Monthly Archives: May 2024

What Banks Need to Know About DORA


As of January 16, the enforcement period for the EU’s Digital Operational Resilience Act (DORA) has commenced. This critical regulation, which mandates compliance by January 2025, has a global influence, affecting not only European banks but also financial institutions worldwide, including those in the United States. 

Originating within the European Union, DORA was initiated in September 2020 as part of the EU’s digital finance strategy and was finalized by the European Parliament in November 2022. The regulation aims to standardize security protocols for network and information systems across financial entities and their critical ICT service providers.

Key Provisions of DORA:

  • Risk Management: Financial institutions are mandated to develop robust tools for effective risk management. This includes continuous monitoring and rapid response mechanisms to detect and mitigate unusual activities.

  • Third-Party Risk Management: Banks must collaborate with third-party service providers to ensure that data processing and monitoring frameworks are uniformly applied. Contracts should explicitly specify compliance obligations.

  • Incident Reporting: Institutions need to establish systems to log IT security incidents, classifying them according to criteria set by European supervisory authorities.

  • Information Sharing: Encouraging the exchange of information related to digital threats enhances collective digital resilience and risk awareness.

  • Resilience Testing: Regular testing is required to assess the efficacy of risk management frameworks. This includes conducting red and purple team exercises that help identify and rectify vulnerabilities.

Implications for Banks

For banks, adapting to DORA means revisiting and potentially overhauling their existing security policies and practices. While the 2025 deadline may seem distant, the comprehensive preparations necessary to address potential vulnerabilities and implement effective solutions demand immediate action.

Banks should start with a security maturity assessment to pinpoint current capabilities and deficiencies in relation to DORA standards. This assessment will guide the development of a strategic approach to compliance, highlighting areas needing urgent attention.

Technical Perspectives on Compliance and Vendor Risk Management

For those who weren’t able to attend our live webinar with the London Stock Exchange, please refer to our YouTube video below, where you will get all the scoop. However, I will share the key talking points that are important for banks to know.

  1. Continuous Monitoring and Dynamic Risk Assessment:

    • Kobi Freedman, CEO and co-founder of Findings, emphasized the shift from periodic risk assessments to continuous monitoring. This change is crucial as the threat landscape evolves rapidly, necessitating real-time insights into potential vulnerabilities within and beyond the immediate vendor base.

    • The idea is to scale up the monitoring and compliance checks from a select group of vendors to nearly all partners in the supply chain, thereby increasing visibility and reducing risks across the board.

  2. Automating Compliance for Efficiency:

    • Leveraging technology to automate compliance processes is critical due to the expansive scope of DORA. Automation helps manage the vast array of data and compliance requirements efficiently, reducing the manual workload and potential for human error.

    • Technologies that facilitate automated monitoring and reporting can significantly streamline the compliance efforts required under DORA, particularly for third-party risk management.

  3. Enhanced Board Involvement and Governance:

    • It was noted that DORA places significant responsibilities on the board and upper management to ensure compliance. This includes adopting and enforcing policies, overseeing the implementation of risk management strategies, and ensuring continuous improvement in digital resilience.

    • The board’s role in setting the risk tolerance, approving budgets for cybersecurity initiatives, and ensuring that governance frameworks are in place and effective, is critical to meeting DORA’s requirements.

  4. Legal and Regulatory Preparedness:

    • From a legal perspective, companies are encouraged to prepare not only for DORA but also for overlapping regulations in different jurisdictions. This requires a holistic approach to compliance that considers various regulatory frameworks and ensures that practices meet the highest standards.

    • Preparing for DORA involves understanding its specific requirements and how they interact with other regulatory frameworks like GDPR or the upcoming regulations on AI and data usage.

  5. Incident Response and Crisis Management:

    • Effective incident response protocols were discussed, stressing the importance of having a clear plan in place before any security breach occurs. This includes defining roles, responsibilities, and communication strategies to ensure a coordinated response to incidents.

    • The need for a structured approach to handling the aftermath of an incident was also highlighted, focusing on minimizing damage, managing communications, and learning from each event to improve future resilience.

Get Prepared

As the adoption of DORA progresses, banks must ensure they meet the regulatory standards by the 2025 deadline. Initiating preparations early will undoubtedly facilitate better compliance and enhanced security outcomes. By incorporating these strategies and aligning with expert service providers, banks can effectively navigate the challenges posed by DORA, ensuring operational resilience in an increasingly digital world.

