Cyber Security Factsheet

Vodafone Group Plc Cyber Security Factsheet 2023

Introduction

Strategy

Governance

Risk management

Events

Governance

Operating model We have implemented an operating model based on the leading industry security standards published by the US National Institute of Standards and Technology (‘NIST’). The model is designed to reduce risk through constantly protecting, defending and improving our security. We have an in-house international team of almost 1,000 employees and we also work with third-party experts in specialist areas. Our scale means we benefit from global collaboration, technology sharing and deep expertise, and ultimately have greater visibility of emerging threats. Cyber security function Team Responsibilities Governance, Risk and Control – Oversee cyber risk management across the Group. – Define and ensure adoption of policies and controls and measure control effectiveness. – Identify and minimise supplier cyber risk. Strategy and Secure by Design – Define cyber strategy in line with technology function and Group strategies. – Ensure products, services and internal systems are secure by design. Cyber Prevent – Engineer, deliver and operate global security platforms and controls, driving continuous improvement. Cyber Defence – Perform threat intelligence & security testing, and detect events and attacks through 24/7 monitoring. – Respond to incidents to minimise the impact of security events on our business and customers. Local Market Teams – Responsible for managing and embedding cyber security in our local markets, including meeting local cyber regulatory and compliance requirements. Internal knowledge sharing We make sure that all our cyber security experts understand our cyber security strategy and how it translates to their daily work. As well as monthly all-hands meetings, we organise twice yearly Cyber Connect CyberCon events for our entire global cyber security team. The events include a recap of our strategy and achievements, messages from senior leadership, external industry speakers, collaborative breakout groups and technical track sessions to learn about cyber topics and best practice. We use technology to enable a hybrid experience with some attending in offices and some remote, but anyone from our global cyber security team is able to participate.

Our approach to cyber security

Our approach to cyber security is summarised in the following diagram and the accompanying video linked at the bottom of this page. In the video, cyber security experts from across a number of teams within the cyber security function explain our approach across the lifecycle: identify, protect, detect, and respond and recover.

R i

Measure & Assess Risk

Set Policy & Select Controls

Risk & Threat-based Security

Deploy controls, Maintain Systems

Monitor & Respond to events

Scan or click to watch our cyber security experts summarise our approach to cyber security: investors.vodafone.com/videos