Ypê, the Brazilian consumer goods manufacturer whose products reach over 95% of Brazilian households, operates its SAP enterprise resource planning system on third-party support from Rimini Street rather than official SAP maintenance.
The arrangement exposes the company's core operational systems to known cybersecurity vulnerabilities. SAP releases security patches for documented Common Vulnerabilities and Exposures (CVEs) through its standard support channels. Third-party support providers like Rimini Street may not replicate these patches at the same speed or with the same coverage.
ERP systems control critical business functions including financial reporting, supply chain operations, inventory management, and customer data. A compromised ERP environment can halt production, expose proprietary formulas, or leak customer information.
Companies choose third-party ERP support to reduce costs. Rimini Street charges roughly 50% less than SAP's standard maintenance fees. For large enterprises running complex SAP installations, this can mean annual savings of several million dollars.
The trade-off comes in security patch delivery. SAP releases monthly security notes and emergency patches for critical vulnerabilities. Third-party providers typically focus on break-fix support rather than proactive security updates. They may provide custom code fixes for specific issues but don't automatically deliver SAP's full patch catalog.
The risk calculus shifts as threat actors increasingly target ERP systems. The 2025 Onapsis ERP Threat Report documented a 34% increase in attacks specifically targeting SAP vulnerabilities. Attackers know that companies on third-party support often run outdated patch levels.
Brazil's General Data Protection Law (LGPD) requires companies to implement appropriate security measures for personal data. A breach stemming from known but unpatched vulnerabilities could trigger regulatory action and fines of up to 2% of revenue.
Ypê operates in a competitive fast-moving consumer goods market where operational continuity directly impacts market share. Any ERP downtime ripples through production schedules, retail distribution, and cash flow management.
The company faces a decision point: accept ongoing security risk to preserve cost savings, or return to vendor support to close the vulnerability gap.

