Why Every Law Firm Needs a Tabletop Exercise

It's 9:47am on a Tuesday. Your practice manager calls to say that staff can't access the document management system. Then the ransom note appears.

Who makes the call on whether to pay? Who tells clients their matters may be compromised? Who's calling the insurer, the OAIC, the police?

If your firm hasn't answered these questions before the pressure hits, you'll be making critical decisions on the fly. That's where tabletop exercises come in.

What Is a Tabletop Exercise?

A tabletop exercise is a structured discussion-based simulation where your team walks through a realistic cyber incident scenario. No systems are touched—it's a conversation, not a technical test.

The facilitator presents a scenario that unfolds in stages. At each stage, participants discuss what they would do, who would be responsible, and what information they'd need.

Think of it as a fire drill for cyber incidents—except instead of practising where to stand in the car park, you're practising how to make decisions under pressure.

Why Law Firms Are Different

Law firms face unique challenges during cyber incidents that generic corporate playbooks don't address.

Client confidentiality adds complexity. A breach at a law firm isn't just a data incident—it potentially compromises legal professional privilege across dozens or hundreds of client matters. Notification decisions are more complex.

Partners aren't employees. Decision-making structures in partnerships differ from corporate hierarchies. Who has authority to approve a ransom payment? To notify a major client? To engage external counsel?

Regulators and insurers expect it. Cyber insurers increasingly ask whether firms conduct regular incident response testing. Some professional indemnity policies now factor this into underwriting.

Reputational stakes are higher. Law firms sell trust. A poorly handled breach can damage client relationships in ways that are difficult to recover from.

What Happens During a Tabletop Exercise

A typical tabletop runs for 2-3 hours and involves key stakeholders—usually a mix of partners, IT, practice management, HR, and finance.

**Phase 1: The scenario begins.**
The facilitator presents an initial situation. Perhaps unusual network activity has been detected overnight, or a staff member has clicked a suspicious link.

**Phase 2: Escalation.**
The scenario develops. Systems become unavailable. A ransom demand appears. Client data may have been accessed.

**Phase 3: External pressure.**
Media enquiries start. A client calls asking if their matter is affected. The insurer wants a briefing.

**Phase 4: Recovery decisions.**
The immediate threat is contained. Now what? Who communicates with clients? What regulatory notifications are required?

At each phase, participants discuss roles, responsibilities, and decision-making processes. The facilitator probes assumptions and identifies gaps.

What You'll Discover

Every tabletop surfaces issues that weren't obvious beforehand. Common findings include:

Unclear escalation paths. Staff know something is wrong but aren't sure who to call first—IT, the managing partner, or an external provider.

Missing contact details. The incident response plan references "the IT security provider", but nobody has after-hours contact details saved somewhere that remains accessible if email is down.

Decision authority gaps. Partners assume someone else has authority to make time-critical decisions. In reality, no one does without a full partnership vote.

Communication plan gaps. There's no pre-drafted client communication. No media holding statement. No internal staff update template.

Insurance process unfamiliarity. The policy requires insurer notification within 24 hours, but no one knows the breach hotline number or what information they'll need.

These discoveries are valuable precisely because they happen during a simulation, not a real incident.

How Often Should You Run Tabletop Exercises?

Annual tabletops are reasonable for most firms. More frequent exercises—every six months—make sense for larger firms, those with elevated threat profiles, or those recovering from a recent incident.

You should also run a tabletop after significant changes: new practice management system, office relocation, leadership changes, or merger activity.

Running Your Own vs External Facilitation

Some firms run tabletops internally. This works if you have someone with incident response experience who can facilitate objectively and challenge assumptions.

External facilitation has advantages. An independent facilitator asks uncomfortable questions that internal staff may avoid. They bring experience from incidents at other firms—patterns that help anticipate what you'll actually face.

External facilitators also free your senior people to participate fully rather than splitting attention between running the exercise and engaging with the scenario.

Getting Started

If your firm hasn't conducted a tabletop exercise, start with a simple scenario—ransomware is the most common and easiest to make realistic. Focus on decision-making and communication rather than technical response.

If you want to discuss how a tabletop exercise might work for your firm, we're happy to talk through options.

John Reeman - Virtual CISO

I'm the CEO and Founder of Cyooda Security, an independent cybersecurity and digital forensics advisory consultancy based in Sydney. I'm the former CISO of King & Wood Mallesons, a global law firm, with 30 years of cybersecurity leadership protecting organisations and government agencies from data breaches, ransomware, and cyber espionage.