Benefits of N-Tier Monitoring For Your Supply Chain


Hidden Opportunities in Supply Chain Management

Navigating the complexities of global supply chains requires more than just a surface-level understanding of your immediate suppliers. In this blog post, I’ll help you explore the concept of nth tier visibility, delving into the importance of looking beyond your direct suppliers to gain deeper insights into your extended supply network.

Defining Nth Tier Visibility

Nth tier visibility involves monitoring and understanding the activities of suppliers that operate beyond your immediate supply chain. This expanded perspective helps identify potential risks, streamline operations, enhance sustainability, and ensure comprehensive compliance.

The Critical Role of Nth Tier Visibility

Here’s why nth tier visibility is more than just a buzzword:

  • Proactive Risk Management: By tracking the activities of nth tier suppliers, businesses can preemptively address quality issues, ethical concerns, and regulatory non-compliance, thus safeguarding the integrity of the supply chain.

  • Enhanced Agility and Resilience: Comprehensive supply chain visibility allows businesses to swiftly adapt to disruptions such as natural disasters or market fluctuations, enabling informed decision-making and quick adjustments to alternative suppliers.

  • Promoting Sustainability and Ethics: With greater visibility, companies can monitor and enforce environmental and social standards among all suppliers, fostering responsible practices and driving positive change throughout the supply chain.

Steps to Improve Nth Tier Visibility

To enhance visibility across the supply chain, consider implementing these strategic approaches:

  • Thorough Supplier Onboarding: Begin with an in-depth evaluation of new suppliers, focusing on their transparency and supply chain management capabilities. Clearly communicate your visibility requirements to ensure alignment from the start.

  • Continuous Supplier Engagement: Maintain open communication with suppliers at all levels. Regularly exchange data, updates, and performance metrics to foster transparency and early detection of potential issues.

  • Advanced Technological Solutions: Utilize cutting-edge supply chain management software, Internet of Things (IoT) devices, and data analytics tools to collect and analyze real-time data. These technologies provide valuable insights into supplier performance and associated risks.

  • Regular Compliance Audits: Conduct periodic audits to verify supplier adherence to quality and sustainability standards. Consider partnering with third-party auditors for an unbiased assessment.

  • Encouraging Ongoing Improvement: Cultivate a culture of continuous improvement by encouraging knowledge sharing and collaborative problem-solving among suppliers. Highlighting success stories and learning from challenges can motivate suppliers to enhance their visibility efforts.

Broadening Horizons for a Resilient Supply Chain

Enhancing nth tier visibility is essential for building a robust and responsive supply chain. By adopting these best practices, businesses can uncover hidden opportunities, mitigate risks, and promote sustainability. In today’s interconnected world, a resilient supply chain is a strategic advantage, and comprehensive nth tier visibility is key to achieving it.

Remember, a well-informed supply chain is not only about managing known factors but also about discovering and shaping the unknown. Nth tier visibility opens the door to this broader perspective, empowering businesses to make better decisions and strengthen their supply networks.

Understanding Scopes 1, 2 and 3 Emissions Together


A Guide to Greenhouse Gas Emissions

Understanding the impact of greenhouse gas (GHG) emissions is crucial for businesses aiming to enhance their sustainability practices. Scopes 1, 2, and 3 emissions are categories defined by the Greenhouse Gas Protocol that differentiate the sources of these emissions in an organization’s supply chain. This blog post will explore each scope in detail, their significance, and strategies for managing them effectively.

Scope 1: Direct Emissions from Owned or Controlled Sources

Scope 1 emissions are direct emissions from sources that are owned or controlled by the company. This includes emissions from combustion in owned or controlled boilers, furnaces, vehicles, etc. For example, if a company owns a fleet of delivery trucks that burn diesel, the emissions from these trucks are considered Scope 1.

Managing Scope 1 emissions is often seen as the most direct method for a company to reduce its carbon footprint. Strategies to reduce these emissions include transitioning to renewable energy sources, upgrading to more efficient machinery, and adopting cleaner vehicle technologies. Companies like Google and Apple have made significant strides in this area by investing in electric vehicle fleets and onsite renewable energy generation.

For a more detailed review of Scope 1 emissions, please refer to our dedicated Scope 1 blog post!

