Page last updated on July 28, 2025
WELLS FARGO & COMPANY/MN reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 16:36:31 EST.
Filings
10-K filed on 2025-02-25
WELLS FARGO & COMPANY/MN filed a 10-K at 2025-02-25 16:36:31 EST
Accession Number: 0000072971-25-000066
Item 1C. Cybersecurity.
Information in response to this Item 1C can be found in the 2024 Annual Report to Shareholders under “Financial Review – Risk Management – Operational Risk Management.” That information is incorporated into this item by reference.
Information Security Risk Management. Information security risk, which includes cybersecurity risk, is a significant operational risk for financial institutions such as Wells Fargo and includes the risk arising from unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems.
The Board’s Risk Committee has primary oversight responsibility for information security risk and approves the Company’s information security program, which includes information protection and cyber resiliency. The Risk Committee receives regular reports from the Company’s Head of Technology and Chief Information Security Officer (CISO), as well as from Operational Risk Management representatives, on information security risks and significant information security developments, including certain incidents involving third parties.
At the management level, Operational Risk Management has oversight responsibility for information security risk. As a second line of defense, Operational Risk Management reviews and provides guidance to the Front Line technology team, including with respect to the development and maintenance of risk management policies, governance documents, processes, and controls, and oversees and challenges the Front Line technology team’s risk assessment activities.
The Company’s cybersecurity team, which is part of the broader technology team, provides Front Line information security risk assessment and management and is responsible for protecting the Company’s information systems, networks, and data, including customer and employee data, through the design, execution, and oversight of our information security program. The technology team is led by the Company’s Head of Technology, who reports to the CEO and leads our efforts to manage information security and related risks across the enterprise, including overseeing the Company’s CISO. Our Head of Technology has over 30 years of technology and information security risk management experience in the financial services industry.
The Company has processes designed to prevent, detect, mitigate, escalate, and remediate cybersecurity incidents, including monitoring of the Company’s networks for actual or potential attacks or breaches. The Company’s incident response program includes notification, escalation, and remediation protocols for cybersecurity incidents, including to our Head of Technology and CISO as appropriate. In addition, to help monitor and assess our exposure to ongoing and evolving risks in these areas, the Company has a cyber and information security focused risk committee led by the CISO and a technology risk committee led by the Head of Technology.
Additional components of the Company’s information security program include:
(i) enhancing and strengthening of our practices, policies, and procedures in response to the evolving information security landscape;
(ii) designing our information security program to align with regulatory and industry standards;
(iii) investing in emerging technologies to proactively monitor new vulnerabilities and reduce risk;
(iv) conducting periodic internal and third-party assessments to test our information security systems and controls;
(v) leveraging third-party specialists and advisors to review and strengthen our information security program;
(vi) evaluating and updating our incident response planning and protocols; and
(vii) requiring employees and third-party service providers who have access to our systems to complete annual information security training modules designed to provide guidance for identifying and avoiding information security risks.
Operational Risk Management also oversees the Company’s third-party risk management program, which is designed to identify and address information security risks arising from third-party service providers. Components of this program include incorporating information security and cybersecurity incident notification requirements into contracts with third-party service providers, requiring third parties to adhere to defined information security and control standards, and performing periodic third-party risk assessments.
Wells Fargo and other financial institutions, as well as our third-party service providers, continue to be the target of various evolving and adaptive information security threats, including cyberattacks, malware, ransomware, phishing, credential validation, and distributed denial-of-service attacks. Cyberattacks have also focused on targeting online banking platforms, cloud-based services, and internet infrastructure, causing service disruptions. As a result, information security and continued improvement of controls and defenses remain a corporate priority. Wells Fargo also participates in industry cybersecurity initiatives and collaborates with third parties and government agencies to enhance threat defense and resilience.
See the “Risk Factors” section in this Report for additional information regarding the risks and potential impacts associated with a failure or breach of our operational or security systems or infrastructure, including as a result of cyberattacks or other information security incidents.
Company Information
Name | WELLS FARGO & COMPANY/MN |
CIK | 0000072971 |
SIC Description | National Commercial Banks |
Ticker | WFC - NYSE, WFC-PY - NYSE, WFC-PL - NYSE, WFC-PC - NYSE, WFCNP - OTC, WFC-PA - NYSE, WFC-PD - NYSE, WFC-PZ - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |