Not a compensating control. A structural elimination of the claim driver.

81% of cyber claims involve credential compromise. MyCena removes the precondition — users never hold credentials, so there is nothing to phish, share, sell, or stuff. This brief explains what MyCena does, what risk it removes, and what evidence it generates for underwriting.
81% of cyber claims involve stolen or compromised credentials — the single largest claim driver
Average total cost of a credential-based breach — IBM Cost of a Data Breach Report 2024
Premium reduction warranted at credential governance Level 4 — structural evidence available
0
Credential value to an attacker when the user never holds it — MyCena's structural position
Underwriting summary

The structural elimination of the attack surface that drives most claims.

The fundamental problem in credential-based cyber claims is that users know their passwords. A user who knows a password can be phished for it, socially engineered out of it, share it with a colleague, sell it to a threat actor, or lose it through credential stuffing. Every one of these attack vectors requires the same precondition: the user holds the credential.

MyCena removes that precondition entirely. The organisation generates every credential centrally, distributes it encrypted, and injects it invisibly at the moment of authentication. The user clicks once and accesses the system normally — they never see, know, or hold the credential. There is nothing to phish, share, sell, or steal from the user’s possession.

This is not a compensating control layered on top of credential risk. It is a structural elimination of the attack surface that drives the majority of cyber claims.

Attackers don’t break in. They log in. MyCena removes the credential before the attacker can reach it.

Attack vectors addressed

Before and after MyCena deployment.

Each of these vectors is a claim driver. Each requires the same precondition: a credential in human hands. MyCena removes that precondition structurally.

01 — Phishing
Credential theft via deceptive communication
Before: User receives phishing email, enters credentials on spoofed site. Attacker gains valid session access, often undetected for weeks.
After: No credential exists in user knowledge. Phishing attempt finds nothing to steal. User cannot enter what they do not know.

02 — Social engineering
Credential extraction via impersonation
Before: Attacker calls posing as IT support. User reads credential aloud or enters it on attacker-directed screen. MFA codes intercepted.
After: “I don’t know my password — the system handles it” closes the attack entirely. Nothing to extract under pressure.

03 — Insider sharing
Deliberate or convenience-driven sharing
Before: Users share credentials at shift handover, with contractors, or between colleagues. Audit trail is broken. Attribution is impossible.
After: Credentials are never in user possession. Sharing is architecturally impossible. Every access event is attributed to one named identity.

04 — Offboarding failure
Persistent access after employment ends
Before: Departed employee retains active credentials for days or weeks. Revocation is manual, incomplete, or never happens across all systems.
After: One command revokes all credentials across every system simultaneously. Revocation is logged with timestamp. Zero access window provable.

05 — Third-party access
Uncontrolled contractor and vendor credentials
Before: Vendors hold credentials to client systems indefinitely. Revocation on contract end is manual and often delayed. Supply chain exposure is structural.
After: All vendor credentials are organisation-controlled, scoped per system, and revocable instantly. Third-party access report available on demand.

06 — Credential stuffing
Reused passwords exploited across services
Before: Employee reuses personal password on corporate systems. External breach of an unrelated service yields valid corporate credentials.
After: MyCena generates unique, high-entropy credentials per system per user. No reuse is possible — credentials are not user-created. Stuffing finds no match.

Evidence for underwriting

Evidence available — generated automatically by the platform.

Every document below is generated as a byproduct of normal operation. No manual compilation. Available for any audit period or underwriting review.

Evidence document | What it demonstrates for underwriting purposes

Access event log

Complete, tamper-evident record of every access event — user identity, system, timestamp, device, source IP. Demonstrates 100% attributable access. No anonymous or shared-credential events.

Provisioning log

Every credential issuance with authorising administrator, user identity, target system, scope, and timestamp. Demonstrates that access is granted only through formal authorisation — no self-provisioning.

Revocation log with timestamps

Every revocation event with exact timestamp and post-revocation blocked access confirmation. Provides provable termination-to-zero-access time — critical for offboarding risk assessment.