Scope 2: Indirect Emissions from the Generation of Purchased Electricity, Steam, Heating, and Cooling

Scope 2 covers indirect emissions from the generation of purchased electricity, steam, heating, and cooling consumed by the reporting company. These emissions physically occur at the facility where electricity is generated but are passed on to the company that purchases and uses the electricity.

The most effective strategy for reducing Scope 2 emissions is by purchasing renewable energy. Many companies achieve this through renewable energy certificates (RECs) or direct investment in renewable projects. This not only helps reduce emissions but can also result in lower energy costs over time. Companies like Microsoft have committed to being carbon negative by 2030, heavily focusing on reducing Scope 2 emissions through these methods.

For a more detailed review of Scope 2 emissions, please refer to our dedicated Scope 2 blog post!

Scope 3: All Other Indirect Emissions

Scope 3 emissions are the result of activities from assets not owned or directly controlled by the reporting company but that the company indirectly impacts in its value chain. These include emissions associated with the production of purchased goods and services, business travel, employee commuting, waste disposal, etc.

Scope 3 emissions can be the most challenging to measure and reduce due to their indirect nature and the multitude of sources. However, they often represent the largest share of a company’s carbon footprint. Strategies to reduce Scope 3 emissions include engaging with suppliers to reduce upstream emissions, redesigning products to use less carbon-intensive materials, and encouraging more sustainable consumer behavior.

For a more detailed review of Scope 3 emissions, please refer to our dedicated Scope 3 blog post!

Why Understanding All Three Scopes Is Crucial

It seems as though companies are under a microscope nowadays. So, addressing all three scopes of GHG emissions is vital for companies not only to truly understand their environmental impact but also to meet regulatory requirements and build a sustainable business model. Investors and customers increasingly demand transparency in how companies are addressing climate change. Reports on Scopes 1, 2, and 3 emissions can help businesses gain a competitive edge, improve sustainability rankings, and attract eco-conscious consumers.

Challenges in Measuring and Reporting Scopes 1, 2, and 3

Despite the clear benefits of measuring and managing these emissions, companies face several challenges. These include difficulties in collecting accurate data, especially for Scope 3 emissions, lack of standardization in reporting, and ensuring that all data is up-to-date and relevant.

Advances in technology and increasing standardization of reporting practices are making it easier for companies to overcome these challenges. Tools like carbon accounting software are becoming more sophisticated, allowing companies to track their emissions more accurately and efficiently.

The Future of Corporate Sustainability

As we move forward, the integration of Scope 1, 2, and 3 emissions into corporate sustainability strategies will become the norm rather than the exception. The global push towards net-zero targets and the increasing importance of ESG (Environmental, Social, and Governance) criteria in investment decisions underscore the necessity of comprehensive GHG emissions management.

All in all, understanding and managing Scopes 1, 2, and 3 emissions is not only crucial for environmental improvement but also for corporate survival in the 21st century. By embracing these challenges, companies can lead the way in sustainability, enhance their market position, and contribute to a healthier planet for future generations.

April 2024 Data Breach Round Up


In April 2024, numerous cybersecurity incidents occurred, mirroring previous occurrences. These incidents, yet again, serve as a reminder of the ongoing threat landscape that organizations across various sectors face. From retail giants to healthcare conglomerates, no entity appears to be immune to the ever-changing tactics employed by malicious actors in the digital sphere.

Let’s explore these breaches in detail, uncovering the stories that underscore the critical need for continuous monitoring and proactive risk management strategies in today’s interconnected world.


  1. Giant Tiger

    Giant Tiger, a prominent Canadian discount retailer, suffered a data breach that affected approximately 2.8 million of its customers. This breach came to light when an anonymous hacker posted the stolen data, including email addresses, names, phone numbers, and physical addresses, on a cybercrime forum. The breach data has since been added to the HaveIBeenPwned website, enabling users to check if their information has been compromised. The source of the breach was traced to a third-party vendor responsible for handling Giant Tiger’s customer interactions and communications. Although the leak did not include payment details or passwords, it poses a significant risk of phishing and identity theft. Giant Tiger has informed all affected customers and is actively managing the fallout from the disclosure.

