Cyber Security Factsheet

Vodafone Group Plc Cyber Security Factsheet 2023

Governance continued

Governance

Management

Cyber governance structure

The Chief Technology Officer and Chief Network Officer are the Executive Committee members responsible for managing the risks associated with cyber threats and information security. The Cyber Security, Technology Assurance and Strategy (‘CTAS’) Director is responsible for managing and overseeing the cyber security programme on a day-to-day basis and reports to the Chief Technology Officer. Reporting to the CTAS Director are the heads of the global cyber security functions and markets or regions. The local cyber security leads are part of their local management teams and responsible for the cyber agenda in their market or region.

The Cyber Risk Council Governance meeting (‘CRC’) takes place quarterly, is attended by the cyber security leads from each market and function and is chaired by the CTAS Director. The CRC approves policies and standards, monitors cyber risk and threat and oversees key programmes. The CRC is part of a wider governance structure which includes the Technology Audit and Risk Committee and ultimately the Board’s Audit and Risk Committee.

Key risk indicators (‘KRIs’) for our most important controls and our security baseline are reported to senior management and the Executive Committee every month. Examples of KRIs include the results of independent network testing, aged vulnerabilities, patching, hardening and endpoint security status and incident metrics. This reporting provides a granular view of progress and risk reduction. The reports also include detail on the threat landscape, policy and risk updates, vulnerability and incident data, and programme updates.

Board

Cyber threats and information security are a major area of focus for the Board’s Audit and Risk Committee and detailed updates including threat landscape, incidents, security position, residual risk and security strategy and programme progress were provided by the CTAS Director twice during the year, most recently in March 2023.

Several new Non-Executive Directors joined our Board over the last 12 months and as part of their induction process, the Chair and the new Board members visited our global Cyber Security Centre in the UK in March 2023. During the visit, the Non-Executive Directors met our cyber security experts and learned more about our strategy, approach, and how we reduce cyber risk through our operating model. They also received demonstrations of the systems and tools used by the cyber security team.

Read more about the Audit and Risk Committee’s oversight of cyber security on pages 42 to 43 and 77 to 82 of our FY23 Annual Report.

Management structure

Board: Updated via ARC
Executive Committee: Monthly
Technology leadership team: 2-3 times per month
CTAS leadership team: Weekly

Risk governance

Audit & Risk Committee (‘ARC’): Twice in FY23
Group Risk & Compliance Committee: As required
Technology Audit & Risk Committee: Quarterly
Cyber Risk Council (includes all market & entity Heads of Cyber): Quarterly

The governance structure chart above shows the different teams and committees responsible for the management and oversight of cyber security risk at Vodafone. The white boxes in the top right of each red box indicate the typical frequency of cyber security updates provided to that particular team or committee during the year. The Cyber Security, Technology Assurance and Strategy (‘CTAS’) Director is responsible for managing and overseeing the cyber security programme on a day-to-day basis. Board-level committees provide effective oversight and review of processes to identify, manage and mitigate cyber security risk.
