In 2019 Aon ran a simulated phishing email exercise to test the resilience of UK pension schemes. The exercise was aimed at approximately 250 people, primarily trustees and others involved with pensions, across a selection of Aon clients. A substantial minority didn’t recognise the email as a phishing attempt, and followed the link. Based on feedback from schemes running the test in 2019, Aon has decided to extend this exercise and offer all pension schemes the opportunity to take part in our 2020 simulated phishing exercise.
Why take part in this exercise
A large proportion of cyber attacks start with a phishing email: a message designed to trick the recipient into following a link or handing data to the attacker. Simulated phishing exercises are widely used by corporates to test their organisations' resilience to such attacks from both a technical and a behavioural perspective, and Aon has extensive experience of running these exercises with corporates and with pension schemes.
To date, most trustees have been unable to run similar exercises as the cost has been prohibitive. This multi-scheme approach provides a solution. Taking part in phishing exercises like this one helps to keep all trustees on their toes; they are also a great learning tool for everyone involved in pensions.
In response to last year’s exercise, the Pensions Regulator commented that it was “pleased to see schemes taking this risk seriously and testing their defences”.
How does this work?
The exercise will involve a simulated phishing email sent to all participants on a date determined by Aon, sometime between 1 July and 31 December 2020. Your trustee board (or pension body) will then receive a report on the results, both for your scheme (on an anonymous basis) and across the group of participating pension schemes as a whole. The cost of participating is £150 per participant, subject to a minimum fee of £500. Participants need not be limited to the trustees: we can include anybody associated with the pension scheme whom you regard as a potential cyber risk.
How can I participate?
If you would like your scheme to participate, please contact your usual Aon consultant or Jason Wilson. You will then be asked to provide details of the participants and confirm your agreement to the terms of the exercise.
To make the exercise as realistic as possible, many schemes choose not to disclose details of it to the whole trustee board. We are therefore happy to take instruction from one person (eg, the trustee chair or pensions manager).
Finally, participating in a phishing exercise is just one area of good governance to improve your scheme’s cyber resilience. Aon can undertake a range of testing around providers, procedures and processes, can run ‘war game’ simulations to test how you could react to an actual attack, or provide specialist cyber support should an attack take place. If you would like to know more about how we can support your scheme with understanding, protecting and responding to cyber threats, please contact one of the team or visit the cyber risk section.
Last update: 11 June 2020