CYBERSECURITY

TRANSFORMING TO UNLEASH PEOPLE’S POTENTIAL

In the age of digitisation and online working environments, businesses are faced with significant technological challenges due to the dual demands of increasing dependence on remote work and faster digitalisation of information. Widespread cybercrime and cyber insecurity are now one among the top 10 global risks identified by the World Economic Forum.

Cybersecurity is also one of Vedanta's most significant business risks due to the growth of cyber-related threats such as phishing attacks and ransomware. Vedanta's consistent investment in technology and stringent processes has thwarted cyber threats and prevented any major disruption to our business. The Company remains committed to maintaining cybersecurity to protect its technology, confidential information, data integrity, and business continuity.

Robust Leadership & Governance Structure

The cybersecurity governance is overseen by the Audit and Risk Committee of the Board, while the Vedanta Executive Committee (Vedanta ExCo), chaired by the CEO and leaders from all business functions, is responsible for cybersecurity. The Chief Information Officer (CIO) sets the cybersecurity vision and strategy and is accountable to Vedanta ExCo and the Board's Audit and Risk Committee. The Chief Security Officer (CSO) drives the cybersecurity programs to achieve business objectives, and the Chief Information Security Officer (CISO) ensures their operational success. Moreover, the CSO is responsible for physical security, including information assets.

Information Security Management Framework

Vedanta has established a robust Information Security Management Framework, which includes Policies, Standard Operating Procedures (SOP) and Technology Standards. The Information Security Framework is reviewed annually by the Vedanta Information security team.

Vedanta’s Oil & Gas, Zinc-Lead-Silver, Aluminium, Iron Ore, Steel, Copper, Ferro Alloys and Power received Certification ISO 27001 (Information Security), some of the businesses received ISO 22301 (DR & BCP), ISO 31000 (Risk Management) and ISO 27701 (Privacy Management).

The overall Information Security Framework & Governance layer adopted by Vedanta is presented below:

In addition, Vedanta has strong information security policy that aligns with various management frameworks related to information security, risk management, disaster recovery, business continuity management, and data privacy. This policy has been adopted by all business units to ensure compliance with the Vedanta Information Security Policy. Policies adopted by the Company align with national regulations including Information Rules, 2011 and the Information Technology Act, 2000.

Vedanta’s cyber programme focusses on the following seven strategic areas to enhance cybersecurity capabilities:

• Detailed risk management for the entire business
• Annual vulnerability assessment as per the vulnerability management policy
• Tracking information security administration as a part of CIO’s review
• Management of cyber & data incidents through SIEM (Security Incident and Event Management) services, monitoring data movement through DLP (Data Leakage Prevention) tools
• Disaster Recovery & Business Continuity Management Framework to prevent any disruption to critical IT systems
• Consequence management in case of non-compliance
• Incidence Response & Emergency Preparedness Plan to respond to cybersecurity crisis

Cybersecurity Awareness Planning & Training

Vedanta's Cybersecurity Awareness Plan educates employees on IT and OT security and data governance, with a focus on sensitising them to prevailing threats and risks and helping them learn about mitigation aspects. The programme is framed to emphasise the importance of collectively ensuring cybersecurity to protect the organisation from cybercrimes.

Performance

Performance evaluation of Information Security is carried out based on People, Process and Technology aspects. Our workforce has defined KRAs/KPIs aligned with Information Security Goals as part of their Annual Performance Management process, and the performance is measured against these goals.

Escalation Process

In FY 2022-23, Vedanta experienced zero cybersecurity breaches.

Cyber incidents reported through SIEM (Security Incident and Event Management) and by End Users are evaluated by BU CISO. Data incidents reported through DLP and by End Users are evaluated by BU DGPO/BU CISO and are further reviewed by BU CIO. Based on the criticality and impact, these observations and incidents are reported and discussed in following forums for direction and support to address them.

• BU ExCo
• Vedanta Group ExCo
• BU Audit & Risk Committee
• Vedanta Audit & Risk Committee

Compliance to observations as per agreed due dates is reported on a quarterly basis.