uses service providers for the purpose of maintaining data. Service providers are only entrusted with data after successfully undergoing a due diligence review and having signed a contract requiring information to be protected and use of data restricted to Northwestern Mutual's business purposes.
- Threat monitoring & hunting: The company works with internal teams and third-party industry security organizations to proactively monitor its environment for existing and potential threats.
- Training and user behavior: All employees and financial representatives receive training on protecting confidential information, which is tailored to Company business needs, identified risks, and emerging threats.
- User access reviews: The company regularly reviews user access to company systems to help ensure users maintain an appropriate level of access to those systems.
Physical: Northwestern Mutual also protects its clients' information from physical harm and theft:
- Building and data center physical security: The company controls physical access to its buildings, data centers, and other facilities. Restricted access helps to ensure the confidentiality, integrity, and availability of company systems and physical assets within the company.
- Business continuity and disaster recovery planning: The company maintains and periodically tests defined business continuity and disaster recovery plans. These plans are designed to maximize the availability of company systems and information and recover from natural or human-made disasters as efficiently and effectively as possible.
- Redundancy: As part of its business continuity and disaster recovery plans, the company uses redundant infrastructure to ensure availability of company systems and client information.
Required legal policies/language
The company maintains written policies and standards for information protection. These policies and standards provide the foundation and guidance for the company's information security, privacy, and risk management program.
- Online Privacy Statement
- Customer Privacy Notice
- HIPAA Privacy Notice
- Responsible disclosure policy: We want to hear from security researchers ("You" or "Your") who have information related to suspected security vulnerabilities ("Vulnerability" or "Vulnerabilities") of any Northwestern Mutual services exposed to the internet. We value Your work and are committed to working with You. Please report Vulnerabilities to us in accordance with this Responsible Disclosure Policy.
General security hygiene & suggestions for staying safe
Protecting your NM account
Registering for online account access
- When you register for Northwestern Mutual online account access, we will require several pieces of personal information from you. This helps ensure that only you may register to access your own accounts. Avoid accessing your online accounts through publicly shared computers and Wi-Fi networks.
- Multi-factor authentication: The company adds an extra layer of protection to the northwesternmutual.com login process by requiring a security code in addition to the username and password. The security code is a unique, single-use number that the user receives by phone call, text message, or an authenticator app on their mobile device.
- A strong password is important to protect your online accounts. When you are selecting a password, keep the following tips in mind:
- Strong (good) passwords have the following characteristics:
- Contain both upper and lower-case characters (e.g., a–z, A–Z)
- Have digits and punctuation characters as well as letters (e.g., 0–9, !@#$%^&*)
- Fourteen (14) or more characters
- Not based on personal information, names of family, or important calendar dates
- Change passwords frequently.
- Consider using a password manager.
- Keep your new password private and change it immediately if someone else learns it or you believe it has been compromised in any way.
- Constructing a passphrase from a sentence or phrase makes a password easy to remember. A passphrase is a password made from a short sentence or a group of random words.
- Weak (bad) passwords have the following characteristics:
- Default password
- Contain fewer than eight (8) characters
- Common, easily guessed phrases (e.g. "Winter is coming")
- Common words, such as names of family, pets, friends, co-workers, fantasy characters, etc.
- The words "Northwestern Mutual" or any derivation
- Do not use Social Security numbers, words or numbers associated with easily attainable personal information, like birthdays, anniversaries, license plates, telephone numbers, or addresses.
- Do not use the same pattern for your passwords, such as smart1, smart2, etc.
- Any of the above spelled backward
- Any of the above preceded or followed by a digit (e.g., secret1 or 1secret).
- Do not use real names or your login name or any variation of it.
- Do not write down your password or share your password with anyone else.
- Do not reuse passwords. Make sure you use different and unique passwords for all of your online accounts. Reusing a single password for multiple websites is never a good idea. If a cybercriminal obtains your password, they may try to use it on other websites.
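As an added illustration (not code from this page or from Northwestern Mutual), the following Python function checks a candidate password against the rules listed above: length and character classes, the company name forwards or backwards, common words with a digit attached, personal information or the login name, and the "smart1, smart2" pattern. The word lists, personal terms and sample passwords are constructed for the example.

```python
import re
import string

# Constructed, illustrative lists; a real system would use far larger ones.
COMMON_WORDS = {"password", "secret", "letmein", "qwerty", "winteriscoming"}
COMPANY_TERMS = {"northwesternmutual", "northwestern", "nwmutual"}


def squash(text):
    """Lowercase and keep only letters and digits: 'Winter is coming!' -> 'winteriscoming'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def core(text):
    """squash() with leading/trailing digits removed, so 'secret1', '1secret' and 'secret' all match.
    All-digit input (a birth year, for example) is kept as it is."""
    s = squash(text)
    return s if s.isdigit() else s.strip(string.digits)


def forms(term):
    """The disallowed forms of a term: itself and spelled backwards (empty for an empty term)."""
    c = core(term)
    return {c, c[::-1]} if c else set()


def check_password(password, personal_terms=(), login_name="", previous=()):
    """Return the rules from the list above that the candidate breaks; an empty list means it passes."""
    failures = []
    if len(password) < 14:
        failures.append("shorter than 14 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        failures.append("missing upper- or lower-case letters")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not any(ch in string.punctuation for ch in password):
        failures.append("no punctuation character")

    s, c = squash(password), core(password)
    # Company name, forwards or backwards, anywhere in the password.
    if any(f in s for t in COMPANY_TERMS for f in forms(t)):
        failures.append("contains the company name or a derivation of it")
    # Common word or phrase, possibly reversed or with a digit stuck on either end.
    if c in COMMON_WORDS or c[::-1] in COMMON_WORDS:
        failures.append("common word or phrase, possibly reversed or with a digit attached")
    # Personal details and the login name (at least 4 characters, to avoid trivial matches).
    blocked = {f for t in [*personal_terms, login_name] for f in forms(t) if len(f) >= 4}
    if any(f in s for f in blocked):
        failures.append("based on personal information or the login name")
    # 'smart1' followed by 'smart2': same core as an earlier password is the same pattern.
    if any(core(p) == c for p in previous):
        failures.append("same pattern as a previous password")
    return failures


if __name__ == "__main__":
    for candidate in ("Correct-Horse-Battery-Staple-42", "smart2", "NorthwesternMutual2024!"):
        print(candidate, "->", check_password(candidate, personal_terms=["Rover"], previous=["smart1"]))
```

Rules that need context (personal details, the login name, earlier passwords) are passed in as arguments. Stripping the digits from both ends before comparing is what catches "secret1" and "1secret" with a single common-word list, and the all-digit special case keeps a birth year such as 1987 checkable.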
- Protecting your account: Be prepared to provide your account/policy number when reaching out to us to set up the following safeguards:
- Life, Disability Income and Annuity: You can request a password to be used to verify your identity when you call the home office.
- For Life and Disability Income Policies, call 1-800-388-8123.
- For Annuities, call 1-888-455-2232.
- Long-Term Care: You can request additional authenticators be added to verify your identity when calling about your policy by calling 1-800-748-9493.
- Investment Accounts: You can request a note or block be added to your account.
- For Northwestern Mutual Investment Services and Northwestern Mutual Wealth Management Company, including Trust and Private Client Services, call 1-866-950-4644 and ask for "investments".
Staying safe online
- Email hacking: Email hacking occurs when a cybercriminal illegally gains access to an individual's email account. This allows the hacker to read email messages and view the address book on the account. Using this information, the cybercriminal, appearing to be the individual, contacts the individual's financial institutions by email and tries to obtain funds. Learn about how to protect yourself at Email Hacking Fraud. When email hacking occurs, emails can be intercepted and deleted by the hacker, so the rightful sender and receiver no longer see legitimate email traffic. We recommend that you take the following actions to protect yourself:
- Never give your email address to anyone or any site that you do not trust.
- Never send personal or sensitive information in an unsecured email.
- Phishing: One of the most common ways cybercriminals trick their victims is through phishing. This occurs when a cybercriminal tries to get the victim either to reveal confidential information or to install malicious software (malware) on the victim's computer. A phishing attack can take many forms, although the most common is an email message.
- Identifying phishing messages: common phishing message characteristics and red flags include:
- Unsolicited email or attachments: Always regard unsolicited email or attachments as suspicious, even if the message appears to come from a known sender. The "From" address in emails can be easily faked. In addition, the sender's email account may have been hacked.
- Spoofing: Email spoofing refers to email messages that are sent with a forged sender address. The email is sent to look like it is from a known company or people such as your friend, relative, or co-worker, but the email is fake.
- If you receive an email asking for confidential information and demanding unusual or urgent action, be suspicious. Do not reply or use the contact details in the message; call the sender directly, using contact information you already have on record, to ask whether they sent the email.
- Generic greetings: Phishing messages often contain generic, non-personalized greetings both in the subject line and the message. Some legitimate messages may contain generic greetings, but a generic greeting should raise suspicions. It's important to note, though, that a personalized greeting in and of itself does not guarantee that a message is legitimate.
- Urgent or threatening language: Many phishing messages contain urgent or threatening language. Phishers often try to manipulate people's emotions. Don't fall for that trick. Take the time to examine unsolicited messages carefully.
- Awkward grammar or spelling errors: Awkward grammar or spelling errors may be signs of phishing messages. However, don't assume that polished, professional-looking messages are necessarily legitimate.
- Tricky links: Always be suspicious of links in unsolicited messages. The web address displayed in the message can be easily faked. Hover the mouse pointer over the link on a computer or long-press the link on a mobile device to preview the actual link address.
- Never send personal or sensitive information in an unsecured (unencrypted) email.
- Never make a purchase from an unsolicited email. Not only can an email user fall prey to a potentially fraudulent sales scheme, but their email address may be added to email lists sold within the spamming community, further compounding the number of unsolicited emails the user receives.
- Phishing resources: To learn more about phishing and handling phishing messages, see the Federal Trade Commission (FTC) website.
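The mismatch between the address a message shows and the address a link actually opens, described under "Tricky links" above, can be checked mechanically. The following Python example (added here; not from this page or from Northwestern Mutual) extracts the links from an HTML email body, compares the hostname in each link's visible text with the hostname in its href, and flags links to hosts outside a trusted list. The sample message and the hostnames in it are constructed; account-verify.example and example.invalid are reserved example names.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def registrable_host(value):
    """Hostname named by a URL or by URL-like display text, lowercased and without 'www.'.
    Returns '' for non-HTTP(S) links such as mailto: and for text that is not a host."""
    parsed = urlparse(value)
    if not parsed.scheme:                      # display text often omits the scheme
        parsed = urlparse("https://" + value)
    if parsed.scheme not in ("http", "https"):
        return ""
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def looks_like_address(text):
    """Visible text that resembles a hostname or URL rather than ordinary words."""
    return "." in text and " " not in text


def suspicious_links(html, trusted_hosts=()):
    """Return (href, text, reason) for links whose visible text does not match the target,
    or whose target is outside the trusted hosts (subdomains of a trusted host are allowed)."""
    findings = []
    for href, text in extract_links(html):
        actual = registrable_host(href)
        if not actual:
            continue
        shown = registrable_host(text) if looks_like_address(text) else ""
        if shown and shown != actual:
            findings.append((href, text, f"text shows {shown} but the link goes to {actual}"))
        elif trusted_hosts and not any(actual == t or actual.endswith("." + t) for t in trusted_hosts):
            findings.append((href, text, f"link goes to untrusted host {actual}"))
    return findings


# Constructed sample phishing body (not a real message); hostnames use reserved example names.
SAMPLE_EMAIL_HTML = """
<p>Dear Customer, your account will be locked in 24 hours.</p>
<p>Visit <a href="https://northwesternmutual.com.account-verify.example/login">https://www.northwesternmutual.com</a> now.</p>
<p>Or <a href="https://www.northwesternmutual.com/privacy-notices/">review our privacy notice</a>.</p>
<p>Questions? <a href="mailto:help@example.invalid">email us</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL_HTML, trusted_hosts=("northwesternmutual.com",)):
        print(f"{reason}: [{text}] -> {href}")
```

The first link in the sample is the classic trick: the visible text is the real company address, while the href lands on a subdomain of an unrelated domain. The comparison is on the whole hostname, so "northwesternmutual.com.account-verify.example" is not mistaken for "northwesternmutual.com"; the trusted-host check only accepts a host that is the trusted name or a subdomain of it.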
- Spam: Spam is defined as unwanted or unsolicited email. What can you do to reduce spam emails? If the volume of spam email is low, the easiest thing to do is simply delete the spam messages. Consider following these steps to prevent or reduce spam:
- It is okay to "unsubscribe" from something you signed up for. However, if the newsletter or email is unsolicited or suspicious, safely unsubscribe by going directly to the site through your browser, rather than clicking a link in the email.
- Never provide your email address to a website, app, or service you do not trust.
- If you opt-in (sign up) on a website to receive email marketing, deselect checked boxes that opt you in to receive additional related, but possibly unwanted email.
- Check with your email providers to determine how to report an unsolicited message.
- For additional information, refer to the FTC website.
- Use a password manager: Password management software, a virtual space that allows you to safely store your account usernames and passwords, can help simplify choosing and maintaining passwords for your online accounts. Make sure to keep your passwords updated within your password manager. Several password management applications are available for a variety of devices and operating systems. Check with a trusted technology expert to help you choose the appropriate password manager.
- Social media safety: Social media includes websites and mobile apps that allow you to stay connected with friends and family, but be careful what you share. Cybercriminals could use the confidential details that you share publicly to conduct identity theft. A few tips will help you stay secure on these sites:
- Most social media sites offer privacy settings and other tools to help you restrict who sees your content. Learn how these settings and tools work for each site and be aware of any updates to how they work.
- Realize that cybercriminals can use social media to trick their victims. If a contest seems too good to be true, it most likely is. Links to the latest celebrity gossip, personality quizzes or shocking pictures can lead to malicious software (malware) or sites designed to steal confidential information.
- Limit the information that you share online such as where you attend school, children's ages, details about your work or family or other personally identifiable information.
- Be careful what images you and your family are sharing, especially if you are on vacation and away from home. You could alert others that your home is unattended.
- Remember that any information you post online can be saved and accessed forever.
- More information about social media safety is available at the National Cybersecurity Alliance.
- Keeping your kids safe online: Talking with your children about being smart and safe online is one of the best ways you can protect them from harm. Begin by talking early and often about what acceptable online activity is. Learn from your children by having them show you what they do online, and stay calm and listen carefully if something online makes them uncomfortable. If you don't know where to start, you're not alone. Visit NetSmartz for more tips and discussion starters. If you are wondering whether your child is being exposed to age-inappropriate material, CommonSenseMedia provides ratings for a variety of media. Children may become victims of cyber-bullying. Depending on the severity of the issue, contact the social media site, school officials, or law enforcement to report the incident. You may want to monitor your child's social media activity and review their friends list to ensure they are communicating responsibly. Have your kids follow these tips to stay safe online. Instruct them:
- Never to post personally identifiable information about themselves such as address, phone, school, or email address.
- Not to tell anyone their usernames or passwords except for parents or guardians.
- Not to open emails from strangers.
- Never to arrange to meet someone in-person who they met online.
- That people are not always who they say they are.
- Not to click on pop-ups, even ones that promise a prize.
- That what they put online may never be truly private and may stay online forever.
- If someone puts something online that makes them feel sad or scared, log off and tell someone. When in doubt, always ask a parent, guardian, or teacher.
- And most important: Get off the computer and put down the phone because nothing beats spending time with friends in-person.
- Parental controls: Parental controls are available on most internet-enabled devices, like computers, smartphones, tablets, and gaming systems. When enabling parental controls, use age-appropriate settings to filter, monitor and block your child's activities. Work with a trusted technology expert if you have questions.
Secure your device
- Antivirus/anti-malware: Protect your computer from malicious software (malware) by installing and running up-to-date malware protection. A variety of options are available online or at local retail stores. Work with a trusted technology expert if you have questions.
- Operating systems: To remain secure online, update your operating system (the software that manages the hardware and applications on your computer and mobile devices) frequently. Consider activating automatic updates if available. Apple, Google, Microsoft and other operating system vendors frequently update their operating systems. These updates may add functionality, increase security, and fix problems in existing software.
- Apps: Be cautious when downloading apps. Some apps may contain malware designed to steal your personal and financial information. Make sure that updates or downloads come from the company that originally released the software, and download apps only from reputable, approved sources like the Apple App Store or Google Play. To protect your privacy, review permissions at the time of installation or update to decide whether you are comfortable granting the access the app requests. Most applications also offer automatic updates; turning them on helps ensure you have the latest version, which protects against known vulnerabilities and adds functionality.
- Using GPS on your mobile device: Your device's built-in global positioning system (GPS) locates and publishes information about your whereabouts. For example, apps may allow you to check in at places using your mobile device, and then share your location on social networks. Here are some tips to use GPS location services safely:
- Turn off GPS on your mobile device when you do not need it or only allow certain apps to use your location data. Refer to your mobile device manual for further instructions on how to adjust this feature.
- Know that what you share on one site may be linked to another site (such as social media sites).
- Check the privacy settings on all your accounts. Make sure you are only sharing information with people you know.
- Remember when taking pictures with your mobile device that location information (known as geotagging) may be embedded in the photo. For more information visit National Cybersecurity Alliance.
- Physical security of mobile devices: Mobile devices require additional protection. Treat your mobile devices as you would your wallet. Consider the following best practices to keep your mobile devices secure:
- Always lock your screen when not in use. Locking your screen is a simple yet important thing you can do to ensure security on your mobile device, especially if it's lost or stolen.
- Beware of shoulder surfers: thieves who physically watch your onscreen activities to steal your confidential information or passwords. Pay attention to your surroundings and leave if you are uncomfortable.
- Never leave your mobile device unattended.
- If you are not able to keep your device with you, lock your mobile device in a secure location. If you need to leave your mobile device in your vehicle, lock it in the trunk out of sight; don't leave it in the passenger compartment.
- Web browsers: It is important to keep your web browsers up to date to correct any bugs or vulnerabilities that older versions may have. Download the latest version of your web browser. If your web browser supports automatic updating, consider turning on that feature to ensure you always have the latest version.
- Wi-Fi security: Wi-Fi allows you to wirelessly connect to the internet. The following tips can help you remain safe when you use Wi-Fi networks:
- Using a wireless network at home or other internet-enabled devices such as baby monitors, cameras, and thermostats is convenient, but leaving them unsecured gives cybercriminals an opportunity to break in and discover sensitive information. Change any default passwords set by the manufacturer and review the default settings. Set a unique passcode so that you and your family are the only ones accessing these devices.
- Realize that public Wi-Fi networks are not secure. Other people on the network may be able to view the information you send and receive unless that information is encrypted. If you need to connect to public Wi-Fi, consider using a trusted virtual private network (VPN) provider to encrypt all network traffic.
- Website security
- If you're performing a transaction or sharing confidential information through a website, make sure the address begins with https://. This encrypts the information in transit between your browser and the website. It does not by itself prove the site is legitimate, since fraudulent sites can also use https://, so also check that the domain name in the address bar is the one you expect.
- If a site begins with anything other than https://, your information may be visible to other people. Never communicate confidential information through those types of sites.
- It's always best to go to a website via your saved favorites or by entering the website's URL in your browser window. Clicking on a link to a website inside an email or on a pop-up that displays on your screen could take you to a malicious site.
- Always log out of your accounts when you are finished if you're accessing those accounts from a shared device.
- Managing your records and information: Managing your records and information appropriately will help keep you organized and in control of your confidential information. Properly disposing of your records when you no longer need them will help protect your confidential information from falling into the wrong hands.
- Records and information management: Government agencies like the Federal Trade Commission offer guidance on managing family and household records. Review the appropriate government agency's information to determine how long you should keep important documents. You should be securely disposing of confidential information on a regular basis.
- Secure disposal: Properly disposing of your records will help prevent criminals sorting through your trash to locate your confidential information. Here are some tips for you to consider:
- Always shred your confidential information. Use a crosscut shredder that cuts the documents into small pieces.
- Shredders that cut documents into long spaghetti-like strands are not as secure. Properly motivated criminals can reconstruct those strands with enough effort.
- Shred DVDs, CDs, diskettes, tapes, and credit cards if possible. High-end shredders often have the capability to shred these items. Always confirm that a shredder can accommodate the items you want to shred.
- Before you sell a smartphone or mobile device, ensure the device is fully encrypted and then perform a factory reset to remove confidential information from the device.
- Use secure erase software to wipe, or electronically "shred," information on a personal computer's hard drive. At a minimum, take the hard drive out of a laptop or desktop computer before disposing of the old computer.
- Regularly delete emails from your Inbox and Deleted Items folder.
Steps to take if you believe you're a victim
- Get a copy of your credit report and review the accounts and other information provided. You can get a free credit report from Annual Credit Report or by calling 1-877-322-8228. You're entitled to one free report from each of the credit reporting agencies every year.
- Review the account statements you receive each month from the banks and credit card companies you work with, and report anything that looks suspicious. If applicable, you are also entitled to receive copies of police reports if any have been filed.
- You may ask that an initial fraud alert be placed on your credit report if you suspect you have been or may become a victim of identity theft. An initial fraud alert stays on your credit report for one year.
- You may have an extended alert placed on your credit report if you have already been a victim of identity theft and you have the appropriate documentary proof. An extended fraud alert stays on your credit report for seven years.
- You can place a fraud alert on your credit report by calling the toll-free fraud number of any of the three national credit reporting agencies listed below.
- Anti-fraud efforts
- Credit Freeze
- You have the right to put a credit freeze, also known as a security freeze, on your credit file, so that no new credit can be opened in your name without the use of a personal identification number (PIN) that is issued to you when you initiate a freeze. A credit freeze is designed to prevent potential credit grantors from accessing your credit report without your consent. Federal law allows you to freeze and unfreeze your credit at the three major credit bureaus without charge.
- If you place a credit freeze, potential creditors and other third parties will not be able to get access to your credit report unless you temporarily lift the freeze. Therefore, using a credit freeze may delay your ability to obtain credit.
- Unlike a fraud alert, you must place a credit freeze on your credit file at each credit reporting company at the addresses below:
- Additional Information
- For tips and other helpful information, contact the Federal Trade Commission (FTC) at 1-877-ID-THEFT or the FTC website. You may also contact your state Attorney General. For contact information, call the National Association of Attorneys General at 1-202-326-6000 or go to naag.org.
- You can request an IRS Identity Protection PIN and, in many states, a state PIN for income tax filing purposes. You can also use Self Lock in myE-Verify to block the use of your Social Security number (SSN) in E-Verify employment eligibility checks.