Like many industries, the mining sector has undergone rapid digitalization, with companies deploying cutting-edge technologies and advanced data analytics in pursuit of higher efficiency and productivity.
Much of this shift has involved retrofitting specialized, legacy machinery with sensors and control systems connected to the internet. With so much linked equipment—and mining companies’ growing use of the cloud and artificial intelligence—their “attack surface” has increased dramatically. An attack surface refers to the number of points in a network that are open to compromise or exploit via a vulnerability.
Although the sector does not hold large volumes of personal data, criminal threat actors are recognizing that mining companies still offer much to target. These criminal gangs, state-sponsored hackers, and individual threat actors (including disgruntled employees and hacktivists) are a growing threat, driven by motives including the desire to disrupt geopolitically important supply chains, exploit companies for ransom, and engage in espionage.
Over the past two years, major cyber attacks including ransomware strikes, payroll leaks, IT system hacks, and unauthorized access attempts have been launched against mining companies across the world, from Canada to Mexico, Australia, the U.S., and South Africa.
New tools such as AI may aid efforts to improve cybersecurity by analyzing large volumes of data to flag vulnerabilities and detect threats. However, threat actors are also deploying the latest AI tools, which can impersonate executives, spread malware, and inject false data into large language models (LLMs). Moreover, evaluating and triaging a security alert remains a painfully human task.
In addition, companies must monitor their risk across all third-party services such as critical technology providers, software vendors, and original equipment manufacturers (OEMs). This requires diligence and coordination among operations, information technology, and legal departments.
The consequences of a cyber breach
Businesses hit by a cyber attack, particularly in this space, are almost certain to face operational disruptions and incur incident response costs. Indeed, for mining companies, the former is what tends to motivate an attack.
Research from IBM reveals that the global average direct immediate expenses to address a data breach in 2024 rose to USD4.88 million, up by 10% year-on-year. In the immediate aftermath of an attack, businesses will need to engage legal, technical, and forensics experts, and in the case of a ransomware attack, specialist negotiators. Companies may have to rebuild their entire IT and operational technology (OT) stacks unless they can locate and eradicate the threat. On average, full recovery takes more than 100 days.
Then there are further costs incurred in responding to regulatory investigations and follow-on litigation. For listed businesses, material attacks will trigger mandatory disclosure obligations that may impact share price. Disruptions to operations and cash flow may affect the company’s credit rating and its ability to pay employees and vendors. Affected counterparties and regulatory authorities may also demand the business upskills its staff, upgrades cyber protections, and/or submits to additional audits.
Pricing this risk will involve a detailed understanding of daily, and even hourly, revenues from individual mines and processing facilities, which in turn will inform decisions about appropriate cyber insurance and, in the event of an attack, whether to pay a ransom.
Understanding operational technology
Historically, information technology (IT) infrastructure has been the target. But threat actors are increasingly focused on OT systems, which control and monitor equipment that interacts with the physical environment. Many of these systems are easy prey because they are outdated and harder to monitor.
Legacy devices are frequently retrofitted to connect to the internet and may therefore rely on less secure technologies such as low-bandwidth telecoms infrastructure or even general WiFi networks. Moreover, many of these devices date back to the “security through obscurity” era, in which professionals believed that older or air-gapped technology was less vulnerable to attack.
The integration of IT and OT has also increased mining companies’ attack surface, with more points of vulnerability where an unauthorized user can compromise a system or exploit a weak control.
This threat can be exacerbated by the fact that IT and OT security require different skills and expertise, and are sometimes managed by different job functions.
IT is typically led at the enterprise level by a central team that will set and enforce policies, processes, and standards. OT, meanwhile, is generally managed at the asset level by a site manager, who will adapt processes around local staff, machinery, and digital connections according to daily conditions.
IT security programs focus on the confidentiality, integrity, and availability of information for an entire organization, whereas those deployed across OT infrastructure tend to prioritize the safety of people and the immediate environment.
If an attacker were to threaten a mine’s ventilation system, for example, there would be a risk of injury and death. The local manager would have to evacuate the mine, leading to operational and financial disruption. Any cyber attack targeting OT infrastructure also needs to be carefully managed, given the risk that a shutdown or software patch deployed to address that threat could cause OT systems to malfunction, potentially harming employees on the ground.
