What is Cyber Risk?
Cyber risk is the risk of loss from dependence on computer systems and digital technologies.
Cyber events and cyberattacks are among the top risks cited globally. Cyber risk is more likely to be realized with systemic ramifications than is operational risk generally. For example, if a cyber incident compromises a financial institution's data, the firm's ability to service creditors and counterparties might be impaired. Uncertainty about the nature and extent of an incident may prompt runs on counterparties, competitors, or unaffected segments of a firm's operations.
In 2019, the data of more than 100 million Capital One customers were accessed, after an attacker exploited a vulnerability in the firewall configuration of the bank's cloud-based infrastructure. A cyberattack that affects data at multiple large financial institutions could lead to a broad loss of confidence in the security of the financial sector.
In 2020, a nation-state actor inserted malware into a routine update of network management software sold by SolarWinds, a third-party vendor. SolarWinds customers, which included large financial institutions, were infected by the malware when they installed the software update. The attack opened a backdoor through which attackers could have exploited the customers' computer systems. While financial institutions do not appear to have been the intended targets, if they had been, the outcome for financial stability could have been much worse, as the attackers reportedly had access to the computer systems for some time.
G7 - FUNDAMENTAL ELEMENTS OF CYBERSECURITY FOR THE FINANCIAL SECTOR
Increasing in sophistication, frequency, and persistence, cyber risks are growing more dangerous and diverse, threatening to disrupt our interconnected global financial systems and the institutions that operate and support those systems.
To address these risks, the below nonbinding, high-level fundamental elements are designed for financial sector private and public entities to tailor to their specific operational and threat landscape, role in the sector, and legal and regulatory requirements.
The elements serve as the building blocks upon which an entity can design and implement its cybersecurity strategy and operating framework, informed by its approach to risk management and culture.
The elements also provide steps in a dynamic process through which the entity can systematically re-evaluate its cybersecurity strategy and framework as the operational and threat environment evolves. Public authorities within and across jurisdictions can use the elements as well to guide their public policy, regulatory, and supervisory efforts.
Working together, informed by these elements, private and public entities and public authorities can help bolster the overall cybersecurity and resiliency of the international financial system.
Element 1: Cybersecurity Strategy and Framework.
Establish and maintain a cybersecurity strategy and framework tailored to specific cyber risks and appropriately informed by international, national, and industry standards and guidelines. The purpose of a cybersecurity strategy and framework is to specify how to identify, manage, and reduce cyber risks effectively in an integrated and comprehensive manner.
Entities in the financial sector should establish cybersecurity strategies and frameworks tailored to their nature, size, complexity, risk profile, and culture.
Informed by the cyber threat and vulnerability landscape, a jurisdiction can also establish sector-wide cybersecurity strategies and frameworks that outline how cooperation occurs between entities and public authorities in the financial sector, with sectors upon which the financial sector depends, and with other relevant jurisdictions.
Element 2: Governance.
Define and facilitate performance of roles and responsibilities for personnel implementing, managing, and overseeing the effectiveness of the cybersecurity strategy and framework to ensure accountability; and provide adequate resources, appropriate authority, and access to the governing authority (e.g., board of directors or senior officials at public authorities).
Effective governance structures reinforce accountability by articulating clear responsibilities and lines of reporting and escalation. Effective governance also mediates competing objectives and fosters communication among operating units, information technology, risk, and control-related activities.
Consistent with their missions and strategies, boards of directors (or similar oversight bodies for public entities or authorities) should establish the cyber risk tolerance for their entities and oversee the design, implementation, and effectiveness of related cybersecurity programs.
Element 3: Risk and Control Assessment.
Identify functions, activities, products, and services—including interconnections, dependencies, and third parties—prioritize their relative importance, and assess their respective cyber risks.
Identify and implement controls—including systems, policies, procedures, and training—to protect against and manage those risks within the tolerance set by the governing authority.
Ideally as part of an enterprise risk management program, entities should evaluate the inherent cyber risk (or the risk absent any compensating controls) presented by the people, processes, technology, and underlying data that support each identified function, activity, product, and service.
Entities should then identify and assess the existence and effectiveness of controls to protect against the identified risk to arrive at the residual cyber risk. Protection mechanisms can include avoiding or eliminating risk by not engaging in an identified activity. They can also include mitigating the risk through controls or sharing or transferring the risk.
