Although organisations face an increasingly challenging cyber security landscape, the mining sector has historically shown less concern in relation to cyber risk than other sectors. This is likely due to underestimating the cyber risk associated with mining operations on the assumption that not holding consumer-facing information equates with 'staying under the radar' from cyber threats.
Following on from the release of MinterEllison's 2022 cyber risk report, Paul Kallenbach spoke on the panel, How Mining and Resources can Better Mitigate Physical and Cyber Threats to its Organisations, as part of MinterEllison's role as Legal Partner for IMARC 2022. On the panel, he discussed how the mining sector needs to give greater attention to protecting against cybersecurity threats due to both the ever increasing risk of cyber attacks and the heightened regulator proactivity around privacy and data breach enforcement. In addition to those reflections, in this article, Paul also provides two key suggestions to help mining companies become more cyber resilient.
The mining sector faces increased risks of cyber attacks
The two trends of increasingly regular and more sophisticated cyber attacks and the 'technologisation' of mining operations expose mining companies to ever greater cyber risk.
State-sponsored cyber attacks fuelled by growing geopolitical tensions, and sophisticated cyber criminal enterprises, are actively targeting critical infrastructure, including in the resources sector. For instance, a 2019 internet security threat report by Symantec highlighted that the mining sector was the largest recipient of malicious (i.e. ‘phishing’) emails that year. The Colonial Pipeline ransomware attack in May 2021 is a stark example of how a cyber attack on critical infrastructure can disrupt operations and cause economic mayhem.
Cyber risks for the mining sector will continue to increase with the updating of legacy IT systems and the integrating of new technologies into existing operational environments via the 'internet of things' (IoT). This increased 'technologisation' creates new entry points into mining companies' IT systems, which cyber criminals are increasingly exploiting to compromise production and supply chains, potentially jeopardising human safety.
Mining companies have a particular threat layer that arises because of their operational technologies, which are increasingly connected to the internet and cloud-based systems.
Regulators are increasing their proactivity around privacy and cyber risk enforcement
The more proactive stance regulators are taking in relation to privacy and cyber risk should encourage the mining sector to increase its cyber resilience. Companies may attempt to seek comfort in the fact that a civil penalty has never been levied against a company for a 'serious or repeated' breach of the Privacy Act. This comfort may be short lived, as the first potential prosecution, namely of Facebook in connection with the Cambridge Analytica scandal, is currently before the courts.
The Office of the Australian Privacy Commissioner, which has traditionally been an under-resourced regulator, is now signalling that it will have sufficient resources to consider when it should seek civil penalties against organisations that have breached their privacy obligations. Just last week, these penalties significantly increased, to the greater of $50 million, three times the value of any benefit obtained through the misuse of the information, or 30% of the company's adjusted turnover in the relevant period.
In addition to the Australian Privacy Commissioner, the ACCC is also on the lookout for misleading and deceptive conduct by companies regarding their approach to cyber security and privacy, such as in statements made in their annual reports or privacy policies. It has also flagged an aggressive role in privacy-related enforcement.
Strengthening cyber resilience in the mining sector
Mining companies can strengthen their cyber resilience with an effective cyber risk management framework and through their approach to managing cyber incidents.
An effective cyber risk management framework addresses people, process and technology:
- People – sufficient personnel resources are available and trained to respond to a major cyber incident
- Process – the organisation has a cyber incident response plan with clear policies and processes, and which is regularly tested and updated
- Technology – the organisation understands where its information assets are, has appropriate detection and response technologies in place, and knows what it must do to respond effectively if it is subject to a cyber incident
While cyber risk is an important risk to manage, it is still only one of many elements within a company's risk management framework. An effective cyber risk management framework needs to be integrated into a company's overall risk management framework that governs broader business resilience issues and crisis management.
A company's approach to managing a cyber incident also contributes to its cyber resilience. Should a cyber incident occur, mining companies need to be transparent with their stakeholders about the incident, its impact on them, and the steps they are taking to remedy it. There is a risk that the company might be too transparent too early, before it has sufficient information about the incident to share with its stakeholders. There is also a risk that it might wait too long before sharing information with its stakeholders while it collates further information about the incident. As a guiding principle, companies should err on the side of transparency with their stakeholders and with regulators in the event of a cyber incident.