Data security is a high-priority material topic
Data security
Data security underpins trust in Africa’s digital future
As Africa’s digital economy accelerates, trust is the foundation that enables growth. Millions of customers rely on our networks, platforms and mobile money services every day. Protecting their information and ensuring the resilience of our systems is therefore not only a technical priority, but a strategic responsibility that underpins financial inclusion, enterprise growth and national development across our 14 markets.
Focus areas
Confidentiality
We protect customer, employee and partner information from unauthorised access through robust identity management, encryption, monitoring and layered security controls.
Integrity
We safeguard the accuracy and reliability of our systems and data, preventing unauthorised modification while maintaining visibility and rapid response capability.
Availability
We ensure our networks, platforms and services remain resilient and accessible, supported by business continuity planning and proactive infrastructure protection.
GRI framework
GRI 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data
Greater connectivity and rising mobile money usage bring enormous opportunity – but also expose customers and businesses to increasingly sophisticated cyber risks. AI-enabled fraud, ransomware, SIM-swap attacks and smishing are reshaping the threat landscape, while regulatory expectations around data privacy and retention continue to strengthen across our markets.
Against this backdrop, we see data security as a strategic enabler of trust. It protects our customers' data and money, and it underpins the resilience of national digital infrastructure. Our approach combines strong governance, internationally recognised standards, layered technical controls and a culture of shared accountability – ensuring that innovation and growth are matched by rigorous risk management.

Our commitment to data security and privacy underpins the trust placed in us by customers, partners and regulators. We continually strengthen our security frameworks, proactively manage evolving risks and uphold rigorous standards to safeguard information and protect the integrity of our operations.
Prashant Nair
Chief information security officer
Our approach to managing data security
We manage data security through a structured Group-wide framework that combines governance, risk management, technology, culture and independent assurance. Security is embedded into our operating model and aligned to international best practice, ensuring consistent standards across all 14 operating companies (OpCos) while meeting local regulatory requirements.
Our data protection and privacy policy and standards
Our data protection and privacy policy sets out our commitment to fair, lawful and transparent processing of personal data. It applies to all subsidiaries and aligns with GDPR principles, covering accountability, data minimisation, privacy by design, consent management and data retention.
The policy governs how we collect, use and protect personal data for our customers, employees, suppliers and website users, setting out clear rights and mechanisms for raising concerns. Every subsidiary maintains a local data privacy policy for its jurisdiction.
In 2025/26, we refreshed our data retention schedule and embedded data privacy as a dedicated domain within our ISO 27001 review processes. We also conducted privacy impact assessments (PIAs) and data protection impact assessments (DPIAs) on critical applications.
Our integrated management systems are certified to ISO 27001:2022 and ISO 22301:2019, providing a disciplined foundation for risk management, resilience testing and continual improvement.
- For more information about our data protection and privacy policy statement, see www.airtel.africa/esg-policies
Risk management and control of the environment
Our risk management framework anticipates, detects and mitigates evolving threats across our networks, mobile money platforms and third-party ecosystems.
We operate a defence-in-depth model spanning identity and access management, network and perimeter security, application-layer controls, endpoint protection and real-time monitoring. During the year, we strengthened cloud-based distributed denial-of-service (DDoS) protection across all OpCos, migrated from legacy proxy environments to next-generation web proxy solutions, enhanced deep network visibility and expanded endpoint detection and response (EDR) capabilities across user devices and critical servers. Active directory monitoring and privileged access oversight were also enhanced to strengthen identity governance.
We conducted 5,526 external penetration tests during the year alongside structured internal testing. These assessments contributed to measurable reductions in threat exposure and strengthened remediation discipline.
We matured third-party risk management by completing a vendor categorisation exercise, strengthening contractual oversight, introducing assurance requirements for critical suppliers and reinforcing offboarding controls to ensure timely removal of access rights.
Training and awareness
People are as important as technology in keeping our systems secure. Data protection and privacy training is mandatory for all employees. Cybersecurity and data privacy training remain a core component of our mandatory learning programmes. All employees are required to complete annual training covering information security, data protection, privacy principles and secure handling of data, ensuring they understand their role in safeguarding our networks, systems and customer information.
In 2025/26, we maintained 100% completion of all mandatory data security and cybersecurity training modules across the organisation. This training is reinforced through ongoing awareness initiatives, including phishing simulations, targeted communications and Group-wide campaigns, helping to embed a strong culture of shared accountability for data protection.
We extended training to third-party vendors and developed a Board awareness programme aligned to UK National Cyber Security Centre (NCSC) principles, ensuring leadership oversight is well-informed and active.
