The main US financial regulator has beefed up its rulebook for companies faced with cyber attacks.
It includes a warning to corporate insiders about trading in shares before the information becomes public.
The Securities and Exchange Commission said firms must provide “timely” disclosure of “material” about cyber risks and incidents.
But critics say the move, which comes after some firms delayed disclosing hack attacks, does not go far enough.
SEC chair Jay Clayton, who was appointed by US President Donald Trump, said the guidance, should “promote clearer and more robust disclosure” to investors.
The update says companies should adopt clear policies related to cyber risks. It also says ongoing investigation does not on its own provide a basis for delaying disclosure.
Two commissioners appointed by former President Barack Obama, said they had hoped for more progress on the matter. Commissioner Kara M Stein dubbed it a “rebrand” of rules the SEC issued in 2011.
“There is so much more we can and should do,” said Ms Stein.
In the UK, under rules that go into effect in May, companies are required to report certain types of data breaches to authorities within 72 hours.
Firms must also inform individuals affected if the breach results in things such as loss of control over personal data.
The US does not have such rules at the national level.
The SEC’s move follows massive breaches at several firms, including Equifax.
Equifax waited several weeks after it discovered signs of a breach this summer. It has since said data from more than 145 million people in the US and more than 700,000 in the UK may have been compromised.
Technology companies including Intel, Apple, Google and Amazon, also spent months trying to fix security vulnerabilities in computer chips before revealing the problem in January.
Share sales by executives are among the issues that have drawn scrutiny.
At Equifax, four executives sold stock in the days after the firm discovered the breach.
Equifax has said its investigation of the trades found the executives were not aware of the attack and acted appropriately.
A stock sale by Intel chief executive Brian Krzanich after the chip security flaw was discovered also raised questions. The firm said the sale was tied to a pre-arranged plan.