Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended Mar. 31, 2026
Cybersecurity Risk Management, Strategy, and Governance [Line Items]
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Cyber Strategy

Our cyber security strategy and global operating model are designed to deliver our vision and goals, and form part of our wider Company strategy. Cyber security remains a Board-level priority. The strategy and operating model are based on an understanding that cyber risk is volatile and attacks will sometimes be successful. Good cyber security requires persistent and continuous effort. Our refreshed cyber strategy builds on our security foundations and strategic initiatives, with an emphasis on resilience and collaboration in an increasingly unpredictable world. The strategy takes account of future threats and changes in technology so that it remains fit for purpose over the next five years and beyond.

We are committed to building and maintaining customer trust against a backdrop of an increasingly uncertain and volatile threat landscape. We cannot control all threats, but we can prepare for them and minimise their impact through cyber resilience. We view cyber resilience as our ability to anticipate, withstand, recover from and adapt to unexpected and severe cyber events.

Our strategy is guided by four ambitions: embed security and resilience by design in all that we do; anticipate and reduce critical cyber risks; effective security at pace; and build a trusted and resilient ecosystem for customers, partners and society.

We are delivering the strategy through seven pillars. Together, these enable customer trust in our products and services, deliver our vision of a secure and resilient connected future for everyone, and guide company-wide changes.

Adaptive and accelerated cyber health: Sustaining cyber health with an accelerated pace of protection, detection and response. Adapting to volatile risks, enabling new technology and meeting changing regulations.
Secure connectivity & network defence: Secure by design and resilient connectivity for customers across our fixed and mobile networks, fintech platforms, digital channels and all services.

Dynamic trust: Identity, access and insider controls that provide access aligned to role, timing and need across people, systems and agents.

Real-time threat protection: Visibility through global telemetry and operations enables rapid detection and response. Our people are enabled by responsible AI and automation.

Supply chain and ecosystem security: Security by default and embedded, simplified security standards across the supplier and partner ecosystem.

People, capability & cyber culture: Accountability and training deliver a company security culture. A globally aligned, highly skilled and technically enabled cyber capability.

Cyber resilience: Risk-led readiness to withstand changing threats and minimise impact to customers and services.

We continue to review and evolve our strategy. Each year we define and communicate priorities for a three-year period, so that all areas of our business are clear on the investment priorities for security. We track progress against these priorities.

Operating model

We have implemented a globally consistent cyber security operating model that is based on the leading industry security standards published by the US National Institute of Standards and Technology (‘NIST’). The model is designed to reduce risk by constantly identifying threats, and protecting, defending and improving our security. The model brings together our local capabilities across Europe and Africa with global resources organised in five functional teams. Our in-house international team has over 900 employees.

The Governance, Risk and Control team set policies and standards, oversee and measure our cyber risk across the Group, define and evaluate security controls, and manage information security certifications.
The Strategy and Architecture team define our cyber strategy, aligned to the technology and company strategies. They lead IT and security architecture to deliver secure, resilient and efficient platforms.

The Secure by Design, Investments & Supplier team implement security and privacy by design across all products and services. They manage cyber risk in partner markets, acquisitions and divestments, and identify and reduce supplier risk.

The Cyber Prevent team build, maintain and operate our global security platforms, driving continuous improvement.

The Cyber Defence team gather threat intelligence and perform security testing. They detect events and attacks through 24/7 monitoring and respond to incidents to minimise impact on business and customers.

We have cyber teams in each operating company. They are responsible for managing and embedding cyber security locally, including meeting local cyber regulatory and compliance requirements. We augment our internal capabilities with third-party specialist technical expertise, such as digital forensics, red teaming and penetration testing. We use specialist resources to perform testing of our telecommunications networks. We also use qualified external resources to help during the implementation of projects.

Our scale means we benefit from global collaboration, technology sharing and deep expertise, and ultimately have greater visibility of emerging threats. An example is our global security operations centre, which takes inputs and telemetry from all markets where we operate to provide global visibility.
Governance

The Chief Technology Officer (‘CTO’) and Chief Network Officer (‘CNO’) are the Executive Committee (‘ExCo’) members accountable for managing the risks associated with cyber threats and information security. The Cyber Security, IT Architecture, Data & Analytics and Technology Strategy (‘Cyber’) Director is responsible for managing and overseeing cyber security across Vodafone and reports to the CTO. The Cyber Director has led cyber security in Vodafone since 2015. Prior to joining Vodafone, the Cyber Director was chief security officer at a large UK bank, after previously holding security and technology audit leadership roles in financial services and the UK postal service.

