Our attorneys have significant experience assisting clients in the development of comprehensive data privacy and security strategies. Preparing for an incident response is the paramount element of these strategies. We train our clients’ employees on relevant privacy and information security issues and use tabletop exercises to simulate crisis situations in order to test plans, identify potential gaps, and refine those plans based on lessons learned.
The benefits of these exercises are many, including effectively revising and reviewing your plan, and discovering and addressing any gaps in your plan. Our exercises require modest commitments in terms of time, costs and resources. Our programs also encourage team building and are a good way to familiarize key stakeholders with their roles and responsibilities so they can effectively facilitate communications if a cybersecurity incident occurs.
Vorys Incident Response Tabletop Exercise
We have facilitated tabletop exercises regarding incident responses for several large corporations. We customize these presentations for each of our clients based upon their goals for the exercise. Goals are typically identified in advance. Considerations for goals of the exercise oftentimes include the following:
- Education: Particularly in large or decentralized organizations, not all stakeholders may be aware of internal capabilities, response plans or designated responsibilities that already exist within the organization. It can be helpful to design an exercise that helps familiarize all stakeholders with these important elements. It can also assist in introducing an enterprise level plan that has not been tested previously.
- Enterprise Level vs. Particular Teams: Another goal may be to test how a particular department or area adheres to its own playbook or incident response plan, if they have one, in addition to an enterprise level plan.
- IT Team Exercises: These exercises may serve to educate how the internal information security team would investigate a potential incident, as well as any outside assistance that may be required.
- Refining the Plan: Exercises can be designed to follow up on identified gaps in the previous plan or exercise.
We strive to make the experience as realistic as possible. By doing so, we best find gaps in existing response plans, or gaps in the processes that support drafting a plan, and we are able to more easily recommend and facilitate improvements moving forward.
Below we briefly outline the preparation for, and elements of, our tabletop exercise.
In a short meeting to prepare for the tabletop, we ask a number of questions that allow us to maximize our customization of the program. We also thoroughly vet which participants to include in the tabletop exercise. It has been our experience that clients often neglect to consider inviting a number of necessary and valuable participants. We also discuss the post-exercise deliverable to ensure we mutually understand what Vorys will deliver after the exercise is complete.
Incident Response & Planning Considerations
We start our tabletop exercises with a short primer on considerations for the attendees. We find that providing participants with some basic direction and approach prior to the exercise allows for more meaningful and in-depth review of procedures.
The objectives of our exercises are three-fold. First, we use the scenario to observe your incident response plan in action and discuss revisions. Second, we consider appropriate roles and responsibilities for each of the participants involved. And, finally, we document, discuss and share the lessons we collectively learned in order to make appropriate changes following the exercise. Although completely customizable, our ground rules for the exercise are solely focused on providing the most beneficial environment for the exercise. These rules typically include ensuring all participants are responding to the scenario as if it is a real event; ensuring participation from all corners of the room; and creating an environment where it is understood there are no wrong answers.
We offer a variety of formats to best meet our clients’ goals. These may include half-day or full-day exercises and discussions. The Vorys team frequently jumps into an incident and injects new facts at regular intervals, depending on the length of the exercise. These facts arrive at different hypothetical points following the incident. Participants should think through how and when they would learn each fact and what they would do with it. We can also design exercises in which participants are split into small groups to facilitate more discussion. We oftentimes partner with technical experts or moderators to facilitate the exercise. Vorys will record the group’s actions and keep track of issues identified as we progress. At the end, we summarize how the scenario was resolved and discuss lessons learned from the exercise.
Typically the most beneficial aspect of the exercise is the group discussion. We facilitate a discussion following the exercise specifically focused on the lessons learned and recommended changes. Such focus areas include:
- Who are the relevant stakeholders who need to be included in incident response?
- Does the client’s insurance policy require notification of potential events in a certain time frame and/or use of certain vendors?
- Are there other parties that would require notice of a potential event?
- Are all stakeholders aware of how to properly invoke attorney-client privilege?
- What is the organization’s risk tolerance in these scenarios?
- What are the appropriate escalation protocols, including escalation to senior management and the board?
- Is the organization fully aware of its potential legal obligations in these situations?
- How can the organization best protect itself during these crises?
Our Post-Exercise Deliverable
As stated, we fully discuss what deliverable you would like from Vorys before commencing the exercise. These deliverables can be as informal or formal as you wish. We always include a review of our takeaways and typically include our recommended changes to strengthen your incident response plan. As previously described, our team has expansive experience implementing these changes and ensuring your company’s response plan stays updated and compliant.