Cybersecurity Alert: Expiration of Cyber Threat Sharing Law 

As of September 30, 2025, the Cybersecurity Information Sharing Act of 2015 (CISA) has expired without reauthorization. This cyber threat sharing law previously enabled and protected the voluntary sharing of cyber threat indicators between private entities and the federal government.

Key Implications for Organizations

  • Loss of Liability Protections: Organizations no longer have legal immunity when sharing cyber threat data with the government or peers. This increases the risk of litigation related to data privacy, misuse or breach of contract.
  • FOIA and Privacy Concerns: Shared information is no longer exempt from Freedom of Information Act (FOIA) requests. Sensitive business or customer data could be exposed if shared with federal agencies.
  • Reduced Collaboration: The CISA expiration removes antitrust exemptions, potentially discouraging inter-company cooperation on cyber defense. Many firms may scale back or halt participation in information-sharing programs.
  • Impact on National Cybersecurity: The Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (the agency, also abbreviated CISA) may face reduced visibility into emerging threats. This could delay coordinated responses to large-scale cyber incidents.
  • Critical Infrastructure at Risk: Sectors such as energy, healthcare, and finance, which are heavily reliant on private operators, are now less protected and more vulnerable to cyberattacks.

The expiration introduces a complex web of legal and compliance challenges that companies must navigate carefully to avoid unintended exposure.

  • Increased Exposure to Civil Litigation: Without statutory liability protection, companies may face lawsuits from customers, partners or regulators if shared data is misused or leads to harm.
  • Regulatory Compliance Conflicts: Sharing threat indicators may now conflict with data protection laws (e.g., GDPR, CCPA), particularly when personal or sensitive data is involved.
  • Contractual Breach Risks: Data sharing without explicit contractual authorization may violate vendor, client or partner agreements, triggering breach of contract claims.
  • FOIA-Related Reputational Risk: Information shared with federal agencies could be subject to public disclosure, potentially exposing internal security practices or vulnerabilities.
  • Antitrust Scrutiny: Collaborative cyber defense efforts between competitors may now raise antitrust concerns, especially in regulated or concentrated industries.

Recommended Actions

  • Review internal policies on cyber threat data sharing and consult legal counsel.
  • Reassess participation in government-led programs like the Cybersecurity and Infrastructure Security Agency's Automated Indicator Sharing (AIS).
  • Enhance internal threat intelligence capabilities and consider private-sector threat-sharing alliances.
  • Monitor legislative developments for potential reauthorization or replacement frameworks.

Reauthorization is likely; however, the timeline for action is uncertain given the current government shutdown. It is also unclear whether reauthorization would be retroactive.

Final Note

This development introduces legal and operational uncertainty at a time of heightened cyber risk. Organizations should take a proactive stance to mitigate exposure and maintain resilience.

Contact Us

Unsure how the CISA expiration impacts your organization? Reach out to Withum’s Cyber and Information Security Services Team for guidance.