KPMG to check cybersecurity compliance across Saudi Aramco’s suppliers

By Shilpa Annie Joseph, Official Reporter

Saudi Arabia’s multinational petroleum and natural gas company, Saudi Aramco, has signed an agreement with Anglo-Dutch multinational professional services network KPMG to examine and strengthen the cybersecurity compliance checks across Aramco’s third parties and suppliers.

Through this deal, the company intends to increase security at its critical Middle Eastern oil and gas facilities, which have previously been targets of cyber warfare.

Mr. Abdulaziz Alnaim, Managing Partner of KPMG’s Eastern Province office, said, “Based on our analysis of minute-by-minute technological disruptions and ever-changing cybersecurity needs, we believe that vital national assets such as Aramco need to be fully protected with state-of-the-art and seamless cybersecurity systems.”

According to the agreement, KPMG will assess Aramco’s third-party and supplier partners following the Cybersecurity Compliance Certificate (CCC) framework and issue certificates confirming their full compliance with the Saudi Aramco Third-Party Cybersecurity Standard.

Suppliers, including general vendors and those specializing in outsourced infrastructure, customized software, network connectivity, and critical data processors, need to obtain Saudi Aramco’s cybersecurity standard certification. Successful suppliers will submit the CCC, along with the detailed report from KPMG, to Aramco’s e-marketplace system.

“Third-party risk is a key risk in the area of cybersecurity, managing this risk will improve the cyber posture of organizations who heavily depend on external parties or suppliers. More organizations should follow the direction which Aramco has taken,” commented Mr. Ton Diemont, Head of Cybersecurity for KPMG Saudi Arabia, Jordan, Iraq, and Lebanon.

Certificates issued by KPMG will be valid for two years. Furthermore, a new certificate must be obtained and submitted if a supplier is awarded a new contract that requires a cybersecurity classification type not covered by the specifications of the current certificate.
