Most incident response plans fail not because they are technically wrong but because they were never tested under realistic conditions.
The Plan That Lives in a Document Folder
An incident response plan that has never been exercised is not a plan; it is a document describing what its author hoped would happen. Plans written by security teams without input from IT operations, legal, HR, and communications fail when those teams need to act. Plans that describe notification chains without validating that the out-of-hours contact numbers actually work fail at 2am. Plans that name a corporate system as the coordination channel ('use Teams to coordinate response') fail when the compromise extends to that system. Exercise the plan before you need it.
Tabletop Exercises Done Well
A tabletop exercise is a structured discussion in which key stakeholders walk through a realistic incident scenario and make the decisions they would make if it were real. The value is in the discussion, not the role-play. A facilitator presents an incident (ransomware, data breach, prolonged outage) and asks: who makes this decision? What information do we need? Who do we call? What do we tell customers? The questions the group cannot answer are the gaps in the plan. Run a tabletop exercise annually at minimum, and quarterly for organisations with active cyber insurance or regulatory obligations.
The Communication Plan Is Half the Plan
Security teams focus on technical response; executives focus on communication. Both are right to prioritise their domain. A complete incident response plan addresses both: technical containment, eradication, and recovery, AND customer notification templates, regulatory notification procedures, internal communications, and media response protocols. Companies that manage the technical response well but communicate poorly suffer more long-term damage from the communication failure than from the breach itself. Draft notification templates before an incident; approving communications under pressure produces errors.
What Cyber Insurance Actually Requires
Cyber insurance carriers increasingly require evidence of an incident response plan, a tabletop exercise history, and specific security controls as a condition of coverage or as a basis for premium rates. A plan document alone is often insufficient: carriers want evidence of testing and plan updates within the past 12 months. Some policies require the insured to use the carrier's approved incident response firm. Understanding your policy's incident reporting requirements, specifically the deadline for notifying the carrier after a suspected breach, is critical: many policies require notification within 24-72 hours of an incident, regardless of whether it has been confirmed.
- An untested plan is a document — test your IR plan with a tabletop exercise before you need to use it
- Tabletop exercises reveal the decisions that cannot be made and the contacts that do not exist — those are the plan's real gaps
- Draft customer notification templates before an incident — communications approved under pressure contain errors
- Know your cyber insurance policy's incident notification requirements — most require carrier notification within 24-72 hours