No Longer a Distant Threat: Cyber Risk in the Caribbean

In October 2023, the RansomEXX ransomware group successfully breached Telecommunications Services of Trinidad and Tobago — better known as TSTT. The attack exposed an ID file containing 377,164 customer records, a contacts file with 800,977 records, and a file with employee IDs and passwords containing 158,032 records, all of which were subsequently dumped on the dark web.

TSTT is not a small organisation. It is a state enterprise. The breach was not a warning shot. It was a direct hit on one of Trinidad and Tobago’s most critical pieces of digital infrastructure — and it landed in full public view, with customer data circulating on criminal forums while the organisation and government struggled to respond.

That incident crystallised something that Caribbean leaders can no longer afford to treat as an abstract risk. Cyber threats in this region are not theoretical. They are active, they are escalating, and they are finding targets that have historically assumed they were too small, too peripheral, or too unknown to be of interest to international criminal networks. That assumption is demonstrably wrong.

 205  successful cyberattacks recorded in T&T between 2019 and 2023 — 52 in 2023 alone  (TT-CSIRT / CBTT Financial Stability Report 2023)

25%  average annual growth rate in disclosed cyber incidents across LAC over the last decade  (World Bank / Cybersecurity Economics Report 2024)

53%  year-over-year increase in cyberattacks in Latin America in Q2 2024  (Check Point Research)

 The Numbers Make Uncomfortable Reading

Between 2019 and 2023, the Trinidad and Tobago Cyber Security Incident Response Team recorded 205 successful cyberattacks — 52 of them in 2023 alone. That single-year surge was flagged directly by the Central Bank of Trinidad and Tobago in its Financial Stability Report 2023, which noted that T&T witnessed a significant increase in attacks affecting both public and private sector organisations, with the country’s increased digital adoption and growing number of connected devices amplifying vulnerability.

The insurance sector bore the heaviest concentration of reported incidents. Four insurance companies reported incidents between 2019 and 2023 — ranging from a ransomware attack in 2019 to a malware attack in 2021, a data breach in 2022, and the detection of ongoing ransomware activity in 2023. The financial sector’s growing digital investment is simultaneously expanding its attack surface. In 2023 alone, the banking sector invested $180.6 million in software development while the insurance sector spent $35.6 million — both figures representing capability growth that increases exposure if not matched by security investment.

Zoom out to the region and the picture is equally stark. Latin America and the Caribbean is the world’s fastest-growing region for disclosed cyber incidents, with a 25% average annual growth rate over the last decade — and simultaneously the least protected region, with an average cybersecurity score of 10.2 out of 20. In Q2 2024, cyberattacks across Latin America rose 53% year-over-year, the highest increase of any global region. These are not statistics about distant markets. They describe the threat environment in which every Caribbean organisation is operating today.

What Is Being Targeted — and Why

Understanding the threat requires understanding why the Caribbean has become an attractive target. The answer is straightforward: digital adoption has outpaced digital defence.

As organisations across the region have digitalised — expanding e-banking platforms, moving to cloud infrastructure, connecting previously isolated systems — they have created new entry points without always securing them. A financial institution that launches a mobile banking app without implementing multi-factor authentication has opened a door. A government ministry that digitises its records without encrypting data at rest has created a liability. A manufacturer that connects its operational technology to the internet without network segmentation has given attackers a pathway into systems that were never designed to be exposed.

Across the LAC region, government institutions account for 21% of successful attacks and the financial sector 13%, according to Positive Technologies’ 2023–2024 cybersecurity analysis. In T&T specifically, the sectors most affected by cyberattacks are government, finance, and manufacturing — all organisations that hold data their owners cannot afford to lose and that typically lack the backup and recovery capability to restore operations without paying a ransom.

The threat is also increasingly automated. Attack tools that once required significant technical sophistication are now available as subscription services on criminal marketplaces — Ransomware-as-a-Service. This commoditisation means a criminal group with modest technical capability can deploy the same ransomware strain against a hospital in Trinidad, a government ministry in Barbados, and a manufacturer in Jamaica in the same week. The Caribbean’s size is no longer a shield. Small markets are not low-value targets; they are under-defended ones.

 “Latin America and the Caribbean is the world’s fastest-growing region for cyber incidents — and the least protected, with an average cybersecurity score of 10.2 out of 20.”

 The Maturity Gap: Where the Region Actually Stands

The most authoritative assessment of where the Caribbean stands on cybersecurity was published in late 2025. The IDB’s 2025 Cybersecurity Report, prepared with the Organization of American States and the Global Cybersecurity Capacity Centre at the University of Oxford, assessed 30 countries including 15 from the CARICOM region across five dimensions of cybersecurity maturity, from Start-up (lowest) to Dynamic (highest).

The findings are sobering. In about half of the Caribbean/CARICOM countries examined, at least one dimension is still at the lowest stage — Start-up. While countries generally performed adequately on Policy and Strategy, and Legal and Regulatory frameworks, the dimensions of Culture and Society, and Standards and Technology were markedly weaker. Critically, no country in the region has achieved Dynamic maturity in any dimension.

The Dominican Republic, Jamaica, and Trinidad and Tobago led the regional assessment and demonstrated greater cybersecurity capacity maturity overall. T&T’s comparative strength is partly attributable to the Central Bank’s Cybersecurity Best Practices Guideline — released in September 2023, updated in July 2025 — which introduced 20 mandatory cybersecurity requirements for supervised financial institutions. The government also introduced a Cybersecurity Investment Tax Allowance in 2024 allowing businesses to claim up to TTD 500,000 in deductions for qualifying security investments.