  2. Home Depot

    On April 8, Home Depot confirmed a data breach involving a third-party SaaS vendor, which accidentally exposed names, work email addresses, and user IDs of some employees during system tests. This breach was disclosed after threat actor IntelBroker leaked data about 10,000 employees on a hacking forum. Security experts stress the importance of robust third-party risk management and the need for uniform security protocols across business ecosystems to mitigate such breaches, which could lead to targeted phishing attacks and further security compromises.

  3. Roku

    In a recent statement, Roku disclosed that its security systems detected unauthorized access to approximately 15,000 user accounts earlier this year through credential stuffing—using stolen login details from other sources. Despite these intrusions, Roku confirmed there was no compromise within their systems. A second incident involved around 576,000 accounts, but again, no sensitive information or full payment details were accessed. In response, Roku has reset passwords for affected accounts, implemented refunds for unauthorized transactions, and introduced two-factor authentication for all accounts to enhance security. Roku urges customers to create strong, unique passwords and remain vigilant against suspicious communications to further protect their accounts.

  4. Nexperia

    On April 12, 2024, Nexperia announced that an unauthorized party had accessed certain IT servers in March. The company quickly isolated the compromised systems and cut off internet access to contain the breach. With the help of cybersecurity firm FoxIT, Nexperia is actively investigating the breach’s scope and has taken significant steps to terminate the unauthorized access. The incident has been reported to the relevant authorities, including the ‘Autoriteit Persoonsgegevens’ and the police, who are being updated on the investigation’s progress. Due to the ongoing investigation, Nexperia has stated that further details cannot be disclosed at this time. Nexperia, headquartered in the Netherlands, is a leading global semiconductor company, noted for its significant contributions to electronic components across various industries.

  5. MITRE

    On April 19, 2024, MITRE acknowledged a cybersecurity breach within its Networked Experimentation, Research, and Virtualization Environment (NERVE), a platform used for collaborative research and development. Despite robust security measures, a foreign nation-state was identified as the perpetrator of this breach. Immediate steps were taken to contain the breach by disconnecting the NERVE environment and launching a comprehensive investigation with both in-house and external cybersecurity experts. MITRE has informed the relevant authorities and those affected, and is working on secure alternatives for collaboration. Jason Providakes, president and CEO of MITRE, emphasized the organization’s commitment to transparency and the advancement of cybersecurity practices across the industry. MITRE, known for its contributions to cybersecurity standards and tools, continues to share insights gained from this incident to aid the broader security community.

  6. Kaiser

    Kaiser, a prominent U.S. health conglomerate, is informing millions of current and former members about a data breach that occurred when the company inadvertently shared patients’ data with third-party advertisers, including tech giants like Google and Microsoft. The breach was identified after an investigation revealed that certain online technologies used by Kaiser transmitted personal information to external vendors. The compromised data includes member names, IP addresses, and details indicating usage of Kaiser’s services and websites. Kaiser promptly removed the tracking code from its platforms. This incident underscores a concerning trend in the healthcare sector, where online tracking codes have been used to share sensitive patient information with advertisers. Kaiser plans to notify approximately 13.4 million affected individuals and has fulfilled legal requirements by reporting the breach to relevant authorities. This breach marks one of the largest health-related data breaches of 2024, as listed by the U.S. Department of Health and Human Services.

  7. FBI Warning

    On April 12, the FBI issued a warning regarding a significant surge in SMS phishing attacks aimed at Americans concerning unpaid road toll fees. Beginning last month, thousands of individuals reported being targeted by scammers. The FBI’s Internet Crime Complaint Center received over 2,000 complaints since early March, indicating a widespread campaign across at least three states. The malicious texts claim recipients owe money for outstanding tolls, with identical language across reports. The phishing messages contain hyperlinks impersonating state toll services, with phone numbers varying between states. Although the FBI did not mention E-ZPass in their warning, it’s noted that the scam also targets E-ZPass customers. The FBI advises recipients to report the scam, avoid clicking links, verify their accounts through legitimate websites, contact customer service, delete any phishing texts, and take measures to secure personal and financial information if they’ve interacted with the messages.


As April comes to a close, these data breaches serve as powerful reminders of the urgent need to strengthen our systems. Each breach brings new insights, pushing everyone involved to take a hard look at their security measures, beef up their defenses, and stay sharp against emerging threats.


In our quest for cyber resilience, teamwork and sharing what we know are key. By working together and staying committed to protecting our digital world, we can tackle the challenges of cyberspace head-on, with confidence and resolve.

