Are You Conducting Cyber Breach Fire Drills Yet?

When I was a kid growing up in Chicago, our school would have periodic "atomic bomb" drills – which really was just another fire drill under another name. We would line up and dutifully head outside into the snow. It wasn't until I got a little older that I started to wonder, "how is going outside going to protect me from a nuclear blast?" Meaning it's silly to conduct a drill just for the sake of conducting a drill. But if you know the threat is real – and you can be better prepared by conducting a drill – isn't that a good idea? When it comes to cyber breaches, it certainly seems like it's more of a matter of time for a breach to occur, rather than a question of "will it ever happen to our company?" Given that, it sure seems like a good idea to be as well-prepared as possible so that going into crisis mode doesn't overwhelm you. And with the SEC bringing this enforcement action recently against a company for allegedly deficient disclosure controls related to a cyber breach, the time is ripe to kick the tires on your procedures. In that case, a big factor for the SEC's action appears to be a lack of communication between those that discovered the breach – and those responsible for making public disclosures about matters of importance to the company. That's why planning a fire drill is so critical. A tabletop exercise. The people in your company most likely to uncover a breach aren't accustomed to dealing with folks in the C-suite. They're not attuned to public disclosure obligations. And drafting protocols and conducting training is a good start to propelling them up the learning curve, but it really is no substitute for doing a dry run and seeing if it works in practice. With a dry run, you'll find out whether those down below can find the courage to tell their superiors that a breach might have happened on their watch. You'll find out if those superiors do the right thing themselves. Are senior managers asking the right questions? How about members of the board? You'll also be forced into learning what your weaknesses are within your current disclosure controls. You'll perhaps draft some documents that you'll need on an emergency basis when that dark day arrives. You'll find out whether you need to bring in some advisors to learn more about how to handle a breach. And perhaps after you conduct your first planned fire drill, you'll be brave enough one day to conduct an unplanned drill to really test your colleagues…