An OT cybersecurity team should include IT, control engineers, control system operators, security subject-matter experts, and enterprise risk management teams, according to the U.S. National Institute of Standards and Technology (NIST). Some mining companies have highly specialized central OT teams, but they may not be able to monitor and detect security risks at individual mines and processing facilities whose systems may be separate or federated. They may also not understand how OT infrastructure is connected or designed at the local level.
M&A and private equity roll-ups
Some market observers note that conditions for a rebound in sector M&A remain strong. These include rising demand for metals such as copper that are central to powering AI and clean energy, the opportunity to develop new supplies of minerals, and increased competition for precious metals, iron ore, and coal.
In an acquisition, a buyer risks taking on the threats, vulnerabilities, and liabilities of the target. Identifying these ahead of time where possible can inform the offer price (and indeed whether the deal goes ahead), and prevent future financial, regulatory, and reputational harm. This, however, may not be possible in the event of a public hostile deal.
For the seller, demonstrating robust cybersecurity practices and accurately disclosing vulnerabilities can make the company more attractive to buyers, and reduce post-closing liabilities.
The M&A process itself is risky. Threat actors know that parties are distracted, sharing valuable data, working closely with multiple third parties, and integrating IT systems and networks—leaving them vulnerable to data breaches, ransomware strikes, supply chain attacks, phishing, and insider threats. They are aware that during this vulnerable time for companies, parties such as buyers, sellers, and investors can be exploited for payment.
Even after a deal completes, those risks remain. During the handover period, parties often share responsibility for systems, technology, sites, and physical architecture, raising the risk of security gaps emerging that threat actors can exploit. Moreover, prior to closing, there are antitrust concerns about coordination on any issues, including cyber.
For example, if the buyer and seller host data in different systems, they often use a third-party staging environment as an intermediate step. A detailed transition services agreement (TSA) should set out who owns the environment and who is responsible for securing systems and data during a transition. An attack that takes place in the integration phase can leave the buyer exposed to higher ransom demands commensurate with the now-larger company.
Under GDPR, data protection authorities may also impose administrative fines of up to EUR20m or up to 4% of a company’s global annual turnover. A cyber attack during a merger raises the threat of larger regulatory fines than the legacy businesses alone would have faced. Indeed, U.S. regulators have scrutinized diligence practices that failed to adequately identify cyber risks.
Staff attrition during a merger is another threat, with cyber specialists in high demand across all sectors. These losses can be acute in the mining industry, where knowledge of OT operations tends to be highly specialized. Compounding the problem, technology teams in a merger context are frequently asked to roll out new systems they may not yet fully understand.
Once a deal closes, the buyer should identify any data protection, AI, and cybersecurity issues that require immediate attention and implement appropriate mitigation strategies. It must also develop compliance processes to address any issues that arise during integration and deploy robust IT security measures and processes to safeguard newly acquired data sets.
These themes are all apparent in private equity roll-ups, where investors look to acquire and combine multiple companies with different staff, systems and standards—sometimes in quick succession.
Shifting geopolitics
Access to raw materials is increasingly critical for geostrategic superiority, with rare earths and other minerals vital to the development of advanced technologies such as semiconductors, renewable energy infrastructure, and battery storage systems.
The International Energy Agency predicts that over the next 20 years, meeting the goals of the Paris Agreement will trigger rises in demand for copper and rare earths (40%), nickel and cobalt (60–70%), and lithium (90%). As a result, disrupting materials supply chains has become a feature of the struggle for global supremacy, with mining companies under threat from state actors, or criminal gangs operating with tacit support from hostile governments.
In some cases, these gangs may bolster national security efforts by disrupting mining operations, and in others they may act to mask intrusion by a nation state. Earlier this year, for example, the rare earth miner Northern Minerals suffered a ransomware attack shortly after the Australian government intervened to force Chinese investors to exit their stake in the company.
