For centuries, military leaders prepared for battle long before the first shot was fired. They gathered around maps and tables, debated scenarios, challenged assumptions and pressure-tested decisions under hypothetical conditions. These tabletop war exercises were designed to prevent confusion, hesitation and catastrophic mistakes when real conflict arrived.

Business leaders face a different battlefield today, but the principle is similar.

Today’s adversaries are cybercriminals, ransomware syndicates and nation-state actors. The terrain is digital. For wealth management and financial services firms in particular—custodians of highly sensitive information—the cost of being unprepared is not theoretical. It shows up as regulatory scrutiny, reputational damage, client attrition and leadership credibility under fire.

In an era when the average U.S. data breach now costs $10.22 million and cybercrime is projected to drain more than $10.5 trillion globally—making it the third-largest economy in the world if it were a country—failing to rehearse your response is no longer a gap in IT planning. It is a failure of governance.

Yet many organizations still approach cybersecurity as a technology investment rather than a leadership discipline.

They buy tools. They deploy monitoring. They outsource detection. What they fail to do is practice how executives, legal counsel, compliance officers, IT leaders and client-facing teams will actually work together when a cyber incident forces real-time decisions under pressure.

That is the gap that cybersecurity tabletop exercises are meant to close.

Treat tabletop exercises as a leadership responsibility.

A cybersecurity tabletop exercise is a structured, discussion-based simulation in which key stakeholders walk through a realistic cyber incident—ransomware, data breach or third-party compromise—and make decisions as events unfold.

For leaders, the value is not technical. It is organizational.

Tabletop exercises reveal whether your leadership team:

• Knows who has decision authority under pressure

• Understands regulatory and disclosure obligations

• Can communicate clearly across legal, compliance, IT and client teams

• Has aligned expectations before emotions and uncertainty take over

If executives are not in the room, the exercise will likely fail. Incident response breaks down at the leadership level, not the firewall level.

Advice: Require executive participation. If the CEO, COO or managing partners are not involved, the exercise becomes theoretical and loses its value.

Use tabletop exercises to expose assumptions.

One of the most important outcomes of a tabletop exercise is not confirmation—it is discomfort.

When running simulations, look for issues such as incident response plans that appear complete but are outdated or unworkable; escalation paths that assume availability or authority that do not exist; gaps between regulatory expectations and operational reality; and conflicting priorities among legal risk, client communication and speed of response.

Without rehearsal, organizations rely on assumptions. During an actual incident, assumptions become delays—and delays increase cost, damage and scrutiny.

Advice: Design exercises to challenge confidence, not validate it. Choose scenarios that stress your weakest areas, not your best-prepared ones.

Validate your incident response plan in practice.

Most financial services firms maintain an incident response plan to satisfy regulatory requirements from bodies such as FINRA and the SEC, or under frameworks such as the EU's DORA. But documentation alone does not equal readiness.

Tabletop exercises help answer the only question that matters: Does the plan actually work when people must use it?

Leaders need to confront practical realities:

• Are response steps clear and executable?

• Do teams know when to escalate and to whom?

• Can decisions be made quickly without confusion or overlap?

• Does the plan support coordinated action across functions?

Advice: After every tabletop exercise, update the incident response plan immediately. Assign ownership. Track remediation actions. Treat gaps as operational risks, not learning opportunities.

Use exercises to coordinate legal, compliance and client communication.

Cyber incidents do not unfold inside IT alone. They trigger legal exposure, regulatory reporting, insurance coordination and client communication—often simultaneously.

Leaders should use tabletop exercises to test how and when clients will be notified, who approves external messaging, how regulators are engaged and how third parties such as insurers and forensic firms are brought in.

These decisions cannot be improvised during a live incident.

Advice: Require legal, compliance and communications leaders to actively participate and speak during the exercise. Silence in rehearsal becomes confusion in reality.

Build muscle memory, not just awareness.

In a real cyber crisis, the pressure is intense, and decisions must be made quickly. Teams that have never practiced together often hesitate, duplicate effort or work at cross purposes.

Leaders can use tabletop exercises to build muscle memory: the ability to move from uncertainty to coordinated action without waiting for perfect information.

Advice: Run tabletop exercises at least annually, and more often after major system changes, acquisitions or regulatory shifts.

Strengthen compliance posture and client confidence.

Regulators increasingly expect firms to demonstrate not only that they have cybersecurity plans, but that those plans are exercised and improved. Tabletop exercises provide tangible evidence of operational maturity.

Preparing also equips leaders with confidence when speaking to clients. Firms that can articulate how they prepare for cyber incidents signal discipline, foresight and professionalism.

Advice: Document exercises, outcomes and improvements. Treat them as board-level risk management artifacts.

What should leaders do next?

To implement effective cybersecurity tabletop exercises:

1. Involve cross-functional leadership, not just IT.

2. Use realistic scenarios aligned to your threat profile.

3. Challenge your assumptions.

4. Capture lessons learned and assign accountability.

5. Integrate results into governance, not just security operations.

The Cybersecurity and Infrastructure Security Agency (CISA) provides tabletop exercise tips and frameworks, but I've found that leadership commitment determines effectiveness.

Preparedness is a competitive advantage.

For wealth management and financial services firms, cybersecurity tabletop exercises are not a defensive exercise. They are a differentiator. In my experience, firms that rehearse their response move faster, recover sooner and communicate more credibly.

You would never enter a battlefield without a plan—or a rehearsal.

Facing a cyberattack without one is not just risky. It is a leadership failure.
