The Cyber Drill Evidence Problem
Cyber drill exercises are a regulatory checkbox that most organizations complete without extracting real value. The typical pattern: the CISO gathers a room of people, presents a scenario ("imagine we have a ransomware incident"), discusses responses for 60 minutes, and produces a one-page summary. SEBI gets a compliance tick. Nobody learns anything. Nobody's response capability actually improves.
Analysis of cyber drill documentation across 100 SEBI-regulated entities reveals that 76% of tabletop exercises produce no actionable findings. The drill reports are generic ("communication needs improvement"), unspecific ("incident response plan should be updated"), and untracked ("action items were identified"). This is compliance theater that satisfies neither regulatory intent nor organizational need.
The problem isn't the exercise format; tabletop exercises are a legitimate and effective testing methodology. The problem is design, facilitation, and evidence capture. A well-designed tabletop exercise can expose critical response gaps, validate communication chains, and produce evidence that withstands SEBI inspection scrutiny.
What SEBI and CERT-In Actually Expect
SEBI CSCRF ID.5: Cyber Drill Requirements
ID.5 requires regulated entities to conduct cyber security drills that:
- Simulate realistic threat scenarios relevant to the entity's operations
- Test the incident response plan and communication procedures
- Involve all relevant stakeholders (not just the security team)
- Produce documented findings with remediation plans
- Demonstrate improvement over successive drill cycles
CERT-In Expectations
CERT-In conducts national-level cyber drills and expects participating organizations to:
- Maintain readiness for national drill participation
- Have internal drill programs that complement national exercises
- Document drill results and share learnings through sector ISACs
- Demonstrate CERT-In 6-hour reporting capability during drills
Designing Effective Tabletop Exercises
Scenario Design Principles
The scenario makes or breaks the exercise. Effective scenarios are:
- Realistic: Based on actual threat intelligence relevant to your sector. For capital markets: trading system compromise, data exfiltration of investor data, DDoS during market hours, ransomware targeting clearing systems
- Progressive: The scenario unfolds in stages (injects), each introducing new information that requires decisions. Stage 1: initial detection. Stage 2: scope expansion. Stage 3: business impact. Stage 4: regulatory and media attention. Stage 5: recovery decisions
- Ambiguous: Real incidents don't come with clear labels. The scenario should force participants to make decisions with incomplete information, just like a real incident
- Multi-dimensional: Test technical response, management decision-making, communication, regulatory reporting, and business continuity simultaneously
Participant Selection
The biggest tabletop mistake is limiting participation to the security team. Effective exercises include:
- CISO and security team: Technical response and coordination
- IT operations: System recovery and infrastructure response
- Business unit heads: Impact assessment and business continuity decisions
- Legal/compliance: Regulatory reporting and legal obligations
- Communications: Media handling and stakeholder communication
- Senior management: Strategic decisions, resource allocation, regulatory escalation
Exercise Structure: The 90-Minute Format
- Minutes 0-5, context setting: Exercise rules, objectives, and scenario introduction
- Minutes 5-20, Inject 1: Initial incident detection. Questions: What happened? How do we classify this? Who do we notify?
- Minutes 20-35, Inject 2: Scope expansion. The incident is bigger than initially thought. Questions: What's the impact? Do we invoke BCP? Do we report to CERT-In?
- Minutes 35-50, Inject 3: Business impact materializes. Customer data may be affected. Media inquiries begin. Questions: Do we notify customers? What do we tell the exchange? How do we communicate internally?
- Minutes 50-65, Inject 4: Recovery decisions. Containment is achieved. Questions: How do we recover? What's the RTO? Who authorizes production resumption?
- Minutes 65-80, Inject 5: Post-incident. Incident is resolved. Questions: What do we report to SEBI? What are the lessons learned? What changes do we need to make?
- Minutes 80-90, hot wash: Immediate debrief. Key observations, biggest surprises, immediate action items
"Our first structured tabletop exposed that our CERT-In reporting process had never been tested. Nobody on the team actually knew the reporting format, the submission portal, or who was authorized to submit. We discovered this during a drill, not during a real incident. That's the entire point."
CISO, Depository Participant and Clearing Member
Evidence Capture: The Audit-Grade Drill Report
The drill report is the compliance evidence artifact. It must contain:
- Exercise metadata: Date, duration, scenario type, facilitator, participants (with roles)
- Scenario description: Full scenario with all injects documented
- Response decisions: For each inject, what decisions were made, by whom, and the rationale
- Findings: Specific, actionable findings. Not "communication needs improvement" but "notification to exchange operations took 45 minutes vs the 15-minute target because the contact list was outdated"
- Action items: Each finding mapped to a specific remediation action, owner, and deadline
- Improvement tracking: Link to previous drill findings that were addressed, demonstrating improvement over time
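As an added example (not part of the original article or of the toolkit it describes), a small Python checker that tests a drill report against the evidence criteria listed above: cross-functional roles present, findings that are specific rather than generic, an owned action item with a deadline for every finding, a CERT-In reporting decision recorded within 6 hours of the detection inject, and a closure rate for the previous cycle's action items as the improvement metric. The data model, the generic-phrase list and the role names are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

GENERIC_PHRASES = ("needs improvement", "should be updated", "were identified")  # assumed markers
REQUIRED_ROLES = ("Legal/compliance", "Business unit head", "Senior management")

@dataclass
class Finding:
    id: str
    text: str          # must state the observation and the target it missed

@dataclass
class ActionItem:
    finding_id: str
    action: str
    owner: str
    deadline: datetime
    closed: bool = False

@dataclass
class DrillReport:
    date: datetime
    scenario: str
    participants: dict                        # name -> role
    findings: list
    actions: list
    detection_at: datetime                    # exercise-clock time of Inject 1
    certin_decision_at: Optional[datetime] = None  # when CERT-In reporting was decided

def audit_issues(report: DrillReport) -> list:
    """Reasons the report is compliance theater rather than audit-grade evidence."""
    issues = []
    roles = set(report.participants.values())
    issues += [f"missing stakeholder role: {r}" for r in REQUIRED_ROLES if r not in roles]
    owned = {a.finding_id for a in report.actions}
    for f in report.findings:
        if any(p in f.text.lower() for p in GENERIC_PHRASES):
            issues.append(f"{f.id}: generic finding, no measurable observation")
        if f.id not in owned:
            issues.append(f"{f.id}: no action item with owner and deadline")
    if report.certin_decision_at is None:
        issues.append("CERT-In reporting decision never recorded")
    elif report.certin_decision_at - report.detection_at > timedelta(hours=6):
        issues.append("CERT-In 6-hour reporting window missed")
    return issues

def closure_rate(prior_actions: list) -> float:
    """Drill-over-drill improvement: share of the previous cycle's action items closed."""
    return sum(a.closed for a in prior_actions) / len(prior_actions) if prior_actions else 1.0
```

An empty issue list for the current report, together with a rising closure rate on the prior cycle's action items, is the shape of evidence the report section above asks for.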
Before: Compliance Theater
- Annual drill with only the security team
- Generic scenario: "imagine a ransomware attack"
- Unstructured discussion for 60 minutes
- One-page summary with generic findings
- No action items tracked to closure
- No improvement visible across drill cycles
After: Evidence-Grade Drills
- Semi-annual drills with cross-functional participation
- Sector-specific scenarios with progressive injects
- Structured 90-minute format with facilitation
- Detailed findings report with specific observations
- Action items assigned, tracked, and verified
- Drill-over-drill improvement demonstrated to SEBI
Board Investment Case: CyberDrill Program
CyberDrill Simulator: Practitioner Toolkit
Pre-built scenario library with Indian regulatory context, structured exercise facilitation, real-time participant response capture, automated findings reports, and action item tracking across drill cycles for SEBI ID.5 compliance.