
A current legal view of mining cyber-risk

Mining companies face multifaceted vulnerabilities when it comes to cyber threats. While companies holding a great deal of consumer data or financial information are often seen as the primary targets, mining companies face significant – and arguably more complex – challenges. In addition to the exfiltration of proprietary, financial and employee information, the potential for an attack on operational systems and infrastructure is of particular concern. Hackers have already targeted such systems across Canada. These attacks will continue and evolve.

Alexandra Luchenko*

The stakes of a cyber-attack are incredibly high, often leading to financial, operational and reputational damage. It is crucial to remain vigilant, both to prevent attacks where possible and to ensure that appropriate protocols are in place to mitigate the damage caused by attacks that do succeed.

Before risks can be mitigated, specific vulnerabilities must be identified. Mining companies face particular challenges by virtue of the nature of their operational and information technology, overlaid by an often extensive geographical footprint and the concomitant need to rely on third party providers.

Technical elements: vast, complex and multifaceted

The connection between operational technology networks and information technology networks has allowed for great advancements in the mining industry. But these opportunities are not without their challenges.

Once isolated, operational technology is now more vulnerable by virtue of the interconnection.

Moreover, traditional information security tools are not always suited to use in the operational technology environment. These challenges are exacerbated by a general shortage of security specialists, and an even greater shortage of individuals with both operational and information technology knowledge, especially at remote operational sites.

These issues are not always top of mind as mining technology develops. While many heavy industrial companies are in the midst of large digital transformations, they may overlook the need to manage the related security risks. All too often, security is not a major part of technological advancement and security measures are an afterthought, if considered at all. This increases digitisation costs and may compromise the effectiveness of technology products and systems, as after-the-fact security measures may be less effective than those built into products and systems by design. Last-minute security reviews and new security tools will also likely cause delays.


With multifaceted business functions comes the need to engage third party service providers who may manage certain elements of information technology or operational technology in one or more global locations. Assets managed by separate business units or third parties are far more difficult to oversee than those managed centrally. Allowing third parties physical access to operational technology networks exposes those operations to additional potential vulnerabilities, in many cases without any ability to provide meaningful oversight.

The human element: diverse and interspersed

Of course, mining companies face similar oversight issues with individual employees. Cyber breaches can be, and often are, caused by employees; the human fallibility component of cyber breaches is well-documented. In this regard, companies with decentralised operations, especially those in multiple jurisdictions, face additional issues. International operations often bring an increased level of risk simply because of the challenge of monitoring employees and operations, as well as the need to ensure compliance with all applicable local laws.

The importance of policies to mitigate the risk of a cybersecurity incident cannot be overstated. However, the mere existence of a policy is not sufficient: those policies must also be relevant across the company, regardless of business function or jurisdiction. This means that one or more policies must be drafted and disseminated so as to establish expectations both of a company's receptionist in a major financial centre and of those operating heavy machinery in a remote location.

Communicating such policies throughout a company requires training. Depending on where certain employees are located, and much as with finding appropriately qualified security experts, mining companies may face challenges finding individuals with the requisite expertise to deliver that training.

Finally, policies must be reviewed and updated regularly and it is important that any applicable revisions be made across all business units and locations, a practical task sometimes more difficult than anticipated.

The critical question: prioritising cybersecurity spend

Perhaps most challenging of all is the simple fact that managing cyber risk requires capital outlay. Often, companies prefer to take an ad hoc approach or, worse, simply avoid the issue until it is too late. Studies suggest that companies investing in cybersecurity at the front end spend far less in a crisis than those without the necessary security in place. This should also be of particular interest to company directors, as there will inevitably be further attempts to impose liability for cyber breaches on corporate fiduciaries.

Given the constantly evolving threat of cyber-attack, ignoring the issue is becoming increasingly untenable.

Does your technical environment support optimal security measures?

