Vodafone 2026 Annual Report

Maintaining Trust continued

Vodafone Group Plc Annual Report 2026

Governance

The Chief Technology Officer (‘CTO’) and Chief Network Officer (‘CNO’) are the Executive Committee (‘ExCo’) members accountable for managing the risks associated with cyber threats and information security. The Cyber Security, IT Architecture, Data & Analytics and Technology Strategy (‘Cyber’) Director is responsible for managing and overseeing cyber security across Vodafone and reports to the CTO. The Cyber Director has led cyber security in Vodafone since 2015. Prior to joining Vodafone, the Cyber Director was chief security officer at a large UK bank, after previously holding security and technology audit leadership roles in financial services and the UK postal service.

The global cyber leadership team reporting to the Cyber Director consists of the leaders of global cyber security functions, European and African markets, and Group functions. This leadership team is responsible for directing, managing and reducing cyber risk across Vodafone. Market and regional cyber security leaders are also part of their local management teams, with a dotted matrix reporting line to local chief information officers. Leadership team members have significant cyber security and technology risk experience across business sectors including telecommunications, financial services and professional services.

Cyber security risk is overseen and monitored by a number of senior level committees. These include the Group Risk and Compliance Committee, chaired by the Chief Financial Officer; and the Technology Audit and Risk Committee, chaired by Finance and led by Internal Audit. The Cyber Director attends both of those committees to provide updates as required. Operational risk governance is provided by a quarterly Cyber Risk Council meeting, chaired by the Head of Cyber Governance Risk and Control, and attended by senior cyber security leaders. The meeting reviews and approves cyber policies and standards, monitors and oversees cyber risk and threat.

Regular management reporting is provided to the Technology Leadership Team and ExCo. This is supplemented by control status reports that track targets and are discussed in regular meetings with local market leadership teams. We produce dashboards of key risk indicators (‘KRIs’) for our most important controls. Examples of KRIs include results of independent network testing by third parties, vulnerability management, patching, hardening and endpoint security status, network controls and incident metrics. This reporting provides a detailed view of risk reduction. If markets are consistently not achieving targets, they are expected to have plans in place to remediate. We continue to expand our KRI coverage to provide timely, accurate and comprehensive reporting.

Board

The Group Audit and Risk Committee (‘ARC’) is the responsible Board committee for the oversight and effective governance of the Group’s management of cyber security risks. The Committee receives updates from Internal Audit throughout the year. The ARC reviews the risk tolerance, risk position and mitigating actions for the Group’s principal and emerging risks, including cyber threat. In addition, the Committee reviews cyber risk based on deep dive papers and presentations from the CTO and Cyber Director. The papers typically include threat landscape, incidents, security position, residual risk, strategy and programme progress across the Company. Cyber security is also discussed at the Board Technology Committee, which assists the Board by overseeing how technology underpins company strategy.

Risk management

Cyber attacks are part of the technology landscape today and will be in the future. All organisations, governments and people are subject to cyber attacks and some will be successful. The telecommunications industry is faced with a unique set of risks as we provide connectivity services and handle private communication data. A successful cyber attack could cause serious harm to our customers, including unavailability of services or a data breach leading to disclosure or misuse of customer personal data. The consequences could include, but are not limited to, exposure to contractual liability, litigation, regulatory action, or damage to the company’s reputation and brand and loss of market share. In the worst case, a cyber security incident could cause material impact.

There is increasing regulatory focus on telecommunications providers to improve their cyber security practices. We are subject to GDPR and equivalent legislation in many countries in which we operate. In addition, there are local and regional laws and regulations which impact cyber security, for example the Telecommunications Security Act in the UK and the Network & Information Security 2 (‘NIS2’) Directive and the Digital Operational Resilience Act (‘DORA’) in the EU. A cyber incident may lead to regulatory fines and other enforcement activities if deemed to be due to inadequate security. Measures to meet these laws and regulations will also result in increased compliance costs. We dedicate significant resources to reducing cyber security risks; however, due to the nature of the threats, we cannot provide absolute security and some cyber security incidents will occur.

Risk and threat management are fundamental to maintaining the security of our services across every aspect of our business. We separate cyber security risk into three main areas of risk.

External: A wide variety of attackers, including criminals and state-backed groups, target our networks, systems and people using a range of techniques. They seek to gain unauthorised access to steal or manipulate data or disrupt our services. Geopolitical factors also increase the threat of an external attack.

Insider: Our employees may accidentally leak information or maliciously misuse their privileges to steal confidential data or to cause disruption. In addition, external attacks increasingly resemble insider activity following credential theft. Agentic AI will further blur these boundaries.

Supply chain: We use a range of third-party service providers to support our operations. Although we mandate security requirements contractually and undertake continuing oversight, a cyber incident affecting a supplier could cause services to be unavailable or enable a data breach to occur.

We conduct regular reviews of the most significant security risks affecting our business and develop strategies and policies to detect, prevent and respond to them. Our cyber security strategy focuses on minimising the risk of cyber incidents that affect our networks and services. When incidents do occur, we identify the root causes and use them to improve our controls and procedures.

Cyber security risk is aligned with our global enterprise risk management framework. The most important risks to the company are referred to as principal risks, of which Cyber risk is one. The risk owner produces a formal line of sight document that describes the risk, the risk tolerance, the current position against tolerance, and the controls and actions to move to tolerance if required. Second line assurance and third line audit information is also included in the document.

The global Cyber and Information Security policy sets out overall objectives, roles and responsibilities that apply to all Vodafone-controlled entities. The policy is approved annually by the CTO. Each underlying security area has a supporting global standard document that defines detailed control objectives. The global standards are underpinned by a layer of technical security standards which provide more detailed specifications to aid control implementation.
