Stolen credentials have become one of the clearest examples of cyber risk turning into business risk. A single username and password can give an attacker the same access as an employee, a contractor, a supplier, or an administrator. From the board’s perspective, this makes credential exposure a governance issue, a financial issue, and a resilience issue.