Most trucking companies have an incident response plan. Almost none have practiced it under pressure. The NMFTA framework and ransomware data agree: a plan no one has rehearsed is not a plan. It’s paperwork.


The ransomware hit at 6:12 a.m.

Dispatch went dark. TMS was inaccessible. Drivers were calling. Customers were calling. And the executive team was staring at each other asking a question no one had ever actually answered before:

Who is in charge right now?

Not “who is technically responsible for IT.” Who makes the decision to shut systems down? Who calls legal? Who calls the insurance carrier? Who authorizes the forensics firm? Who communicates with drivers? Who notifies customers?

If your team would have to answer those questions for the first time during an active incident, your incident response plan has never been practiced.

A plan no one has practiced is not a plan. It’s paperwork.


The NMFTA Framework Is Explicit About This

The NMFTA Cargo Crime Framework requires a documented incident response plan that is regularly tested and kept up to date — not written once and filed. Tested. Meaning someone ran a scenario, people made real decisions, gaps were exposed, and those gaps were corrected before the real incident revealed them.


What the Ransomware Data Tells Us

  • 64% of closed claims in 2025 were resolved with no out-of-pocket loss — the direct result of rapid, practiced response (Coalition 2026)
  • 65% average reduction in ransom demands via negotiation — but negotiation requires time, legal authority, and a coordinated team that knows their roles (Coalition 2026)
  • The gap between a breach and the first class-action filing has shrunk to days (Chubb 2026)

If your team is making decisions for the first time during the incident, you are not responding. You are improvising. And improvisation under pressure is how recoverable situations become catastrophic ones.


The Five Decisions That Must Be Pre-Made

  • Containment authority — who can take systems offline right now, without a committee?
  • Legal notification — who calls counsel, and when? Breach notification laws may require action within 72 hours.
  • Insurance activation — who calls the carrier, and do they have the policy number memorized?
  • Forensics authorization — who engages a forensics firm, and do you have one on retainer?
  • Communication authority — who speaks to drivers, customers, and media?

These decisions need to be made before the crisis. Written down. Distributed. Practiced until they are muscle memory.


What a Tabletop Exercise Actually Looks Like

A tabletop exercise is not a presentation about cybersecurity. It is a structured simulation in which your leadership team walks through a realistic scenario and makes real decisions in real time.

It exposes who hesitates when they should move, who moves when they should escalate, and where your documented plan breaks down against reality. Then those gaps get fixed — before the real incident.


The Proof to Profit Argument

You don’t rise to the occasion. You fall to the level of your preparation.

And preparation that has never been practiced is not preparation. It’s intention.

At the NMFTA Convention this year, Proof to Profit is my answer to that question. It’s a leadership framework built on five disciplines: Prepare. Prove. Practice. Protect. Profit.

Criminals have practiced. They’ve rehearsed this. They know what they’re doing when they hit your systems.

The question is whether you do.



Written by Melanie Padron

Vice President of Strategic Growth · IT ArchiTeks
Risk Strategist · National Cybersecurity Speaker

Melanie Padron brings nearly three decades of risk management experience, spanning insurance and cybersecurity, to help trucking and logistics leaders validate security posture, strengthen resilience, and protect revenue before pressure reveals what preparation concealed.

She’s a nationally recognized cybersecurity keynote speaker and the creator of two acclaimed talks:

  • Surviving a Cyber Crisis: Real Stories. Real Lessons. Real Money.
  • Proof to Profit: How Leaders Protect Revenue in the Age of Ransomware and AI

To bring either conversation to your conference, association, or leadership team — visit ITArchiTeks.com or connect with Melanie directly on LinkedIn.
