NIS2 Article 20 explicitly states that management bodies can be held personally liable for infringements of cybersecurity requirements in essential and important entities. Named directors can face personal fines and temporary bans from management roles.
DORA places board-level accountability for ICT third-party risk governance. Directors who approved inadequate third-party risk arrangements face personal liability.
SEC rules (US listed companies) require 4-day disclosure of material cyber incidents. The SEC charged the SolarWinds CISO personally — not the company — for misleading investors about cybersecurity practices.
UK Companies Act s174 requires directors to exercise reasonable care, skill, and diligence. A director who was briefed on a documented credential vulnerability and chose not to act has a documented failure to meet the standard of care.
D&O insurance explicitly excludes known risks that board members failed to mitigate. A board that received a credential risk briefing and deferred action has a documented known risk — coverage for a resulting breach may be partial or denied.
Credential-based breaches are the largest single category of cyber insurance claims. Insurers are increasingly asking at renewal: how do you govern who holds credentials to your systems? Policy-based answers — "we have a password policy" or "we require MFA" — are insufficient at an architectural level.
MyCena provides structural credential governance that underwriters can verify: central generation (no user-created credentials), invisible injection (nothing to phish), instant revocation (timestamped log available for submission), and continuous audit trail (evidence ready on demand rather than prepared for renewal).
Organisations at MyCena Resilience or Governance tier have a materially different credential risk profile than the market average. Independent actuarial analysis suggests 10–40% premium reduction in the credential risk component is warranted for Level 4–5 credential governance maturity. This is discussed in the Credential Governance Assessment Standard.
MyCena's architecture satisfies the access control and audit requirements of: DORA (Articles 9 and 28 — ICT access management and third-party risk governance), NIS2 (Articles 20 and 21 — access control measures and supply chain security), PCI DSS v4.0 (Requirement 8 — identity and access management), ISO 27001:2022 (A.9 access control, A.12.4 logging), SOC 2 Type II (CC6 trust service criteria), HIPAA (164.312(a)(1) and 164.312(b) access control and audit), CMMC 2.0 (AC domain), and FedRAMP Moderate (AC and AU control families).
The key distinction: MyCena satisfies these requirements architecturally, not through policy compliance. The continuous audit trail is generated as a byproduct of normal operation — not compiled before each audit. This is the difference between evidence that is always ready and evidence that requires three weeks of preparation.