In a move to prevent public companies from delaying news about cyberattacks, the US Security and Exchange Commission has set a four-day deadline to disclose "material cybersecurity incidents." A US attorney general could potentially delay that disclosure if doing so would lead to "substantial risk to national security or public safety." Otherwise, the rules will serve as a stiff new guidepost — albeit, one that's slightly less restrictive than the EU's GDPR cyberattack deadline of just three days.