A New Cyber Reality: The CISA 2015 Sunset, Critical Infrastructure, and Cyber Insurance



 By Dara Gibson

Today, the Cybersecurity Information Sharing Act of 2015 (CISA 2015) has officially sunset, leaving a significant gap in the legal landscape that has governed cyber information sharing for a decade. If you are a leader in critical infrastructure, whether in the energy grid, water sector, or financial services, this is a pivotal moment for your organization and your cyber risk posture.

As a longtime partner in the InfraGard community, I’ve seen firsthand how public-private collaboration can turn the tide against cyber threats. We’ve relied on that collaboration to understand emerging threats and prepare for the inevitable. Now, without the broad liability protections CISA 2015 provided, that sharing dynamic is fundamentally changed.

What does this mean for your organization?

1. A potential chilling effect on threat intelligence sharing
CISA 2015 offered companies a "safe harbor," shielding them from civil lawsuits, antitrust actions, and regulatory penalties when they voluntarily shared cyber threat indicators. Without that specific, explicit protection, some legal departments may become more cautious about sharing sensitive—and potentially proprietary—threat information with the government or peers. For critical infrastructure, where interconnectedness is both a strength and a vulnerability, a decline in timely intelligence sharing could leave organizations more exposed to emerging threats.

2. Increased uncertainty for claims and underwriting
From a cyber insurance perspective, the sunset of CISA 2015 introduces new complexities. When insurance companies underwrite policies, they assess the organization’s risk profile, which includes its security controls, incident response plans, and participation in threat-sharing communities. A decline in robust information sharing across critical sectors could increase systemic risk: the risk that a widespread attack on one sector could trigger catastrophic failures across others. This uncertainty may influence future underwriting standards and even policy terms, particularly concerning exclusions related to catastrophic or systemic events.

3. Heightened focus on proactive measures and partnerships
The sunset of CISA 2015 is a forceful reminder that no single legal act or policy can replace robust, proactive risk management. For InfraGard members and other critical infrastructure owners and operators, the path forward is clear:

  • Reinforce your legal protections: Work closely with legal counsel to understand your exposure when sharing threat data. Update privacy notices, employee acceptable use policies, and system access banners to ensure monitoring and sharing activities are clearly authorized.
  • Leverage non-CISA sharing mechanisms: Remember, InfraGard and other Information Sharing and Analysis Centers (ISACs) have always operated with their own robust frameworks for collaboration. Their value, built on trust and sector-specific expertise, is more important than ever. Continue to actively participate in these communities.
  • Harden your own defenses: A robust information-sharing environment is a valuable supplement, not a replacement, for strong internal security. Underwriters will place an even greater emphasis on your organization’s implementation of foundational security controls, such as multi-factor authentication (MFA), endpoint detection and response (EDR), and robust backup solutions.
  • Engage with your broker: Have a frank conversation with your cyber insurance broker about how the CISA 2015 sunset might affect your policy. Discuss coverage for third-party risk, particularly for outsourced providers who may alter their information-sharing practices.

The sun may have set on CISA 2015, but the threat to our critical infrastructure has not. This new reality demands renewed vigilance, strategic action, and a redoubled commitment to collaboration. Don’t wait for the next incident to find out if you were prepared.
