54 Vodafone Group Plc Annual Report 2026
Maintaining Trust continued
Security controls and procedures define the requirements which allow our policies to be met. These controls and procedures are designed to prevent, detect or respond to threats. Most risks and threats are prevented from occurring, and we expect most others to be detected before they cause harm and need a response. We use a global methodology for cyber security risk management which we call the Cyber Health and Adaptive Risk Method, or CHARM. The targeted goals of this approach include:
- Cyber Health: providing a continuous view of security based on automated key risk indicators (‘KRIs’);
- Adaptive: our framework responds to changing threats, technology evolution and regulation; and
- Risk Method: managing and quantifying risk to provide better decision-making and prioritisation.

This approach is focused on risks and threats and is underpinned by a structured control framework and common targets for control effectiveness across all our markets and entities. Effectiveness is measured on the completeness of the control implementation and its coverage of the relevant assets. Cyber security controls need to be continuously evolved and enhanced to mitigate risks and threats. Each year we set new annual targets; progress against the targets is monitored and reported quarterly to the senior leadership in each market and at Group. We update our framework with changes, including any necessary new controls. The control framework will continue to evolve based on changing threats, technology developments, our strategic and business priorities, and regulation. To adapt to the changing threat landscape, we have defined threat and risk scenarios. The threats and associated attack techniques are mapped to the controls that most significantly reduce risk, allowing gaps to be highlighted.

We are in the process of automating the capture and reporting of KRI data from source systems. This reduces manual effort, is more timely and accurate, and provides stronger assurance of effectiveness. We plan to complete the automation of all controls for which KRIs can be defined over the next two years.

We have created a risk quantification model based on threats, control effectiveness and incident data. We used this model with our internal insurance team to estimate losses in various scenarios as part of annual planning to obtain cyber insurance cover. We are exploring future use cases to increase the value we can obtain from the model.

In addition to this top-down process of risk identification and mitigation, we identify individual cyber risks at the product or system level, for example through our Secure by Design process, operational activities, scanning and monitoring, or through an incident. Risks are evaluated on a common impact and likelihood scale, and mitigating actions are agreed and captured in a risk register. Any high risks identified through these processes require senior management oversight and agreement of mitigating actions.

A dedicated technology assurance team reviews and validates the effectiveness of our cyber security controls, and our control environment is subject to regular internal audits. We test the security of our mobile networks annually using a specialist testing company, which also benchmarks our security against other telecommunications operators. This provides assurance that we are maintaining high standards and that our telecommunications controls are operating effectively. We have also appointed external specialists to perform testing on our security controls (‘red teaming’) to uncover any areas for improvement. We maintain externally audited information security certifications, including ISO 27001, which cover our global technology function and 11 local markets. An additional market is currently undergoing recertification. Our markets also aim to comply with national information security requirements where applicable.

All systems going live are independently penetration tested, and regular follow-up testing is done on a risk basis. An internal team performs some of the testing, and we engage third-party testers where appropriate. Across Vodafone, we complete over 1,000 penetration tests every year.

As well as monitoring control effectiveness within Vodafone, we oversee the cyber security of our suppliers and third parties. Controls and procedures are embedded in the supplier lifecycle to set requirements, assess risk and monitor each supplier’s security performance. At supplier onboarding, minimum security requirements are written into contracts, and we determine the inherent risk of the supplier based on the service they are providing. We then assess their controls using a questionnaire to understand the residual risk, which informs the frequency of review, from annual to every three years. We follow up on open actions and ensure any security incidents are tracked and managed.

Read more about our approach to Responsible supply chain on page 48

Cyber insurance is an important part of our risk management and mitigation approach. Vodafone holds cyber liability insurance alongside business interruption and professional indemnity policies. Should a serious cyber event occur, we could recover the costs in whole or in part through these policies.

Industry and government collaboration

We actively engage with stakeholders across industry, including regulators, standard-setting bodies and governments. Collaboration is vital to protect our organisation and workforce, build safe online and digital spaces for customers and society, and respond to threats. We use our expertise and experience to help improve cyber security practice. We contribute to public policy, technical standards, information sharing, risk assessment, and governance. Within our sector we collaborate with European and international telecommunications companies. We engage in cross-industry collaboration through the European Round Table of large European-based companies, where we chair the CISO committee. Cyber security is increasingly integral to national security strategies. We collaborate with governments and national cyber security bodies, including the UK National Cyber Security Centre and the German Federal Office for Information Security, on topics such as sharing intelligence, engaging on emerging risks and contributing to collective resilience. The Cyber Director is an appointed member of the National Cyber Advisory Board in the UK. We actively engage in security standards working groups such as the OpenRAN Alliance and the GSMA Fraud and Security Group. We have a research programme working on security topics with the German Federal Ministry of Education & Research, for example on securing future generations of mobile technology.

Awareness & training

Our cyber security awareness approach is to educate our employees to protect themselves and our customers from cyber threats. Cyber security training is mandatory for all employees. The training module is designed by the cyber security team to inform employees of key threats and how to avoid them. The corporate security function leads on all employee security training and delivers the programme and materials. If an employee fails the knowledge check that is part of the training, they are required to retake the full cyber security training module. A training manual has been produced for non-employees, so they also receive the same level of awareness. Training on cyber security is also included in our induction process for new employees. We track completion rates to ensure every employee completes the mandatory training.

Read more about our approach to mandatory Doing What’s Right training on page 44