The global cyber leadership team reporting to the Cyber Director consists of the leaders of global cyber security functions, European and African markets, and Group functions. This leadership team is responsible for directing, managing and reducing cyber risk across Vodafone. Market and regional cyber security leaders are also part of their local management teams, with a dotted matrix reporting line to local chief information officers. Leadership team members have significant cyber security and technology risk experience across business sectors including telecommunications, financial services and professional services.

Cyber security risk is overseen and monitored by a number of senior-level committees. These include the Group Risk and Compliance Committee, chaired by the Chief Financial Officer, and the Technology Audit and Risk Committee, chaired by Finance and led by Internal Audit. The Cyber Director attends both of those committees to provide updates as required. Operational risk governance is provided by a quarterly Cyber Risk Council meeting, chaired by the Head of Cyber Governance Risk and Control, and attended by senior cyber security leaders. The meeting reviews and approves cyber policies and standards, and monitors and oversees cyber risk and threats.
Regular management reporting is provided to the Technology Leadership Team and ExCo. This is supplemented by control status reports that track targets and are discussed in regular meetings with local market leadership teams. We produce dashboards of key risk indicators (‘KRIs’) for our most important controls. Examples of KRIs include results of independent network testing by third parties, vulnerability management, patching, hardening and endpoint security status, network controls and incident metrics. This reporting provides a detailed view of risk reduction. If markets are consistently not achieving targets, they are expected to have plans in place to remediate. We continue to expand our KRI coverage to provide timely, accurate and comprehensive reporting.

Board

The Group Audit and Risk Committee (‘ARC’) is the Board committee responsible for the oversight and effective governance of the Group’s management of cyber security risks. The Committee receives updates from Internal Audit throughout the year. The ARC reviews the risk tolerance, risk position and mitigating actions for the Group’s principal and emerging risks, including cyber threat. In addition, the Committee reviews cyber risk based on deep-dive papers and presentations from the CTO and Cyber Director. The papers typically include the threat landscape, incidents, security position, residual risk, strategy and programme progress across the Company. Cyber security is also discussed at the Board Technology Committee, which assists the Board by overseeing how technology underpins company strategy.

Risk management

Cyber attacks are part of the technology landscape today and will be in the future. All organisations, governments and people are subject to cyber attacks and some will be successful. The telecommunications industry is faced with a unique set of risks as we provide connectivity services and handle private communication data.
A successful cyber attack could cause serious harm to our customers, including unavailability of services or a data breach leading to disclosure or misuse of customer personal data. The consequences could include, but are not limited to, exposure to contractual liability, litigation, regulatory action, or damage to the company’s reputation and brand and loss of market share. In the worst case, a cyber security incident could cause material impact.

There is increasing regulatory focus on telecommunications providers to improve their cyber security practices. We are subject to GDPR and equivalent legislation in many countries in which we operate. In addition, there are local and regional laws and regulations which impact cyber security, for example the Telecommunications Security Act in the UK, and Network & Information Security 2 (‘NIS2’) and the Digital Operational Resilience Act (‘DORA’) in the EU. A cyber incident may lead to regulatory fines and other enforcement activities if deemed to be due to inadequate security. Measures to meet these laws and regulations will also result in increased compliance costs.

We dedicate significant resources to reducing cyber security risks; however, due to the nature of the threats, we cannot provide absolute security and some cyber security incidents will occur. Risk and threat management are fundamental to maintaining the security of our services across every aspect of our business. We separate cyber security risk into three main areas of risk.

External: A wide variety of attackers, including criminals and state-backed groups, target our networks, systems and people using a range of techniques. They seek to gain unauthorised access to steal or manipulate data or disrupt our services. Geopolitical factors also increase the threat of an external attack.

Insider: Our employees may accidentally leak information or maliciously misuse their privileges to steal confidential data or to cause disruption.
In addition, external attacks increasingly resemble insider activity following credential theft. Agentic AI will further blur boundaries.

Supply chain: We use a range of third-party service providers to support our operations. Although we mandate security requirements contractually and undertake continuing oversight, a cyber incident affecting a supplier could cause services to be unavailable or enable a data breach to occur.

