The phrase "Without reasonable delay" sorta seems like it should be "Without UNreasonable delay". The timeline is also exceptionally tight if there is a reason that delaying means needing to get permission from any Attorney General's office. They don't often check their emails and it's hard to find a valid address for them in the first place that won't just generate a form letter in response and naught else.
The other question is what they should report. Teams would first want to identify the path that somebody used to get in, get that patched right away, sort out what might have been compromised and get notifications to affected parties before all of this hits the news. I get it, companies have been waiting months and months before a news of a big exploit is leaked and the company is forced to own up. But, 4 days?