Vodafone Group Plc Annual Report 2025 49
Our approach continued
Risk management

Identification of vulnerabilities and risks

Cyber attacks are part of the technology landscape today and will be in the future. All organisations, governments and people are subject to cyber attacks, and some will be successful. The telecommunications industry faces a unique set of risks because we provide connectivity services and handle private communication data. A successful cyber attack could cause serious harm to ourselves or our customers, including unavailability of services or a data breach leading to disclosure or misuse of customer personal data. The consequences could include, but are not limited to, exposure to contractual liability, litigation, regulatory action, or damage to the company’s reputation and brand and loss of market share. In the worst case, a cyber security incident could cause material financial impact to us.

There is increasing regulatory focus on cyber security and requirements for telecommunications providers to improve their cyber security practices. We are subject to GDPR and equivalent legislation in many countries in which we operate. In addition, there are local and regional laws and regulations which impact cyber security, for example the Telecommunications Security Act in the UK and Network & Information Security 2 (‘NIS2’) and the Digital Operational Resilience Act (‘DORA’) in the EU. A cyber incident may lead to regulatory fines and other enforcement activities if deemed to be due to inadequate security. Measures to meet these laws and regulations will also result in increased compliance costs.

We dedicate significant resources to reducing cyber security risks; however, due to the nature of the threats, we cannot provide absolute security and some cyber security incidents will occur.

Risk and threat management are fundamental to maintaining the security of our services across every aspect of our business. We separate cyber security risk into three main areas:
– External: A wide variety of attackers, including criminals and state-backed groups, target our networks, systems and people using a range of techniques. They seek to gain unauthorised access to steal or manipulate data or to disrupt our services. Geopolitical factors also increase the threat of an external attack;
– Insider: Our employees may accidentally leak information or maliciously misuse their privileges to steal confidential data or to cause disruption; and
– Supply chain: We have only indirect control over the cyber security of third-party service providers, which limits our ability to defend against cyber threats to these third parties. Such attacks, if successful, could cause services to be unavailable or enable a data breach to occur.

To help us identify and manage emerging and evolving risks, we constantly evaluate and challenge our business strategy, new technologies, government policies and regulation, and cyber threats. We conduct regular reviews of the most significant security risks affecting our business and develop strategies and policies to detect, prevent and respond to them. Our cyber security strategy focuses on minimising the risk of cyber incidents that affect our networks and services. When incidents do occur, we identify the root causes and use them to improve our controls and procedures.

Cyber security risk is aligned with Vodafone’s enterprise risk framework. The most important risks to the company are referred to as Principal risks, of which Cyber risk is one. The risk owner produces a formal Line of Sight document that describes the risk, the risk tolerance, the current position against tolerance, the controls in place and, if required, the actions needed to move to tolerance. Second and third line assurance information is also included in the document.

Risk and control approach

The global Cyber and Information Security policy applies to all Vodafone-controlled entities. Each security domain has a supporting policy document with detailed control objectives. The policies are underpinned by security standards which provide the relevant technical specifications. Security controls and procedures define the requirements which allow our policies to be met. These controls and procedures are designed to prevent, detect or respond to threats. Most risks and threats are prevented from occurring, and we expect most of the remainder to be detected before they cause harm and need a response.

Adaptive risk and control methodology (‘CHARM’)

We have launched a new global methodology for cyber security risk management which we call the Cyber Health and Adaptive Risk Method, or CHARM. The goals of this approach include:
– Cyber Health: a continuous view of security based on automated key risk indicators;
– Adaptive: responds to changing threats, technology evolution and regulation;
– Risk method: quantified risk to provide better decision-making and prioritisation.

This new approach has a greater focus on risk and threats but retains the structured control framework and common targets of the former Cyber Security Baseline. Initially we are using the same control set as before under the new methodology. To adapt to the changing threat landscape, we have defined threat and risk scenarios. The threats and specific attack techniques are mapped to the controls that most significantly reduce risk, allowing gaps to be highlighted. We have set targets for key controls to be effective. Effectiveness is based on the depth of the control implementation and the coverage of the relevant assets.

Cyber security controls need to be continuously evolved and enhanced to mitigate risks and threats. Each year we set new annual targets; progress against the targets is monitored and reported quarterly to the senior leadership in each market and globally. We update our priorities as circumstances change, including adding any necessary new controls. The control framework will continue to evolve based on changing threats, technology developments, our strategic and business priorities, and regulation. We have begun to automate the capture and reporting of key risk indicator data from source systems. This will reduce manual effort, improve accuracy and provide stronger assurance of effectiveness. We plan to automate all relevant controls over the next two to three years.

Industry collaboration

We actively engage with stakeholders across industry, including regulators, standard-setting bodies and governments. Collaboration is vital to respond to threats, protect our organisation and workforce, and build safe online and digital spaces for customers and society. We use our expertise and experience to engage with a wide range of organisations to help improve the understanding of cyber security thinking and practice, and to contribute to public policy, technical standards, information sharing, risk assessment and governance. For example, we have engaged in cross-industry collaboration through the European Round Table, where we chair the CISO committee. We have an appointed member on the National Cyber Advisory Board in the UK. We also collaborate with other telecommunication companies, and actively engage in security standards working groups such as ENISA 5G Cyber Security Certification, O-RAN Alliance WG11 and the GSMA Fraud and Security Group. We have a research programme working on security topics with the German Federal Ministry of Education & Research, for example on securing future generations of mobile technology.