TL;DR: The lapse of CISA 2015 weakened real-time threat intelligence sharing, cut shared indicators by about 70%, and coincided with a 12% rise in healthcare ransomware activity, according to SecurityScorecard’s webinar discussion. Speed, legal protection, and automated coordination now matter as much as detection itself.
NHIMG editorial — based on content published by SecurityScorecard: CISA expiration, threat sharing, and AI-driven cyber risk
By the numbers:
- Cyber threat indicators shared across sectors dropped by approximately 70%.
- Healthcare saw a 12% increase in ransomware activity starting in October 2025.
Questions worth separating out
Q: How should organisations handle threat intelligence sharing when legal protections change?
A: They should predefine what can be shared, who approves it, and how quickly it moves.
Q: Why does AI make coordinated cyber defense harder?
A: AI compresses the attacker timeline by automating reconnaissance, phishing, and repeated probing.
Q: What breaks when organisations rely on stolen credentials as trusted identity signals?
A: A single reused credential or token can unlock mail, finance, or third-party systems without triggering obvious alarms.
Practitioner guidance
- Map intelligence-sharing decision rights Document who can approve rapid disclosure of indicators, credential abuse, and fraud signals when legal uncertainty rises.
- Automate cross-sector indicator handling Route high-confidence phishing, token abuse, and C2 indicators into pre-approved workflows so they can be shared and blocked without waiting for manual case closure.
- Correlate credential abuse with identity telemetry Join authentication events, token usage, and downstream privilege changes so stolen credentials are detected as identity abuse rather than isolated login anomalies.
What's in the full article
SecurityScorecard's full article covers the operational detail this post intentionally leaves for the source:
- The webinar discussion on how legal liability changes the speed and quality of threat sharing across sectors.
- The examples of phishing, BEC, and ransomware coordination that show why identity signals need faster handling.
- The policy recommendations for modernising real-time sharing, including automated analytics and cross-border collaboration.
- The live discussion format with Mike Centrella and Dr. Aleksandr Yampolskiy, which adds context the summary cannot reproduce.
👉 Read SecurityScorecard's discussion on CISA expiration and cyber threat sharing →
CISA threat-sharing lapse: what it means for security teams?
Explore further
Threat-sharing lapse is a governance failure, not just a policy lapse: when legal protection disappears, organisations stop sharing at the speed the threat landscape requires. That creates a visibility gap across sectors, especially where indicators need to move before they are reused. The practitioner conclusion is that intelligence-sharing design must include liability, escalation, and disclosure workflows, not only feeds and tools.
A question worth separating out:
Q: Who is accountable when threat sharing slows during a national cyber event?
A: Accountability sits with the organisations that own disclosure decisions, operational coordination, and legal sign-off. If those responsibilities are unclear, sharing stalls even when the threat is obvious. Mature programmes assign ownership before an incident and rehearse escalation paths with internal and external partners.
👉 Read our full editorial: CISA expiration exposes threat-sharing gaps in cyber defense