XML 437 R54.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] Cyber security risk exposures are managed consistent with the Group risk management process, which can be described as a plan-do-check-act cycle. See “Our approach to risk management” on pages 88-90. The following steps of our Group risk management process are applicable to cyber security:

Set strategy, objectives and risk appetite
We review our Cyber Security Strategy, objectives and risk appetite after improvements in controls and actions.

Risk analysis
Managers delivering our business objectives must identify potential risks against a common risk taxonomy, which includes a category for information and cyber security. Where exposure is identified, the accountable manager uses a universal evaluation scheme to assess the potential impact of a cyber security event.

Risk management
Where material consequences are identified, there is a common set of 8 Group controls that the risk owner is responsible for implementing, with support from Cyber Security as required. These governance controls ensure a considered level of engagement and collaboration with the Cyber Security team and the services they offer, commensurate with the risk.

Assurance
Cyber Security, as owner of the Group controls, will oversee and support their implementation and operation in line with the Group control framework. Where we have material exposure, the first line of assurance and verification of these controls will be incorporated into first-line assurance plans. Risk profiles and trends inform second- and third-line assurance.

Communication
Cyber security risk exposure is communicated as part of integrated risk reporting processes and can be escalated through standard risk escalation channels. Beyond this, there is extensive monitoring of the performance of critical controls, which is communicated to control owners and the Cyber Security Steering Committee (CSSC).

Improvement
Where exposure to cyber security risk is outside of tolerance, as highlighted in risk profiles or through assurance activity, Cyber Security will support or sponsor improvement initiatives through the business planning process.
Cyber security risk management framework
The management of cyber security is a focus across all IT operations and projects for our business and the third parties we rely on. Our cyber security risk management framework is based on the globally recognised NIST CSF. In aligning to this framework, we maintain a control environment supported by dedicated functions covering identification, protection and control, detection, response and recovery from cyber incidents. We also inspect and assure on an ongoing basis to improve our internal and external cyber security environment.

Identify risk
Our overall risk management process and evaluation scheme supports the assessment of cyber security risks. To ensure awareness and consistency in understanding cyber risk, IT relationship managers partner with the leaders of our businesses to identify critical enterprise systems and assets, completing business impact assessments as required. We assess the consequence should the confidentiality, integrity or availability of our information systems be breached.

Our Threat Intelligence function maintains relationships with government, industry, professional bodies, and educational institutions, to ensure we remain aware and vigilant of the external threat landscape. Where threats are identified, this function will investigate our exposure (triggering an overall risk assessment where required), drive awareness and education to enhance vigilance and recommend control improvements. The Threat Intelligence function tests our vulnerability to key threats through penetration testing (ethical hacking) and simulating incidents such as the receipt of phishing emails. Finally, the function also consults with other IT and cyber functions to ensure we are designing our controls with knowledge of the latest threats.

To identify new risks which may arise from technology changes, and from the evolution or ageing of technology environments, we maintain a dedicated capability in cyber risk analysis. This function conducts security risk assessments for IT projects and change requests, including for all third parties which impact our cyber security posture. They also deliver a program of risk-based deep-dive assessments of established technology environments to identify any emergent exposures.
Protect and control
Cyber Security, in collaboration with IT operations, operates a suite of IT controls that protect our information systems through access control, change governance, back-up, and continuous vulnerability management. We use a variety of tools to continuously scan for, patch and monitor security vulnerabilities. To ensure an appropriate level of protection, we maintain a directory of control requirements and facilitate the development of technical standards. Management reporting on control performance, along with targeted compliance assessments, enables us to monitor our conformance to these standards. To operationalise the standards effectively, we maintain specialist capability across many security domains such as application, networks and secure operations.

