Joe Hancock
Partner (non-lawyer)
Mishcon de Reya
Hello everyone and welcome to, uh, another one of our Digital Fortress Digital Session of 2025, our serial, series of webinars looking at the cyber security side of, of our client issues, uh, providing practical tips based on real experiences across the world of cyber risk. Uh, if you, just sort of housekeeping first, if you have any questions, please pop them into the Q&A function and we’ll try to address them either as we go or at the end. If you have any technical difficulties, again, please pop them in the chat function, um, it’s always worth logging out logging back in again or try and get another device as well if there is any kind of issues there. Uh, and if you want to get contact details, uh, of any of the speakers directly, if you click on the resources tab down below you’ll be taken to everyone’s kind of bio and contact details, uh, and they are usually on the, the kind of, um, follow up emails afterwards. And there will be a recording of the, uh, the session for everybody who signed up, whether you attended or not.
So, today’s digital session, we’re looking into cyber resilience, exercising your response plans and capacity to respond. I, for one, love a good cyber incident exercise. I think it delivers, in my opinion, probably the kind of biggest change in capability both for an organisation and also for the individuals who work on them. I’ve been very lucky to be part of, of lots of them over the years and every single one, I’ve walked away learning something new. So I am joined by two fantastic guests today; uh, I’m joined by Steph Itimi, the Director of Information, Protection and Compliance from Age UK, uh, and I am joined by Francisco Sanches who is the DFIR Director from the Cyber Risk Team at Mishcon. Welcome both.
Francisco Sanches
Cyber Risk Director (non-lawyer)
Mishcon de Reya
Welcome, good to be here.
Stephanie Itimi
Director, Information, Protection and Compliance
Age UK
Likewise, I’m kind of excited to share more of our experience because we really enjoyed our Mishcon Cyber Security Incidents earlier this year, so super excited to be here.
Joe Hancock
Partner (non-lawyer)
Mishcon de Reya
Thank you Steph, thank you and that was entirely natural, I didn’t even have to pay Steph to say that so, yeah. Uh, so thank you very much for joining us. So, um, for those who kind of aren’t familiar with cyber incident exercises, or perhaps kind of have, have only a little bit of knowledge, what, how does it typically work? Francisco if you perhaps want to, want to comment how an exercise works practically and some detail.
Francisco Sanches
Cyber Risk Director (non-lawyer)
Mishcon de Reya
Right so… Sure, so a cyber incident exercise is like, um, a practice drill for your organisation. Uh, just like you’d run a fire drill, uh, to see how people react, we would simulate a realistic cyber-attack and walk your team through it to see how they would respond. Uh, it’s not about catching people out, it’s about testing the plans, the communication, the decision making so that when something real happens, everyone, everyone knows their role and is confident in what to do. Now, the way we typically approach it is to make the exercise meaningful and relevant to the organisation. That is key and for that we work with someone inside the business to shape a realistic scenario that feels authentic and fit for the purpose of the organisation. We also make sure the right people are in the room, not just IT but the wider team who would be involved in a real incident. In practice it usually runs as a three hour session, including time for feedback and afterwards we provide a written report with lessons learned and if requested, happy to present the findings back to the stakeholders so the whole organisation can benefit from it.
Joe Hancock
Partner (non-lawyer)
Mishcon de Reya
Thanks Francisco. Uh, I like the kind of fire drill analogy, although given that, um, we test our office fire alarms every Wednesday at 10 o’clock uh, I am not sure kind of how often we should be doing these things. Um, it, you know, we’ve had a bit of a year of cyber security headlines starting with some well-known brands who have had some highly publicised problems, uh, and even in the kind of the media last week, some of the issues that are ongoing with, uh, JLR and, and the kind of government financing that’s been made available. I, I’ve noticed more and more clients are now asking questions around resilience, asking questions around incident response planning, uh, and, and exercises are definitely part of that kind of conversation. So, why should organisations prioritise doing these exercises, uh, especially now? Francisco perhaps you want to comment again and then Steph we’ll come to you.
