Tabletop exercises testing an organization’s cybersecurity plan can help reveal weaknesses. And they’re also prized by state authorities investigating breaches. Cozen O’Connor attorneys Meghan Stoppel and Hannah Cornett talk about the importance of interactive simulations and share best practices that could help firms avoid harsh penalties.
In the context of data breaches, time is money, and the mantra “practice makes perfect” holds particular relevance. Tabletop exercises, interactive simulations of cyber threat scenarios, are a valuable tool in a company’s cybersecurity arsenal, offering the potential to save millions.
According to IBM’s 2022 Cost of a Data Breach Report, organizations regularly practicing their incident response plan can decrease data breach costs by an average of $2.66 million — a significant savings given the average U.S. data breach costs $9.44 million.
We’ll explore the importance of tabletop exercises in preparing for a cybersecurity incident response, including their benefits, best practices, recommended frequency and role as a proactive safeguard against potential regulatory scrutiny, including from state attorneys general.
State attorneys general value tabletop exercises
State attorneys general, entrusted with protecting consumers, play an essential role in investigating companies implicated in data breaches that result in the exposure of consumers’ personal information. They often look to identify and address consumer harm arising from a breach, while seeking to mitigate risks that could cause consumer harm in the future.
Consequently, state AGs regularly ask about the existence and strength of a company’s incident response plan (IRP), recognizing how an effective plan can empower companies to anticipate, prepare for and respond more effectively to cybersecurity incidents. AGs also appreciate, however, that the effectiveness of any IRP should never be tested for the first time in a real-world scenario. Rather, companies must test their response plans through a regular regimen of tabletop exercises, especially as organizations grow and evolve in their data collection practices.
From an AG’s perspective, these proactive efforts are essential to ensuring affected consumers are notified in a timely manner, thereby reducing consumer harm. And in light of the SEC’s new cybersecurity reporting rules affecting public companies, they could even help companies stay in the good graces of federal authorities.
Exercises improve planning and sharpen skills
In addition to improving an organization’s ability to provide timely consumer notifications, tabletop exercises can offer organizations several benefits, including:
- Improved response planning: These exercises help organizations identify weaknesses in their response plan and develop strategies for improvement. This could include, for example, identifying vendors or subject-matter experts that may need to be engaged in the event of an incident.
- Enhanced employee training: By allowing employees to practice their roles and responsibilities during a cyber breach incident, tabletop exercises provide hands-on experience that sharpens their skills and familiarizes them with necessary protocols. This reduces the likelihood of errors and enhances overall response capabilities.
- Minimized business disruption: By preparing in advance, organizations can minimize the impact of a cybersecurity incident, reducing downtime and lost revenue.
- Better communication: Tabletop exercises help identify gaps in communication and collaboration between departments, helping to improve response coordination.
Best practices for tabletop exercises
Tabletop exercises for cybersecurity incident response planning should include several best practices, such as:
- Cross-functional participation: Data breaches affect the entire organization, and everyone should know their role in the response. Organizations should therefore ensure participation from all relevant departments, not just the IT team. This could include legal, public relations, human resources,and c-suite executives, among others.
- Defined objectives: Organizations should establish clear goals for each exercise. These could range from testing communication channels, measuring response times or evaluating the effectiveness of specific response protocols, to gauging overall organizational readiness.
- Realistic environment: Simulating a real-life attack scenario that is relevant to a business’s industry can help participants understand the gravity of the situation and respond more realistically. This may include engaging third parties outside of the organization to participate in the simulation.
- Structured but flexible exercise: While it is important to have a structured plan for the exercise, organizations should be prepared for (and even embrace) the unexpected. Part of the value of these exercises is to see how the team adapts to changes and unplanned developments.
- Reflect and refine: Organizations should conduct a thorough review at the conclusion of each exercise, assessing the successes and shortcomings, and make plans to address any identified security gaps.
(More best practices can be found here.)
Rinse and repeat
Organizations should not view tabletop exercises as a one-time event: Regularly scheduled exercises ensure an organization’s response team stays sharp and the response plan stays relevant in an evolving threat landscape. The frequency of tabletop exercises depends on several factors, including the organization’s risk profile, regulatory requirements and the evolving cyber threat landscape. However, per NIST guidance, most organizations should conduct tabletop exercises at least annually, and after any major changes to their incident response plan or infrastructure. (See NIST SP 800-84, ES-2.) For organizations with higher risk profiles, more frequent exercises may be beneficial — perhaps quarterly or even monthly.
AG settlements are increasingly demanding that regular exercises be conducted
State AG investigations can be complex, costly and expensive. This is especially true for multistate investigations that, more often than not, culminate in headline-grabbing settlements. While the severity of an AG settlement is typically tied to a variety of factors, including the organization’s data security protocols, response speed, notification procedures and the extent of the data breach, these settlements increasingly require organizations to conduct regular tabletop exercises.
For example, recent multistate settlements with Equifax and Experian both mandated regular tabletop exercises to assess the companies’ readiness and response to security events. The Equifax settlement included particularly prescriptive requirements, mandating that the company execute biannual exercises addressing a range of factors, from staffing levels to multi-language consumer communication.
Companies seeking to avoid a state AG investigation should establish a schedule for their tabletop exercises now, before a breach occurs. As discussed above, conducting these exercises has the potential to significantly improve a company’s response time and therefore reduce any potential harm caused to consumers by a data breach. In doing so, these exercises decrease the likelihood of, and any potential costs associated with, an AG inquiry.
In conclusion, the relentless rise of cyber threats requires every company take a proactive approach to both security and preparedness, and from a state AG’s perspective, tabletop exercises are vital to protecting consumers. They spotlight potential weak spots in a company’s incident response plan, encourage cross-departmental collaboration, hone employee skills and can significantly cut the financial fallout of a breach.
Just as fire drills are essential for safety, tabletop exercises are crucial for cyber resilience. Amid the high-risk landscape of data security, organizations should see these exercises not as mere compliance, but as key practices for survival and success in a world driven by digital connections.