Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Jun. 30, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Our approach to managing material risks from cyber threats is integrated into our overall risk management framework. Cybersecurity risks are addressed by BHP’s Risk Framework, a system of control for identifying and managing risks, implemented by the CEO.
>For information on our Risk Framework refer to OFR 7
We employ a number of measures designed to protect against, detect and respond to cyber threats, events or attacks, including BHP’s mandatory minimum performance requirements for technology and cybersecurity, cybersecurity performance requirements for suppliers and cybersecurity resilience programs. In addition, cybersecurity standards, cybersecurity risk and control guidance, security awareness programs and training to build capability, security assessments and continuous monitoring, restricted physical access to hardware and crisis management plans (in collaboration with the Crisis Management Team) are also in place to manage cybersecurity.
We utilise dedicated internal and external cybersecurity personnel to focus on assessing, detecting, identifying, managing, preventing and responding to cyber threats, events and attacks. We have a dedicated cybersecurity team, which has been in place since 2016 and has 24/7 monitoring and response capability that leverages core in-house capability and expert external service providers. Our assets, functions and projects are responsible for managing localised or project-specific exposure to technology and cyber risks, including risks associated with business-critical technology systems, with guidance provided by our cybersecurity team. Enterprise-level risks that are specific to technology, such as those that pose a greater threat to our wider business and strategic opportunities, are managed by our global Technology team and other relevant stakeholders. To monitor and manage the cybersecurity risk exposure, we also leverage latest technologies, support and input from strategic cybersecurity partners, utilising threat intelligence capabilities and conducting resilience exercises to uplift our response in the instance of a cyber incident.
We regularly evaluate and assess the threat landscape and our security controls, including through audits and assessments, regular network and endpoint monitoring, vulnerability testing, penetration testing and tabletop exercises that include members of BHP’s management team. To assess the design and effectiveness of our cybersecurity controls, we engage with assessors, consultants, auditors or other third parties, including through independent third-party reviews of our information technology security program conducted on a periodic basis. We have processes in place to consider and remediate any findings from these reviews and assessments as required. We also have processes to oversee and identify material cybersecurity risks associated with our use of third-party service providers, including performing diligence on certain third parties that have access to our systems, data or facilities that store or process sensitive data and we continually monitor cybersecurity risks identified through such diligence. We also utilise contractual clauses to manage cybersecurity and data privacy risks, including by requiring certain agreements to be subject to periodic cybersecurity audits.
We have experienced targeted and non-targeted cybersecurity threats in the past; however, no prior cybersecurity incident has materially affected our business strategy, results of operations or financial condition.
>For information on our risk factors refer to OFR 11
Governance
The Board, supported by the Risk and Audit Committee (RAC), is responsible for oversight of emerging and principal risks facing the Group. The Board and the RAC receive updates on the Group’s cybersecurity position, and the Group has policies in place through the Group’s disclosure process that are designed to escalate material incidents.
>For information on other Board Committee activities that support risk governance at BHP refer to ‘Risk governance’ in 9.1 and the Corporate Governance Statement 5
The CEO is responsible for the effectiveness of BHP’s Risk Framework with oversight from the Board. Primary responsibility for Technology and Innovation risks (which includes cybersecurity risks), rests with the Chief Technical Officer under authority delegated by the CEO.
The Vice President (VP) Technology Cybersecurity & Architecture is responsible for overseeing the performance of cybersecurity risks and provides reports concerning these matters to the Chief Technical Officer.
Our VP Technology Cybersecurity & Architecture oversees the prevention, detection, mitigation and remediation of cybersecurity incidents through their management of, and participation in, our cybersecurity risk management and cybersecurity strategy processes described earlier.
