“We Have a Plan” Is Not the Same as “We Tested It”: Incident Response Tabletops for RIAs

Most SEC-registered firms can produce an incident response plan. Far fewer can produce evidence that anyone has ever tested it. That gap is becoming one of the more consequential distinctions in a cybersecurity exam, because the SEC has made clear that it judges incident response by how a firm actually reacts — not by what is written in a binder.

A tabletop exercise is how a firm closes that gap. It is also one of the least understood and most undervalued controls in the entire program.

The rest of this article is free to read with a BrainTrust membership — joining takes about a minute, and no credit card is required.

Join the BrainTrust   Already a member? Sign in