We conduct regular reviews of the most significant security risks affecting our business and develop strategies and policies to detect, prevent and respond to them. Our cyber security strategy focuses on minimising the risk of cyber incidents that affect our networks and services. When incidents do occur, we identify the root causes and use them to improve our controls and procedures.

Cyber security risk is aligned with our global enterprise risk management framework. The most important risks to the company are referred to as principal risks, of which cyber risk is one. The risk owner produces a formal line-of-sight document that describes the risk, the risk tolerance, current position against tolerance, controls and actions to move to tolerance if required. Second-line assurance and third-line audit information is also included in the document.

The global Cyber and Information Security policy sets out overall objectives, roles and responsibilities that apply to all Vodafone-controlled entities. The policy is approved annually by the CTO. Each underlying security area has a supporting global standard document that defines detailed control objectives. The global standards are underpinned by a layer of technical security standards which provide more detailed specifications to aid control implementation. Security controls and procedures define the requirements which allow our policies to be met. These controls and procedures are designed to prevent, detect or respond to threats.
Most risks and threats are prevented from occurring, and we expect most will be detected before they cause harm and need a response.

We use a global methodology for cyber security risk management which we call the Cyber Health and Adaptive Risk Method, or CHARM. The targeted goals of this approach include:

Cyber Health: providing a continuous view of security based on automated key risk indicators (‘KRIs’);
Adaptive: our framework responds to changing threats, technology evolution and regulation; and
Risk Method: managing and quantifying risk to provide better decision-making and prioritisation.

This approach is focused on risk and threats and underpinned by a structured control framework and common targets for control effectiveness across all our markets and entities. Effectiveness is based on the completeness of the control implementation and coverage of the relevant assets. Cyber security controls need to be continuously evolved and enhanced to mitigate risks and threats. Each year we set new annual targets; progress against the targets is monitored and reported quarterly to the senior leadership in each market and Group. We update our framework with changes, including any necessary new controls. The control framework will continue to evolve based on changing threats, technology developments, our strategic and business priorities, and regulation.

To adapt to the changing threat landscape, we have defined threat and risk scenarios. The threats and associated attack techniques are mapped to the controls that most significantly reduce risk, allowing gaps to be highlighted. We are in the process of automating the capture and reporting of KRI data from source systems. This reduces manual effort, is more timely and accurate, and provides stronger assurance of effectiveness. We plan to complete the automation of all controls for which KRIs can be defined over the next two years.
We have created a risk quantification model based on threats, control effectiveness and incident data. We used this model with our internal insurance team to estimate losses in various scenarios as part of annual planning to obtain cyber insurance cover. We are exploring future use cases to increase the value we can obtain from the model.

In addition to this top-down process of risk identification and mitigation, we identify individual cyber risks at the product or system level, for example through our Secure by Design process, operational activities, scanning and monitoring, or through an incident. Risks are evaluated on a common impact and likelihood scale, and mitigating actions are agreed and captured in a risk register. Any high risks identified through these processes require senior management oversight and agreement of mitigating actions.

A dedicated technology assurance team reviews and validates the effectiveness of our cyber security controls, and our control environment is subject to regular internal audits. We test the security of our mobile networks annually using a specialist testing company, which also benchmarks our security against other telecommunications operators. This provides assurance that we are maintaining high standards and that our telecommunications controls are operating effectively. We have also appointed external specialists to perform testing on our security controls (‘red teaming’) to uncover any areas for improvement.

We maintain externally audited information security certifications, including ISO 27001, which cover our global technology function and 11 local markets. An additional market is currently undergoing recertification. Our markets also aim to comply with national information security requirements where applicable. All systems going live are independently penetration tested, and regular follow-up testing is done on a risk basis. An internal team performs some of the testing, and we engage third-party testers where appropriate.
Across Vodafone, we complete over 1,000 penetration tests every year. As well as monitoring control effectiveness within Vodafone, we oversee the cyber security of our suppliers and third parties. Controls and procedures are embedded in the supplier lifecycle to set requirements, assess risk and monitor each supplier’s security performance. At supplier onboarding, minimum security requirements are written into contracts, and we determine the inherent risk of the supplier based on the service they are providing. We then assess their controls using a questionnaire to understand the residual risk, which informs the frequency of review from annual to every three years. We follow up on open actions and ensure any security incidents are tracked and managed.
Cyber insurance is an important part of our risk management and mitigation approach. Vodafone holds cyber liability insurance alongside business interruption and professional indemnity policies. Should a serious cyber event occur, we could recover the costs in whole or in part through these policies.

