
What 345 Days of Untested Exposure Looks Like at a Bank

Why This Matters

This article highlights the risks of relying solely on annual penetration testing in the banking industry, demonstrating how vulnerabilities can remain unaddressed for nearly a year. It underscores the need for continuous security measures to better protect financial institutions and their customers from evolving cyber threats. The findings emphasize that current regulatory frameworks may be insufficient given the rapid pace of digital change and attack sophistication.

Key Takeaways

In April, a single VPN vulnerability led to data breaches at more than seventy financial institutions running Marquis Software's infrastructure, according to American Banker's reporting on the incident. The patch existed. The institutions affected likely had recent penetration tests on file. Neither prevented the exposure from compounding across the portfolio.

The math is straightforward. A standard annual external penetration test runs two to three weeks of active testing. That leaves roughly 345 days of operational reality unvalidated.

Mandiant's M-Trends 2026 report puts the 2025 median dwell time at fourteen days, reversing a multi-year decline, with espionage actors averaging 122 days.

CrowdStrike's 2026 Global Threat Report ranks financial services fourth in interactive intrusion targeting. Adversaries did not wait between annual assessments. The model assumed they would.

Regulators Set the Floor Against a Slower Threat Model

PCI DSS, FFIEC, and NYDFS all reference penetration testing in their requirements and guidance. None of them describe annual cadence as sufficient.

PCI DSS 4.0 Requirement 11.3.1 mandates external penetration testing after any significant infrastructure or application upgrade or modification. The FFIEC IT Examination Handbook describes penetration testing as part of ongoing vulnerability management, not a discrete annual event. NYDFS Section 500.05 mandates annual testing alongside continuous monitoring obligations strengthened in the 2023 amendments to 23 NYCRR 500.

Every one of these frameworks already assumes testing happens in response to change. The regulatory floor was written for institutions where significant changes happened on quarterly release cycles.

That cadence does not match modern banking infrastructure. Digital banking releases, cloud workload migrations, fintech API integrations, third-party portal launches, and M&A integration work all generate untested attack surface between annual tests.

The compliance question is no longer whether the institution tested last year. It is whether the institution tested the things that actually changed.
