A tabletop exercise can be used to test whether an incident response plan – a crucial part of any cybersecurity program – functions as desired. The exercise can also identify gaps and other weaknesses in a firm’s cyber preparedness. The Cybersecurity Law Report and the Hedge Fund Law Report recently presented a seminar that delved into the appropriate development and conduct of tabletop exercises. Shaw Horton, Associate Editor of the Hedge Fund Law Report, moderated the panel, which featured Luke Dembosky, a partner at Debevoise & Plimpton and former DOJ prosecutor, John “Four” Flynn, chief information security officer of Uber, and Jill Abitbol, Senior Editor of the Cybersecurity Law Report. This article, the first in a two-part series, contains their advice on how to effectively develop tabletop exercises, including insight on whether they should be conducted in-house or externally, who should participate, what role counsel should play and how frequent and long they should be. The second article will outline ways advisers can successfully conduct tabletop exercises, including their content and scope, participant engagement, common errors and follow-up. For further commentary from Dembosky on this subject, see “How to Establish an Efficient Incident Response Plan” (Jul. 17, 2019).