Under the GDPR, a company that suffers a personal data breach must report it to its supervisory authority (in the UK, the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it.
The "where feasible" proviso qualifies only the 72-hour deadline, not the duty itself: notification remains a binding legal obligation, and a notification made after 72 hours must be accompanied by reasons for the delay. Failure to notify, or a finding that appropriate steps were not taken to protect personal data, can lead to a fine. The GDPR's maximum is 4% of annual worldwide turnover or €20 million, whichever is higher; failures of the breach-notification duty itself fall under the lower tier of 2% of turnover or €10 million.
Before the GDPR, the maximum penalty the ICO could impose under the Data Protection Act 1998 was £500,000.
There are no examples yet of a fine at the 4% level being debated, and it remains an open question whether the regime has been effective, or whether even that level of fine is enough to make companies act and behave seriously about protecting data.
There are also company director liabilities: internationally, some jurisdictions, Germany and Australia among them, are making board-level directors personally responsible.
In the UK, the Companies Act 2006 places general duties on directors, and the board's responsibility to understand and mitigate cyber risk falls within them. Failing to implement appropriate cybersecurity measures could therefore be legally determined to be a breach of directors' duties, which might lead to a claim being brought against the directors by the company, or by shareholders through a derivative action.
While liability and indemnity insurance against cyberattacks can be purchased, this question of director-level personal accountability is perhaps the most interesting one, and it hits home particularly in cases such as Facebook and its CEO Mark Zuckerberg. The problem here is jurisdiction: being able to pursue these issues across national borders.