Expired Cybersecurity Law has become a new and urgent risk for U.S. banks and their customers.
With the lapse of a key federal statute, industry leaders fear slower sharing of threat intelligence and weaker legal protections.
As lawmakers debate a fix, the sector faces rising attacks and uncertainty, according to the original report.
Expired Cybersecurity Law: Key Takeaway
- The Expired Cybersecurity Law raises risk across banking, since loss of statutory tools can delay threat sharing and weaken coordinated defense.
Protect your institution while Washington considers next steps
- IDrive, secure cloud backup for fast recovery when ransomware strikes
- Auvik, network visibility and monitoring to detect intrusions early
- 1Password, enterprise password and secrets management for every team
- Optery, remove exposed employee data from the web to reduce social engineering
- Passpack, shared credential control with access logs and policy rules
- Tenable Vulnerability Management, continuous scanning that hardens critical systems
- EasyDMARC, stop domain spoofing and improve email trust across the enterprise
These solutions can help close gaps created by the Expired Cybersecurity Law.
Why the Expired Cybersecurity Law Matters Now
The Expired Cybersecurity Law removed a central framework that encouraged cross-sector sharing of indicators of compromise and of the tactics used by attackers.
Without clear liability protections and standardized channels, some institutions may hesitate to share data quickly, which can slow collective defense against fast-moving threats.
Bank boards and executives now face practical questions: Which legal safe harbors still apply? Which contracts with partners or utilities need updates? How should institutions document their sharing decisions during this gap?
The Expired Cybersecurity Law had reinforced trust among participants in the ecosystem. Its absence can raise uncertainty at the exact moment when criminal groups are testing defenses with phishing, credential theft, and supply chain attacks.
Federal agencies continue to provide guidance and voluntary programs that support resilience. The Cybersecurity and Infrastructure Security Agency offers threat advisories and resources on incident reporting for critical infrastructure at CISA.
Risk management teams can also align controls with the NIST Cybersecurity Framework and with supervisory expectations such as the FDIC cybersecurity resources.
Operational risks and a changing threat landscape
Even short gaps in statutory clarity can be exploited by adversaries. Several recent incidents show how quickly attackers pivot.
For example, financial sector breaches like the FinWise Bank data breach remind leaders that exposed data fuels more fraud, more phishing, and more account takeovers.
The Expired Cybersecurity Law may slow the early warnings that help stop this cascade.
- Ransomware groups continue to evolve, which increases the cost of downtime and recovery
- Third-party exposure remains a top risk area as vendors connect to core systems
- Emerging tactics such as AI-assisted password cracking raise the stakes for identity security, as seen in research on how AI can crack passwords
Institutions can strengthen readiness now. Review incident response plans, practice tabletop exercises, and refresh playbooks with current intelligence. For structured guidance, see proven advice on six steps to defend against ransomware.
These actions reduce the blast radius if sharing slows during the Expired Cybersecurity Law period.
Regulatory obligations and the path to renewal
The Expired Cybersecurity Law intersects with a web of sector rules and expectations. Banks still must report significant incidents to their primary federal regulator within required timelines, and they must maintain safety and soundness controls.
Supervisory agencies will continue to test firms on detection, response, and recovery.
Lawmakers are weighing options to restore or modernize statutory tools. According to the original report, industry groups are pressing for clarity on liability protections around information sharing.
Clear law can encourage faster collaboration, which is essential when attacks hit payment systems or core banking services.
What bank leaders should do this week
- Map where information sharing occurs, and confirm legal, contractual, and technical safeguards
- Reaffirm membership and participation in trusted sharing communities
- Validate backups, segmentation, and identity controls to limit damage
- Update board briefings to explain the Expired Cybersecurity Law and current risk posture
Implications for Banks, Customers, and Markets
The Expired Cybersecurity Law brings disadvantages that deserve urgent attention. The most immediate risk is slower exchange of actionable intelligence, which can give attackers more time to move inside networks.
The loss of clear liability protections can also dampen collaboration, which raises the chance that a local incident becomes a wider event. Customers may experience service delays if institutions need more time to verify indicators and block threats.
There are also potential advantages if Congress uses this pause to modernize the framework. A renewed statute could better address cloud, third-party risk, and real-time data exchange that uses privacy-preserving methods.
It could also align more directly with the NIST framework and with evolving regulatory guidance.
Clearer rules and stronger incentives may strengthen confidence in information sharing over the long term, which would offset the near-term turbulence caused by the Expired Cybersecurity Law.
Build resilience while policy evolves
- Tresorit, encrypted cloud storage that protects sensitive financial documents
- Tenable Attack Surface Management, find exposed assets before criminals do
- EasyDMARC, authenticate email to reduce phishing that targets customers
- 1Password, safeguard admin credentials and banking secrets at scale
- Auvik, monitor networks to spot lateral movement in minutes
- IDrive, reliable backups that speed recovery after an incident
- Passpack, enforce strong access policies for distributed teams
These tools help mitigate risks intensified by the Expired Cybersecurity Law.
Conclusion
The Expired Cybersecurity Law has introduced a period of uncertainty at a time when threats are rising. Banks cannot wait for a perfect policy outcome. They must push forward with the controls and partnerships that reduce risk today.
Resilience starts with solid basics, which include identity security, vulnerability management, tested backups, and clear incident response. It also depends on trusted sharing with peers and government partners, which remains vital even during the lapse.
Customers and markets benefit when defenders move first. Clear action and transparent communication can narrow the window of exposure created by the Expired Cybersecurity Law and keep critical services running.
FAQs
What exactly expired?
- A key federal statute that supported timely cyber threat information sharing and provided certain legal protections has lapsed.
What risks does the lapse create?
- It can slow intel sharing and raise legal uncertainty, which gives attackers more time to operate.
How should banks respond now?
- Strengthen controls, review reporting duties, and engage trusted sharing communities while monitoring policy updates.
Where can I find official guidance?
- See resources from CISA and the NIST Cybersecurity Framework.
What if a major attack occurs during the lapse?
- Follow your incident response plan, coordinate with regulators, and use established reporting channels, including guidance on incident response for DDoS attacks.
About Cybersecurity and Infrastructure Security Agency
The Cybersecurity and Infrastructure Security Agency is the national coordinator for critical infrastructure security and resilience. It supports both public and private sector partners.
CISA shares alerts, advisories, and best practices that help organizations identify risks, protect systems, detect intrusions, respond to incidents, and recover from cyber events. It also offers exercises and assessments.
Financial institutions can use CISA resources to enhance readiness during this Expired Cybersecurity Law period and to stay aligned with evolving risks and standards.
Additional reading that adds context includes research on AI and password risks and practical steps in defending against ransomware.