Francisco Sanches
Cyber Risk Director (non-lawyer)
Mishcon de Reya
So, so it’s like they say in the industry, cyber incidents are no longer if, but when will it happen and the exercise helps you spot the gaps before an attacker does. They also give senior leaders confidence that their organisation can handle the pressure. You know, in this day and age, regulators, clients, insurers, all want to see or to know that you are prepared and an exercise is a safe, controlled way to show that. Uh, they give you the chance to practice under safe conditions. So as I mentioned before, when the real thing happens you know, you respond with speed and confidence, not panic, not addressing it for the first time in your life. And there are many reasons to prioritise them that, that businesses have found them so, uh, I would like to highlight a few of them, like to raise awareness with senior management. That’s a very common one. Uh, to highlight the internal capabilities to show what you can do from uh, uh, what you already have in-house, to uncover areas for improvement, things that you need to make, make change before an attack happens. And, uh, one of the key ones for me is to give that senior management opportunity, a chance to practice decision making under pressure and with incomplete information as that’s what typically will be facing them. Uh, it strengthens the trust with clients, regulators and overall it protects your organisation, ultimately an exercise, I believe it is one of the most practical steps you can take to make sure the whole organisation, not just IT, is ready for the moment that really counts.
Joe Hancock
Partner (non-lawyer)
Mishcon de Reya
Brilliant and Steph, perhaps you, do you have any idea around, um, why your organisation prioritises for your own experience?
Stephanie Itimi
Director, Information, Protection and Compliance
Age UK
No for sure, I think, I would just say one of the reasons why we thought that was the best time this year for us to do it is, when we think about cyber security incidents, a lot of it is theory. We have different standardisation that we try to adhere to. It’s very, I wouldn’t say check box exercise but we have procedures and flow charts but we don’t really know how effective those procedures are. And what I really liked about the cyber security incident is that it, not just tests the technology which we can do. And it’s very easy for us to kind of see how robust our technology is with ethical hacking and pen, penetration testing and things like. But you are actually testing your people, your process, your business continuity, um, how effective are those three aspects and at Age UK we’re very, very unique in the sense that we have retail shops as well as admin teams and people working from home. It’s a very complex way than it was many years ago and actually allows us to test how effective our processes, our policies, um, what are the roles and responsibilities and I think what I really liked about it is, it allows the team to put them, put themselves in that scenario, um, almost kind of like a pre-meditated step so that when they do face that, everybody knows exactly what’s expected of them. And that’s what I really liked about it. I think it was effective in letting the team know that an attack can happen at any time. And what I liked about the incident is that, you know, there were curve balls that were thrown at random times and we had to really think on our feet and that allows us to think, okay, um, we haven’t considered this scenario before and now that we’ve encountered it, what do we do because sometimes your processes and procedures are, you are not always going to have a cookie cutter clear case of an incident. It’s going to be messy and mucky and how do you extrapolate and ensure that your team is ready and I think that’s why now is the best time. 
With AI attacks, attacks are becoming more sophisticated, you don’t know when the next attack is going to happen. You don’t know, you might have some assurance when it comes to your technology but are you, do you have assurance when it comes to your team? Do you have assurance when it comes to your procedures and your policies and I think that’s a unique aspect of this exercise, that it allows you to test those. Um, it also gives yourself a bit of assurance because in the exercise there were some things that I, oh actually know more than I thought I did in certain scenarios. So I would definitely recommend it. I think from my experience those were the value that I got from you and that’s why I felt like now was the best time because the attacks are becoming more sophisticated and as organisations are getting more used to AI and things like this, how do we ensure that we are ready for that new change.
Joe Hancock
Partner (non-lawyer)
Mishcon de Reya
No, thank you Steph. And, and you discussed some of the kind of, uh, the benefits there and it would be good to perhaps just dive into that a bit more. I, I always kind of view exercise as a part of resilience rather than kind of risk management. So, you know, resilience is that we’re going to have the problems and yet we’re going to be able to carry on anyway and we’re kind of going to just absorb those problems, deal with them and business is kind of going to continue, um, as opposed to, to it kind of turning into a crisis. That’s business ending or it just be risk management where, you know, we’re trying to maybe prevent something, transfer or do those kind of typical things. And so, if we kind of perhaps carry on in that kind of vein, what, what, what were the real kind of benefits that, that you kind of you, you found you got out of the exercise both, uh, after it had happened?