But the IDB assessment identifies the region’s central challenge with precision: much of the improvement in cybersecurity maturity since 2020 has been in framework elements — laws, strategies, and policies. The current challenge is successfully implementing those enabling structures, which requires technical hardware, software standards, suitably qualified personnel, and a fundamental change in organisational culture. In plain terms: we have written the strategies. We have passed some of the laws. We have not yet built the capability to execute them.

Three Vulnerabilities Every Caribbean Board Should Understand

Beyond the headline statistics, three structural vulnerabilities define the Caribbean cyber risk landscape and deserve specific attention from leadership.

Underreporting distorts the true scale of the problem: The 205 successful attacks recorded in T&T between 2019 and 2023 represent only reported incidents. The manager of TT-CSIRT has stated publicly that cyberattacks are significantly under-reported, with businesses opting not to disclose incidents to avoid reputational damage. This silence is dangerous: every organisation that stays quiet after a breach deprives others of intelligence about attack patterns and threat actors. The actual exposure across the Caribbean is almost certainly far larger than published statistics suggest.

 The supply chain is the new perimeter: Caribbean organisations have tended to think about cybersecurity as defending their own networks. But the TSTT breach — and global precedent — illustrates that attackers increasingly gain entry through third parties: vendors, technology partners, payment processors, and cloud service providers. An organisation can have strong internal security and still be compromised through a supplier with weak controls. Third-party risk management — assessing and contractually requiring minimum cybersecurity standards from vendors — remains nascent across most of the region.

 The skills shortage is structural, not cyclical: Among the persistent challenges identified in the IDB 2025 assessment are the absence of dedicated, fully resourced national CSIRTs in several countries, limited enforcement of existing frameworks, and limited specialised cybersecurity education and training. The Caribbean cannot train cybersecurity professionals fast enough to fill the gap at current rates of digital adoption. This requires a regional talent strategy — including competitive compensation, international training partnerships, and deliberate retention of graduates who are currently being recruited into remote roles by North American and European employers paying in hard currency.

 “Every organisation that stays silent after a breach makes the next organisation more vulnerable.”

 What the Leading Organisations Are Doing

The organisations in T&T and the broader Caribbean that are ahead of the threat share several practices worth distilling for boards and executive teams.

They have moved from compliance to resilience. Compliance — meeting the CBTT’s 20 requirements, passing an audit, ticking the boxes — is necessary but not sufficient. The leading organisations have shifted their thinking from “are we compliant?” to “can we operate if we are breached?” Business continuity planning, tested backup and recovery systems, and incident response procedures that have been rehearsed before an attack are the markers of genuine cyber resilience. A plan that has never been practiced is not a plan — it is a document.

They treat cyber risk as a board-level matter. Organisations where cybersecurity sits exclusively in the IT department are consistently less prepared than those where the board reviews cyber risk as a standing agenda item, where the CEO owns the organisational response to a major incident, and where risk appetite for cyber exposure is set at governance level. The CBTT’s Cybersecurity Best Practices Guideline explicitly requires board-level oversight — but the spirit of that requirement, not just the letter, separates adequate compliance from genuine preparedness.

They invest in people, not just products. A security operations centre running the latest threat detection software is only as effective as the people monitoring it. The organisations ahead of the curve in our region are investing in training, building internal capability rather than total vendor dependency, and creating career pathways that give cybersecurity professionals a reason to stay in the organisation — and in the region.

The Regional Response Is Accelerating — but So Is the Threat

The institutional response to Caribbean cyber risk has stepped up meaningfully in the past two years. The updated CARICOM Cybercrime and Cybersecurity Action Plan 2025 — launched in Port of Spain in October 2024 and supported by the European Union under the EU-LAC Digital Alliance — provides a six-pillar strategic framework for protecting the Caribbean’s digital transformation. The inaugural Commonwealth Caribbean Cyber Fellowship, convened in Port of Spain in January 2025, brought together cybersecurity experts from the Bahamas, Barbados, Grenada, Guyana, Jamaica, and T&T to develop a shared roadmap aligned with the Commonwealth Cyber Declaration. CARICOM’s Cyber Resilience Strategy 2030 Project, launched in March 2024 with USAID support, aims to bolster capabilities across all member states.

These are real advances. Regional cooperation on cybersecurity matters because the threat does not respect national borders. A ransomware group that successfully attacks a financial institution in one Caribbean territory will probe similar institutions across the region. Shared intelligence, harmonised legislation, and coordinated incident response are force multipliers that no individual country can generate alone.

But cooperation frameworks take time to mature. The attacks are happening now. And the gap between the region’s digital ambitions and its cyber defences is not closing fast enough.

 The Caribbean cyber threat is no longer a future risk to be managed through strategy documents and awareness campaigns. It is a present operational reality that requires investment, governance, and the kind of organisational seriousness we reserve for the threats we take most seriously.

The TSTT breach in 2023 was not an isolated incident. It was a preview — of the scale of data that criminal groups will target, of the reputational and operational damage a successful attack inflicts, and of the gap between our digital ambitions and our digital defences.

Closing that gap is not optional. In a region accelerating toward a digital economy, cyber resilience is the foundation on which everything else must be built. Organisations and governments that treat it as a technical afterthought will discover, sooner than they expect, that it is an existential priority.