consequences, any of which could materially adversely affect our
results of operations or financial condition.
A cyber attack or other information security incident could
have a material adverse effect on our results of operations,
financial condition, or reputation. Information security risks for
large financial institutions such as Wells Fargo have generally
increased in recent years in part because of the proliferation of
new technologies, the use of the internet, mobile devices, and
cloud technologies to conduct financial transactions, the increase
in remote work arrangements, and the increased sophistication
and activities of organized crime, hackers, terrorists, activists,
and other external parties, including foreign state-sponsored
parties. Those parties also may continue to attempt to
misrepresent personal or financial information to commit fraud,
obtain loans or other financial products from us, or attempt to
fraudulently induce employees, customers, or other users of our
systems to disclose confidential, proprietary, or other
information to gain access to our data or that of our customers.
Geopolitical matters, such as the conflict in Ukraine, may also
elevate the risk of an information security threat, particularly by
foreign state-sponsored parties or their supporters. As noted
above, our operations rely on the secure processing, transmission
and storage of confidential, proprietary, and other information in
our computer systems and networks. Our banking, brokerage,
investment advisory, and capital markets businesses rely on our
digital technologies, computer and email systems, software,
hardware, and networks to conduct their operations. In addition,
to access our products and services, our customers may use
personal smartphones, tablets, and other mobile devices that are
beyond our control systems. Our technologies, systems,
software, networks, and our customers’ devices continue to be
the target of cyber attacks or other information security threats,
which could materially adversely affect us, including as a result of
fraudulent activity, the unauthorized release, gathering,
monitoring, misuse, loss or destruction of Wells Fargo’s or our
customers’ confidential, proprietary and other information, or
the disruption of Wells Fargo’s or our customers’ or other third
parties’ business operations. For example, various retailers have
reported they were victims of cyber attacks in which large
amounts of their customers’ data, including debit and credit card
information, was obtained. In these situations, we generally incur
costs to replace compromised cards and address fraudulent
transaction activity affecting our customers. We are also exposed
to the risk that an employee or other person acting on behalf of
the Company fails to comply with applicable policies and
procedures and inappropriately circumvents information security
controls for personal gain or other improper purposes.
Due to the increasing interconnectedness and complexity of
financial institutions and technology systems, an information
security incident at a third party or a third party’s downstream
service providers may increase the risk of loss or material impact
to us or the financial industry as a whole. In addition, third parties
(including their downstream service providers) on which we rely,
including those that facilitate our business activities or to which
we outsource operations, such as internet, mobile technology,
hardware, software, and cloud service providers, continue to be
sources of information security risk to us. We could suffer
material harm, including business disruptions, losses or
remediation costs, reputational damage, legal or regulatory
proceedings, or other adverse consequences as a result of the
failure of those third parties to adequately or appropriately
safeguard their technologies, systems, networks, hardware, and
software, or as a result of our or our customers’ data being
compromised due to information security incidents affecting
those third parties.
Our risk and exposure to information security threats
remains heightened because of, among other things, the
persistent and evolving nature of these threats, the prominent
size and scale of Wells Fargo and its role in the financial services
industry, our plans to continue to implement our digital and
mobile banking channel strategies and develop additional remote
connectivity solutions to serve our customers when and how
they want to be served, our geographic footprint and
international presence, the outsourcing of some of our business
operations, and the current global economic and political
environment. For example, Wells Fargo and other financial
institutions, as well as our third-party service providers, continue
to be the target of various evolving and adaptive information
security threats, including cyber attacks, malware, ransomware,
other malicious software intended to exploit hardware or
software vulnerabilities, phishing, credential validation, and
distributed denial-of-service, in an effort to disrupt the
operations of financial institutions, test their cybersecurity
capabilities, commit fraud, or obtain confidential, proprietary or
other information. Cyber attacks have also focused on targeting
online applications and services, such as online banking, as well as
cloud-based and other products and services provided by third
parties, and have targeted the infrastructure of the internet,
causing the widespread unavailability of websites and degrading
website performance. As a result, information security and the
continued development and enhancement of our controls,
processes and systems designed to protect our networks,
computers, software and data from attack, damage or
unauthorized access remain a priority for Wells Fargo. We are
also proactively involved in industry cybersecurity efforts and
working with other parties, including our third-party service
providers and governmental agencies, to continue to enhance
defenses and improve resiliency to information security threats.
As these threats continue to evolve, we expect to continue to be
required to expend significant resources to develop and enhance
our protective measures or to investigate and remediate any
information security vulnerabilities or incidents. Because the
investigation of any information security breach is inherently
unpredictable and would require time to complete, we may not
be able to immediately address the consequences of a breach,
which may further increase any associated costs and
consequences. Moreover, to the extent our insurance covers
aspects of information security risk, such insurance may not be
sufficient to cover all liabilities or losses associated with an
information security breach.
Cyber attacks or other information security incidents
affecting us or third parties (including their downstream service
providers) on which we rely, including those that facilitate our
business activities or to which we outsource operations, or
affecting the networks, systems or devices that our customers
use to access our products and services, could result in business
disruptions, loss of revenue or customers, legal or regulatory
proceedings, compliance, remediation and other costs, violations
of applicable privacy and other laws, reputational damage, or
other adverse consequences, any of which could materially
adversely affect our results of operations or financial condition.
Our framework for managing risks may not be fully effective in
mitigating risk and loss to us. Our risk management framework
seeks to mitigate risk and loss to us. We have established
processes and procedures intended to identify, measure,
monitor, report and analyze the types of risk to which we are
subject, including liquidity risk, credit risk, market risk, interest
Wells Fargo & Company 77