Why Credit Unions Should Consider Changing Penetration Testing Providers Every Three Years

Most credit unions are doing some form of penetration testing as part of their regular regulatory requirements. The question is whether the test is still giving leadership an honest picture of risk, or whether it has quietly become an annual exercise that feeds the audit file and not much else.

The lifecycle of a penetration testing engagement tends to follow a predictable arc. A credit union finds a provider they trust, usually through a peer referral or an existing vendor relationship. The provider learns about the environment through enumeration and repeated testing. Scoping gets easier. Reports start to feel familiar. The client and vendor both know what to expect. There's real value in that rhythm, but there's also a slow, quiet risk building underneath it.

Penetration testing is meant to challenge assumptions. When the same team looks at the same environment the same way for the fourth or fifth year in a row, the challenge starts to dull. Not because they're doing poor work, but because familiarity has a way of narrowing the lens.

Credit unions should consider changing penetration testing providers at least every three years. Not because the current provider is necessarily doing poor work, but because leadership benefits from a fresh set of eyes, a different testing approach and an independent challenge to the way risk has been viewed in prior years.

Familiarity Can Become a Blind Spot

A good provider should develop deep knowledge of the environment. They should understand the credit union's systems, architecture, business processes and what the real-world impact would be if an attacker got in. That context makes the work more useful. A finding tied to a core banking integration hits differently than a generic CVSS score.

There comes a point when familiarity with the environment can start to weaken the effectiveness of the test.

After a few years, a provider tends to follow the same paths. They test the same external ranges. They revisit the same internal systems. They make the same assumptions about segmentation, identity and third-party access that they made last year, because those assumptions were mostly right last year.

The report may still be technically accurate. But it may not be genuinely challenging the environment anymore.

If the test is predictable to the credit union, it may also be predictable to the testing team. And if the test becomes predictable, it may no longer reflect how a real attacker would approach the environment.

Different Testers Find Different Problems

Penetration testing is not like running a scanner and waiting for a report to print. Tools matter, but the real value comes from the tester’s judgment. Two qualified providers can look at the same environment and find different issues, not because one is better, but because they think differently. They follow different attack paths. They weigh risk differently. They've developed different instincts from different engagements. One provider may focus heavily on exposed services and missing patches. Another may spend more time on Active Directory attack paths. Another may be stronger in web application testing, Microsoft 365, password attacks, segmentation validation or sensitive data exposure.

This isn’t about who's more qualified. It's about perspective, and perspective is exactly what you're paying for.

A finding is not valuable just because it has a severity rating; it is valuable when it helps leadership understand what could actually happen. Could an attacker access member data? Could they reach a core banking integration? Could they abuse a service account? Could they move from a workstation to a server? Could they get into systems that were assumed to be segmented? Those are the questions that matter. Rotating providers increases the likelihood that someone will ask them in a way that surfaces something new.

The Goal Isn't Vendor Churn

I do not recommend changing providers just to change providers. That creates its own set of problems.

If a provider is doing quality work, communicating clearly, drafting useful reports, continuing to find meaningful risks and pushing back when the scope gets too narrow, that relationship has real value. The goal isn't to punish a good vendor or start over every year – the goal is to avoid getting locked into one view of the environment.

Every few years, leadership should ask whether the current provider is still bringing value or whether the test has become routine. That question should be part of vendor management, cybersecurity governance and audit discussions.

For credit unions, this is especially important because cybersecurity is not just an IT issue. It is a board and executive leadership issue. The NCUA has been clear that boards should provide meaningful oversight of cybersecurity programs and understand how external assessments are being used to validate program effectiveness.1 That oversight only means something if the assessment is still objective.

Three Years Is a Practical Point to Reassess

Three years is not a magic number, and I am not presenting it as a regulatory requirement. It's a governance cycle that tends to make sense in practice.

The first year with a provider usually establishes a baseline. The provider learns about the environment, validates the scope, identifies initial issues and gives leadership a sense of where the biggest risks are.

The second year should show whether remediation worked. Did repeat findings go down? Were compensating controls effective? Did the credit union improve, or did the same issues show back up under a slightly different name?

By the third year, leadership should have enough information to decide whether the provider is still challenging the environment or whether it is time for a different perspective.

That decision does not have to be dramatic. A credit union could rotate the full penetration testing provider. It could alternate providers every few years. It could keep the current provider for network testing and bring in a specialist for web applications, cloud, Microsoft 365, wireless or social engineering. It could also request a more adversarial assessment from the same provider if the prior tests were more compliance focused.

