
Three Gaps an Annual Ransomware Tabletop Exposed

A mid-market insurance carrier's annual ransomware tabletop exposed three IR plan gaps: disabled threat-hunting, brittle comms plans, and knowledge silos.

Industry: Insurance (Mid-Market Carrier)
Service: Tabletop Exercise
Timeline: Annual engagement, half-day exercise plus full after-action report
Outcome: Three actionable IR gaps identified with remediation plans

The Challenge

A mid-market insurance carrier runs annual tabletop exercises as a core part of its incident response readiness program. State departments of insurance expect it. Their reinsurance partners expect it. Their own cyber-insurance customers expect evidence of it. The carrier had the exercise on the calendar every year. The question was whether the exercise was actually surfacing gaps or whether it had become a compliance formality where the team walked through a familiar scenario, took some notes, and filed an after-action report that repeated last year’s recommendations.

Leadership wanted a different kind of exercise this year. They wanted a scenario tailored to their actual technology stack and business operations, realistic injects that forced their team to make decisions under pressure instead of discussing them comfortably, and a facilitator who would push when the room tried to drift toward the clean answer instead of the honest one. They wanted findings they could act on, not “improve communication” and “clarify escalation paths” as standalone recommendations.

Their existing IR plan looked good on paper. Escalation tree documented. Decision authority defined. Playbooks for common incident types. Communications templates. Legal notification timelines aligned to applicable state breach laws. On first review, it was a mature document. The question was whether it would hold up under the actual pressure of a scenario where the clock was ticking and the team had to make decisions that mattered.

The Approach

We built a ransomware scenario tailored to the carrier’s stack, the kinds of data they hold, and the operational realities of a mid-market insurance business. The scenario opened with an initial detection at an unexpected hour, progressed through containment decisions, complicated itself with customer-service implications as claims processing came under pressure, and introduced realistic secondary events that mirrored how a real incident unfolds, not the idealized sequence an IR plan assumes.

Participants included IT security, IT operations, legal counsel, communications and PR, executive leadership, and representatives from claims operations and customer service. The cross-functional participation mattered. Insurance carriers are not single-function organizations in an incident; the people who have to execute the response span departments, and the coordination between them is exactly what a tabletop has to test.

Injects drove the scenario forward. The ransom deadline got moved up. A customer posted screenshots of the outage. Primary counsel was unavailable for a critical window. Executive leadership was out of town for part of the incident. The team’s ability to execute the plan under those pressures was the actual test.

The post-exercise hot wash captured observations while they were fresh. The full after-action report documented what we saw, mapped findings to CIS Top 18 controls where applicable, and recommended specific remediations with owners and timelines rather than generic NIST SP 800-61-style advice.

The Outcomes

Three specific gaps emerged from the exercise that would have materially impaired the carrier’s response to a real incident.

First, threat-hunting and detailed logging features in their existing security tooling were not enabled. The capability was licensed, installed, and available. The configuration to actually use those features had never been turned on. In the scenario, the team reached for data they expected to have and could not produce it. In a real incident, that gap would have created investigation delays that could have cascaded into delayed notifications, missed containment windows, and incomplete scope determination. Remediation was straightforward and inexpensive: enable the features, tune them for the environment, and integrate the resulting telemetry into their existing monitoring. The gap had existed for some time not because the fix was hard, but because no one had realized the capability was sitting unused until the exercise forced the question.

Second, the escalation and communications plan assumed primary communication channels would still work. The written plan was built around email and the primary chat platform. The scenario introduced the case where the incident itself disrupted those channels (which ransomware and business email compromise incidents routinely do), and the team had no out-of-band plan. They had no pre-agreed backup channel, no phone tree that did not depend on the compromised platform, no shared understanding of where the team would regroup if the primary tools were unavailable. In a real incident, this would create coordination collapse at the exact moment coordination mattered most. Remediation required adding an out-of-band communications plan with specific backup channels, pre-tested and documented, and making sure every participant in the incident response knew how to use it.

Third, specific platforms and processes had centralized, undocumented knowledge in one or two individuals. If either of those individuals was unavailable during an incident (vacation, illness, conflicting travel, unreachable phone), the team would be materially impaired in their ability to execute on portions of the response plan. The exercise revealed that what looked like a mature program on paper depended on human availability that could not be guaranteed. Remediation required documentation of the specific workflows, cross-training within the team, and in some cases reconfiguring tooling so its operation did not depend on individual institutional memory.

Each gap was documented with a recommended remediation, an owner, and a timeline tracked in the carrier's continuous-improvement program. The carrier’s leadership walked away with findings they could act on this quarter rather than an abstract call for better coordination. The three gaps were concrete enough that remediating them produced measurable change. None of them required a budget request. All of them would have been invisible without the exercise.

This is why we run tabletops as a core discipline rather than a compliance formality. A plan that looks good on paper is not the same as a plan that works under pressure. The distance between the two is where real incidents produce real damage, and annual tabletops (when they are designed to actually stress the plan) are the most efficient way to close that distance without having a real incident teach the same lessons the hard way.

#tabletop-exercise #insurance #incident-response #ransomware
