Major operators require Tier-1 digital security. See the 5-point checklist your business website must pass to survive the Vendor Risk Assessment (VRA).
1. The New Barrier to Entry: The “Digital Supply Chain” Audit
For decades, the barrier to working with International Oil Companies (IOCs) like ExxonMobil and Hess was financial capacity and safety records.
Today, a new barrier has emerged: Cybersecurity Hygiene.
IOCs view their local vendors as “Entry Points” for hackers. A breach in your small logistics firm’s email server can be the gateway for a phishing attack on Exxon’s procurement database.
As a result, major operators now enforce a strict Vendor Risk Assessment (VRA).
If your digital infrastructure triggers a “High Risk” rating during the automated background scan, your vendor application can be silently deprioritized or rejected. This ties directly into the hidden “Risk Score” algorithm that determines contract eligibility.
2. The Threat: “Supply Chain Attacks”
ExxonMobil’s 2025 Supplier Communication explicitly states that vendors must maintain cybersecurity measures “consistent with industry best practices” and warns against “phishing attacks that rely on personal inattention.”
The “Shared Hosting” Problem
If you are using cheap, shared hosting (e.g., GoDaddy, Bluehost), you are sharing a server IP address with thousands of other websites—including gambling sites and spam blogs.
- The Risk: If one of your “neighbors” gets blacklisted for spam, your corporate email lands in the Exxon junk folder.
- The Fix: You need Sovereign, Dedicated Infrastructure where you own the IP reputation.

3. The 5-Point “IOC-Ready” Checklist
To survive the Vendor Risk Assessment, your digital presence must pass these 5 technical checks used by automated procurement scanners (like SAP Ariba and Coupa).
(For more on why these scanners can’t read traditional documents, see The Ariba Barrier guide).
1. Encryption in Transit (TLS 1.3)
Your site must do more than just “have the padlock.” It must enforce TLS 1.3. Older protocol versions (TLS 1.0/1.1) are flagged as vulnerabilities by Hess’s security scanners.
2. Data Sovereignty (Residency)
Where does your data live? If you handle employee data (for payroll/crewing), storing it on non-compliant servers violates data protection clauses in standard IOC contracts. Your infrastructure should utilize Tier-1 Cloud Providers (AWS/Google Cloud) with clear data residency protocols.
3. OWASP Top 10 Mitigation
Hackers use SQL Injection and Cross-Site Scripting (XSS) to breach vendor forms. Your website must be built on a secure framework (like React/Next.js) that escapes untrusted input by default, rather than hand-written PHP templates that paste user input straight into HTML or SQL.
4. The “No-Gmail” Rule
Submitting a tender with a @gmail.com or @yahoo.com address is an automatic “Professionalism Red Flag.” It signals a lack of internal IT controls. You must have a secure, domain-authenticated email infrastructure (SPF/DKIM/DMARC).
5. 99.99% Uptime SLA
“Best Effort” uptime is unacceptable for critical logistics. If your site goes down during a tender submission window, you lose the bid. You need an infrastructure backed by a Service Level Agreement (SLA).
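Point 4 is the one check a vendor can verify from the outside before a scanner does. The following Python is an added example (not code from the article or from any procurement scanner): it grades a domain’s SPF, DKIM and DMARC records the way a receiving mail server would. The TXT records are constructed for a hypothetical vendor-example.gy; in practice txt_lookup would wrap a real DNS query.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample TXT records for a hypothetical vendor domain (no real DNS lookups).
SAMPLE_TXT = {
    "vendor-example.gy": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.vendor-example.gy": ["v=DMARC1; p=none; rua=mailto:dmarc@vendor-example.gy"],
    "google._domainkey.vendor-example.gy": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq(constructed)"],
}
SPF_ALL = {"-all": "fail", "~all": "softfail", "?all": "neutral", "+all": "pass"}


@dataclass
class EmailAuthReport:
    spf_policy: Optional[str] = None    # what SPF tells receivers to do with unlisted senders
    dmarc_policy: Optional[str] = None  # the p= tag of the DMARC record
    dkim_selectors: list = field(default_factory=list)
    findings: list = field(default_factory=list)  # human-readable weaknesses


def assess_email_auth(domain, txt_lookup, selectors=("default", "google", "selector1")):
    """Grade SPF/DKIM/DMARC for `domain`; txt_lookup(name) returns that name's TXT strings."""
    rep = EmailAuthReport()
    spf = [r for r in txt_lookup(domain) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        rep.findings.append(f"SPF: expected exactly one v=spf1 record, found {len(spf)}")
    else:
        # The 'all' mechanism decides unlisted senders; bare 'all' is '+all', none at all is neutral.
        m = next((t for t in spf[0].split() if re.fullmatch(r"[-~?+]?all", t, re.I)), "?all")
        mech = ("+" + m if m[0].isalpha() else m).lower()
        rep.spf_policy = SPF_ALL[mech]
        if rep.spf_policy in ("pass", "neutral"):
            rep.findings.append(f"SPF: '{mech}' lets any host send mail as {domain}")
        elif rep.spf_policy == "softfail":
            rep.findings.append("SPF: ~all is advisory only; use -all once every sender is listed")
    dmarc = [r for r in txt_lookup(f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        rep.findings.append("DMARC: no _dmarc record, so receivers never reject spoofed mail")
    else:
        tags = dict(kv.strip().split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)
        rep.dmarc_policy = tags.get("p", "none").lower()
        if rep.dmarc_policy == "none":
            rep.findings.append("DMARC: p=none only monitors; move to quarantine or reject")
    for sel in selectors:
        if any(r.upper().startswith("V=DKIM1") for r in txt_lookup(f"{sel}._domainkey.{domain}")):
            rep.dkim_selectors.append(sel)
    if not rep.dkim_selectors:
        rep.findings.append("DKIM: no public key published under the checked selectors")
    return rep
```

Run with `assess_email_auth("vendor-example.gy", lambda n: SAMPLE_TXT.get(n, []))`: the sample domain passes the basic “has SPF/DKIM/DMARC” test yet still earns two findings, because ~all and p=none leave spoofed mail undelivered only at the receiver’s discretion.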
4. The “Penetration Test” Reality: When Hess Hacks You (Legally)
Most vendors assume an audit is just “sending PDF documents.” This is dangerous. Hess Corporation’s vendor terms explicitly reserve the right to “investigate any improper use” and enforce security rules. In 2026, this often translates to an automated Penetration Test (Ethical Hack).
Once you submit your URL to the vendor portal, their security bots may launch a “Grey Box” attack against your website to see if it crumbles.
The 3 Most Common Ways Vendors Fail this Test:
- 1. The “Open Book” Failure (Directory Indexing): If the bot navigates to www.yourcompany.gy/wp-content/uploads/ and sees a raw list of PDF files and images instead of a “403 Forbidden” error, you fail immediately. This is called “Directory Browsing,” and it allows hackers to map your entire server structure to find sensitive documents you thought were hidden.
- 2. The “Zombie Software” Flag: The bot checks your source code. If it detects you are running WordPress 5.8 when the current version is 6.7, it flags your site as “Vulnerable to Known Exploits.” You cannot get a Tier-1 contract if your digital front door has 3-year-old rusty locks.
- 3. The “Admin Door” Exposure: If the bot can access your login page at the standard /wp-admin or /login URL, it records a “Brute Force Risk.” Tier-1 compliant sites hide their login URLs (e.g., moving them to /staff-portal-access) and enforce Two-Factor Authentication (2FA).
The Consequence: If you fail the Pen-Test, you do not get a phone call to “fix it.” You are silently tagged as “Cyber-High-Risk,” which often triggers an automatic disqualification from sensitive tender lists.
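A vendor can run the three checks above against its own site before handing a URL to the portal. The Python below is an added example (not code from the article or from any operator’s scanner): it grades captured HTTP responses for directory listings, an advertised out-of-date WordPress version, and a login form served at the standard path. The responses are constructed for a hypothetical site, and the “current” version 6.7 is the figure the article quotes.

```python
import re

# Constructed sample (status, body) pairs, as a scanner would see them on a hypothetical site.
SAMPLE_RESPONSES = {
    "/wp-content/uploads/": (200, "<html><head><title>Index of /wp-content/uploads</title></head>"
                                  "<body><a href='../'>Parent Directory</a>"
                                  "<a href='crew-list-2025.pdf'>crew-list-2025.pdf</a></body></html>"),
    "/": (200, '<html><head><meta name="generator" content="WordPress 5.8" /></head><body>Hi</body></html>'),
    "/wp-admin/": (200, '<html><body><form id="loginform" action="/wp-login.php">'
                        '<input name="log"><input name="pwd" type="password"></form></body></html>'),
}
CURRENT_WORDPRESS = (6, 7)  # the "current version" the article quotes; update as releases move on


def check_directory_listing(status, body):
    """Open Book: a 200 carrying an auto-generated index page instead of a 403/404."""
    return status == 200 and ("Parent Directory" in body
                              or re.search(r"<title>\s*Index of\s*/", body, re.I) is not None)


def check_outdated_generator(body, current=CURRENT_WORDPRESS):
    """Zombie Software: return the advertised WordPress version if it is older than `current`."""
    m = re.search(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', body, re.I)
    if not m:
        return None  # nothing advertised, which is what a hardened site should show
    found = tuple(int(p) for p in m.group(1).split("."))
    return m.group(1) if found < current else None


def check_login_exposed(status, body):
    """Admin Door: the standard login path answers 200 with a WordPress login form."""
    return status == 200 and re.search(r'<form[^>]*id="loginform"', body, re.I) is not None


def grade_site(responses, current=CURRENT_WORDPRESS):
    """Map each failure mode from the article onto the captured responses; empty list = pass."""
    failures = []
    for path, (status, body) in responses.items():
        if check_directory_listing(status, body):
            failures.append(f"Open Book: directory listing served at {path}")
        version = check_outdated_generator(body, current)
        if version:
            failures.append(f"Zombie Software: WordPress {version} advertised at {path}")
        if path in ("/wp-admin/", "/wp-login.php", "/login") and check_login_exposed(status, body):
            failures.append(f"Admin Door: login form reachable at {path}")
    return failures


if __name__ == "__main__":
    for line in grade_site(SAMPLE_RESPONSES):
        print("FAIL", line)
```

The constructed site fails all three checks; a hardened one answers 403 on the uploads folder, omits the generator tag, and redirects the standard login path.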
5. Conclusion
A secure website is not an IT expense; it is a Contractual Asset.
If you cannot prove you can protect your own data, Exxon will never trust you with theirs.
Action Item: Request a “VRA Pre-Scan” from the Global Technical Centre to see if your current site would pass or fail an IOC audit.
- Reference: ExxonMobil – 2025 Supplier Communication Standards
- Reference: Hess Corporation – Vendor Security Requirements
