KPMG to Assess Cybersecurity Posture for Energy Giant Aramco's Suppliers

News Highlights

  1. Aramco has implemented the Third-Party Cybersecurity Compliance Certificate (CCC) Programme
  2. KPMG to assess and certify the cybersecurity compliance of Aramco suppliers
  3. The suppliers who need to obtain the CCC are general vendors, outsourced infrastructure, customized software, network connectivity and critical data processors

(RIYADH, DUBAI) April 25, 2021: KPMG Professional Services in Saudi Arabia has signed an agreement with Aramco, one of the largest energy and chemicals companies in the world, to examine and strengthen the cybersecurity compliance checks across Aramco's third parties and suppliers.

Aramco has recently implemented the Third-Party Cybersecurity Compliance Certificate (CCC) Programme, a strategic initiative to certify existing and new third parties and suppliers before conducting business. An MoU was signed by Hossain Alshedoki, Manager of Cybersecurity Advisory and ENR Cybersecurity Sector Lead at KPMG Professional Services, and witnessed by Abdulaziz Alnaim, KPMG Office Managing Partner in the Eastern Province of Saudi Arabia.

"Based on our analysis of minute-by-minute technological disruptions and ever-changing cybersecurity needs, we believe that vital national assets such as Aramco need to be fully protected with state-of-the-art and seamless cybersecurity systems," said Alnaim during the ceremony. "We are grateful for the trust that Aramco has bestowed upon us, which will go a long way in the continuity of supplying vital resources to the world."

The agreement stipulates that KPMG is to assess Aramco's third parties and suppliers as per the CCC framework, and to issue certificates verifying their full adherence to the Saudi Aramco Third-Party Cybersecurity Standard (SACS-002).

The types of suppliers who need to obtain the certificate include general vendors, outsourced infrastructure, customized software, network connectivity and critical data processors. Successful suppliers will submit the CCC, along with the detailed report from KPMG, to Aramco's e-marketplace system.

"Third-party risk is a key risk in the area of cybersecurity; managing this risk will improve the cyber posture of organizations who heavily depend on external parties or suppliers. More organizations should follow the direction which Aramco has taken," said Ton Diemont, Head of Cybersecurity for KPMG Saudi Arabia, Jordan, Iraq and Lebanon.

Issued certificates will be valid for two years. If a supplier is awarded a new contract that involves a cybersecurity classification type not covered in the specifications of its valid certificate, a new certificate will need to be obtained and submitted.

The requirements for a new contract with Aramco therefore depend on the category of the bidder's cybersecurity classification. If the new contract falls under the standard cybersecurity classification, there is no requirement to apply for a new certificate. If it does not, the bidder needs to contact KPMG to conduct a cybersecurity compliance assessment based on updated classifications that cover both the original and the new categories.

More updates regarding the certification process will be communicated to suppliers as required.