It has been seven years since the Securities and Exchange Commission first advised public companies to tell investors if they had suffered a cyberattack deemed to be material. But even with the rising number of severe hacks, only a few companies report incidents each year to the S.E.C.