Government threat actors, while not financially motivated, regularly carry out covert reconnaissance in a bid to steal mining companies’ trade secrets and sensitive data. In many cases the blurring of the lines between criminal gangs and nation states makes it hard to distinguish who is ultimately behind an attack.
Cyber attacks are already a feature of the standoff between China and the U.S., and may become more prevalent as trade hostilities escalate.
In February 2024, U.S. authorities found that Volt Typhoon, a Chinese state-sponsored cyber actor, had sought “to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the U.S.”
That led agencies from the U.K., U.S., Australia, Canada, and New Zealand to warn critical infrastructure operators that threat actors were using “sophisticated techniques” to camouflage their activity on victims’ networks, and “exploiting native tools and processes built into computer systems to gain persistent access and avoid detection.”
Boards and management must be knowledgeable
To combat these growing threats, mining companies require specialist knowledge at the staff, executive, and board levels.
A board that acknowledges the cyber risks posed by operational technology will insist on regular reporting, robust risk management, and an operational health and safety-led approach that protects both the business and its people. It will also ensure sufficient investment, insist on full-staff training and upskilling, and be better prepared to navigate geopolitical developments around the world.
Across sectors, businesses are appointing more directors with cybersecurity experience. A&O Shearman’s Annual Corporate Governance and Executive Compensation Survey found that as of 2024, 88 of the top 100 NYSE and Nasdaq-listed companies in the U.S. by market capitalization and revenue had added cyber expertise to their boards, up from 56 in 2022 and 70 in 2023.
At the same time, 51 of the companies had two or more members of management responsible for cybersecurity and data security/privacy. Across the 100 companies, those with the main authority include chief information security officers (71), chief information officers (24), chief security officers (12), and chief technology officers (11).
Lower down the ranks, however, companies are struggling to find the right staff. Some 67% of global cyber practitioners polled by industry training group ISC2 said their organizations faced staff shortages within their cyber teams, while 35% noted a lack of qualified talent.
At all levels, specialist support is needed to target exposures and liabilities arising from specific markets and operational contexts. Managing cyber risks requires detailed processes to gather and act on threat intelligence, including during M&A diligence and post-deal integration.
Global regulators hold boards responsible for cybersecurity
As lawmakers across the U.S., Australia, and Europe tighten their cybersecurity rules, boards and management teams are expected to demonstrate specialist expertise—and in some cases will be held accountable for any failures.
Europe
The NIS2 Directive (2023) is an update to EU cybersecurity rules introduced in 2016 to help new sectors and entities keep up with increased digitization and an evolving cybersecurity threat landscape. It includes a requirement that boards and CEOs have the “knowledge and skills necessary to assess cybersecurity risks, challenge security plans, discuss activities, formulate opinions, and evaluate policies and solutions that protect the assets of their organization.” Any failure to maintain adequate risk oversight “can expose companies, officers, and directors to liability.”
GDPR, which covers data protection and privacy, requires companies to safeguard certain types of data and report any breaches within 72 hours.
Regarding the U.K. version of the legislation, the Information Commissioner’s Office (ICO) says: “The board, or highest senior management level, has overall responsibility for data protection and information governance.”
The Cyber Resilience Act (2024) also places mandatory cybersecurity requirements on products that include digital elements.
Australia
The Cyber Security Act 2024 is part of a legislative package of reforms that includes amendments to the Intelligence Services Act 2001 and the Security of Critical Infrastructure Act 2018. Organizations should determine whether they are subject to the Cyber Security Act, and if so, implement relevant security standards and comply with ransomware reporting obligations.
According to the Australian Institute of Company Directors, “it is not the role of the board to manage cyber risk directly” and “there is no strict rule on where responsibility for cyber security leadership should sit at the management level.” However, it recommends that all businesses formally assign these duties, and that leaders take part in training to enable them to monitor cyber measures.
U.S.
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) (2022) and the SEC's cyber-disclosure rule (2023) have significantly impacted board-level responsibilities regarding cybersecurity. In addition, federal agencies such as the Transportation Security Administration (TSA) and Department of Defense (DoD) are introducing new regulations and contracting requirements, which can be the basis of a False Claims Act (FCA) claim.