The main US financial regulator has beefed up its rulebook for companies faced with cyber attacks.
It includes a warning to corporate insiders about trading in shares before the information becomes public.
The Securities and Exchange Commission said firms must provide “timely” disclosure of “material” about cyber risks and incidents.
But critics say the move, which comes after some firms delayed disclosing hack attacks, does not go far enough.
SEC chair Jay Clayton said the guidance should “promote clearer and more robust disclosure” to investors.
But two Democratic commissioners said they had hoped for more progress on the issue. Commissioner Kara M Stein dubbed it a “rebrand” of rules the SEC issued in 2011.
“There is so much more we can and should do,” said Ms Stein.
In the UK, under rules that go into effect in May, companies are required to report certain types of data breaches to authorities within 72 hours.
- Firms face £17m fine if they fail to protect against hackers
- UK data protection laws to be overhauled
Firms must also inform individuals affected if the breach results in things such as loss of control over personal data.
The US does not have such rules at the national level.
The SEC’s move follows massive breaches at several firms, including Equifax.
Equifax waited several weeks after it discovered signs of a breach this summer. It has since said data from more than 145 million people in the US and more than 700,000 in the UK may have been compromised.
Technology companies including Intel, Apple, Google and Amazon, also spent months trying to fix security vulnerabilities in computer chips before revealing the problem in January.
Members of US Congress have questioned the companies over their decisions. The incidents have also led some members to call for earlier disclosure and threaten tougher regulation.
Share sales by executives are among the issues that have drawn scrutiny.
At Equifax, four executives sold stock in the days after the firm discovered the breach.
Equifax has said its investigation of the trades found the executives were not aware of the attack and acted appropriately.
Intel chief executive Brian Krzanich also sold millions in stock after the chip security flaw was discovered, a sale the firm said was tied to a pre-arranged plan.
Source: BBC News