In April 2025, we ran an immersive ransomware simulation with ExCo at Group headquarters. The exercise tested incident response, cross-functional coordination and executive readiness – clarifying roles and strengthening accountability. We’ll roll out similar exercises across our top six OpCos in the coming months. Cybersecurity insurance was also renewed with enhanced coverage.
We also launched a structured customer awareness programme in May 2025. GSM customers received SMS advisories and Airtel Money users were engaged via in-app notifications covering phishing, fraud and digital threats. This has now been established as a monthly programme and is helping to strengthen digital resilience and trust across the communities we serve.
Artificial intelligence (AI) and responsible innovation
At Airtel Africa, AI and digital solutions are transforming customer experience and operational efficiency in a secure, ethical and transparent manner. AI is embedded across the business to enable simpler, faster and more personalised interactions while streamlining core operations.
AI capabilities analyse large volumes of network, usage and service data to anticipate customer needs, reduce friction and enable proactive service. This is reflected in personalised offers, smarter routing and automated assistance, improving satisfaction, reducing wait times and optimising costs. Business processes are being digitally re-engineered to support faster, data-driven decision-making.
Responsible adoption is guided by defined AI governance principles, ensuring outputs are accurate, explainable and traceable. Employees are required to use approved tools, maintain confidentiality and follow data protection standards.
AI-related risks are managed through governance, security controls and monitoring, while AI-driven detection strengthens protection against spam, fraud and suspicious activity, ensuring secure, reliable services and sustained stakeholder value.
Operational resilience
Operational resilience is central to serving customers reliably – especially the millions who depend on Airtel Money for everyday financial transactions.
In 2025/26, we harmonised recovery objectives across OpCos, enhanced data centre security standards, introduced structured recovery handbooks and conducted monthly disaster recovery drills and annual tabletop exercises.
Governance
Strong governance ensures accountability at every level of the organisation.
Group-level governance
The ARC oversees our data protection programme and approves policy updates. The Executive Risk Committee, chaired by the CEO, oversees cybersecurity risks. Both the chief compliance officer (CCO) and the chief information security officer (CISO) report formally to these committees, ensuring clear accountability from Board level through to OpCo teams.
Monthly security reviews and Key Risk Indicator (KRI) dashboards strengthen executive visibility, with formalised escalation pathways to OpCo managing directors.
OpCo-level governance
Each OpCo has a dedicated information security and business continuity working group, chaired by the managing director, responsible for implementing Group standards, monitoring remediation and ensuring regulatory compliance.
Information security (IS) and business continuity (BC) governance structure
Group-level
Chief information officer (CIO) – chair
Information security and business continuity Steering Committee
Chief information security officer (CISO)
Chief compliance officer (CCO)
Chief technology officer (CTO)
Chief information officer (CIO, mobile services)
Chief information officer (CIO, Airtel Money)
Chief information officer (CIO, Enterprise)
Chief information officer (CIO, Digital Labs)
Managing directors (all 14 OpCos)
OpCo representatives, including specialists in application security, vulnerability management, third-party risk, network security, endpoint security, security operations, identity and access governance, threat intelligence and risk compliance (by invitation)
Policies updated and introduced in 2025/26
In 2025/26, we reviewed and strengthened several policies to reflect the evolving threat environment:
- Group information security policy (updated)
- Data protection and privacy policy (updated)
- Third-party risk management framework (updated)
- Password guidelines (updated)
- Audit management process (new)
- IS-BC management system cloud security policy (new)
- IS-BC management system responsible AI usage guidelines (new)
- Business continuity management policy (updated)
- IS-BC management system cybersecurity strategy (new)
Key performance indicators (KPIs)
- 5,526 external penetration tests (1,478 in 2024/25)
- 30 ISO certifications across 14 OpCos (30 in 2024/25)
- 58% increase in number of security applications and platforms (44% in 2024/25)
- 0 successful breaches of our security platforms (0 in 2024/25)
Progress against our targets
Best tools and technologies
During the year, we rolled out cloud-based DDoS protection across all OpCos (completed June 2025), migrated to next-generation web proxy solutions, expanded EDR capabilities and deployed advanced deep file inspection with high availability (December 2025). Deep network visibility solutions were also rolled out and single sign-on portals launched in five OpCos.
In addition, we completed the enterprise-wide rollout of AI-based spam protection across 14 markets by December 2025, significantly reducing fraudulent and unsolicited communications and strengthening customer digital safety at scale.
