
Boardroom breach: chaos meets reality

by Mark Rowe

The time is 10.30am on Thursday. An anonymous hacker collective has just sent a chilling video to an international charity, demanding millions of pounds. On any other day, this would be a nightmare. Today, it’s a simulation.

Welcome to Halycon Haven Trust’s cyber crisis simulation – an immersive, high-stakes exercise hosted by law firm Shakespeare Martineau, cyber security consultancy CSS Assure and the PrivacyRules alliance, powered by Polpeo’s platform. In Colmore Square in Birmingham city centre, executives, lawyers and IT professionals have gathered to experience the full weight of a breach as if it were real. Why have they done that? Ransomware is relentless. Every 11 seconds, a business suffers a cyber attack. And globally, more than 60 per cent of small and medium enterprises that experience a serious incident shutter within six months.

With organisations under constant threat anywhere in the world, and for a plurality of unforeseeable reasons, practice in this arena isn’t optional – it’s survival.

Stepping into the fire

Participants are split into four teams representing the fictional global charity Halycon Haven Trust’s leadership structure, including board members, IT specialists, legal counsel, finance directors and communications professionals – many operating outside their usual day-to-day roles. What unfolds next is deliberately unpredictable.

Unlike traditional table-top exercises where participants discuss a hypothetical scenario around a boardroom table, this simulation places teams directly inside a rapidly evolving cyber crisis. Alerts arrive in real time, new developments appear without warning and information is incomplete.

Participants must interpret fragments of information, weigh competing risks, and make decisions that could have significant legal, financial and reputational consequences. In most of these real-life crises, business continuity is at stake. External scrutiny builds quickly, internal systems begin to falter, and stakeholders demand answers at such a pace that c-suites wonder if clients and investors will still be with the company as the news of the attack spreads.

What begins as a technical issue rapidly expands into something far broader – touching communications, governance, regulatory responsibilities and organisational leadership. The exercise is designed to challenge not only technical knowledge but also judgement, collaboration and resilience under pressure.

The pressure cooker

For a few intense hours, leaders find themselves confronting an evolving cyber storm. Some details turn out to be misleading, others raise new questions and each decision influences what happens next. The pressure is deliberate. In the real world, cyber incidents rarely unfold in tidy stages and leaders rarely have the luxury of perfect information.

Participants must quickly establish priorities, assign responsibilities and maintain clear communication across the organisation. The challenge is not simply technical response but coordinated decision making and crisis management.

As the hours pass, conversations sharpen and choices are made faster as teams adapt, adjust and sometimes rethink their strategies entirely. What emerges is a powerful reminder that cyber crises are not just IT problems – they are organisational calamities.

Lessons from the simulation

The post-simulation debrief – guided by the experienced, multi-disciplinary facilitators that support and monitor the unfolding of the exercise – reveals just how unforgiving modern cyber crises can be, and how and where to best strategise readiness. One of the clearest lessons is the importance of decision-making under uncertainty. Waiting for perfect clarity is rarely an option; leaders must act quickly while the situation continues to evolve.

Communication also proves critical. In a real cyber crisis, employees, customers, partners, investors, regulators and the media all expect timely and accurate information, making the balance between transparency and caution a delicate task. The exercise reinforces that cyber resilience is not confined to technical teams. Legal advisers, communications specialists, senior executives and operational leaders all play essential roles in managing the wider consequences of an incident.

Perhaps the most significant takeaway is the value of immersive preparation. Traditional exercises remain useful for discussing procedures but they cannot fully replicate the pace, pressure and unpredictability of a real attack. By contrast, the immersive PrivacyRules simulation with its team of talented specialists exposes leaders to the emotional and operational realities of crisis decision making and stress-tests what organisations have conceived at times of peace.

A new reality

By the end of the simulation, exhaustion is universal. Teams have experienced the confusion, fear and rapid decision-making of a real cyber attack in compressed time.

Facilitators have observed, noted and reported on assessed strengths and weaknesses to help players focus on where and how improvement can be the winning card when a crisis really hits the real-life fan. Simulations like this are the closest organisations can come to fire without being burned. They allow teams to rehearse high-stakes decision-making, identify gaps in planning and build resilience across every layer of the business.

In a world where cyber attacks increase, preparation is no longer theoretical. For organisations, a cyber crisis is not a question of if – but when.
