Cybersecurity is also one of Vedanta's most significant business risks because of the growth in cyber threats such as phishing and ransomware. Vedanta's consistent investment in technology and stringent processes have thwarted cyber threats and prevented any major disruption to the business. The Company remains committed to maintaining cybersecurity to protect its technology, confidential information, data integrity and business continuity.
Cybersecurity governance is overseen by the Audit and Risk Committee of the Board, while the Vedanta Executive Committee (Vedanta ExCo), chaired by the CEO and comprising leaders from all business functions, is responsible for cybersecurity. The Chief Information Officer (CIO) sets the cybersecurity vision and strategy and is accountable to Vedanta ExCo and the Board's Audit and Risk Committee. The Chief Security Officer (CSO) drives the cybersecurity programmes to achieve business objectives, and the Chief Information Security Officer (CISO) ensures their operational success. The CSO is also responsible for physical security, including the physical protection of information assets.
Vedanta has established a robust Information Security Management Framework comprising Policies, Standard Operating Procedures (SOPs) and Technology Standards. The Information Security Framework is reviewed annually by the Vedanta Information Security team.
Vedanta's Oil & Gas, Zinc-Lead-Silver, Aluminium, Iron Ore, Steel, Copper, Ferro Alloys and Power businesses are certified to ISO 27001 (Information Security). Some businesses additionally hold ISO 22301 (Business Continuity and Disaster Recovery) and ISO 27701 (Privacy Information Management) certification and have aligned their risk management processes with ISO 31000 (Risk Management), which is a guidance standard rather than a certifiable one.
The overall Information Security Framework & Governance layer adopted by Vedanta is presented below:
In addition, Vedanta has a strong information security policy that aligns with the relevant management frameworks for information security, risk management, disaster recovery, business continuity management and data privacy. This policy has been adopted by all business units to ensure compliance with the Vedanta Information Security Policy. Policies adopted by the Company align with national regulations, including the Information Rules, 2011 and the Information Technology Act, 2000.
Vedanta’s cyber programme focusses on the following seven strategic areas to enhance cybersecurity capabilities:
Vedanta's Cybersecurity Awareness Plan educates employees on IT and OT security and data governance, sensitising them to prevailing threats and risks and to the mitigations available against them. The programme emphasises that cybersecurity is a collective responsibility in protecting the organisation from cybercrime.
Performance evaluation of Information Security is carried out across People, Process and Technology aspects. Our workforce has defined KRAs/KPIs (Key Result Areas/Key Performance Indicators) aligned with Information Security goals as part of the Annual Performance Management process, and performance is measured against these goals.
In FY 2022-23, Vedanta experienced zero cybersecurity breaches.
Cyber incidents reported through the SIEM (Security Information and Event Management) platform and by end users are evaluated by the BU CISO. Data incidents reported through DLP (Data Loss Prevention) and by end users are evaluated by the BU DGPO/BU CISO and further reviewed by the BU CIO. Based on their criticality and impact, these observations and incidents are reported and discussed in the following forums for direction and support in addressing them.
Closure of observations against the agreed due dates is reported on a quarterly basis.