Recent years have witnessed a spate of high-profile data breaches and cybersecurity incidents at global companies. These have triggered many corporate crises, turning cybersecurity and cyber risk into a corporate governance issue for Boards. With regulators making it clear that cybersecurity is not merely an IT issue, companies worldwide have started treating it as an integral component of their enterprise-wide risk management structure. Against this backdrop, cyber risk oversight has become explicitly material to investors' ability to understand a company's strategy.
Amid this transforming business ecosystem, we, at Hindustan Zinc, have moved ahead aggressively and responsibly to strengthen our cybersecurity risk posture. Our efforts have yielded tangible outcomes, with the Company being ranked the highest in the metals and mining sector in the Corporate Sustainability Assessment 2023 by S&P Global. This ranking also reflects our progress on the cybersecurity front. Maintaining tight cybersecurity across our operations is an ongoing process, and we remain committed to protecting our information technology and control systems from attack. We shall continue to ensure that confidential information remains safe, that data integrity is protected, and that business continuity is maintained in the event of any disaster.
To ensure the highest levels of cybersecurity and to strengthen them continuously, we have in place a robust enterprise risk management framework.
Our leadership and governance structure, as provided below, is designed to set strategy for, execute and monitor the cybersecurity function at Hindustan Zinc.
We are cognisant of the need for effective and agile management of cybersecurity risks to protect the confidentiality, integrity and availability of all technology and data assets in the Company, including the assets on which we rely for smooth operations. To this end, we have adopted clearly defined principles and standards together with an objective-based approach. These are set out in our cybersecurity framework, which focuses on the risks to our assets and the critical controls around them. The framework's standard applies to all assets, and in particular to those that are critical for business and operational resilience, stability and regulatory compliance.
The framework is well supported by several other standards and guidelines, which govern our information technology and cybersecurity practices. These include information security management and personal data privacy standards, disaster recovery and business continuity management, and risk management.
To manage information security in the Company, we have a well-entrenched and comprehensive Information Security Management Framework as part of our Enterprise Risk Management (ERM) framework. The framework covers the relevant policies, standard operating procedures (SOPs) and technology standards needed to manage information security effectively. We have also established a security assessment and audit process that identifies and closes weaknesses before they can be exploited in a cyber-attack. Implementation of security-by-design across our business and technology landscape has further strengthened the framework.
The framework guides the formulation of our information security strategy, as well as our long-term roadmap and annual information security plan. The IT and Cyber Security Steering Committee reviews the framework annually, in consultation with external expert agencies. This helps in incorporating applicable regulatory requirements and prevailing industry knowledge, and also enables consideration of newer threats and risks.
Hindustan Zinc has defined and rolled out an ambitious privacy compliance and readiness programme to ensure alignment with the Digital Personal Data Protection Act, 2023 (DPDPA). As part of this programme, we will identify privacy risks and the personal data footprint across business processes and business applications, perform a gap assessment, and prepare privacy policies, procedures and templates to address the gaps in line with DPDPA requirements and global best practices in privacy. We plan to conduct training, assist in introducing privacy policies and procedures, and implement privacy notices and cookie banners. We will also undertake technical implementations, such as data masking, encryption and consent management, to meet the requirements of the DPDPA rules and privacy best practices. Hindustan Zinc, as a leader in the metals and mining industry, aims to stay ahead of the curve in complying with the various regulatory requirements.
Our information security and data governance policies help create a strong security framework. We draw on various management frameworks when defining these policies. To keep pace with the changing security environment, the CIO, CISO and other competent personnel in our information security function review the policies and procedures every year. We ensure that all approved and enforced policies are made available to all employees and business partners (BPs) through communication across multiple channels.
In line with the identified strategic areas, we regularly undertake various cybersecurity initiatives to enhance our cybersecurity capabilities across the business and minimise the related risks.
Our end-to-end cyber resilience programme covers a 24x7 security incident monitoring plan; incident detection, response and recovery playbooks; integration with the organisation's crisis management plan; and an associated decision and communication matrix for cross-functional stakeholders such as human resources, corporate communications, legal, business and information security. We have put in place cyber insurance and incident response retainer services to limit the impact of low-probability, high-impact cyber-attacks. We conduct annual executive cyber drills and purple teaming for continuous improvement of the cyber resilience programme.
A privacy information management system (PIMS) is in place in the Company, and we also conduct data discovery to identify where personally identifiable information (PII) is collected, stored, processed and transferred. We have further established privacy policies, procedures, consent management and data subject rights management to strengthen our privacy readiness. We conduct privacy impact assessments for business processes involving large-scale personal information, and run privacy awareness sessions for our employees.
To build employees' capability to identify and report breaches, Hindustan Zinc has prepared a holistic cybersecurity awareness plan, which is executed continuously throughout the year. All new joiners are required to attend cybersecurity training during their on-boarding. An online self-service awareness training capsule is available to all users. Our business ethics and Code of Conduct include a cybersecurity element with which employees must comply, as it is also linked to their annual performance evaluation.
