The U.S. Securities and Exchange Commission on Wednesday finally adopted stringent new cybersecurity disclosure rules for public companies, 16 months after the agency proposed them.

That lag gave companies an abundance of lead time to prepare for the requirement that has the cybersecurity community most worried: a mandate that companies publicly disclose a breach within four days after determining that it was material.