A cybersecurity tabletop exercise is a moderated, conversation-driven walk-through of a realistic incident. There is no live attack, no system manipulation, no production impact — just the people who would make decisions during a real incident, in a room, working through a scenario. For Malaysian organisations subject to BNM RMiT, the Cyber Security Act 2024 or PDPA 2024, tabletop exercises are one of the most cost-effective ways to evidence preparedness.
Below are ten scenarios we run for Malaysian clients. Each is calibrated to the local regulatory environment and to the kind of attacker activity actually targeting Malaysian sectors in the past 24 months. Pick two or three per year, mix sectors, and rotate the executives who attend.
Ransomware in retail banking core
Setup: At 03:00 local time, file shares on the retail banking core-app servers begin returning .locked extensions and a ransom note demanding 50 BTC. ATM authorisation latency triples and online banking starts timing out.
Departments to involve: CISO, Head of IT Operations, BCM Lead, Group Risk, Legal, Communications, BNM regulatory liaison.
Deliverable: Decision log on isolation versus continued operation, BNM RMiT major-incident notification timing test (paragraph 10.71), and a measured time-to-board-escalation.
Insider data theft — quitting employee
Setup: Two days after submitting resignation, a senior analyst in the credit team performs an unusually large export from the data warehouse to personal cloud storage just before their access is due to be revoked.
Departments to involve: CISO, HR, Legal (PDPA officer), Data Owner, SOC, Privileged Access Manager.
Deliverable: Test of the leaver process, of DLP detection, of preservation of digital evidence for potential PDPA notification, and of the joint HR-and-Security disciplinary pathway.
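The DLP-detection part of this scenario can be rehearsed against the actual export log before the drill. The following is an added example, not the firm's own tooling: it assumes a constructed warehouse export audit log, a constructed HR leaver list, and an allow-list of corporate destinations, and flags a pending leaver's exports that dwarf their own pre-notice baseline or go somewhere non-corporate.

```python
from datetime import date, timedelta
from statistics import mean

# Destinations the warehouse export job is allowed to write to (constructed names).
CORPORATE_DESTINATIONS = {"corp-share", "reporting-bi"}

# Constructed rows from the data-warehouse export audit log: (date, user, megabytes, destination).
# analyst.k exports roughly 40 MB a day to the BI platform, then makes a 9 GB pull to
# personal cloud storage two days before access revocation.
SAMPLE_EXPORTS = [
    *[(date(2025, 2, 1) + timedelta(days=i), "analyst.k", 40, "reporting-bi") for i in range(28)],
    (date(2025, 3, 6), "analyst.k", 35, "reporting-bi"),
    (date(2025, 3, 8), "analyst.k", 9200, "personal-cloud"),
    (date(2025, 3, 8), "analyst.m", 50, "reporting-bi"),
]
# Constructed HR leaver list: user -> date their access is scheduled to be revoked.
SAMPLE_LEAVERS = {"analyst.k": date(2025, 3, 10)}

def leaver_export_alerts(exports, leavers, notice_days=14, ratio=5.0):
    """Review every export made by a pending leaver during their notice window.
    Alert when volume exceeds ratio x the user's own pre-notice daily average,
    or when the destination is outside the corporate allow-list."""
    alerts = []
    for user, revoke_on in leavers.items():
        notice_start = revoke_on - timedelta(days=notice_days)
        rows = [r for r in exports if r[1] == user]
        history = [mb for d, _, mb, _ in rows if d < notice_start]
        baseline = mean(history) if history else 0.0   # no history: only the destination rule applies
        for d, _, mb, dest in rows:
            if d < notice_start:
                continue
            reasons = []
            if baseline and mb > ratio * baseline:
                reasons.append(f"{mb} MB is {mb / baseline:.0f}x the pre-notice daily baseline")
            if dest not in CORPORATE_DESTINATIONS:
                reasons.append(f"export to non-corporate destination '{dest}'")
            if reasons:
                alerts.append({"user": user, "date": d.isoformat(),
                               "days_to_revocation": (revoke_on - d).days, "reasons": reasons})
    return alerts
```

A leaver with no pre-notice history gets no volume baseline, so only the destination rule fires for them; the drill should surface whether the real DLP tooling has the same blind spot.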
Vendor compromise — supply-chain breach
Setup: A Tier-1 IT outsourcing partner notifies you that their internal Jira and source-code repositories have been accessed by an unauthorised party. Your firm's deployment credentials and customer-data extracts are on that platform.
Departments to involve: CISO, Third-Party Risk, Procurement, Legal, Data Protection Officer, affected business units.
Deliverable: Vendor contract clause review, joint forensic-response protocol test, customer notification draft, and BNM RMiT outsourcing-incident reporting walkthrough.
BNM RMiT major-incident drill
Setup: A confirmed cyber incident impacts a critical system as defined under RMiT. The 10.71 clock starts: regulatory notification to BNM must be made within the prescribed timeframe; periodic updates must follow.
Departments to involve: CISO, CRO, CEO, Company Secretary, Legal, BCM Lead, Communications.
Deliverable: Stopwatch test of the BNM notification pathway, board-risk-committee briefing pack, customer-comms template, and post-incident root-cause submission process.
Ministry / GLC sensitive data breach
Setup: A ministry or GLC discovers that sensitive citizen records hosted in its cloud tenancy have been exfiltrated via a misconfigured storage bucket. Media enquiries begin within hours.
Departments to involve: CIO, CISO, MAMPU / agency liaison, NACSA reporting officer, Legal, Communications, Minister's office advisor.
Deliverable: Cyber Security Act 2024 §22 incident-reporting test, NACSA notification pack, PDPA breach-notification draft, and the public-statement decision tree.
Telco BGP hijack and routing incident
Setup: An unauthorised BGP advertisement causes a portion of your mobile data and SMS-OTP traffic to be redirected through an unfamiliar autonomous system for 18 minutes.
Departments to involve: Network Operations, CISO, Fraud, MCMC regulatory liaison, Customer Care, Banking partner relationship managers.
Deliverable: Detection-time measurement, traffic-engineering remediation playbook, fraud-correlation between OTP and account-takeover events, and MCMC notification walkthrough.
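The detection-time measurement in this scenario needs something concrete to score against. The following is an added example, not part of the original article or any operator's tooling: it assumes a constructed expected-origin table (standing in for ROAs or an internal route registry), a constructed route-collector feed with an 18-minute more-specific hijack, and a SOC detection timestamp taken from the scribe log, then reports the alarms, hijack duration and detection latency.

```python
from datetime import datetime
from ipaddress import ip_network

# Constructed expected-origin table (what a ROA set or internal route registry would
# hold). Prefixes are documentation ranges and the AS numbers are private, made-up ones.
EXPECTED_ORIGIN = {
    ip_network("203.0.113.0/24"): 64500,   # mobile data and SMS-OTP gateway range
    ip_network("198.51.100.0/24"): 64500,
}

def classify_announcement(prefix, origin_as):
    """Return an alarm reason if this (prefix, origin AS) pair is suspect, else None."""
    net = ip_network(prefix)
    for ours, allowed in EXPECTED_ORIGIN.items():
        if net == ours and origin_as != allowed:
            return f"origin hijack of {prefix} by AS{origin_as} (expected AS{allowed})"
        if net != ours and net.subnet_of(ours) and origin_as != allowed:
            # A more-specific prefix wins in every router's table, whoever originates it.
            return f"more-specific hijack {prefix} within {ours} by AS{origin_as}"
    return None

def analyse_feed(updates, detected_at):
    """updates: (iso_time, 'A'|'W', prefix, origin_as) tuples from a route collector;
    detected_at: ISO time the SOC first raised the alarm (from the scribe log).
    Returns alarms plus hijack duration and detection latency in minutes."""
    alarms, first_bad, last_bad_withdrawn = [], None, None
    for ts, action, prefix, origin_as in updates:
        reason = classify_announcement(prefix, origin_as)
        if reason is None:
            continue
        t = datetime.fromisoformat(ts)
        if action == "W":
            last_bad_withdrawn = t
        else:
            alarms.append((ts, reason))
            first_bad = first_bad if first_bad is not None else t
    def minutes(later, earlier):
        return (later - earlier).total_seconds() / 60
    duration = minutes(last_bad_withdrawn, first_bad) if first_bad and last_bad_withdrawn else None
    latency = minutes(datetime.fromisoformat(detected_at), first_bad) if first_bad else None
    return {"alarms": alarms, "hijack_minutes": duration, "detection_latency_minutes": latency}

# Constructed route-collector feed for the drill: a legitimate announcement, then an
# 18-minute more-specific hijack from an unfamiliar AS, then its withdrawal.
SAMPLE_FEED = [
    ("2025-03-01T09:55:00", "A", "203.0.113.0/24", 64500),
    ("2025-03-01T10:00:00", "A", "203.0.113.0/25", 65010),
    ("2025-03-01T10:18:00", "W", "203.0.113.0/25", 65010),
]
```

Real BGP withdrawals do not carry an origin AS; the constructed feed tags them so the withdrawal can be matched to the earlier bad announcement without a second lookup.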
Healthcare ransomware with PDPA implications
Setup: Encryption begins spreading across hospital information systems on a Friday afternoon. Patient records, scheduling and pharmacy dispensing are affected. Personal health data is in scope.
Departments to involve: Hospital CEO, CMIO, CISO, Data Protection Officer, MOH liaison, Legal, Communications.
Deliverable: Clinical-safety prioritisation, PDPA breach-notification timing under the 2024 amendments, NACSA NCII reporting under Act 854, and ethical decision on ransom payment.
E-commerce payment-card fraud spike
Setup: Card schemes alert you to a Common Point of Purchase pattern: cards used at your e-commerce checkout in the prior 30 days are appearing on carding markets. PCI DSS forensic obligations may trigger.
Departments to involve: CISO, Head of Payments, Fraud, Acquirer relationship, PCI Internal Security Assessor, Communications.
Deliverable: PFI engagement decision, evidence preservation, customer-comms approval flow, and remediation-plan test for PCI DSS v4.0.1 Requirements 6 and 11.
Executive whaling and wire-fraud attempt
Setup: Finance receives a convincingly worded email from the CFO authorising an urgent international wire transfer to a new beneficiary. The CFO is on a flight and unreachable. The amount is just under the dual-approval threshold.
Departments to involve: Finance, Treasury, CISO, HR, Legal, Bank relationship managers.
Deliverable: Out-of-band verification protocol test, segregation-of-duties review, awareness-training gap analysis, and email-security control validation.
ICS plant compromise — manufacturing OT
Setup: Operators at a Malaysian manufacturing plant report unexpected setpoint changes on the HMI. The plant historian shows write commands from an engineering workstation outside normal change windows.
Departments to involve: Plant Manager, OT Security Lead, IT CISO, Process Safety Officer, Insurer, MITI / sectoral regulator liaison.
Deliverable: Safe-state shutdown decision tree, IT/OT segmentation validation, Purdue-model boundary review, and joint IT-OT forensic playbook.
How to run these effectively
A tabletop is worth running only if it produces decisions, gaps and assigned remediation. Set a scribe, agree the scope at the top, time-box each inject, and finish with a written gap log signed by the senior-most attendee. Repeat the same scenario annually with a tougher inject pattern; the value is in the delta. For RMiT-regulated entities, file the scenario, attendance list, gap log and remediation plan in your control evidence library — examiners will ask for it.
We facilitate full-day tabletops, half-day sector-specific drills and short crisis-simulation injects against your existing playbook. See our tabletop exercise service for delivery formats, or incident response if you also need on-retainer responders.
Related reading: What is a Cybersecurity Tabletop Exercise?