Cyber Governance for Caribbean Organisations

Cyber governance is no longer an IT question; it is a board-level responsibility. This column sets out a practical framework Caribbean organisations can use to move from reactive incident response to strategic risk ownership.


A practical framework for boards and executives managing cyber risk across the region

In late 2025, the Inter-American Development Bank published the results of a cybersecurity maturity assessment across 15 Caribbean countries. The finding that should concern every executive in the region: in about half of those countries, at least one dimension of cybersecurity maturity remains at the lowest possible level — Start-up.

The dimensions where the region is relatively strongest are Policy and Strategy, and Legal and Regulatory frameworks. Countries have written cybersecurity strategies. Some have passed cybercrime legislation. Trinidad and Tobago, Jamaica, and the Dominican Republic lead the regional rankings. But the dimensions where the region is weakest are Culture and Society, and Standards and Technology. The frameworks exist on paper; the capability to implement them in practice lags behind. Critically, no country in the Caribbean has achieved Dynamic maturity, the highest level, in any dimension.

This is the core challenge of cyber governance in the Caribbean today. It is not primarily a strategy problem or a legislation problem. It is an implementation problem — and implementation requires resources, skills, and organisational culture that strategies and laws cannot create by themselves.

What Cyber Governance Actually Requires

Cyber governance is the set of structures, processes, and accountabilities through which an organisation manages its cyber risk. It is distinct from cybersecurity operations — the day-to-day technical work of defending systems. Governance is what ensures that the right questions are being asked at the right levels, that resources are allocated appropriately, and that when an incident occurs, the organisation knows what to do.

For Caribbean organisations, effective cyber governance has five components. The first is board-level ownership. Someone at the top of the organisation must be accountable for cyber risk, with the authority and the information needed to exercise that accountability. The second is a clear risk appetite — an explicit statement of what level of cyber risk the organisation is willing to accept, which informs decisions about investment, vendor selection, and incident response. The third is independent assurance — regular, externally validated assessment of the organisation’s cyber posture, not self-assessment using checklists. The fourth is an incident response plan that has been tested. Not written. Tested. The fifth is supply chain visibility — an understanding of the cyber risks introduced by vendors, partners, and technology providers.

“55% of Caribbean organisations acknowledge their cybersecurity needs improvement. Acknowledgment is not a governance response.”

The Regulatory Landscape Is Tightening

The Central Bank of Trinidad and Tobago’s (CBTT) Cybersecurity Best Practices Guideline, first released in September 2023 and updated in July 2025, requires financial institutions to conduct annual self-assessments across 20 cybersecurity requirements and submit returns to the Central Bank by March 31 each year. This is not a suggestion. It is a compliance obligation with supervisory consequences for non-compliance.

The CARICOM Cybercrime and Cybersecurity Action Plan 2025, launched in Port of Spain in October 2024 with EU support, establishes a six-pillar framework for regional cyber governance. Harmonised legislation across CARICOM member states will create a baseline below which no regulated organisation can fall. Caribbean organisations that are waiting for a regulatory mandate before investing in governance capability will find themselves in remediation mode — fixing problems under regulatory scrutiny rather than building capability proactively.

The Cybersecurity Investment Tax Allowance introduced by the Government of T&T in 2024, allowing businesses to claim up to TTD 500,000 in deductions for qualifying security investments through 2025, was a meaningful incentive signal. Organisations that used that window to build genuine capability are better positioned than those that treated it as a one-time procurement opportunity.

Building Internal Capability, Not Just Compliance

The IDB assessment identifies a persistent challenge across the Caribbean: limited enforcement of existing frameworks and limited specialised cybersecurity education and training. These constraints mean that compliance-focused cyber governance — doing the minimum to satisfy a regulator — will not produce cyber-resilient organisations. It will produce organisations that can pass an audit and still be breached.

The organisations building genuine cyber governance capability are investing in three areas simultaneously. They are developing internal expertise rather than outsourcing all security decisions to vendors who may not understand the organisation’s specific risk profile. They are building incident response muscle through regular tabletop exercises that test decision-making under pressure, not just technical responses. And they are treating cyber governance as a permanent management discipline, not a project with a completion date.

The gap between Caribbean frameworks and Caribbean capability is closeable. But closing it requires organisations to move from treating cyber governance as a compliance exercise to treating it as a business capability — one that protects value, enables digital growth, and builds the trust of customers, regulators, and partners who increasingly expect to see evidence of it.
