The intersection of DORA and DMARC

DORA and DMARC
DMARC Report
The intersection of DORA and DMARC
Loading
/

DORA, short for Digital Operational Resilient Act, is a European framework for establishing regulatory compliance for finance organizations. It’s now in force and will be fully applicable from January 2025

DMARC, which is short for Domain-based Message Authentication, Reporting, and Conformance, is an email security technology that prevents phishing and spoofing attempts made by impersonating you or someone from your company. So, if your sending domain has DMARC, and a threat actor sends a potentially fraudulent email from that domain, the email will not land in the recipient’s inbox; it will either be marked as spam or bounce back. In either case, the recipient’s likeliness to get trapped is minimized, and your brand reputation stays unhampered. 

Although DORA and DMARC are not explicitly linked with each other, DMARC helps in the DORA process by maintaining a good email security posture. Let’s get this better. 

The 7 Chapters of DORA

The DORA regulation involves a long list of rules for the protection, detection, containment, recovery, and repair capabilities of organizations belonging to the finance sector against Information Communication Technologies-related risk management, incident reporting, and operational resilience.

Information Communication Technologies

It’s divided into 7 chapters-

1. Subject matter, scope, and definitions

This chapter specifies DORA’s purpose and scope, including which entities are subjected to it (e.g., banks, investment firms, insurance companies).

2. ICT risk management

This includes implementing robust ICT risk management frameworks, ensuring business continuity, and having proper incident response procedures. 

3. ICT-related incident reporting

Sets out the obligations for reporting significant ICT-related incidents to competent authorities while also providing criteria for determining the significance of an incident.

4. Digital operational resilience testing

Requires regular testing of ICT systems to ensure they can handle and recover from disruptions. This includes checking for vulnerabilities, conducting penetration tests, and performing advanced threat-led penetration testing (TLPT) for critical systems.

threat-led penetration testing

5. Management of ICT third-party risk

This DORA chapter discusses the risks associated with outsourcing ICT services to third-party providers. Companies in the finance sector must ensure that third-party services meet regulatory standards and integrate these requirements into their contracts. 

6. Information sharing arrangements

This chapter encourages you to foster cooperation and improve the overall cybersecurity situation of the entire financial sector.

7. Competent authorities and oversight framework

It outlines the powers of competent authorities, including the ability to conduct investigations, impose fines, and take corrective actions.

Chapterwise DORA and DMARC intersections

Here is how these two are indirectly linked to each other-

The second chapter

If your domain has DMARC, you can detect unauthorized and potentially fraudulent email activities, minimizing the email security gap and protecting your business reputation.

email security

The third chapter

Phishing is a common cybercrime, and threat actors often exploit emails to attempt them. They target recipients by sending emails that look like they are coming from a trusted source (like your company) and trick them into sharing sensitive details or transferring money. 

But if you have DMARC in place, such emails will be marked as ‘suspicious’ at the recipient’s end, preventing them from sharing confidential information, downloading malware-infected files, making financial transactions, etc. 

The fourth chapter

DMARC users are capable of detecting and responding to fraudulent emails, encouraging and establishing a comprehensive cybersecurity plan for a company belonging to the finance sector.

The fifth chapter

Including strong DMARC policies in third-party contracts helps maintain communication security and protects against email-based threats.

ransomware attacks

Image Sourced from nuox.io

The sixth chapter

By deploying DMARC across all active and parked domains, you can ensure 360-degree email protection, which ultimately thwarts phishing, spoofing, and ransomware attacks

DMARC reporting is the key

You can leverage the most benefit from DMARC deployment if you use its reporting feature to the fullest. Start receiving and managing aggregate and forensic reports to understand who all are sending emails from your domain and if there is any suspicious movement that you should tackle. 

Well, as much as we encourage receiving these reports, we understand the tedious task of monitoring and managing them. So, we are here to help you with this. Want to know how? Contact us

Similar Posts