Cyber Security

Technological advances bring with them both opportunities and threats for our business. For example, digital connectivity has enabled us to conduct essential activities, including assurance work, at remote sites where travel has been restricted due to the COVID-19 pandemic. However, as cyber attacks become more prevalent, we are investing significantly in enhancing our cyber security.

Data Privacy

We respect every person’s privacy and comply with all relevant laws in the collection, use and protection of personal information in connection with our business.

When we work with others who may see or process our data – from business partners to suppliers, to customers – we make clear how important privacy is to us and the standards they must meet in order to work with us. And we only collect and handle personal information when needed, and only for legitimate business purposes.

2020 Performance

We had no significant cyber security incidents with a material impact in 2020.

Our use of advanced technology – such as automated trucks, drills and trains, and remotely operated drones – means that we must continually enhance the resilience of our IT systems against cyber attacks that could affect our production, the health and safety of our employees or operations, or the environment. In 2020, this improvement and response work included infrastructure upgrades and enhanced tools for data classification and protection.

As a result of the COVID-19 pandemic, we saw a significant increase in the number of employees working remotely. In response, we expanded our IT capacity – including scaling up secure access to key tools such as email, Microsoft Teams and SharePoint.

In partnership with a third-party expert, we carried out an extensive review of our network to identify potential critical vulnerabilities, extending the initially planned scope to more thoroughly assess areas of risk associated with a larger remote workforce. This review focused on external-facing systems such as internet access and external providers. It identified no critical vulnerabilities.

Despite the COVID-19 travel and site access restrictions, we carried out the assurance work planned for Oyu Tolgoi, in Mongolia.

We also formed a strategic partnership with Microsoft to use emerging technologies that will help us improve security and compliance, enable more effective governance through better visibility and continuous monitoring, and actively prevent risk through technical control measures.

With an increased focus on the controls and practices that protect our digital information and assets, we also updated our Group Standard for Acceptable Use of Information and Electronic Resources and the Group Procedure for Information and Cyber Security. The revised Standard and Procedure align more closely to the Rio Tinto Risk Management Standard, incorporate areas of emerging risk such as social media, and improve compliance by providing clearer accountability and escalation processes.