
CISA's Ransomware Early Warning Program Lost Its Architect: What Your Business Should Do Now

David Stern resigned from CISA's Pre-Ransomware Notification Initiative. With a 40% vacancy rate at the agency, companies can no longer rely on government early warnings. Here's how to protect yourself.

By Meetesh Patel

The person who built the government's most effective ransomware defense program quit last month. David Stern, the driving force behind CISA's Pre-Ransomware Notification Initiative, resigned December 19 rather than accept a forced reassignment to FEMA in Boston. Since late 2022, his program has sent over 4,300 warnings to organizations about to be encrypted, saving an estimated $9 billion in potential damage. Hospitals. Utilities. Schools. Water treatment plants. All got a heads-up, often within hours, that ransomware actors had breached their networks.

That program now faces a leadership transition at a critical moment. And if your incident response plan assumed the federal government would help you detect attacks early, it's time to revisit that assumption.

What Happened

CISA's Pre-Ransomware Notification Initiative has been the quiet success story of federal cybersecurity since 2023. The program works because ransomware attacks don't happen instantly. Attackers often spend hours or days inside a network before encrypting data, a window that CISA used to warn potential victims.

The intelligence came from an unusual coalition: cybersecurity researchers, threat intelligence firms, and infrastructure providers who shared tips with CISA's Joint Cyber Defense Collaborative. When CISA received credible intelligence that an organization was about to be hit, it moved fast, sometimes notifying victims within the same hour the tip came in.

The numbers tell the story. CISA sent 1,200 warnings in 2023. That jumped to more than 2,100 in 2024. Recipients included over 60 foreign governments and hundreds of high-risk organizations: K-12 school districts, hospitals, state agencies, and utilities. In 2023 alone, early alerts prevented ransomware encryption in at least 154 healthcare organizations.

But here's the catch: the program depended heavily on Stern's trusted relationships with the companies and researchers who provided the intelligence. As one person familiar with the program told Cybersecurity Dive, "Dave has relationships that won't be portable to someone new."

CISA says it's preparing several staffers to take over. But partners are already reassessing their engagement. The trust that made the program work took years to build. It won't transfer overnight.

The Broader Context: CISA Under Strain

Stern's departure didn't happen in isolation. It's the latest in a systematic erosion of CISA's capabilities that should concern anyone responsible for enterprise technology and cybersecurity.

By June 2025, roughly 1,000 people had left CISA, cutting the agency's workforce by nearly a third. The Cybersecurity Division, CISA's largest, lost close to 200 people. An internal memo acknowledged the agency faces a "40% vacancy rate across key mission areas".

The October 2025 federal shutdown made things worse. Only about one-third of CISA employees remained on the job while the government was closed. The Trump administration's proposed FY2026 budget would further reduce CISA's workforce from 3,292 to 2,324.

Mark Montgomery of the Foundation for Defense of Democracies wasn't subtle about the stakes: the cuts "are actually harming national security on a daily basis."

Why This Matters to You

Here's the operational reality: half of all ransomware attacks in 2025 targeted critical infrastructure. KELA's research documented 4,701 incidents globally between January and September 2025, a 34% increase from 2024. Manufacturing attacks surged 61%. Healthcare saw 477 entities affected, with average downtime costs of $1.9 million per day.

The attackers aren't waiting for CISA to rebuild. Fifty-seven new ransomware groups emerged in 2025. Medusa, Black Basta, and others have encrypted data from at least 12 of 16 critical infrastructure sectors.

If you were counting on CISA to give you advance notice, that safety net now has significant holes.

The Legal Exposure

The CISA program's diminished capacity creates three distinct legal risks that boards and executives need to understand.

SEC Disclosure Timing: Public companies must file an 8-K within four business days of determining that a cybersecurity incident is material. Note: that's four days after the materiality determination, not four days after discovery. Under securities law, information is "material" if a reasonable investor would consider it important when making an investment decision. The SEC has made clear this includes not just financial impact, but reputational harm, customer relationships, and litigation risk. Paying a ransom or having insurance coverage doesn't by itself make an incident immaterial. If you were relying on CISA warnings to give you extra time to assess an attack before it became material, that buffer is gone.

Cyber Insurance Requirements: Insurers are tightening requirements significantly for 2026. MFA deployment, endpoint detection and response, and tested immutable backups are now table stakes for coverage. More concerning: approximately 30% of data breach claims are either not paid or only partially paid due to policy exclusions. If your incident response plan references government early warning programs, your insurer may ask hard questions about how you'll detect attacks now.

Board Oversight: Directors face increasing pressure to demonstrate adequate cybersecurity oversight. Your next board meeting should include a straightforward question: if CISA can't warn us about incoming attacks anymore, what's our detection strategy? If the answer involves hoping someone else catches it first, that's a governance gap.

What Your Incident Response Plan Now Needs

The good news: the PRNI's success proved that early detection works. The bad news: you can't outsource it anymore. Here's what that means operationally.

Build your own threat intelligence. The organizations that fed intelligence to CISA? They didn't go anywhere. Threat intelligence providers like Recorded Future, Mandiant, CrowdStrike, and others offer early warning services. The information CISA aggregated for free now needs to come through commercial channels or industry-specific ISACs.

Assume faster attack timelines. CISA's program worked because attackers typically dwell in networks for hours or days before encryption. But that window is shrinking. AI is accelerating attack sophistication. Your detection and response capabilities need to match. If your mean time to detect is measured in weeks, you've already lost.

Test your backups. Actually test them. Immutable, encrypted, offline backups with documented testing aren't optional anymore. They're insurance policy requirements. Many cyber insurance claims get denied because organizations couldn't prove their backups worked before the incident.

Practical Takeaways

Building a sound cybersecurity compliance program now requires taking ownership of functions that government once provided. Here's where to start:

Audit your incident response plan this week for any dependencies on government early warning programs and identify replacement capabilities.

Establish relationships with at least two commercial threat intelligence providers before you need them in a crisis.

Join your sector's ISAC (Information Sharing and Analysis Center); these groups share threat intelligence that CISA used to aggregate.

Conduct a tabletop exercise in Q1 2026 that simulates a ransomware attack without prior warning.

Review your cyber insurance policy for exclusions related to detection capabilities and update your security controls to match requirements.

Brief your board on CISA's reduced capabilities and document your organization's independent detection strategy.

Test backup restoration procedures and document the results before your next insurance renewal.

Pre-negotiate relationships with digital forensics firms and outside counsel; don't wait until you're encrypted.

What We're Watching

CISA PRNI staffing: The agency says it's preparing replacements for Stern. We'll monitor whether the program maintains its notification volume and speed.

Threat intelligence partner engagement: Early signs suggest some researchers are reconsidering how much they share with a diminished CISA. If information flow drops, warning quality will follow.

FY2026 budget finalization: Further cuts could gut remaining capabilities. The House has proposed $135 million in cuts, less than the White House's $495 million proposal, but still substantial.

Insurance renewal season: Watch for denied claims in Q1-Q2 2026 as insurers tighten enforcement of security control requirements.

SEC CETU priorities: The SEC's new Cyber and Emerging Technologies Unit remains focused on cybersecurity disclosure fraud. Expect continued scrutiny of materiality determinations.

The federal government's most effective ransomware defense just lost its architect. CISA insists the program continues, but the relationships that made it work don't transfer by memo. The organizations that stayed ahead of ransomware in 2024 did so because someone gave them a few hours' warning. In 2026, that someone needs to be you.

Disclaimer: This article is provided for informational purposes only and does not constitute legal advice. The information contained herein should not be relied upon as legal advice and readers are encouraged to seek the advice of legal counsel. The views expressed in this article are solely those of the author and do not necessarily reflect the views of Consilium Law LLC.