Our VP Technology Cybersecurity & Architecture leads the BHP cybersecurity team involved in monitoring and managing our cyber security threat risk and assurance process. That team includes personnel with significant information technology experience. Our current VP has more than 25 years of experience in the information technology and information security field, including serving as chief information security officer (CISO) and deputy CISO at other large companies. Additionally, our VP holds a number of qualified technical expert certifications, including Certified Information Systems Security Professional (CISSP) since 2001 and various cybersecurity-related technical certifications, in addition to Master in Information Technology (specialising in Information Security) and Master in Business Administration degrees, and is active in various cybersecurity industry collaboration groups internationally.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
Our approach to managing material risks from cyber threats is integrated into our overall risk management framework. Cybersecurity risks are addressed by BHP’s Risk Framework, a system of control for identifying and managing risks, implemented by the CEO.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
We also have processes to oversee and identify material cybersecurity risks associated with our use of third-party service providers, including performing diligence on certain third parties that have access to our systems, data or facilities that store or process sensitive data and we continually monitor cybersecurity risks identified through such diligence. We also utilise contractual clauses to manage cybersecurity and data privacy risks, including by requiring certain agreements to be subject to periodic cybersecurity audits.
We have experienced targeted and non-targeted cybersecurity threats in the past; however, no prior cybersecurity incident has materially affected our business strategy, results of operations or financial condition.
Cybersecurity Risk Board of Directors Oversight [Text Block]
The Board, supported by the Risk and Audit Committee (RAC), is responsible for oversight of emerging and principal risks facing the Group. The Board and the RAC receive updates on the Group’s cybersecurity position, and the Group has policies in place through the Group’s disclosure process that are designed to escalate material incidents.
Cybersecurity Risk Role of Management [Text Block]
The CEO is responsible for the effectiveness of BHP’s Risk Framework with oversight from the Board. Primary responsibility for Technology and Innovation risks (which includes cybersecurity risks), rests with the Chief Technical Officer under authority delegated by the CEO.
The Vice President (VP) Technology Cybersecurity & Architecture is responsible for overseeing the performance of cybersecurity risks and provides reports concerning these matters to the Chief Technical Officer.
Our VP Technology Cybersecurity & Architecture oversees the prevention, detection, mitigation and remediation of cybersecurity incidents through their management of, and participation in, our cybersecurity risk management and cybersecurity strategy processes described earlier.
Our VP Technology Cybersecurity & Architecture leads the BHP cybersecurity team involved in monitoring and managing our cyber security threat risk and assurance process. That team includes personnel with significant information technology experience. Our current VP has more than 25 years of experience in the information technology and information security field, including serving as chief information security officer (CISO) and deputy CISO at other large companies. Additionally, our VP holds a number of qualified technical expert certifications, including Certified Information Systems Security Professional (CISSP) since 2001 and various cybersecurity-related technical certifications, in addition to Master in Information Technology (specialising in Information Security) and Master in Business Administration degrees, and is active in various cybersecurity industry collaboration groups internationally.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
The CEO is responsible for the effectiveness of BHP’s Risk Framework with oversight from the Board. Primary responsibility for Technology and Innovation risks (which includes cybersecurity risks), rests with the Chief Technical Officer under authority delegated by the CEO.
The Vice President (VP) Technology Cybersecurity & Architecture is responsible for overseeing the performance of cybersecurity risks and provides reports concerning these matters to the Chief Technical Officer.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
Our VP Technology Cybersecurity & Architecture leads the BHP cybersecurity team involved in monitoring and managing our cyber security threat risk and assurance process. That team includes personnel with significant information technology experience. Our current VP has more than 25 years of experience in the information technology and information security field, including serving as chief information security officer (CISO) and deputy CISO at other large companies. Additionally, our VP holds a number of qualified technical expert certifications, including Certified Information Systems Security Professional (CISSP) since 2001 and various cybersecurity-related technical certifications, in addition to Master in Information Technology (specialising in Information Security) and Master in Business Administration degrees, and is active in various cybersecurity industry collaboration groups internationally.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
The Board, supported by the Risk and Audit Committee (RAC), is responsible for oversight of emerging and principal risks facing the Group. The Board and the RAC receive updates on the Group’s cybersecurity position, and the Group has policies in place through the Group’s disclosure process that are designed to escalate material incidents.
The Vice President (VP) Technology Cybersecurity & Architecture is responsible for overseeing the performance of cybersecurity risks and provides reports concerning these matters to the Chief Technical Officer.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true