Industry and government collaboration

We actively engage with stakeholders across industry, including regulators, standard-setting bodies and governments. Collaboration is vital to protect our organisation and workforce, build safe online and digital spaces for customers and society, and respond to threats. We use our expertise and experience to help improve cyber security practice. We contribute to public policy, technical standards, information sharing, risk assessment, and governance. Within our sector we collaborate with European and international telecommunications companies. We engage in cross-industry collaboration through the European Round Table of large European-based companies, where we chair the CISO committee.

Cyber security is increasingly integral to national security strategies. We collaborate with governments and national cyber security bodies, including the UK National Cyber Security Centre and the German Federal Office for Information Security, on topics such as sharing intelligence, engaging on emerging risks and contributing to collective resilience. The Cyber Director is an appointed member of the National Cyber Advisory Board in the UK. We actively engage in security standards working groups such as the OpenRAN Alliance and the GSMA Fraud and Security Group. We have a research programme working on security topics with the German Federal Ministry of Education & Research, for example on securing future generations of mobile technology.

Awareness & training

Our cyber security awareness approach is to educate our employees to protect themselves and our customers from cyber threats. Cyber security training is mandatory for all employees.
The training module is designed by the cyber security team to inform employees of key threats and how to avoid them. The corporate security function leads on all employee security training and delivers the programme and materials. If an employee fails the knowledge check which is part of the training, they are required to retake the full cyber security training module. A training manual has been produced for non-employees, so that they also receive the same level of awareness. Training on cyber security is also included in our induction process for new employees. We track completion rates to ensure every employee completes the mandatory training.
Cyber security training is reinforced by regular digital communications via our internal social media platform, videos and webinars. When new threats arise or become more prevalent, we provide targeted advice. Examples include reminders on the use of multi-factor authentication and how to avoid social engineering. We perform quarterly phishing simulations across all markets and Group functions to raise awareness and train employees. Those who click on the link in the phishing message or share their credentials receive immediate training. NIS2 requires additional security role-specific training. We are developing such training, aimed at roles designated as higher risk, which will be launched next year.

We enable employees in our cyber teams to maintain and grow their skills to better protect our customers. Our company learning platform hosts cyber training on technical topics, platforms and frameworks. Employees can study towards recognised information security and cyber certifications aligned to their learning plans. We organise regular Cyber Connect events for our entire global cyber security team. These events include a recap of our strategy and achievements, messages from senior leadership, external industry speakers, collaborative breakout groups and technical track sessions to learn about cyber topics and best practice. We use technology to enable a hybrid experience, with some attending in offices and some remote.

The Vodafone Cyber Code has been designed to simplify and explain basic security controls and procedures to all employees. The Cyber Code is part of our company Code of Conduct and is the cornerstone of how we expect all employees to behave when it comes to best practice in cyber security. It consists of seven areas where employees must follow good security practice.
Cyber operations and incidents

An important part of our operating model is to gather intelligence and insights in order to assess threats and drive action. Our cyber security team use industry and external analysis to help shape our controls and procedures, and drive actions. When specific vendor or new high-impact vulnerabilities are reported, we drive global remediation across Vodafone. As a global connectivity provider, we see a range of cyber threats. We have visibility of these threats through our global telemetry. We use our layers of controls to identify and mitigate threats in order to reduce business or customer impact.

We operate a single global security operations capability. We handle billions of events and logs from sensors across our footprint, detecting potential threats and events. Low-severity issues are dealt with quickly, for example by malware containment or isolating an individual device. More significant events are triaged to our 24/7 incident management and response team. When a security incident occurs, we have a consistent incident management framework to manage our response and recovery. The focus of our incident responders is always fast risk mitigation and customer security.

