§ I — The room
A trusted hand, a quiet exit.
The fictional client — call them Meridian Holdings — was nineteen days from closing the largest acquisition in their history. The target was a mid-market competitor in regulated financial services. Two data rooms. Twelve workstreams. A deal team of forty-one, plus outside counsel, plus the bankers, plus the board.
The insider — we'll call them Subject A — was a director-level finance lead read into the deal from week one. Clean record. High performer. A retention package worth more than three years of salary, vesting on a successful close.
On a Tuesday evening, Subject A connected an encrypted personal SSD to a corporate laptop and, over the course of forty-three minutes, moved the integration plan, the synergy model, the unredacted target customer list, and seven folders of legal working papers.
The DLP alert fired. The alert was triaged. The alert was closed as a false positive by a tier-one analyst who had seen Subject A's name on the approved deal-team roster and assumed the transfer was sanctioned. Twenty-six hours passed before the second signal — an anomalous login from a residential IP — landed on a senior analyst's desk who connected the dots.
"The breach didn't begin when the data moved. It began the moment we stopped reading our own alerts."
§ II — The first thirty minutes
What we made the room decide.
Infiniqo tabletops are not a slide deck. The room receives an injects packet — emails, a Slack thread, a draft press inquiry, a regulator's voicemail — and a clock. The facilitator role-plays the adversary, the journalist, the general counsel of the target, and the board chair. The participants make decisions. Real ones, with names attached.
Within the first half hour, the executive team was forced through six binary decisions. None of them were technical. All of them were consequential.
- 01
Do we tell the target?
Material non-public information has potentially left the perimeter. Disclosure may collapse the deal. Non-disclosure may breach the merger agreement's notification clause.
- 02
Do we suspend Subject A?
Suspending tips them off, risks evidence destruction, and may be wrongful if the transfer turns out to be sanctioned. Not suspending keeps a potential adversary inside the perimeter.
- 03
Do we engage outside counsel — and which one?
Deal counsel knows the agreement. Cyber counsel knows the privilege playbook. Calling both creates a coordination tax. Calling neither creates exposure.
- 04
Do we notify the board now or at the regular Thursday call?
Early notification preserves trust. Premature notification, before facts are firm, invites a board to act on incomplete information — and creates a paper trail.
- 05
Do we file an 8-K?
SEC cyber disclosure rules require materiality determination within four business days. The clock starts when materiality is determined — not when the incident occurred. When does the room declare it?
- 06
Do we tell the bankers?
The bankers will need to know if the deal terms change. The bankers also talk. Every additional person told is an additional person who can leak.
§ III — What broke
The runbook was right. The room was not rehearsed.
Meridian had an insider-threat policy. It was forty-one pages, last reviewed eleven months earlier, and approved by three committees. It correctly named every action the team eventually took. It did not survive contact with the calendar.
Three failures repeated across the simulation:
- I.Privilege ambiguity. No one in the room could state — under stress, on the clock — which communications were privileged and which were discoverable. Three of the first eight emails sent were later flagged as unhelpful to the legal posture.
- II.Decision ownership drift. The CISO assumed the General Counsel would call the regulator. The General Counsel assumed the CEO would. The CEO was on a plane. Forty minutes evaporated.
- III.Communications mismatch. The draft holding statement, written by an external PR firm, did not match the factual posture the legal team could defend. Both had been pre-approved. Neither had been read together.
§ IV — What we left them with
Three changes, before the next deal.
Every Infiniqo engagement closes with an after-action document — short, signed, actionable. For Meridian, the document had three commitments and a date.
A deal-mode incident cell.
Pre-staged, pre-named, pre-briefed. Stands up automatically the day a transaction enters confirmatory diligence. Stands down the day after close.
A materiality rubric for the SEC clock.
Drafted with cyber counsel, owned by the General Counsel, refreshed quarterly. Removes the most expensive question from the room: when did we know?
A quarterly rehearsal, not an annual one.
The muscle decays in months, not years. The next exercise is on the calendar before the team leaves the room.
Coda
A tabletop is not a test. It is a rehearsal — the only honest preparation for the call you cannot afford to get wrong. When the alarm sounds, your team will not rise to the occasion. They will fall to the level of their training.
This scenario is one of five in Infiniqo's Cyber Risk Readiness practice. The names, numbers and circumstances are composite and anonymised. The decisions are drawn from live engagements with regulated enterprises, healthcare systems, and public-market acquirers.