3 ways the Digital Operational Resilience Act relates to email and domain security

The Digital Operational Resilience Act (DORA) is a piece of legislation set to be introduced later this year. Ultimately, it’s a comprehensive rulebook outlining what financial services organizations and third-party software providers must do to become digitally resilient to cyber threats. While DORA primarily affects businesses in the European Union’s financial services sector, it will also apply to any financial organization outside the EU needing access to this market. So, DORA applies to businesses all over the globe. 

To comply with DORA, businesses must make provisions in all areas; from educating board members, to conducting staff training, and reviewing insurance. 

But a key area that shouldn’t be overlooked is email and domain security, or rather how businesses look to mitigate threats relating to this. 

In this blog, we explore three ways DORA relates to email and domain security, and what businesses can do to strengthen resilience in this area.

1. Email is the global medium for business communication and resilience is crucial

Email is the number one medium for business communication worldwide, with over 333 billion emails sent every day in 2022. So it’s no surprise that attackers target organizations through this sensitive threat vector. Business Email Compromise (BEC) attacks such as Vendor Fraud and CEO Fraud threaten business continuity and operational resilience daily. Often what makes these successful is ‘domain spoofing.’ This is when a cybercriminal impersonates a business’ domain to send phishing emails to its customers, employees, and supply chain. The fake emails are hard for the recipient to spot because they come from a legitimate email address.

In preparing for DORA, businesses now need to consider how they’ll strengthen their email and domain defenses for effective risk management and mitigation. Implementing DMARC (Domain-Based Message Authentication, Reporting, and Conformance) is the crucial first step that every organization should take to secure its domain and brand from impersonation. 

2. Business Email Compromise (BEC) is a reasonably identifiable circumstance

The Digital Operational Resilience Act expects affected organizations to recognize and mitigate any reasonably identifiable circumstances that could lead to an event that could compromise the digital operational security of the firm. But what is a reasonably identifiable circumstance?

Any common vulnerability, exposure, or well-known cyber threat could give rise to a reasonably identifiable circumstance. Something is a reasonably identifiable circumstance if the source it’s coming from is a trusted, independent expert that puts you on express notice that a common vulnerability, exposure, or significant cyber threat poses a risk to your business. 

Financial organizations should look to credible agencies for guidance on reasonably identifiable circumstances. These include the National Cyber Security Centre (NCSC), Federal Bureau of Investigations (FBI), Global Cyber Alliance (GCA), and National Institute of Standards and Technology (NIST) to name just a few.

The FBI has been warning of Business Email Compromise in its IC3 Internet Crime Report since 2015. So, affected financial organizations and third-party software providers should accept that BEC attacks are a reasonably identifiable circumstance that they need to be protected against. 

Then, they should look to mitigate these types of attacks as part of their wider preparation for DORA. Just some of the ways organizations can look to mitigate BEC and related disruption include: 

3. DORA instructs firms to be able to detect anomalies 

In a landscape with ever-expanding cyber threats and sophisticated attacks, being able to get ahead of the game and stop zero-day attacks is becoming an increasing priority for businesses. DORA in fact states that ‘financial entities shall have in place mechanisms to promptly detect anomalous activities’. This instruction could be applied to multiple areas within an organization, and domain security is definitely one of them. 

Detection of anomalous activities is integral to the Red Sift platform. Red Sift Brand Trust provides organizations with comprehensive insight into their domain perimeter, plus a reliable phishing takedown service. 

Brand Trust monitors 150 million newly registered domains and subdomains every day. This means that organizations can quickly take down phishing and impersonation sites and even discover and secure legitimate domains that have been forgotten about. It also means they can detect illegitimate use of logos to defend their business’ brand against abuse and reputational damage. 

OnDMARC detects and surfaces information to its users in a variety of ways. For example, it detects misconfigured or missing email protocols, declining reputational scores, uncovers shadow IT, and more. 

Book your Red Sift platform demo today

Red Sift provides gold-standard products that work together to protect your organization’s outbound email communications, as well as your domain perimeter. 

While we can’t provide you with every provision in preparation for DORA, our platform can help you mitigate reasonably identifiable circumstances as they relate to email and domain security. So why not book your free Red Sift Platform Demo today?

PUBLISHED BY

Sean Costigan

17 Aug. 2022

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
BEC

The threat of Business Email Compromise in US healthcare

Jack Lilley

Executive summary: Business Email Compromise is siphoning billions from U.S. healthcare by exploiting human trust instead of software flaws. Spoofed or hijacked messages authorize fraudulent payments, spark ransomware, and expose patient data—causing crippling financial, operational, and compliance damage. Deploying DMARC, MFA, and rigorous multi-person payment checks is now critical. 3 key takeaways Business Email…

Read more
Email

Cloudflare selects Red Sift as a preferred partner to provide DMARC and…

Rebecca Warren

AI-generated email attacks are rapidly growing in scale and sophistication, demanding stronger defenses from at-risk organizations. Starting today, Red Sift is excited to announce a new strategic partnership with Cloudflare, the leading connectivity cloud company, to deliver its market-leading email security application, Red Sift OnDMARC, to a broader global audience.  Today’s alignment enhances Cloudflare’s…

Read more
Cybersecurity

New Zealand moves to mandate DMARC enforcement

Jack Lilley

Executive summary: New Zealand’s Secure Government Email Framework mandates DMARC at p=reject—plus hard-fail SPF, universal DKIM, enforced MTA-STS, and TLS-RPT—by October 2025. The rules replace SEEMail, curb soaring phishing losses, and will affect every organization that emails the public sector. Key takeaways: The New Zealand Government has recently published the Secure Government Email (SGE) Common…

Read more
BEC

DMARC: The best ROI for your organization

Jack Lilley

Executive summary: Implementing DMARC delivers one of the clearest, fastest returns on investment in email security. By authenticating outgoing mail and blocking spoofed messages, DMARC cuts the direct costs of phishing and Business Email Compromise, safeguards brand reputation, and boosts deliverability—ultimately driving revenue and trimming operational workload. Key takeaways: Email is a critical communication tool for…

Read more