In the event of a cyber breach we disclose it to the relevant authorities according to local or regional regulations and laws. This may include law enforcement as well as regulators. Risk assessment of the threat actor, incident nature and potential impact to customers is important to determine the approach to disclosure. The European Union’s GDPR provides a framework for notifying customers in the event there is a loss of customer data because of a data breach, and this framework is a baseline across all our markets. Our data privacy officers are a key part of the response where incidents impact personal data. We will also make a market disclosure according to US Securities and Exchange Commission (SEC) requirements if the relevant materiality threshold is met.
We classify security incidents on a scale according to severity, measured by potential business and customer impact. The highest severity category of event is called Severity 0, down to the lowest, Severity 4. Severity 0 corresponds to a potentially significant data breach or loss of service caused by the incident. If a Severity 0 incident occurs, we notify the ExCo, the Board and external auditors and provide regular updates to all. A crisis group is formed, composed of relevant senior leaders who oversee the response.

Vodafone is in scope of the SEC cybersecurity rule for incident disclosure and reporting. We have updated our incident management process to include the relevant disclosure steps should a material incident occur. Where applicable we have expanded these cyber security disclosures in response to the reporting requirements. In the event of a Severity 0 incident, the crisis group would decide whether a recommendation to the Disclosure Committee (composed of the CFO and General Counsel, and other senior management) is warranted. The Committee would decide if a market disclosure is necessary for materiality reasons, which would also trigger disclosure to the SEC. When incidents are closed, we complete a post-incident review to learn the lessons from the incident, including the root cause and any improvements needed.

This Year

We evolved our organisation to better support our security ambitions. This included embedding privacy engineering to create a Security and Privacy by Design capability, and bringing together IT and security architecture to provide consistency across our systems. We continue to build strong partnerships across industry and government. One of the cyber leadership team was appointed to the ENISA Advisory Group. In the UK we co-hosted an industry and government workshop on post-quantum cryptography migration, bringing together security leaders across industry and government.
We made progress across our cyber strategy, including refreshing policies; implementing Key Risk Indicators for security controls; launching a new supplier security schedule and simplified requirements; and refreshing our strategy with a focus on resilience. We also increased the use of automation and AI, delivering more operational efficiency and automated response.

Vodafone Germany launched a new Cyber Security Centre in Düsseldorf, aiming to support and protect SMEs in the digital world. The Centre will employ more than 100 security experts, working around the clock to protect, monitor, analyse and resolve cyber security issues for companies throughout the country.

We have continued to organise cyber incident simulations for local ExCos, covering five markets this year. These provide CEOs and their teams with a realistic experience of managing a cyber incident and exercising their responsibilities. Cyber risk remains a standing topic for senior leadership. Cyber topics were covered three times at Board-level committees during the year.

People and culture are central to our cyber capability. We set targets and track diversity and inclusion measures. We recognise deep technical expertise through our Technical Career Path, with several cyber specialists ratified.

During the year no cyber incident met the threshold for disclosure to the SEC. About one-third of the incidents we managed were in our supply chain. Ransomware and extortion attacks were the most prevalent in the supply chain. Third-party companies producing software developer packages have been attacked. In March, we identified that one of these compromised third-party software packages was used to gain unauthorised access to some Vodafone Business code repositories. The impact of the attack was limited to access to source code, which was contained and investigated at the time. We did not identify any impact to customer personal data or production systems.
Generally we see that the most common root causes are exploitation of vulnerabilities and user account compromise. The pace of vulnerability exploitation post-release is rapid.

Looking Ahead

The threat landscape continues to be volatile across all sectors, with wide-ranging threat actors. Geopolitical instability, conflict and tensions are leading to an increase in cyber threats. Telecommunications companies continue to be the target of state-backed actors, often to conduct government-oriented or general espionage. Cross-industry and government collaboration is a key part of mitigating the evolving cyber threats.

Ransomware and data extortion attacks are common to companies of all sizes. We can see from public reporting that some companies are paying ransoms, perpetuating the threat. Attackers are increasingly trying to log in, rather than hack in. So-called Living off the Land attacks rely on the same techniques used to manage and access systems, which are used widely by everyone. Detection of these attacks is more challenging. Social engineering methods are a common means for attackers to gain access. New technologies such as AI are enhancing techniques such as voice phishing and deepfakes. Harvested credentials continue to be sought and shared by threat actors. Attackers can target executives following media announcements and public reporting. The speed of vulnerability exploitation is fast and common. We have seen continued attacks against our suppliers, and expect this trend to continue.

