“We Have a Plan” Is Not the Same as “We Tested It”: Incident Response Tabletops for RIAs

Most SEC-registered firms can produce an incident response plan. Far fewer can produce evidence that anyone has ever tested it. That gap is becoming one of the more consequential distinctions in a cybersecurity exam, because the SEC has made clear that it judges incident response by how a firm actually reacts — not by what is written in a binder.

A tabletop exercise is how a firm closes that gap. It is also one of the least understood and most undervalued controls in the entire program.

Why Testing Is Now the Standard

The 2024 amendments to Regulation S-P require covered institutions to maintain a written incident response program capable of assessing the nature and scope of an incident, containing and controlling it, determining whether customer notification is required, and meeting the 30-day notification clock. A plan that can do all of that on paper but has never been exercised is a plan whose first real test will be the incident itself — exactly the wrong moment to discover that the escalation path is unclear, the contact list is stale, or no one knows who decides whether to notify clients.

Rule 206(4)-7 reinforces this. The rule asks whether a control is reasonably designed and whether it operates as designed. An untested incident response plan can be reasonably designed and still fail the second half of that test, because nobody has any evidence it operates. The SEC’s recent enforcement posture has been consistent on this point: incident response is not an MSP, cyber insurance, or a retainer consultant. It is a procedure-driven reaction capability, and a capability that has never been exercised is difficult to call a capability at all.

What a Tabletop Exercise Actually Is

A tabletop exercise is a structured, discussion-based walkthrough of a realistic incident scenario. The relevant people — typically the CCO, ownership or senior leadership, whoever owns the technical environment, and often outside counsel or a forensics contact — sit down and work through a scenario step by step as it unfolds. It is not a technical penetration test and it does not touch production systems. It tests decisions, roles, and communication: the human and procedural machinery that determines whether a real incident is contained in hours or discovered weeks later.

The exercise is driven by a scenario and a facilitator who introduces complications as it progresses. A good scenario mirrors how RIAs are actually compromised rather than a dramatic but improbable event. The most useful scenarios include:

  • Business email compromise. An employee’s mailbox is taken over, a malicious forwarding rule is created, and a fraudulent wire-change request goes to a client. This is the single most common and most damaging scenario for an advisory firm.
  • Ransomware. Files are encrypted across the environment, backups are in question, and there is pressure to make a fast decision under uncertainty.
  • Vendor breach. A service provider notifies the firm — or fails to — that customer information in their environment was exposed, triggering the firm’s own assessment along with the 72-hour service-provider notice clock and the firm’s 30-day customer-notification clock.
  • Lost or stolen device. An unlocked phone or laptop with access to firm systems goes missing.

What the Exercise Surfaces

The value of a tabletop is in the gaps it exposes before an attacker does. In practice, the same weaknesses surface again and again: nobody is sure who has authority to declare an incident; the escalation path exists on paper but has never been walked; the contact list includes people who have left the firm; there is confusion about when the 30-day notification clock starts and who decides whether it applies; the MSP’s role and notification obligations are assumed rather than confirmed; and evidence-preservation steps are skipped in the rush to remediate. Each of these is far cheaper to discover in a conference room than in a live incident.

A tabletop also clarifies the decisions that are genuinely hard under pressure — the notification determination in particular. Deciding, calmly and in advance, how the firm will assess whether sensitive customer information was accessed or is reasonably likely to have been, and who signs off on that determination, is worth more than another page of policy language.

The Evidence That Matters

From a compliance standpoint, the exercise is only as valuable as the record it produces. A defensible tabletop generates: the date and the scenario used, a list of participants and their roles, a summary of how the team worked through the scenario, the gaps and weaknesses identified, and — most importantly — the lessons learned and the specific changes made to the plan, the contact list, or the procedures as a result. That last piece closes the loop. It demonstrates not just that the firm tested the plan, but that testing produced improvement, which is exactly what “reviewed and updated” means under both Reg S-P and the annual 206(4)-7 review.

Backup-restore testing belongs in the same discipline. A firm that assumes its backups work, but has never restored from them, is making the same mistake as a firm with an untested plan. Documenting a restoration test is part of demonstrating that the recovery half of incident response actually functions.

How Often

For most firms, a tabletop on an annual cadence, rotating through different scenarios year over year, is appropriate — with an additional exercise after a significant change in systems, vendors, or staffing. Folding the exercise and its lessons-learned record into the annual 206(4)-7 review is the cleanest way to ensure it happens on schedule and that the evidence lands where an examiner expects to find it.

The Bottom Line

An incident response plan is a hypothesis about how the firm will behave under attack. A tabletop is the experiment that tests it. The amended Regulation S-P expects a program that works under real conditions, and the SEC evaluates that program by the firm’s demonstrated ability to detect, contain, decide, notify, and document — not by the existence of the document. The firms that move from “we have a plan” to “we tested it, here is what we found, and here is what we changed” are the ones whose incident response will hold up both in an exam and in the event it is built for.

MTradecraft facilitates incident response tabletop exercises for SEC-registered firms and produces the documented record of testing that examiners look for. If your plan has never been exercised, that is a gap worth closing before it is tested for you.