The Imperative of Cyber Preparedness: The Power of Tabletop Exercises

Long Term Care & Senior Housing Update

Client Alert

Author(s) ,

In an age where digital connectivity is rapidly advancing, cybersecurity has become an inescapable concern for organizations across industries. With cyber threats ranging from data breaches to ransomware attacks, it is paramount that companies remain vigilant and prepared. The sensitivity of much of the patient data retained by long term care providers — including Protected Health Information (PHI) exchanged with health insurers which may be subject to additional and more stringent federal and state data security requirements — amplifies the necessity for long term care providers to implement a thoughtful cybersecurity preparedness program. A recent study[1] by the National Association of Corporate Directors has raised alarms by revealing that a mere 48% of company boards conducted a cyber-themed exercise in the year preceding the survey. This article explores the significance of cyber preparedness and how tabletop exercises can play a vital role in safeguarding corporate assets and reputation.

Understanding Cyber Preparedness

Cyber preparedness refers to an organization's readiness and capability to mitigate, respond to, and recover from cyber incidents. It encompasses a range of activities such as risk assessment, incident response planning, employee training, and security measures implementation. A robust cybersecurity posture protects critical data and systems and reinforces a company’s reputation and stakeholder trust.

The Critical Role of Board Participation and Mitigating Legal Risks

One of the pivotal aspects of cyber preparedness is the active engagement of an organization’s leadership, particularly the board of directors or managers. Board members are entrusted with the oversight of organizational risks. Their understanding of cybersecurity challenges and support in driving relevant initiatives can significantly impact the company's cyber resilience. Board members should be briefed on the evolving cyber threat landscape and be informed about the organization’s preparedness measures.

The board’s participation in cyber preparedness is a strategic necessity and a legal safeguard. Furthermore, it is vital to acknowledge that an active and informed board plays a crucial role in mitigating the risk of litigation in the aftermath of a cybersecurity incident. By actively participating in the cyber readiness process, the board demonstrates its commitment to protecting the company and its stakeholders from cyber risks. Such documented due diligence can be instrumental in defending against shareholder litigation or derivative lawsuits, asserting that the board executed its fiduciary duty in acting in the company's and its shareholders' best interest.

Harnessing the Power of Tabletop Exercises

Tabletop exercises are simulated scenarios that help organizations practice and evaluate their response to a hypothetical cyber incident, for example, responding to a ransomware attack blocking access to the organization's computers for a ransom. These exercises serve as a practical, engaging, and low-risk way for teams to identify vulnerabilities in current plans, improve coordination, and evaluate the decision-making process during a crisis.

Identifying Gaps

Through tabletop exercises, corporate leaders can gain insights into the strengths and weaknesses of their current cybersecurity measures. By simulating an attack or breach, teams can uncover gaps in communication, coordination, and technical defenses. Identifying these gaps is the first step toward reinforcing the company's cyber preparedness.

Enhancing Decision Making, Coordination, and Communication

Tabletop exercises provide a platform for stakeholders from different departments to collaborate and foster a culture of vertical and horizontal communication within an organization. This dual-axis communication is a critical component of effective cyber preparedness.

Vertical communication ensures that directives and strategic insights from senior leadership percolate down to operational levels and, inversely, on-the-ground intelligence and feedback reach decision-makers. Horizontal communication, on the other hand, facilitates cross-functional collaboration. During a cyber incident, different departments — ranging from IT and HR to legal and public relations — need to work in tandem.

Beyond enhancing decision-making and coordination, regularly conducting tabletop exercises can help organizations develop "cybersecurity muscle memory." Just as athletes instinctively train to react in high-pressure situations, organizations can build automated, effective responses to cyber threats through repeated exposure and practice. This muscle memory reduces the reaction time to threats and increases an organization's resilience to cyber incidents.

Regular and varied tabletop exercises help organizations respond promptly and effectively when faced with a real cyber crisis. In the face of increasingly sophisticated cyber threats, improving decision-making, fostering vertical and horizontal communication, and developing a cybersecurity muscle memory through tabletop exercises are non-negotiable components of robust cyber preparedness.

Customization and Scalability

Companies unsure where to start can leverage tabletop exercises tailored to suit an organization’s specific needs and risks. The exercises can be scaled as a company evolves to address more complex scenarios and challenges. Customization ensures the exercises remain relevant and focus on the company’s unique cybersecurity objectives.

The escalation in cyber threats necessitates a proactive approach to cybersecurity. Tabletop exercises are an invaluable tool for corporate leaders and board directors to fortify their cyber preparedness. Through active participation, continuous learning, and adapting to the ever-evolving cyber landscape, organizations can build a resilient cybersecurity posture that safeguards their assets and reputation in an increasingly connected world.



[1] “How Tabletop Exercises Aid Cyber Preparedness”, Leslie Acebo, May 15, 2023, Wall Street Journal: Pro Cybersecurity Research,