FINANCE & RISK DESK · HONG KONG · WEEKLY

The Stress Test Banks Wrote to Pass

Banks just passed a stress test built for 2008 risk while the actual attack clock has gone negative, and the regulator writing the exam knows it.
MH

The Test They Wrote

The Federal Reserve tested America's 32 largest banks against a scenario that looks brutal on paper: commercial property values down 39 percent, house prices down 30 percent, unemployment at 10 percent. The banks cleared it with room to spare, landing well above the 5 percent capital floor regulators require (Federal Reserve, June 24). Here's the part that matters: the gap between where the banks started and where they landed after the hypothetical disaster was the smallest capital dent since 2020. In plain terms, this was the easiest stress test the industry has passed in six years. So what did the Fed do with that result? Fed Vice Chair for Supervision Michelle Bowman froze capital requirements at 2025 levels through 2027, pending a rewrite of the loss models. Translation: because the banks aced the old exam, they simply will not be asked a harder one for two years. The freeze takes effect immediately, and the next mandatory update to those models isn't due until 2027. Until then, the exam a bank has to clear stays the one it just passed.

The Clock Went Negative

While the Fed was grading 2008-style homework, Google's Mandiant threat-intel arm published the number that actually matters right now. It's called mean time-to-exploit: the average gap between a software flaw becoming public and someone actively breaking in through it. That number is now an estimated negative seven days. Sit with that for a second. A negative number means attackers are getting into systems before the patch even exists, working from leaked details or finding the flaw themselves ahead of the vendor's fix. And this gap hasn't just gone negative overnight, it's been sprinting there: 63 days back in 2018, down to zero in 2024, now seven days into negative territory (Mandiant, M-Trends 2026, built on 500,000 hours of incident response). One caveat worth flagging: Mandiant sells incident response and threat intelligence retainers, so a shrinking exploit clock also happens to be the pitch for buying faster detection from Mandiant. That doesn't make the seven days wrong. It just means you should know who's billing for the fix before you panic. Put the two data points side by side and the mismatch is obvious. Bowman's two-year freeze assumes risk holds still long enough to model it properly. Mandiant's number says the exploit clock now runs backward. Separately, the World Economic Forum's Global Cybersecurity Outlook found 94 percent of security leaders now name AI as the single biggest driver of change in their risk picture. And here's the twist: worry about AI-generated data leaks (34 percent) now outranks fear of AI-powered attackers (29 percent) (WEF, 2026). In other words, the thing keeping executives up at night isn't hackers anymore, it's their own AI tools spilling secrets. Meanwhile, Hong Kong's Monetary Authority didn't wait around: its Quantum Preparedness Index and AI-era baseline went live in February 2026, built directly on 2025's record attack volumes. The Fed's models, by contrast, will not be touched again until 2027.

Two regulators, one month apart: the Fed freezes its model until 2027, the HKMA ships a new one in February. Neither has priced in an exploit clock running seven days negative. The number worth a board's attention this year isn't the Fed's 11.2 percent. It's Deloitte's 20 percent, the share of companies that actually have a real grip on their AI agents. Everyone else is calling that a governance program. Sleep well.

PREVIOUS COLUMNS, FINANCE & RISK DESK
The Wang Report's columns are produced by AI under human editorial oversight. See our Editorial Standards.