To respond to the heightened cyber threat landscape we are investing in further strengthening the security of our networks, cloud-based systems, AI, and detection and response capability. Governments are also responding to increasing cyber threats with new security regulations, recognising that telecommunications operators provide critical national infrastructure.
We engage with governments and industry partners to promote proportionate, risk-based and cost-effective solutions to security threats. We look to establish shared approaches to reinforce standardisation and regulatory frameworks that apply equally to all market participants. In the UK, we are implementing the provisions of the Telecommunications Security Act, which sets detailed security requirements for UK network operators and their suppliers. In Europe, we are implementing key provisions of NIS2 based on transposition of the directive into local laws. We are also responding to DORA requirements from our financial services customers. We continue to monitor future EU regulations and directives, including the forthcoming Cyber Resilience Act, which aims to ensure that all digital products and services fulfil basic security requirements, and the Cyber Security Act, which will impact how we manage suppliers and cross-EU certifications.

Particularly in Europe, governments, regulators and customers will expect companies to demonstrate control over where data is stored, who can access it and under which legal jurisdictions it is governed. This is referred to as sovereignty. There is a balance to be struck between national sovereignty and the ability to defend against global threats that do not respect borders. As new regulatory requirements evolve, we are well positioned with a pan-European and African security capability, including Europe-based security operations.

