Crisis Exercising Programme with Asia Pacific Insurer

This client is one of the world’s leading life insurers and a multinational provider of insurance and financial services, serving over 40 million policyholders across more than 18 Asia-Pacific markets. They offer a wide range of products, including life insurance, accident and health coverage, and savings plans, serving both individual and corporate clients.

Cybersecurity is vital for this life insurer as they handle sensitive personal and financial data, rely on digital systems for core operations, and are subject to strict compliance obligations. A cyber incident could disrupt services, damage customer trust, and lead to severe financial and reputational loss. 

The client aimed to strengthen their ability to respond swiftly and effectively to cyber threats, minimise operational disruption, and improve overall incident and crisis management. To achieve this, they engaged Beyond Blue to conduct remote tabletop crisis exercises across multiple global office locations.

Despite this, they faced a number of challenges, including enhancing coordination among teams during incidents, particularly around roles, responsibilities, and decision-making processes. They also had issues reviewing and improving communication strategies with stakeholders and customers during crises, as well as identifying gaps and opportunities for improvement within existing policies and procedural documentation.

To gain a comprehensive understanding of the organisation’s cyber landscape and business functions, Beyond Blue conducted stakeholder interviews and reviewed technical architecture diagrams. This process identified the most plausible and high-impact scenarios, tailored to the client's environment, which were then used to design realistic and targeted tabletop exercises.

• Assessment and Simulation: Beyond Blue assessed the challenge by exploring a range of disruptive cyber-attack scenarios, including denial-of-service attacks, fraud, data breaches, and ransomware incidents. The simulation injects were customised to reflect the organisation’s operations and regional context, and explored critical areas including incident activation, internal and external communications, information management, regulatory and law enforcement engagement, customer impact and response strategies, ransomware policies, service recovery prioritisation, and strategic decision-making. The 3–4-hour exercises were developed in close collaboration with local teams to accurately reflect the organisation’s critical business lines, system architecture, and established crisis and incident management protocols. Beyond Blue co-facilitated the sessions using a hybrid delivery model, aligning with contemporary workplace practices and enabling realistic, scenario-based engagement. The facilitation approach was structured to empower the Executive Comittee to take the lead, with supplementary information provided to key participants to support decision-making.
  ‍
• Conclusion: After the exercise, a hot debrief was conducted, during which anonymous real-time feedback was gathered via Mentimeter. This allowed participants to reflect on key learnings and identify areas for improvement in their response. A roundtable discussion followed, providing an open forum for people to review the anonymous insights and share additional observations and feedback.
  ‍
• Reporting: The reporting process began with a debrief session involving facilitators and the project team to review initial findings. This was followed by a detailed report for each exercise, outlining key observations, sector best practices, and tailored recommendations to enhance organisational resilience. Additionally, a consolidated report was produced, capturing thematic insights and strategic recommendations across all exercises and participating entities.

The tabletop exercises were very well received by the client and proved highly effective in surfacing critical areas of focus during a cyber incident. The sessions highlighted several key dimensions of incident response, including customer impact, internal and external communications, stakeholder engagement, operational disruptions, technical recovery processes, the prioritisation of response and recovery actions, and effective decision-making under pressure.

Through the collaborative nature of the exercises, teams were able to reflect on how they functioned collectively during a simulated crisis. This fostered a shared understanding of existing strengths, particularly in coordination and responsiveness, as well as identified opportunities for improvement in various aspects of their response approach.

The exercises reinforced the vital role of the Group in leading and guiding during certain types of incidents, particularly those governed by overarching policies such as the Group’s ransomware policy and standard runbooks. This recognition underscored the need for a clearer definition of responsibilities and escalation protocols between Group and local entities.

As a direct outcome of the insights gained, local teams have launched a series of initiatives aimed at enhancing ransomware preparedness and recovery capabilities. These include strengthening technical playbooks, improving team readiness, and refining communication and escalation procedures. More broadly, the exercise prompted updates and enhancements to the organisation’s overall incident and crisis management framework, helping to build a more resilient and coordinated response structure across the global business.