A recent article in the American Lawyer highlights the growing relevance of lawyer-led “tabletop” exercises, where companies engage in half-day or full-day drills designed to test their response plans for various crisis scenarios.
Executives are increasingly utilizing these exercises to hone their emergency policies, procedures, and decision-making. Originally developed to help oil and gas companies prepare to respond to environmental disasters, tabletops are now commonly used for cyber breach trainings and, increasingly, other kinds of crisis-management preparations.
Some regulators are actively encouraging companies to conduct tabletops, including the U.S. Treasury. In recent years, Treasury has conducted cybersecurity tabletops with global financial firms and developed a robust “Hamilton series” of exercises with other federal and state regulators. Treasury has also created a tabletop exercise template for small and mid-size financial institutions that wish to conduct their own internal drills.
Companies that have conducted these exercises often find them very helpful for dealing effectively with the lightning pace of today’s corporate crises in the era of ubiquitous smartphones and social media, as well as with the shortened 72-hour cyber breach notification window required by the GDPR and other cybersecurity regulators. The FBI is also encouraging companies who are the victims of cyber attacks to contact the Bureau promptly.
In the American Lawyer article, we explain the crucial role that lawyers play in developing and utilizing these tabletop exercises: “Lawyers are naturally the right people to lead these exercises because they can spot issues that may get overlooked, like insider trading risks during an undisclosed cyber event, and mandatory breach notification obligations, which are likely to affect the overall communications strategy.”
Please feel free to reach out to us with any questions.
The authors gratefully acknowledge the assistance of summer associate Chris Combs in preparing this entry