Technology evolution

We are adopting new technologies to better serve our customers and gain operational efficiency. For every technology programme we follow our Secure by Design process, evaluating suppliers’ hardware and software, modelling threats and understanding the risks before designing, implementing and testing the necessary security controls and procedures. Every new mobile network generation has brought increased performance and capability, along with new opportunities in security.
As we deploy 5G core networks alongside our 5G radio networks, often described as 5G Standalone, we have updated our security standards to implement the latest 5G features. Open RAN is a new way of building and managing radio access network (‘RAN’) components within telecommunication infrastructure. Instead of purchasing all the components from one supplier, we use hardware and software components from multiple vendors and integrate these via open interfaces. Over time, this will create a more competitive landscape for telecommunications equipment. We continue to collaborate with other players in the Open RAN ecosystem to improve security through the O-RAN Alliance and bi-annual benchmarking of vendors. We are expanding our Open RAN sites into Germany and increasing the speed of deployment through automation. The operation of the sites will be optimised by enabling power management and traffic steering that increase their performance and reduce operating cost. As satellite communications play an increasingly important role in our networks, we are embedding cyber security from the beginning. Satellites are used to connect base stations to the network where traditional connectivity is difficult or uneconomical, and direct to device to provide coverage where base stations cannot be deployed. These services are assessed and validated to confirm that they meet the security requirements set by standards groups and by our own policies and standards. We continue to prepare for a time when quantum computers able to break certain cryptography are available at scale. Governments have published recommendations for post-quantum cryptography migration for high priority use cases, and to complete migration by 2035. Through our joint research with IBM, we have developed a risk-based approach to mitigate the risks to our existing cryptography.
We are identifying where we are using cryptography that is potentially vulnerable to attack from quantum computers, defining supplier requirements and developing the ability to update our cryptography when new threats emerge. We have set up a long-term Quantum Safe programme and have planned migration activities in the next year in collaboration with our suppliers. We co-chair the telecommunications industry-wide task force on this issue. We are committed to Responsible AI – AI that is ethical, lawful, trustworthy and safe. Our AI requirements mandate risk assessment, design for transparency and absence of bias, and the right degree of human oversight of results. If the AI model could have a high impact on people, we require human input on the final decision.
Our cyber security approach seeks to balance the opportunities and security risks associated with AI. We work with strategic partners to use AI that is embedded into products. We apply governance and security controls to the use of AI proportionate to the associated risks, and monitor for emerging threats, including the misuse of AI by malicious actors. We enable our workforce to access AI through controlled access to LLMs from our technology partners. We provide training, including online sessions and self-help materials, to accelerate AI usage, while continuing to restrict access to public LLMs and reminding employees that confidential data must not be shared with public AI services. We are using AI to enhance our security. An example is augmenting our security operations capabilities using AI-enabled detection rules and AI-assisted compromise assessments. These will evolve towards agentic AI workflows and ultimately autonomous detection and response. |
| Cybersecurity Risk Management Processes Integrated [Flag] | true | ||||||||||||||||||||||||||||||
| Cybersecurity Risk Management Processes Integrated [Text Block] | Cyber security is increasingly integral to national security strategies. We collaborate with governments and national cyber security bodies, including the UK National Cyber Security Centre and the German Federal Office for Information Security, on topics such as sharing intelligence, engaging on emerging risks and contributing to collective resilience. The Cyber Director is an appointed member of the National Cyber Advisory Board in the UK. |
| Cybersecurity Risk Management Third Party Engaged [Flag] | true | ||||||||||||||||||||||||||||||
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true | ||||||||||||||||||||||||||||||
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | true | ||||||||||||||||||||||||||||||
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] | the cyber security incident could cause material impact. | ||||||||||||||||||||||||||||||
| Cybersecurity Risk Board of Directors Oversight [Text Block] | Board
The Group Audit and Risk Committee (‘ARC’) is the Board committee responsible for the oversight and effective governance of the Group’s management of cyber security risks. The Committee receives updates from Internal Audit throughout the year. The ARC reviews the risk tolerance, risk position and mitigating actions for the Group’s principal and emerging risks, including cyber threat. In addition, the Committee reviews cyber risk based on deep dive papers and presentations from the CTO and Cyber Director. The papers typically include threat landscape, incidents, security position, residual risk, strategy and programme progress across the Company. Cyber security is also discussed at the Board Technology Committee, which assists the Board by overseeing how technology underpins company strategy. |
| Cybersecurity Risk Role of Management [Text Block] | Risk management
Cyber attacks are part of the technology landscape today and will be in the future. All organisations, governments and people are subject to cyber attacks and some will be successful. The telecommunications industry is faced with a unique set of risks as we provide connectivity services and handle private communication data. A successful cyber attack could cause serious harm to our customers, including unavailability of services or a data breach leading to disclosure or misuse of customer personal data. The consequences could include, but are not limited to, exposure to contractual liability, litigation, regulatory action, or damage to the company’s reputation and brand and loss of market share. In the worst case, the cyber security incident could cause material impact. There is increasing regulatory focus on telecommunications providers to improve their cyber security practices. We are subject to GDPR and equivalent legislation in many countries in which we operate. In addition, there are local and regional laws and regulations which impact cyber security, for example the Telecommunications Security Act in the UK and Network & Information Security 2 (‘NIS2’) and the Digital Operational Resilience Act (‘DORA’) in the EU. A cyber incident may lead to regulatory fines and other enforcement activities if deemed to be due to inadequate security. Measures to meet these laws and regulations will also result in increased compliance costs. We dedicate significant resources to reducing cyber security risks; however, due to the nature of the threats, we cannot provide absolute security and some cyber security incidents will occur. Risk and threat management are fundamental to maintaining the security of our services across every aspect of our business. We separate cyber security risk into three main areas of risk.
External: A wide variety of attackers, including criminals and state-backed groups, target our networks, systems and people using a range of techniques. They seek to gain unauthorised access to steal or manipulate data or disrupt our services. Geopolitical factors also increase the threat of an external attack.
