Vodafone 2024 Annual Report

60 Vodafone Group Plc Annual Report 2024


Risk management (continued)

Cyber threat

Description: An external cyber attack, insider threat or supplier breach could cause service interruption or data breach.

Risk ranking movement

Risk owner: Group Chief Technology Officer

Scenario: Threat actors could use destructive malware against core infrastructure to disable our ability to serve customers, causing customer dissatisfaction and loss of revenue.

Emerging factors: Cyber risk is constantly evolving and is influenced by economic, technological and geopolitical developments. We anticipate threats will continue from existing sources as well as evolving ones based on new technologies such as artificial intelligence (‘AI’) and quantum computing.

Mitigation activities: Our cyber security strategy has a risk and control framework to manage cyber risk to our networks and services. Our controls identify, protect against, detect, respond to, and recover from threats. We measure the control baseline across all parts of the Company and have an in-house team of experts in cyber security. We embed security by design into our products, services and internal operations. Protective controls mitigate the effect of most threats; however, when attacks are successful we focus on rapid response to minimise business and customer impact. Root cause analysis provides continuous improvement and drives action.

Click to read more about our approach to cyber security in our fact sheet: investors.vodafone.com/cyber

Data management and privacy

Description: Data breaches, misuse of data, data manipulation, inappropriate data sharing, poor data quality or data unavailability could lead to fines, reputational damage, loss of value, loss of business opportunity, and failure to meet customer expectations.

Risk ranking movement

Risk owner: Group General Counsel and Company Secretary/Group Chief Financial Officer

Scenario: Failure to manage the privacy of our stakeholders’ data effectively and compliantly could result in regulatory fines, paying significant damages to impacted individuals, and also reputational damage that could result in higher customer churn rates.

Emerging factors: The proliferation of AI and related regulatory and legislative action across our footprint requires a robust ethics and compliance approach. Geopoliticisation of data will continue to negatively impact cross-border data transfers. New European data regulations, such as the Artificial Intelligence Act or the Cyber Act, will introduce significant new legal requirements around data management of our business activities.

Mitigation activities: Our data and privacy strategies are designed to continually reduce the risks. We regularly conduct reviews of our significant privacy and data risks. We use the outcomes to prevent, detect and respond to the risks on a prioritised basis. When incidents do occur, we identify the root causes and use them to improve our controls.

Read more about our approach to data management and privacy on pages 45 and 46.

Disintermediation

Description: Failure to effectively respond to threats from emerging technology or disruptive business models could lead to a loss of customer relevance, market share and new/existing revenue streams.

Risk ranking movement

Risk owner: Chief Commercial Officer/CEO Vodafone Business

Scenario: Increasing ‘softwareisation’ of connectivity services combined with the growing ecosystem power of Big Tech companies could see the emergence of competitors and distribution channels with the potential to disintermediate our customer relationships.

Emerging factors: In our consumer business, alternative technology solutions may enable new intermediaries to sell communication propositions, while our TV customers may switch to ‘over-the-top’ video-on-demand services. In our corporate business, the ‘softwareisation’ of services may enable new competitors in the value chain. In our infrastructure markets, supplier concentration within the satellite connectivity market and hyperscaler investment in orchestration and network capabilities may present future additional challenges.

Mitigation activities: Our increasingly deep partnerships with big technology players and the potential to leverage the new Digital Markets Act have improved our ability to defend against the customer ownership risks. In addition, we continue to focus intensively on improving our customers’ experience, strengthening our propositions and bundling digital services for consumer and business markets to enhance customer loyalty.

Year-on-year risk ranking movement: Increasing / Decreasing / No change / New/change in scope
