Vodafone Group Plc Annual Report 2025 51
Our approach continued
Governance

Management

The Chief Technology Officer (‘CTO’) and Chief Network Officer (‘CNO’) are the Executive Committee members accountable for managing the risks associated with cyber threats and information security. The Cyber Security and Technology Strategy & Governance (‘Cyber’) Director is responsible for managing and overseeing cyber security across Vodafone and reports to the CTO. Within the cyber security organisation, led by the Cyber Director, we have heads of global cyber security functions, local markets and regional cyber security leaders. This global leadership team is responsible for directing, managing and reducing cyber risk across Vodafone. Market and regional cyber security leaders are also part of their local management teams, with a dotted matrix reporting line to local chief information officers.

The Cyber Director has led cyber security in Vodafone since 2015. Prior to joining Vodafone, the Cyber Director was chief security officer at a large UK bank, after previously holding security and technology audit leadership roles in financial services and the UK postal service. The Cyber Director is an independent advisor for a large UK retail company, a member of the UK Cabinet Office National Cyber Advisory Board and holds several other industry advisory and committee roles. Our broader cyber leadership team has significant cyber security and technology risk experience across business sectors including telecommunications, financial services and professional services.

The cyber security leadership team reviews detailed metrics monthly covering security controls status, updates about the threat landscape, and specific key risk indicators (‘KRIs’) for our most important controls. Examples of KRIs include results of independent network testing by third parties, vulnerability management, patching, hardening and endpoint security status, and incident metrics. Internal reporting provides a detailed view of progress and risk reduction. If markets are consistently not achieving targets, they are expected to have plans in place to recover. Quarterly summary management reporting is provided to the technology leadership team and Executive Committee. This is supplemented by monthly control status reports which track targets and are discussed in regular meetings with local market leadership teams.

The top-level Cyber and Information Security policy is approved annually by the CTO. Risk governance is provided by a quarterly Cyber Risk Council meeting, chaired by the Head of Cyber Governance Risk and Control, and attended by the Cyber Director, the Cyber leadership team and cyber security leaders from each market. The meeting reviews and approves detailed cyber policies and standards, monitors cyber risk and threat, and oversees key strategic programmes. Cyber security risk is also reported to and monitored by more senior committees including the Technology Audit and Risk Committee, chaired by Internal Audit, and the Vodafone Group Risk and Compliance Committee, chaired by the Chief Financial Officer (‘CFO’). The Cyber Director attends both of those committees to provide updates as required.

Board

The Group Audit and Risk Committee (‘ARC’) is the responsible committee for the oversight of risks from cyber security threats. The Committee receives updates from Internal Audit throughout the year. The ARC reviews the risk tolerance, risk position and mitigating actions for each principal risk of the company, including cyber threat. In addition, the Committee reviews cyber risk based on papers and presentations from the CTO and Cyber Director. The report collates the data that covers all local markets’ security status. The paper also typically includes threat landscape, incidents, security position, residual risk, strategy and programme progress across the Company. The Chair of the Board’s Audit and Risk Committee is the Senior Independent Director of the Board. A former CEO at a UK financial services company, he has significant experience of overseeing technology and cyber issues. Cyber security is also discussed at the Board Technology Committee, which assists the Board by overseeing how technology underpins company strategy. In total, cyber topics were covered three times at Board-level committees in FY25.

Read more about the Audit and Risk Committee’s oversight of cyber security on pages 86 to 91

Find out more: watch our Chair of the Technology Committee talk more about his role at investors.vodafone.com/videos

Culture, training and awareness

Training and awareness

Our cyber security awareness approach is to educate our employees to protect themselves and our customers from cyber threats. Cyber security training is mandatory as part of our Doing What’s Right programme. The training module is designed by the cyber security team to inform employees of key threats and how to avoid them. The cyber leadership team are actively involved in shaping the approach and in specific employee communication. The corporate security function leads on all employee security training and delivers the programme and materials. If an employee fails the knowledge check which is part of the training, they are required to retake the full cyber security training module. A training manual has been produced for non-employees, so they also receive the same level of awareness. Training on cyber security is also included in our induction process for new employees. We track completion rates to ensure every employee completes the mandatory training.

Read more about our approach to mandatory Doing What’s Right training on page 42

Cyber security training is reinforced by regular digital communications delivered via our internal social media platform, through videos and webinars. When new threats arise or become more prevalent we provide targeted advice. Examples include reminders on the use of multi-factor authentication and not to share credentials. We perform phishing simulations across all markets and functions to raise awareness and train employees. We target at least two exercises per market or function per year. We also run multi-market simulations to allow us to compare responses consistently – these simulations cover European and African markets and Group functions. Those who click on the link in the phishing message or share their credentials receive immediate training.

We have continued to undertake incident simulations for local executive committees. In the last year we have covered seven markets including the UK, Albania, Czechia, Ireland, Romania, Portugal and Türkiye. The simulations provide CEOs and their teams a realistic and tailored experience of managing a cyber incident and exercising their responsibilities in accordance with our common approach.

Growing our skills

We enable employees in our cyber teams to maintain and grow their skills to better protect our customers. Our company learning platform hosts cyber training on technical topics, platforms and frameworks. Employees can study towards recognised information security and cyber certifications aligned to their learning plans.