An incident response plan is a critical component of a cybersecurity program. A tabletop exercise can be used to test whether a response plan functions as desired and to identify gaps and other weaknesses in a firm’s cyber preparedness. The Hedge Fund Law Report and the Cybersecurity Law Report recently presented a seminar, entitled “Conducting an Effective Tabletop Exercise,” which delved into the appropriate development and conduct of tabletop exercises. Shaw Horton, Associate Editor of the Hedge Fund Law Report, moderated the panel, which featured Luke Dembosky, partner at Debevoise & Plimpton and former DOJ prosecutor; John “Four” Flynn, chief information security officer of Uber; and Jill Abitbol, Senior Editor of the Cybersecurity Law Report. This article, the first in a two-part series, addresses how fund managers can effectively develop tabletop exercises, including whether they should be conducted in-house or externally; who should participate; what role counsel should play; and how frequent and long they should be. The second article will outline ways advisers can successfully conduct tabletop exercises, including their content and scope; participant engagement; common errors; and follow-up. For further commentary from Dembosky on this subject, see “How Fund Managers Can Establish Effective Incident Response Plans” (Jul. 18, 2019). See also our three-part series on how fund managers should structure their cybersecurity programs: “Background and Best Practices” (Mar. 22, 2018); “CISO Hiring, Governance Structures and the Role of the CCO” (Apr. 5, 2018); and “Stakeholder Communication, Outsourcing, Co-Sourcing and Managing Third Parties” (Apr. 12, 2018).