We maintain a persistent focus on developing the vigilance of employees and third-party users, which is essential for protection of information systems. Mandatory training is assigned to all relevant employees and contractors and is enhanced by a dedicated Cyber Security Awareness function. The cyber awareness training outlines user responsibilities in protecting Rio Tinto’s information assets, the acceptable use of information and electronic resources (including specific areas such as information classification and handling, appropriate internet use, email use and mobile device protection) and general awareness regarding specific cyber security threats. Role-based security training is also provided to key system support personnel with assigned privileged roles and responsibilities. The training must be completed before they are authorised to access the information system, perform assigned duties, or when key changes have been made to the information system. All employees and contractors are required to formally acknowledge their understanding and acceptance of the training upon completion. Our Cyber Security Awareness function also provides communications, events, on-demand materials and presentations, and a suite of cyber safety shares integrated into Health, Safety, Environment and Security processes.

In recognition of the role all employees play in the cyber security risk management process, clear expectations for data privacy, cyber security, and handling of confidential information are set out in The Way We Work. These state that all employees must: i) understand that cyber security is also their responsibility and what they do with electronic devices can weaken or strengthen Rio Tinto’s cyber security; ii) adhere to our Acceptable Use of Information and Electronic Resources Standard; iii) complete the mandatory cyber awareness training; iv) remain vigilant and report anything suspicious to the Cyber Security team; and v) never consciously try to bypass any cyber security control.

To extend protection to third parties, we conduct security risk assessments upon engaging a third party. We also share our policies and expectations with third parties, and apply standard clauses within contractual agreements, enabling a program of risk-based compliance assessments to be conducted across the third parties we engage.
Detect events
We persistently monitor network traffic and system logs through our monitoring function. This includes automated alerting of anomalous events, and the triage and response initiation for these. A key capability of the function is to continuously test, refine and optimise our monitoring and alerting framework, which we do by simulating cyber events and leveraging industry datasets and knowledge.

In addition to technical monitoring, we maintain reporting and communication channels, allowing all users and third parties to report any anomalies or incidents they observe. This includes anonymous reporting via our whistle-blower processes.

For situations where the first indicator of an event may be a system issue or outage, our Critical Incident Management and Cyber Incident Response functions have established ways of working to ensure the earliest detection of any cyber security events.
Respond
For identified cyber security events, the 24-7 Cyber Incident Response function will take action to contain, analyse and remediate. A defined triage process guides the assessment of the impact to determine the level and urgency of the response required, and to trigger the critical incident management process as required. Throughout the response, we maintain incident records which include an assessment of the scale of potential and verified impacts. Impact thresholds trigger disclosures to governance bodies including the CSSC, Chief Legal Officer and the Disclosure Committee.

This response function is regularly exercised to test the speed and effectiveness of response. Internal processes and agreements with our partners enable us to scale the function rapidly in the case of major events. Our incident response function also has defined points of integration with other functions such as business resilience, corporate communication and networks.

Cyber Security leverages a combination of tools for detecting and responding to incidents across all our operations. These include, but are not limited to, endpoint detection and response, network, identity and access management, email, cloud platform, and industrial and operational technology monitoring tools. For incidents not detected and responded to through automated means, Cyber Security uses a security information and event management solution (Microsoft Sentinel) for log aggregation and analysis, with specific rules configured to alert on anomalous or suspicious behaviour. Incidents are managed and tracked in Jira, which integrates with the Microsoft Security stack. The tooling is supported by a number of people and process-related controls that ensure incidents are identified in an accurate and timely manner.
Recover
Recovery plans in place for critical applications cover the steps and actions required to restore services in the case of a cyber security incident. In addition to information system recovery plans, our overall Business Resilience and Recovery Program may trigger the formation of business resilience teams to execute business continuity and recovery plans, as well as handling crisis communications, governance and disclosures. The business resilience management plan for our IT function is tested annually.

To ensure the readiness and effectiveness of recovery plans, we run training programs for all accountable persons and involve them in simulated events that are run to test and improve response capability. For any simulation or actual event, a debrief occurs to capture lessons learnt. These are then shared and reported on to ensure the lessons drive continuous improvement of our recovery processes.
Assure and improve
Our cyber security risk management process includes ongoing inspection and assurance to test the cyber security of our environment and of our third parties, which is key to addressing weaknesses before they are exploited.

