A CEO’s Warning for Corporate America: The Clock Is Ticking on CISA Expiration

Every modern business runs on a digital foundation, and we (corporate leaders and board members) invest heavily in protecting it from market shifts, supply chain disruptions, and financial volatility. Yet a systemic risk to this foundation has crept up with little fanfare, and a crucial deadline is suddenly upon us. If we don’t act fast, the looming expiration of the Cybersecurity Information Sharing Act of 2015 (CISA), on September 30, could have grave consequences for our businesses, and the nation. 

As a CEO who also serves on corporate boards, I see this not as a remote policy debate in Washington, but as an impending crisis that will impact every consumer. Allowing this law to expire—or even renewing it without significant updates—would be a profound failure of risk management, leaving our companies dangerously exposed to the next generation of threats.

The "Chilling Effect" That Will Blindside Business

For a decade, CISA 2015 has been the invisible utility powering our collective cyber defense. Its genius was creating a legal safe harbor, a shield from liability that gave companies the confidence to share information about cyberthreats with each other and the government. It replaced fear of litigation with a framework for trust, transforming our national defense from a series of isolated fortresses into a more collaborative network. 

This legal certainty is now so embedded in our risk calculations that we take it for granted. The law’s expiration would vaporize that trust overnight. The default advice from every general counsel would be immediate and absolute: stop sharing. This chilling effect is not a theoretical risk; it's a direct threat to business continuity. The flow of vital threat intelligence that allows us to anticipate and block emerging attacks would freeze, and every company would be left to fight alone, blind to the threats gathering at the gates.

From Legal Certainty to Regulatory Chaos

The expiration of CISA 2015 would create a dangerous regulatory paradox with the new Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). In essence, the government will be demanding that companies share more sensitive information about breaches under CIRCIA, while simultaneously stripping away the foundational liability protections that make such sharing palatable.

This translates directly to increased legal liability for every public company. Without CISA's protections, sharing information becomes a risky legal gamble. This regulatory chaos will force companies into a minimal-compliance posture: reporting only the bare minimum required by law, and withholding the rich, contextual intelligence that is the lifeblood of effective defense.

But simply renewing the law is not a viable solution; it must be expanded as well. The battlefield has changed so dramatically since 2015 that renewing the old law unchanged would be like choosing to fight a modern war with vintage equipment. Two new fronts have opened that the original law is utterly unprepared to address.

First, the AI revolution has introduced a new, opaque, and deeply vulnerable layer to our technology supply chain. We are all racing to deploy AI tools to drive productivity and innovation. But our own research reveals a chilling reality. Our State of LLM Security Report found that 32% of findings in AI-specific penetration tests are of high or critical risk, the highest of any technology we test. Worse, only 21% of these serious flaws are ever fixed, often because they are embedded in third-party models beyond our direct control. 

These datapoints align with what we heard from security leaders we surveyed in our CISO Perspectives Report: 68% are already deeply concerned about the risks from third-party software. The AI tools we are adopting are a new, insecure supply chain, and the existing CISA law has no mechanism for sharing intelligence about the vulnerabilities within these black-box systems.

Second, our adversaries are burrowing deeper into our infrastructure. Nation-state actors are no longer just attacking our networks; they are targeting the foundational firmware in our hardware. These ghost-in-the-machine attacks are stealthy, persistent, and capable of causing catastrophic damage. The intelligence needed to identify and defend against these deep-stack threats is far more complex than the simple indicators the 2015 law was designed to handle.

A Modernization Mandate for the Board

A clean renewal of CISA 2015 would willfully ignore these new realities, locking in a legal framework that is blind to our greatest risks. This is why the conversation among security professionals, business leaders, and lawmakers must shift from simple renewal to strategic modernization. A CISA 2.0 must include three critical upgrades:

  1. Grant authority to share AI-scale intelligence. The law must be updated to protect the sharing of intelligence about the vulnerabilities within AI models themselves—the manipulative prompts, the data leakage patterns, the behavioral anomalies. This is the only way to create a collective defense for the AI supply chain.
  2. Secure the full tech stack. The liability shield must be expanded to cover the sharing of complex, technical intelligence about deep-stack threats, including firmware. We need to be able to warn each other about vulnerabilities in the very foundation of our digital infrastructure.
  3. Unify crisis response. The law's protections must be broadened to cover seamless collaboration with all our federal partners in a crisis, from the Department of Homeland Security to the FBI. When a multi-stage attack hits, legal ambiguity cannot be the reason for a delayed response.

This is not just a technical debate for IT departments, or a liability issue for the boardroom. It is a fundamental question of business resilience and national security. Allowing our foundational framework for collaborative defense to crumble is a direct threat to the health of every American enterprise and the security of citizens. I urge my fellow CEOs and board members to engage on this issue and use their influential voices to demand that Congress not just renew this law, but upgrade it for the AI era. The clock is ticking.

About Sonali Shah
Sonali Shah joined Cobalt as CEO in August 2024, after serving on the company’s Board of Directors. She is a seasoned business leader and product visionary with more than 20 years of experience scaling high-growth businesses across the cybersecurity landscape. Shah holds an MBA from Wharton and a Master's in Economics from the London School of Economics.