Active security platforms grew by 58% year on year, from 64 to 101, with no end-of-life solutions remaining in operation.
Best security experts and security partners
We strengthened assurance capability through two key partnerships: SecGen for comprehensive telecoms security assessments (April 2025) and Xtelify for end-to-end security services and continuous threat monitoring (September 2025).
We also advanced third-party assurance expectations by introducing Systems and Organization Controls (SOC) 2 requirements for critical sub-service organisations and strengthening vendor governance processes, reinforcing accountability across our supply chain.
Security in software development processes
We embedded automated security testing for in-house mobile applications (October 2025), onboarding all relevant apps onto our enterprise testing platform and training development teams to remediate vulnerabilities – increasing coverage and accelerating remediation timelines.
Monitoring of directory services for privileged accounts was tightened and protections for critical financial platforms were reinforced, enhancing the ability to detect and respond to sophisticated threats.
360° awareness and data privacy certification programmes
Cybersecurity awareness month (October 2025) anchored our annual campaign, featuring three quizzes, three newsletters and leadership communications. Phishing simulations were conducted across all OpCos, and mandatory annual training was maintained for all employees and extended to third-party vendors.
Independent certification and assurance remained a core component. ISO 27001 and ISO 22301 certifications were maintained across all OpCos. We successfully completed the second surveillance audits for both standards, reaffirming the continued maturity of our Information Security Management System (ISMS) and Business Continuity Management System (BCMS). International Standard on Assurance Engagements (ISAE) 3402 / SOC 2 Type 1 assessments were successfully completed for the Group with Type 2 assessments underway.
Resilience of our processes to handle unforeseen circumstances
We strengthened our operational resilience across governance, technology and culture during the year. Our Group business continuity management policy was enhanced in September 2025 with clearer crisis governance, defined roles and refreshed recovery teams across OpCos. Business impact analyses and continuity plans were standardised, supported by harmonised Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) and structured recovery runbooks.
Monthly disaster recovery drills and annual tabletop exercises validated preparedness across simulated scenarios. These measures collectively demonstrate that our resilience is not a contingency – it is an operational discipline.
Looking ahead: our data security strategy for 2027-2032
As our current data security targets come to an end on 31 March 2026, our 2027–2032 strategy will address the security challenges of an increasingly AI-driven, cloud-native and interconnected digital landscape across sub-Saharan Africa. We will update on progress against our new targets in 2026/27.
Certification, assurance and independent validation
Independent certification and assurance reinforce the strength of our governance and control environment.
As of 31 March 2026, we held 30 ISO certifications across the Group and SmartCash PSB. We successfully completed ISAE 3402 / SOC 2 Type 1 for the Group with Type 2 assessments underway. SmartCash PSB Nigeria completed recertification to PCI DSS v4.0.1, demonstrating continued adherence to global payment security standards.
These certifications, combined with extensive penetration testing and independent external assessments, provide objective validation of our information security and business continuity frameworks. They strengthen confidence among customers, regulators, investors and partners that data security remains embedded at the heart of our strategy.
Data security in action
Data privacy and protection month
Our annual data privacy and protection awareness programme emphasises core privacy principles – lawful processing, consent, data minimisation and secure handling – across the whole organisation. In October this was further integrated with cybersecurity awareness month, extending its reach and reinforcing privacy as a key dimension of customer trust. Together, these campaigns help embed a culture where every employee understands their personal responsibility in protecting the information we hold.

Cybersecurity awareness month
Every October, our Group-wide cybersecurity awareness month campaign deepens understanding of cyber risks and promotes safe digital behaviour among employees and customers across all 14 markets. The 2025 campaign focused on practical education about common threats – phishing, malware and social engineering – as well as guidance on secure use of AI tools, password hygiene and device protection. Activities included e-learning, interactive quizzes, leadership mailers, phishing simulations and customer-facing communications. Tailored newsletters and quizzes were distributed Group-wide, significantly exceeding engagement targets.

Stress-testing to prepare our executive leadership for crisis management
In April 2025, we conducted an immersive cyber war game simulation with ExCo members at Group headquarters. Built around a realistic ransomware attack scenario, the exercise evaluated the effectiveness and speed of our incident response arrangements, tested cross-functional coordination under pressure and assessed the readiness of leadership to communicate, decide and act in a crisis.
The simulation strengthened executive preparedness, clarified roles and responsibilities and reinforced the governance structures needed to protect our customers and our business in the most challenging circumstances. We will roll out similar exercises across our top six OpCos, ensuring leadership readiness is embedded across the Group.