continuous basis. As our customer base and locations have a
broad geographic footprint throughout the U.S. and
internationally, as we have increasingly used the internet and
mobile banking to provide products and services to our
customers, as customer, public, legislative and regulatory
expectations regarding operational and information security
have increased, and as cyber and other information security
attacks have become more prevalent and complex, our
operational systems, controls and infrastructure must continue
to be safeguarded and monitored for potential failures,
disruptions and breakdowns. Our business, financial, accounting,
data processing systems or other operating systems and
facilities may stop operating properly, become insufficient based
on our evolving business needs, or become disabled or damaged
as a result of a number of factors including events that are wholly
or partially beyond our control. For example, there have been and
could in the future be sudden increases in customer transaction
volume; electrical or telecommunications outages; degradation
or loss of internet, website or mobile banking availability; natural
disasters such as earthquakes, tornados, and hurricanes; disease
pandemics such as COVID-19; events arising from local or larger
scale political or social matters, including terrorist acts; and, as
described below, cyber attacks or other information security
incidents. The COVID-19 pandemic or any new pandemic could
result in the occurrence of new, unanticipated adverse effects on
us or the recurrence of adverse effects similar to those already
experienced, including creating additional operational and
compliance risks, such as the need to comply with rapidly
changing regulatory requirements and to quickly implement new
measures to protect the functionality of our systems, networks,
and operations.
Furthermore, enhancements and upgrades to our
infrastructure or operating systems may be time-consuming,
entail significant costs, and create risks associated with
implementing new systems and integrating them with existing
ones. Due to the complexity and interconnectedness of our
systems, the process of enhancing our infrastructure and
operating systems, including their security measures and
controls, can itself create a risk of system disruptions and
security issues. Similarly, we may not be able to timely recover
critical business processes or operations that have been
disrupted, which may further increase any associated costs and
consequences of such disruptions. Although we have enterprise
incident response processes, business continuity plans and other
safeguards in place to help provide operational resiliency, our
business operations may be adversely affected by significant and
widespread disruption to our physical infrastructure or operating
systems that support our businesses and customers. For
example, we have experienced system issues caused by a variety
of factors that have resulted in intermittent service
interruptions, such as temporary disruptions to online and mobile
banking services, delays in posting transactions, and customer
difficulty signing into accounts.
As a result of financial institutions and technology systems
becoming more interconnected and complex, any operational
incident at a third party may increase the risk of loss or material
impact to us or the financial industry as a whole. Furthermore,
third parties on which we rely, including those that facilitate our
business activities or to which we outsource operations, such as
exchanges, clearing houses, financial intermediaries or vendors
that provide services or security solutions for our operations,
could continue to be sources of operational risk to us, including
from information breaches or loss, breakdowns, disruptions or
failures of their own systems or infrastructure, or any deficiencies
in the performance of their responsibilities. These risks are
increased to the extent we rely on a single third party or on third
parties in a single geographic area. We are also exposed to the
risk that a disruption or other operational incident at a common
service provider to our third parties could impede their ability to
provide services or perform their responsibilities for us. In
addition, we must meet regulatory requirements and
expectations regarding our use of third-party service providers,
and any failure by our third-party service providers to meet their
obligations to us or to comply with applicable laws, rules,
regulations, or Wells Fargo policies could result in fines, penalties,
restrictions on our business, or other adverse consequences.
Disruptions or failures in the physical infrastructure, controls
or operating systems that support our businesses and
customers, failures of the third parties on which we rely to
adequately or appropriately provide their services or perform
their responsibilities, or our failure to effectively manage or
oversee our third-party relationships, could result in business
disruptions, loss of revenue or customers, legal or regulatory
proceedings, remediation and other costs, violations of
applicable privacy and other laws, reputational damage, customer
harm, or other adverse consequences, any of which could
materially adversely affect our results of operations or financial
condition.
A cyber attack or other information security incident could
have a material adverse effect on our results of operations,
financial condition, or reputation. Information security risks for
large financial institutions such as Wells Fargo have generally
increased in recent years in part because of the proliferation of
new technologies, the use of the internet, mobile devices, and
cloud technologies to conduct financial transactions, the
increased prevalence and availability of artificial intelligence, the
increase in remote work arrangements, and the increased
sophistication and activities of organized crime, hackers,
terrorists, activists, and other external parties, including foreign
state-sponsored parties. Those parties also may continue to
attempt to misrepresent personal or financial information to
commit fraud, obtain loans or other financial products from us, or
attempt to fraudulently induce employees, customers, or other
users of our systems to disclose confidential, proprietary, or
other information to gain access to our data or that of our
customers. Geopolitical matters may also elevate the risk of an
information security threat, particularly by foreign state-
sponsored parties or their supporters. As noted above, our
operations rely on the secure processing, transmission and
storage of confidential, proprietary, and other information in our
computer systems and networks. Our banking, brokerage,
investment advisory, and capital markets businesses rely on our
digital technologies, computer and email systems, software,
hardware, and networks to conduct their operations. In addition,
to access our products and services, our customers may use
personal smartphones, tablets, and other mobile devices that are
beyond our control systems. Our technologies, systems,
software, networks, and our customers’ devices continue to be
the target of cyber attacks or other information security threats,
which could materially adversely affect us, including as a result of
fraudulent activity, the unauthorized release, gathering,
monitoring, misuse, loss or destruction of Wells Fargo’s or our
customers’ confidential, proprietary and other information, or
the disruption of Wells Fargo’s or our customers’ or other third
parties’ business operations. For example, various retailers have
reported they were victims of cyber attacks in which large
amounts of their customers’ data, including debit and credit card
information, was obtained. In these situations, we generally incur
costs to replace compromised cards and address fraudulent
Wells Fargo & Company 73