they likely aren't under an obligation to tell investors about it immediately and simply putting something in their quarterly report about it will probably be fine.
That being said if they put something in some communication that said "we take security seriously" or something that would probably be grounds to sue as this obviously shows they aren't serious or something. The barriers to shareholder lawsuits for securities fraud are pretty low.
The SEC says they have 4 business days
"An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material. The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing." (from https://www.sec.gov/newsroom/press-releases/2023-139)