Aimed toward improving resilience against impending cyberattacks in the financial sector, the Digital Operational Resilience Act (DORA) is a legislative proposal that is still in the works. It’s important to note that this law does not replace existing regulations but rather supplements them by providing a framework for managing operational risk in a digital environment.
The goal of DORA is to ensure that financial institutions are able to withstand cyberattacks by implementing best practices like data protection and incident response planning. This means that companies need to have a plan in place for when an attack happens so they can maintain operations while recovering from any damage caused by an attack.
View: Deloitte’s new rules for DORA compliance
What does the Digital Operational Resilience Act (DORA) mean for your business?
The Digital Operational Resilience Act (DORA) will make significant changes to how financial service companies handle their data security practices. Under DORA, all financial institutions must implement a cybersecurity program that includes policies, procedures, and risk management activities. These policies must be reviewed annually by a third-party financial regulator who will provide an assessment of whether or not they are adequate based on industry standards.
Financial institutions must also implement an incident response plan that describes how they will respond when a cyber breach occurs or when there are indications that one may occur in the near future. This plan must include a strategy for dealing with different types of attacks (e.g., phishing scams), as well as procedures for recovering from an attack.
DORA outlines certain scenarios in which it may be applicable:
For example, all organizations that are directly working with financial institutions and companies as service providers, are subject to DORA as a compulsion and would be directly supervised by a financial regulatory authority.
This would be done to determine whether the supplier’s security protocols and practices are in compliance with DORA-specified standards and whether they are capable of providing a risk-free environment for handling sensitive financial data.
Organizations that are not directly working with any financial institution can voluntarily choose to attain compliance under the DORA act via an independent auditor.
The DORA Act: Principal Conditions & Goals
The Digital Operational Resilience Act (DORA) ensures the financial sector’s ability to operate in a secure and resilient manner. The act has the following primary requirements:
- Companies must have an incident response plan that includes a detailed description of what constitutes a cyberattack, how employees should respond, and how operations will be restored if there is a breach.
- Companies must maintain a cybersecurity program that includes an assessment of the risks posed by cyberattacks and an action plan for mitigating those risks.
- Companies must maintain appropriate security controls over their digital infrastructure. These controls include encryption, authentication, access controls, audit trails, monitoring systems, event management systems, and incident response plans.
- Companies must report incidents when they occur so that regulators can assess their vulnerabilities and make recommendations for improving their security posture.
- Companies should have a plan in place to ensure continuity of service during any disruptions that might occur.
Step closer toward DORA-Compliance with PowerDMARC
Organizations are upscaling their security posture owing to the DORA act, which calls for digital, network, and cloud security, as well as, email security. Since email is the basis of today’s communications and forms the central communication platform for most businesses, securing your email infrastructure is crucial to achieving DORA compliance.
PowerDMARC is a multi-tenant SaaS platform that secures your email channels by leveraging a full-stack email authentication suite. We are ISO 27001, SOC Type 2, and GDPR-compliant, and have successfully worked with various financial organizations to protect their email data and domain against security risks.
We help you:
- Protect your emails against spoofing and impersonation with DMARC
- Defend against cyber eavesdropping and man-in-the-middle attacks with MTA-STS
- Monitor your email’s authentication results and troubleshoot forensic incidents with DMARC reporting
- Stay under the SPF lookup limit to avoid Permerrors with SPF flattening
Contact us today to achieve compliance with your emails!