Insider: Our employees may accidentally leak information or maliciously misuse their privileges to steal confidential data or to cause disruption. In addition, external attacks increasingly resemble insider activity following credential theft. Agentic AI will further blur boundaries.
Supply chain: We use a range of third-party service providers to support our operations. Although we mandate security requirements contractually and undertake continuing oversight, a cyber incident affecting a supplier could cause services to be unavailable or enable a data breach to occur.
We conduct regular reviews of the most significant security risks affecting our business and develop strategies and policies to detect, prevent and respond to them. Our cyber security strategy focuses on minimising the risk of cyber incidents that affect our networks and services. When incidents do occur, we identify the root causes and use them to improve our controls and procedures. Cyber security risk is aligned with our global enterprise risk management framework. The most important risks to the company are referred to as principal risks, of which Cyber risk is one. The risk owner produces a formal line of sight document that describes the risk, the risk tolerance, current position against tolerance, controls and actions to move to tolerance if required. Second line assurance and third line audit information is also included in the document. The global Cyber and Information Security policy sets out overall objectives, roles and responsibilities that apply to all Vodafone-controlled entities. The policy is approved annually by the CTO.
Each underlying security area has a supporting global standard document that defines detailed control objectives. The global standards are underpinned by a layer of technical security standards which provide more detailed specifications to aid control implementation. Security controls and procedures define the requirements which allow our policies to be met. These controls and procedures are designed to prevent, detect or respond to threats. Most risks and threats are prevented from occurring, and we expect most of the remainder will be detected before they cause harm and need a response. We use a global methodology for cyber security risk management which we call the Cyber Health and Adaptive Risk Method or CHARM. The targeted goals of this approach include: Cyber Health: providing a continuous view of security based on automated key risk indicators (‘KRIs’); Adaptive: our framework responds to changing threats, technology evolution and regulation; and Risk Method: managing and quantifying risk to provide better decision-making and prioritisation. This approach is focused on risk and threats and underpinned by a structured control framework and common targets for control effectiveness across all our markets and entities. Effectiveness is based on the completeness of the control implementation and coverage of the relevant assets. Cyber security controls need to be continuously evolved and enhanced to mitigate risks and threats. Each year we set new annual targets; progress against the targets is monitored and reported quarterly to the senior leadership in each market and Group. We update our framework with changes, including any necessary new controls. The control framework will continue to evolve based on changing threats, technology developments, our strategic and business priorities, and regulation. To adapt to the changing threat landscape, we have defined threat and risk scenarios.
The threats and associated attack techniques are mapped to the controls that most significantly reduce risk, allowing gaps to be highlighted. We are in the process of automating the capture and reporting of KRI data from source systems. This reduces manual effort, is more timely and accurate, and provides stronger assurance of effectiveness. We plan to complete the automation of all controls for which KRIs can be defined over the next two years. We have created a risk quantification model based on threats, control effectiveness and incident data. We used this model with our internal insurance team to estimate losses in various scenarios as part of annual planning to obtain cyber insurance cover. We are exploring future use cases to increase the value we can obtain from the model. In addition to this top-down process of risk identification and mitigation, we identify individual cyber risks at the product or system level, for example through our Secure by Design process, operational activities, scanning and monitoring, or through an incident. Risks are evaluated on a common impact and likelihood scale, and mitigating actions are agreed and captured in a risk register. Any high risks identified through these processes require senior management oversight and agreement of mitigating actions. A dedicated technology assurance team reviews and validates the effectiveness of our cyber security controls, and our control environment is subject to regular internal audits. We test the security of our mobile networks annually using a specialist testing company, which also benchmarks our security against other telecommunications operators. This provides assurance that we are maintaining high standards and that our telecommunications controls are operating effectively. We have also appointed external specialists to perform testing on our security controls (‘red teaming’) to uncover any areas for improvement.
We maintain externally audited information security certifications, including ISO 27001, which cover our global technology function and 11 local markets. An additional market is currently undergoing recertification. Our markets also aim to comply with national information security requirements where applicable. All systems going live are independently penetration tested and regular follow-up testing is done on a risk basis. An internal team performs some of the testing, and we engage third party testers where appropriate. Across Vodafone, we complete over 1,000 penetration tests every year. As well as monitoring control effectiveness within Vodafone, we oversee the cyber security of our suppliers and third parties. Controls and procedures are embedded in the supplier lifecycle to set requirements, assess risk and monitor each supplier’s security performance. At supplier onboarding, minimum security requirements are written into contracts, and we determine the inherent risk of the supplier based on the service they are providing. We then assess their controls using a questionnaire to understand the residual risk, which informs the frequency of review from annual to every three years. We follow up on open actions and ensure any security incidents are tracked and managed.
Cyber insurance is an important part of our risk management and mitigation approach. Vodafone holds cyber liability insurance alongside business interruption and professional indemnity policies. Should a serious cyber event occur, we could recover the costs in whole or in part through these policies. |
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true | ||||||||||||||||||||||||||||||
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | The Chief Technology Officer (‘CTO’) and Chief Network Officer (‘CNO’) are the Executive Committee (‘ExCo’) members accountable for managing the risks associated with cyber threats and information security. The Cyber Security, IT Architecture, Data & Analytics and Technology Strategy (‘Cyber’) Director is responsible for managing and overseeing cyber security across Vodafone and reports to the CTO. |
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | We augment our internal capabilities with third-party specialist technical expertise, such as digital forensics, red teaming and penetration testing. We use specialist resources to perform testing of our telecommunications networks. We also use qualified external resources to help during the implementation of projects. Our scale means we benefit from global collaboration, technology sharing and deep expertise, and ultimately have greater visibility of emerging threats. An example would be our global security operations centre that takes inputs and telemetry from all markets where we operate to provide global visibility. |
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |