
Cyber defense management

From malicious software to phishing emails, cyberattacks on the internet have created an urgent need for all of us to increase our cybersecurity awareness. Wells Fargo’s ICS Cyber Threat Management team supports threat and vulnerability management, and intrusion detection policies. It also develops best practices based on an assessment of the internal and external threat landscape, and leads companywide efforts to reduce our exposure through continuous monitoring of several key information security control areas, including:

- Management of security patches and security configurations
- Condition and activity monitoring
- Threat and vulnerability management
- Patch management processes

Our defense strategy includes continuous monitoring, integrated risk management, identification of human risk factors, enhanced customer awareness, and external engagement on best practices. We prepare the enterprise for cyberattack scenarios through education, training, and simulations. We also conduct cyber exercises with other financial services companies and government agencies to help build a stronger, more secure environment for the entire industry.

Effective data protection reduces our risk from incidents related to information theft, loss, or disclosure. We require hard drive encryption on all laptops. And we also require email encryption for all sensitive data. USB ports are locked down and only available for use with a company-approved encrypted thumb drive. We’ve also implemented data loss prevention technology across the enterprise to help identify or block the transmission or release of confidential customer information.

Third-Party Information Security Risk Management

Wells Fargo has an established Third-Party Information Security Risk Management program that reviews and assesses third parties prior to engagement and throughout the third-party relationship. The program also requires periodic risk assessments to be conducted throughout the term of the engagement, the type of interval of which is driven by the risk associated with the engagement. In providing products and services to Wells Fargo, third parties and their employees are required to adhere to information security standards and requirements. These standards also apply to third parties located outside of the U.S. who have access to company and consumer information for purposes of delivering products or services to or on behalf of Wells Fargo. As part of this compliance obligation, we have contracts in place with third parties that include confidentiality language, nondisclosure obligations, and security provisions.

Training employees to protect customer information

Employees and contingent resources with access to Wells Fargo’s systems or customer information are required to complete annual training on customer information protection and Gramm-Leach-Bliley Act (GLBA) 501(b) compliance. They’re also required to abide by our Code of Ethics and Business Conduct, including

Wells Fargo ESG Report - Page 46