Saudi Aramco Hires KPMG To Oversee Cybersecurity Compliance Among Suppliers


Companies will need certificates to make sure they have met security standards

Saudi Aramco, the world’s largest oil-exporting company, signed an agreement with KPMG to examine cybersecurity compliance among its third-party suppliers.

The company is stepping up protection of its critical Middle Eastern oil and gas facilities, which have been targets of cyber warfare in the past.

Suppliers including general vendors and those specialising in outsourced infrastructure, customised software, network connectivity and critical data processors need to obtain Saudi Aramco’s cybersecurity standard certification.

‘Based on our analysis of minute-by-minute technological disruptions and ever-changing cybersecurity needs, we believe that vital national assets such as Aramco need to be fully protected with state-of-the-art and seamless cybersecurity systems’, said Abdulaziz Alnaim, managing partner of KPMG’s Eastern Province office.

The financial fallout from cyber-attacks in the Arabian Gulf in 2017 was estimated at more than $1 billion, according to a 2018 report by Siemens. The pandemic and remote working model have further intensified the threat across the world and in the Middle East.

The cost of data breach among a selected sample of companies in the UAE and Saudi Arabia rose 9.4 per cent, costing them $6.53 million per breach, according to a 2020 study by IBM Security.

Also Read: Emerging AI and ML Trends You Must Know in 2021

While the financial services sector suffered the most cyber attacks, the Middle East’s oil and gas facilities have also been targeted.

Three out of four oil and gas companies in the Middle East suffered at least one security breach resulting in the loss of confidential information or disruption to operations, according to a report on the cyber threat landscape for oil and gas, published by Microsoft in 2018.

One of the most prominent breaches was the Shamoon virus attack on Saudi Aramco systems in 2012, which wiped the hard drives of some 30,000 computers clean.

In 2017, a $20bn petrochemical project joint venture between Saudi Aramco and Dow Chemicals also experienced a spate of hacking attacks.

‘Third-party risk is a key risk in the area of cybersecurity, managing this risk will improve the cyber posture of organisations who heavily depend on external parties or suppliers. More organisations should follow the direction which Aramco has taken’, said Ton Diemont, head of cybersecurity for KPMG Saudi Arabia, Jordan, Iraq and Lebanon.

Certificates issued by KPMG will be valid for two years. However, if a supplier is awarded a contract that has specifications not included in the certificate then a new one will need to be issued.