We conduct extensive security awareness activities for all employees, and for business partners' employees who have access to Hindustan Zinc's systems or work on the Company's premises. We engage with them quarterly through security awareness communications as well as end-to-end social engineering simulations covering scenarios such as phishing, baiting, pretexting, quid pro quo and scareware/fraudware. Our efforts are geared towards making these security awareness communications informative and engaging. We also conduct monthly stand-up sessions and executive briefings on cybersecurity at various locations.
We have made large investments in phased upgrades of our operational technology systems and plant technical systems to the latest versions. This is aimed at preventing cyber attackers from exploiting vulnerabilities that may exist in legacy systems. We further intend to conduct vulnerability scanning of operational technology systems to ensure that known vulnerabilities disclosed by original equipment manufacturers (OEMs) are identified and remediated.
At Hindustan Zinc, we take cloud security very seriously and perform risk-based remediation of security issues affecting our assets (virtual machines, applications, services, etc.) hosted in corporate IaaS (Infrastructure as a Service) cloud or SaaS (Software as a Service) applications. We further ensure that all cloud-hosted assets are integrated with the security operations centre (SOC) for 24x7 security monitoring. We have implemented a web application firewall, which gives our crown jewel applications an automated protection layer against common web-based attacks.
We have performed detailed data flow analysis (DFA) together with our business and functional teams to identify critical data and crown jewels. Based on this analysis, we have implemented a comprehensive data leakage prevention (DLP) capability covering communication channels such as web, email and mobile devices. We conduct regular reviews and fine-tuning of the DLP rules to keep them aligned with the DFA. Our 24x7 DLP monitoring desk monitors and manages all data leakage incidents.
We have identified the third parties that pose cybersecurity-related risks to the organisation, and have put in place the governance structure required to address and mitigate those risks. We annually perform a risk assessment of high-risk third parties (including any new third-party vendors being introduced into Hindustan Zinc's environment) to ensure that the risks are measured and mitigated, and that appropriate security clauses are incorporated in third-party contracts.
As a risk-driven organisation, we carry out detailed risk assessments across the organisation. We have implemented a robust risk management framework, which helps the organisation consider the full range of risks it faces. Hindustan Zinc's risk management framework is aligned with the ISO 31000:2018 risk management guidelines.
At Hindustan Zinc, we detect information security and data incidents mainly through monitoring with security information and event management (SIEM) services, data leakage prevention (DLP) desk operations, and reports from the information security function and end users. A system is in place to track and monitor all security incidents until their closure. This includes root cause analysis and an action plan to prevent similar incidents in the future, under the incident management and data breach policy. We also have in place a platform through which any employee can raise an incident when something suspicious is noticed. Incident response testing is conducted twice a year as part of our business continuity plan (BCP) and disaster recovery (DR) drills.
We have in place a robust vulnerability management policy, which allows us to identify and address risks and vulnerabilities effectively across the information technology (IT), operational technology (OT) and digital landscape. We arrange for an annual internal and external vulnerability assessment and penetration testing (VAPT) programme, surveillance audits, and an assessment of IT general controls (ITGC), to be carried out by globally reputed and recognised third-party agencies. The Company's vulnerability management programme is structured across all layers of defence, ensuring coverage of policy and framework, physical, perimeter, network, application and data security. Vulnerability identification, tracking of mitigation actions and continuous compliance are ensured through the various assessments conducted during the year. These assessments aim to identify vulnerabilities, threats and shortcomings, and the associated risk and impact. They include governance and framework reviews, red teaming exercises as part of physical security assessments, data governance and compliance assessments, surveillance audits under various ISO frameworks, and assessment of ITGC by the Statutory Auditor under the applicable financial compliance frameworks.
In addition, we conduct VAPT, including simulated hacker attacks, at least twice a year. The exercise is organised by Hindustan Zinc's information security function and the group management assurance services (MAS) function. It is conducted to define, identify, classify and prioritise vulnerabilities in computer systems, applications and network infrastructure, and it gives us the knowledge, awareness and risk context needed to understand the threats to our environment and respond appropriately. We also conduct simulated hacker attacks as part of third-party vulnerability analysis. After each assessment, an observation tracker is prepared for all identified vulnerabilities, with clear mitigation timelines and ownership assigned according to the criticality of each observation. This tracker is rigorously monitored, reviewed and reported at various forums.
An escalation process has been developed by the Company as part of its IT security framework. It enables employees to report anything that is suspicious or poses a threat to the organisation, our intellectual property, other business documentation, our people or our finances. As part of the escalation process, all information security incidents are reported to the relevant team members and are then reviewed and analysed by the Information Security Team. The escalation process is also regularly monitored by the Risk Committee. In addition, employees can report suspected phishing e-mails through a "Report Phishing" option in the mail client itself.
At Hindustan Zinc, performance evaluation of information security is a multi-faceted process. For the workforce in the IT/OT function, the goals and performance of each employee are aligned with the Company's information security goals. Internal and external vulnerability assessments, management reviews under information security administration, and reported incidents are used to measure the effectiveness of processes and technologies. Further, employees who fall for the social engineering simulation exercises are issued advisory letters from the CHRO's office, sensitising them to the risks and warning them of further action in case of a repeat occurrence.