UpGuard Updates KPMG Vendor-Risk Profile, Flags and Scores External Security Posture

UpGuard’s public vendor-risk profile for KPMG shows recent updates to the firm’s external security posture on or around February 19, 2026 and presents KPMG’s security rating as "X / 950" while the profile UI also shows "Last updated today." The vendor report capture supplied to this story includes the literal rating slot but no numeric score, and multiple page elements read as placeholders rather than concrete findings.

UpGuard frames the report with its standard methodology: "This vendor risk report is based on UpGuard’s continuous monitoring of KPMG's security posture using open-source, commercial, and proprietary threat intelligence feeds. The results are summarized into a security rating based on the analysis of hundreds of individual checks across five risk categories: website security, email security, phishing & malware, brand & reputation risk, and network security." That language appears verbatim in the KPMG profile and describes the five named categories used to produce the aggregate rating.

The public capture contains multiple UI placeholders instead of itemized checks. The page text includes "#### Category title," "##### Failed item title," "Failed item description," "##### Success item title," and a repeated "Failed item description." The profile also contains marketing prompts such as "Free trial" and "Start a free trial to get a more in-depth risk assessment for KPMG," indicating some details may be gated behind a trial or authenticated view.

Company details shown on the UpGuard profile list KPMG's location as Amstelveen, Netherlands and the CEO as William B. Thomas, with the industry labeled "Professional Services." The profile repeats KPMG's business description: "KPMG is a professional services company that provides consulting, assurance, tax, and strategy and transactions services, and technology and security. The company has a global network of professionals and operates in over 150 countries. KPMG is one of the "Big Four" accounting firms, along with Deloitte, EY, and PwC." The "Employees" field appears as a label with no headcount provided in the supplied capture.

The page's incidents section remains sparse in the captured view. Under "## KPMG Data Breaches, Cybersecurity Incidents and News" the profile reads "Coming soon." and "No recent security news. [...]" which suggests no public incident entries are included in the extract provided. UpGuard’s Security Profile product documentation text is also present on the page: "Security Profile on Vendor Risk gives you an overall snapshot of your vendor’s security posture by assessing evidence against specified controls. [...] From here, you’ll work through the evaluation and take stock of the vendor’s security posture. You can make any necessary adjustments, kick-off a remediation workflow for risks, request additional evidence and ultimately run an assessment." The report capture further cites product mechanics including tiering, four pre-built control templates, and a "library of 500+ checks" used when customers upload evidence.

UpGuard’s own description of its analysis appears in the capture: "UpGuard’s AI parses the evidence, comparing it to the designated controls. Security Profile flags risks and highlights where controls are: not, partially, or fully implemented (or where there’s no evidence)." Given the literal "X / 950" rating slot, the placeholder check titles, and the presence of "Last updated today" labels alongside an assignment-level update date of Feb 19, 2026, several gaps remain: the numeric score value, item-level failed or successful checks, a timestamped "Last updated" date, and a populated incident history. Until UpGuard or KPMG supplies the full report, API export, or an authenticated view with those values, the public snapshot functions as a high-level, partially gated record of KPMG’s external attack surface rather than a complete, timestamped inventory of specific security findings.