Understanding your company's operational and information technology is critical to being able to increase cyber preparedness. Security solutions must be developed having regard to the specific systems in place at any given time. For many mining companies, the use of older existing technologies (especially in the operational sphere) will mean that security solutions are less than optimal. Regular review of available security measures should take place as new technologies to address security issues are being developed.

For companies undergoing technological overhauls, there is an opportunity to build security in from the front end. Ideally this will involve integrated security that covers both operational technology and information technology, given the particular risk profile of the mining industry.

Does your cybersecurity policy work in a practical sense?

In order to address the challenges that come with decentralised governance structures and expansive geographical footprints, mining companies need to integrate security into all areas where technology decisions are made, as well as into various functions and business units.

Those setting policy must also be involved in deployment at ground level to ensure that policies work in practice. Local security-review task forces should be considered, with security officers assigned to business units. A company-wide cyber governance committee that reports to the board should also be considered; it allows metrics and reporting structures to be managed and ensures that the board is fully apprised and able to discharge its fiduciary duties in the context of cybersecurity.

Policies can only be effective if they are understood by every potential audience, having regard to business function, language and education. The same is true of any training, which should be delivered regularly. Mechanisms to identify non-compliance should exist, together with tangible remediation measures and remedial action for non-compliance. One of the largest litigation risks in the area of cybersecurity is a company that has cybersecurity policies in place which are not being followed, or which has identified a cyber risk and subsequently ignored it.

For mining companies with disparate operations, a certain degree of rigour must be undertaken to ensure that protocols, policies and controls are not only in place and intelligible, but also updated and tested regularly.

Does your company have a plan in the event of a cyber-breach?

While cyber-attacks cannot be prevented entirely, a company's ability to respond effectively is critical. Every mining company should have an accessible and easily understood cyber incident plan that dictates what to do in case of an attack. An effective cyber incident plan not only minimises the damage of an attack to a company's systems, but does so in a manner that protects the company and its personnel from future litigation and reputational damage.

Those protocols must then be tested to assess their effectiveness. Cybersecurity experts can be a significant asset in such testing. In certain jurisdictions, it is advisable to undertake such assessments under the oversight of legal counsel, for the purpose of ensuring legal compliance, so as to protect the results of the audit from disclosure should a cyber-attack later take place.

Are your vendors being as vigilant?

It is not uncommon for companies to fall behind in assessing vendors' security compliance, both before entering into a contract and on a regular basis thereafter. This is often due to resource issues, both cost and time. However, a company is only as protected as its weakest link: if a third party service provider is lax in its security measures, your company may be at risk.

To avoid this, any due diligence on third parties should include a cybersecurity element. Agreements should include provisions both (a) confirming the third party's fitness from a cybersecurity perspective; and (b) setting out protocols in the event of a cyber-incident.

To ensure the third party has appropriate cybersecurity practices in place, agreements should include:

- Relevant representations and warranties.

- System management obligations.

- Acknowledgments that the third party will follow all applicable company policies.

- Contractual indemnities for non-compliance with company policies, ideally excluding any limitations of liability.

Audit rights of third party operations can also be considered, but only where such audits can realistically be undertaken.

In respect of cyber-incident response protocols, third party agreements should include:

- Notification procedures to ensure the company receives information from the vendor promptly in the event of a cyber-incident.

- Cooperation obligations, including agreements relating to notification of regulators (depending on the jurisdiction in question) and media relations.

Perhaps the most notable example, and one that requires specific mention, is the situation in which a mining company contracts out its information technology needs to a third party.

Given the degree of dependence the company will have on that third party information technology provider in the event of a cyber-incident, it is critically important in this circumstance for the company to understand precisely what services the third party is delivering and what protocols are in place to address any cyber-incident.

*Alexandra Luchenko is a partner in the Blakes Litigation & Dispute Resolution group. She regularly assists clients with investigations and crisis management, including in the event of data breaches or cybersecurity incidents. Luchenko has extensive experience working with mining and resource companies.