The testing of IT infrastructure and core system including penetration testing and vulnerability assessment referred to in Paragraph CRA-5.2.7 must be conducted each year in June and December, and the assessment report, along with the steps taken to mitigate the risks must be provided to the CBB within two months from the end of the reporting period.