Vodafone 2024 Annual Report


We classify security incidents on a scale according to severity, measured by potential business and customer impact. The scale runs from Severity 0, the highest severity category, down to Severity 4, the lowest. Severity 0 corresponds to a significant data breach or loss of service caused by the incident. If a Severity 0 incident occurs, we notify the Executive Committee, the Board and external auditors and provide regular updates. A crisis group composed of relevant senior management is formed to oversee the response.

SEC requirements have been incorporated into our incident management process. In the event of a Severity 0 incident, the Disclosure Committee (composed of the CFO and General Counsel) would decide if a UK market disclosure is necessary for materiality reasons, which would also trigger disclosure to the SEC.

In the past two financial years, no incidents have been Severity 0. In FY22 we experienced one Severity 0 incident in Vodafone Portugal in February 2022, and in FY21 we experienced one Severity 0 incident at Italy Ho. Mobile in December 2020. Details of these two previous disclosures are in our FY23 Cyber Security Factsheet. These incidents did not have a material impact on the Company’s business strategy, results of operations or financial condition.

Whilst overall incident volumes have remained stable, a higher proportion of these are at suppliers and third parties. In FY24, 55% of Severity 1 and 2 incidents were related to our suppliers and third parties (FY23: 47%). We contractually require our suppliers to report incidents, and we track and manage the incidents using the same framework as we do for internal events. In two cases in this financial year, our team helped a supplier recover services after a ransomware attack. Neither of these incidents was material to Vodafone’s business strategy, results of operations or financial condition.

When incidents are closed, we complete a post-incident review to learn the lessons from the incident, including the root cause and any improvements needed.

Cyber insurance is an important part of our risk management and mitigation approach. Vodafone holds cyber liability insurance alongside business interruption and professional indemnity policies. Should a serious cyber event occur, we could recover the costs in whole or in part through these policies.

Click to read more about how we manage risks from technology disruptions in our SASB disclosure: investors.vodafone.com/sasb

Society

Protecting people

Wherever we operate, we have an opportunity to contribute to the advancement of fundamental rights for our customers, colleagues and communities. We are also conscious of the risks associated with our operations, and we work hard to mitigate negative impacts, ensuring we keep people safe.

Mobiles, masts and health

The health and safety of our customers and the wider public has always been, and continues to be, a priority for us. Our masts fully comply with national regulations, which are typically based on, or go beyond, international guidelines set by the independent scientific body, the International Commission for Non-Ionizing Radiation Protection (‘ICNIRP’).

There has been scientific research on mobile frequencies for decades, including those used by 5G. If exposure is within national regulations, the scientific consensus is that there is no adverse impact on health. We continually monitor and evaluate our mobile networks to make sure we meet all regulations. In addition, all the products we sell are rigorously evaluated to ensure they comply with international safety guidelines.

As well as complying with national regulations, markets that have rolled out 5G apply the Smart PowerLock (‘SPL’) feature. This technology, designed for use with the adaptive antennas used for 5G, continuously monitors the transmitted radio frequency power of the antenna to ensure it is always below a threshold when averaged over a predefined time window. This takes into account compliance with electromagnetic field (‘EMF’) regulations under all possible operating conditions for 5G sites. This is now one of many software features that are routinely active on 5G sites. SPL also includes statistics that can be used to build evidence of compliance over several weeks for a given site if needed by regulators. National regulators have accepted the feature as effective.

Science monitoring

Scientific reviews have made a vital contribution to establishing industry guidelines and standards. We follow the results of these independent expert reviews to understand developments in scientific research related to mobile devices, base stations and health.

We continue to fund research into mobile devices, base stations and health through funding bodies such as national governments to ensure that the research remains independent of industry influence, including our own. We also respond to requests from bodies conducting research by providing technical advice and information on the use of mobile devices. This helps to ensure scientists have access to the best-quality information available.

Harmonisation with international science-based guidelines

Following the publication in 2020 of updated international guidelines on electromagnetic frequencies, we have supported and promoted the transition from the previous guidelines from 1998 to this more up-to-date and appropriate set. In EU Member States, the EMF regulations are set nationally with most being aligned with the ICNIRP guidelines. In the last year, in the city of Brussels, conditions have been changed to allow for the rollout of 5G services.

Click to read more about ICNIRP 2020: icnirp.org

Operating model

We have robust governance mechanisms in place and conduct regular compliance assessments to ensure that our products meet the standards set by the Group policy and national regulations. The Group EMF leadership team meets through the year and reports to the Executive Committee and the Board. We conduct network measurements and calculations of EMF exposure from network masts and review the test reports we receive on EMF testing on devices.

Human rights

We want to make sure that we have a positive impact on people and society, which includes respecting human rights in all our operations. We are a long-standing member of the UN Global Compact and our approach is guided by the United Nations Guiding Principles on Business and Human Rights (UNGPs).

Click to read more about our human rights approach: vodafone.com/human-rights

Our Human Rights Policy Statement details how we do this and is backed up by our internal Human Rights Policy, which sets out how our people must ensure we respect human rights, including steps to take through our other aligned policies, such as those covering artificial intelligence, ethical purchasing, responsible minerals, health and safety, human resources, privacy, business resilience and law enforcement assistance.

Click to read our Human Rights Policy Statement: vodafone.com/human-rights-policy-statement
