Vodafone Group Plc Cyber Security Factsheet 2024


Risk management continued

Risk and control approach

The global Cyber and Information Security policy applies to all Vodafone-controlled entities. Each security domain has a more detailed supporting policy document with detailed control objectives. The policies are underpinned by security standards which provide relevant technical specifications.

Control framework

Security controls and procedures define the requirements which allow our policies to be met. These controls and procedures are designed to prevent, detect or respond to threats. Most risks and threats are prevented from occurring, and we expect most will be detected before they cause harm and need a response.

We have defined a common global control framework called the Cyber Security Baseline (‘CSB’), and adoption is mandatory across the entire Group. We based the CSB on the ISO 27001 international standard, mapping those controls to our cyber risks to identify the most impactful. Our original baseline included 48 key controls; this has grown to 56 as we have reviewed and identified new controls to counter new cyber threats. All controls in the baseline need to be effective in all entities. We define effectiveness based on the depth of the control implementation and coverage of the relevant assets.

We understand that cyber security controls need to be continuously evolved and enhanced to mitigate risks and threats. Each year we set new annual targets, and progress against the targets is monitored and reported to the senior leadership team in each market and to the technology leadership team quarterly. We update our priorities with changes, including any necessary new controls and procedures.

In addition to this top-down process of risk identification and mitigation, we identify individual cyber risks at the product or system level, for example through our Secure by Design process, operational activities, scanning and monitoring, or through an incident. Risks are evaluated on a common impact and likelihood scale; mitigating actions are agreed and captured in a risk register. Any high risks identified through these processes require senior management oversight and agreement of mitigating actions.

Supply chain

As well as monitoring control effectiveness within Vodafone, we oversee the cyber security of our suppliers and third parties. Controls and procedures are embedded in the supplier lifecycle to set requirements, assess the risk and monitor each supplier’s security performance. At supplier onboarding, minimum security requirements are written into contracts, and we determine the inherent risk of the supplier based on the service they are providing. We then assess their controls and procedures using a questionnaire to understand the residual risk, which informs the frequency of review, from annual to every three years. We follow up on open actions and ensure any security incidents are tracked and managed.

Regulatory landscape

We expect a continued increase in security regulation over the next few years as governments respond to the heightened cyber threat landscape, recognising that telecommunications operators provide critical national infrastructure. We engage directly with governments and industry partners to promote proportionate, risk-based and cost-effective solutions to security threats. We look to establish shared approaches to reinforce standardisation and regulatory frameworks that apply equally to all market participants.

In the UK, we are implementing the provisions of the Telecommunications Security Act, which sets enhanced security requirements for UK network operators and their suppliers. In Europe, individual member states have their own current or pending legislation, which incorporates EU-wide standards such as the 5G Security toolbox and the Network and Information Security 2 Directive. We continue to monitor the forthcoming EU Cyber Resilience Act, which aims to ensure that all digital products and services fulfil the same security requirements. The US Securities and Exchange Commission (‘SEC’) introduced new cyber security incident disclosure and periodic reporting requirements in December 2023. We have updated our incident management process to include the relevant disclosure steps should a material incident occur; this is described in the Cyber Operations and Incidents section. Where applicable, we have expanded these cyber security disclosures in response to the new reporting requirements.

Adaptive Risk and Control Methodology

A risk and control methodology is important to drive action in any company. We are launching a new global methodology for cyber security risk management, which was developed with the assistance of a major consulting firm. During FY25 we will retire the CSB and replace it with the new methodology. This methodology has a greater focus on risk and threats but retains the structured control framework and common targets of the CSB. Controls are vital to reduce risk, and initially we will continue to use the same control set under the new methodology.

To adapt to the changing threat landscape, the new methodology introduces threat and risk scenarios. The threats and specific attack techniques are mapped to the controls that most significantly reduce risk, allowing gaps to be highlighted. The control framework will continue to evolve based on technology changes, our strategic and business priorities, and changing regulation.

Over the next three years, we intend to automate the capture and reporting of key risk indicator data from source systems. This will reduce manual effort, be more accurate and provide stronger assurance of effectiveness. Further, to better quantify residual risk, we have also created a risk quantification model based on threats, control effectiveness and incident data. This will be tested and launched during FY25.

Read more about our identification of cyber threat as a principal risk on page 60 of our FY24 Annual Report: vodafone.com/ar2024

Assurance

A dedicated technology assurance team reviews and validates the effectiveness of our cyber security controls and procedures, and our control environment is subject to regular internal audit. We test the security of our mobile networks every year using a specialist testing company, which also benchmarks our security against other telecommunications operators. This provides assurance that we are maintaining the highest standards and that our telecommunications controls are operating effectively. We have also appointed external specialists to perform testing on our security controls (‘red teaming’) to uncover any areas for improvement. We maintain externally audited information security certifications, including ISO 27001, which cover our global technology function and 11 local markets. In addition, our markets comply with national information security requirements where applicable.

All systems going live and those undergoing change are independently penetration tested. An internal team performs some testing, and we engage third party testers where appropriate. Across Vodafone, we complete over 1,000 penetration tests every year (see note 1). We also perform adversary testing exercises using independent third parties.

Note: 1. Includes Vodafone Italy and Vodafone Spain.
