The U.S. Securities and Exchange Commission has adopted new rules requiring publicly traded companies to disclose cyberattacks within four business days after determining they’re material incidents.
Just never make it a material incident and then you don’t have to worry.
Concealing liabilities from investors it’s a pretty big deal. Keep in mind, the reason this targets publicly traded companies is that they want to protect investors, not the customers of the company.
In fact, if it’s something that affects the customers generally, I looks like disclosure might no longer be so important, since they seem to allow delaying the disclosure if it risks “public safety”.
In some instances, the disclosure timeline may also be postponed if the U.S. Attorney General determines that an immediate disclosure would pose a significant risk to national security or public safety.
So a company might keep a backdoor secret if it’s for the sake of national security / surveillance.