
The Examination Finding That Changed Everything
The chief executive of a Caribbean insurance company with approximately US$120 million in gross written premium and operations across three territories received the regulatory examination report on a Tuesday morning. The examination had been conducted six weeks earlier by the financial services regulator as part of its routine supervisory cycle. The CEO had expected the usual findings: minor documentation gaps, a few process improvements, perhaps a recommendation to strengthen the audit committee’s oversight of a particular risk area. The company had passed its previous two examinations with manageable findings.
This examination was different. The regulator had expanded its examination scope to include cybersecurity governance — a new focus area that reflected the regulator’s growing concern about the sector’s vulnerability to cyber threats following several high-profile incidents at Caribbean financial institutions over the preceding eighteen months.
The examination report contained seventeen findings, eleven of which were classified as requiring immediate remediation. The findings were not about exotic or advanced security failures. They were about the absence of fundamental cybersecurity controls that the regulator now expected every licensed institution to demonstrate.
Finding 1 — No Cybersecurity Policy Framework: The company had no board-approved cybersecurity policy. No information security policy existed that defined the company’s approach to protecting its information assets, the roles and responsibilities for cybersecurity, the standards and controls the company committed to implementing, or the governance structure for cybersecurity oversight. The board had never discussed cybersecurity as a standing agenda item. The audit committee had never reviewed the company’s cybersecurity posture.
Finding 2 — No Risk Assessment: The company had never conducted a cybersecurity risk assessment. No process existed to identify the company’s critical information assets, assess the threats and vulnerabilities affecting those assets, evaluate the likelihood and impact of a cybersecurity incident, or prioritise the controls required to reduce risk to an acceptable level. The company could not demonstrate that it understood its own cybersecurity risk profile.
Finding 3 — No Multi-Factor Authentication: As documented in Article 6, multi-factor authentication was absent across the company’s systems. The core insurance platform, the email system, the VPN for remote access, and the financial reporting system were all protected by username and password only.
Finding 4 — No Incident Response Plan: The company had no documented plan for responding to a cybersecurity incident. No roles were defined for incident management. No communication protocols existed for notifying the regulator, the board, customers, or law enforcement in the event of a breach. No escalation procedures existed to guide the response from detection through containment, eradication, recovery, and post-incident review.
Finding 5 — No Penetration Testing or Vulnerability Assessment: As documented in Article 7, the company had never commissioned a penetration test or conducted a vulnerability assessment of its internet-facing systems. The company’s website, customer portal, and email servers had never been tested by a security professional.
Finding 6 — No Employee Security Awareness Programme: As documented in Article 4, no structured security awareness training existed. Employees had received no training on phishing identification, password management, social engineering, or the company’s security expectations.
Finding 7 — No Third-Party Risk Management for Technology Vendors: The company relied on seven technology vendors for critical services including the core insurance platform, email hosting, cloud backup, and the customer portal. No cybersecurity due diligence had been conducted on any vendor. No contract provisions required vendors to maintain specific security standards, notify the company of breaches, or permit security audits. The company had no visibility into the cybersecurity practices of the vendors who processed and stored its most sensitive data.
The remaining findings addressed the absence of data classification, the absence of access reviews, the absence of backup testing, and the absence of business continuity planning for cybersecurity events. Taken together, the seventeen findings painted a comprehensive picture of a company that had built its insurance operations with professional rigour — actuarial discipline, underwriting standards, claims processes, and financial controls — but had not applied equivalent rigour to protecting the information systems and data that those operations depended upon.
The regulator’s remediation requirements were substantial. The company was given ninety days to present a board-approved cybersecurity policy framework and a risk assessment. It was given six months to implement multi-factor authentication, establish an incident response plan, commence penetration testing, launch a security awareness programme, and initiate third-party cybersecurity due diligence. Quarterly progress reports to the regulator were required for twelve months. Failure to meet the remediation timeline would result in enhanced supervisory measures including potential restrictions on the company’s ability to write new business.
The CEO’s reflection captured the transformation: “We are a well-run insurance company. We have strong underwriting discipline, solid claims management, and clean financial controls. But we had treated cybersecurity as an IT issue, not a governance issue. The regulator has made it clear that cybersecurity is a board-level responsibility, and they expect the same rigour that we apply to our actuarial and financial controls. We need to build a cybersecurity programme — not buy a product.”
The Caribbean Regulatory Cybersecurity Landscape
Caribbean financial regulators have accelerated their cybersecurity expectations significantly. What was advisory guidance two years ago is becoming enforceable supervisory expectation. The insurance company’s examination findings reflect a regional pattern.