Stephanie Itimi
Director, Information, Protection and Compliance
Age UK
No for sure. I will, so I will talk a little bit about, I think at the moment it allowed us to think about, did we have clarity on roles and responsibilities, decision making processes. Um, also certain things I didn’t think about. What happens if I’m not in the room, you know, for some reason where is the business continuity. Um, and sometimes as a senior leader, a lot of the, you do a lot of kind of sign off on the decision making, but actually is your team prepared, or are they empowered when you’re not in the room to be able to make those decisions and make them effectively. I think the second thing that, um, was a benefit was actually certain approaches we hadn’t considered and actually being able to, one, give assurance to the Board, but also allowing us to be a bit more strategic to understand where our leakages are. Um, and sometimes you don’t want to know where your leakages are because you want to think that, you know, your security and everything is perfect. But I think for us, it allowed us to identify areas of improvement. Um, and what I really liked about it was it was a great learning tool. It was a great training and I think that aspect is not really highlighted. Um, training tool because, number one, it gives that kind of psychological safety because sometimes when you are under pressure, there’s a lot of human error because you develop anxiety, you don’t want to mess up, you don’t want to make the wrong mistake. But actually being put in those high pressure situations, trains your team to, when they encounter a situation similar to that, for them to be calm, cool and collected. Um, and it’s better than e-learning, because let’s be honest, a lot of people click next, next but does information really, um, have fruit. You know, that’s debatable. But I think it’s a great way that role play for them to put themselves in that, um, position to understand that actually attacks are not always simple. You know, they’re just not always one way. 
You have to be very adaptive in your approach and how you are quick on your feet when you encounter different things. Um, and honestly like now is the 1st October, it’s, you know, um, October’s Cyber Security Awareness month. This is a great time I think to kind of get those exercises and book it in so that you get those training for when there is an incident. Um, but I would say the real benefit was for us to understand what are certain approaches to certain topics, like AI, what is our approaches to certain decision making that we hadn’t considered before. I think a lot of value added for us was because a lot of people in my team are very proactive, there was a lot of duplication, so how do we improve their efficiency so we know who’s doing what at, um, at what given time. And can actually increase our efficiency and the way we respond to this so people are not duplicating work. So, I would say that those are kind of key benefits that we got, but also taking lessons learned from that exercise and improving our strategy for 2026 and ensuring that we’ll make those improvements. And kind of even now adopting an annual exercise where we are able to have those annual simulations but not only having that, bringing senior leaders on board, on board into those simulations so that they have a better understanding because I think it’s very important, especially for leaders in this space. Cyber security is not income generation, um, it’s just not, we don’t do that. But it is a costing thing and I think I think with those exercises, especially when you bring your Board and senior leaders into it, it allows them to see a real value, that this is not a back office exercise, but actually this allows us to make real savings, um, for future attacks or, or even reputational damage. And I think that those were the real value that I got from the exercise process.
Joe Hancock
Partner (non-lawyer)
Mishcon de Reya
Great. Uh, Francisco do you have anything you, you’d like to add?
