They've lost all credibility at this point. You can't say "we didn't get breached, nobody got owned" and then turn around and say "actually a lot of our customers did get owned" after you get called out on it.
They lost all credibility when they failed to do the one single thing companies trust them to do, on a massive and severe scale, with long-lasting financial repercussions for AT LEAST 250 of the world's biggest companies (I believe it's more than they're letting on).
It is a shame that the new DHS 72 hour reporting requirement was not in effect when this breach occurred, but it is extremely evident why it is required. Regarding business classification, I don't think it's too difficult to argue that commercial identity providers are critical infra.
That law is modelled on laws in the EU, Australia and other countries. I know if my employer is one of the affected companies they are in breach of our notification laws.
GDPR already covers this. If companies with EU employees were among the 2.5% (not unlikely), they should have disclosed this, first to the ICO and customers, then the public.