IR-OS
IR-OS Research · Issue 01 · April 2026

State of Incident Response Readiness 2026

Why incident response plans break the moment a real cyber incident is declared. Ten findings from executive cyber tabletop exercises across 32 industries, with tactical recommendations for security and legal leaders.

32 industries observed · 10 key findings · 8-section AAR template included

<20%    of teams could identify the next-expiring regulatory clock at minute 120
70%     of first executive briefings contained a material inaccuracy
4x      coordination uplift from quarterly vs annual tabletops
$9.36M  US average cost of a breach in 2024 (Source: IBM Cost of a Data Breach 2024)

1. Executive Summary

Most organizations believe they are prepared for a cyber incident. Fewer are. This report documents the gap between documented incident response plans and the reality of executive decision-making during simulated incidents, observed across exercises spanning 32 industries.

The findings are not about technical detection or containment - those capabilities have improved meaningfully in the last five years. The findings are about coordination, judgment, and regulatory awareness under pressure. These are human failures, and they are the reason even well-resourced organizations with mature security programs still struggle during real incidents.

The good news: these failures are fixable. Every pattern documented here has a corresponding intervention that organizations have successfully implemented. The bad news: most organizations do not know these patterns exist in their own programs until a real incident reveals them - often at enormous cost.

The US average cost of a data breach reached $9.36M in 2024, with healthcare, the costliest sector for the 14th consecutive year, averaging $9.77M. The findings in this report identify the human-coordination failures that drive a meaningful share of that cost - and that are addressable without buying a single new detection tool.
Source: IBM Cost of a Data Breach Report 2024.

"We had a plan. Until the moment we needed to use it, we didn't realize nobody had read it in two years."

Anonymized General Counsel, Public-Company Tabletop

2. Methodology

This research draws on cited, current public research and on direct observation by multiple facilitators of cyber tabletop exercises conducted across public-sector, commercial, and enterprise organizations between 2016 and 2026. A typical exercise ran 90 to 180 minutes and involved 10 to 120 participants drawn from the C-suite, board, legal, IT, compliance, cybersecurity, and their teams. Each tabletop simulated one of eight incident categories: ransomware, data breach, business email compromise, insider threat, supply-chain compromise, phishing campaign, DDoS attack, and hybrid scenarios that combine multiple vectors.

Observations were captured in real time across four dimensions: role clarity, decision velocity, communication accuracy, and regulatory awareness. Patterns that showed up in at least 40% of observed exercises are included as findings. Patterns that showed up in more than 80% are flagged as critical.

All organizational names, industries, and specific scenario details have been anonymized. Findings are directional observations, not peer-reviewed statistical claims, and should be interpreted as patterns consistent across a large but non-random sample. Public benchmarks from the IBM Cost of a Data Breach Report and Verizon DBIR are cited where comparable.

3. Ten Key Findings

Finding 1 · Critical Pattern (>80%)

Role clarity collapses in the first 30 minutes

Most organizations have documented incident response plans that name roles: Incident Commander, Legal Liaison, Communications Lead, Technical Lead. In practice, when a simulated incident starts, teams cannot answer a basic question within the first 30 minutes: who makes the containment decision right now? The documented plan lists a role. The room does not know who fills it today, who their backup is, or what authority they have without escalating.

Finding 2 · Critical Pattern (>80%)

Regulatory clocks are not tracked during incidents

Most IR plans list applicable regulations (GDPR Article 33, HIPAA 60-day, SEC Item 1.05, state breach laws, cyber insurance reporting). Few teams track these clocks simultaneously during an incident. In exercises where participants were asked which deadline was closest to expiring at minute 120, fewer than 20% could answer correctly without consulting reference material. In real incidents, a missed deadline compounds into regulatory fines and loss of attorney-client privilege.

"The carrier hotline was not in any of our runbooks. It is now."

Anonymized CISO, Mid-Market SaaS Tabletop

Finding 3

Teams call the wrong stakeholder first

When asked "who do you contact first?" after a ransomware simulation, the most common first calls were the CEO, law enforcement, or external legal counsel. The correct first call, per most cyber insurance policies, is the carrier's reporting hotline. That call triggers the panel-vendor relationship and preserves coverage. Calling law enforcement before the carrier can void specific policy terms. Calling legal counsel before the carrier can compromise panel-attorney coverage.

Finding 4

Evidence is contaminated before forensics arrives

In ransomware exercises, well-intentioned IT staff consistently took actions that contaminated forensic evidence: rebooting affected systems, deleting suspicious files, restoring from backup before imaging. These actions eliminated the ability to identify the initial access vector, which is material for both regulatory notification ("was sensitive data accessed?") and cyber insurance claims ("what was the attack method?"). Forensic readiness requires explicit "do not touch" decisions at the outset.

Finding 5 · Critical Pattern (>80%)

The first executive update is usually wrong

When the Incident Commander first briefed the executive participants in the exercise, the briefing contained one or more material inaccuracies in 70%+ of cases: overstated scope, understated scope, incorrect attack vector, or incorrect timeline. Executives then made decisions based on the inaccurate brief. A structured briefing template with explicit "known / unknown / assumed" sections resolved this in nearly every exercise where it was introduced.

"Quarterly tabletops felt excessive when we proposed it. Now they feel essential. We have not had a real incident catch us flat since we started."

Anonymized CIO, Regional Healthcare System

Finding 6

Board communication is not planned in advance

Public-company exercises revealed that executives had no pre-drafted board notification language, no defined threshold for "material incident" reporting, and no clarity on SEC Item 1.05 timing. The same question - "when do we tell the board?" - consumed 15 to 40 minutes of exercise time in most sessions. Pre-drafted board communication templates, tied to incident severity, resolved this immediately.

Finding 7

Tabletops without AARs produce no lasting change

The single strongest predictor of whether a tabletop exercise produced lasting organizational change was whether it was followed by a formal After-Action Report within 14 days, with assigned owners and deadlines for each finding. Exercises without AARs produced enthusiasm in the room and almost no measurable change three months later. Exercises with AARs and tracked remediation produced sustained improvement.

Finding 8

Communications leads are underpowered

The Communications Lead role was the most frequently understaffed and undertrained in exercises. Participants assigned to it often had no pre-drafted holding statements, no working relationship with crisis PR firms, and no clear authority to approve external communications without C-suite sign-off - which created material delays. Organizations that had crisis-communications counsel on retainer and a holding-statement library available resolved this cleanly.

Finding 9

"Hybrid incidents" break single-scenario plans

Most IR plans are organized by incident type: "here is the ransomware playbook, here is the data breach playbook." Real incidents rarely fit one playbook. Ransomware events often involve data exfiltration, which makes them both a ransomware and a breach notification event. DDoS attacks are increasingly used as cover for other intrusions. Teams that had only practiced single-scenario playbooks struggled with hybrids. Teams that had practiced hybrid scenarios adapted quickly.

Finding 10 · Critical Pattern (>80%)

Annual tabletops are insufficient

Organizations that ran tabletops annually showed almost no year-over-year improvement in coordination metrics. Organizations that ran them quarterly, or more, showed substantial improvement, with observed coordination uplift on the order of 4x across the four observation dimensions. Annual is the compliance minimum. Quarterly is the performance target. The improvements were not about repeating the same scenario. They were about building muscle memory for the coordination patterns that every incident shares.

4. The Coordination Problem

Technical detection and containment have improved dramatically since 2018. EDR, SIEM, and SOAR platforms are more capable, and security teams are more sophisticated in using them. This report's findings do not dispute that progress.

What has not improved at the same rate is the human coordination layer: the decisions, communications, and role assignments that connect technical work to executive accountability, legal process, regulatory obligation, and stakeholder trust. This is where incidents actually fail today, and it is what the exercises kept revealing, session after session.

The coordination problem has four components:

  1. Role clarity - who does what, and who is their backup when the named owner is unavailable
  2. Decision velocity - how fast the right decision is made with incomplete information
  3. Communication accuracy - whether the stakeholder message matches the technical reality
  4. Regulatory awareness - whether the team is tracking the clocks as they handle the technical work

Organizations that performed well treated these four components as a dedicated discipline, not a byproduct of technical response. They built tools, templates, and runbooks specifically for coordination - not as an afterthought to the technical playbook.

"The first 30 minutes are the only ones that matter for coordination. Everything after that is improvisation built on whatever you set up in those 30 minutes."

Lead Researcher's Note

5. Regulatory Clock Failures

Every modern incident triggers multiple regulatory clocks simultaneously. A single ransomware event affecting a mid-market healthcare organization in California with EU customers can trigger: HIPAA 60-day notification, California Civil Code §1798.82, GDPR Article 33 72-hour notification, SEC Item 1.05 four-business-day disclosure (if public), cyber insurance first-notice reporting (often 48 or 72 hours), and potentially state Attorney General notification in multiple jurisdictions.

In exercises, teams routinely focused on one clock - usually the most visible one - and missed others. The pattern was consistent across sectors:

  • Public companies tracked the SEC clock and missed the state breach laws
  • Healthcare organizations tracked HIPAA and missed the insurance clock
  • EU-exposed organizations tracked GDPR and missed state-level requirements
  • Financial entities new to DORA tracked NIS2 and missed the four-hour DORA initial
  • Nearly all organizations forgot the insurance clock until it was too late to preserve coverage

Pattern: The team member tracking the clocks must be different from the team member managing the technical response. When the same person does both, the clocks lose. The single strongest predictor of clock-tracking discipline was assigning a named "clock-watcher" role at the start of every incident.
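As an added example (not part of the original report and not the IR-OS product), here is a minimal clock tracker in Python for the clock-watcher role described above, built to answer the minute-120 question from Finding 2. The notification windows are the ones this section lists; the event that starts each clock (incident awareness, discovery, or the materiality determination) is an assumption of this example, and in practice counsel makes that determination.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Clock:
    name: str
    trigger: str                 # which incident timestamp starts this clock
    window: timedelta            # notification window as stated in the report
    business_days: bool = False  # count Mon-Fri only (no holiday calendar in this example)


# Windows are the figures the report lists. Which event starts each clock is an
# assumption of this example; in a real incident counsel makes that determination.
CLOCKS = [
    Clock("Cyber insurance first notice", "awareness", timedelta(hours=48)),
    Clock("GDPR Art. 33", "awareness", timedelta(hours=72)),
    Clock("SEC Item 1.05", "materiality", timedelta(days=4), business_days=True),
    Clock("HIPAA breach notification", "discovery", timedelta(days=60)),
]


def add_business_days(start, days):
    """Advance `start` by `days` weekdays, keeping the time of day."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def deadline(clock, triggers):
    """Absolute deadline for `clock`, or None if its trigger event has not been recorded yet."""
    start = triggers.get(clock.trigger)
    if start is None:
        return None
    if clock.business_days:
        return add_business_days(start, clock.window.days)
    return start + clock.window


def dashboard(triggers, now):
    """Rows of (clock name, hours remaining, ISO deadline): running clocks first, soonest
    first; clocks whose trigger has not fired come last with None in both fields."""
    rows = []
    for clock in CLOCKS:
        due = deadline(clock, triggers)
        if due is None:
            rows.append((clock.name, None, None))
        else:
            hours_left = round((due - now).total_seconds() / 3600, 1)
            rows.append((clock.name, hours_left, due.isoformat()))
    rows.sort(key=lambda r: (r[1] is None, r[1] if r[1] is not None else 0.0))
    return rows


def next_expiring(triggers, now):
    """The minute-120 question: which clock expires soonest? None if no clock is running."""
    live = [r for r in dashboard(triggers, now) if r[1] is not None]
    return live[0] if live else None


def sample_incident():
    """Constructed sample: awareness and discovery both at 09:00 UTC on Monday 2026-04-06,
    materiality not yet determined; `now` is minute 120 of the incident."""
    aware = datetime(2026, 4, 6, 9, 0, tzinfo=timezone.utc)
    return {"awareness": aware, "discovery": aware}, aware + timedelta(hours=2)


if __name__ == "__main__":
    triggers, now = sample_incident()
    for name, hours_left, due in dashboard(triggers, now):
        status = "not started" if due is None else f"{hours_left:7.1f} h left, due {due}"
        print(f"{name:30} {status}")
```

Note that the soonest clock in the sample is the insurance first-notice window, not any of the regulatory ones, which is exactly the clock the exercises showed teams forgetting.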

6. The Board Communication Gap

Board-level communication failures fell into three categories in the exercises:

Timing. Executives disagreed about when to brief the board, and most had not pre-defined a threshold. The common default - "when we know more" - turned out to be the wrong threshold, because by the time a board is briefed reactively, the SEC, regulators, or media have often already learned of the incident.

Language. First board briefings routinely used technical language that obscured rather than clarified. Boards do not need to know the CVE exploited. They need to know whether material information was accessed, whether regulatory notification is required, what the remediation cost will be, and whether the insurance carrier has been engaged.

Commitment discipline. Executives often committed to specific remediation outcomes before technical reality supported the commitment. "We will have this contained by end of day" is rarely accurate at hour 4. Boards need honest uncertainty ranges, not false precision.

"My board chair stopped asking for ad-hoc updates because the briefing she needs is one click away. The audit committee conversation changed character entirely."

Anonymized CEO, PE-Backed Industrial Services Firm

7. Cyber Insurance Missteps

Organizations with cyber insurance often performed worse than organizations without, because they believed coverage meant preparedness. It does not. Coverage means a claim is possible if the policy terms are followed precisely. Most policies require:

  • Carrier notification within 48 or 72 hours of incident awareness
  • Use of panel-approved vendors (breach counsel, forensics, notification) for coverage
  • Specific documentation preserved before remediation
  • No public statements without carrier or panel-counsel coordination

In exercises, executives routinely violated one or more of these terms within the first two hours - calling general counsel instead of panel counsel, engaging their usual forensics vendor instead of the panel vendor, or authorizing public statements that panel counsel would not have approved.

The correct first phone call in most cyber policies is the carrier's 24/7 reporting hotline. This call triggers the panel-vendor relationship and starts the carrier's clock. Everything else waits.

8. Industries Observed

The 32 industries observed for this research span every segment of the modern economy where cyber incident response is governed by regulator, carrier, board, or contractual obligation. Patterns held across sectors with two exceptions: critical-infrastructure operators and regulated healthcare carriers showed materially better regulatory-clock awareness, and growth-stage technology firms showed materially worse insurance-policy fluency.

Critical Infrastructure
Energy & Utilities · Water & Wastewater · Telecommunications · Transportation & Logistics · Aviation · Maritime
Healthcare & Life Sciences
Hospitals & Health Systems · Medical Devices · Pharmaceuticals · Biotechnology · Health-Insurance Payers · Health Tech / Digital Health
Financial Services
Banking · Insurance Carriers · Investment Management · Fintech & Payments · Crypto & Digital Assets
Public Sector & Education
State & Local Government · Federal Agencies · Higher Education · K-12 Education · Defense & Aerospace
Industrial & Manufacturing
Discrete Manufacturing · Process Manufacturing · Chemicals · Automotive
Commercial & Consumer
Retail · Hospitality · Media & Entertainment · Legal Services · Professional Services · Real Estate

Industry-specific differences existed at the margins. HIPAA-regulated entities tracked HIPAA better. SEC registrants tracked Item 1.05 better. Beyond that, the four core coordination failures showed up the same way across every sector. The findings in this report are not really industry-specific. They are condition-specific to the moment a cyber incident is declared and the executive war room comes together.

9. The Performance Gap

High-performing teams were not necessarily larger, better funded, or more technically sophisticated than low-performing teams. They were more practiced and better organized. Across the four observation dimensions, the gap between top-quartile and bottom-quartile teams looked like this:

High vs Low Performers, Coordination Dimensions

Dimension                            Low-quartile (observed range)   High-quartile (observed range)   Gap
Time to identify the IC              25-35 min                       5-8 min                          ~5x faster
Time to first containment decision   45-60 min                       15-20 min                        ~3x faster
Regulatory clocks tracked            ~25%                            ~90%                             +65 pts
First briefing accuracy              ~30%                            ~85%                             +55 pts

Ranges are observational, not statistical. Observed across 4 to 8 high-quartile and 4 to 8 low-quartile teams per dimension. Reported as the typical range, not the extremes.

10. What This Means For Your Role

Most IR research is written for the security team and assumes everyone else will catch up. The findings here apply to the whole executive room. Here is the short version, written for each seat at the table.

CISO and IR Lead

Stop scoring tabletops on technical accuracy

Your team has invested in detection. The gap this report points at is not in your stack. It is in the eight hours after the alert, when the room you are in has to make decisions that your tools cannot make for you. The win is not another tool. It is fewer surprises in the after-action and a better story for the board on Day 30.

What to do: Score your next tabletop on coordination, not on whether the team got the technical answer right. Add a named clock-watcher to your IRC. Ask your team to find the carrier hotline from memory.

General Counsel and DPO

Privilege has to be a structure, not a sticker

Most IR plans say drafts are privileged when prepared at the direction of counsel. That language does not survive discovery if your team cannot show how privilege was actually asserted, by whom, and when. The same goes for regulator-facing artifacts. The timeline you produce on Day 30 is the artifact, and it has to be defensible on its own.

What to do: Define privilege scope at the org level, not message by message. Make sure the record system you rely on can prove the chain of custody to a regulator without you in the room.

CFO and Controller

Your cyber policy is a contract, and most teams break it in the first two hours

Cyber insurance is not a safety net. It is a contract with strict terms, and the easiest way to find out where your team is going to break it is a tabletop with the broker in the room. The second-fastest way is to read the policy with a stopwatch and your runbook side by side.

What to do: Get the carrier hotline into every runbook, every wallet card, and every onboarding deck. Verify the panel firms are reachable. Walk through one ransomware scenario with the broker before your renewal.

Communications and PR Lead

The library you build before an incident is the only thing that saves you on Day 1

You will be asked to draft a holding statement faster than any of the lawyers in the room can review one. Templates do not need to be fancy. They need to exist, be approved, and be reachable in minutes. The teams that struggled the most were the ones still drafting from a blank page two hours in.

What to do: Build a holding-statement library now. Get counsel approval now. Run a drill where the only deliverable is a one-page statement out the door inside thirty minutes.

CEO and Board

The gap between what the team knows and what you have been told is what compounds

False precision in early briefings is the single most common cause of bad governance decisions during a cyber incident. The board needs honest uncertainty, not a clean story that turns out to be wrong. The teams that briefed well used a simple structure: known, unknown, assumed.

What to do: Insist on the known, unknown, and assumed structure for every executive update during an incident. Reject precision the situation does not yet support, and ask for the carrier and counsel status by name.

GRC and Internal Audit

A tabletop without a tracked after-action is theater

The strongest predictor of whether an exercise produces lasting change is whether each finding has an owner, a deadline, and a tracking mechanism inside fourteen days. The compliance team owns that loop. Without it, the exercise produces enthusiasm and almost no measurable change three months later.

What to do: Refuse to close out any exercise without a fourteen-day after-action with assigned owners. Push the findings into the same backlog the engineering and IT teams already work from. Track them like any other audit finding.

11. What Works

The patterns that distinguished high-performing teams were consistent:

  1. Quarterly tabletops, not annual. Teams that practiced four times a year outperformed teams that practiced once on every observed dimension.
  2. Formal AARs within 14 days. Every finding had an owner, a deadline, and a tracking mechanism.
  3. Two IRC teams, not one. A primary team and a backup team with overlapping training meant vacations and illness did not compromise response.
  4. A dedicated clock-watcher role. One person tracks regulatory deadlines, and that person does not also manage the technical response.
  5. Pre-drafted templates for everything. Board notifications, press holding statements, customer communications, regulator notifications - all pre-drafted, all reviewed by counsel in advance.
  6. Carrier-first reporting as the trained reflex. Insurance carrier hotline memorized, tested, practiced.
  7. Hash-chained defensible record. Organizations that kept tamper-evident records of their decision-making had meaningfully better regulatory and litigation outcomes.
  8. Hybrid scenario practice. Ransomware + breach, DDoS + intrusion, BEC + data exfiltration - all practiced in combination, not just isolation.
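Pattern 7 above, the hash-chained record, as an added illustration in Python (this is not the IR-OS product's implementation, and the actors, times and decisions in the sample are placeholders constructed for the example): each entry commits to the hash of the entry before it, so an after-the-fact edit, a deleted entry or a reordered timeline breaks the chain at a detectable point.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # sentinel "previous hash" for the first entry


def entry_hash(entry):
    """SHA-256 over a canonical encoding of every field except the hash itself.
    Because `prev` is one of those fields, each hash commits to the whole chain before it."""
    fields = {k: v for k, v in entry.items() if k != "hash"}
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class DecisionRecord:
    """Append-only record of war-room decisions. Entries are never edited in place;
    a correction is a new entry that says what it supersedes."""

    def __init__(self):
        self.entries = []

    def append(self, actor, decision, basis, at=None):
        """Record who decided what, and on what known / unknown / assumed basis."""
        at = at or datetime.now(timezone.utc)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "at": at.isoformat(), "actor": actor,
                 "decision": decision, "basis": basis, "prev": prev}
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry["hash"]


def verify(entries):
    """Walk the chain. Returns (True, None) if intact, else (False, index of first bad entry).
    Catches edited fields, deleted or reordered entries, and a broken link to the predecessor."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False, i
        if entry_hash(entry) != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    return True, None


def sample_record():
    """Constructed sample timeline (placeholder names and times, not from any real incident)."""
    rec = DecisionRecord()
    t0 = datetime(2026, 4, 6, 9, 5, tzinfo=timezone.utc)
    rec.append("J. Doe (IC)", "Incident declared; J. Doe acting as Incident Commander",
               "known: EDR alerts on 3 hosts; unknown: initial access vector", at=t0)
    rec.append("J. Doe (IC)", "Affected hosts isolated at the switch, not rebooted",
               "assumed: forensic imaging needed before any restore", at=t0.replace(minute=20))
    rec.append("A. Roe (GC)", "Carrier hotline notified; panel counsel engaged",
               "known: policy requires first notice within 48 h", at=t0.replace(minute=35))
    return rec


if __name__ == "__main__":
    rec = sample_record()
    print("intact:", verify(rec.entries))
    edited = [dict(e) for e in rec.entries]
    edited[1]["decision"] = "Affected hosts rebooted"  # quiet after-the-fact edit
    print("after edit:", verify(edited))
```

A chain only proves integrity relative to a head hash that its owner cannot quietly rewrite, so the current head should be shared periodically with a party outside the war room, such as panel counsel.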

12. Recommendations

Based on the patterns observed, organizations that want to materially improve their IR readiness should consider the following sequence:

  1. In the next 30 days: Run an exercise focused exclusively on role clarity and regulatory clock tracking. Do not test technical containment. Test the coordination layer.
  2. In the next 60 days: Pre-draft five executive templates: board notification, press holding statement, customer breach letter, regulator notification (top three applicable), insurance first-notice. Have counsel review each.
  3. In the next 90 days: Build a regulatory clock dashboard that tracks every applicable deadline in real time during an incident. Assign a named owner and a named backup.
  4. In the next 6 months: Establish a quarterly tabletop cadence with formal AAR process. Each AAR must have tracked remediation flowing into the engineering or GRC backlog.
  5. Ongoing: Build coordination as a discipline equal to technical response. Allocate budget, training, and tooling accordingly. Treat the human-coordination layer as a product, not as an afterthought.

13. About This Research

This report is published by IR-OS Research. Every pattern documented here is addressed directly in the IR-OS platform: pre-defined IRC roles for instant role clarity, parallel regulatory clocks, holding-statement libraries under privilege, a hash-chained defensible record, and a quarterly tabletop cadence built into the product. The findings describe what good looks like. The platform makes good the default.

The research is ongoing. Future editions will include anonymized pattern data drawn from the IR-OS platform (with customer consent) and updated analysis of emerging incident categories.

Citations to this report are welcome. Suggested citation:

IR-OS Research (2026). State of Incident Response Readiness 2026. https://ir-os.com/reports/state-of-ir-readiness-2026

Sources and references. Public benchmarks: IBM Cost of a Data Breach Report 2024, Verizon DBIR 2024, SEC Final Rule 33-11216 (Item 1.05), NIST SP 800-61 Rev. 3, ISO/IEC 27035-1:2023, EU Directive 2022/2555 (NIS2), EU Regulation 2022/2554 (DORA), GDPR Article 33, HIPAA Breach Notification Rule (45 CFR §§ 164.400-414), and NY DFS Part 500.17. Field observations compiled by IR-OS Staff from cyber tabletop exercises conducted across public-sector, commercial, and enterprise organizations between 2016 and 2026.

For questions, media inquiries, or to contribute observations from your own exercises, contact [email protected].

Run Your Next Tabletop on IR-OS

Every pattern in this report is addressed directly in the IR-OS platform - role clarity, regulatory clocks, pre-drafted templates, hash-chained record, and quarterly cadence. 7-day free trial. 30-day money-back guarantee.
