Yes, I did briefly touch on that in the article. "SEC rules require timely reporting of material cybersecurity incidents."
Looking into this more now I see SEC Rule requiring disclosure within 4 business days of determining a cybersecurity incident is "material"
There is a big list of SEC violations as a result:
1. Late Disclosure (Item 1.05)
If materiality was determinable in January → 4-day rule violated
Penalty: Fines, enforcement actions
2. Misleading Statements/Omissions (Rule 10b-5)
Any public statements about security between Jan-May could be problematic
Omitting known material risks = securities fraud
3. Inadequate Internal Controls (SOX)
Failure to properly investigate and escalate user reports
Inadequate breach detection systems
4. Failure to Maintain Adequate Disclosure Controls
My report should have triggered disclosure review
Going silent suggests broken escalation process
If so and if the US had a sane administration maybe, this would be acted upon, but these days, anything goes as long as you 'donate' to the ballroom.