In addition to evaluating an entity’s own cyber risks from its functions, activities, products, and services, risk and control assessments should consider as appropriate any cyber risks the entity presents to others and the financial sector as a whole.
Public authorities should map critical economic functions in their financial systems as part of their risk and control assessments to identify single points of failure and concentration risk. The sector’s critical economic functions range from deposit taking, lending, and payments to trading, clearing, settlement, and custody.
Element 4: Monitoring.
Establish systematic monitoring processes to rapidly detect cyber incidents and periodically evaluate the effectiveness of identified controls, including through network monitoring, testing, audits, and exercises.
Effective monitoring helps entities adhere to established risk tolerances and timely enhance or remediate weaknesses in existing controls. Testing and auditing protocols provide essential assurance mechanisms for entities and public authorities alike.
Depending on the nature of an entity and its cyber risk profile and control environment, the testing and auditing functions should be appropriately independent from the personnel responsible for implementing and managing the cybersecurity program.
Through examinations, on-site and other supervisory mechanisms, comparative analysis of entities’ testing results, and joint public-private exercises, public authorities can better understand sector-wide cyber threats and vulnerabilities, as well as individual entities’ relative risk profiles and capabilities.
Element 5: Response.
(a) assess the nature, scope, and impact of a cyber incident;
(b) contain the incident and mitigate its impact;
(c) notify internal and external stakeholders (such as law enforcement, regulators, and other public authorities, as well as shareholders, third-party service providers, and customers as appropriate); and
(d) coordinate joint response activities as needed.
As part of their risk and control assessments, entities should implement incident response policies and other controls to facilitate effective incident response.
Among other things, these controls should clearly address decision-making responsibilities, define escalation procedures, and establish processes for communicating with internal and external stakeholders. Exercising protocols within and among entities and public authorities contributes to more effective responses. Exercising also enables entities and public authorities to identify how potential decisions could affect each other’s ability to maintain critical and other functions, services, and activities.
Element 6: Recovery.
Resume operations responsibly, while allowing for continued remediation, including by:
(a) eliminating harmful remnants of the incident;
(b) restoring systems and data to normal and confirming normal state;
(c) identifying and mitigating all vulnerabilities that were exploited;
(d) remediating vulnerabilities to prevent similar incidents; and
(e) communicating appropriately internally and externally.
Once operational stability and integrity are assured, prompt and effective recovery of operations should be based on prioritization of critical economic and other functions and in accordance with objectives set by the relevant public authorities.
Maintaining trust and confidence in the financial sector significantly improves when entities and public authorities have the ability to mutually assist each other in the resumption and recovery of critical functions, processes, and activities. Therefore, before an incident occurs, establishing and testing contingency plans for essential activities and key processes, such as funding, can contribute to a faster and more effective recovery.
Element 7: Information Sharing.
Engage in the timely sharing of reliable, actionable cybersecurity information with internal and external stakeholders (including entities and public authorities within and outside the financial sector) on threats, vulnerabilities, incidents, and responses to enhance defenses, limit damage, increase situational awareness, and broaden learning.
Sharing technical information, such as threat indicators or details on how vulnerabilities were exploited, allows entities to remain up-to-date in their defenses and learn about emerging methods used by attackers.
Sharing broader insights among entities, between entities and public authorities, and among public authorities deepens collective understanding of how attackers may exploit sector-wide vulnerabilities that could potentially disrupt critical economic functions and endanger financial stability. Given its importance, entities and public authorities should identify and address impediments to information sharing.
Element 8: Continuous Learning.
Review the cybersecurity strategy and framework regularly and when events warrant—including its governance, risk and control assessment, monitoring, response, recovery, and information sharing components—to address changes in cyber risks, allocate resources, identify and remediate gaps, and incorporate lessons learned.
Cyber threats and vulnerabilities evolve rapidly, as do best practices and technical standards to address them.
The composition of the financial sector also changes over time, as new types of entities, products, and services emerge, and third-party service providers are increasingly relied upon. Entity-specific, as well as sector-wide, cybersecurity strategies and frameworks need periodic review and update to adapt to changes in the threat and control environment, enhance user awareness, and to effectively deploy resources.
Other sectors, such as energy and telecommunications, present external dependencies; therefore, entities and public authorities should consider developments in these sectors as part of any review process.
