
The Cybersecurity Information Sharing Act of 2015 (CISA 2015) was enacted to provide procedures and liability protections for the voluntary sharing of cybersecurity threat information between businesses and the federal government. Although the law briefly expired on Oct. 1, a new funding bill proposed on January 20 seeks to extend protections through September. However, the recurring threat of a lapse and the recent history of actual expiration prove that a statutory safe harbor is a fragile foundation for an enterprise security strategy, and risk leaders need to address new legal and operational challenges.
Addressing Potential Legal and Compliance Risks
Without a clear safe harbor for information sharing, risk will shift from the security operations center (SOC) to legal teams. What used to be a well-defined sharing channel becomes a gray area. Counsel will ask more complex questions, such as “Who are we sharing with?” “Under what agreements?” and “What is the exposure if an indicator of compromise (IOC) is wrong, sensitive or later discoverable in litigation?” Many companies will default to caution, which will manifest as more reviews, narrower sharing and delays that blunt defensive value.
Companies will need better governance to address these risks. To help preserve resilience and defensibility, organizations should:
- Update your information-sharing program. Make a simple list of every place the organization shares threat data, including vendors, partners, and information sharing and analysis centers (ISACs/ISAOs). Note what is shared, with whom, and why. Update any agreements to clearly outline what is allowed, how it is sent, how long it is kept, and who can access it. Create legal-approved templates for urgent sharing so teams are not writing ad-hoc emails under pressure. A temporary return of protections does not remove the need to tighten this foundation now.
- Review and record data monitoring activities. Assume detection and data handling activities will be closely scrutinized. Minimize data to what the control actually needs, enforce role-based access and immutable logging with appropriate retention, and record the rationale for each field collected by mapping detections both to MITRE ATT&CK, a widely used framework that documents real-world adversary tactics and techniques, and to clearly defined business-risk scenarios.
- Keep threat intel flowing. Favor contractual pathways with explicit permissions over informal sharing, and route indicators through vetted clearinghouses, ISACs/ISAOs or reputable commercial providers when possible. Ongoing staffing losses and weakened partnerships mean that even protected programs may operate with less speed and reach, and programs built solely on statutory shelter will face renewed strain if another lapse occurs.
- Double down on internal collaboration. Merge data collection from endpoint detection and response (EDR), identity, email, cloud and key vendors into a single risk picture. Automate triage and enrichment with WHOIS (domain registration and ownership details), geolocation and sandbox verdicts so analysts can make faster decisions. Translate exposure into business terms that leadership understands, such as revenue at risk, critical process downtime or regulatory implications. Strengthening internal visibility reduces reliance on external signals that may be delayed, deprioritized or unavailable with shifts in federal programs or the legal landscape.
- Align with current frameworks that boards and regulators recognize. Use NIST CSF 2.0 for governance and measurement, and ISO/IEC 27001:2022 (and SOC 2, where applicable) for rigorous control. Maintain a living matrix that ties each control to the specific business risk it mitigates, the owner, the test procedure and the evidence source. This provides leaders with continuity.
- Modernize incident communications and disclosure before you need them. Establish legally approved communication trees for regulators, customers, partners and law enforcement. Pre-draft holding statements and notification templates with placeholders, allowing counsel to approve them quickly. If you operate globally, bake cross-border transfer and notification rules into these playbooks. Recent uncertainty surrounding CISA 2015 highlights the importance of having mature communication plans that are not dependent on a stable regulatory backdrop.
- Adapt third-party risk management for the new environment. Require suppliers to contractually commit to sharing indicators of compromise (anonymized where necessary), to specific logging and retention obligations, and to cooperation during investigations. Add downstream notification clauses so you are not waiting days for a critical partner to “check with legal.” Partners may be cautious, so contracts must reduce ambiguity.
- Exercise the system. Run tabletops for “no-safe-harbor” scenarios, including contested sharing, delayed intelligence, multi-party incidents and counsel-driven go/no-go decisions to score speed, accuracy and documentation. Brief the board on clear thresholds for when legal risk justifies slower external sharing and when mission risk takes precedence.
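The first three items above (a register of every place threat data is shared, minimization of what leaves the organization to what each agreement permits, and immutable logging of what was shared, with whom and why) can be enforced at the point where an indicator leaves the SOC. The following is an added Python example, not code from the article or from any named program; the recipient names, agreements, indicator fields and hostnames are constructed sample data, and the hash-chained log stands in for whatever tamper-evident store the organization actually uses.

```python
"""Outbound threat-indicator sharing gate with a hash-chained audit log.

Added example, not code from the article. It models three of the controls
above: a register of where threat data is shared and under which agreement,
minimization of the fields that leave the organization to what each agreement
permits, and an append-only audit record of what was shared, with whom and why.
Every recipient, agreement and indicator below is constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Traffic Light Protocol markings, least to most restrictive.
TLP_ORDER = {"TLP:CLEAR": 0, "TLP:GREEN": 1, "TLP:AMBER": 2, "TLP:RED": 3}


@dataclass(frozen=True)
class SharingAgreement:
    recipient: str              # constructed name of an ISAC, vendor or partner
    allowed_fields: frozenset   # indicator fields the agreement permits us to send
    max_tlp: str                # most restrictive marking the recipient may receive
    retention_days: int         # how long the recipient may keep what we send


# The sharing inventory: one row per place the organization shares threat data.
AGREEMENTS = {
    "example-isac": SharingAgreement(
        "example-isac",
        frozenset({"type", "value", "first_seen", "attack_technique", "tlp"}),
        "TLP:AMBER", 365),
    "example-vendor": SharingAgreement(
        "example-vendor", frozenset({"type", "value", "tlp"}), "TLP:GREEN", 90),
}

# A constructed indicator as it exists internally. "internal_host" must never
# leave the organization; no agreement lists it as an allowed field.
SAMPLE_INDICATOR = {
    "type": "domain",
    "value": "malicious.example",
    "first_seen": "2025-10-02T14:05:00Z",
    "attack_technique": "T1071.001",   # ATT&CK mapping recorded with the detection
    "tlp": "TLP:AMBER",
    "internal_host": "ws-finance-17",
}


class AuditLog:
    """Append-only log; each entry commits to its predecessor by SHA-256."""

    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "record": record, "hash": digest})
        return digest

    def verify(self):
        """Recompute the chain; any edited or reordered entry breaks it."""
        prev = "0" * 64
        for entry in self.entries:
            body = json.dumps(entry["record"], sort_keys=True)
            if entry["prev"] != prev:
                return False
            if hashlib.sha256((prev + body).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def share_indicator(indicator, recipient, rationale, log, now=None):
    """Gate one outbound share. Returns the minimized payload that may be sent,
    or None when sharing is blocked. Both outcomes are written to the log."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    base = {"ts": stamp, "recipient": recipient, "rationale": rationale}
    agreement = AGREEMENTS.get(recipient)
    if agreement is None:
        log.append({**base, "decision": "blocked", "reason": "no agreement on file"})
        return None
    if TLP_ORDER[indicator["tlp"]] > TLP_ORDER[agreement.max_tlp]:
        log.append({**base, "decision": "blocked",
                    "reason": f"{indicator['tlp']} exceeds {agreement.max_tlp}"})
        return None
    payload = {k: v for k, v in indicator.items() if k in agreement.allowed_fields}
    dropped = sorted(set(indicator) - agreement.allowed_fields)
    log.append({**base, "decision": "shared", "fields": sorted(payload),
                "dropped": dropped, "retention_days": agreement.retention_days})
    return payload


if __name__ == "__main__":
    log = AuditLog()
    print(share_indicator(SAMPLE_INDICATOR, "example-isac", "active C2 domain", log))
    print(share_indicator(SAMPLE_INDICATOR, "example-vendor", "active C2 domain", log))
    print(share_indicator(SAMPLE_INDICATOR, "unknown-partner", "ad-hoc request", log))
    print("audit chain intact:", log.verify())
```

The design point is that the gate answers counsel's questions before they are asked: a share to a recipient with no agreement on file is refused rather than improvised, a TLP:AMBER indicator cannot go to a partner cleared only for TLP:GREEN, internal-only fields are stripped by allow-list rather than by analyst judgement, and every decision, including refusals, is recorded with its rationale and the applicable retention period in a log whose entries cannot be silently edited later.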
Key Takeaways for Organizations
Put simply, you cannot outsource your risk picture to federal regulations. Even before the CISA 2015 lapse, participation in some government programs was uneven, and recent workforce cuts, program disruptions and strained relationships have further limited consistency and coverage. Companies with stronger governance will experience less future volatility than those that rely on external early warnings.
There are also critical business relationship considerations. If your sharing slows and a partner is blindsided by an incident that an indicator of compromise (IOC) you could have provided would have prevented, the relationship may suffer, even if you had good reasons. Balancing mission need and legal exposure is the new test. The board should expect and fund programs that preserve speed while remaining defensible.
With the long-term status of CISA 2015 still in flux, it is important to keep detection, decision and disclosure moving as if the liability shield may shift again. In parallel, tighten governance and contracts so that they remain effective even if the law takes on a different form. This process begins with governance, risk and compliance (GRC) discipline, which involves centralizing oversight, automating attestations and control testing, aligning controls with recognized frameworks, and providing leaders with real-time views of exposure and remediation. Those steps cut manual effort, preserve institutional knowledge and keep operations moving even when legal review takes on a bigger role.
Cyberthreats will not wait for a legislative fix. Treat the safe-harbor gap as a stress test. If intelligence sharing were to slow down tomorrow, would detections continue, counsel have clear lanes, partners know what to expect, and the board understand the tradeoffs? If not, it is time to close those gaps.