In 2024, neither Rio Tinto nor any third parties who operate our IT systems and processes were exposed to cyber security threats or any risk which will or may be reasonably likely to materially affect our strategy, performance or financial position. However, the growing reliance on technology to underpin productivity is increasing the breadth and magnitude of operational disruption exposures. As a result, we are initiating a program to simplify cyber security governance and improve the integrity, consistency and monitoring of key cyber security controls. We will focus on uplifting the skill and capability of IT relationship managers and owners of IT risk, with the goal of improving cross-functional collaboration in assessing local exposures to cyber security risk, and enhancing the breadth and depth of cyber security business impact assessments. We are also investing in strengthening our core cyber security capabilities such as our Threat Intelligence function to ensure we remain aware and vigilant of the threat landscape.
Third party cyber security requirements
Each component of our cyber security risk management framework considers the role of third parties we engage, and supports adaptation of our controls for all third party relationships.

For each third party working with us or managing our systems and data, cyber security is considered within the process of on-boarding and managing the relationship.

Some of the specific requirements we make publicly available for any third parties who engage with us are outlined below.

Third parties must ensure their information technology and other business systems meet the following general requirements when providing products or services to the Group, or otherwise interfacing with Rio Tinto’s enterprise and industrial and operational technology systems:

1) Any technology systems used or services provided by the third party must not expose Rio Tinto to material cyber security risk.

2) An appropriate cyber security risk assessment has been conducted on relevant own and any third party systems, in particular: identifying key technical and compliance measures required to ensure the confidentiality, integrity and availability of information is maintained; and ensuring that control measures applied are commensurate with assessed risk. The results of any risk assessment will be made available to us on request.

3) Key technology systems have response and recovery plans, with recovery plan testing being undertaken periodically to ensure procedures and controls are effective and services are able to be restored as soon as possible.

4) On termination of the relationship with us, third parties must ensure the return, or the destruction, of Rio Tinto information being held; any access to the Rio Tinto environment is terminated; and any Rio Tinto intellectual property is appropriately transitioned back to Rio Tinto.

5) If access is required to any Rio Tinto information technology or business systems, the third party must ensure: (i) access must be appropriately restricted to only the personnel requiring access; (ii) access procedures must cover identification, authentication, authorisation and auditing requirements; (iii) each user identity requiring access to Rio Tinto systems is linked to or owned by a uniquely identifiable individual; (iv) users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction; (v) where access is required from outside the Rio Tinto network, multi-factor authentication must be used for client access; and (vi) information related to, or generated by, account management activities must be documented and retained for auditing purposes.

6) If remote access to any of our systems is required, third parties must ensure: (i) remote access is securely designed and managed; (ii) access is provided only to authorised parties for valid business reasons; (iii) access is revoked where no longer required; (iv) they will follow the required minimum technical controls to support the secure operation of remote access as specified by Rio Tinto; and (v) they will periodically review and monitor such remote access when no longer required.

7) Third parties must also do all things reasonably required to ensure our network integrity remains protected. To ensure our information is protected, third parties must ensure (where applicable) to:
- Establish and maintain effective change control processes including: (i) determining the types of changes to the third parties' information system that are configuration-controlled, with explicit consideration for security impact analyses; (ii) documenting configuration change decisions associated with the third parties' information system; (iii) complying with Rio Tinto’s applicable change management processes; and (iv) retaining adequate records of configuration-controlled changes to the third parties' information system, to be provided to Rio Tinto on request.
- Maintain response and recovery plans incorporating the following: (i) Disaster Recovery Plans (DRPs) for critical systems, incorporating essential service continuity, response and recovery requirements for these systems, and taking into consideration relevant cyber security threats and scenarios; (ii) DRP testing on a periodic basis to ensure procedures and controls are effective, and services are able to be restored within parameters.

8) Third parties must ensure appropriate encryption standards are applied to Rio Tinto information, including: (i) information classified by Rio Tinto as “Confidential” or “Highly Confidential” when stored on computer storage devices designed to be inserted and removed from a computer or system, including but not limited to optical discs and USB flash drives (removable media), or back-up media at off-site premises; and (ii) information exchanged through the internet, irrespective of its classification.

