Software giant SAP navigates Russian risks

MOSCOW/WALLDORF, Germany – Most Western technology companies are losing ground in Russia under the weight of restrictive rules and mounting local competition. Germany’s SAP (SAPG.DE) is thriving.

SAP is the clear leader in the Russian business-planning software market, supplying 53 of the top 100 Russian companies by revenue, according to a Reuters analysis of company filings.

Its success has come at a time of intense legal pressure on foreign technology firms, including a law requiring them to allow Russian authorities to hunt for vulnerabilities in their software, which has raised security concerns in Washington.

While the likes of Oracle (ORCL.N), Microsoft (MSFT.O) and Google (GOOGL.O) have been losing market share, Russia is one of SAP’s fastest-growing markets, with revenue rising by about a third to 468 million euros ($565 million) last year.

Part of the reason for this, analysts say, is that its products are entrenched in running the biggest state firms in industries including energy, metals, transport and retail. The German firm has invested heavily in the market, even sponsoring top-tier Saint Petersburg football club Zenit.

It is consequently winning new work with clients, including supplying cloud-based applications that build on its existing software; for example, last month Russia’s largest bank Sberbank (SBER.MM), which is state-owned, said it had put in place a new SAP human resources system covering 230,000 employees.

“The large state companies … all use SAP because of the long-term investment involved, the money already spent and because the software works,” said Moscow-based software analyst Elena Semenovskaia of global tech research firm IDC. “You would have to be insane to rip out SAP and install something else.”

At a time of fraught ties between Russia and the West, SAP has also taken steps to smooth relations with authorities on both sides.

Russia is a small market for SAP, representing just 2 percent of its global revenue, but its actions highlight the complications facing global technology firms operating in a world divided over national security concerns. Balancing the security interests of one country with those of a rival power, when both are using the same software, can be a minefield.

For example, SAP has hired a former general from Russia’s FSB Federal Security Service to help it manage its relationship with the Russian government and security services, according to publicly available records and a source close to the company.

In a move that could help assuage Western security concerns about its exposure to Russian authorities, the company also says it only allows Russian examinations of its products’ inner workings, or source code, to be conducted at a special “clean room” laboratory in Germany.

SAP told Reuters it has complied on rare occasions with Russian software vetting rules while making every effort to ensure the security of products and customers elsewhere.

Asked about the hiring late last year of the ex-FSB general, Vladimir Vladlenovich Skorik, it said: “Such individuals may provide insight into the certification processes that SAP will have to undertake as it sells into the public sector.”

Reuters could not establish Skorik’s exact job title or responsibilities. He did not reply to a message sent to his official SAP email account.

The practice of employing former operatives to give companies insight into state security processes is also common in some Western countries, including the United States.

The Kremlin and FSB did not respond to requests for comment about Skorik’s employment.

INSIDE THE CLEAN ROOM

SAP is Europe’s biggest software company but number four globally behind U.S. rivals Microsoft, Oracle and IBM in terms of annual sales. It focuses on business-planning software while rivals are more diversified.

Microsoft faces a tough road in Russia because its accounting-focused software faces direct competition from the Russian market leader in that area, 1C. Database giant Oracle has also lost ground in the market over the past decade.

Google and Facebook have long struggled with copycat rivals – Yandex in search and VKontakte in social networking – that put them in the unusual position of second-place players. Recent antitrust and data law changes have also increased pressure on both firms.

SAP, by contrast, is the undisputed leader in the Russian business-planning software market, with 50 percent of the market.

Reuters has reported in recent months that SAP and other companies have acceded to demands by Russian authorities, including the FSB, to allow military contractors to review the source code of some of their products.

Moscow says the reviews are necessary to detect flaws in foreign-made software used by Russian state companies which could be exploited by hackers. But U.S. lawmakers fear they pose a security threat as the same software is used by American government agencies.

Cyber security firms Symantec and McAfee no longer allow foreign governments to review the source code of their products because of security concerns. This shuts them out of parts of Russia’s state technology market, but it was unclear how much business either company previously had in those areas.

Reuters was given exclusive access to visit SAP’s “clean room” near its headquarters in the town of Waldorf in the southern German state of Baden-Wuerttemberg.

Visitors descend below ground through three zones of security to enter a metal cargo shipping container equipped to block electromagnetic signals.

Russian code-testers accredited by the Russian security services fly in to conduct the examinations. No outside electronics, notepads or even pencils are allowed into the site. The testers have access to an isolated computer screen, keyboard and nothing else, SAP Global Vice President Stefan Schulz said.

Schulz said there had been a handful of Russian code reviews of SAP software in recent years, and none in the past year. No other government has carried out such reviews, he added.

He said security reviews have turned up only already known issues. “I don’t know of any case where any new vulnerability was found in the context of such a source code review,” he said.

Comments

comments