Dawgen Decodes — Bank-of-Jamaica Cyber-Risk Series | Article 2

The Bank of Jamaica’s 2025 Standard of Sound Practice – Management of Cyber Risks requires every deposit-taking institution (DTI) to embed a four-lines-of-defence model inside its cyber-risk-management framework. The structure—Operational Management, Risk Management, Internal Audit, and Information-Sharing & External Assurance—creates clear ownership, independent challenge, and an external feedback loop that together drive faster detection, stronger controls, and regulator confidence.

1 | Why “Four Lines” Outperform Single-Layer Defences

  • Attackers move laterally across systems and teams; siloed controls do not follow them. Segregating duties across four lines removes single points of failure and conflicts of interest.

  • The model aligns with corporate-governance best practice and is now a minimum expectation for Jamaican DTIs.

  • Board minutes must show the lines interacting—reporting, challenging, and remediating—on a routine schedule.

2 | First Line of Defence — Operational Management

Mandate: own and manage day-to-day cyber risk.

Practical actions:

  • Structure & expertise: designate CIO, CISO, Cyber-Incident Response & Recovery (CIRR) leads, plus a PMO for tech change.

  • Cyber hygiene: mandatory awareness training, multi-factor authentication (MFA), social-engineering drills.

  • Third-party due diligence: supplier screening, SOC 2 evidence, and contract clauses.

Tip: Maintain a dynamic risk register and prioritise threats that could materially disrupt “critical operations,” as defined by the BOJ.

3 | Second Line of Defence — Risk Management Function

The CRO’s team oversees, challenges, and aggregates cyber risk across the enterprise. Core duties include:

  • Propose risk-tolerance levels for board approval.

  • Ensure cyber risk is embedded into the enterprise-risk-management framework.

  • Track impact-driven metrics such as duration of system unavailability, records exposed, and revenue lost.

  • Validate that First-Line treatment plans address the highest-severity items and are resourced.

4 | Third Line of Defence — Internal Audit

Internal Audit provides independent assurance that the first two lines are working:

  • Test control design and operating effectiveness against NIST CSF or other recognised standards.

  • Coordinate with external assessors and regulators to benchmark maturity.

  • Report gaps directly to the Audit Committee—bypassing management if required.

5 | Fourth Line of Defence — Information-Sharing & External Assurance

This “outer ring” brings threat intelligence and impartial validation:

  • Threat-intel sharing: establish relationships with JaCIRT and sector ISACs; feed actionable intel into the SOC.

  • Regulatory reporting: notify the BOJ of cyber incidents within 72 hours and supply forensic reports if requested.

  • External attestation: alternate yearly between self-assessment (2nd/3rd line) and independent audit; include compensating controls for any gaps.

  • Continuous testing: external vulnerability scans (at least twice yearly) and penetration tests (at least annually).

6 | Making the Lines Work Together — Reporting & Escalation

  • Risk dashboards: First and Second Lines report KPIs to the board each quarter, such as recovery performance against RPO/RTO targets, attacker dwell time, and patch-SLA compliance.

  • Escalation triggers: A critical vulnerability unresolved past SLA or any incident breaching tolerance limits must rise from First → Second → Board within 24 hours.

  • Annual “four-lines” workshop: Align roles, update RACI, and rehearse cross-line communications.
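The escalation triggers and dashboard KPIs above are easier to operate than to describe. The following is an added illustration, not code from the article or from any BOJ or Dawgen Global material: it runs over a constructed vulnerability register and incident log, flags the two triggers named above (a critical vulnerability open past its SLA, and an incident whose outage of a critical operation breaches the tolerance limit) with a 24-hour escalation deadline, and computes patch-SLA compliance and dwell time for the quarterly dashboard. The SLA days per severity, the 4-hour outage tolerance, and all sample records are assumptions chosen for the example, not figures from the standard.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values (illustrative, not figures from the BOJ standard):
# remediation SLA in days by severity, and the board-approved tolerance for
# unplanned unavailability of a critical operation.
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
OUTAGE_TOLERANCE = timedelta(hours=4)
ESCALATION_WINDOW = timedelta(hours=24)   # First -> Second -> Board


@dataclass
class Vuln:
    vuln_id: str
    severity: str                  # key of PATCH_SLA_DAYS
    asset: str
    opened: datetime
    closed: Optional[datetime] = None


@dataclass
class Incident:
    incident_id: str
    critical_operation: bool       # affected a "critical operation"
    first_compromise: datetime     # earliest attacker activity found by forensics
    detected: datetime
    contained: datetime
    outage: timedelta              # duration of system unavailability


def vuln_status(v: Vuln, now: datetime):
    """Return (status, days_open); status is 'closed', 'within_sla' or 'overdue'."""
    end = v.closed or now
    days_open = (end - v.opened).days
    if v.closed is not None:
        return "closed", days_open
    if days_open > PATCH_SLA_DAYS[v.severity]:
        return "overdue", days_open
    return "within_sla", days_open


def escalation_triggers(vulns, incidents, now: datetime):
    """Items that must rise First -> Second -> Board within ESCALATION_WINDOW."""
    triggers = []
    for v in vulns:
        status, days = vuln_status(v, now)
        if v.severity == "critical" and status == "overdue":
            triggers.append({
                "ref": v.vuln_id,
                "reason": f"critical vuln on {v.asset} open {days}d, SLA {PATCH_SLA_DAYS['critical']}d",
                "escalate_by": now + ESCALATION_WINDOW,        # clock starts at this check
            })
    for i in incidents:
        if i.critical_operation and i.outage > OUTAGE_TOLERANCE:
            triggers.append({
                "ref": i.incident_id,
                "reason": f"critical-operation outage {i.outage} exceeds tolerance {OUTAGE_TOLERANCE}",
                "escalate_by": i.detected + ESCALATION_WINDOW,  # clock starts at detection
            })
    return triggers


def dashboard_kpis(vulns, incidents, now: datetime):
    """Quarterly board KPIs: patch-SLA compliance of open items and attacker
    dwell time (first compromise to detection), in hours."""
    open_vulns = [v for v in vulns if v.closed is None]
    overdue = [v for v in open_vulns if vuln_status(v, now)[0] == "overdue"]
    compliance = 1 - len(overdue) / len(open_vulns) if open_vulns else 1.0
    dwell_hours = [(i.detected - i.first_compromise).total_seconds() / 3600 for i in incidents]
    return {
        "open_vulns": len(open_vulns),
        "overdue_vulns": len(overdue),
        "patch_sla_compliance": compliance,
        "mean_dwell_hours": sum(dwell_hours) / len(dwell_hours) if dwell_hours else 0.0,
        "max_dwell_hours": max(dwell_hours, default=0.0),
    }


# Constructed sample register and incident log (not real data).
NOW = datetime(2025, 9, 30)
VULNS = [
    Vuln("V-1", "critical", "core-banking-api", datetime(2025, 9, 10)),   # 20d open: overdue, escalate
    Vuln("V-2", "high", "hr-portal", datetime(2025, 9, 15)),              # 15d open: within SLA
    Vuln("V-3", "critical", "payments-gateway", datetime(2025, 9, 1), closed=datetime(2025, 9, 5)),
    Vuln("V-4", "medium", "intranet-wiki", datetime(2025, 5, 1)),         # 152d open: overdue, not critical
]
INCIDENTS = [
    Incident("INC-1", True, datetime(2025, 9, 1, 2), datetime(2025, 9, 3, 9), datetime(2025, 9, 3, 15), timedelta(hours=6)),
    Incident("INC-2", False, datetime(2025, 9, 20, 10), datetime(2025, 9, 20, 11), datetime(2025, 9, 20, 13), timedelta(minutes=30)),
]

if __name__ == "__main__":
    for t in escalation_triggers(VULNS, INCIDENTS, NOW):
        print(f"ESCALATE {t['ref']}: {t['reason']} (board by {t['escalate_by']:%Y-%m-%d %H:%M})")
    print(dashboard_kpis(VULNS, INCIDENTS, NOW))
```

On the sample data the run flags V-1 and INC-1 only: V-4 is overdue but not critical, so it stays a dashboard item rather than a board escalation, and INC-2 neither touched a critical operation nor exceeded the tolerance. Dwell time is measured to detection rather than containment so that the metric reflects detection capability; time-to-contain would be a separate KPI.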

7 | 90-Day Implementation Checklist

  • Days 1–30: Map existing functions to the four-line model; close any role gaps. (Accountable: Board & Senior Management)

  • Days 31–60: Launch an integrated risk register; define tolerance thresholds & KPIs. (Accountable: First & Second Lines)

  • Days 61–90: Conduct a tabletop exercise with Internal Audit observing; ingest JaCIRT threat-intel feeds. (Accountable: All Lines)

Dawgen Global View

A well-oiled four-line defence is more than governance—it’s a competitive differentiator that proves cyber resilience to regulators, investors, and customers alike.

How Dawgen Global Helps

  • Four-Line RACI Design: clear ownership, no overlaps, no gaps.

  • KPI & Dashboard Build-out: real-time visibility for boards and regulators.

  • External Assurance & Pen-Testing: meet the BOJ’s fourth-line requirements without overhead.

  • Cross-Line Simulation Drills: stress-test communication and escalation pathways.

Ready to operationalise the BOJ’s four-line mandate? Let’s talk.


Next Step!

Embrace BIG FIRM capabilities without the big firm price at Dawgen Global, your committed partner in carving a pathway to continual progress in the vibrant Caribbean region. Our integrated, multidisciplinary approach is finely tuned to address the unique intricacies and lucrative prospects that the region has to offer. Offering a rich array of services, including audit, accounting, tax, IT, HR, risk management, and more, we facilitate smarter and more effective decisions that set the stage for unprecedented triumphs. Let’s collaborate and craft a future where every decision is a steppingstone to greater success. Reach out to explore a partnership that promises not just growth but a future beaming with opportunities and achievements.

✉️ Email: [email protected] 🌐 Visit: Dawgen Global Website

📞 Caribbean Office: +1876-6655926 / 876-9293670/876-9265210 📲 WhatsApp Global: +1 876 5544445

📞 USA Office: 855-354-2447

Join hands with Dawgen Global. Together, let’s venture into a future brimming with opportunities and achievements.

by Dr Dawkins Brown

Dr. Dawkins Brown is the Executive Chairman of Dawgen Global, an integrated multidisciplinary professional service firm. Dr. Brown earned his Doctor of Philosophy (Ph.D.) in the field of Accounting, Finance and Management from Rushmore University. He has over twenty-three (23) years’ experience in the fields of audit, accounting, taxation, finance and management. Starting his public accounting career in the audit department of a “big four” firm (Ernst & Young), and gaining experience in local and international audits, Dr. Brown rose quickly through the senior ranks and held the position of Senior Consultant prior to establishing Dawgen.


Dawgen Global is an integrated multidisciplinary professional service firm in the Caribbean Region. We are integrated as one regional firm and provide several professional services including: audit, accounting, tax, IT, risk, HR, performance, M&A, corporate recovery and other advisory services.


© 2023 Copyright Dawgen Global. All rights reserved.
