CISA 2015 Receives Extension, Offering Brief Relief for Cyber Information Sharing

A critical US cyber law that had lapsed in September 2025 has received a short-term extension as part of the effort by lawmakers to reopen the US government following the prolonged shutdown.

The Cybersecurity Information Sharing Act (CISA 2015), which shields companies from legal liability when they share cyber threat intelligence, underpins cyber information sharing in the US and beyond.

At its core, the legislation protects businesses from lawsuits when they exchange cyber threat indicators and defensive measures with the federal government and with each other, including through the voluntary Automated Indicator Sharing (AIS) program run by the Department of Homeland Security.

It also brought clarity on what can be shared with partners and government agencies, and how to do so securely.

This clarity matters, as a new CISO survey by automated incident response platform provider Binalyze found that a single hour of delay in cyber incident response costs the surveyed US organizations $114,000 on average.

The Continuing Appropriations, Agriculture, Legislative Branch, Military Construction and Veterans Affairs, and Extensions Act, 2026 was adopted by the US Senate on November 9, paving the way to end the government shutdown. It included a clause extending CISA 2015 until January 30, 2026, the same date on which the stopgap funding it provides runs out.

Despite this extension, it remains unclear whether Congress will reauthorize the law before the new sunset date.

CISA 2015 Short-Term Extension, Just A “Temporary Patch”

This short-term reauthorization was generally welcomed by cybersecurity professionals, but some urged a longer-term, if not permanent, extension.

Speaking to Infosecurity, Errol Weiss, CSO of the Health Information Sharing and Analysis Center (Health-ISAC), said it was “a good sign” that the CISA 2015 extension clause was included in the continuing resolution, as it proved that “there is definitely support for the law.”

“When CISA 2015 expired on September 30 and we knew the budget wasn’t going to get passed, I feared that it was going to get lost in the more ‘serious’ issues of the budget. Now the two are tied together, we are back at it again until January,” Weiss said.

However, he also described the move as “a temporary patch” and urged the US Congress to “look at extending CISA 2015 permanently or at least for another 10 years.”

Weiss said that the Act’s lapse at the end of September had almost no effect on the rate of information sharing among Health-ISAC members, which he characterized as “in steady growth for years.”

However, he added, “The real hit we have seen has been with organizations’ willingness to share cyber threat information with the federal government.”

“I feel that we are seeing less coming from government partners, such as the FBI, the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA). This is due to several factors, which include the lapse of CISA 2015,” he explained.

Cyber-Attack Remediation Hampered by Lack of Talent

One of these factors is the reduction in staff at US federal agencies. Weiss said this affected people whom cybersecurity professionals know, trust and have built relationships with over years.

Meanwhile, CISOs are themselves understaffed and already face a combination of heightened cyber threats and internal issues, which makes the lack of clarity over what they can share with governments even harder to deal with.

Today, 84% of CISOs believe a successful cyber-attack targeting their organization is “inevitable”, according to the State of Cybersecurity Investigations 2025, a report published on November 18 by Binalyze.

Internally, many of the 200 US-based CISOs surveyed for the report said they were ill-prepared for these threats: respondents admitted they are able to respond to only 36% of cyber-attacks on average.


Additionally, 70% said they have struggled to remediate or recover from an attack in the past year.

The struggle does not stop after one incident, with 75% of CISOs saying there is “no guarantee” that the exact same attack won’t succeed again and 65% admitting their organizations “haven’t always” learned the right lessons.

The primary challenge cited by the surveyed CISOs is talent: nine in ten (90%) respondents pointed to a lack of skills as the top reason for their incident response difficulties.

This gap is partly a consequence of budget priorities. 79% of organizations favor cyber-attack prevention over incident response, and budgets average a 2:1 ratio in favor of prevention ($3.02m versus $1.54m).

While the impact of a cyber-attack can be daunting, a poor response adds to the organization’s burden. The Binalyze survey respondents estimated the cost of a single hour of delay in cyber incident response at around $114,000.

Incident Response’s Lack of Clear Policy Costs US Enterprises $48.1bn

Moreover, a lack of clarity in cyber investigations also hampers incident response. Most CISOs (68%) have “inaccurately reported” a breach to regulators because of a lack of forensic clarity, and 74% have claimed less from their insurance provider than they were entitled to because they lacked confidence in the claim.

Over the past five years, CISOs estimated that this lack of clarity has cost US organizations $1.1m each, on average. Scaled up to the national level, that would mean the lack of clarity in cyber investigations has cost US enterprises $48.1bn in total over the past five years.

Weiss told Infosecurity he would like to see in a future longer-term extension of CISA 2015 “more explicit language” protecting organizations that are sharing cyber incident information, not only cyber threat information.

“One of the big issues that internal counsel would bring up is that if they were to share incident information more broadly, more publicly, it could be used against them in any potential class action lawsuit. And these seem to be the norm, these days,” he explained.

Findings from the Binalyze report are based on a survey of 200 US CISOs and others with sole responsibility for IT cybersecurity decision-making at enterprises with 500 or more employees. Research was performed in September 2025.

The $48.1bn figure is based on multiplying the number of US businesses with over 500 employees (43,779, per the NAICS Association) by the average $1.1m cost each business has incurred over the past five years due to a lack of clarity in cyber investigations.