Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] As such, Comerica uses a library of processes, risk and controls to assess, identify and manage cybersecurity risks. Comerica measures such risks in part by estimating the likelihood and potential impact of incidents. Comerica seeks to manage such risks by designing, documenting, and implementing controls, testing those controls through compliance assessments and internal and external audits and, in some cases, by transferring the risk in whole or in part through methods such as insurance. When an incident occurs, Comerica works to remediate the incident while complying with its regulatory obligations, and then evaluate the remediation for effectiveness. Comerica communicates on risk management matters through documented policies and procedures, management and Board committee reporting, and training and other employee communications.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Managing technology risks, including risks related to cybersecurity, is an integral part of Comerica’s enterprise risk management framework and processes.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] For a description of how cybersecurity risks may materially affect Comerica’s business strategy or results, see “Item 1A. Risk Factors.” To date, there have been no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect Comerica’s business strategy, financial condition or results of operations.
Cybersecurity Risk Board of Directors Oversight [Text Block] Board members have direct access to senior management (and others, at their request) on matters related to cybersecurity threats and may direct questions to senior management and request further information as they see fit to fulfill their oversight responsibilities.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Board’s Enterprise Risk Committee oversees Comerica’s risk management policies, procedures and practices, including those related to cybersecurity. Senior management generally reports quarterly, or more often as necessary, to the Enterprise Risk Committee on technology risks, including risks from cybersecurity threats. The Board’s Audit Committee and the Board as a whole also receive such reports as part of their risk management oversight roles.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Senior management generally reports quarterly, or more often as necessary, to the Enterprise Risk Committee on technology risks, including risks from cybersecurity threats.
Cybersecurity Risk Role of Management [Text Block] They report significant matters to enterprise-wide risk committees overseeing the broad scope of risk management for the enterprise as appropriate. Through these and other efforts, senior management makes decisions and sets priorities in allocating resources to address risk management issues.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Senior management at Comerica governs risk management and is informed about, and monitors the prevention, detection, mitigation and mediation of cybersecurity incidents, in part through working review committees on which our Chief Information Security Officer and/or Chief Information Officer serve.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Comerica engages information technology risk management employees with experience and expertise in cybersecurity. The organization consists of professionals in identity and access management, cyber defense operations, security engineering and information technology governance, risk and compliance. An Executive Vice President/Chief Information Security Officer (with over 25 years’ experience in cybersecurity risk management) and a Chief Information Officer (with over 27 years’ experience in technology risk management) lead this team.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Each review committee receives risk management reports appropriate to its scope of review, covering matters such as assessment results, risk ratings and critical issues.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true