Tom Ricketts, Cyber Practice Leader of the Professional Services Practice at Aon, discusses how indispensable tabletop simulations are in allowing professional service firms to better prepare and respond to cyber-attacks.

Setting the Table

Tabletop simulations are strongly recommended by insurers and are a consideration in underwriting. A cyber incident is an enterprise event that can impair the firm’s ability to service clients in multiple ways and potentially impact clients directly. It is essential that the firm’s leadership team understands and prepares for these events and be ready to implement the actions required to respond.

Difficult decisions will need to be made quickly and under pressure – for instance, should a ransom be paid? Who can authorize and make such a payment in an emergency?

In the words of Mike Tyson, “Everyone has a plan until they get punched in the mouth.” A cyber-attack is a metaphorical punch in the mouth. Written plans should be stress tested, via tabletop simulations, to ensure that roles, responsibilities and authority are clear and to give leaders experience with role-played scenarios to prepare them to better deal with the unexpected.

The IBM-Ponemon “Cost of a data breach 2023” found that not only was incident response planning and testing a top 3 cost mitigator, but also that organizations with high levels of these countermeasures saved $1.49 million in data breach costs compared to organizations with low levels or none, and they resolved incidents 54 days faster.

What’s on the Menu?

Tabletop exercises can be structured to fit different purposes and can take many forms. They can be on-site or remote, be brief or intensive, can involve different constituencies within the firm as well as external vendors.

But whatever the purpose or form, the most important issue is planning. A cheap and quick tabletop that is well-planned will have more value than an expensive one that is just “delivered” with no planning.

For a professional service firm to get the most value, the tabletop and the expectations behind it should be planned in detail, with leaders spending time with the vendor or staff member, understanding and agreeing on what is needed, expectations and objectives, required pre-work, and what product, deliverables, and post-exercise reports (if any) are expected.

Each of these would be a very different exercise and depending on the maturity and level of preparedness within the firm there may be value in holding several tabletops as part of an overall development process, using different vendors, and engaging different constituencies within the firm.

Involving the firm’s selected, insurer-approved service providers helps the firm understand their role and their expected actions and what assistance and cooperation they will need from the firm.

Prix-Fixe or à la Carte

Our feedback and experience indicate that, broadly speaking, you get what you pay for with tabletop exercises.

However, the most important point is that paying for an exercise that is not responsive to your firm’s cyber-maturity, organizational structure and specific objectives will have a very low return on investment and could be counter-productive, especially if participants feel their time was wasted.

Pricing will vary depending on duration and the number of facilitators and vendors involved. Other factors include the amount of preparation and post-work that the facilitator will be required to do, as well as whether it is conducted as a remote or on-site exercise. So, before purchasing a “fixed-price, set-piece” tabletop it is important to understand what is being offered to ensure it meets the firm’s objectives.

A “canned” exercise that is delivered remotely with no tailoring to the firm’s needs will be much less expensive than a custom-built exercise delivered on-site over several days, but the value realized will depend on whether the exercise meets the firm’s needs and expectations.

Ways to Save

There are many vendors who can facilitate a tabletop and, as with any investment, the economics are important. It is worth considering options that might offer savings when sourcing a facilitator for a simulation:

• Many cyber insurers and their panels of approved vendors offer tabletops and may offer discounts because of the insurer relationship.
• Security services vendors are often able to provide tabletops and again, may provide discounts to firms with existing relationships. The vendor’s familiarity with the firm’s network, security and team may also be helpful (although rotating vendors periodically to keep the exercises fresh and different is also important).
• Many independent vendors offer tabletops – consulting firms, law firms with data privacy and breach counsel practices, technology vendors (particularly those in security), cybersecurity firms, et.al. These firms may offer different pricing structures depending on the delivery structure and format of the exercise.

Conclusion

Tabletop simulations can make an enormous difference to the firm’s cyber-resilience. They can materially mitigate the impact and ultimate cost of a cyber-attack.

• Insurers recommend holding tabletop simulations regularly.
• Varying the scenarios helps test different aspects of the response and ensures that teams learn to be flexible. Including extortion in scenarios is important, as this is the most common outcome of attacks.
• Careful planning and collaboration with the facilitator will add a lot of value to the exercise.
• Leveraging relationships with vendors can help save money.
• Rotating vendors periodically is recommended.

Field Marshal Helmuth von Moltke observed, in the heat of battle the plan rarely survives the first encounter; but being prepared and having run through many scenarios, the participants learn the flexibility and develop the “muscle memory” that helps them to respond effectively.

Read more articles by Tom Ricketts here.