Landmark cybersecurity information sharing legislation that provided both affirmative authorizations and liability protections expired on September 30, 2025, creating uncertainties about future sharing activities. When it was passed 10 years ago, the Cybersecurity Information Sharing Act of 2015 (CISA 2015) reflected a bipartisan decision to provide much-needed clarity in cybersecurity about the lawfulness of information sharing, deployment of defensive measures, and network monitoring activities. As we explained in our previous post as the reauthorization deadline loomed, CISA 2015 provided liability protection for sharing cyber threat information and defensive measures for a cybersecurity purpose with the U.S. Department of Homeland Security, law enforcement, and between private sector entities. The law included privacy protections, an antitrust exemption, protection of attorney-client privilege, confidential treatment for commercial, financial, and proprietary information shared with the government, and federal preemption. The expiration of CISA 2015 has created uncertainty for companies who relied on the statute’s protections and could have a chilling effect on the sharing of cyber information at a time when ransomware and nation-state attacks have been escalating.