50 Vodafone Group Plc Annual Report 2025
Our approach continued
To better quantify residual risk, we have created a risk quantification model based on threats, control effectiveness and incident data. The model is due to be launched in early FY26. In addition to this top-down process of risk identification and mitigation, we identify individual cyber risks at the product or system level, for example through our Secure by Design process, operational activities, scanning and monitoring, or through an incident. Risks are evaluated on a common impact and likelihood scale, and mitigating actions are agreed and captured in a risk register. Any high risks identified through these processes require senior management oversight and agreement of mitigating actions.

Assurance
A dedicated technology assurance team reviews and validates the effectiveness of our cyber security controls, and our control environment is subject to regular internal audit. We test the security of our mobile networks every year using a specialist testing company, which also benchmarks our security against other telecommunications operators. This provides assurance that we are maintaining the highest standards and that our telecommunications controls are operating effectively. We have also appointed external specialists to perform testing of our security controls ('red teaming') to uncover any areas for improvement. We maintain externally audited information security certifications, including ISO 27001, which cover our global technology function and nine local markets. In addition, our markets comply with national information security requirements where applicable. All systems going live and those undergoing change are independently penetration tested. An internal team performs some of this testing, and we engage third-party testers where appropriate. Across Vodafone, we complete over 1,000 penetration tests every year. We also perform adversary testing exercises.
Supply chain
As well as monitoring control effectiveness within Vodafone, we oversee the cyber security of our suppliers and third parties. Controls and procedures are embedded in the supplier lifecycle to set requirements, assess risk and monitor each supplier's security performance. At supplier onboarding, minimum security requirements are written into contracts, and we determine the inherent risk of the supplier based on the service they are providing. We then assess their controls using a questionnaire to understand the residual risk, which informs the frequency of review, from annual to every three years. We follow up on open actions and ensure any security incidents are tracked and managed.

Regulatory landscape
We are seeing an increase in new security regulation as governments respond to the heightened cyber threat landscape, recognising that telecommunications operators provide critical national infrastructure. We engage directly with governments and industry partners to promote proportionate, risk-based and cost-effective solutions to security threats. We look to establish shared approaches to reinforce standardisation and regulatory frameworks that apply equally to all market participants. In the UK, we are implementing the provisions of the Telecommunications Security Act, which sets enhanced security requirements for UK network operators and their suppliers. In Europe, we are planning implementation of the NIS2 and DORA requirements. We continue to monitor the forthcoming EU Cyber Resilience Act, which aims to ensure that all digital products and services fulfil basic security requirements.
The US Securities and Exchange Commission ('SEC') introduced cyber security incident disclosure and reporting requirements in December 2023. We updated our incident management process to include the relevant disclosure steps should a material incident occur; this is described in the Cyber Operations and Incidents section. Where applicable, we have expanded these cyber security disclosures in response to the new reporting requirements.

Operating model
We have implemented a globally consistent cyber security operating model that is based on the leading industry security standards published by the US National Institute of Standards and Technology ('NIST'). The model is designed to reduce risk by constantly identifying threats, protecting, defending and improving our security. We operate cyber capabilities with an in-house international team of over 900 employees.

We augment our internal capabilities where necessary with third-party specialist technical expertise, such as digital forensics, red teaming and penetration testing. We use specialist resources to perform testing of our telecommunications networks. We also use qualified external resources to help during the implementation of change and improvement projects. Our scale means we benefit from global collaboration, technology sharing and deep expertise, and ultimately have greater visibility of emerging threats. An example is our global security operations centre, which takes inputs and telemetry from all the markets where we operate.

Our approach to cyber security
Our cyber security approach, explained by our experts, covers the lifecycle: identify, protect, detect, respond, recover and govern. This is summarised in the video linked below.

Find out more
– Our cyber security experts summarise our approach to cyber security: investors.vodafone.com/videos
Cyber security function

Team: Governance, Risk and Control
Responsibilities:
– Cyber risk framework and management across the Group.
– Define and track adoption of controls and procedures, and measure effectiveness.

Team: Strategy and Secure by Design
Responsibilities:
– Define cyber strategy aligned to technology and Company strategies.
– Products, services and internal systems are secure by design.

Team: Cyber Prevent
Responsibilities:
– Engineer, deliver and operate global security platforms, driving continuous improvement.
– Perform threat intelligence and security testing.

Team: Cyber Defence
Responsibilities:
– Detect events and attacks through 24/7 monitoring.
– Respond to events and incidents to minimise the impact to business and customers.

Team: Investments & Supplier
Responsibilities:
– Manage cyber risk in the Vodafone investments portfolio, partner markets, acquisitions and divestments.
– Identify and reduce supplier risk.

Team: Local Market Teams
Responsibilities:
– Responsible for managing and embedding cyber security in our local markets, including meeting local cyber regulatory and compliance requirements.