As the cyber threat to the pensions industry becomes increasingly real, many trustee boards are planning a cyber-attack simulation exercise or “Cybergame” to see how they might fare if they were faced with a major cyber security incident.
When done well, a Cybergame can be an incredibly useful tool, but it can also be a big use of trustee time and training budget. So how do you make sure you are really getting the most out of it?
Here are my five top tips.
- Set it up properly
All the best games are cleverly designed and carefully set up and a Cybergame is no different. Preparation is key and the more you put in, the more you’ll get out. For example:
- is your scenario tailored so it is relevant and realistic for your scheme?
- do you understand the risks and your responsibilities before you start (or might some introductory training help)?
- have you gathered together relevant information and materials which would influence your response? This could be:
  - your incident response plan and cyber policy
  - details of your critical services (including any back-ups)
  - details of your available communication channels
  - details of any relevant insurance, and
  - details of any specialist cyber support.
Clearly there is no point deciding that you would email members if you don’t actually hold email addresses. Equally, you could be more relaxed about your standard payroll going down if you have a robust back-up which could kick in quickly and allow pensioners to be paid.
Having the right information to hand means you can plan how you would work within your own systems and structures rather than planning a generic response which wouldn’t actually work in practice for your scheme.
- Get the right players
Most games have a minimum number of players. For a role play game to work, all the key roles need to be taken.
It therefore makes sense to have representatives from all key stakeholders who would need to be involved in the event of a cyber incident in the room for your Cybergame. For example:
- your full cyber incident response team
- members of the wider trustee board
- representatives from your administrators
- your lawyers, and
- a representative from the sponsoring employer.
It also helps to have a facilitator whose job is to guide you through the scenario so you don’t miss anything and you get to the end in the time available. Otherwise it’s very easy to get stuck in the weeds and simply run out of time.
To ensure everyone gets to play an active role, you could task each trustee with taking the lead on a particular aspect of the response such as member experience, governance, or sponsor liaison.
- Be a stickler for the rules
There is usually no point playing a game unless you follow the rules to the letter.
In the same way, when it comes to planning for a major cyber incident, the details matter. You don’t want a vague plan. So, when running your Cybergame make sure you are really specific about every move you make.
If you are concluding that your next move is to speak to the administrator, ask yourself: Who would we speak to? How would we contact them? What would we be asking them for?
If you’ve decided you need to communicate with members: When? How? What would you say? How quickly could you actually issue something? Who would draft/approve the text? Who would send it? What if you got questions back?
- Allow enough game time
Games usually give you an estimated playing time – a realistic idea of how long the game should take.
A Cybergame can’t be rushed. Nor can you do it justice at the end of a long meeting by which point everyone has run out of steam.
You need enough time (and energy) for questions and robust discussion. Ideally you would also have some extra time at the beginning to properly set the scene, so everyone is in the right mindset, and at the end to allow for reflection and to agree next steps whilst it’s still fresh. So think carefully about when to schedule it, rather than just squeezing it in.
- Know the aim of the game
Game instructions always start by telling you the aim of the game.
Before you start your Cybergame, everyone should know what “winning” looks like. In other words, what do you want to achieve/take away? Are you looking to refine your incident response plan? Have a list of queries for key providers or areas for improvement?
As valuable insights, observations and learnings are likely to come up throughout the game, decide how best to capture them so that you don’t miss anything whilst not unnecessarily interrupting your flow.
Cyber risk isn’t a game, far from it. But a Cybergame is without doubt one of the best ways to help you develop and test your cyber incident response plans. It’s definitely worth running one, and it’s definitely worth making the effort to do it well.
It’s also a good idea to run a Cybergame more than once. Periodic reruns using different scenarios will help you refine your processes and increase your familiarity with the key issues. It’s also the only way to keep pace with an ever-changing cyber landscape – new threats, new challenges, new systems, new stakeholders – so preparing for a cyber incident shouldn’t be a once-and-done thing. Trustees need to keep levelling up.
Game on.