Francisco Sanches
Cyber Risk Director (non-lawyer)
Mishcon de Reya
Uh, sure. Uh, I think the benefits of offering these types of exercise for organisations are, are very real and immediate. Uh, namely for the first few times they do it. Uh, the, the most common ones of course are, you know, improved reaction speed because teams have rehearsed so they respond much faster when the incident happens. They don’t lose as much time figuring out who does what. They react much more straight away, which makes all the difference at the early stage of containing the incident. Um, it, it brings clarity, you know, exercises make roles and responsibilities much clearer to everybody. It’s just not the IT team, we have HR, we have communications, legal, the board, senior management, and they all need to see how they fit in the response. And that clarity at the end of the day means less confusion and fewer mistakes when the pressure is on. Uh, of course a lot of this helps to build confidence, senior management who have been through a simulation are much calmer during the real thing. They know what to expect, uh, much more. They know how decisions flow and that the organisation has a plan and I think it’s very important that that confidence then filters down and keeps the whole team steady. That’s, that’s key for me. Uh, on the other hand, it raises credibility as well. Externally, it sends a strong signal, you know, uh, regulators should be able to say to them that we are resilient or more resilient because we have run incident exercises. We have tested our response. That gives you credibility and builds trust. And, uh, I, I’ll add one more, the continuous improvement aspect to it. You know, so every exercise uncovers lessons and opportunities to tighten processes, improve them, apply playbooks, uh, it strengthens collaboration across the team and teams also change new members so it’s good to run it and practice it with all of them. That means you effectively come out stronger each time. So I think that, that’s quite positive actually for organisations.
Joe Hancock
Partner (non-lawyer)
Mishcon de Reya
Yes thanks, Francisco. Do you know what, why don’t we just talk about the kind of practicalities, uh, of an exercise now and Steph, I just kind of come to you. You, you, you’ve been through all these, these exercises with our team. What, what was it like in practice?
Stephanie Itimi
Director, Information, Protection and Compliance
Age UK
I think what was quite eye opening, eye opening in the element that sometimes I, I think by us going through and the team going through the exercise is that we realised that we didn’t have to do a lot of things on our own. So, you have things like your cyber insurance and your second line of, um, defence, which in our case is Mishcon and even thinking about in those critical different moments, when do you bring the external in. I think that was quite eye opening for us. Um, I think also understanding how things like small delays and even testing our assumptions can snowball into bigger risk. And how we didn’t consider that in certain elements. And actually I was surprised by how much, um, challenge and non-technical aspect because I think sometimes we can be quite focussed on the technical aspect, but things like decision making flows, um, prioritisation, especially when you’re under pressure and having those strong comms, whether it is internal and external and working with the comms team in a more, um, in-depth way. I think that was quite eye opening for us. But I liked, um, the fact that the curve balls, we didn’t know what was going to happen next. Um, and I think that element of surprise and understanding that in the wild you wouldn’t know what happened next and sometimes you wouldn’t even have the full information for you to make a sound judgment. Um, and understanding that with these exercises, not to catch out, there’s no right or wrong answer, but it’s understanding that whatever decisions you make, do you understand the pros and cons and the consequence of that action. I think that was quite helpful for the team and even strengthening your decision making processes, um, under pressure on what decisions they need to make at a certain time but also considering certain elements that they may have not considered, um, during different parts of the exercise. But so, I would say it was eye opening.
Um, definitely I think roles and responsibilities is one of the major things that came out and how do we make that, um, process a little bit more efficient was one of my biggest things. But I’ll say with the, with the exercise at first I didn’t know what to expect, um, because you, you do attend some of these type of exercises and like events and things and they tend to be quite smaller. But I would say what I liked with the Mishcon one was that it was quite in-depth, um, even though it was like three hours there were so many things coming at your way, it’s like you had to catch your breath at some points as well as seeing how you’re going to respond to it. So I really liked how in detail, um, the cyber exercise was and allowing us to actually think when we do face certain scenarios, do we on the, do we have enough board level and senior leadership support for us to make those decisions. So now I think I might discuss it just later and we have now taken certain steps after that, um, to kind of improve our processes, which I am really excited about.
Joe Hancock
Partner (non-lawyer)
Mishcon de Reya
Uh, great. And Francisco, perhaps could you, could you just comment perhaps around the kind of like the, the practicalities, um, in terms of kind of, you know, what, what an exercise can look like from, from the delivery team’s perspective.
