Saudi Aramco hires KPMG to oversee cyber security compliance among suppliers

Companies will need to certificates to make sure they have met security standards

Crude oil storage tanks stand at the oil refinery operated by Saudi Aramco in Ras Tanura, Saudi Arabia, on Monday, Oct. 1, 2018. Saudi Aramco aims to become a global refiner and chemical maker, seeking to profit from parts of the oil industry where demand is growing the fastest while also underpinning the kingdom’s economic diversification. Photographer: Simon Dawson/Bloomberg
Powered by automated translation

Saudi Aramco, the world's largest oil-exporting company, signed an agreement with KPMG to examine cybersecurity compliance among its third-party suppliers.

The company is stepping up protection of its critical Middle Eastern oil and gas facilities, which have been targets of cyber warfare in the past.

Suppliers including general vendors and those specialising in outsourced infrastructure, customised software, network connectivity and critical data processors need to obtain Saudi Aramco's cyber security standard certification.

“Based on our analysis of minute-by-minute technological disruptions and ever-changing cyber security needs, we believe that vital national assets such as Aramco need to be fully protected with state-of-the-art and seamless cybersecurity systems,” said Abdulaziz Alnaim, managing partner of KPMG's Eastern Province office.

The financial fallout from cyber-attacks in the Arabian Gulf in 2017 was estimated at more than $1 billion, according to a 2018 report by Siemens. The pandemic and remote working model have further intensified the threat across the world and in the Middle East.

The cost of data breach among a selected sample of companies in the UAE and Saudi Arabia rose 9.4 per cent, costing them $6.53 million per breach, according to a 2020 study by IBM Security.

While the financial services sector suffered the most cyber attacks, the Middle East's oil and gas facilities have also been targeted.

Three out of four oil and gas companies in the Middle East suffered at least one security breach resulting in the loss of confidential information or disruption to operations, according to a report on the cyber threat landscape for oil and gas, published by Microsoft in 2018.

One of the most prominent breach was the Shamoon virus attack on Saudi Aramco systems in 2012, which wiped hard drives of some some 30,000 computers clean.

The attacks were blamed on Iran, which denied responsibility.

In 2017, a $20bn petrochemical project joint venture between Saudi Aramco and Dow Chemicals also experienced a spate of hacking attacks.

“Third-party risk is a key risk in the area of cyber security, managing this risk will improve the cyber posture of organisations who heavily depend on external parties or suppliers. More organisations should follow the direction which Aramco has taken,” said Ton Diemont, head of cyber security for KPMG Saudi Arabia, Jordan, Iraq and Lebanon.

Certificates issued by KPMG will be valid for two years. However, if a supplier is awarded a contract which has specifications not included in the certificate then a new one will need to be issued.