It can be contrary to a company's interest not to disclose a hacking event. I note that the SEC can impose hefty fines on publicly-traded companies which fail to timely disclose hacking incidents which can substantially affect customers:

https://www.cybersecuritydive.com/ne...attack/716962/

("SEC fines NYSE’s parent $10M for failing to report cyberattack.")