Get DORA Ready: How Resilient is your Mobile Security approach?

While digitalization overall has helped to increase productivity and facilitate greater competition in financial and many other markets for goods and services, the benefits of interconnectedness are not without risks. The downside of digitalization can be greater vulnerability to cyber-attacks as reliance on digital infrastructures increases. As the German Federal Office for Information Security (BSI) put it in its BSI Situation Report (published on 25 October 2022): ‘The threat environment in cyberspace is tense, dynamic and diverse, and is therefore higher than ever’.

There are more than 20,000 financial institutions in the EU alone, all of which are likely to offer digital channels. If just a few of them are vulnerable and suffer cyber-attacks (e.g., through a Mobile Banking App), they become a systemic risk, leading to a general loss of confidence in financial markets.

And now uniform resilience requirements have been brought together in a single regulatory framework called DORA.

What is DORA?


DORA is the acronym for the Digital Operational Resilience Act (EU DORA; Regulation (EU) 2022/2554), which recently came into force on 16 January 2023.

DORA is intended to address the growing cyber risks and takes the approach of targeting all financial market participants, including banks, payment institutions, investment firms, crypto asset service providers and others, as well as critical third parties providing ICT (information and communication technology) services, such as cloud platforms or data analytics services.

The EU-wide legal framework for digital business continuity aims to ensure that businesses are able to respond appropriately to ICT-related disruptions and threats. It also introduces a holistic framework for effective risk management, ICT and cybersecurity capabilities for the management of third-party providers, ensuring consistent service delivery across the value chain.

This should prevent successful cyber-attacks or minimise their impact.

DORA aims at a high common level of digital operational resilience


DORA encompasses five fundamental pillars that tackle diverse aspects and domains of ICT and especially cybersecurity, offering a comprehensive framework for digital resiliency to relevant entities across the whole value chain.

The following DORA information has been condensed while maintaining the essence of the original content, making it more concise and easier to understand. The five pillars are as follows:

  1. ICT risk management requires the establishment of mechanisms for the timely detection of anomalous activity within the ICT system, among other measures for comprehensive ICT risk management.
  2. ICT incident reporting requires, among other things, that organisations establish a process for monitoring and logging ICT-related incidents for effective ICT risk management.
  3. Digital operational resilience testing requires periodic testing of elements within the ICT risk management framework, including Threat Led Penetration Testing (TLPT) to address higher levels of risk exposure.
  4. ICT Third Party Risk Management requires that contracts with ICT Third Party Providers include all necessary monitoring and access details, such as a description of the level of service and indication of data processing locations, etc.
  5. Information sharing aims to minimise the proliferation of ICT threats and support firms’ defence and detection techniques, mitigation strategies, and response and recovery phases by promoting collaboration between financial firms. It encourages the sharing of cyber threat information and intelligence in a secure manner to enhance digital operational resilience and raise awareness of ICT risks.

DORA and Mobile App Resilience


The DORA regulation is quite broad and general and will affect many players in the financial ecosystem, as their service offerings are crucial for operational resilience and for providing cybersecurity.

Cybersecurity starts with protecting the Mobile App, which can be compared to the display window of a jewellery shop: if the glass is broken, the jewellery is easily accessible and can be stolen.

For example, Mobile App security and Mobile In-App protection vendors are third-party solution providers to European financial institutions and therefore may be subject to DORA regulation. As such, these vendors must comply with DORA, and their solutions must support the five fundamental pillars of DORA.

Build38: Delivering Mobile operational resilience


Build38 is a highly respected Mobile In-App protection vendor with customers that include some of Europe’s top banks and financial service providers. Already today, Build38 and its Trusted Application Kit (T.A.K) solution support DORA’s five pillars in various ways:

  1. Build38’s T.A.K detects and mitigates malicious use of Mobile Apps and reports attacks to service providers.
  2. Build38’s T.A.K captures and provides insights into attack attempts for incident reporting.
  3. Build38 supports threat-led and grey-box penetration testing. Build38’s customers have had their solutions PCI and VISA certified.
  4. Build38 provides transparent information on third-party risk management to customers.
  5. Build38 shares collected information to enhance digital resilience and risk awareness.

Don’t wait until it’s too late! Get DORA ready today and ensure your Mobile security approach is as resilient as it needs to be. Contact Build38 to learn more about our T.A.K solution.
