Vodafone 2025 Annual Report

Our approach continued

Ransomware and data extortion attacks are common to companies of all sizes. Based on public reporting, some companies are paying ransoms, perpetuating the threat. Attackers are increasingly trying to log in, rather than hack in. Living-off-the-land attacks rely on the same techniques used to manage access systems that are used widely by everyone. Detection of these attacks is more challenging. Social engineering methods are a common means for attackers to gain access. New technologies such as AI are enhancing techniques such as voice phishing and deep fakes. Harvested credentials continue to be sought and shared by threat actors. Attackers can target executives following media announcements and public reporting. Vulnerability exploitation is common and very fast. We have seen continued attacks against our suppliers, and we expect this trend will continue.

Cyber operations and incidents

As a global connectivity provider, we see a range of cyber threats. We use our layers of controls to identify and mitigate threats in order to reduce business or customer impact. Our global security operations capability handles billions of events and logs from sensors across our footprint, detecting potential threats and events. Low severity issues are dealt with quickly, for example by malware containment or isolating an individual device. More significant events are triaged to our 24/7 incident management and response team.

We operate a single global team and capability. Where a security incident occurs, we have a consistent incident management framework to manage our response and recovery. The focus of our incident responders is always fast risk mitigation and customer security.

In the event of a cyber breach we disclose it to the relevant authorities according to local or global regulations and laws. This may include law enforcement as well as regulators. Risk assessment of the threat actor, incident nature and potential impact to customers is important to determine the approach to disclosure. The European Union’s GDPR provides a framework for notifying customers in the event there is a loss of customer data because of a data breach, and this framework is a baseline across all our markets. Our data privacy officers are a key part of the response where incidents impact personal data. We will also make a market disclosure according to SEC requirements if the relevant materiality threshold is met.

We classify security incidents on a scale according to severity, measured by potential business and customer impact. The scale runs from the highest severity category, Severity 0, down to the lowest, Severity 4. Severity 0 corresponds to a potentially significant data breach or loss of service caused by the incident. If a Severity 0 incident occurs, we notify the Executive Committee, the Board and external auditors and provide regular updates. A crisis group is formed, composed of relevant senior management who oversee the response.

SEC requirements have been incorporated into our incident management process. In the event of a Severity 0 incident, the crisis group would decide whether a recommendation to the Disclosure Committee (composed of the CFO and General Counsel, among other functional leaders) is warranted. The Committee would decide if a market disclosure is necessary for materiality reasons, which would also trigger disclosure to the SEC.

Our total S1 and S2 incident volumes in FY25 were down by 29%, of which 9% is due to not reporting Spain and Italy incidents post divestment. Last year, we reported on the proportion of incidents at suppliers and third parties.
In FY25, this proportion incidents were attackers exploiting weak credentials, social engineering, denial of service events and vulnerabilities being rapidly exploited.

When incidents are closed, we complete a post-incident review to learn the lessons from the incident, including the root cause and any improvements needed.

Cyber insurance is an important part of our risk management and mitigation approach. Vodafone holds cyber liability insurance alongside business interruption and professional indemnity policies. Should a serious cyber event occur, we could recover the costs in whole or in part through these policies.

Read more about how we manage risks from technology disruptions in our SASB disclosure: investors.vodafone.com/sasb

Asset resilience

In the context of international networks, current geopolitical instability poses significant challenges to network stability. Telecommunications networks face bottlenecks, such as the Red Sea, where multiple cables converge. As the frequency of cable cuts increases, whether due to accident or acts of sabotage, a greater level of resilience is required. To mitigate these risks, Vodafone is committed to collaborating with partners to develop and implement new systems and increase diverse routes that enhance resilience. Combined with robust disaster recovery processes and our Instant Network solution from Vodafone Foundation, we aim to minimise the loss of essential telecommunications services even during crises such as the recent adverse weather events in Europe.

In Africa, vandalism and theft are prevalent issues impacting how we service our customers. The resale value of copper, batteries, and fuel drives much of the theft. These thefts and acts of vandalism hinder our ability to effectively roll out decarbonisation solutions. To manage this risk, Vodacom has deployed advanced surveillance systems and is working with private security companies to mitigate the impact.

Since 2020 we have organised twice-yearly Cyber Connect events for our entire global cyber security team. The events include a recap of our strategy and achievements, messages from senior leadership, external industry speakers, collaborative breakout groups and technical track sessions to learn about cyber topics and best practice. We use technology to enable a hybrid experience with some attending in offices and some remote.

The Cyber Code

The Vodafone Cyber Code has been designed to simplify and explain basic security controls and procedures to all employees. The Cyber Code is embedded in our Code of Conduct and is the cornerstone of how we expect all employees to behave when it comes to best practice in cyber security. It consists of seven areas where employees must follow good security practice.

Read more about Vodafone’s Cyber Code in our Code of Conduct: vodafone.com/code-of-conduct

Threats and incidents

Threat landscape and intelligence

An important part of our operating model is to gather intelligence and insights in order to assess threats and drive action. The cyber threat landscape continues to be volatile across all sectors, with wide-ranging threat actors. Our cyber security team use industry and external analysis to help shape our controls and procedures, and drive actions. When specific vendor or new high impact vulnerabilities are reported, we drive global remediation across Vodafone.

Geopolitical instability, conflict and tensions are leading to an increase in cyber threats from state-backed and criminal threat actors. Telecommunications companies continue to be the target of state-backed actors, often to conduct government-oriented or general espionage. Cross-industry and government collaboration is a key part of mitigating the evolving cyber threats.
