Photo by [Jason Dent](https://unsplash.com/@jdent) on [Unsplash](https://unsplash.com)

16 June 2026 · George St. Clair

Regulated Industries Carry Patch Debt They Haven't Priced

  • patch-management
  • regulated-industries
  • risk-management
  • compliance

Unpatched CVEs on regulated estates are balance sheet exposures boards have not quantified. The cost of staying blind now exceeds the cost of measurement.

Most regulated organisations carry a patch backlog. The IT operations team knows the number: how many critical CVEs are outstanding, how long the oldest ones have been open, which systems are most exposed. That number sits in a vulnerability management dashboard and rarely leaves the security team’s reporting pack.

It belongs on the board’s risk register. The reason it does not appear there is a translation problem, not a governance gap. Security teams report in technical units (CVE count, CVSS score, days outstanding) while boards reason in financial units (expected loss, contingent liability, regulatory exposure). No one has done the conversion.

That conversion is now necessary, because regulators, auditors, and cyber insurers have started doing it themselves.

What Patch Debt Actually Looks Like

A medium-sized financial services firm operating in 2026 will typically have between 800 and 2,000 managed endpoints, a mix of on-premises servers and cloud workloads, and an estate that has been accumulating for 10 to 15 years. Industry benchmarks from vulnerability management programmes suggest that firms in this profile carry an average of 150 to 400 open critical or high CVEs at any given point in time.

Of those, a meaningful proportion are classified against systems that process or store regulated data: payment card information, personal financial data, health records. The average age of an outstanding critical CVE in a traditionally managed estate typically exceeds 45 days. In some cases, particularly for legacy systems that cannot be easily patched without service disruption, the age exceeds 180 days.

Each of those outstanding CVEs represents a known attack surface. The probability of exploitation is not hypothetical. Action1’s data on CVE weaponization timelines shows that for critical vulnerabilities, active exploit code is available within 48 hours of disclosure. A CVE that has been outstanding for 90 days on an internet-accessible system has been exposed to active exploitation for approximately 88 days beyond the point at which a patch was available.

The Regulatory Obligation

The FCA’s Senior Managers and Certification Regime (SMCR) makes individual named executives accountable for the firms’ operational resilience and information security posture. PRA supervisory expectations, codified in SS1/21, require firms to identify and manage vulnerabilities in their IT systems. The CQC’s data security standards for healthcare organisations require that software is kept up to date and that known vulnerabilities are remediated within defined timescales.

None of these frameworks specify a 30-day patch cycle as compliant. Several explicitly state that patch timescales must be proportionate to the risk of the vulnerability. For a critical CVE on a system holding patient data or payment records, the defensible interpretation of “proportionate timescale” under current regulatory expectations is measured in days, not weeks.

An organisation that has been operating a monthly patch cycle for critical CVEs can face a difficult conversation with a regulator following a breach: the patch was available on day 1, exploitation occurred on day 20, and the patch was scheduled for day 30. That timeline does not demonstrate proportionate risk management.

How Insurers Are Pricing It

Cyber insurers have access to claims data that regulators do not. The correlation between patch lag and breach probability is direct and measurable in actuarial terms. Insurers writing cyber liability policies in 2025 and 2026 have moved from questionnaire-based underwriting to technical validation: they are requesting evidence of patch SLA compliance, not self-certification.

Several major insurers now include patch compliance windows as explicit policy conditions rather than underwriting factors. A policy may specify that critical CVEs must be remediated within 72 hours of disclosure. A breach that occurs while a critical CVE has been outstanding beyond that window can trigger a coverage dispute. The insurer’s position is that the policyholder has materially increased the risk beyond what was underwritten.

This is not an edge case. Claims against policies with patch SLA conditions are being contested on this basis in 2025 and 2026. Firms that have not read their policy conditions with this specificity are exposed.

The Board Presentation Problem

The gap between what security teams know and what boards understand about patch debt is a presentation problem with material consequences. A risk register entry that reads “150 critical CVEs outstanding, average age 52 days” communicates nothing to a board member without a security background.

The equivalent statement in financial terms is more communicable: “Systems processing customer payment data have 23 critical vulnerabilities that have been known and unpatched for an average of 52 days. Based on current exploitation rates for this CVE class, the probability of a successful breach in the next 30 days is estimated at [X]%. The expected regulatory fine for a breach of this type under current FCA enforcement patterns is in the range of [Y] to [Z]. The cyber insurance policy requires remediation within 72 hours for this CVE class; claims arising while these vulnerabilities are outstanding may be contestable.”

That statement presents the same facts in terms that a board member can assess against other financial risks. The conversion requires three inputs: exploitation probability (available from threat intelligence feeds and vendor data), expected regulatory loss (available from published enforcement decisions), and policy condition review (available from reading the insurance contract). None of these require proprietary data.

What It Costs to Quantify Versus What It Costs to Stay Blind

A vulnerability quantification exercise for a medium enterprise estate typically requires two to four weeks of security architecture time, access to existing vulnerability scan data, and a structured framework such as FAIR (Factor Analysis of Information Risk) to convert technical metrics into financial exposure figures. The output is a board-ready risk register entry with quantified expected loss.

That investment is measurable in days and people. The alternative is operating without board-level visibility of a material contingent liability, in an environment where regulators and insurers are developing their own quantification methodologies that may not reflect the firm’s actual risk mitigation activity.

The cost of staying blind is the sum of the potential regulatory penalty, the potential insurance claim denial, and the reputational damage from a preventable breach. For regulated firms, that sum is not small.

Photo by [Natanael Melchor](https://unsplash.com/@nmelchorh) on [Unsplash](https://unsplash.com)

patch-management

“A critical CVE outstanding for 90 days on a system holding payment card data is not a technical debt item. It is a contingent liability with a quantifiable expected loss.”

About the Author

George St. Clair

Director, SCITAS Ltd — enterprise technology architecture for financial services, public sector, and central government.

Ready to Move?

Bring us your toughest challenge.

Every engagement starts with a direct conversation about what’s blocking you.