Wall Street's top regulator has adopted new cybersecurity rules that require companies to disclose a material cyber breach within four days of determining that the breach is material. The 96-hour requirement has been on the table for months, but the materiality qualifier puts a critical onus on boards and CISOs to get specific on their cyber-risk tolerance.