Financial Sector Regulators: The Bank of Jamaica, the Central Bank of Trinidad and Tobago, the Central Bank of Barbados, the Cayman Islands Monetary Authority, the Eastern Caribbean Central Bank, and their counterparts across the region are progressively incorporating cybersecurity into their examination frameworks. Financial institutions — banks, credit unions, insurance companies, securities dealers, and money services businesses — face examination against cybersecurity standards that include governance, risk assessment, access controls, incident response, business continuity, vendor management, and employee awareness.
Data Protection Legislation: Jamaica’s Data Protection Act, Trinidad’s Data Protection Act, Barbados’s Data Protection Act, and similar legislation across the region impose obligations on every enterprise — not only financial institutions — that processes personal data. These obligations include implementing appropriate technical and organisational measures to protect personal data, notifying the data protection authority and affected individuals of data breaches, demonstrating accountability for data protection practices, and maintaining records of processing activities. A cybersecurity breach that exposes personal data triggers obligations under data protection legislation regardless of the enterprise’s industry.
Payment Card Industry Standards: Every Caribbean enterprise that accepts, processes, stores, or transmits payment card data is required to comply with the Payment Card Industry Data Security Standard. PCI DSS version 4.0 requires multi-factor authentication, regular vulnerability scanning and penetration testing, web application protection, access controls, encryption, and logging and monitoring. The retail group in Article 8 was found non-compliant after the web skimming breach. Compliance is not voluntary — it is a condition of the enterprise’s ability to accept card payments.
International Business Requirements: Caribbean enterprises that serve international clients, participate in global supply chains, or maintain correspondent banking relationships increasingly face cybersecurity requirements imposed by their international counterparts. International insurers require cybersecurity due diligence from their Caribbean reinsurance partners. International banks assess their Caribbean correspondents’ cybersecurity as part of de-risking evaluations. International clients require evidence of security certifications such as ISO 27001 or SOC 2. The Caribbean enterprise’s cybersecurity posture is becoming a condition of its international market access.
Building a Cybersecurity Compliance Programme
A cybersecurity compliance programme is not a collection of products. It is a governance framework that integrates policy, risk management, technical controls, human controls, vendor oversight, and continuous improvement into a structured programme that the board can oversee, the regulator can examine, and the enterprise can demonstrate.
Phase 1 — Governance and Policy (Months 1–2): The foundation is governance. The board approves a cybersecurity policy framework that defines the enterprise’s commitment to protecting its information assets, the roles and responsibilities for cybersecurity (including the board’s oversight role), the standards and controls the enterprise commits to implementing, and the reporting structure that keeps the board informed. The cybersecurity policy framework should align with a recognised standard — the NIST Cybersecurity Framework, ISO 27001, or the specific guidance issued by the enterprise’s regulator — to provide the structure and completeness that ad hoc policy development often lacks. The audit committee or a designated board committee assumes oversight responsibility for cybersecurity, receiving regular reports on the enterprise’s security posture, risk assessments, incident activity, and programme progress.
Phase 2 — Risk Assessment (Months 2–3): The cybersecurity risk assessment identifies the enterprise’s critical information assets (customer data, financial records, intellectual property, operational systems), assesses the threats and vulnerabilities affecting those assets, evaluates the likelihood and business impact of cybersecurity incidents, and produces a risk register that prioritises the controls required. The risk assessment is the evidence-based foundation for every subsequent investment decision: the enterprise invests in the controls that address the highest-priority risks, rather than purchasing technology based on vendor recommendations or peer comparison.
Phase 3 — Technical Controls Deployment (Months 3–6): The technical controls documented throughout this series are deployed based on the risk assessment’s priorities. For most Caribbean enterprises, the priority sequence addresses the attack surface in the order that this series has documented: email threat defence (Article 2 — the primary attack vector), endpoint protection and recovery (Article 3 — the device-level defence), human risk management (Article 4 — the human dimension), device and infrastructure management (Article 5 — the mobile and infrastructure visibility), identity and access governance (Article 6 — the authentication and privileged access controls), offensive security and vulnerability management (Article 7 — the testing and assessment discipline), and data and application security (Article 8 — the application, data, and infrastructure protection layer). The deployment sequence may vary based on the enterprise’s specific risk profile, but the layered approach ensures that each control reinforces the others.
