USA – NEW YORK Trends and Developments Contributed by: Evan Roberts and Meredith Griffanti, FTI Consulting, Inc.
sorts after a tabletop versus during a live crisis.

• The board is “inform-only” until it is not. Cybersecurity tabletop exercises can be a great way for a board member or members to observe their management team in action in a controlled environment. Most organisations have boards that intend to take a passive role in incident response, content to receive regular reports on progress. But this is not a universal truth. In another recent exercise, one organisation learned that while it thought of its board as an “inform-only” stakeholder, the board actually thought of itself as both “reviewer” and “approver”, in fact line-editing an 8-K before it was filed with a fictional Securities and Exchange Commission (SEC). Learning this in advance of an incident, as a result of a tabletop, makes for a much smoother and faster approval process during a live incident. If this comes up in an exercise, there is time to step away and design a flow chart for board engagement. If it happens during a live crisis, there is a risk of slowing down a key regulatory filing or, even worse, creating misalignment between the board and the executive team, which can be a recipe for disaster.

• Fundamental communications challenges can be solvable action items – rather than litigated when the clock is ticking. Nailing the communications approach to a cyber crisis can often be the most difficult element of incident response, and it is not the sole responsibility of the communications team or external crisis communications experts. Certain communications decisions can have real implications for the business writ large. For example, if a company experiences a very public ransomware attack, should it say “ransomware”, “cybersecurity incident” or “technical disruption” in its internal or external communications? One organisation recently spent 45 minutes of a 90-minute tabletop exercise debating that very question. By aligning on details such as this before the onset of a cyber crisis, the business will fare much better than if it tries to answer the same question while the clock is ticking. Many similar issues – and communications decision points – may come up through a well-designed exercise.

• Invest now – save later. The lively discussion that accompanies a cyber tabletop exercise can often surface opportunities for investment – in time, money or both – that may never come up when designing incident response or cyber crisis communications plans. For example, a recent tabletop exercise uncovered the fact that it was the CEO’s first time considering their company’s cyber insurance tower, and whether investment in further coverage might be a worthwhile business expense. Another example and learning: after an exercise that required heavy B2B customer communications and engagement, a Chief Information Security Officer concluded that it would behoove them to build and invest in warm relationships with their counterpart CISOs at customer organisations, so that the first time they met was not during a live incident. These are just a few of the hidden gems that might surface during a tabletop exercise – issues or opportunities that were not sought out or expected but can add meaningfully to an organisation’s cyber resilience. And these are in addition to the fundamental building blocks and education that come out of a well-run exercise.

Conducting regular tabletop exercises is something that every organisation can benefit from – but not all exercises are created equal. By fol-