Red Sift Blog

The case for embracing DORA

by Rois Ni Thuama
February 11, 2021 (updated August 31, 2022). Filed under:
  • Cybersecurity

In 2008, as the global financial crisis started to bite and giants like Lehman Brothers and Bear Stearns collapsed owing billions, the world learned rather painfully that the ‘high level of interconnectedness across financial entities, financial markets and financial market infrastructures’ constituted a systemic vulnerability.

The Financial Crisis Inquiry Commission (FCIC) looked into the causes of the crash. The FCIC reviewed ‘millions of pages of documents, interviewed more than 700 witnesses, and held 19 days of public hearings’. With an abundance of evidence, their findings are not in dispute. They concluded in their report that this crisis was foreseeable and indeed had been foreseen. Warnings were ignored. It was, they reasoned, the ‘result of human action and inaction’. They also concluded that the captains of finance ‘…ignored warnings and failed to question, understand, and manage evolving risks’1.

Credible warnings ignored 

In 2004, the FBI held a news conference at its headquarters in Washington, D.C., warning about high levels of mortgage fraud; Chris Swecker, an assistant director, said ‘it has the potential to be an epidemic’2. A full four years in advance of the collapse, a credible warning was issued by trusted experts. Surely warnings from the FBI wouldn’t be ignored again.

The relevance of the ignored warnings strikes me as particularly important in today’s world. After all, would management really ignore the warnings from credible, trusted intelligence agencies? Would it not be the case that management would learn the lessons from the financial crisis?

Fast forward to September 2019 

On 10 September 2019 the FBI’s Internet Crime Complaint Center (IC3) issued a public service announcement calling Business Email Compromise (BEC) ‘the $26 billion scam’3.

Similarly, in the UK, the National Cyber Security Centre (NCSC), which is part of GCHQ, has taken the trouble to warn and educate industry that phishing/BEC is one of the most significant cyber threats. Other sources, albeit private endeavours, estimate that around 70% of data breaches and 90% of ransomware attacks begin with a phishing or BEC attack. The scale of this problem cannot be overstated.

Given that BEC is a well-known, significant cyber threat, you might suppose, nearly ten years after it was devised, that businesses would have universally adopted DMARC, the global industry-standard protocol widely considered the first layer of protection against it. DMARC lets a domain owner publish, in a DNS TXT record at _dmarc.<domain>, how receivers should treat mail that fails SPF and DKIM alignment (p=none, quarantine or reject) and where to send failure reports. It stops attackers spoofing the organisation’s own domains in the From: address; lookalike domains and compromised mailboxes need separate controls.

You would be only partly correct. Large global banks did indeed move swiftly to implement DMARC and secure their domains from email impersonation. However, smaller regional banks have been less disciplined about deploying DMARC and other fundamentals of cyber security. This, however, is about to change. Meet DORA.
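To make the ‘partly correct’ concrete, here is an added example (my own code, not part of the original post and not Red Sift’s platform) that classifies a DMARC record by how much protection it actually gives against exact-domain spoofing. A domain can have a record and still be effectively unprotected: p=none only reports, a low pct= leaves most failing mail untouched, and a weaker sp= leaves subdomains open. The records below are constructed samples; the function and level names are this example’s own.

```python
"""Classify DMARC records by the protection they give against exact-domain spoofing.

Added example, not code from the original post or from Red Sift's platform.
The records in SAMPLE_RECORDS are constructed; a real one is the TXT record at
_dmarc.<domain> (e.g. `dig +short TXT _dmarc.example.com`).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcAssessment:
    valid: bool
    policy: Optional[str] = None
    subdomain_policy: Optional[str] = None
    pct: int = 100
    has_reporting: bool = False
    level: str = "unprotected"   # unprotected | monitor | partial | enforced
    notes: List[str] = field(default_factory=list)


def parse_tags(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict, tolerating stray whitespace."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Return what a spoofed From: address for this domain would run into at receivers."""
    result = DmarcAssessment(valid=False)
    if not record:
        result.notes.append("no _dmarc TXT record: receivers treat the domain as unprotected")
        return result

    # Receivers ignore a record that does not start with v=DMARC1 or lacks a valid p= tag.
    if not record.strip().lower().startswith("v=dmarc1"):
        result.notes.append("record does not begin with v=DMARC1; it will be ignored")
        return result
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        result.notes.append(f"missing or invalid p= tag ({policy!r}); record will be ignored")
        return result

    result.valid = True
    result.policy = policy
    # sp= defaults to p=; an explicitly weaker sp= leaves subdomains open to spoofing.
    result.subdomain_policy = tags.get("sp", policy).lower()
    try:
        result.pct = int(tags.get("pct", "100"))
    except ValueError:
        result.notes.append("unparseable pct=; assuming 100")
    result.has_reporting = "rua" in tags

    if policy == "none":
        result.level = "monitor"
        result.notes.append("p=none only reports; spoofed mail is still delivered")
    elif result.pct < 100:
        result.level = "partial"
        result.notes.append(f"pct={result.pct}: only that share of failing mail is acted on")
    elif policy == "quarantine":
        result.level = "partial"
        result.notes.append("quarantine sends spoofed mail to spam rather than rejecting it")
    else:
        result.level = "enforced"

    if policy == "reject" and result.subdomain_policy != "reject":
        result.notes.append(f"sp={result.subdomain_policy} leaves subdomains weaker than the org domain")
    if not result.has_reporting:
        result.notes.append("no rua= address: alignment failures will not be reported back to you")
    return result


# Constructed sample records; the domains are placeholders.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "bigbank.example":  "v=DMARC1; p=reject; rua=mailto:dmarc@bigbank.example; adkim=s; aspf=s",
    "regional.example": "v=DMARC1; p=none; rua=mailto:reports@regional.example",
    "halfway.example":  "v=DMARC1; p=quarantine; pct=25",
    "broken.example":   "v=DMARC1; rua=mailto:x@broken.example",
    "absent.example":   None,
}

if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        a = assess_dmarc(rec)
        print(f"{domain:18} {a.level:11} {'; '.join(a.notes)}")
```

Run against real records by swapping the sample strings for the output of a DNS lookup; the ‘enforced’ level is the one that actually blocks impersonation of the domain, and anything below it is a warning that is being logged rather than acted on.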

DORA, not who, what.  

DORA stands for Digital Operational Resilience Act; it is the European Commission’s proposal (COM(2020) 595) to tackle digital risks and build operational resilience in the financial sector.

DORA exists because the reforms that followed the 2008 financial crisis did not extend to mitigating cyber risks. It is recognised that this failure to address the risk poses a challenge to the ‘operational resilience, performance and stability of the EU financial system’.

The absence of detailed comprehensive rules has seen member states seek to address and resolve this individually, which has led to a layer of complexity resulting in ‘overlaps, inconsistencies…high administrative and compliance costs’. DORA addresses that.

DORA applies to financial entities, from banks (i.e. credit institutions) to investment firms and payment institutions, electronic money institutions, pension providers, audit firms, credit rating agencies, and insurance and reinsurance undertakings and intermediaries4. Beyond that, it also applies to ICT third-party service providers, including providers of cloud computing services, data analytics and data centres.

DORA – what is it good for?

It should go without saying that I’m already a huge fan of DORA. It runs to 102 pages, and so much of it is sensible, valuable and inarguable. The upsides are considerable; these immediately sprang to mind:

  1. By providing a definition of ICT risk, the financial sector will have much-needed clarity. ICT risk is ‘any reasonably identifiable circumstance in relation to the use of network and information systems.’ This means that warnings issued by credible agencies like the FBI or NCSC will need to be addressed. Starting with the most significant cyber threats and working down through the known risks can only serve to strengthen the financial services sector, protecting the sector, investors, clients and consumers. Warnings cannot be ignored.
  2. It creates an impetus for producing new policies to address the need for an accelerated process for known ICT risks. It could be that financial entities (FEs) will create a fast lane for ICT risks so that the time between awareness of an ICT risk and the deployment of solutions is reduced. Whatever happens: warnings cannot be ignored.
  3. It references the NIST Cybersecurity Framework. It reads:

‘Inspired by relevant international, national and industry-set standards, guidelines, recommendations or approaches towards the management of cyber risk, this Regulation promotes a set of functions facilitating the overall structuring of the ICT risk management.’

NIST is referenced in the footnote to that passage. The Regulation goes on to recognise that other standards are permissible provided they meet the conditions it sets out, but for my money and what it’s worth, when a standard is called out there is no downside to abiding by it, only considerable upside. Best practice cannot be ignored.

  4. The requirement to manage third-party risk means that FEs must be able to exit contractual arrangements without disruption to their business activities. DORA targets the commercial stickiness that arises when a vendor, truculent that its service is no longer required, is able to punish the client by disrupting its business with a lengthy and messy exit.

This is fantastic news. This provision alone will allow FEs to consign old, clunky products no longer fit for purpose to the delete bin. They can no longer be held captive by outdated kit, and this allows the financial sector to access stronger, smarter, more robust solutions.

While we can’t walk you through every provision in preparation for DORA, our platform can help you mitigate reasonably identifiable circumstances as they relate to email and domain security. So why not book your free Red Sift Platform Demo today?

Footnotes

  1. Financial Crisis Inquiry Report, Final Report of the National Commission on the Causes of the Financial and Economic Crisis in the United States. Official Government Edition, January 2011. Available to download from https://www.govinfo.gov/content/pkg/GPO-FCIC/pdf/GPO-FCIC.pdf
  2. https://edition.cnn.com/2004/LAW/09/17/mortgage.fraud/
  3. https://www.ic3.gov/Media/Y2019/PSA190910
  4. For a fuller list check out Chapter 1 General Provisions Article 2. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0595
