Key cybersecurity law expires, leaving banks exposed

  • Key insight: A critical law that gave companies legal protection to share cyber threat information with each other and the government has expired.
  • What's at stake: Bankers privately warn that the law's lapse could create opportunities for threat actors to target banks or other critical infrastructure.
  • Forward look: Companies will now subject cyber threat information to closer legal review before sharing it, a process expected to slow, or in some cases halt, the flow of data.

Overview bullets generated by AI with editorial review

A law that enables companies to share cyber threat intelligence with each other expired on Wednesday, leaving the financial services industry with weakened cyber defenses.

The expiration of the Cybersecurity Information Sharing Act of 2015, or CISA 2015, leaves U.S. financial institutions and critical infrastructure entities without the federal protections that previously enabled them to share data about cyber threats targeting the industry.

Now, information about ongoing cybersecurity threats is expected to flow more slowly because of legal reviews or to even stop completely, leaving banks blind to the threats that their peers are facing.

The law's expiration coincided with the U.S. federal government shutting down because Congress had not passed a funding resolution.

Industry leaders react to lapse

Financial sector groups are still assessing how the law's sunset will impact defensive operations across the industry. The initial picture is bleak.

"The Cybersecurity Information Sharing Act's expiration has left the nation's critical infrastructure more vulnerable to attacks and injected uncertainty into the security landscape," said Heather Hogsett, executive vice president and head of the tech policy division at the Bank Policy Institute.

Hogsett told American Banker that the protections of CISA 2015 helped companies and government authorities form a broader view of security threats they face.

Conversely, a spokesperson for the Financial Services Information Sharing and Analysis Center, or FS-ISAC, said Wednesday that the center "does not expect sharing to be affected if the law is not extended," though it does support the law's renewal.

The FS-ISAC spokesperson noted in an email to American Banker that the organization has supported information sharing by financial services companies since 1999, long before CISA 2015 existed. It is widely regarded as the first sector-specific ISAC.

BPI's Hogsett also told American Banker that "financial institutions may continue to share with each other," though she warned that the expiration of CISA 2015 "is likely to cause other industries to pull back on sharing, which will create blind spots in our defenses."

In particular, the financial services industry would face greater cyber risk if third-party service providers such as Amazon Web Services, Microsoft or Google became reluctant to share cyber threat intelligence.

"We urge Congress to take urgent action to reauthorize the protections outlined in this law because when industry and government are encouraged to share threat-intelligence data, the entire financial system is safer," Hogsett said.

Although BPI and FS-ISAC have encouraged banks to continue sharing threat intelligence and say that the CISA 2015 lapse is not expected to affect these practices, some bankers privately warn that the lapse has created an opportunity for threat actors.

How CISA 2015 protected banks

Banks and their technology vendors relied on CISA 2015 to exchange information about cyber threats and which defensive measures against these threats are most effective.

This information can sometimes contain personally identifying information, or PII, about individuals who have compromised or attempted to compromise a bank's network or other computer system. This type of information can help a company spot and stop threats.

However, sharing such information also raises concerns about the privacy rights of accused cyberattackers, especially if such an attacker is a U.S. citizen who has not been convicted of any offense.

CISA 2015 shielded banks and other companies from liability claims when they shared threat intelligence, provided they first removed any PII they knew was not directly related to the cybersecurity threat.

Now, these companies must re-examine when and how they share this kind of information with other companies and the government, lest they expose themselves to liabilities related to privacy rights.

Why the bipartisan law expired

Congress failed to renew the law before its expiration despite broad bipartisan support, reportedly as a result of last-minute demands by Sen. Rand Paul, a Republican from Kentucky and chair of the Senate Homeland Security Committee, and allies.

According to reports from Politico and Axios, Paul has tied reauthorizing CISA 2015 to his demands that the Cybersecurity and Infrastructure Security Agency, or CISA, curb its work on foreign disinformation.

On the Senate floor, Sen. Gary Peters, a Democrat from Michigan and proponent of a clean extension, appeared to blame Paul for the lapse, noting that "one of my colleagues" objected to forcing a vote on renewing CISA 2015.

"We are without this critical line of defense," Peters said in a floor speech.

Although the cyber data law shares an acronym with CISA, the agency, the two are distinct: a separate law governs the agency's operations. CISA, the agency, has continued certain essential functions despite the expiration of CISA 2015, the cyber data sharing law, and the federal government shutdown.

Other than Paul, Republicans and Democrats largely supported renewing CISA 2015.

In the Senate, Peters introduced the Cybersecurity Information Sharing Extension Act, S. 1337, in April. The bill, backed by Republicans including Sen. Susan Collins of Maine and Sen. Mike Rounds of South Dakota, would provide a clean reauthorization of the law through 2035 without making any changes.

However, the bill has not made it to a vote on the Senate floor.

In the House, Republicans introduced a stopgap bill this week that would have averted a government shutdown and temporarily renewed CISA 2015, alongside a few other sunsetting provisions.

However, spending disagreements between Republicans and Democrats have stalled the continuing resolution in the Senate, and debate over CISA 2015 has been eclipsed by government funding negotiations.

Financial institutions broadly support renewal

Other organizations across the financial sector, including the American Bankers Association, or ABA, have consistently supported reauthorizing CISA 2015.

A coalition of 13 trade associations, including BPI and ABA, issued a letter in September stating that without the protections codified by the CISA 2015 statute, businesses may be less willing to share cyber threat information for fear of legal exposure.

The groups cautioned that any chilling effect on this information exchange directly benefits nation-state attackers and cybercriminals seeking to degrade U.S. economic and national security interests.

Other immediate consequences

The sunset of CISA 2015 creates several new challenges beyond injecting uncertainty into the security landscape.

The lapse increases the need for legal counsel to review threat information more closely before it is shared, to avoid potential liability. Unless Congress renews CISA 2015, banks are likely to suspend sharing any cyber threat information that might run afoul of federal or state laws.

Organizations have also lost liability protections for sharing threat data with the government and antitrust protections for industry collaboration.

The sunset of CISA 2015 also severely limits CISA's cyber information sharing efforts, according to law firm Davis Wright Tremaine.

Furthermore, just before the government shutdown, CISA had not finalized plans to maintain its Automated Indicator Sharing, or AIS, program after the sunset, according to a report last week from the inspector general of the Department of Homeland Security.

This potentially puts the program, which shares machine-readable cyber threat indicators and defensive measures, in jeopardy. These automated feeds let banks ingest indicators directly into their detection and blocking tooling and respond to threats without manual handling.
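To make concrete what "machine-readable indicators" means in practice, here is an added example, not code from the article, from CISA or from the AIS program. It assumes indicators arrive as STIX 2.1 JSON bundles (the format AIS distributes, though the article does not say so), extracts the observables from each indicator's pattern, and runs them against a handful of constructed proxy, firewall and endpoint log lines. The bundle, the identifiers and the log lines are all made up for the example; a revoked indicator is included to show that withdrawn indicators must be dropped on ingest rather than left in the match set.

```python
"""Ingest a STIX 2.1 indicator bundle and match its IOCs against log lines.

Added example; assumes STIX 2.1 JSON as the transport format.  All data below
is constructed for illustration and is not real AIS content.
"""
import json
import re
from typing import Dict, List, Set, Tuple

# Constructed sample bundle.  Pattern syntax follows STIX 2.1 patterning:
# [object-type:property = 'value'], optionally joined with OR.
SAMPLE_HASH = "d0e1f2a3" * 8  # fake SHA-256, 64 hex chars
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "Constructed C2 infrastructure", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.45'] OR "
                    "[domain-name:value = 'c2.example.invalid']",
         "valid_from": "2025-09-30T12:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "Constructed dropper", "pattern_type": "stix",
         "pattern": f"[file:hashes.'SHA-256' = '{SAMPLE_HASH}']",
         "valid_from": "2025-09-30T12:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "Withdrawn indicator", "pattern_type": "stix", "revoked": True,
         "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "valid_from": "2025-09-30T12:00:00Z"},
        {"type": "course-of-action", "spec_version": "2.1",
         "id": "course-of-action--00000000-0000-4000-8000-000000000005",
         "name": "Block outbound connections to the listed C2 infrastructure"},
    ],
})

# Constructed log lines: two hits, one hash hit, one benign, one revoked IOC.
SAMPLE_LOGS = [
    "2025-10-01T03:14:07Z proxy src=10.0.8.21 dst=c2.example.invalid:443 action=allow",
    "2025-10-01T03:14:09Z fw src=10.0.8.21 dst=203.0.113.45 dport=8443 action=allow",
    f"2025-10-01T03:15:00Z edr host=wks-0412 sha256={SAMPLE_HASH} path=C:\\Temp\\update.exe",
    "2025-10-01T03:16:30Z proxy src=10.0.8.33 dst=www.example.com:443 action=allow",
    "2025-10-01T03:17:02Z fw src=10.0.8.40 dst=198.51.100.7 dport=443 action=allow",
]

# One equality comparison inside brackets; covers the common network/file IOC
# form.  Anything more complex (AND, FOLLOWEDBY, MATCHES) is left unmatched.
_COMPARISON = re.compile(r"\[\s*([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'\s*\]")


def extract_iocs(bundle_json: str) -> Dict[str, Set[str]]:
    """Return {stix-object-type: {values}} from non-revoked STIX indicators."""
    bundle = json.loads(bundle_json)
    iocs: Dict[str, Set[str]] = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue  # course-of-action and other SDOs carry no observables
        if obj.get("revoked"):
            continue  # a revoked indicator must not stay in the match set
        for obj_type, _prop, value in _COMPARISON.findall(obj["pattern"]):
            iocs.setdefault(obj_type, set()).add(value.lower())
    return iocs


# Token extractors per observable kind; matching is exact after lowercasing.
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_DOMAIN_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b", re.I)
_SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
_CHECKS = [("ipv4-addr", _IP_RE), ("domain-name", _DOMAIN_RE), ("file", _SHA256_RE)]


def scan_logs(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Return (line_number, ioc_type, value) for every IOC seen in the logs."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for ioc_type, rx in _CHECKS:
            wanted = iocs.get(ioc_type)
            if not wanted:
                continue
            for token in rx.findall(line):
                if token.lower() in wanted:
                    hits.append((n, ioc_type, token.lower()))
    return hits


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_BUNDLE)
    for hit in scan_logs(SAMPLE_LOGS, found):
        print("line %d: %s %s" % hit)
```

In a real pipeline the bundle would come from a TAXII collection rather than an inline string, and the IOC set would be pushed into a SIEM lookup table or a firewall block list; the ingest step is the same. The revoked case matters: AIS and other feeds do withdraw indicators, and a consumer that never honors `revoked` keeps alerting on stale data.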
