The U.S. House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection held a hearing on May 15 to weigh the reauthorization of the Cybersecurity Information Sharing Act of 2015, which is set to expire in September 2025, and to discuss opportunities for reform.
Subcommittee chairman Rep. Andrew Garbarino (R-NY) said the law has provided liability and privacy protections and he supports its reauthorization. The law has also facilitated better information sharing, helped secure networks, and improved the nation’s overall cybersecurity posture.
“Information sharing is a critical component of our nation’s defense against global cyber threats. From utility companies in rural areas to major banks on Wall Street, the private sector is on the frontlines of the digital battlefield, frequently defending itself from malicious cyber actors,” Garbarino said. “Securing the United States in cyberspace requires a whole-of-society approach—strong partnerships and close coordination between industry and government at all levels. Our national resilience against cyber threats is reinforced by sharing threat information and best practices among all stakeholders.”
Garbarino added that the Cybersecurity and Infrastructure Security Agency (CISA) has played a critical role in fostering these information-sharing partnerships.
Among the experts who testified at the hearing was Karl Schimmeck, executive vice president and chief information security officer of Northern Trust, on behalf of SIFMA. Schimmeck spoke in strong support of reauthorizing the law.
“SIFMA and the financial services industry remain committed to strengthening the cybersecurity of our nation’s critical infrastructure. CISA 2015 has been a vital tool in building the trust, structure, and legal certainty needed for effective, real-time collaboration between the private sector and government,” Schimmeck said. “It has made our institutions more resilient, our responses more coordinated, and our defenses more adaptive. Allowing the Act to lapse would weaken one of the most constructive public-private partnerships in cybersecurity policy to date. We respectfully urge this Subcommittee and Congress to act swiftly to reauthorize CISA 2015.”
Schimmeck laid out several reasons why timely reauthorization is essential. Among them, he said:
- The U.S. Government and the private sector face daily cyber threats that require cross-sector information sharing to capably combat.
- Legal protections under CISA 2015 are necessary to facilitate information sharing by and among private companies.
- CISA 2015 provides legal and liability protection for entities that share cyber threat indicators pursuant to the Act. Prior to CISA 2015, existing laws did not clearly shield private entities from regulatory enforcement actions, civil actions, or antitrust enforcement actions when sharing cyber threat information. Such protections encourage voluntary information sharing, which has become necessary for defending against cyber threats.
- Public-private information sharing has been beneficial to the financial services industry’s cybersecurity programs.
- A lapse in the legal framework provided in the Act could discourage essential information sharing.
SIFMA is the leading trade association for broker-dealers, investment banks and asset managers operating in the United States and around the world.