Marriott’s Starwood breach raises questions about meeting SEC standards for cybersecurity disclosure - MarketWatch

On Friday Marriott International, the world’s largest hotel company, told the public that a data breach in its Starwood reservation system may have exposed personal information of up to 500 million guests and has been going on since 2014.

Did Marriott inform its investors soon enough, based on updated guidance for companies on cybersecurity disclosures, issued by the Securities and Exchange Commission in February?

An SEC spokeswoman declined comment on the timeliness of Marriott’s disclosures.

In April the SEC fined the company formerly known as Yahoo! Inc. $35 million for misleading investors by failing to disclose one of the world’s largest data breaches to the investing public until more than two years later, in 2016, when Yahoo was in the process of being bought by Verizon Communications, Inc.

Yahoo filed several quarterly and annual reports during the two-year period following the breach, and only mentioned the risk of, and negative effects that might flow from, data breaches but not the 2014 breach.

Marriott’s filing with the SEC on Friday said it was alerted by an internal security tool on Sept. 8 of a potential breach of its U.S. database. The company began an investigation that found the Starwood guest database may have been compromised since 2014. Marriott acquired Starwood in September 2016.

The hacker had copied and encrypted information from the database and had attempted to steal it, but Marriott was unable to decrypt the information and determine what the breach contained until Nov. 19.

This is not the first cyber breach at Starwood. Hackers stole payment-card information during a data breach in 2015 that lasted nearly eight months at 54 locations.

Marriott filed its most recent quarterly report with the SEC on Nov. 6 for the period ending Sept. 30, 2018. The filing came after the company was alerted to a potential breach on Sept. 8 and had begun an investigation, but it did not contain any mention of the breach, only a description of generic cyber risk factors.

The SEC’s updated 24-page interpretive release on cybersecurity disclosures acknowledges that there is no existing requirement in the securities laws that explicitly refers to cybersecurity risks and cyber incidents. However, “companies nonetheless may be obligated to disclose such risks and incidents.”

SEC Chairman Jay Clayton, in a statement at the time, emphasized that “Public companies must stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion.”

The updated guidance says that companies are required to disclose “material” information that may be necessary to make the required statements “not misleading.”

The SEC would consider omitted information to be material if “there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.”

Marriott shares were hammered on Friday, dropping 6%, indicating clear materiality.

Marriott’s timeline for disclosure does look reasonable, said Gary Roboff, a senior advisor for the Santa Fe Group, a risk consulting firm, “especially if you believe Marriott notified authorities as soon as they were able to understand what data had been compromised.”

Marriott’s press release says it reported the incident to law enforcement and is supporting their ongoing investigations. The company said it has also already begun notifying additional regulatory authorities.

David Chase, a former attorney with the SEC’s division of enforcement who now leads his own law firm, told MarketWatch that companies like Marriott have to weigh the desire to disclose material information to investors on a timely basis with disclosing accurate and complete information. “It’s a judgment call, based on the specific facts,” said Chase.

“However, the breach was going on at Starwood since 2014 and Marriott did not see it until two years after its acquisition,” said Chase. The two-year delay in becoming aware of the breach does raise a question, Chase told MarketWatch, about Marriott’s controls and approach for integrating Starwood’s systems and data after the acquisition.

Roboff made a similar point. “How could a breach like this continue for 4 years? If diligence isn’t constant and systematic, the potential for compromise, with all that implies, increases significantly,” Roboff told MarketWatch.

Francine McKenna is a MarketWatch reporter based in Washington, covering financial regulation and legislation from a transparency perspective. She has written about accounting, audit, fraud and corporate governance for publications including Forbes, the Financial Times, Accountancy and the American Banker. McKenna had 30 years of experience at banks and professional-services firms, including at PwC and KPMG, before becoming a full-time writer.