Most SEC-registered firms can produce an incident response plan. Far fewer can produce evidence that anyone has ever tested it. That gap is becoming one of the more consequential distinctions in a cybersecurity exam, because the SEC has made clear that it judges incident response by how a firm actually reacts — not by what is written in a binder.
A tabletop exercise is how a firm closes that gap. It is also one of the least understood and most undervalued controls in the entire program.
The rest of this article is free to read with a BrainTrust membership — joining takes about a minute, and no credit card is required.