9) Third parties must: (i) ensure that all removable media is protected and its use restricted only to relevant personnel; (ii) maintain documented procedures for the management of removable media, including the specification of approved media, processes of handling and disposal, as well as the technical enforcement of controls; and (iii) comply with any security controls for removable media reasonably required by us, and provide details of such compliance to us.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Cyber security risk exposure is communicated as part of integrated risk reporting processes and can be escalated through standard risk escalation channels. Beyond this, there is extensive monitoring of the performance of critical controls, which is communicated to control owners and the CSSC.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] The Board, supported by the Audit & Risk Committee, is responsible for overseeing our material risks, including those related to cyber security.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Board, supported by the Audit & Risk Committee, is responsible for overseeing our material risks, including those related to cyber security.

The Audit & Risk Committee receives periodic updates on cyber security from management. Cyber security is also subject to a comprehensive assurance program, the results of which are reported to the Audit & Risk Committee in line with standard processes for reporting assurance findings. This annual update is also reviewed by the Board.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Board, supported by the Audit & Risk Committee, is responsible for overseeing our material risks, including those related to cyber security.

The Audit & Risk Committee receives periodic updates on cyber security from management. Cyber security is also subject to a comprehensive assurance program, the results of which are reported to the Audit & Risk Committee in line with standard processes for reporting assurance findings. This annual update is also reviewed by the Board.
Cybersecurity Risk Role of Management [Text Block] Our Cyber Security function operates under the direction of our Chief Information Security Officer (CISO), who executes strategic direction and leads the function. The CISO reports directly to the Chief Information Officer (CIO) who is accountable to the Chief Financial Officer. Additional oversight is provided by the CSSC.

Our CISO leads a management team that oversees delivery of the capabilities listed in the table on the previous page.

The CSSC is our primary governing body for operational management, responsible for cyber security and the oversight of Group-wide cyber security, reporting regularly to the Executive Committee. The objective of the CSSC is to ensure proper steps are taken to proactively manage cyber security risk and protect our most valuable information assets, process control systems and users. The CSSC also helps drive appropriate behaviours, and ensures high-priority initiatives receive executive support across the Group.

In the event of a cyber security incident, our Cyber Incident Response team takes action to contain, analyse and remediate the incident. Impact thresholds trigger disclosures to governance bodies, including the CSSC and the Disclosure Committee, who may consult with external legal counsel. See “Disclosure Committee” on page 101.

The following table lists the members of the CSSC as well as their relevant experience (Name; Title; Relevant experience):

Peter Cunningham; Chief Financial Officer; Peter joined Rio Tinto in March 1993 and was appointed Chief Financial Officer and Executive Director in June 2021. As Chair of the Cyber Security Steering Committee, he has presided over regular cyber security threat intelligence briefings, the active monitoring of key cyber risks, and progress of our cyber security improvement and assurance initiatives since assuming the duties of the Chair of the CSSC in 2021. With his leadership of our IT, Group Risk and Group Internal Audit functions, he maintains strong oversight of our broader risk management processes and internal controls.

Daniel Evans; Chief Information Officer; Daniel has 13 years' cyber security leadership experience in senior, cyber intelligence and operational leadership roles.

Scott Brown; Chief Information Security Officer; Scott has more than 15 years' cyber security experience in both senior leadership and operational roles.

Isabelle Deschamps; Chief Legal Officer, Governance and Corporate Affairs
Mark Davies; Chief Technical Officer
Alex Markovski; Head of Group Risk
Richard Cohen; Operational Managing Director from a product group (currently Rio Tinto Iron Ore)
Isabelle, Mark, Alex and Richard bring operational and business risk expertise that is relevant to cyber security and their respective roles on the CSSC.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our Cyber Security function operates under the direction of our Chief Information Security Officer (CISO), who executes strategic direction and leads the function. The CISO reports directly to the Chief Information Officer (CIO) who is accountable to the Chief Financial Officer. Additional oversight is provided by the CSSC.

