The vulnerability assessment and penetration testing report (refer to Paragraph SIO-9.6.32), along with the steps taken to mitigate the risks must be maintained by the licensee for a five-year period from the date of the report.