Vodafone Group Plc Annual Report 2024

Purpose (continued)

Our approach to cyber security

We conduct regular reviews of the most significant security risks affecting our business and develop strategies and policies to detect, prevent and respond to them. Our cyber security strategy focuses on minimising the risk of cyber incidents that affect our networks and services. When incidents do occur, we identify the root causes and use them to improve our controls and procedures. Cyber security risk is aligned with Vodafone’s enterprise risk framework. Each principal risk owner is responsible for producing a formal Line of Sight document twice a year that describes the risk, the Company’s risk tolerance, current position, control position and the actions needed to move to tolerance if required. Second and third line assurance supporting the report is also included in the Line of Sight document.

Risk and control approach

The global Cyber and Information Security policy applies to all Vodafone-controlled entities. Each security domain has a more detailed supporting policy document with detailed control objectives. The policies are underpinned by security standards which provide the relevant technical specifications.

Control framework

Security controls and procedures define the requirements which allow our policies to be met. These controls and procedures are designed to prevent, detect or respond to threats. Most risks and threats are prevented from occurring, and we expect most of the remainder to be detected before they cause harm and need a response. We have defined a common global control framework called the Cyber Security Baseline (‘CSB’), and adoption is mandatory across the entire Group. We based the CSB on the ISO 27001 international standard, mapping those controls to our cyber risks to identify the most impactful. Our original baseline included 48 key controls; this has grown to 56 as we have reviewed and identified new controls to counter new cyber threats. All controls in the baseline need to be effective in all entities.

We define effectiveness based on the depth of the control implementation and the coverage of the relevant assets. We understand that cyber security controls need to be continuously evolved and enhanced to mitigate risks and threats. Each year we set new annual targets, and progress against the targets is monitored and reported to the senior leadership team in each market and to the technology leadership team quarterly. We update our priorities as circumstances change, including any necessary new controls and procedures. In addition to this top-down process of risk identification and mitigation, we identify individual cyber risks at the product or system level, for example through our Secure by Design process, operational activities, scanning and monitoring, or through an incident. Risks are evaluated on a common impact and likelihood scale, and mitigating actions are agreed and captured in a risk register. Any high risks identified through these processes require senior management oversight and agreement of mitigating actions.

Adaptive risk and control methodology

A risk and control methodology is important to drive action in any company. We are launching a new global methodology for cyber security risk management, which was developed with the assistance of a major consulting firm. During FY25 we will retire the CSB and replace it with the new methodology. This methodology has a greater focus on risks and threats but retains the structured control framework and common targets of the CSB. Controls are vital to reduce risk, and initially we will continue to use the same control set under the new methodology. To adapt to the changing threat landscape, the new methodology introduces threat and risk scenarios. The threats and specific attack techniques are mapped to the controls that most significantly reduce risk, allowing gaps to be highlighted. The control framework will continue to evolve based on technology changes, our strategic and business priorities, and changing regulation.

Over the next three years, we intend to automate the capture and reporting of key risk indicator data from source systems. This will reduce manual effort, improve accuracy and provide stronger assurance of effectiveness. Further, to better quantify residual risk, we have also created a risk quantification model based on threats, control effectiveness and incident data. This will be tested and launched during FY25.

Assurance

A dedicated technology assurance team reviews and validates the effectiveness of our cyber security controls and procedures, and our control environment is subject to regular internal audit. We test the security of our mobile networks every year using a specialist testing company, which also benchmarks our security against other telecommunications operators. This provides assurance that we are maintaining the highest standards and that our telecommunications controls are operating effectively. We have also appointed external specialists to perform testing on our security controls (‘red teaming’) to uncover any areas for improvement. We maintain externally audited information security certifications, including ISO 27001, which cover our global technology function and 11 local markets. In addition, our markets comply with national information security requirements where applicable. All systems going live and those undergoing change are independently penetration tested. An internal team performs some testing, and we engage third party testers where appropriate. Across Vodafone, we complete over 1,000¹ penetration tests every year. We also perform adversary testing exercises using independent third parties.

Supply chain

As well as monitoring control effectiveness within Vodafone, we oversee the cyber security of our suppliers and third parties. Controls and procedures are embedded in the supplier lifecycle to set requirements, assess the risk and monitor each supplier’s security performance. At supplier onboarding, minimum security requirements are written into contracts, and we determine the inherent risk of the supplier based on the service they are providing. We then assess their controls and procedures using a questionnaire to understand the residual risk, which informs the frequency of review, from annual to every three years. We follow up on open actions and ensure any security incidents are tracked and managed.
Regulatory landscape

We expect a continued increase in security regulation over the next few years as governments respond to the heightened cyber threat landscape, recognising that telecommunications operators provide critical national infrastructure. We engage directly with governments and industry partners to promote proportionate, risk-based and cost-effective solutions to security threats. We look to establish shared approaches that reinforce standardisation and regulatory frameworks applying equally to all market participants. In the UK, we are implementing the provisions of the Telecommunications Security Act, which sets enhanced security requirements for UK network operators and their suppliers. In Europe, individual member states have their own current or pending legislation, which incorporates EU-wide standards such as the 5G Security toolbox and the Network and Information Security 2 Directive. We continue to monitor the forthcoming EU Cyber Resilience Act, which aims to ensure that all digital products and services fulfil the same security requirements. The US Securities and Exchange Commission (‘SEC’) introduced new cyber security incident disclosure and periodic reporting requirements in December 2023. We have updated our incident management process to include the relevant disclosure steps should a material incident occur; this is described in the Cyber Operations and Incidents section. Where applicable, we have expanded these cyber security disclosures in response to the new reporting requirements.

Operating model

We have implemented a globally consistent cyber security operating model that is based on the leading industry security standards published by the US National Institute of Standards and Technology (‘NIST’). The model is designed to reduce risk by constantly identifying threats, and by protecting, defending and improving our security. We operate cyber capabilities with an in-house international team of over 900¹ employees.

Note: 1. Includes Vodafone Italy and Vodafone Spain.