Francisco Sanches
Cyber Risk Director (non-lawyer)
Mishcon de Reya
Uh, sure. So we, in, in the background, we try to draft a scenario that, like I say, is fit for the client and that it’s mapped out against real, um, acting and as non parties that could attack the organisation and using real, uh, uh, real techniques. And we’ll be mapping them all, all against that so that the team then has the technical report as well showing them how the things might have happened on the technical side behind them. Uh, but to build all that story, uh, just to better prepare for the, the client to face it, uh, we want to make sure that on the client side we have all the right roles because we’ll be asking questions of different areas and different expertise might need to be involved. Sometimes people, for instance, are attending throughout the exercise. Other times we do it with the client that when the time is right, they will reach out to whatever party and they will make themselves available to support them at that step to make it as realistic as the client wants, uh, to handle the situation. And, uh, for me that, that’s quite interesting because it makes every exercise different from the next and to play all around those things. So we really adapt to the client, to their reality and, and, and what’s realistic and important for them, uh, to assess during an incident.
Joe Hancock
Partner (non-lawyer)
Mishcon de Reya
Thank you. No, that’s great. Uh, and, and I’m just quickly, we, we, we’ve got a question that I thought it might just be worth us answering here, uh, Francisco and carry on. It says, for SMEs without a cyber incident plan in place, does a cyber 18.51, are still worthwhile or would resources be better spent creating a plan first? So, Francisco, perhaps if you could…
Francisco Sanches
Cyber Risk Director (non-lawyer)
Mishcon de Reya
Yeah, yeah, that’s a very good question. And we get that question quite frequently and as usual the most common question we, uh, the most common answer would be it depends. Now there’s pros and cons with that. You might say, we don’t have a plan we might as well just draft our 19.13 response and prepare for that and then test it. That’s true. On the other hand, an accident, an incident will not wait for you to have a plan in place. So you might as well just test your common sense and say, this happened, how are you going to deal with it? And some companies prefer to do it like that, to assess what they would do with it. And out of that, then they, they design their plans around it and what they learn from the experience itself. So you can do it actually both ways.
Stephanie Itimi
Director, Information, Protection and Compliance
Age UK
It’s a good…
Joe Hancock
Partner (non-lawyer)
Mishcon de Reya
Yes, Steph, please, please, yeah. Yeah, come in that would be great.
Stephanie Itimi
Director, Information, Protection and Compliance
Age UK
I was going to say actually, um, I would recommend it because you can’t protect what you don’t know. Um, and I think the exercise is a great identification of areas in your business that are lacking, whether it’s your procedure or whether it’s you don’t have certain people in place with those expertise, it takes you through it so that if you ever encounter those situations, you are in a better position to be prepared. So even if you don’t have policies, procedures, a staff member in place, by understanding how an attack works and the different processes and how it can build up or progress, uh, or snowball into a bigger risk, I think having that information lets you then work backwards and then start thinking of areas where you can improve. And actually it allows you to have a better plan because you’ve been able to identify all the risks within your business and it also allows your organisation to have a better understanding of those processes, of, of things. Because with SMEs, let’s be honest, you’re a small business. You’re not thinking about cyber security. Mostly you’re thinking about how to make it profitable and how to ensure the processes are going. But actually by doing this allows you to then think about it in a more concrete way. So I would say it’s great, one for training but also it allows you to have that identification to know what to protect.
Joe Hancock
Partner (non-lawyer)
Mishcon de Reya
Yeah, thanks Steph. From my experience, I mean, the two ways to approach it, right. You can do kind of mini exercise, improved plan, full exercise or sometimes, you know, if, if you want to invest the time in a plan, you can then focus on testing the plan itself. Um, but the one thing I would always say is like, don’t go from nothing to a major cyber incident exercise because you probably already know the answers that the exercise will, will show you is that if there’s nothing in place, there’s nothing in place. So you, you always need something. Great, uh, if there’s I think there actually might be, uh, another couple of questions. So, um, a question, actually very useful because this is what I was just going to come on to. Um, could we describe a bit more about the structure of the three hour session. What platform do you use, is it presented for a slide deck. So, uh, again, happy for you, you both to talk through kind of, uh, the, the exercise perhaps again. Steph, why don’t I talk to you based on kind of your experience of being on the receiving end of it and then Francisco, maybe you could, you could perhaps talk about how the kind of practicalities of how things are structured and the different types of exercise.
