The case for CSR/ Sustainability Reporting Done Responsibly


Insights on how you can protect the environment, maintain and increase the value of your company, through a structured process.

Insights on how you can protect the environment, maintain and increase the value of your company, through a structured process.

Home / case studies / Case study: How Wells Fargo promotes cybersecurity

Case study: How Wells Fargo promotes cybersecurity

Wells Fargo is a diversified, community-based financial services company, with $1.97 trillion in assets and approximately 266,000 active, full-time equivalent employees serving one in three households in the United States. As Wells Fargo manages billions of customer interactions each year, it takes a proactive approach to information security and cybersecurity.  Tweet This!

This case study is based on the 2020 ESG Report by Wells Fargo published on the Global Reporting Initiative Sustainability Disclosure Database that can be found at this link. Through all case studies we aim to demonstrate what CSR/ ESG/ sustainability reporting done responsibly means. Essentially, it means: a) identifying a company’s most important impacts on the environment, economy and society, and b) measuring, managing and changing.

Layout 1Abstract

Wells Fargo is continuously investing in emerging technologies and leveraging its digital channels and assets with the goal of making digital banking faster, easier, smarter, and safer for its customers. In order to promote cybersecurity Wells Fargo took action to:

  • implement the Information Security Programme
  • increase cybersecurity awareness
  • implement a Third-Party Information Security Risk Management Programme
  • train employees to protect customer information
  • educate customers on digital security
  • protect data in open banking environments

What are the material issues the company has identified?

In its 2020 ESG Report Wells Fargo identified a range of material issues, such as business ethics, climate risk management, community development, environmental and social due diligence, fair and responsible lending and pricing. Among these, promoting cybersecurity stands out as a key material issue for Wells Fargo.

Stakeholder engagement in accordance with the GRI Standards              

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The reporting organization shall identify its stakeholders, and explain how it has responded to their reasonable expectations and interests.”

Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups Wells Fargo engages with: 

Stakeholder Group
Community members

How stakeholder engagement was made to identify material issues

To identify and prioritise material topics Wells Fargo interviewed internal and external stakeholders, including more than 30 Wells Fargo leaders and subject matter experts from across the company and members of its external Stakeholder Advisory Council. Wells Fargo also included content from stakeholders representing Wells Fargo customers, employees, ESG (Environmental, Social and Governance) investors, government, media, NGOs, and financial peers.

What actions were taken by Wells Fargo to promote cybersecurity?

In its 2020 ESG Report Wells Fargo reports that it took the following actions for promoting cybersecurity:

