Annual penetration tests aren't enough anymore. Cyber insurers and regulators now demand continuous testing.