Some 16 months after first proposing rules for public companies and investment advisors, the SEC adopted new rules, chief among them that public companies disclose material cybersecurity breaches to investors within four days.