Third-party access report

All vendor and contractor credentials currently active: scope, last access, duration, revocation status. Directly addresses third-party access governance — one of the highest-frequency claim contributors.

Workforce lifecycle log

Complete joiner-to-leaver credential history per employee. Onboarding authorisation through offboarding revocation, with all intermediate changes. Addresses workforce security controls comprehensively.

Architecture documentation

Technical documentation confirming: credentials never stored in user-accessible form, browser blocking active, injection-only architecture, encryption in transit and at rest.

Underwriting Q&A

Common underwriting questions — what MyCena deployment demonstrates.

Underwriting question | What MyCena deployment demonstrates

“Do all users have unique credentials for each system?”

Yes — MyCena generates unique credentials per user per system at issuance. No shared accounts are possible. The provisioning log confirms uniqueness for every access grant.

“How quickly is access revoked when an employee leaves?”

Revocation is simultaneous across all connected systems — not sequential. The revocation log records the exact timestamp and any post-revocation blocked attempts. Termination-to-zero-access time is measurable and typically under 60 seconds.

“How do you govern third-party and vendor access?”

All vendor credentials are organisation-controlled and scoped per system at issuance. The third-party access report shows current vendor credentials, scope, last access date, and revocation status. No vendor retains access after engagement ends without explicit re-authorisation.

“What controls prevent credential phishing?”

Structural: users never hold credentials, so phishing has no target. The browser is actively blocked from saving or displaying credential values. Even a fully compromised user device cannot expose credentials they never possessed.

“Can you provide an audit trail of privileged access?”

Yes. Every access event to every connected system is logged — user, system, timestamp, device, IP. Exportable in standard formats for policy period review. 100% coverage of MyCena-mediated access.

“What is the organisation’s MFA posture?”

MyCena complements rather than replaces MFA. Where MFA is deployed, MyCena addresses the layer beneath it: the credential itself. MFA becomes more effective when the underlying credential cannot be extracted from user knowledge.

Carrier and programme context

Where MyCena deployment is most relevant to underwriting.

Credential governance risk varies materially by sector and operating model. These are the segments where MyCena deployment changes the risk profile most significantly.

SMB / mid-market cyber
50–2,000 employees
Clients often lacking dedicated security staff. Credential governance is frequently the weakest control in the assessment.
✓ MyCena addresses the gap without requiring a dedicated security team — deployment is two weeks, ongoing overhead near zero.

MSP / managed service clients
Supply chain credential risk
MSPs accessing multiple client environments carry supply chain credential risk. One compromised technician credential reaches every client simultaneously.
✓ MyCena governs all technician credentials centrally — instant revocation across every client environment eliminates the supply chain cascade risk.

BPO / outsourced operations
Highest credential claim frequency
High agent turnover, shared workstation risk, credential sharing between shifts. Highest credential claim frequency of any sector.
✓ MyCena structurally eliminates agent credential possession — nothing to share, sell, or leave behind at shift end.

Healthcare / HIPAA-regulated
Primary HIPAA enforcement trigger
ePHI access requires unique user identification, audit controls, and workforce security safeguards. Credential governance failures are the primary HIPAA enforcement trigger.
✓ MyCena’s access log satisfies §164.312(b) audit control requirements. Unique per-user credentials satisfy §164.312(a)(1). Evidence available on demand.

Financial services / SOC 2
Most common audit finding
SOC 2 CC6 series and third-party access governance are the most common audit findings. Credential evidence is frequently manual and incomplete.
✓ MyCena generates SOC 2 CC6.1–CC6.7 evidence automatically. The access and revocation logs replace manual evidence collection entirely.

Professional services / legal
Client confidentiality obligations
High partner and contractor turnover, access to sensitive client matter files, and strong regulatory pressure from client confidentiality obligations.
✓ Contractor credential revocation on matter close is instant and auditable. Client file access is attributed to named individuals with full event logs.

Request a technical briefing
Structural elimination of the claim driver. Technical documentation and evidence samples available.