Every major financial services breach started the same way.

Bangladesh Bank. Revolut. LoanDepot. ICBC. The credential is the entry in every case. Not a zero-day exploit. A password in human hands that could be stolen, phished, or sold. DORA, FCA SMCR, and PCI DSS now create personal liability for the individuals who did not close that gap.
Key figures (the animated counter values did not survive extraction; only the captions remain):
Average cost of a financial services data breach — 22% above the global average · IBM 2024
Of all global breaches in 2023 were in financial services — the most breached sector on earth
SEC mandatory breach disclosure window — personal enforcement for directors who defer known risk
DORA enforcement date — personal liability for named senior management for ICT governance failures
The pattern

Three incidents. All entered through a credential.

Your systems verify the credential. But the user controls the credential. Not the organization.

Bangladesh Bank — 2016
$81M
Hackers used compromised employee credentials to access SWIFT and transfer $81M. The attempted theft was $1 billion.
North Korean hackers installed malware on Bangladesh Bank’s systems using compromised employee credentials that accessed the SWIFT payment network. They observed real transactions for weeks, learned the patterns, then submitted fraudulent transfer requests. Investigators found five bank officials had created vulnerabilities by exposing SWIFT access credentials. The $81M that was transferred represented the portion not blocked by a fortuitous spelling error in a receiving account name. The attempted theft was $1 billion.
Entry point: employee credentials to SWIFT terminal
Revolut — September 2022
50,150
A social engineering attack extracted an employee credential. 50,150 customers’ data exposed. Lithuanian DPA opened a formal investigation.
A social engineering attack gave attackers access to Revolut’s customer database through a compromised employee credential. 50,150 customers had personal data exposed — names, addresses, email addresses, and partial payment card data. The breach triggered an immediate phishing wave targeting all 20 million Revolut customers, whether affected or not — attackers using real booking data to construct convincing follow-on fraud. The Lithuanian DPA opened a formal investigation and Revolut faced regulatory scrutiny over its response timeline.
Entry point: employee credential via social engineering
LoanDepot — January 2024
16.9M
ALPHV/BlackCat entered via credential compromise, encrypted systems over two days, and exposed 16.9 million customers. Systems offline for weeks.
ALPHV/BlackCat encrypted LoanDepot’s systems over two days following credential compromise, exposing names, addresses, financial account numbers, phone numbers, and dates of birth for 16.9 million customers. Systems were offline for weeks, disrupting mortgage applications nationally. Class action lawsuits were filed immediately. The SEC 4-day disclosure requirement was tested in real time during recovery — LoanDepot’s ability to meet the window while managing active incident response illustrated the operational tension that credential breaches create for listed financial institutions.
Entry point: credential compromise, ransomware deployment

In every case, security tools verified the attacker as a legitimate user — because the credential was legitimate. The failure was not at the system layer. It was at the credential layer above it: a credential in human hands that could be stolen, phished, or observed.

Risk landscape

Six credential risks specific to financial services

Financial services credential risk is amplified by the direct financial value of what credentials access, the personal liability regulatory framework, and the speed at which a breach becomes a market event.

01 — Financial
Payment system credentials — direct path to funds
In financial services a compromised credential can move money. Bangladesh Bank demonstrated that a single set of SWIFT credentials is worth up to $1 billion in one incident.
SWIFT credentials, payment gateway access, trading platform logins, and treasury system credentials all provide direct pathways to financial transfers. The credential is not just an access token — it is a bearer instrument. No other sector has this risk at this scale: a compromised hospital credential exposes records; a compromised payment credential transfers funds in real time.
02 — Third party
Fintech, vendor, and BPO credential access to core systems
The C-Edge breach took down 300 banks through one third-party provider’s compromised credential. Every vendor with access to financial systems is a potential Bangladesh Bank scenario.
Financial institutions depend on extensive third-party ecosystems — core banking vendors, payment processors, fintech integrations, BPO contact centres, managed service providers. Each holds credentials to financial systems. DORA Article 28 requires demonstrable governance of third-party ICT access. “Our vendor has strong security” is not governance. A timestamped log of every third-party credential event, with instant revocation capability, is governance.
03 — Insider
Privileged user credential misuse and fraud
Financial services has the highest rate of insider threat incidents of any sector. An employee who can see their payment system credentials has the technical capability to conduct fraud. The only current defence is detection after the fact.
Employees with access to payment systems, trading platforms, and customer financial data hold credentials that are directly convertible to financial gain. If the employee never holds the credential — if MyCena generates it centrally and injects it invisibly at authentication — the insider fraud mechanism is removed. Not monitored. Removed.

“Financial services has invested more in identity verification than any other sector. None of that investment governs the credential itself — who created it, who holds it, and whether it can be revoked in seconds when something goes wrong.”

Where credential control applies

The financial services credential entry points MyCena closes

MyCena governs the authentication layer above financial systems — where every major breach has entered. No core banking platform modified. No payment infrastructure changed.

MyCena governs
Payment system and SWIFT access
Employee and operator credentials to payment terminals, SWIFT interfaces, and settlement systems
✓ Bangladesh Bank SWIFT credential vector — closed structurally
Operators authenticate to payment systems through MyCena — they never see or hold the credential. The Bangladesh Bank attack required weeks of credential observation before fraudulent transfers could be constructed. MyCena provides nothing to observe: the credential is invisible at every point in the session. Nothing to watch, nothing to copy, nothing to use from outside the authorised session.
MyCena governs
Third-party fintech and vendor access
Core banking vendor remote access, fintech API credentials, BPO and MSP agent access to customer systems
✓ DORA Article 28 third-party access governance — structurally satisfied
Every third-party vendor, fintech integration, and BPO contact centre that accesses financial systems does so through credentials the institution generates and controls. DORA Article 28 requires demonstrable third-party access governance — not contractual assertions about vendor security practices. The timestamped log of every third-party credential event, with instant revocation capability, is the governance DORA demands.
MyCena governs
Employee workstation and system access
Banker, analyst, and administrator credentials across trading, CRM, core banking, and compliance systems
✓ Social engineering and insider fraud credential mechanism — structurally removed
Every employee authenticates through MyCena. No credential is created by the employee, held by the employee, or knowable by the employee. The Revolut social engineering attack extracted a credential through employee manipulation — a credential that existed in that employee’s possession to be extracted. With MyCena, there is nothing for the employee to surrender. The mechanism is removed, not monitored.
MyCena governs
AI agents in financial workflows
Automated trading agents, fraud detection AI, and compliance monitoring tools accessing financial systems
✓ AI agent credential governance — DORA and FCA AI risk obligations addressed
AI agents deployed in financial workflows hold credentials to the systems they access. Those credentials are typically created by developers, stored in configuration files, and governed by nobody. Under MyCena, AI agent credentials are generated centrally, individually attributed, and instantly revocable when the deployment changes. The 82:1 ratio of AI agents to human users in enterprise environments is arriving in financial services — credential governance needs to be in place before the deployment, not discovered after a breach.
What MyCena delivers

Structural credential governance — the evidence DORA, FCA, and PCI DSS require

Regulators do not want policy documents. They want demonstrable, continuous, auditable evidence that access is governed. MyCena generates that evidence automatically.

Payment credentials — nothing to phish or socially engineer
Operators of payment systems and SWIFT interfaces never see or hold their credentials. Social engineering and insider observation cannot extract a credential that does not exist in human-visible form. The Bangladesh Bank attack required weeks of credential observation before fraud was possible. MyCena provides nothing to observe at any point in the session.
DORA Article 28 — third-party access governance on demand
Every third-party vendor, fintech partner, and BPO agent who accesses financial systems does so through credentials the institution generated and controls. Instant revocation demonstrated. Continuous timestamped access log available to regulators on demand — not assembled before examination.
PCI DSS v4.0 Requirement 8 — satisfied architecturally
Individual authentication factors for every cardholder data environment access, individual accountability for every access event, zero shared credentials — all satisfied architecturally. PCI DSS v4.0 assessors receive the continuous access log, not a policy assertion assembled before the assessment.
Board and D&O liability — documented governance, not documented exposure
Named directors who approved MyCena deployment have documented evidence that the credential governance gap was identified and structurally addressed. Under DORA Article 5, NIS2 Article 20, and FCA SMCR, the decision to deploy MyCena is the decision that protects personal liability — not the one that creates it. A board briefed on this risk that defers action has documented its awareness without documenting action.
The board liability question

Bangladesh Bank’s investigation found five officials who had created credential vulnerabilities in the SWIFT access system. Under today’s DORA and FCA SMCR, those officials would face personal liability. A board presented with this page and choosing to defer action has now documented its awareness of a known credential governance gap. Under NIS2 Article 20 and DORA Article 5, documented awareness without action is the regulatory liability.

How it works

Credential governance without modifying financial infrastructure

No core banking platform modified. No payment infrastructure changed. No trading system disrupted.

Step 01
Institution generates all credentials centrally
Every credential for every financial system — employee, vendor, AI agent — is generated by the institution. No individual creates their own access. Credential ownership is institutional from the moment of creation.
Step 02
Invisible injection — nothing to phish or steal
Employees click to connect. MyCena injects the credential at authentication — never displayed, never typed, never held. A social engineering attack finds no credential to extract. An insider finds nothing to sell.
Step 03
Continuous access log — DORA and FCA evidence auto-generated
Every credential event logged — user, system, timestamp. The DORA Article 28 evidence is continuous. The PCI DSS Requirement 8 audit log is on demand. Regulators receive the log, not a document assembled under examination pressure.
Step 04
Instant revocation — any user, all systems, four seconds
Vendor relationship ends, employee departs, or suspected breach: one command, all access revoked in seconds, timestamped log produced. The SEC 4-day window starts from discovery — instant revocation means the dwell window is seconds, not months.
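A minimal model of the four steps above, added here as an illustration and not MyCena's own code: the institution-side broker generates each secret, hands the user only an opaque handle, performs the login itself, logs every event with a timestamp, and can revoke a user everywhere in one call. The CredentialBroker and TargetSystem classes and all method names are assumptions made for this example.

```python
# Hypothetical model of the four steps above: central generation, invisible
# injection, continuous log, instant revocation. Added illustration only; the
# class and method names are assumptions, not MyCena's implementation.
import hashlib, hmac, secrets, time

class TargetSystem:
    """Stub payment/trading system: it stores only a hash of each provisioned credential."""
    def __init__(self, name):
        self.name, self._hashes = name, {}
    def provision(self, user, secret):
        self._hashes[user] = hashlib.sha256(secret.encode()).digest()
    def login(self, user, secret):
        return hmac.compare_digest(self._hashes.get(user, b""), hashlib.sha256(secret.encode()).digest())

class CredentialBroker:
    """Institution-side broker: users receive an opaque handle, never the credential itself."""
    def __init__(self):
        self._vault = {}  # handle -> {"user", "system", "secret", "revoked"}
        self._log = []    # every credential event: timestamp, user, system, event
    def _record(self, user, system, event):
        self._log.append({"ts": time.time(), "user": user, "system": system, "event": event})
    def issue(self, user, system):
        # Step 01: the institution generates the secret and provisions the target system itself.
        secret = secrets.token_urlsafe(32)
        system.provision(user, secret)
        handle = secrets.token_urlsafe(16)  # what the user clicks; carries no secret material
        self._vault[handle] = {"user": user, "system": system, "secret": secret, "revoked": False}
        self._record(user, system.name, "issued")
        return handle
    def connect(self, handle):
        # Step 02: the broker injects the secret at authentication; the caller never sees it.
        e = self._vault[handle]
        if e["revoked"]:
            self._record(e["user"], e["system"].name, "denied")
            return False
        ok = e["system"].login(e["user"], e["secret"])
        self._record(e["user"], e["system"].name, "connect" if ok else "failed")
        return ok
    def revoke_all(self, user):
        # Step 04: one call disables every live credential the user holds, on every system.
        hits = [e for e in self._vault.values() if e["user"] == user and not e["revoked"]]
        for e in hits:
            e["revoked"] = True
            self._record(user, e["system"].name, "revoked")
        return len(hits)
    def audit(self, user):
        # Step 03: the continuous per-user log is the evidence trail handed to a regulator.
        return [e for e in self._log if e["user"] == user]
```

Because the caller only ever holds the handle, a phished or observed user session yields nothing that can be replayed from outside the broker, and the per-user audit trail records the revocation alongside the later denied attempt.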
Regulatory framework

DORA, FCA SMCR, PCI DSS v4.0, NIS2, SEC

Every framework requires demonstrable technical evidence — not policy assertions. MyCena generates that evidence continuously.

DORA — Articles 5, 9, 28
Article 5: management body personal accountability for ICT risk. Article 9: access control governance requirements. Article 28: third-party ICT risk management requiring demonstrable access governance and instant revocation capability. Enforcement from January 2025. Personal liability for named individuals confirmed by the EBA.
✓ Satisfied
FCA SMCR — PS21/3
Named Senior Managers held personally responsible for operational resilience failures. Credential governance is an explicit component of FCA operational resilience expectations. The FCA requires financial institutions to demonstrate — not assert — that access to critical systems is governed, attributable, and recoverable within impact tolerances.
✓ Satisfied
PCI DSS v4.0 — Requirement 8
PCI DSS v4.0 Requirement 8 mandates unique authentication for all cardholder data environment access, individual accountability for every access event, and elimination of shared credentials. MyCena satisfies all three architecturally — individual credentials per user, every access attributed to a named individual, no shared credentials structurally possible.
✓ Satisfied
NIS2 — Articles 20 & 21
Essential service operators under NIS2 face personal management liability for access control governance failures (Article 20) and must demonstrate supply chain security including third-party credential governance (Article 21). Continuous technical logs satisfy NIS2’s evidence requirements where policy documents do not.
✓ Satisfied
SEC Cyber Disclosure Rule
Publicly listed financial institutions must disclose material cyber incidents within four business days. The SEC charged the SolarWinds CISO personally for misleading investors about security practices. Directors on record as having been made aware of a credential governance gap and not acted are specifically at risk under this rule and under D&O exclusion clauses.
✓ Satisfied
Cyber insurance
Financial services cyber insurance premiums are at sustained highs following the 2024 breach wave. Underwriters explicitly assess third-party access governance and credential control as rating factors. Level 4–5 credential governance maturity — demonstrated by MyCena’s continuous access log and instant revocation capability — supports premium negotiation at renewal.
✓ Satisfied
Financial services board briefing
A 45-minute board-ready briefing — DORA, FCA SMCR, PCI DSS v4.0, and the personal liability picture.