- What's at stake: If Congress fails to reauthorize CISA 2015, the legal protections banks use to share information about cyber threats will disappear.
- Supporting data: While many cybersecurity leaders support renewing the act, participation in one of the information sharing programs it enables fell from 304 in 2020 to 135 in 2022.
- Forward look: Multiple bipartisan efforts to renew (and reform) the bill are underway, most recently with a unanimous vote of support from a 25-person committee on Wednesday.
With a critical cybersecurity law set to expire on Sept. 30, 2025, financial industry groups are urging Congress to act swiftly to renew the Cybersecurity Information Sharing Act of 2015, or CISA 2015.
The bipartisan legislation established a voluntary framework for sharing cyber threat information between the private sector and government agencies, a tool that banking leaders say has become essential for defending the nation's financial system.
Passed a decade ago after the Office of Personnel Management data breach, CISA 2015 provides liability protections and an antitrust exemption that encourage banks and other companies to share cyber threat indicators with each other and the government.
Why does CISA 2015 matter to banks?
The financial sector has consistently advocated for the law's renewal, emphasizing its role in safeguarding the industry.
"Without the protections codified by this statute, businesses may be less willing to share cyber threat information for fear of legal exposure," a coalition of 13 trade associations, including the American Bankers Association, Bank Policy Institute, and Independent Community Bankers of America, wrote in a letter to Congress on Thursday.
"Any chilling effect on this information exchange directly benefits the nation-state attackers and cybercriminals seeking to degrade U.S. economic and national security interests," the letter said.
Heather Hogsett of the Bank Policy Institute, or BPI, said, "This law has helped protect the American financial system for over a decade by enabling banks to confidentially share threat information with industry and government partners."
CISA 2015 provides crucial antitrust exemptions and liability protections that encourage companies to share cyber threat indicators with each other and the government. Without these protections, organizations could face frivolous litigation under federal and state laws like the Wiretap Act for engaging in necessary cyber defense activities. The potential for expensive lawsuits could create a "chilling effect" on information sharing, leaving defenders with less timely intelligence to fortify security and protect customer data.
Nation-state adversaries continue to target U.S. critical infrastructure, as seen in the Salt Typhoon campaign that raised alarms at banks last year following a data breach at casino chains MGM and Caesars.
What happens if the law expires?
If Congress fails to reauthorize the law, the legal protections that facilitate this information sharing will disappear.
Organizations would lose liability protections for sharing threat data with the government, antitrust protections for industry collaboration and exemptions from federal and state disclosure laws.
In turn, this would reduce the amount and quality of cybersecurity intelligence that banks get both from each other and from other companies, making it harder to track and predict threats.
What's the debate?
While support for reauthorization is broad, the program CISA 2015 enables is not without its challenges.
A September 2024 report from the DHS Office of Inspector General found that participation in the Automated Indicator Sharing program, CISA's primary mechanism for implementing the law, has declined to its lowest level since 2017.
The number of AIS participants fell from 304 in 2020 to 135 in 2022. Over the same period, the sharing of cyber threat indicators through AIS dropped by 93%, largely because a key federal agency stopped sharing data due to security concerns.
The OIG report attributed the decline in participation to CISA's lack of an outreach strategy to recruit and retain data producers.
Some critics also argue the law needs updates to address modern threats like supply chain attacks and to improve reciprocal information sharing from the government.
However, most stakeholders agree that renewal should come first to avoid creating security gaps. As the Information Technology Industry Council noted, a swift, "clean" extension is preferable to a lapse in authority.
Is Congress going to reauthorize CISA 2015?
Multiple legislative efforts are in motion to prevent the law from sunsetting.
In the House, the Homeland Security Committee unanimously approved the Widespread Information Management for the Welfare of Infrastructure and Government Act, or WIMWIG Act, H.R. 5079, on Wednesday. That bill now awaits consideration by the full House.
Sponsored by Rep. Andrew Garbarino, a Republican from New York and chair of the committee, the bill would extend CISA 2015 through 2035 while making several reforms, including changes to government information sharing and requiring an outreach plan to ensure entities such as small or rural critical infrastructure owners are aware of the program.
BPI's Hogsett said the institute was "grateful to Chairman Garbarino for his work to renew" the act.
In the Senate, Sen. Gary Peters, a Democrat from Michigan, introduced the Cybersecurity Information Sharing Extension Act, S. 1337, in April.
This bill, backed by Republicans including Sen. Susan Collins of Maine and Sen. Mike Rounds of South Dakota, would provide a clean reauthorization of the law through 2035 without making any changes.
Some industry leaders support this approach to avoid a lapse in authority, arguing that even well-intentioned reforms could slow down the process.
That bill languished for weeks in committee, but in July, the Senate Select Committee on Intelligence passed a clean 10-year reauthorization of CISA 2015 as part of a larger funding authorization bill. The larger bill passed the committee on July 15 by a 15-2 vote and now awaits consideration by the full Senate.
Does this affect CISA, the agency?
The potential expiration of the Cybersecurity Information Sharing Act of 2015 does not threaten the existence of the Cybersecurity and Infrastructure Security Agency, or CISA.
Though they share an acronym, a separate law established the agency. The agency helps implement the information-sharing law but would continue to operate even if the act is not reauthorized.