  • Implementing the Information Security Programme
  • Wells Fargo’s Information and Cyber Security (ICS) organisation aims to protect Wells Fargo systems, networks, and customer data through the design, execution, and oversight of its Information Security Programme (ISP). ICS is led by Wells Fargo’s chief information security officer, who reports to the head of Wells Fargo Technology. The Wells Fargo Board of Directors annually approves the ISP and is kept informed of the ongoing status of the programme. Wells Fargo organisations and employees, as well as vendors, nonemployees, and third parties with access to its systems or sensitive information, must adhere to the ISP’s policies, procedures, and requirements. Those requirements are designed to help make certain that information security risks are effectively identified, assessed, mitigated, and reported throughout Wells Fargo. The Wells Fargo ISP is designed to comply with applicable laws and regulations, and uses guidance from many industry best practices, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the International Organization for Standardization (ISO) 27002 standard, the Payment Card Industry Data Security Standards, and COBIT 5.
  • Increasing cybersecurity awareness
  • From malicious software to phishing emails, cyberattacks on the internet have created an urgent need to increase Wells Fargo’s cybersecurity awareness. Wells Fargo’s ICS Cyber Threat Management team supports threat and vulnerability management, and intrusion detection policies. It also develops best practices based on an assessment of the internal and external threat landscape, and leads companywide efforts to reduce Wells Fargo’s exposure through continuous monitoring of several key information security control areas, including:
    • Management of security patches and security configurations
    • Condition and activity monitoring
    • Threat and vulnerability management
    • Patch management processes
  • Wells Fargo’s defense strategy includes continuous monitoring, integrated risk management, identification of human risk factors, enhanced customer awareness, and external engagement on best practices. Wells Fargo prepares the enterprise for cyberattack scenarios through education, training and simulations, also conducting cyber exercises with other financial services companies and government agencies to help build a stronger, more secure environment for the entire industry. Effective data protection reduces Wells Fargo’s risk from incidents related to information theft, loss, or disclosure. Wells Fargo requires hard drive encryption on all laptops and also requires email encryption for all sensitive data. USB ports are locked down and only available for use with a company-approved encrypted thumb drive. Wells Fargo has also implemented data loss prevention technology across the enterprise to help identify or block the transmission or release of confidential customer information.
  • Implementing a Third-Party Information Security Risk Management Programme
  • Wells Fargo has an established Third-Party Information Security Risk Management Programme that reviews and assesses third parties prior to engagement and throughout the third-party relationship. The programme also requires periodic risk assessments to be carried out throughout the term of the engagement, the type of interval of which are driven by the risk associated with the engagement. In providing products and services to Wells Fargo, third parties and their employees are required to adhere to information security standards and requirements. These standards also apply to third parties located outside of the U.S. who have access to company and consumer information for purposes of delivering products or services to or on behalf of Wells Fargo. As part of this compliance obligation, Wells Fargo has contracts in place with third parties that include confidentiality language, nondisclosure obligations, and security provisions.
  • Training employees to protect customer information
  • Employees and contingent resources with access to Wells Fargo’s systems or customer information are required to complete annual training on customer information protection and Gramm Leach Bliley Act (GLBA) 501(b) compliance. They are also required to abide by Wells Fargo’s Code of Ethics and Business Conduct, including its provisions related to the treatment of confidential information. Wells Fargo regularly updates companywide training, policies, and information-handling standards to help employees understand their role in protecting customer information. Wells Fargo also performs employee background checks, which it also requires for nonemployees and third-party service providers who handle Wells Fargo’s customer information.
  • Educating customers on digital security
  • Wells Fargo encourages digitally active customers to protect their accounts by offering security options like two-factor authentication, biometrics, and the ability to turn debit cards on and off. Wells Fargo’s online security centre provides customers with resources to explore security options, spot scams, report fraud, and more. Wells Fargo also provides educational materials that encourage customers to create strong passwords, avoid suspicious links, keep their software updated, limit the personal information they share online, and use a screen lock on mobile devices.
  • Protecting data in open banking environments
  • With the growing number of apps designed to help customers lead healthier financial lives, there’s an increased chance that customers’ banking information can be accessed and used without their knowledge or permission. Wells Fargo believes it’s important to support its customers’ ability to use these apps to share their Wells Fargo account information in a seamless and more secure way. So far, Wells Fargo has reached data exchange agreements with at least 15 platforms, including Plaid and Intuit. This gives its customers greater control over the bank account information they share with supported apps, including the ability to turn data sharing on or off through Wells Fargo’s Control Tower℠ digital experience.

Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?

The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data

Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:


80% of the world’s 250 largest companies report in accordance with the GRI Standards

SustainCase was primarily created to demonstrate, through case studies, the importance of dealing with a company’s most important impacts in a structured way, with use of the GRI Standards. To show how today’s best-run companies are achieving economic, social and environmental success – and how you can too.

Research by well-recognised institutions is clearly proving that responsible companies can look to the future with optimism.

FBRH GRI Standards Certified, IEMA & CIM recognised Sustainability Course | Venue: London LSE

By registering for the next 2-day FBRH GRI Standards Certified, IEMA & CIM recognised course you will be taking the first step in gaining the many benefits of sustainability reporting.

Most importantly, you will gain the knowledge to use the GRI Standards, project manage your own first-class sustainability report and:

  • Identify your most important impacts on the Environment, Economy and Society
  • Begin taking solid, focused, all-round sustainability action ASAP



1) This case study is based on published information by Wells Fargo, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:


Note to Wells Fargo: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.