Any security professional who has dealt with a cyberattack can tell you that the early stages are often chaotic, with the extent of the damage and the magnitude of the intrusion difficult to immediately determine.

The stakes will become even higher when new U.S. Securities and Exchange Commission rules take effect in mid-December that demand prompt disclosure of material cyberattacks and annual reports about cyber risks and vulnerabilities. Tired of “generic” disclosures and “gamesmanship” from public companies more concerned with protecting their reputations than their shareholders and customers, the SEC says it’s time to get tough.