Phase 4 — Incident Response Planning (Months 4–5): The incident response plan defines how the enterprise will detect, contain, eradicate, and recover from cybersecurity incidents. The plan assigns roles and responsibilities to named individuals (not just job titles), defines escalation procedures based on incident severity, establishes communication protocols for the board, the regulator, law enforcement, customers, and the media, includes playbooks for the most likely incident scenarios (ransomware, data breach, business email compromise, insider threat), and defines the post-incident review process that captures lessons learned and drives improvement. The plan must be tested through tabletop exercises at least annually — a requirement that regulators are increasingly examining.
Phase 5 — Third-Party Risk Management (Months 5–6): The enterprise’s cybersecurity is only as strong as the weakest vendor in its supply chain. Third-party risk management establishes the due diligence process for technology vendors: assessing the vendor’s cybersecurity practices before engagement, incorporating cybersecurity requirements into contracts (security standards, breach notification, audit rights, data handling), monitoring the vendor’s cybersecurity posture during the relationship, and conducting periodic reassessments. The insurance company’s seven technology vendors with no cybersecurity due diligence represented seven unassessed access points to the company’s data.
Phase 6 — Continuous Improvement and Reporting (Ongoing): Cybersecurity is not a project with a completion date. It is a continuous programme that evolves as threats change, as the enterprise’s technology environment evolves, and as regulatory expectations increase. Continuous improvement includes regular risk reassessment (at least annually and after significant changes), periodic penetration testing and vulnerability assessment, ongoing security awareness training, access reviews and recertification, incident response plan testing, vendor reassessments, and regular reporting to the board and the regulator. The reporting cadence should produce quarterly board reports that summarise the enterprise’s security posture, incident activity, programme progress, and emerging risks.
Dawgen Global’s Cybersecurity Compliance Programme
Dawgen Global’s Cybersecurity Compliance Programme is the integrated service that enables Caribbean enterprises to build, implement, and sustain the cybersecurity programme that regulators expect, international partners require, and the enterprise’s own risk profile demands.
Governance and Policy Development: Dawgen Global develops the board-level cybersecurity policy framework aligned to the enterprise’s regulatory requirements and chosen standard (NIST CSF, ISO 27001, or regulator-specific guidance). The framework includes the information security policy, acceptable use policy, incident response policy, vendor management policy, data classification policy, and the governance structure that connects cybersecurity oversight to the board.
Cybersecurity Risk Assessment: Dawgen Global conducts the comprehensive cybersecurity risk assessment: asset identification, threat and vulnerability assessment, risk evaluation, and the production of the risk register that prioritises the enterprise’s control investments. The risk assessment is delivered in a format that satisfies regulatory examination requirements and that the board can use for governance oversight.
Technical Controls Implementation: Dawgen Global deploys the full suite of technical controls documented in this series: email threat defence, endpoint protection and recovery, human risk management, device and infrastructure management, identity and access governance, offensive security and vulnerability management, and data and application security. The implementation is sequenced based on the risk assessment’s priorities, ensuring that the highest-priority risks are addressed first.
Incident Response Planning and Testing: Dawgen Global develops the incident response plan, conducts tabletop exercises to test the plan, and provides the managed incident response capability that ensures the enterprise can respond effectively when an incident occurs. The plan is tailored to the enterprise’s regulatory reporting obligations and communication requirements.
Third-Party Risk Management: Dawgen Global establishes the vendor cybersecurity due diligence programme: assessment methodology, contract provisions, ongoing monitoring framework, and the periodic reassessment cycle. For enterprises with multiple technology vendors, the programme prioritises assessments based on the vendor’s access to sensitive data and critical systems.
Regulatory Reporting and Examination Support: Dawgen Global provides the reporting that regulatory compliance requires: board-ready quarterly reports, regulatory examination documentation, remediation progress tracking, and direct support during regulatory examinations when cybersecurity is within the examination scope. For enterprises responding to regulatory findings — as the insurance company was required to do — Dawgen Global manages the remediation programme and the quarterly progress reporting.
Certification Support: For enterprises pursuing international cybersecurity certifications (ISO 27001, SOC 2), Dawgen Global provides the gap assessment, remediation guidance, documentation development, and implementation support that prepares the enterprise for certification. Certification is increasingly valuable for Caribbean enterprises seeking international business relationships, correspondent banking relationships, and competitive differentiation.
The Compliance Maturity Journey
Caribbean enterprises approach cybersecurity compliance from different starting points. Dawgen Global’s programme is designed to meet the enterprise where it is and advance it systematically.
