A key tool in the nation’s defense against cybersecurity threats has lapsed effective October 1, 2025. For the past decade, the Cybersecurity Information Sharing Act of 2015 (“CISA[1]”) has fostered information sharing between the public and private sectors by providing critical safe harbors and liability protections for the businesses and individuals sharing information about cyber threats. CISA established a framework that allows private sector organizations and government agencies to collaborate in real time and share information to prevent and mitigate cyber attacks—a partnership that is essential in a capitalist society where the private sector owns critical infrastructure. U.S. critical infrastructure comprises physical and virtual assets, systems, and networks considered so vital that their destruction or incapacitation would have a debilitating impact on national security, economic security, or public health and safety. The loss of this important collaborative framework disrupts a decade of progress building trust across sector-specific Information Sharing and Analysis Centers (ISACs), which help businesses in critical infrastructure share threat intelligence to protect against cyber and physical threats.
Background
CISA was enacted in 2015 to foster robust cooperation between the private sector and the federal government as cyber threats increased in sophistication and impact. Prior to the law taking effect, general counsels were reluctant to share cyber threat intelligence and information for fear of litigation exposure or regulatory scrutiny. CISA broke down those barriers by providing critical liability and antitrust protections for companies that voluntarily shared cyber threat intelligence with government agencies and other participants. CISA, as originally enacted, was effective from the date of its enactment until September 30, 2025.
CISA established key protections to address barriers to information sharing:
Liability Shield: Cybersecurity incidents targeting private organizations often lead to civil lawsuits seeking to hold the targeted organization liable for the disclosure of personal or other sensitive information. The liability shield protected organizations from lawsuits arising from the act of sharing information on cyber threat indicators and defensive measures, even if that data revealed their own security shortcomings, as long as the information was provided in accordance with processes set out by CISA.
Antitrust Safe Harbor: CISA confirmed that sharing cyber threat information would not be considered collusion or anti-competitive behavior under antitrust laws. Given the sector-specific nature of information sharing (often through ISACs), the businesses sharing information are often competitors. Under antitrust laws it is risky to share sensitive information among rivals, as it could be interpreted as a form of collusion.
FOIA Exemption: CISA exempted information shared pursuant to its terms from disclosure under freedom of information requests. This gave businesses some assurances that information shared (indicators of compromise, tactics/techniques) would not be attributed back to the individual business or discoverable in a FOIA request.
Regulatory Enforcement Limitation: Per CISA’s terms, information shared under the framework could not be used by states to bring regulatory enforcement actions. As state regulators increase scrutiny of businesses’ cybersecurity practices, this protection was designed to encourage private sector organizations to voluntarily share cyber threat information with the government.
Privilege Protection: CISA provided that sharing information pursuant to its terms would not constitute a waiver of the attorney-client privilege or work product doctrine – a key concern for many organizations conducting privileged forensic investigations into cyber attacks.
CISA also expressly allowed companies to monitor their own networks and, with consent, networks of other private entities, activities which could otherwise have exposed them to liability under laws like the Electronic Communications Privacy Act.
By removing these legal risks, CISA encouraged organizations to conduct defensive measures and share threat intelligence data with other businesses, as well as government agencies. This, in turn, helped the security community respond to threats in real time and share information with other businesses to prevent attacks from spreading across digital supply chains and sectors.
Legislative Outlook: Efforts to Extend CISA
Despite widespread support across industry and government for extending the law, efforts to reauthorize CISA have faltered amid wider partisan disputes. The House Homeland Security Committee approved a revised bill in early September, adding updated language to address new threats such as AI-powered attacks. The House bill maintained the liability protections introduced by CISA: the liability shield and the antitrust safe harbor. House Democrats had called for a 10-year renewal, but the final proposal passed in the House was a short-term extension aligned with the timing of the short-term funding extension House Republicans are seeking.
In the Senate, Homeland Security Chair Rand Paul introduced a bill with significant changes, including removing liability protections for companies whose incidents violate user agreements or privacy policies. These changes have drawn sharp opposition from members of the security community as well as business leaders, who argue they would significantly undermine the program’s effectiveness.
A markup of the Senate bill in the week preceding CISA’s expiration was canceled, and negotiations have stalled. Senate aides had hoped for a one-year extension to allow more time for debate, but the government shutdown has put even this temporary fix in jeopardy. The White House included a short-term extension in its funding proposal, but its passage depends on resolving broader budget disputes.
The Impact of Expiration
The failure to renew CISA means that as of October 1, 2025, the key protections codified by the law, including the liability shield and safe harbor, have lapsed. Unfortunately, threat actors will not stop their attacks during the shutdown, and the loss of these important legal protections will have an immediate chilling effect on sharing information and public-private partnership. According to a Wall Street Journal report, Tony Monell, a former senior cyber policy adviser at the Department of Defense, predicts that “information sharing [will] almost cease to exist overnight.”
Without CISA’s liability and antitrust protections, companies must now weigh the risk of lawsuits, regulatory scrutiny and antitrust liability before sharing or receiving threat intelligence. These considerations are especially acute for sectors where sharing may be misconstrued as anti-competitive, such as financial services or energy, or in a litigious environment where plaintiffs’ counsel aggressively scrutinize organizations that are candid about their cybersecurity activities. Businesses should not need to choose between taking actions to deter and mitigate cybersecurity threats and avoiding legal liability—but this is the impossible choice that general counsel, CISOs, and other organizational leaders now face.
Antitrust Consequences for ISACs and ISAOs
The expiration of CISA means that participants in ISACs and ISAOs must now consider the antitrust implications of sharing cyber threat information. The removal of a statutory safe harbor raises the specter of enforcement actions by state attorneys general and federal agencies or private litigation. Legal counsel will need to carefully review any information-sharing arrangements to ensure compliance with antitrust laws. Even where suitable avenues to share information are identified, it is inevitable that the lapse of CISA protections will slow or curtail the flow of vital threat intelligence.
What’s Next?
If Congress cannot reach agreement, the U.S. faces a period of heightened vulnerability. Companies may revert to sharing limited, cherry-picked, or obsolete information, if they share at all. While some states may step in to attempt to create their own information-sharing programs, such approaches would likely result in fragmentation and at best would function as a stopgap solution. The expiration of CISA marks a turning point in U.S. cybersecurity readiness and resilience. Information sharing is crucial for collective defense against sophisticated threats, and for critical infrastructure in particular.
What Can Businesses Do Now That CISA Has Expired?
Companies can take steps to mitigate the impact of CISA’s expiration, including:
- Consider other sources of cyber threat intelligence;
- Evaluate your legal risk based on the type of information and methods of information sharing used by the business;
- Legal and InfoSec should discuss what current information sharing is happening and whether there are specific data sharing agreements and confidentiality agreements that may offer additional protections;
- Participate in less formal information-sharing initiatives, like CISO roundtables or in-person forums;
- Review and update privacy policies and terms and conditions to ensure there is a legal basis for any defensive measures being taken;
- Ensure strong data minimization practices whenever cyber threat data is being shared, to ensure personal identifying information is removed.
[1] The Cybersecurity Information Sharing Act shares an acronym with the Cybersecurity and Infrastructure Security Agency, which is tasked with implementing many of the law’s directives.