Stephanie Itimi
Director, Information, Protection and Compliance
Age UK
No worries. So I think, um, for us, what happened was we had an initial meeting to say, um, what we wanted and I think there were a couple of questions, um, that he asked about our organisation. And then we had to have a nominated person that would work with Mishcon to kind of get, um, information and roles, responsibility, who’s responsible for what, um, kind of like what our technology system looks like and things like that to a, in a high level, um, perspective. And that individual was responsible for being the main contact between us and Mishcon to ensure that they provide enough information for Mishcon to be able to create this pack. Now, nobody else within the organisation had that information, just Mishcon and the point of contact. Um, and also with, with that, um, so we had our project manager do, be our point of contact because she had a bit of an understanding of who was responsible, responsible but also was a little bit far back, um, from the process. So that was quite nice. Um, and then after that during the session we had a slide deck but also we said which stakeholders we needed. So we had people from our tech team and, and different aspects that we felt would benefit from the session. Um, and then there were slide decks both for, because we had a hybrid approach, so this is good for those who might have more of a hybrid team. So we had some people, um, dialling in and some people in office. And then we went through a series of slide decks and a series of scenarios. Um, and it started off light, um, with limited information of you discovered this and then it was slowly building up, building up and building up. Um, and actually there were questions as to what would you do in this particular, um, scenario. And then we had to discuss through it, um, highlighting what was our, um, incident response plan, things we had in place. Who’d be responsible for what, how we’d make the decision. So it was very kind of in the moment, what would you do.
Um, but I think, like I said, I really liked the curve balls because it was really throwing the team off, um, because there were different things that you didn’t consider and then so many, um, factors to take in place. So I think for us, that’s kind of how it progressed for those three hours. Um, obviously there were breaks because people get tired, so it wasn’t just a full, um, three hours, but it was, it was, again, it was very helpful. So it was slide deck and asking us questions and I think at the end, um, there were a bit more questions for us to think about. You know, we then discussed how we felt about the, um, exercise and what value each person within the team got from the exercise. And I think that was also very helpful, um, of our peer learning as well because we’re able to quickly identify the gaps even before we got the report, which was also quite helpful for us.
Francisco Sanches
Cyber Risk Director (non-lawyer)
Mishcon de Reya
Right, so quickly just summarise.
Joe Hancock
Partner (non-lawyer)
Mishcon de Reya
Thanks Steph. And Francisco just aware, just aware of time, um, perhaps could you, could you give a one minute perhaps on the other types of exercise? So the, um, how kind of like, the non slide deck or more kind of operational exercises work but also please carry on because I, I am aware of…
Francisco Sanches
Cyber Risk Director (non-lawyer)
Mishcon de Reya
So we try to get everyone physically in the same room just to facilitate communications, but we also work with remote people joining through Teams or Zoom calls, uh, as needed. Uh, the scenario is presented through what we call information injects. We say this happened and then we facilitate a discussion, uh, among everybody. We draft artefacts as needed to support. Like for instance, there’s a log or, or a, or an email, or a report that we need to present to the people attending to help them react. Uh, we also request a place where people can kind of draft a timeline and take notes so that we can follow up on where we are with these steps. On a more technical front, we would simulate and for instance, send the artefacts, uh, directly to the IT teams, to the right people for them to open on their own device, their systems and, and react to that. Uh, a bit of an overlap, like a blue team exercise for the more techy, uh, out there.
Joe Hancock
Partner (non-lawyer)
Mishcon de Reya
No thank you. Unfortunately, we have reached our, uh, end of our allotted time, which is always disappointing. So I always feel we have more questions to answer. So another couple of questions came through. I will, uh, respond where people have identified themselves. If, if you are anonymous, uh, I will try my best. Um, just to thank Steph and Francisco. Thank you so much for your insights today, uh, and Steph, thank you again for, uh, sharing how your exercise went. It’s lovely to speak to both of you. Uh, and again, so a recording will be sent out of the Digital Fortress session, uh, before Christmas, topic soon to be announced. Take care everyone. Speak soon.