Stage 1 — Reactive: The enterprise has no cybersecurity programme. Security is handled ad hoc by the IT team. No policies, no risk assessment, no formal controls. This was the insurance company’s starting point. The priority is establishing governance, conducting the risk assessment, and deploying the foundational controls that address the most immediate risks.
Stage 2 — Foundational: The enterprise has basic controls (antivirus, firewall, backup) but lacks the governance framework, the advanced controls, and the continuous management that a comprehensive programme requires. The priority is formalising the governance structure, deploying the layered controls, and establishing the monitoring and reporting that demonstrate programme maturity.
Stage 3 — Managed: The enterprise has a governance framework, deployed controls, and regular reporting. The priority is optimising the programme: advanced threat detection, proactive threat hunting, automated response, continuous testing, and the programme refinements that move the enterprise from compliance to resilience.
Stage 4 — Optimised: The enterprise operates a mature cybersecurity programme that exceeds regulatory expectations, supports international certifications, and integrates cybersecurity into business strategy. The priority is maintaining the programme, adapting to emerging threats, and leveraging the enterprise’s cybersecurity maturity as a competitive advantage.
Beyond Compliance: Cybersecurity as Business Enablement
The insurance company’s CEO described the regulatory examination as a wake-up call. But the programme that the company built in response to the examination delivered benefits that extended far beyond satisfying the regulator.
Client Confidence: The company’s corporate clients — particularly those in regulated industries — began requesting evidence of the company’s cybersecurity practices as part of their own vendor due diligence. The cybersecurity programme provided the documentation, certifications, and assurances that satisfied these requests and strengthened client relationships.
International Market Access: The company’s reinsurance partnerships required cybersecurity due diligence. The programme’s alignment with international standards satisfied the reinsurers’ requirements and protected the company’s access to international reinsurance capacity — capacity that is essential to its business model.
Operational Resilience: The technical controls, the incident response plan, and the business continuity planning reduced the company’s vulnerability to the disruptions documented throughout this series. The programme did not merely satisfy the regulator; it protected the company’s operations.
Board Governance: The quarterly cybersecurity reports gave the board visibility into a risk category that it had previously been unable to assess. The board could now ask informed questions, allocate resources based on evidence, and discharge its governance responsibilities for a risk that is material to the enterprise.
From Examination Finding to Competitive Advantage
The fictional insurance company received seventeen regulatory findings because it had treated cybersecurity as an IT issue rather than a governance imperative. The remediation programme that followed was substantial — six months of intensive work to build the policy framework, deploy the controls, establish the processes, and demonstrate the progress that the regulator required.
But the programme that emerged from the remediation was not merely a response to regulatory pressure. It was a cybersecurity capability that protected the enterprise’s operations, satisfied its clients’ expectations, maintained its international relationships, and gave its board the governance visibility that every board in the Caribbean needs.
Every Caribbean enterprise — whether regulated or not — faces the same fundamental choice: build the cybersecurity programme proactively, or build it reactively after the examination finding, the breach, or the client loss that makes the investment unavoidable. The cost of building the programme is the same either way. The cost of delay is not.
Build Your Cybersecurity Compliance Programme
Dawgen Global invites Caribbean enterprises to build the cybersecurity compliance programme that regulators expect, clients require, and the enterprise’s own resilience demands.
Request a Dawgen Global Cybersecurity Compliance Assessment, Regulatory Readiness Review, or Cybersecurity Programme Development engagement. Email [email protected] or visit www.dawgen.global to begin the conversation.
DAWGEN GLOBAL | Big Firm Capabilities. Caribbean Understanding.
About Dawgen Global
“Embrace BIG FIRM capabilities without the big firm price at Dawgen Global, your committed partner in carving a pathway to continual progress in the vibrant Caribbean region. Our integrated, multidisciplinary approach is finely tuned to address the unique intricacies and lucrative prospects that the region has to offer. Offering a rich array of services, including audit, accounting, tax, IT, HR, risk management, and more, we facilitate smarter and more effective decisions that set the stage for unprecedented triumphs. Let’s collaborate and craft a future where every decision is a stepping stone to greater success. Reach out to explore a partnership that promises not just growth but a future beaming with opportunities and achievements.”
Email: [email protected]
Visit: www.dawgen.global
WhatsApp Global: +1 555-795-9071
Caribbean Office: +1 876-665-5926 / +1 876-929-3670 / +1 876-926-5210
USA Office: 855-354-2447
Join hands with Dawgen Global. Together, let’s venture into a future brimming with opportunities and achievements.

