Industry-to-CISA trust requires rebuilding, assert experts

Agency's coordination with private industry weakened due to budget reductions and job losses, according to critics.


The Cybersecurity Information Sharing Act of 2015 (CISA 2015) is currently active but set to expire on September 30, 2025. This law, which facilitates the sharing of cyber threat indicators and defensive measures between federal agencies and private sector entities, has been instrumental in improving cybersecurity collaboration.

Efforts to reauthorize or extend CISA 2015 are actively underway in Congress as of mid-2025. There is growing consensus among lawmakers to pursue a straight reauthorization to avoid disrupting the established cyber threat information sharing framework critical to national security. However, the legislative calendar is tight with only weeks remaining before the September expiration, putting pressure on Congress to act swiftly.

CISA 2015 has been credited with supporting the development of Information Sharing and Analysis Centers (ISACs) across sectors. These centers enhance collective response capabilities and help deter malicious cyber actors. Federal agencies have complied with the act’s privacy and civil liberties requirements and continue to use automated and other channels for sharing cyber threat data.

JPMorgan Chase's chief information security officer, Pat Opet, emphasizes the importance of establishing strong relationships during changes in government leadership or with new industry partners. Similarly, Marci McCarthy, the director of public affairs at CISA, defends the administration's efforts to work with the private sector and mentions $100 million in grant funding offered by CISA and FEMA to support state, local, and tribal communities.

The financial industry, despite being subject to stricter cyber regulations, values specialized threat intelligence. The Treasury Department's T-Suite program involves sharing critical information through its Office of Intelligence and Analysis. The majority of critical infrastructure in the U.S. is owned by the private sector, making the federal government dependent on industry to share insights about security concerns and immediate threats.

CISA collaborated with industry partners and other agencies during the Microsoft SharePoint exploitation campaign in July, using public-private collaboration to inform companies like Microsoft of the situation. U.S. authorities are working to restore trust with their industry partners following months of upheaval under President Donald Trump.

However, senior officials at CISA, the NSA, and other agencies either resigned, took buyout offers, or were fired as part of a downsizing program. Rob Joyce, a former director of cybersecurity at the National Security Agency (NSA), stated that the federal government backslid during the transition, losing leadership and operational capability at various departments and agencies.

Corporate stakeholders are seeking to understand the risk calculus of their technology stacks, addressing the question: Are we a target? The financial industry is not mentioned as a key source of cybersecurity support for local governments in the context of the $100 million grant funding. McCarthy references the Cybersecurity Information Sharing Act of 2015, which provides liability protections for organizations sharing cyber-threat information with each other and government agencies. CISA hopes to see the act reauthorized without changes.

In summary, CISA 2015 remains in effect but will sunset soon unless Congress reauthorizes it. Current indications show bipartisan inclination toward renewal, though the window for action is narrow. The law has been instrumental in improving cybersecurity collaboration and supporting the development of ISACs across sectors. The financial industry, as well as other private sector entities, plays a crucial role in sharing critical threat information with the federal government.

  1. The proposed reauthorization of the Cybersecurity Information Sharing Act (CISA) aims to maintain the current cyber threat information sharing framework critical to national security.
  2. The financial industry values specialized threat intelligence and is actively participating in sharing critical information with federal agencies, such as the Treasury Department's T-Suite program.
  3. Regulations for the financial industry are stricter, but companies are keen on understanding their technology stack's risk calculus to determine if they are a potential target for cyber-attacks.
