The rule includes exceptions for cases where public disclosure of a cyber incident could pose significant risks to public safety or national security, allowing companies to work with law enforcement agencies to address secret cybersecurity events.