Tactical Exercises For Managing Corporate Risk

By Adele Hogan
Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.

Sign up for our Securities newsletter

You must correct or enter the following before you can sign up:

Select more newsletters to receive for free [+] Show less [-]

Thank You!



Law360 (March 9, 2020, 4:50 PM EDT )
Adele Hogan
There are many areas where tabletop exercises by management and boards can provide strategic advantages, and three of them are data privacy, cybersecurity breaches and random incidents, such as the coronavirus outbreak.

Officers at companies who run tabletop risk scenarios, often with outside advisers, can obtain insights into their preparedness, gaps and vulnerabilities. They then have an opportunity to do a gap analysis, remediate and provide demonstrated and documented evidence that they took reasonable steps to have a state-of-the-art risk management program. This can go a long way to protect the company as current and future risks arise.

General Tabletop Methodology

To prepare a group of individuals for a tabletop exercise, a facilitator should be selected. That person, sometimes working confidentially, could hijack a meeting where individuals are called to discuss pricing strategies or board projects, and switch the topic to the tabletop crisis scenario.

The individuals in the meeting may or may not be told this scenario is a drill. The facilitator should outline the scenario and then stand back, take observation notes to help identify gaps and the root causes of them, and let the designated leader of whatever crisis is part of the tabletop exercise to try to run the work streams of crisis management and execute on decision and communication decision trees that should already be in place.

The room should be locked down and there should be no leaks. Individuals should know who should be notified, what each stakeholders' responsibilities are, and the order of timing for notifications to various stakeholders and regulators and for public disclosures.

For example, there should be a readily accessible working group list that includes names, emails and phone numbers, including cell numbers, for inside and outside lawyers, a public relations firm, press contacts, regulators that need to be notified for various types of incidents, auditors, bankers, business partners, board members, officers of the company, etc.

The timing and nature of disclosures to stakeholders — such as employees, customers, suppliers and others — should be considered. There may need to be a cascading roll out of disclosures. The robustness of the planning and preparedness should be evaluated.

The working group list and notifications will vary depending on the type of crisis. Environmental, social and governance factors should be covered by the internal crisis policies of the company. Alternative parties should be included in the working group list in case a party has a conflict or is unavailable to work on a particular crisis.

Things to consider might include ranking the threat level by type of incident, likely impact — monetarily and reputationally — and threat level. The facilitator can prepare and submit throughout the tabletop exercise statements about the initial threat, and then periodic updates as new scenario information becomes available, just like a real crisis might unfold.

There is likely to be a cascade of insiders being brought into the fold, and confidentiality measures should be tested as part of the tabletop exercises.

The facilitator should consider whether and to what extent the tabletop planning, execution and lessons learned are documented, and any remediation steps noted in light of the document retention policies of the company. This may prove helpful in subsequent challenges by litigants or regulators. The facilitator may consider involving third-party vendors such as law firms and PR firms to ensure the team is adequately prepared and cohesive and a fair assessment occurs.

Not only should for-profit companies run tabletop exercises, but nonprofits and governmental organizations should consider running them too. Below are some suggestions for different types of issues to be included depending on the type of tabletop scenario that is being run.

Examples of Tabletop Exercises

Data Privacy and CCPA Compliance

A company that concluded that the California Consumer Privacy Act does not apply could run a tabletop exercise where a position is challenged and threats of substantial penalties are made. This tabletop exercise might include defenses, such as the applicability of other privacy regulations that officers of the company believe preempt parts of these other privacy regulations, such as the Health Insurance Portability and Accountability Act or federal banking regulations.

The tabletop exercises should include an analysis of coverage and applicability of those regulations, how to handle claims that disclosure and transparency are inadequate, as well as claims that rights of individuals to data access and to be forgotten have been violated.

The tabletop exercise should also cover claims that the right to opt out of selling information were breached and claims of discrimination, not equal treatment, for selecting opt-outs. The ability to locate data maps that cover how and why data was collected should be tested.

Cybersecurity

Cybersecurity breach tabletop exercises related to cybersecurity should include various types of breaches —phishing and spear phishing attacks, denial of service and distributed denial-of-service attacks, password and drive-by attacks, eavesdropping, cross-site scripting, etc. Participants should be familiar with the cybersecurity attack terminology.

Coronavirus

One of many good reasons to run tabletop exercises is that the heightened skills that come out of those exercises are applicable to new threats, such as the coronavirus situation. Supply chain interruptions, customer and sales interruptions, insurance coverage, labor law matters, U.S. Securities and Exchange Commission disclosure, and other issues may arise, not to mention the humanitarian and ESG concerns.

Conclusion

Tabletop exercises can be an excellent way to demonstrate that the tone at the top of companies is one of strong risk management and compliance.

They can also be used to bring along transformation initiatives that have stalled for lack of support or funding. Tabletop exercises can highlight areas where engagement, strategic thinking and funding are necessary to properly manage known and unknown risks corporations face.



Adele Hogan is a partner at Nelson Mullins Riley & Scarborough LLP.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

For a reprint of this article, please contact reprints@law360.com.

Hello! I'm Law360's automated support bot.

How can I help you today?

For example, you can type:
  • I forgot my password
  • I took a free trial but didn't get a verification email
  • How do I sign up for a newsletter?
Ask a question!