Cyber-resilience: Range of practices, Basel Committee on Banking Supervision
General landscape: Most supervisors leverage previously developed national or international standards – principally the NIST framework, ISO 27000 series and CPMI - IOSCO guidance for cyber-resilience of financial market infrastructures. Published and unpublished supervisory practices converge in some areas, eg governance, testing, information-sharing between banks and regulators, and management of outsourcing arrangements. Despite convergence in high level expectations, the technical specifications and supervisory practices differ across jurisdictions. While this diversity of approaches may result in a complex and somewhat fragmented international regulatory landscape, it may also merely reflect actual differences in BCBS members’ legal frameworks and degree of digitalisation.
Strategy: While regulators generally do not require a specific cyber strategy, all expect institutions to maintain adequate capability in this area as part of their global strategies. Cyber-risks pose growing, evolving and unique challenges to institutions and supervisors that require dedicated attention and resourcing. Regulators expect that institutions will minimise their cyber exposure through ensuring that systems are “secure-by-design” and that emphasis is placed on resilience in light of current threats rather than compliance to a standard.
Cyber-risk management: In most jurisdictions, broader IT and operational risk management practices are quite mature and are used to address cyber-risk and supervise cyber-resilience. In particular, jurisdictions expect banks to have a strategy and framework to comprehensively map and actively manage their IT system architecture. Banks nonetheless generally still lack a cyber-strategy that defines clear tolerance and appetite levels for cyber-risk and that has been approved and adequately challenged at board level.
Governance/organisation: Although management models such as the three lines of defence (3LD) model are widely adopted, cyber-resilience is not always clearly articulated across the technical, business and strategic lines. This confusion in roles and responsibilities hampers the effectiveness of the 3LD model.
Workforce: Skills shortage leads to recruitment challenges. Most existing IT frameworks and governance regulations generally provide broadly convergent requirements for cyber-related functions, but the skills shortage remains a challenge. A few jurisdictions have implemented or leveraged specific cyber-certifications to address this.
Testing: Protection and detection testing is evolving and prevalent; response and recovery less so. Incident response and recovery testing is typically done through tabletop exercises, and broader continuity testing.
Incident response capabilities: Although an incident management framework is not required, incident response plans are. Supervisors in all jurisdictions expect banks to prepare an incident response plan to deal with material cyber-incidents. Most supervisors expect banks to classify their information assets and services according to their operational sensitivity and business criticality.
Assessment metrics: Although some forward-looking indicators of cyber-resilience are being picked up through the most widespread supervisory practices, no standard set of metrics has emerged yet. This makes it more difficult for supervisors and banks to articulate and engage on cyber-resilience.
Information-sharing: Most observed information-sharing mechanisms involve bank-to-bank and bank-to-regulator communications, with the former being mostly done on a voluntary basis. Despite common features, the content and use of information collected or shared by banks and supervisors varies widely across jurisdictions. Other types of information-sharing – especially regulator-to-regulator, domestically and cross-border – are less documented or systematic, but do take place on ad hoc and bilateral bases. Although the sharing of information among regulators can use existing channels – such as memoranda of understanding and supervisory colleges – the speed, latitude, security and fluidity of communications required to cope with a cross-border cyber-incident has led a few jurisdictions to take specific formal steps in this area.
Third-party risk: Regulatory frameworks for outsourcing activities across jurisdictions are quite established and share substantial commonalities. Supervisors are using these frameworks to spell out expectations with regard to their banks’ management of third party dependencies. However, there is no common approach regarding third parties beyond outsourced services, which implies different scopes of regulation and supervisory actions. While third parties may provide cost-effective solutions to increase resilience levels, the onus remains on the banks to demonstrate adequate understanding and active management of the third-party dependencies and concentration across the value chain. A balanced accountability model remains to be found, especially in the case of third parties not subject to banking supervision prerogatives.
In March 2017, the G20 Finance Ministers and Central Bank Governors noted that “the malicious use of information and communication technologies (ICT) could disrupt financial services crucial to both national and international financial systems, undermine security and confidence, and endanger financial stability”.
Regulated institutions’ use of technology includes greater levels of automation and integration with third-party service providers and customers. This results in an attack surface that is growing and is accessible from anywhere, and it incentivises cyber-adversaries to increase their capabilities. Increased use of third-party providers means that the perimeter of interest to financial sector regulators has gotten bigger, and greater use of cloud services means that the perimeter is also shared. Shared service models require regulated institutions to think differently about how they build and maintain their cyber-resilience in partnership with third parties.
