Cybersecurity Risk Management and Strategy Disclosure |
12 Months Ended |
|---|---|
Dec. 31, 2025 | |
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | The Company has processes designed to defend against, detect, mitigate, escalate, and remediate cybersecurity incidents, including monitoring of the Company’s networks for actual or potential attacks or breaches. The Company’s incident response program includes notification, escalation, and remediation protocols for cybersecurity incidents, including to our Head of Technology and CISO as appropriate. In addition, to help monitor and assess our exposure to ongoing and evolving risks in these areas, the Company has a cyber and information security focused risk committee led by the CISO and a technology risk committee led by the Head of Technology. Additional components of the Company’s information security program include: (i) enhancing and strengthening of our practices, policies, and procedures in response to the evolving information security landscape; (ii) designing our information security program to align with regulatory and industry standards; (iii) investing in emerging technologies to proactively monitor new vulnerabilities and reduce risk; (iv) conducting periodic internal and third-party assessments to test our information security systems and controls; (v) leveraging third-party specialists and advisors to review and strengthen our information security program; (vi) evaluating and updating our incident response planning and protocols; and (vii) requiring employees and third-party service providers who have access to our systems to complete annual information security training modules designed to provide guidance for identifying and avoiding information security risks. In addition, Operational Risk Management oversees the Company’s third-party risk management program, which, among other things, is designed to identify and address information security risks arising from third-party service providers. Components of this program include incorporating information security and cybersecurity incident notification requirements into contracts with third-party service providers, requiring third parties to adhere to defined information security and control standards, and performing periodic third-party risk assessments. Wells Fargo and other financial institutions, as well as our third-party service providers, continue to be the target of various evolving and adaptive information security threats, including cyberattacks, malware, ransomware, other malicious software intended to exploit hardware or software vulnerabilities, phishing, social engineering attacks, credential validation, and distributed denial-of-service, in an effort to disrupt the operations of financial institutions, test their cybersecurity capabilities, commit fraud, or obtain confidential, proprietary or other information. Cyberattacks have also focused on targeting online applications and services, such as online banking, as well as cloud-based and other products and services provided by third parties, and have targeted the infrastructure of the internet causing the widespread unavailability of websites and degrading website performance. As a result, information security and the continued development and enhancement of our controls, processes and systems designed to protect our networks, computers, software and data from attack, damage or unauthorized access remain a priority for Wells Fargo. Wells Fargo is also involved in industry cybersecurity efforts and working with other parties, including our third-party service providers and governmental agencies, to continue to enhance defenses and improve resiliency to information security threats. See the “Risk Factors” section in this Report for additional information regarding the risks and potential impacts associated with a failure or breach of our operational or security systems or infrastructure, including as a result of cyberattacks or other information security incidents.
|
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | Information security risk, which includes cybersecurity risk, is a significant operational risk for financial institutions such as Wells Fargo and includes the risk arising from unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems. |
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Board of Directors Oversight [Text Block] | Information security risk, which includes cybersecurity risk, is a significant operational risk for financial institutions such as Wells Fargo and includes the risk arising from unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems. The Board’s Risk Committee has primary oversight responsibility for information security risk and approves the Company’s information security program, which includes information protection and cyber resiliency. The Risk Committee receives regular reports from the Company’s Head of Technology and Chief Information Security Officer (CISO), as well as from Technology Risk Management representatives, on information security risks and significant information security developments, including certain incidents involving third parties. As described above, at the management level, Technology Risk Management has oversight responsibility for information security risk. As a second line of defense, Technology Risk Management reviews and provides guidance to the Front Line technology team, including with respect to the development and maintenance of risk management policies, governance documents, processes, and controls, and oversees and challenges the Front Line technology team’s risk assessment activities. The Company’s cybersecurity team, which is part of the broader technology team, provides Front Line information security risk assessment and management and is responsible for protecting the Company’s information systems, networks, and data, including customer and employee data, through the design, execution, and oversight of our information security program. The technology team is led by the Company’s Head of Technology, who reports to the CEO and leads our efforts to manage information security and related risks across the enterprise, including overseeing the Company’s CISO. Our Head of Technology has over 30 years of technology and information security risk management experience in the financial services industry.
|
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Board’s Risk Committee has primary oversight responsibility for information security risk and approves the Company’s information security program, which includes information protection and cyber resiliency. |
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Risk Committee receives regular reports from the Company’s Head of Technology and Chief Information Security Officer (CISO), as well as from Technology Risk Management representatives, on information security risks and significant information security developments, including certain incidents involving third parties. |
| Cybersecurity Risk Role of Management [Text Block] | As described above, at the management level, Technology Risk Management has oversight responsibility for information security risk. As a second line of defense, Technology Risk Management reviews and provides guidance to the Front Line technology team, including with respect to the development and maintenance of risk management policies, governance documents, processes, and controls, and oversees and challenges the Front Line technology team’s risk assessment activities. The Company’s cybersecurity team, which is part of the broader technology team, provides Front Line information security risk assessment and management and is responsible for protecting the Company’s information systems, networks, and data, including customer and employee data, through the design, execution, and oversight of our information security program. The technology team is led by the Company’s Head of Technology, who reports to the CEO and leads our efforts to manage information security and related risks across the enterprise, including overseeing the Company’s CISO. Our Head of Technology has over 30 years of technology and information security risk management experience in the financial services industry.
|
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | As described above, at the management level, Technology Risk Management has oversight responsibility for information security risk. As a second line of defense, Technology Risk Management reviews and provides guidance to the Front Line technology team, including with respect to the development and maintenance of risk management policies, governance documents, processes, and controls, and oversees and challenges the Front Line technology team’s risk assessment activities. The Company’s cybersecurity team, which is part of the broader technology team, provides Front Line information security risk assessment and management and is responsible for protecting the Company’s information systems, networks, and data, including customer and employee data, through the design, execution, and oversight of our information security program. |
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | Our Head of Technology has over 30 years of technology and information security risk management experience in the financial services industry. |
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | As described above, at the management level, Technology Risk Management has oversight responsibility for information security risk. As a second line of defense, Technology Risk Management reviews and provides guidance to the Front Line technology team, including with respect to the development and maintenance of risk management policies, governance documents, processes, and controls, and oversees and challenges the Front Line technology team’s risk assessment activities. The Company’s cybersecurity team, which is part of the broader technology team, provides Front Line information security risk assessment and management and is responsible for protecting the Company’s information systems, networks, and data, including customer and employee data, through the design, execution, and oversight of our information security program.
|
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |