Weaknesses in Your Cyberattack Resilience Plans? It Might Be Time for a Tabletop Exercise

With cyberattacks on the rise, many companies are conducting breach response drills to assess how quickly they can recover.
By: Courtney DuChene | March 1, 2023

It’s the first day of a new week. You’re an executive at a private equity firm and you’re putzing around the office kitchen, making a cup of coffee, when your phone starts blowing up.  

You’re getting emails from remote employees saying they can’t access the network. Down the hall, you overhear people panicking because they can’t access files on their workstations. You sit down to log in to your own computer, and there’s a pop-up saying you’ve been hacked.

The infection notice contains a ransom note with a deadline. The attacker will give you a decryption key to regain access to the network if you pay a $2 million ransom within 24 hours. If not, they’ll delete the files — or worse, they’ll leak sensitive data.   

Mondays, am I right?  

What do you do? Should you reply to the threat actor, collect Bitcoin and try to negotiate the ransomware payment? Or should you turn your attention to your network, isolating the affected systems from the rest of the company’s IT infrastructure and assessing the status of any backups?  

Does your company have a physical copy of its cyberattack response plan, or were all the copies saved digitally on the computers that are now under siege? Maybe you need to engage the services of a breach attorney or your cyber insurance carrier.   

This scenario and many of these questions are based on a mock-attack exercise cyber insurer Resilience conducts with its clients. It’s meant to probe them to consider how they would respond in the event of an attack.       

“It’s a scary thing,” said Travis Wong, VP, risk engineering and security services at Resilience.  

“It’s important not only to know what you need to enact your incident response plan but to have information within your incident response plan that outlines scenarios and the steps you need to take or undertake in order to ensure you’re properly assessing the situation and starting the process to recover.” 

Increasingly, companies are conducting full-scale cyberattack response drills, known as tabletop exercises. These tests are meant as a rehearsal of sorts to help companies assess how prepared they are for a cyberattack.    

“Mike Tyson once famously said, ‘Everyone has a plan until they get punched in the mouth,’ ” said Brook Dutcher, vice president of cyber strategic initiatives and FrameWRX for Allied World’s U.S. cyber business. “The cyber tabletop exercise is sort of synonymous with that.” 

With cyber insurance prices continuing to rise — rates increased 48% in the third quarter of 2022, Marsh’s Global Insurance Markets Index found — insureds may view these drills as a way to prove to carriers they’re ready for an attack and any losses would be minimal should a claim occur. Others may turn to these rehearsals to ensure that any business interruption would be minimal in the wake of a breach.  

What Happens in a Tabletop Drill? 

Like fire drills or any other type of emergency response training, tabletop drills are meant to simulate real events. During the exercise, businesses will pretend a particular cyberattack has occurred, and they’ll have to respond accordingly. That way, they’ll be able to see any hiccups in the plan before a real attack.  

“Tabletop exercises are used to help companies identify opportunities to improve their strategy and plan to respond to cyber incidents,” said Derrick H. Lewis, global head of cyber advisory services with Liberty Mutual.  

“It’s really important to not only write down what you plan to do, should an incident occur, but actively test it,” Wong added.  

The drills come in multiple options. Some might test common attacks, like ransomware, phishing or data leaks. The exercises are customizable to different industries, so businesses will have an accurate sense of how they may be affected.  

“They have several hundred customizable scenarios that they’re able to apply to specific industries,” Dutcher said.

“It could be a scenario that’s as serious as a ransomware attack or it could be something on the lower end of things in terms of severity,” added Andrew Lipton, vice president, head of cyber claims at AmTrust. 

The drill may also offer an opportunity to see how vendors would perform in the event of an attack. If a company has a relationship with a particular breach attorney, data recovery specialist or insurance carrier, for instance, they can bring them into the drill to see what guidance they might offer. “If you’ve identified vendors, bring them to that exercise as well,” said John Coletti, head of global cyber, Swiss Re. 

“These exercises are collaborative learning opportunities used to help measure how an organization can respond to incidents and to make sure stakeholders within the organization follow the plan and protocols,” Lewis added. 

“That could be how to respond to ransomware attacks, how to respond to insider threats, or other types of attacks. It could also include how to engage with key external stakeholders, like the public sector. In that case, it could be working with law enforcement. It could be the need to engage with customers or it can be the need to engage with internal stakeholders and how to respond in the event of an incident.” 

If a business wants to conduct a tabletop drill, they’ll often work with a cyber risk management consultant, a breach attorney or their insurer. Having an expert involved helps ensure the scenario is realistic and it enables companies to get expert feedback on their response skills.   

“You want someone there to help run the tabletop exercise, who’s well versed in what the recent and emerging risks are,” Lipton said.  

What Are the Advantages? 

Because participants are asked to treat the drill as if an actual breach were occurring, tabletop exercises can expose any weaknesses in a company’s breach response. “If you’re doing a true tabletop exercise, the simulation is being treated as real,” Lipton said. “Decisions are made as to what steps to take to respond to the incident, who has control over what, and what to do next.”   

Often, tabletop drills expose breaks in the chain of command during incident response. Participants may assume someone else in the company will manage tasks like contacting a cyber insurer or obtaining breach counsel.

“The first thing that always comes up is who’s in charge here?” Lipton said.   

Miscommunication between different parts of the business is another area where companies sometimes struggle during the drills. “There are inevitably communication gaps among the different business units or operational units,” Wong said.  

In addition to these communication challenges, tabletop drills tend to expose how heavily companies rely on digital storage without proper backups. Wong said one thing Resilience tries to reinforce with clients is keeping a physical copy of the breach response plan, so that it doesn’t get locked up when a hacker seizes files.

“Make sure you have physical copies of your response plan for all those key parties who will need to be taking action,” Wong said.  

Another advantage of the drills: Companies that have conducted these exercises tend to recover faster after a breach occurs. 

“The organizations that have this plan in place and have conducted tabletop exercises are the ones that have less of a negative impact to their business,” Coletti said. “Their operations are impacted for a shorter period of time. They’re up and running much quicker.” 

For some companies, doing a tabletop exercise with the guidance of a breach attorney or risk management consultant might help them understand the need to make a formal cyberattack response plan. A 2018 survey by IBM found that 77% of businesses don’t have a formal plan for responding to an attack. While that number is likely improving, Dutcher said that it’s still too low.

“A large portion of businesses still don’t actually have a formalized plan,” he said. “There are many far reaching aspects of those infrastructures that are difficult to monitor.” 

A Hard Market

While building resilience and limiting business interruption in the wake of a cyberattack is critical, in today’s hard market many insureds may be wondering whether conducting tabletop drills can help limit rate increases.    

“Those that haven’t conducted these exercises to mature their playbook or plan will be less prepared in the event of an incident,” Lewis said. “When we execute our cyber underwriting process, and we hear that tabletop exercises do occur, it certainly helps us have more confidence that the company has the ability to respond to a cyber incident.” 

The exercises are becoming such a crucial part of planning for cyberattacks that cyber insurers are starting to include tabletop drills as part of their risk management services. Dutcher cited Allied World’s FrameWRX platform as an example.

Experts recommended that companies conduct tabletop drills at least annually, and preferably once per quarter for larger companies. That’s because cyber exposures and company structures are constantly shifting, meaning action plans constantly need to be updated.

“Operations change quickly, especially if you’re doing any kind of M&A activity,” Wong said.   

Smaller companies might balk at that level of frequency: “If I went to small businesses, and I said you should run tabletops once a quarter, the first thing they would say is ‘what’s the tabletop and how are we supposed to do that?’ ” Lipton said. Still, with cyber threats increasing for small businesses, it’s important to work with an insurer or a breach attorney to create an action plan.

“If you’re not looking for threats, if you’re not looking for that knowledge, you will probably fall behind in your endeavor to protect your organization,” Wong said.

Courtney DuChene is a freelance journalist based in Philadelphia. She can be reached at [email protected].