Are You Ready for a Cyber Incident? Lessons from Recent Tabletop Tests

Hello everyone! 

Welcome to the first edition of this blog! My goal is simple: to share insights and lessons I’ve gathered from discussions with professionals like you. After spending years in IT risk management, I’m frequently asked about emerging trends, effective tools, and how others are tackling common challenges. This blog will attempt to address those questions and, where possible, provide real-world examples and templates. 

If there’s a topic you’d like to see covered, let me know—chances are, others are wondering the same thing.

Now, off to our first topic: incident response tabletop testing. 

I recently had the chance to participate in multiple cyber incident responses tests and wanted to provide several of the consistent takeaways from the Bankers present.

Incident Response Tabletop Takeaways:

• In the event of an incident, be ready to call your cyber insurance provider and legal counsel quickly.  The consensus among those that have experienced breaches is to get your cyber insurance provider involved quickly as they have experience dealing with these situations.

• Clearly define roles and responsibilities. Know what each party is expected to do during an incident. Consider:

  • What services your cyber insurance provider offers, such as breach coaching and pre-approved vendors.

  • The availability and response commitments of your managed service provider for immediate assistance.

• Maintain accessible contact information for all critical parties, including cyber insurance providers, legal counsel, regulators, law enforcement, and internal personnel.  You don’t want to be digging through emails looking for contact information in the event of an incident. 

• Implement effective monitoring to detect incidents early. Ensure notifications for events such as user accounts being added to the network and changes to antivirus settings. Consider indicators of compromise and verify that monitoring is in place where possible. If outsourcing, have detailed discussions with your provider about what they are monitoring and what they are not monitoring.    

• Develop a robust communication plan for both internal and external stakeholders:

  • Internal communications: Plans often address Boards and executive management, but it’s equally important to strategize how all employees will be informed. Anticipate leaks and take a proactive rather than reactive approach.

  • External communications: Prepare for customer inquiries in the event of a breach. Define how inbound calls will be routed and ensure clear, consistent messaging.

• Conduct internal tabletop exercises focused on ransomware. Evaluate potential ransom payment scenarios and ensure decision-making frameworks are in place.  I participated in one ransomware test with multiple FI’s and there was a wide variety of thoughts as to when a ransom should or should not be paid.  It’s best to think through these situations in advance. 

• Test backup and recovery plans regularly.  Ensure that full backup recovery tests occur and that backups are isolated from production systems to prevent ransomware encryption.

• Implement proper logging for incidents. Retain logs, endpoint data, and system snapshots to facilitate forensic investigations. Ensure retention policies comply with regulatory requirements in consultation with legal counsel.  Also, remember that in the event of an incident, forensic firms may do a great job of telling you what happened; however, it typically takes time for this to happen.  So don’t count on them to provide information fast.

I hope this helps and please let us know if Hark Advisors can assist you.

Jim