G-Company-specific: cybersecurity
Geopolitical tensions, growing interconnectedness, and new threats in the digital world are posing complex challenges for cybersecurity. We are responding to these with a holistic Group Security Strategy covering six principal action areas: workers, geopolitics, crime, regulation, technology, and the environment. On this basis we define specific measures to manage a variety of risks, which range from fake news and cyberattacks to power outages and targeted attacks on critical infrastructure.
The following index shows the main disclosure requirements for the company-specific topic of cybersecurity identified in the materiality assessment.
ESRS index under ESRS 2 IRO-2

| Disclosure requirement | Name with reference |
|---|---|
| G-Company-specific: cybersecurity | |
| ESRS 2 SBM-3 | Material impacts, risks, and opportunities and their interaction with strategy and business model |
| G-Company-specific | Policies related to cybersecurity |
| G-Company-specific | Actions and resources in relation to cybersecurity |
| G-Company-specific | Targets related to cybersecurity |
Strategy
ESRS 2 SBM-3 G-Company-specific – Material impacts, risks, and opportunities and their interaction with strategy and business model
In our double materiality assessment, we considered possible impacts, risks, and opportunities in relation to cybersecurity.
The following overview illustrates Deutsche Telekom’s material risks and their financial effects on our financial position, financial performance, and cash flows.
For further information on risks and opportunities that represent a top risk or top opportunity in the next two years, please refer to the section “Risk and opportunity management.”
| Value chain | Risk/opportunity | Description |
|---|---|---|
| Cybersecurity | | |
| Own business activities and downstream | Risk | The advances in digitalization and the growing sophistication of technological systems pose growing challenges for data security. Overcoming these challenges requires not only technical and organizational resources, but also continuous innovation. This in turn can cause costs to rise. |
Impact, risk, and opportunity management
G-Company-specific – Policies related to cybersecurity
We put a security organization in place at both corporate headquarters and in all Group units based on our Security Strategy and its six action areas. Our strategy for managing cybersecurity risks is incorporated into the risk management system and the related governance structures, Group rules and regulations, and processes.
To ensure a high level of security for our customers and employees, as well as our products and services, we (excluding T‑Mobile US) rolled out the Group Security Policy based on the requirements of ISO 27001. The Policy lays down Deutsche Telekom’s essential requirements in relation to the following security dimensions: people; information; technology and products; buildings and infrastructure; property and assets; and business continuity. It also describes the following ten security principles:
- Lawful conduct
- Protection of personal data
- Customer trust
- Security culture
- Transparent and active responsibility
- Protect and share
- Leading security
- Appropriateness and profitability
- Value creation from integrated security
- International security standards
The Group Security Policy is communicated to all employees and is additionally available to all units in the policy databases. The management team from each business unit formally introduces the requirements set out in the Policy and makes compliance with these obligatory. Corporate headquarters oversees the mandatory introduction and communication of these requirements and reviews the status of implementation in the units. As ultimate responsibility for cybersecurity rests with the Product and Technology Board of Management department, the Group Security Policy is also within its remit. The Policy includes a set of controls in which the requirements are fleshed out and control levels are defined. The Security Policy and the control set are regularly reviewed and updated as required.
T‑Mobile US has its own security policy, which is regularly reviewed to adapt to the evolving risks and strengthen overall security. At T‑Mobile US the cybersecurity approach is also integrated into the risk management system and the corresponding processes. At T‑Mobile US, risks related to T‑Mobile US’ information security programs, including cybersecurity, are overseen at Board level of the company by the Nominating, Corporate Governance, and Compliance Committee.
G-Company-specific – Actions and resources in relation to cybersecurity
To fend off cyberattacks and protect our infrastructure as well as our customers’ data, we are constantly developing new processes and continuously improving our sensor technology. Our Cyber Defense Center monitors the security of the Group worldwide (excluding T‑Mobile US) with the help of internationally oriented Cyber Security Incident Management and also offers services for business customers. In our Security Operations Centers (SOCs), we keep an eye on the security situation for ourselves and our customers 24 hours a day. With the help of artificial intelligence (AI), our security specialists evaluate security-related data in real time, detect attacks straight away, and avert them. All alerts registered at these centers are handled in a multi-stage process and escalated, if necessary, all the way to our Cyber Emergency Response Team (CERT). CERT also develops mechanisms to detect attacks on internally and externally accessible systems at an early stage. At the same time, our threat intelligence team analyzes how the perpetrators proceeded and exchanges the latest scientific findings. T‑Mobile US has established a similar process with their Cyber Incident Response Team (CIRT). CIRT is continuously working to investigate and respond to confirmed, suspected, or potentially serious cybersecurity incidents.
As an additional tool, Deutsche Telekom offers rewards to external security experts who identify vulnerabilities and report them to us. This “bug bounty program” helps to identify potential risks at an early stage and to prevent security incidents.
In software development, we (excluding T‑Mobile US) use the Privacy and Security Assessment (PSA) process to incorporate data protection and IT security requirements from the outset. The PSA testing process, which is now completely digital, is designed to ensure a uniformly high level of security and data privacy. T‑Mobile US has also incorporated controls throughout its product development pipeline to improve security as it enhances new products and brings them to market.
We provide our employees with a variety of context-specific tools to protect our systems and data. For example, we specifically developed innovative smart cards for the all-important topic of multi-factor authentication. As carriers of electronic identities through the encryption and signing of information in the form of certificates and associated key material, these cards enable electronic access to our buildings via a wireless interface in addition to contact-based login on company devices. For other areas, modern authentication apps are installed on employees’ smartphones. Our goal is to gradually implement a zero-trust model that requires authentication, authorization, and validation any time company resources are accessed.
Our employees are required to take part in regular cybersecurity training, supplemented by short courses and awareness campaigns tailored to specific target groups. Content ranges from identifying phishing attempts and deepfakes to safe use of digital technologies. To raise awareness, we also use innovative learning formats that are periodically refined and promoted in internal communication campaigns throughout the Group.
Adopting a hybrid zero trust model has been key to implementing T‑Mobile US’s cybersecurity strategy. Across the workforce, T‑Mobile US rolled out enhanced multi-factor authentication to better verify user identities and help prevent unauthorized credential use by bad actors. T‑Mobile US also deployed role-based controls to provide secure and direct access to applications and resources. Taking it one step further, T‑Mobile US partners with CLEAR, a company specializing in identity verification and certified by the U.S. Department of Homeland Security, to transition to “passwordless” authentication so employees can more easily verify their identities to gain access to resources while also reducing phishing attempts.
Deutsche Telekom continuously invests in enhancing its cybersecurity program. In so doing, we adhere to public standards and share best practices with industry and government representatives in order to jointly combat cyber threats.
All actions described in this topical standard for mitigating cybersecurity risks are ongoing and have no fixed end date.
Targets
G-Company-specific – Targets related to cybersecurity
We review the effectiveness of our policies and actions related to cybersecurity through the security systems and features described in detail in this topical standard. We aim to manage cybersecurity risks appropriately by continuously honing our skills and technologies. Over and above this, we have not defined any specific time-bound or outcome-based targets that apply to the entire Group.