How do you figure? If a company never reports an incident, how would the government regulator know about it?

They will at some point. A whistleblower, the attackers themselves, the leaked data showing up somewhere on a forum and getting picked up by reporters, etc. etc. At the scale at which any of the popular passwords managers operate, IMO it would be impossible to keep it a secret for long. So taking the risk of jail time only delaying the inevitable... doesn't make sense.