Given the increase in the frequency, severity and sophistication of cyber-incidents in recent years, a number of legislative, regulatory and supervisory initiatives have been taken to increase cyber-resilience. At the international level, the G7 issued Fundamental Elements of Cyber-security for the financial sector, and the Committee on Payments and Market Infrastructures (CPMI) issued, jointly with the International Organization of Securities Commissions (IOSCO), guidance on cyber-resilience for financial market infrastructures (FMIs) in June 2016.
Against this backdrop, the Basel Committee on Banking Supervision (BCBS) recognised the merits of approaching operational resilience beyond the purview of operational risk management and minimum capital requirements, and established the Operational Resilience Working Group (ORG) with the intention of contributing to, inter alia, the international effort related to cyber-risk in close coordination with the other international bodies involved. The Committee therefore requested that the ORG provide this first assessment of observed cyber-resilience practices at authorities and firms.
Cyber-risk awareness culture
An awareness of cyber-risk by staff at individual banks and a common risk culture across the banking industry are prerequisites for maintaining cyber-resilience within the sector. Regulators in most jurisdictions have published guidance emphasising the importance of risk awareness and risk culture for staff and management at all levels, including BoDs and third-party employees. Regulatory requirements include increasing cyber-security awareness and cyber-related staffing at regulated entities. In some jurisdictions, regulators require cyber-security awareness training during each phase of the employment process, from recruitment to termination.
Regulated entities may be required to include non-disclosure clauses within staff agreements. To mitigate insider threats, some jurisdictions require new employees to complete a screening and background verification process, while existing employees undergo a mandatory reverification process at regular intervals. In some jurisdictions, regulators assess whether banks have robust processes and controls in place to ensure their employees, contractors and third-party vendors understand their responsibilities, are suitable for their roles and have the requisite skills to reduce the risk of theft, fraud or misuse of facilities.
The majority of the regulators encourage the development of a common risk culture sufficient to ensure effective cyber-risk management. In some jurisdictions, regulators assess each bank’s cyber-risk appetite, considering such factors as the bank’s business model, core business strategy and key technologies. Some jurisdictions view cyber-security as a critical business function, since a cyber-attack could lead to the insolvency of individual entities or even to widespread disruption of the entire sector.
Sharing from banks to regulators
The sharing of cyber-security information from a bank to its regulator(s)/supervisor(s) is generally limited to cyber-incidents based on regulatory reporting requirements. Such requirements are mainly established to:
(i) enable systemic risk monitoring of the financial industry by regulator(s);
(ii) enhance regulatory requirements or issue recommendations by regulator(s) to adjust policies and strategies based on information collected;
(iii) allow appropriate oversight of incident resolution by regulator(s); and
(iv) facilitate further sharing of information with industry and regulators to develop a cyber-risk response framework.
Reporting requirements are established by different authorities for specific purposes depending on their mandate (eg supervisory and regulatory functions, consumer protection and further distribution of information to national cyber-security agencies for systemic operators).
Incident reporting by banks to regulator(s) is a mandatory requirement in many jurisdictions, with different scopes of requirements and ranges of application. For jurisdictions already enforcing the requirement in the past, the reporting obligation has a broader operational incident scope, including cyber-incidents.
The perimeter can include all supervised institutions but is more often limited to systemically important institutions. Nearly all institutions regulated in the EU are required to report cyber-security incidents to the competent authorities. The requirements stem from supervisory frameworks (such as the Single Supervisory Mechanism (SSM) cyber-incident reporting framework), EU directives (PSD2, NIS) and local law. Some requirements also include the obligation to submit a root cause analysis for the incident, or a full post-mortem or lessons learnt after the incident.
Different scopes and perimeters may depend on the type of authority (eg supervisors, regulators, national security) and their mandate (ie national cyber-security agencies, consumer protection, banking supervision, etc), sector(s) involved (eg multisector or specific: banks, significant banks, systemic operators, payment) and geographical range (eg national, multiregional).
