Stakes are high for the banking and FinTech sectors as cyberattacks grow more frequent and costly.
These firms sit on oceans of sensitive data and operate interconnected networks that attract sophisticated hackers.
At the center of their defense strategy is the Cybersecurity Information Sharing Act of 2015 (CISA), a law that outlines how private companies share cyber threat information with federal agencies and each other. Now, as the statute approaches its Sept. 30 sunset, questions over its renewal are adding fresh uncertainty for financial services firms.
What CISA Does
CISA was enacted to break down barriers to sharing cyber threat intelligence across the public and private sectors. For financial services, it allows banks, FinTechs and other “non-Federal entities” to monitor their own networks and share “cyber threat indicators,” or technical data about malicious activity, with peers or the federal government without violating privacy, antitrust or other laws.
The Department of Homeland Security acts as the primary hub to distribute threat indicators instantly across agencies and to private firms, while requiring companies to scrub personal data not directly related to a cybersecurity threat before sharing.
The act also shields firms from lawsuits over good-faith monitoring or disclosure, creating the legal certainty that enables real-time cooperation.
These features give banks confidence to collaborate against common adversaries. Sector-specific Information Sharing and Analysis Centers (ISACs) collaborate with CISA to relay critical alerts to member banks, card networks and payments processors, knitting together a security fabric that stretches across the financial ecosystem.
Financial Services in the Crosshairs
The law matters to financial services because banks and FinTechs face constant intrusion attempts, from ransomware to account-takeover schemes. Financial institutions in the United States suffered a double-digit percentage increase in reported data breaches in the first half of 2025 compared to the first half of 2024. Such incidents underscore the need for seamless, liability-protected intelligence sharing.
The banking sector’s dependency on this framework has only grown as digital payments, instant settlement and open banking APIs expand the attack surface. FinTechs and traditional banks have integrated automated CISA-compliant sharing into their security operations centers, creating near-real-time exchanges of indicators that can identify a breach in one corner of the system and inoculate others within minutes.
Why Renewal Matters
If Congress fails to reauthorize CISA, key protections could conceivably vanish. Banks sharing threat data might lose the antitrust and liability safe harbors they now enjoy, exposing them to lawsuits or regulatory conflicts. State laws might fill the void unevenly, creating a patchwork of requirements that would be especially burdensome for national and cross-border financial institutions.
Lawmakers have yet to signal a clear path for reauthorization.
“Both the private sector and the government need certainty, including the ability to allocate resources for long-term cybersecurity planning and implementation,” said Matthew Eggers, vice president of cybersecurity policy at the U.S. Chamber of Commerce, according to a Friday (Sept. 19) report by The Wall Street Journal.
As the 2025 deadline approaches, the financial sector’s ability to respond to cyber threats could hinge on whether lawmakers act in time.
The post Why Cybersecurity Is at a Crossroads for Banks and FinTechs appeared first on PYMNTS.com.