4 MANAGEMENT DISCUSSION AND ANALYSIS 69 Description Cybersecurity risks encompass the potential loss of confidentiality, integrity, or availability of critical information, data, and operational control systems. Such risks may materially impact our operational efficiency, service delivery reliability, regulatory compliance, reputation, and overall enterprise value. These risks are intrinsically linked to our expanding digital and IT footprint, ongoing digital transformation initiatives, and increasing reliance on interconnected systems, cloud platforms, and internet-based services. The rise in remote and hybrid working arrangements, together with greater offsite and third-party network access, further enlarges our attack surface. In addition, the accelerating adoption of AI and data-driven technologies introduces new categories of cyber risk. These include model manipulation and data poisoning, unauthorised access to AI systems, leakage of sensitive data through AI interfaces, adversarial attacks, overreliance on automated decision-making, and vulnerabilities within AI supply chains and open-source components. As AI becomes embedded within operational and decision-support workflows, any compromise may have amplified and systemic consequences. Any significant infrastructure failure, cyberattack, data breach, or AI-related system compromise could disrupt operational continuity, erode stakeholder trust, and expose the Group to financial and legal liabilities. This underscores the imperative for robust, forward-looking cybersecurity and AI governance measures to safeguard the Group’s assets, resilience, and long-term interests. R6 CYBERSECURITY RISK Context Mitigation Across the Group, technology is positioned not merely as an enabler, but as a structural driver of transformation. It underpins the productisation of proprietary solutions, the development of digital capabilities, optimisation of resources, cost efficiency, productivity gains, and differentiated service offerings that improve both customer and operational outcomes. As digital integration deepens, systems become more interconnected across cloud, on-premise, operational technology (OT), and third-party ecosystems. This increased connectivity expands the attack surface and heightens exposure to cyber threats, including targeted intrusions, supply chain vulnerabilities, cloud misconfigurations, insider risks, and prolonged service disruption across critical IT and OT environments. Furthermore, the integration of artificial intelligence into business workflows, analytics, and decision-support systems introduces additional risk vectors. These include unauthorised access to AI models, exposure of sensitive data through AI interfaces, manipulation of training data or model outputs, reliance on opaque algorithms, and vulnerabilities arising from external AI platforms or open-source dependencies. As AI capabilities scale across operational environments, the potential impact of compromise becomes more systemic and consequential. • Adopting a defence-in-depth and zero-trust approach to safeguard our expanding digital and AI landscape. • Implementing core controls including continuous threat detection and response across network, endpoint, cloud, and application layers, strong identity and access governance, proactive vulnerability management, secure configuration baselines, and regular penetration and adversarial testing. • Reinforcing cloud environments through posture management, encryption standards, and strict access controls. • Addressing AI-related risks through controlled access to AI systems, monitoring of AI usage and outputs, validation of data sources, structured model evaluations, and third-party risk assessments for external AI platforms and open-source components, with clear accountability established for AI-assisted decisions. • Conducting ongoing employee awareness programmes and phishing simulations, alongside continuous executive oversight, to ensure that cybersecurity and AI governance remain embedded within operational discipline and aligned to the Group’s risk appetite.
RkJQdWJsaXNoZXIy NDgzMzc=