While many of the supervisors focus only on reporting and tracking incidents that have already taken place, some require proactive monitoring and tracking of potential cyber-threats because concerns about reputational risk may lead to a delay in incident reporting by the regulated entity. Based on these considerations, different reporting frameworks are also observed. These range from formal communications to informal communications (eg free-text updates via email or verbal updates over the phone).
Differences are noted in:
(i) taxonomy for reporting;
(ii) reporting time frame (immediately, after two hours, after four hours and after 72 hours are examples of practices observed);
(iii) templates; and
(iv) threshold to trigger an incident reporting.
These differences highlight the fragmentation issue facing the banks operating in multiple jurisdictions or supervised by different authorities, as these banks are likely to be obliged to fill in various templates with different taxonomy, reporting time frame and threshold. This may increase their regulatory burden, consuming significant resources to ensure compliance. It may be possible for an authority with multiple functions to receive from a bank multiple reports with distinct formats for multiple times.
All incident reporting processes have a single direction flow, by a bank to an authority, although an informal flow back can be used for alerting firms in case of an incoming threat. By normalising the prompt exchange of information between banks and supervisors, reciprocal flow mechanisms can help remove the possible stigma associated with incident reporting by banks, thereby fostering effective and timely incident reporting.
Learning from the Annual Reports
Cyber risk, important parts from the 2021 Annual Report, Vodafone Group Plc
Our purpose is to enable connectivity in society and as a provider of critical national infrastructure we recognise the importance of cyber and information security. No organisation, government or person will ever be fully immune to cyber-attacks; however, the telecommunications industry is faced with a unique set of risks as we provide connectivity services and handle private communication data.
Our networks connect millions of people, homes, businesses and things to each other and the internet. The security of our networks, systems and customers is a top priority and a fundamental part of our purpose. Our customers use Vodafone products and services because of our next-generation connectivity, but also because they trust that their information is secure.
Identification of vulnerabilities & risks
Cyber security is a principal risk. We recognise that if not managed effectively, there could be major customer, financial, reputation or regulatory impacts. Risk and threat management are fundamental to maintaining the security of our services across every aspect of our business. We separate cyber security risk into three main areas of risk:
– External: Attackers and criminals targeting our systems, networks, or people to conduct malicious attacks;
– Insider: Accidental leakage of information or malicious misuse of access privileges by our employees; and
– Supply chain: A supplier is breached or used as a conduit to gain access to our systems, data or people.
To help us identify and manage emerging and evolving risks, we constantly evaluate and challenge our business strategy, new technologies, government policies and regulation, and cyber threats. We conduct regular reviews of the most significant security risks affecting our business and develop strategies to detect, prevent and respond to them. Our cyber security approach focuses on minimising the risk of cyber incidents that affect our networks and services.
Understanding the threat landscape is key to managing cyber risk. Over the course of the year, two of the biggest cyber security threats faced by all organisations significantly increased – phishing and ransomware attacks.
Cyber criminals exploited the emotion and uncertainty associated with the pandemic to deceive users into engaging with malicious emails or pay a sum of money to regain access to systems. Cyber criminals also increasingly targeted smaller suppliers to large organisations as a way to more easily compromise their targets.
Organisations across all industries also continued to experience other forms of threats, such as sophisticated espionage attempts and the exploitation of unpatched vulnerabilities.
Controls can prevent, detect or respond to risks. Most risks and threats are prevented from occurring and most will be detected before they cause harm and need a response. A small minority will need recovery actions.
We use a common global framework called the Cyber Security Baseline and it is mandatory across the entire Group. The baseline includes key security controls which significantly reduce cyber security risk, by preventing, detecting or responding to events and attacks. Our framework was initially developed based on an international standard mapped to our key risks in the way that provides the most comprehensive protection. Each year, we review the framework in the light of changing threats and create new or enhanced controls to counter these threats.
A dedicated assurance team reviews and validates the effectiveness of our security controls, and our control environment is subject to regular internal audit. The security of our global networks is also independently tested every year to assure we are maintaining the highest standards and our controls are operating effectively.
We maintain independently audited information security certifications, including ISO 27001, which cover our global technology function and 15 local markets. We also comply with local requirements or certifications and actively contribute to consultations and debates with regard to laws and regulations that aim to improve and assure the security of communications networks.
We adopt new technologies to better serve our customers and gain operational efficiency. For every technology programme, new or existing, we follow our Security by Design process, evaluating suppliers’ hardware and software, modelling threats and understanding the risks before designing and implementing the necessary security controls and testing them.
