ICBA continues working with Congress to advance an extension of a law that strengthens public-private cybersecurity coordination before the law expires next week.
State of Play: The Cybersecurity Information Sharing Act of 2015, which helps ensure community banks have timely access to actionable cyber threat information, is slated to expire this Tuesday, Sept. 30, unless Congress passes an extension.
Liability Protections: The CISA law provides liability protections for all community banks that share threat intelligence with other banks, businesses, and the U.S. government. While FS-ISAC is working on a contingency plan, voluntary threat information sharing is expected to decline by 80-90% if the law lapses.
What it Means for Community Bankers: The lapse in liability protections increases the risk of legal action against banks that share threat intelligence. Without liability protections, each bank needs to assess its risk appetite for continuing voluntary threat information sharing with government and other institutions.
Background on CISA: The bipartisan CISA legislation—enacted after an Office of Personnel Management breach in 2015—provides private-sector entities with information and liability protections for sharing cyber threats. It also includes an antitrust exemption that provides similar protections for sharing between private companies.
Ongoing ICBA Advocacy: In a recent letter to congressional leaders, ICBA and the other groups said that the current cyber threat landscape highlights the need for consistent public-private collaboration and that without the protections codified by CISA, businesses may be less willing to share cyber threat information for fear of legal exposure. The groups previously urged Congress to reauthorize CISA, warning that failure to act could eliminate a valuable tool used to protect U.S. critical infrastructure sectors.
ICBA Resources: Cyber and data security resources for community bankers are available on the ICBA website.