Our CISO leads a management team that oversees delivery of the capabilities listed in the table on the previous page.

The CSSC is our primary governing body for operational management, responsible for cyber security and the oversight of Group-wide cyber security, reporting regularly to the Executive Committee. The objective of the CSSC is to ensure proper steps are taken to proactively manage cyber security risk and protect our most valuable information assets, process control systems and users. The CSSC also helps drive appropriate behaviours, and ensures high-priority initiatives receive executive support across the Group.

In the event of a cyber security incident, our Cyber Incident Response team takes action to contain, analyse and remediate the incident. Impact thresholds trigger disclosures to governance bodies, including the CSSC and the Disclosure Committee, who may consult with external legal counsel. See “Disclosure Committee” on page 101.

The following table lists the members of the CSSC as well as their relevant experience (Name; Title; Relevant experience):

Peter Cunningham; Chief Financial Officer; Peter joined Rio Tinto in March 1993 and was appointed Chief Financial Officer and Executive Director in June 2021. As Chair of the Cyber Security Steering Committee, he has presided over regular cyber security threat intelligence briefings, the active monitoring of key cyber risks, and progress of our cyber security improvement and assurance initiatives since assuming the duties of the Chair of the CSSC in 2021. With his leadership of our IT, Group Risk and Group Internal Audit functions, he maintains strong oversight of our broader risk management processes and internal controls.

Daniel Evans; Chief Information Officer; Daniel has 13 years' cyber security leadership experience in senior, cyber intelligence and operational leadership roles.

Scott Brown; Chief Information Security Officer; Scott has more than 15 years' cyber security experience in both senior leadership and operational roles.

Isabelle Deschamps; Chief Legal Officer, Governance and Corporate Affairs
Mark Davies; Chief Technical Officer
Alex Markovski; Head of Group Risk
Richard Cohen; Operational Managing Director from a product group (currently Rio Tinto Iron Ore)
Isabelle, Mark, Alex and Richard bring operational and business risk expertise that is relevant to cyber security and their respective roles on the CSSC.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The following table lists the members of the CSSC as well as their relevant experience (Name; Title; Relevant experience):

Peter Cunningham; Chief Financial Officer; Peter joined Rio Tinto in March 1993 and was appointed Chief Financial Officer and Executive Director in June 2021. As Chair of the Cyber Security Steering Committee, he has presided over regular cyber security threat intelligence briefings, the active monitoring of key cyber risks, and progress of our cyber security improvement and assurance initiatives since assuming the duties of the Chair of the CSSC in 2021. With his leadership of our IT, Group Risk and Group Internal Audit functions, he maintains strong oversight of our broader risk management processes and internal controls.

Daniel Evans; Chief Information Officer; Daniel has 13 years' cyber security leadership experience in senior, cyber intelligence and operational leadership roles.

Scott Brown; Chief Information Security Officer; Scott has more than 15 years' cyber security experience in both senior leadership and operational roles.

Isabelle Deschamps; Chief Legal Officer, Governance and Corporate Affairs
Mark Davies; Chief Technical Officer
Alex Markovski; Head of Group Risk
Richard Cohen; Operational Managing Director from a product group (currently Rio Tinto Iron Ore)
Isabelle, Mark, Alex and Richard bring operational and business risk expertise that is relevant to cyber security and their respective roles on the CSSC.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Our CISO leads a management team that oversees delivery of the capabilities listed in the table on the previous page.

The CSSC is our primary governing body for operational management, responsible for cyber security and the oversight of Group-wide cyber security, reporting regularly to the Executive Committee. The objective of the CSSC is to ensure proper steps are taken to proactively manage cyber security risk and protect our most valuable information assets, process control systems and users. The CSSC also helps drive appropriate behaviours, and ensures high-priority initiatives receive executive support across the Group.

In the event of a cyber security incident, our Cyber Incident Response team takes action to contain, analyse and remediate the incident. Impact thresholds trigger disclosures to governance bodies, including the CSSC and the Disclosure Committee, who may consult with external legal counsel. See “Disclosure Committee” on page 101.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true