Every new mobile network generation has brought increased performance and capability, along with new opportunities in security. 5G improves existing security, with additional protection against threats such as location tracking, call or message interception and modification of network traffic. Similarly, 5G includes enhanced features to protect signalling between different operators’ networks, which helps prevent tracking or interception while roaming. Vodafone is working at pace to embed these new security features into our 5G network deployments. Getting the right security by design across all operators is vital as 5G and other mobile technologies will connect billions of devices.
Vodafone has helped establish the GSMA IoT Security Guidelines, and the accompanying self-assessment scheme. Where we work with partners or third parties to build and deploy IoT solutions, we also advocate the approach co-developed between Vodafone and Consumers International, as seen in their publication of the Consumer IoT Trust by Design Guidelines.
We also track and monitor potential future threats to our networks, systems and customers, such as quantum computing and its effect on encryption. While such a risk is not specific to Vodafone, we have started work to address the potential negative effects and maintain a robust level of encryption that is quantum safe within our network and systems.
We have implemented an operating model based on the leading industry security standards published by the US Department of Commerce, specifically the National Institute of Standards and Technology. We have an international team of over 800 employees who are focused on constantly monitoring, protecting and defending our systems and our customers’ data.
We also work with third-party experts and consultants, to maintain specialist skills and continue to follow leading practice. Our scale means we benefit from global collaboration, technology sharing, deep expertise and ultimately have greater visibility of emerging threats. Although the Cyber team leads on detect, respond and recover, preventative and protective controls are embedded across all of our technology and throughout the entire business.
Every employee has responsibility for cyber security and must follow the Vodafone Cyber Code, be sensitive to threats and report suspicious activity. Embedded in our Code of Conduct, the Cyber Code is the cornerstone of how we expect all employees to behave when it comes to best practice in cyber security. It consists of seven areas where employees need to follow security good practice.
Our cyber security awareness programme is delivered digitally via our internal social media platform, videos and webinars. In addition, we perform regular phishing simulations to raise awareness and train employees. In the last year we sent 161,000 simulated phishing emails across 23 markets and Group functions, and employee reporting improved during 2020.
We have also performed incident simulations for the senior management team in all markets and the main Group functions. These simulations allowed the CEOs and their teams to experience what a real incident is like and exercise their responsibilities, as well as identifying areas for improvement in internal processes.
As a global connectivity provider, we are subject to cyber threats, which we work to identify, block and mitigate with our robust control environment without any impact. Where a security incident occurs, we have a consistent incident management framework and an experienced team to manage our response. The focus of our incident responders is always fast risk mitigation and customer security.
We actively engage with stakeholders, including academic institutions, industry and government, in order to protect Vodafone, respond to cyber threats and work together to share best practice. Given our expertise and extensive experience, we also engage with a wide range of organisations to help improve the understanding of cyber security thinking and practice, and contribute to public policy, technical standards, information sharing and analysis, risk assessment, and governance.
In the event of a cyber breach, disclosure is made in line with local regulations and laws, and based on a risk assessment considering customers, law enforcement, relevant authorities and our external auditor. The European Union’s General Data Protection Regulation (‘GDPR’) provides a framework for notifying customers in the event there is a loss of customer data as a result of a data breach and this framework is a baseline across all our markets.
Vodafone holds cyber liability and professional indemnity insurance policies and these policies may cover the costs of an information security breach, in whole or in part.
In December 2020, ho. Mobile, a second brand in Italy, suffered a data breach and part of a database holding customer data was accessed by a third-party; no financial information, passwords, or mobile traffic data relating to calls, texts or web activity was involved.
We utilised our existing global incident management framework. Ho. Mobile took a proactive approach and immediately informed affected customers and regulators, enhanced security protections, remotely reissued SIM serial numbers to prevent any misuse, and offered free replacement SIMs to the entire customer base. Ho. Mobile also notified local law enforcement and made the required disclosures to the Italian Data Protection Authority. Ho. Mobile uses distinct and separate IT systems to Vodafone Italy and the rest of the Vodafone Group.
Vodafone classifies security incidents according to severity, measured by business and customer impact. The highest severity category corresponds to a significant data breach or loss of service caused by the incident. In the past financial year, the only such incident was the ho. Mobile incident discussed above.