2024 Cyber Security Factsheet

10

Culture, training and awareness

Vodafone Group Plc Cyber Security Factsheet 2024

Introduction

Strategy

Risk management

Our operating model

Threats and incidents

Compliance

Compliance with Securities and Exchange Commission cyber security disclosure requirements

The United States Securities and Exchange Commission (‘SEC’) introduced new cyber security reporting requirements in December 2023. We have adopted the requirements in our processes for assessing, identifying, and managing material risks from cyber security threats throughout this report. Many of the requirements were covered in our previous cyber security reporting, however this content has been moved into this report. Additionally, we have cross-referenced our disclosures to the new SEC requirements in this table. SEC disclosure requirement Disclosure Page Risk management & strategy (Form 20-F Item 16K (b)) Page 5 iii. Whether the registrant has processes to oversee and identify such risks from cyber security threats associated with its use of any third-party service provider Risk management > Risk and control approach > Supply chain Page 5 2. Describe whether any risks from cyber security threats, including as a result of any previous cyber security incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition Threats and incidents > Cyber operations and incidents Page 9 Governance (Form 20-F Item 16K(c)) 3. Describe the board’s oversight of risks from cyber security threats. If applicable, identify any Board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the process by which the board or such committee is informed about the risks Operating Model > Governance > Board Page 7 4. Describe management’s role in assessing and managing material risks from cyber security threats: i. Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant experience of such persons or members in such detail as necessary to fully describe the nature of the expertise ii. The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation and remediation of cyber security incidents iii. Whether such persons or committees report information about such risks to the board or a committee or subcommittee of the board Operating model > Governance > Management Page 7 Material cyber security incidents (Form 6-K) Information on material cyber security incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders There have been no such incidents in the current or prior financial years. 1. Describe the registrant’s processes for assessing, identifying, and managing material risks from cyber security threats: i. Whether any such processes have been integrated into the registrant’s overall risk management system or processes ii. Whether the registrant engages assessors, consultants, auditors or other third parties in connection with any such processes, and; Risk management > Identification of vulnerabilities and risks Page 4 Risk management > Risk and control approach > Assurance

Powered by