The intensifying hunt for the JPMorgan hackers comes as the bank, which has said it spends about $250 million a year on digital security and plans on doubling that in the future, wrestles every day with securing its vast global network.

An internal assessment of the bank’s security found that by the end of 2014 the bank had made “significant progress” in reducing “severe patch issues” in its digital network, but still had critical issues to address. The January report to the bank’s cybersecurity business control committee — a copy of which was reviewed by The New York Times — also noted that one server did not have the latest antivirus protection, but that it was being upgraded.

Patching holes in the bank’s network is critical because hackers exploited such vulnerabilities to gain access to JPMorgan in the first place. Attackers breached a server that had not been upgraded with so-called two-factor authentication, The Times previously reported. Double authentication schemes, which are now considered industry standard, require a second, one-time password for employees to gain access to a secure system. Without that second password requirement, hackers were able to breach a server using the stolen login credentials for a bank employee.

Once inside, hackers gained high-level access to more than 90 servers, but they were stopped before they could move customers’ financial information to their servers abroad.

The internal review also noted that JPMorgan recently increased its requirements for giving people the highest level of access to the bank’s network. It did so, according to the review, to minimize the risk of “catastrophic technical or reputational damage to the firm.” JPMorgan now limits so-called “high security access” to bank employees who must submit to annual credit screenings and criminal background checks. The bank now also conducts a “routine review” to make sure that high security access is justified for a particular person.

A JPMorgan spokeswoman declined to comment for this article.

Federal authorities said the lack of prosecutions in big breach cases is often a reflection of the fact that the attackers are cloistered away in countries where the ability to make arrests is limited.

In May, the Justice Department indicted five members of China’s People’s Liberation Army in connection with hacking attacks. None have been apprehended. And in December, the White House took the unusual step of identifying, and pledging retaliation against, North Korea for a destructive attack at Sony Pictures, without filing a criminal case.