Annual penetration testing is no longer sufficient for board assurance
by Aaron Flack on Jun 19, 2026

A penetration test report with no critical findings is not evidence that the organisation is secure. It is evidence that the organisation was not critically vulnerable on the day the test was conducted.
Boards in financial services, legal and professional services regularly approve annual penetration testing as part of their cyber governance framework. The report lands, the findings are remediated, and the board satisfies itself that due diligence has been done. That logic has a significant flaw, and regulators, auditors and incident response teams are increasingly aware of it.
What Changes in the Twelve Months Between Tests
The gap between an annual penetration test and the next one is not a quiet period. It is twelve months of continuous change that the previous test says nothing about.
New systems get deployed. Third-party suppliers are onboarded without full security review. Microsoft 365 configurations drift as permissions accumulate and policies are modified. Staff join and leave, taking access rights that are never fully revoked. Vendors release patches for vulnerabilities that did not exist when the test was run. Threat actors develop new techniques to exploit weaknesses that were not even classified as vulnerabilities at the time.
The organisation that received a clean pen test report in January has a materially different attack surface by October. The January report does not speak to October's risk. A board that treats it as though it does is making governance decisions on stale data.
Why Boards Carry the Exposure, Not Just the IT Team
The penetration test report lands with the IT or security team, but the governance accountability sits with the board. Directors approve the security budget, sign off on the assurance framework, and carry personal liability for decisions made in their name.
The FCA's operational resilience rules, which came into full effect in March 2025, require firms to identify important business services, set impact tolerances, and demonstrate that they can remain within those tolerances during a severe but plausible disruption. A board that can point only to an annual pen test report cannot demonstrate continuous operational resilience. It can demonstrate a point-in-time test.
The ICO's expectations under Article 32 of the UK General Data Protection Regulation (UK GDPR) require organisations to implement "appropriate technical and organisational measures" to ensure security appropriate to the risk. The ICO has consistently interpreted this as a continuous obligation, not an annual checkbox. A data breach that occurs eight months after a clean pen test will not be defended by producing that report. The question the ICO will ask is what measures were in place at the time of the breach, and whether they were appropriate to the risk the organisation faced at that moment.
The NCSC's guidance on penetration testing explicitly states that testing should be part of a broader security programme, not a standalone annual exercise. Boards that have not read that guidance are operating on an assumption the NCSC does not share.
The Clean Report Creates Its Own Risk
A penetration test with no critical findings is a useful result. It can also be a dangerous one.
When the board sees a clean report, the instinctive response is reassurance. Audit committees treat it as a green light. Budget conversations move on. The security team, having spent weeks preparing for the test, turns its attention to other priorities. The organisation enters a period of reduced scrutiny at exactly the point when the test data begins to age.
This is the clean report risk. The absence of critical findings in a point-in-time test creates organisational complacency that persists for the next twelve months, regardless of what changes in the environment during that time. The report becomes a ceiling on the conversation rather than a floor.
Senior leaders in regulated sectors should be asking not just "what did the pen test find?" but "what has changed since the pen test, and how would we know if a new vulnerability had been introduced?"
What PCI DSS 4.0 Signals for Every Regulated Organisation
Payment Card Industry Data Security Standard (PCI DSS) version 4.0, which became mandatory in March 2024, introduced explicit requirements for continuous monitoring of security controls. Organisations in scope must now demonstrate that their security posture is assessed on an ongoing basis, not just at annual audit points.
This is a signal worth reading carefully, even for organisations outside direct PCI DSS scope. Regulatory frameworks across financial services, legal and professional services are moving in the same direction. Annual testing cycles were designed for a threat environment that no longer exists. The frameworks are catching up.
The organisations that adapt their governance model now will find the transition to future requirements less disruptive. Those that wait for a regulatory requirement to force the change will be making that transition under pressure, often in the aftermath of an incident.
What Adequate Assurance Actually Looks Like
Penetration testing remains a valuable tool. The argument here is not against pen testing. It is against pen testing as the primary or sole mechanism of board-level cyber assurance.
Adequate assurance for a board in 2024 requires a layered approach. Continuous vulnerability management identifies and prioritises weaknesses as they emerge, rather than at an annual point in time. Regular internal testing cycles, including configuration reviews and access control audits, track the changes that accumulate between formal tests. Threat intelligence integration ensures the organisation's defences are evaluated against current attack techniques, not those that were relevant at the last test date. Defined remediation service level agreements (SLAs) with tracked closure rates give the board evidence of active risk management, not just risk identification.
Board-level reporting should show security performance over time: vulnerability counts trending up or down, remediation velocity, coverage gaps, and third-party risk indicators. A single annual report cannot provide that picture. A continuous programme with regular board-level reporting can.
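As an added illustration of the remediation metrics described above (example code, not Conosco's or the page's own), the script below takes a constructed list of findings and computes open counts by severity, items past an assumed per-severity SLA, mean days to close and the in-SLA closure rate; the SLA values, finding records and reporting date are all assumptions.

```python
# Remediation SLA metrics for a board-level report. Added example, not
# Conosco's code; the findings list below is constructed sample data.
from datetime import date
from statistics import mean

# Assumed remediation SLAs in days per severity (a policy choice, not a standard).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
REPORT_DATE = date(2024, 6, 30)  # assumed reporting date

# Constructed findings: (id, severity, date found, date closed or None if open)
FINDINGS = [
    ("F-001", "critical", date(2024, 3, 1), date(2024, 3, 5)),
    ("F-002", "high", date(2024, 3, 3), date(2024, 4, 20)),  # closed late
    ("F-003", "high", date(2024, 4, 10), None),               # open, past SLA
    ("F-004", "medium", date(2024, 5, 1), date(2024, 5, 20)),
    ("F-005", "low", date(2024, 5, 15), None),                # open, within SLA
    ("F-006", "critical", date(2024, 6, 1), None),            # open, past SLA
]

def age_days(finding, as_of):
    """Days from discovery to closure, or to the reporting date if still open."""
    _, _, found, closed = finding
    return ((closed or as_of) - found).days

def report(findings, as_of):
    """Return the figures a board report needs: open counts by severity,
    open items past SLA, mean days to close, and the share closed within SLA."""
    open_by_sev = {sev: 0 for sev in SLA_DAYS}
    overdue, closed_ages, within_sla = [], [], 0
    for finding in findings:
        fid, sev, _, closed = finding
        age = age_days(finding, as_of)
        if closed is None:
            open_by_sev[sev] += 1
            if age > SLA_DAYS[sev]:
                overdue.append(fid)
        else:
            closed_ages.append(age)
            within_sla += age <= SLA_DAYS[sev]
    return {
        "as_of": as_of.isoformat(),
        "open_by_severity": open_by_sev,
        "open_past_sla": overdue,
        "mean_days_to_close": round(mean(closed_ages), 1) if closed_ages else None,
        "sla_closure_rate": round(within_sla / len(closed_ages), 2) if closed_ages else None,
    }

if __name__ == "__main__":
    print(report(FINDINGS, REPORT_DATE))
```

Running the same function over successive monthly exports gives the trend lines (open counts, velocity, closure rate) the paragraph above asks for.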
Conosco's managed security service treats penetration testing as one component within a continuous programme. Vulnerability and threat management runs throughout the year, and board-level reporting is built into the service rather than retrofitted at audit time.
If annual pen testing is the primary assurance mechanism for your board, it is worth reviewing what a continuous programme would add. Talk to Conosco about managed security: conosco.com/managed-security
Frequently Asked Questions
Is annual penetration testing a regulatory requirement?
Some frameworks, including PCI DSS and certain standards that apply to FCA-supervised firms, require periodic penetration testing. However, meeting a minimum frequency requirement is not the same as demonstrating adequate assurance. Regulators increasingly expect continuous monitoring alongside periodic testing, not instead of it.
What is the difference between a penetration test and continuous vulnerability management?
A penetration test is a structured, time-limited assessment conducted by a third party. Continuous vulnerability management is an ongoing process of identifying, prioritising, and remediating weaknesses across systems, configurations, and third-party connections as they emerge. Both have a role. One without the other leaves significant gaps.
Can a board be held personally liable for a breach that follows a clean pen test?
Personal liability for directors depends on the specific circumstances and jurisdiction. However, a clean pen test report does not automatically constitute evidence that the board discharged its duty of care. Regulators will assess whether appropriate measures were in place at the time of the breach, and whether the board's governance framework was adequate given the risk profile of the organisation.
How often should a penetration test be conducted?
The appropriate frequency depends on the organisation's risk profile, regulatory obligations, and the rate of change in its IT environment. Once per year is a starting point, not a ceiling. Organisations undergoing significant infrastructure change, new system deployments, or acquisitions should consider testing at those trigger points, not only on an annual schedule.
What should a board-level security report contain?
A useful board-level security report covers the current state of known vulnerabilities and their remediation status, the organisation's exposure to recent threat intelligence, third-party and supply chain risk indicators, changes since the last report, and any open items from previous testing cycles. A report that only presents the outcome of an annual test provides insufficient visibility for informed governance decisions.