Market Report
Product code: 1354227

The SEC's Four-Day Reporting Rule Presents a Critical New Need to Define Materiality

Research firm: IDC | Page information: English, 11 pages


This IDC Perspective discusses the SEC's four-day reporting rule, which presents a critical new need to define materiality. Wall Street's top regulator, the U.S. Securities and Exchange Commission, has adopted new cybersecurity rules that require companies to disclose a material cyberbreach within four days of determining that the breach is material. Until now, breach notification has been driven primarily by regulations or industry rules requiring notification "without unreasonable delay," which affords a fair amount of bandwidth within which to understand and assess a situation and then determine the most appropriate path forward. The new SEC rules raise the bar for publicly traded companies, not only demanding that they know that an incident has occurred but also requiring their boards to quickly establish the facts about where there is significant potential impact on the company's financial position, operations, customer relationships, or reputation. "Assessing and reporting based on materiality of an incident adds a new and critical level of analysis for CIOs and CISOs in publicly traded companies," says Alizabeth Calder, adjunct research advisor for IDC's IT Executive Programs (IEP). "We need to arm ourselves with the best possible interpretation and guardrails in advance of an incident, so we don't get caught in situational urgency where the 96-hour rule undermines prudent decisions about whether the incident is actually material and thus reportable. We look forward to learning more as the SEC rules are absorbed and will sharpen our thoughts and guidance as more details emerge."

Executive Snapshot

Situation Overview

Advice for the Technology Buyer

  • Have Clarity on What Needs to Be Reported: The Risk Appetite
  • Ensure That You Have the Data to Assess, Monitor, and Report in the Context of the Approved Risk Tolerance
    • How to Define and Measure the Incident Impact
    • How to Report an Incident
  • Reduce the Impact of Breach Notification and Compliance by Planning Ahead

Learn More

  • Related Research
  • Synopsis