NEW YORK—Cyberattacks are rising in frequency and cost, putting Fis and fintechs— with their vast data stores and interconnected networks — squarely in hackers’ sights, PYMNTS points out, adding that a key defense for the industry is at risk.
PYMNTS pointed out that at the core of FI and fintech defenses is the Cybersecurity Information Sharing Act of 2015 (CISA), which is set to expire Sept. 30.
CISA was designed to break down barriers to cyber threat intelligence sharing between the private sector and government. It allows banks, fintechs, and other firms to monitor their networks and share “cyber threat indicators” without running afoul of privacy or antitrust laws, PYMNTS noted.
The Department of Homeland Security serves as the clearinghouse, instantly distributing scrubbed threat data across agencies and to private companies. The law also shields firms from liability for good-faith monitoring and disclosure, creating the legal certainty needed for real-time cooperation, PYTMNTS said.
“These features give banks confidence to collaborate against common adversaries. Sector-specific Information Sharing and Analysis Centers (ISACs) collaborate with CISA to relay critical alerts to member banks, card networks and payments processors, knitting together a security fabric that stretches across the financial ecosystem,” PYMNTS said.
The law, PYMNTS pointed out, is relevant to financial services as FIs and fintechs face constant intrusion attempts from ransomware to account-takeover schemes.
“Financial institutions in the United States suffered a double-digit percentage increase in reported data breaches in the first half of 2025 compared to the first half of 2024. Such incidents underscore the need for seamless, liability-protected intelligence sharing,” PYMNTS said, adding that the banking sector’s dependency on this framework has only grown as digital payments, instant settlement and open banking APIs expand the attack surface.
If Congress fails to reauthorize CISA, banks and credit unions could lose key liability and antitrust protections for sharing cyber threat data, leaving them exposed to lawsuits and regulatory conflicts. An uneven patchwork of state laws could emerge, burdening national and cross-border institutions. Lawmakers have yet to outline a clear path forward, PYMNTS said.