Corporate security is an essential element of sustainable development for the Group companies. As a leader in the metals and mining industry and a strategically important business, Nornickel seeks to ensure uninterrupted operations, including through strong information security.
The Company’s Corporate Security Unit is in charge of developing and implementing comprehensive corporate security measures and acts in line with Russian laws, applicable international regulations, internal standards and guidelines. To strengthen corporate security, the Company continues expanding its system of analytical situation centres.
The Management Board and all of Nornickel’s governance levels are involved in drafting internal regulations and methodologies and implementing corporate security measures. Their responsibilities include creating an information security risk management system along with reviewing and approving budgets for relevant programmes and projects.
Nornickel has developed a comprehensive corporate security management system. We pay special attention to supporting strategic investment and environmental projects.
Ensuring information security
As information is one of the most valuable resources today, Nornickel is developing its own Information Security Management System (ISMS). The ISMS covers day-to-day production management, supplies of feedstock and process materials, as well as control over production and finished product shipment targets.
To support robust information security and streamline it, the Company is subject to regular audits for compliance with personal data and critical infrastructure protection requirements and international standards on cybersecurity management, testing and assessment of data protection, vetting inspections to check information security in river and marine navigation, and other control procedures.
The last three years saw the ISO/IEC 27001:2013-compliant ISMS introduced at Nadezhda Metallurgical Plant, Copper Plant of Polar Division, and at Murmansk Transport Division. The external entities which conducted the certification audits noted Nornickel’s strong competence and conformity of its information security management systems to international standards and global best practices.
The Company operates an Information Security Incident Response Centre that leverages advanced technological solutions and relies on national and international best practices in cyber security management. Seamless information security processes and procedures have been developed and documented to ensure Nornickel’s business continuity in the event of incidents and emergencies. These procedures are tested for relevance at least once a quarter.
Information security training
Nornickel developed and approved the Rules of Raising Awareness in Information Security. On top of that, there are annual staff training plans based on current trends and newly identified risks and cyber threats. Furthermore, employees of Nornickel’s Head Office and of facilities in its regions of operation take regular knowledge tests.
To audit the systems’ performance, drill response to information security threats, and enhance the corporate information security system, the Company arranges recurrent training and workshop sessions dealing, among other things, with simulated phishing attacks and other threats to IT infrastructure. Analysis of training session results helps us revise existing and develop new instructions for employees. Information updated after training sessions is included in a quarterly newsletter sent to heads of the Company’s units. By-laws pertaining to information security inform employees of what to do if suspicious activity is detected.
Corporate security: engagement with stakeholders and best practice sharing
In Russia, Nornickel is actively engaged in public-private partnerships to maintain high security levels and enhance social stability at its facilities and in the regions of operation. We administer more than 30 federal regulations on transport security, combating terrorism, and other security aspects.
In 2021, we placed an emphasis on ongoing cooperation with:
- the Ministry of Internal Affairs of Russia to prevent theft of products and materials containing precious and non-ferrous metals, prevent drug addiction and combat illegal drug trafficking, as well as maintain security at public events;
- the Federal Customs Service of Russia to prevent cross-border smuggling of metal-bearing materials;
- the Ministry of the Russian Federation for Civil Defence, Emergencies and Elimination of Consequences of Natural Disasters (EMERCOM) to drill emergency responses and disaster relief operations.
Our collaboration with law enforcement and regulatory authorities includes our representatives’ participation in public and advisory boards of the Ministry of Internal Affairs, Investigative Committee, Transport Prosecutor’s Office, and in interagency working groups.
Each year, Nornickel takes an active part in major national and international forums and conferences in information and transport security.
In September 2021, together with representatives of the Russian Ministry of Transport, federal agencies for various types of transport, and ministries of transport of the country’s constituent entities, heads of Nornickel’s relevant functions participated in the 10th National Conference of Transport Security and Anti-Terrorism Technologies-2021. Participants made proposals regarding amendments to the transport security legislation and certain aspects of complying with it.
Anti-money laundering and counter-terrorist financing initiatives
As required under the Federal Law On Anti-Money Laundering and Combating the Financing of Terrorism, the Company implements initiatives to combat money laundering and financing of terrorism and proliferation of weapons of mass destruction.
The key principle of internal control for AML/CFT purposes is the risk-based approach. It primarily concerns assessing the risks of customer transactions related to money laundering, and financing of terrorism and proliferation of weapons of mass destruction. Secondly, it directly relates to taking measures to mitigate money laundering and terrorist financing risks and their potential effects, among other things, by engaging all employees, within their competences, in identifying signs of a breach of law.
Depending on the risk exposure, the Company may take different measures, such as due diligence of customers prior to entering into contracts, identification of beneficial owners, analysis of customers’ business reputation and other reasonable and available measures.