The main point is that the decision should be intentional.

Rotation Can Expose What Prior Tests Missed

One of the most useful things a new provider can do is validate whether prior testing was deep enough.

Sometimes a new provider finds a significant issue that has existed for years. That does not automatically mean the prior provider was careless. Maybe the scope was too narrow. Maybe the system was excluded. Maybe credentials were not provided. Maybe exploitation was limited by the rules of engagement. Maybe the prior report identified the issue but did not explain the business impact clearly enough.

But sometimes the answer is much simpler: the prior test missed it.

Leadership needs to know that, and a penetration test is one of the safer ways to find these issues. It gives the credit union a controlled process, written authorization, defined rules of engagement and a chance to fix problems before they become incidents. That matters because the NCUA's cyber incident notification rule makes clear that federally insured credit unions must report certain cyber incidents to the agency within 72 hours of reasonably believing one has occurred.2 A weakness found and fixed during an authorized test never triggers that clock.

A controlled penetration test is where the tough questions should be asked before an attacker asks them for you.

Scope Has to Evolve with the Credit Union

Another reason to rotate or reassess providers is that the credit union’s environment changes.

A scope that made sense three years ago may not make sense today.

The credit union may have changed core processors, added new online banking integrations, expanded Microsoft 365 usage, adopted new remote access tools, added vendors, changed firewall rules, moved applications to the cloud or implemented new security controls.

If the testing scope does not evolve with those changes, the annual test can start to drift away from the actual risk.

This is where leadership should push for better scoping discussions. Do not only ask, “What did we test last year?” Ask, “What could materially impact the credit union if it failed or was compromised?”

That conversation should include IT, information security, compliance, audit and leadership. It should also include the testing provider, but the provider should not be the only party shaping the scope.

Better Questions for Leadership to Ask

Credit union leadership doesn't need to understand the technical mechanics of a penetration test to provide good oversight. But they should be asking sharper questions than "did we pass."

For example:

  • Are we evaluating the systems that matter most to member impact and business continuity?
  • Did the test include realistic attack paths, or was it mostly vulnerability validation?
  • Were findings connected to actual business risk, not just technical severity ratings?
  • Did the provider explain what an attacker could realistically do with what they found?
  • Are repeat findings being escalated, or are they cycling through the same remediation process year after year?
  • Did this report help management make decisions?
  • Does the scope reflect changes we've made in the past twelve months?
  • Are we still learning something from this provider?

A Good Provider Should Be Able to Stand Behind the Work

A strong penetration testing firm shouldn't have any anxiety about another qualified team reviewing the same environment a year later. The methodology should be documented. The evidence should support the findings. The report should be written so that IT can act on it and leadership can understand it.

That's the standard. Penetration testing shouldn't be about locking a client into the same report every year. It should be about helping a credit union understand its risk, make better decisions and improve.

If a provider is doing that well, they may earn another cycle. If they are not, leadership should be willing to rotate.

Rotation Still Requires Rigorous Due Diligence

Changing providers doesn't reduce the responsibility for vetting them; it increases it.

Credit unions should evaluate qualifications, methodology, demonstrated experience with financial institutions, reporting quality, professional liability coverage, data handling practices, subcontractor use and how the firm protects sensitive information obtained during the engagement.

This fits squarely into third-party risk management. NCUA guidance on third-party relationships emphasizes planning, due diligence, contractual controls and ongoing oversight proportionate to the risk of the relationship.3 A penetration testing provider may access internal credentials, network diagrams, vulnerability data and evidence of security weaknesses. That access deserves to be treated with the seriousness it carries.

Rotating providers should never be an excuse for cutting corners on who gets the work.

Final Thought

Credit unions are built on trust. Members trust the institution to protect their money, their personal information and their access to financial services. A penetration test is one of the most direct ways to find out whether that trust is well-founded.

Staying with the same provider year after year may be comfortable. It may be easy. It may even be defensible in an audit file. What it may not always be is accurate.

Every three years, credit union leadership should step back and ask whether the current penetration testing provider is still giving them a clear, independent and useful view of risk. If the answer is yes, renew with confidence. If the answer is no, or even uncertain, bring in a fresh set of eyes.

The best time to find out what the last test missed is not after an incident.

It is during the next test.

References

  1. NCUA, Board Director Engagement in Cybersecurity Oversight.

  2. NCUA, Cyber Incident Notification Requirements, 12 CFR Part 748.

  3. NCUA, Evaluating Third-Party Relationships.
