Can Cyber Threat Intelligence Sharing Continue After CISA 2015’s Lapse?

30 Oct 2025
Client Alert

The expiration of the Cybersecurity Information Sharing Act of 2015 (CISA 2015 or the Act) on September 30, 2025 has quietly reshaped how organizations should approach cyber threat intelligence sharing. For the past decade, CISA 2015 provided the legal foundation on which many public and private entities relied to collaborate against common cyber threats. CISA 2015 offered key liability protections, authorizations, and confidentiality assurances that were designed to encourage companies to share critical threat intelligence without fear of legal exposure.

As companies enter a new liability landscape, the fundamental value of sharing cyber threat intelligence has not changed, but the risk calculus has.

What Is Different Now That CISA 2015 Lapsed

CISA 2015 was enacted to strengthen the U.S. cybersecurity posture by promoting timely and robust cyber threat information sharing between the public and private sectors. The Act included important protections for sharing cyber threat indicators and defensive measures, both among private companies and with government agencies. Under the Act, companies were expressly permitted to monitor their own networks and those of consenting partners, take defensive measures against cyber threats, and share threat indicators with peers and the U.S. government for legitimate cybersecurity purposes, while enjoying statutory safe harbor from civil liability for monitoring and sharing conducted in accordance with the Act. CISA 2015 also provided antitrust and privilege protections, designed to encourage competitors to exchange threat intelligence without violating competition laws or waiving legal privilege or confidentiality.

With the Act’s expiration, those protections no longer apply, so the potential for legal and reputational risk has increased, particularly for information sharing by and among private sector companies.

Balancing Collaboration and Legal Risk

Below we highlight potential impacts of the Act’s lapse in three key contexts:

  • Law Enforcement Engagement: The expiration of CISA 2015 does not mean organizations should stop engaging with U.S. federal law enforcement partners. Cybersecurity incident-related engagement with federal law enforcement (such as the FBI or Secret Service) and with the Cybersecurity and Infrastructure Security Agency (CISA) can continue. It is especially important for this information sharing to persist where doing so could help bolster national cybersecurity defense and resilience, impede cybercrime, or mitigate or respond to active threats. Even while the Act was in effect, it was prudent to take a strategic approach to law enforcement disclosures, in particular to ensure legal compliance and mitigate legal exposure. Now, however, it is even more important to take additional precautions to protect sensitive data and to clarify the limits on how the federal government may use and disclose such information. For example, organizations may seek to ensure that sensitive information is shared under clear legal process (e.g., in response to a subpoena) rather than on a purely voluntary basis.
  • Private Sector Information-Sharing Groups: Information sharing among private companies has strengthened cybersecurity by providing early warnings of emerging threats, broader visibility into attack trends, and increased access to proven defensive practices. This collaboration enables participating organizations to respond faster and more effectively while enhancing resilience across the broader digital ecosystem.

    However, the risks of this type of information sharing are significantly impacted by the lapse of CISA 2015. Without the statute’s safeguards and liability protections, organizations face increased risk of antitrust scrutiny and the potential waiver of privilege or confidentiality protection when sharing cyber threat information.

    In particular, sharing detailed threat information with competitors could be viewed as collusion or coordinated anticompetitive behavior, even if cybersecurity defense was the intent. The risks of potential violations of federal antitrust laws include risks of civil enforcement, private civil lawsuits, or even criminal penalties.

    Even if the likelihood of near-term regulatory enforcement remains low, mere allegations of antitrust violations (for example, in civil litigation) can cause reputational damage or trigger additional lawsuits (e.g., shareholder litigation).

    As a result, organizations that participate in information-sharing groups should take a fresh look at what they choose to share, with whom, and under what terms, ensuring that continued collaboration aligns with both risk tolerance and evolving legal protections (or lack thereof).
  • Information Sharing with Other Government Agencies: Beyond engagement with law enforcement, CISA 2015 also provided the basis for cybersecurity information-sharing programs with many U.S. government agencies (e.g., CISA, NSA, Secret Service, Department of Energy, Department of the Treasury). For organizations participating in automated or contractual information sharing with other federal agencies, a measured, risk-based approach is likely the best path forward for now. Organizations should consult with counsel before sharing potentially sensitive material, ensure contracts with government partners are reviewed for confidentiality protections, and weigh the overall benefits of these programs against the potential for increased legal exposure.

Best Practices in an Uncertain Regulatory Environment

CISA 2015’s lapse revives a dormant tension in cybersecurity policy: how to promote collaboration without creating undue legal risk. Until Congress reauthorizes or replaces the law, organizations will need to navigate this gap carefully. Additionally, any reauthorization may add new terms or limitations on information sharing, so organizations should not assume that an identical information-sharing framework will be revived in the future.

The bottom line: while it remains permissible to keep sharing cyber threat intelligence, companies that choose to continue information sharing should do so thoughtfully, strategically, and with the guidance of legal counsel.

As with any robust cyber risk management program, cross-functional coordination is key. Security teams should align closely with legal, compliance, and business leaders, as appropriate, to ensure that sharing practices are consistent, advance cyber resiliency objectives, and stay within existing legal boundaries. Organizations should also document their sharing rationale, make appropriate use of legal privilege where possible, and revisit existing information-sharing agreements to reflect the changed legal landscape. Global organizations should also evaluate the cross-border implications of sharing cyber threat intelligence, as differing privacy and data sovereignty laws may impose additional restrictions or disclosure risks irrespective of U.S. data-sharing frameworks.

Legally compliant data-sharing strategies can help both sustain industry collaboration and reduce individual exposure, even in a changing regulatory landscape. For now, the challenge lies in maintaining meaningful private and public engagement while ensuring that sharing practices remain defensible under existing law.

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.