
The Caribbean’s cyber threat landscape has transformed from an incidental business risk into a primary operational and strategic exposure. The region’s rapid digital adoption — combined with significant gaps in defensive capability, incident reporting culture, and cybersecurity talent — has created conditions that sophisticated threat actors are actively exploiting. Caribbean boards that have not yet placed cyber risk at the centre of their governance agenda are governing in a threat environment they do not fully understand.
CARISK™ CARIBBEAN CYBER RISK MATRIX — DOMAIN 6 DEEP DIVE
| Threat Vector | Likelihood | Impact | Risk Score | Primary Caribbean Target Sectors |
| --- | --- | --- | --- | --- |
| Ransomware Attack | HIGH | CRITICAL | CRITICAL | Financial services, government, healthcare, manufacturing |
| Business Email Compromise (BEC) | VERY HIGH | HIGH | CRITICAL | All sectors; particularly professional services, real estate, construction |
| Data Breach / Exfiltration | HIGH | HIGH | HIGH | BPO, financial services, healthcare, government, tourism |
| Phishing & Social Engineering | VERY HIGH | MODERATE | HIGH | All sectors; primary entry vector for most attack categories |
| Third-Party / Supply Chain Compromise | MODERATE | HIGH | HIGH | Financial services, energy, government, large enterprises with complex supply chains |
| Distributed Denial of Service (DDoS) | HIGH | MODERATE | MODERATE | Financial services, e-commerce, government, media |
| Insider Threat | MODERATE | HIGH | HIGH | Financial services, BPO, government, organisations with privileged data access |
| Nation-State / Advanced Persistent Threat | MODERATE | CRITICAL | HIGH | Financial centres (Cayman, Bahamas, Barbados), energy sector (T&T), government systems |
| Cryptocurrency / Financial Crime Cyber | HIGH | HIGH | HIGH | Financial services, fintech, money services businesses, credit unions |
Every week, somewhere in the Caribbean, an organisation discovers it has been compromised. A finance director notices that a wire transfer confirmation does not match the instructions she thought she sent. A hospital system finds its patient records encrypted and a ransom demand on every screen. A government agency discovers that its email server has been used to send thousands of phishing messages to citizens. A BPO operator learns that client data it was contracted to protect has been exfiltrated and is now circulating on a dark web marketplace. These incidents are not rare. They are not the work of unusually sophisticated actors targeting uniquely vulnerable organisations. They are the routine operational reality of the Caribbean cyber threat environment in 2026.
What has changed over the past five years is not simply the volume of cyber incidents — though that has increased substantially — but their nature, their sophistication, and their consequences. Ransomware groups that once targeted hospitals and municipalities in North America and Europe have expanded their operational focus to include Caribbean organisations, drawn by the combination of increasingly digitised operations, limited cybersecurity defensive capability, and the perception that Caribbean organisations are more likely to pay ransoms quietly than to engage law enforcement and pursue lengthy criminal investigations. Business Email Compromise — the social engineering technique in which fraudsters impersonate executives or trusted counterparties to redirect financial transactions — has become the single most financially costly cyber threat facing Caribbean organisations, with losses across the region running into tens of millions of dollars annually.
This article, the seventh in the CARISK™ series, examines Caribbean cyber risk as it actually presents in 2026 — with honesty about the threat landscape, clarity about which sectors and organisations are most exposed, and a governance framework that Caribbean boards can begin implementing immediately. Cyber risk is not a technology problem. It is a business risk and a governance responsibility. The CARISK™ framework treats it as both.
The Caribbean Cyber Threat Landscape: What Has Changed
The Caribbean’s cyber threat landscape has been fundamentally transformed by three intersecting trends over the past decade: the rapid digitisation of Caribbean business and government operations; the professionalisation and commercialisation of the global cybercriminal ecosystem; and the growing strategic interest of state-sponsored threat actors in Caribbean financial infrastructure. Each of these trends is worth examining in detail, because understanding what has changed is the precondition for understanding what the appropriate governance response looks like.
Trend 1: Digital Adoption Outpacing Defensive Capability
Caribbean organisations — in financial services, government, healthcare, tourism, retail, and professional services — have adopted digital technology at a pace that has, in many cases, materially outstripped the development of their cybersecurity defensive capabilities. Online banking platforms, mobile payment systems, cloud-based business applications, remote working infrastructure, digital government services, and e-commerce platforms have all expanded rapidly, creating new attack surfaces that the region’s cyber defence investment has not kept pace with.
The talent gap is a structural constraint that amplifies this problem. The Caribbean cybersecurity talent pool is limited — the product of a combination of limited cybersecurity education and certification pathways, the brain drain of trained professionals to North American and European markets where compensation is significantly higher, and the historically low priority placed on cybersecurity investment by Caribbean organisations. An organisation that cannot recruit, retain, or afford qualified cybersecurity professionals cannot build the defensive capabilities required to operate safely in the current threat environment. For the majority of Caribbean organisations — which do not have the scale to maintain full-time cybersecurity teams — this means that managed security services, outsourced security operations, and advisory relationships with qualified cybersecurity firms are not optional supplements to an internal function; they are the primary means by which adequate defensive capability must be obtained.
Trend 2: Professionalisation of the Cybercriminal Ecosystem
The global cybercriminal ecosystem has undergone a structural transformation over the past decade that has fundamentally changed the threat profile facing all organisations, including Caribbean ones. The emergence of Ransomware-as-a-Service (RaaS) platforms — in which ransomware developers license their tools to affiliate operators who conduct attacks and share revenue with the developers — has dramatically lowered the technical barrier to conducting sophisticated ransomware attacks. Threat actors who previously lacked the technical capability to develop and deploy ransomware independently can now access industrial-grade attack tools, infrastructure, and operational support through commercial criminal platforms.
The consequence is a significant increase in the volume and geographic breadth of ransomware attacks. Affiliate operators seeking targets specifically look for organisations with valuable data and limited defensive capabilities — a profile that Caribbean healthcare institutions, government agencies, financial services firms, and educational institutions frequently match. The Caribbean’s historically low profile in cybersecurity incident reporting — most Caribbean cyber incidents are never publicly disclosed — has created a perception in the criminal ecosystem that Caribbean organisations are soft targets: worth attacking, unlikely to generate significant law enforcement response, and in some cases willing to pay ransoms quietly to avoid reputational damage.
Trend 3: Strategic Interest in Caribbean Financial Infrastructure
The Caribbean’s role as a major global offshore financial centre — with the Cayman Islands, Bahamas, Bermuda, and Barbados collectively managing trillions of dollars in investment fund, insurance, and banking assets — has attracted the attention of sophisticated state-sponsored threat actors whose objectives include financial intelligence collection, sanctions evasion facilitation, and the disruption of financial infrastructure for strategic purposes.
Nation-state actors — including groups attributed to North Korea, which has conducted some of the most technically sophisticated financial sector cyber attacks globally — have demonstrated both the capability and the intent to target offshore financial infrastructure. The Lazarus Group, attributed to North Korean state sponsorship, has executed attacks against financial institutions across Southeast Asia, Africa, and Latin America, including targets in jurisdictions geographically close to the Caribbean. Caribbean financial centres that hold or process significant volumes of international financial transactions are within the operational interest of these actors.
The distinction between criminal and state-sponsored threats is important for Caribbean financial institutions because the defensive posture required to address state-level threats — which can include advanced persistent threats (APTs), custom malware, and multi-stage intrusion campaigns — is substantially more demanding than the defences adequate for criminal opportunists. Financial institutions in Caribbean offshore centres should be assessing their threat model against both categories of threat actor, not only against the criminal opportunist baseline.
“The Caribbean cyber threat landscape in 2026 is not primarily about unsophisticated criminals targeting careless organisations. It includes professional criminal enterprises with commercial infrastructure, and in some contexts, state-sponsored actors with strategic objectives.”
The Five Highest-Risk Sectors: A Caribbean Cyber Profile
1. Financial Services: The Primary Target
Caribbean financial services — commercial banking, credit unions, insurance companies, securities dealers, money services businesses, and the offshore financial sector — represent the most targeted sector in the Caribbean cyber threat environment, for the straightforward reason that financial institutions hold both money and money-adjacent data that criminals can monetise directly. The attack vectors are multiple: ransomware disrupting operations and demanding payment for decryption keys; business email compromise redirecting wire transfers; account takeover attacks using stolen credentials; and payment system fraud exploiting weaknesses in online banking and card processing systems.
Caribbean credit unions present a specific and concerning cyber risk profile. Many credit unions operate with legacy technology systems, limited IT budgets, and no dedicated cybersecurity function. Their member data — which includes employment information, salary deposits, loan records, and in some cases national identification data — is valuable for identity theft and fraud. Their digital banking interfaces, which have been rapidly expanded to meet member expectations, have often been deployed without the security testing and monitoring infrastructure required to operate them safely. Credit union boards and management should treat the cybersecurity baseline assessment as a governance priority equivalent to their financial audit obligations.
The correspondent banking relationship dimension adds a further compliance imperative. Major international correspondent banks are increasingly assessing the cybersecurity posture of Caribbean respondent banks as part of their due diligence process. A Caribbean financial institution that cannot demonstrate adequate cybersecurity controls may find that its correspondent banking relationships are placed at risk — adding a regulatory and commercial dimension to the operational risk of a cyber incident.
2. Business Process Outsourcing: Data Liability at Scale
The Caribbean BPO sector — concentrated in Jamaica, Trinidad and Tobago, Barbados, and Belize — handles customer data, financial records, healthcare information, and business process functions for major international corporations across multiple industries. The data processed by Caribbean BPO operators is, by definition, the data of the clients’ customers — individuals in North America, Europe, and beyond whose personal information is subject to GDPR, CCPA, and other stringent data protection frameworks in their home jurisdictions.
A significant data breach affecting a Caribbean BPO operator creates consequences at three levels simultaneously: regulatory enforcement action in the jurisdictions of affected individuals; contractual liability to the clients whose data was breached; and reputational damage to both the BPO operator and, by association, to the Caribbean BPO sector’s international brand. The sector’s competitive positioning — built on the combination of English-language proficiency, time zone alignment with North American markets, and competitive labour costs — depends critically on the trust of international clients that Caribbean operators can protect the data they are entrusted with.
BPO operators should be investing in cybersecurity at a level commensurate with the value and sensitivity of the data they process — not at the minimum their clients contractually require, but at the level their actual risk exposure demands. This means ISO 27001 certification or equivalent, real-time security monitoring through a Security Operations Centre (SOC) capability, regular penetration testing of client-facing systems, and documented incident response procedures that meet the notification timeline requirements of applicable data protection frameworks.
3. Government and Public Sector: Critical Infrastructure Exposure
Caribbean government systems — revenue authorities, customs agencies, immigration and national identification databases, social protection systems, and public utilities — represent a concentration of sensitive citizen data and critical operational infrastructure that is increasingly targeted by both criminal and state-sponsored actors. Ransomware attacks on Caribbean government systems have disrupted public services, exposed citizen data, and in some cases forced extended periods of manual processing that have imposed significant economic costs on businesses dependent on government interfaces.
The post-Melissa context adds a specific dimension to government cyber risk. As Caribbean governments have digitised recovery management processes — distributing disaster relief, processing insurance claims, managing reconstruction procurement — the digital systems supporting these functions have become both more critical and more visible to threat actors who specifically target post-disaster environments, when defensive attention is divided and the operational pressure to maintain system availability at any cost is highest.
Government cybersecurity investment in the Caribbean is generally inadequate relative to the sensitivity and criticality of the data and systems being protected. The absence of mandatory cyber incident reporting requirements in most Caribbean jurisdictions means that the true frequency and severity of government cyber incidents is substantially underreported, creating a governance environment in which political pressure to improve cybersecurity investment is weaker than the actual risk profile warrants.
4. Tourism and Hospitality: The Data-Rich, Defence-Poor Sector
Caribbean hotels, resorts, tour operators, and hospitality businesses hold significant volumes of guest personal data — passport information, credit card data, travel itineraries, and in the case of loyalty programmes, extensive behavioural and preference data — combined with payment processing systems, property management systems, and booking platforms that, if compromised, can produce both direct financial loss and significant reputational damage with the international guests who represent the sector’s primary revenue source.
The tourism sector’s cyber risk profile is characterised by a specific vulnerability pattern: highly seasonal operations that concentrate system activity in peak periods, creating operational pressure against security controls that slow system performance; high staff turnover that creates persistent gaps in security awareness; and a technology ecosystem of point-of-sale systems, property management software, and online booking integrations that creates multiple third-party access points into the organisation’s network. The sector’s international brand exposure — where a data breach reported in a major UK or North American media outlet can materially affect booking volumes — makes reputational consequence a particularly significant cyber risk dimension for Caribbean tourism operators.
5. Energy Sector: Operational Technology Risk
T&T’s energy sector — along with the broader Caribbean energy infrastructure including electricity utilities across the region — faces a specific category of cyber risk that extends beyond data and financial systems to operational technology (OT): the industrial control systems, SCADA platforms, and process automation systems that operate physical energy infrastructure. A cyber attack on OT systems can cause physical damage to equipment, disrupt energy supply, and in extreme cases create safety hazards — consequences that are categorically different from the business disruption and data loss produced by attacks on conventional IT systems.
The convergence of IT and OT networks — as Caribbean energy companies have connected their operational systems to corporate networks and internet-facing management interfaces — has introduced IT-category threats into OT environments that were historically isolated from external networks and therefore not designed with cyber defence in mind. The energy sector’s cybersecurity risk management must now address this convergence explicitly, with separate threat models for IT and OT environments and specific controls for the interfaces between them.
The CARISK™ Caribbean Cyber Risk Assessment: Territory Profiles
| Territory | CRI Cyber Rating | Trajectory | Key Cyber Risk Characteristics |
| --- | --- | --- | --- |
| Jamaica | MODERATE | WORSENING | BPO data liability; government system incidents; limited national CERT capacity; post-Melissa recovery system targeting |
| Trinidad & Tobago | MODERATE | WORSENING | Energy OT/IT convergence risk; regional financial conglomerate concentration; data protection framework immature |
| Barbados | LOW-MOD | STABLE | Most advanced digital governance; IBC sector high-value target; FSC cyber supervision strengthening |
| Cayman Islands | MODERATE | WORSENING | Highest-value target in Caribbean; hedge fund and private equity data; advanced threat actor interest |
| Bahamas | MODERATE | WORSENING | Sand Dollar CBDC infrastructure; financial sector data concentration; tourism sector PII exposure |
| Belize | HIGH | WORSENING | Limited national cybersecurity infrastructure; offshore sector under AML pressure; BPO sector growing |
| OECS States (avg.) | MODERATE | WORSENING | Very limited national cyber capacity; CBI applicant data a high-value target; government systems under-defended |
| Guyana | HIGH | WORSENING | Rapid digitalisation driven by oil revenues; limited regulatory framework; energy sector OT risk emerging |
Business Email Compromise: The Caribbean’s Costliest Cyber Threat
Of all the cyber threats facing Caribbean organisations, Business Email Compromise (BEC) deserves particular attention because it is simultaneously the most financially costly, the most consistently underreported, and the most preventable through non-technical means. BEC does not require sophisticated malware or network intrusion. It requires only the ability to impersonate a trusted party convincingly enough to persuade a finance professional to redirect a payment or provide account credentials.
The BEC attack pattern most commonly affecting Caribbean organisations involves one of three scenarios: the CEO fraud, in which an attacker impersonates a senior executive and instructs a finance team member to make an urgent wire transfer; the vendor impersonation, in which an attacker impersonates a known supplier and provides updated banking details for an outstanding invoice; or the attorney impersonation, in which an attacker impersonates a lawyer handling a transaction and directs funds to be transferred to a fraudulent account. All three scenarios exploit the combination of time pressure, authority, and familiarity — and all three are highly effective against finance teams that have not been specifically trained to identify and verify these attack patterns.
The financial losses from BEC attacks on Caribbean organisations are material. Individual incidents range from tens of thousands to millions of dollars, and the recovery rate for funds lost to BEC is low — particularly when funds have been transferred internationally through multiple jurisdictions. The reputational and relationship consequences of a significant BEC loss — particularly for organisations in professional services, real estate, or law firms handling client funds — can be as damaging as the financial loss itself.
The controls required to prevent BEC are not primarily technological. They are procedural: verification protocols that require out-of-band confirmation for any payment instruction or banking detail change above a defined threshold; clear escalation procedures for unusual payment requests; staff training that specifically addresses BEC attack patterns; and a culture that empowers finance staff to challenge and verify instructions even when they appear to come from senior executives. These controls are inexpensive to implement, highly effective when consistently applied, and conspicuously absent in many Caribbean organisations that have suffered significant BEC losses.
“Business Email Compromise is not a sophisticated attack. It is a social engineering attack that succeeds because organisations have not implemented the basic procedural controls that defeat it. The Caribbean is losing tens of millions of dollars a year to preventable fraud.”
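The out-of-band verification control described above can be expressed as a payment-release gate. The following is an added example, not code from the article or from Dawgen Global. The threshold value, the record fields, the rule that any bank-detail change triggers a callback regardless of amount, and the rule that the callback must go to the number held in the vendor master record are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed policy value: the article says only "a defined threshold".
CALLBACK_THRESHOLD = 10_000.00


@dataclass(frozen=True)
class Vendor:
    """Vendor master record, maintained outside the email channel."""
    vendor_id: str
    bank_account: str
    phone_on_file: str


@dataclass(frozen=True)
class PaymentRequest:
    """A payment instruction as keyed from an email or invoice."""
    vendor_id: str
    amount: float
    bank_account: str  # account the instruction asks us to pay


@dataclass(frozen=True)
class Callback:
    """Record of a confirmation phone call made before release."""
    number_dialled: str
    confirmed: bool


def _digits(phone: str) -> str:
    """Compare phone numbers on digits only, ignoring spaces and dashes."""
    return re.sub(r"\D", "", phone)


def callback_reasons(req: PaymentRequest, vendor: Vendor) -> List[str]:
    """Return the reasons this request needs out-of-band confirmation."""
    reasons = []
    if req.bank_account != vendor.bank_account:
        reasons.append("bank details differ from vendor master")
    if req.amount >= CALLBACK_THRESHOLD:
        reasons.append("amount at or above callback threshold")
    return reasons


def decide(req: PaymentRequest, vendor: Vendor,
           callback: Optional[Callback] = None) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is RELEASE, HOLD or REJECT."""
    if req.vendor_id != vendor.vendor_id:
        raise ValueError("request and vendor record do not match")
    reasons = callback_reasons(req, vendor)
    if not reasons:
        return "RELEASE", []
    if callback is None:
        return "HOLD", reasons
    # The number must come from the master record. A number taken from the
    # message that carried the instruction is controlled by its sender.
    if _digits(callback.number_dialled) != _digits(vendor.phone_on_file):
        return "HOLD", reasons + ["callback did not use the number on file"]
    if not callback.confirmed:
        return "REJECT", reasons + ["vendor did not confirm the instruction"]
    return "RELEASE", reasons


if __name__ == "__main__":
    # Constructed sample data: a vendor and a request with changed bank details.
    vendor = Vendor("V-001", "JM-ACCT-1111", "+1 876 555 0100")
    changed = PaymentRequest("V-001", 2_500.00, "XX-ACCT-9999")
    print(decide(changed, vendor))                                   # no call yet
    print(decide(changed, vendor, Callback("+1 555 0199", True)))    # number from the email
    print(decide(changed, vendor, Callback("1-876-555-0100", True))) # number on file
```

The gate keys on the bank-detail change rather than on the sender's apparent seniority or the urgency of the request, which are the two levers the three BEC scenarios rely on.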
Building Cyber Resilience: The CARISK™ Governance Framework
The CARISK™ cyber risk governance framework for Caribbean enterprises is built around three disciplines: prevention — reducing the likelihood of successful attacks through technical and procedural controls; detection — identifying attacks that occur despite preventive controls through monitoring and alerting capabilities; and response — containing and recovering from incidents efficiently, minimising business disruption, and meeting regulatory notification obligations. All three disciplines are required; none is sufficient without the others.
Prevention: The Non-Negotiable Baseline
The minimum preventive cyber controls that every Caribbean organisation of meaningful scale should have in place are well-established in global frameworks such as the NIST Cybersecurity Framework, ISO 27001, and the CIS Critical Security Controls. They include: multi-factor authentication (MFA) deployed across all critical systems and email accounts — MFA alone defeats the majority of credential-based attacks; privileged access management ensuring that administrative access to critical systems is limited, monitored, and time-bounded; patch management ensuring that known software vulnerabilities are remediated promptly; email security controls including anti-phishing and anti-spoofing measures; network segmentation separating critical systems from general user networks; and regular, tested data backups maintained in offline or isolated environments to ensure recovery capability following ransomware.
For many Caribbean organisations, the audit of current controls against this baseline will reveal significant gaps. Closing those gaps is not an exotic cyber investment; it is the implementation of controls that have been the global standard for years and that defeat the majority of attacks that Caribbean organisations actually face. The organisations that have suffered the most damaging Caribbean cyber incidents are, in almost every case, organisations that had not implemented this baseline.
Detection: Knowing When You Have Been Compromised
The average time between a cyber attacker gaining access to an organisation’s systems and the organisation detecting that access — the ‘dwell time’ — has historically been measured in weeks or months. During that period, attackers are conducting reconnaissance, moving laterally through the network, escalating privileges, exfiltrating data, and preparing for the final stage of their attack, whether ransomware deployment or fraud execution. An organisation that only discovers a compromise when the ransomware executes or the fraudulent transfer clears has lost the opportunity to detect and disrupt the attack while it was still in progress.
Effective detection requires monitoring capability that most Caribbean organisations do not currently maintain. At minimum, organisations should have: endpoint detection and response (EDR) tools deployed on all endpoints; centralised logging of authentication events, privileged access activity, and network traffic; and alerting on indicators of compromise — unusual login patterns, off-hours access, large data transfers, and privilege escalation events. For organisations that cannot maintain these capabilities internally, Security Operations Centre (SOC) services, available through managed security service providers, can provide the monitoring capability on an outsourced basis at a cost that is accessible to mid-market organisations.
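The alerting described above can be sketched as rules run over centralised log events. This is an added example, not code from the article or from Dawgen Global. The JSON-lines event schema, the thresholds, the business-hours window, the privileged group names and the sample events are all constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# All thresholds are assumed values for illustration; tune them per organisation.
BUSINESS_HOURS = range(7, 19)            # 07:00-18:59, timestamps in local time
FAILED_LOGIN_LIMIT = 5                   # failures preceding a success
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
LARGE_TRANSFER_BYTES = 500 * 1024 ** 2   # 500 MiB outbound
PRIVILEGED_GROUPS = {"Domain Admins", "sudo"}

# Constructed sample events in a hypothetical normalised JSON-lines schema.
SAMPLE_LOG = """\
{"ts": "2026-03-02T02:03:10", "type": "login", "user": "jbrown", "src": "203.0.113.7", "ok": false}
{"ts": "2026-03-02T02:03:20", "type": "login", "user": "jbrown", "src": "203.0.113.7", "ok": false}
{"ts": "2026-03-02T02:03:30", "type": "login", "user": "jbrown", "src": "203.0.113.7", "ok": false}
{"ts": "2026-03-02T02:03:40", "type": "login", "user": "jbrown", "src": "203.0.113.7", "ok": false}
{"ts": "2026-03-02T02:03:50", "type": "login", "user": "jbrown", "src": "203.0.113.7", "ok": false}
{"ts": "2026-03-02T02:04:05", "type": "login", "user": "jbrown", "src": "203.0.113.7", "ok": true}
{"ts": "2026-03-02T02:10:00", "type": "group_add", "user": "jbrown", "target": "jbrown", "group": "Domain Admins"}
{"ts": "2026-03-02T02:31:00", "type": "transfer", "user": "jbrown", "dst": "198.51.100.20", "bytes_out": 2147483648}
truncated line {"ts":
{"ts": "2026-03-02T09:14:00", "type": "login", "user": "asmith", "src": "10.0.4.21", "ok": true}
{"ts": "2026-03-02T14:00:00", "type": "transfer", "user": "asmith", "dst": "10.0.9.5", "bytes_out": 1048576}
"""


def parse(log_text):
    """Return (events sorted by time, count of lines that could not be parsed)."""
    events, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
        except (ValueError, KeyError, TypeError):
            skipped += 1   # count, do not silently drop: gaps in logging matter
            continue
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"]), skipped


def detect(log_text):
    """Return (alerts, skipped) where each alert is (timestamp, rule, user)."""
    events, skipped = parse(log_text)
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logins
    for ev in events:
        ts, kind, user = ev["ts"], ev.get("type"), ev.get("user", "?")
        stamp = ts.isoformat()
        if kind == "login" and not ev.get("ok"):
            failures[user].append(ts)
        elif kind == "login":
            # Unusual login pattern: a run of failures ending in a success.
            recent = [t for t in failures[user] if ts - t <= FAILED_LOGIN_WINDOW]
            if len(recent) >= FAILED_LOGIN_LIMIT:
                alerts.append((stamp, "failures_then_success", user))
            failures[user].clear()
            if ts.hour not in BUSINESS_HOURS:
                alerts.append((stamp, "off_hours_access", user))
        elif kind == "group_add" and ev.get("group") in PRIVILEGED_GROUPS:
            alerts.append((stamp, "privilege_escalation", ev.get("target", user)))
        elif kind == "transfer":
            sent = ev.get("bytes_out")
            if isinstance(sent, int) and sent >= LARGE_TRANSFER_BYTES:
                alerts.append((stamp, "large_outbound_transfer", user))
    return alerts, skipped


if __name__ == "__main__":
    found, bad_lines = detect(SAMPLE_LOG)
    for alert in found:
        print(*alert)
    print("unparsed lines:", bad_lines)
```

Taken one at a time, each alert here is weak evidence. The same account raising all four within half an hour is the kind of sequence that shortens dwell time when someone is watching for it.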
Response: When the Incident Occurs
Every Caribbean organisation should have a tested cyber incident response plan before it experiences an incident — not as a compliance document, but as a practical operational guide that defines who does what in the first 24 hours of a confirmed cyber incident. The response plan should address: incident identification and classification; containment procedures to limit the spread of an attack; evidence preservation for forensic investigation and regulatory reporting; communication protocols — internal, regulatory, and external; recovery procedures for restoring systems from clean backups; and regulatory notification obligations, which in most Caribbean jurisdictions and under GDPR require notification within 72 hours of a personal data breach.
The organisations that recover from cyber incidents most effectively are those that have rehearsed their response before the incident occurs. Tabletop exercises — structured simulations of cyber incident scenarios conducted with the board and senior management team — are the most effective and most cost-efficient means of testing and improving incident response capability. A two-hour tabletop exercise conducted annually will reveal more gaps in cyber incident readiness than any paper-based review of the incident response plan.
The Board’s Cyber Governance Obligations
Caribbean boards cannot delegate cyber governance entirely to the IT function or to management. The regulatory environment, the financial consequences of cyber incidents, and the reputational stakes of a significant breach all place cyber risk squarely within the scope of board-level governance responsibility. The following five obligations define what cyber governance at the board level requires in the current environment.
- Regular cyber risk reporting to the board: The board should receive a structured cyber risk report at every meeting — covering the current threat environment relevant to the organisation, the status of key cyber controls, any incidents or near-misses since the last meeting, the progress of remediation against identified gaps, and emerging regulatory developments in data protection and cybersecurity. The report should be prepared by or reviewed by a qualified cybersecurity professional, not summarised through the IT manager’s general operations report.
- Annual cybersecurity gap assessment: The organisation should commission an independent cybersecurity gap assessment annually — or more frequently following significant changes to the digital environment — that measures the current state of cyber controls against a recognised framework. The gap assessment report should be reviewed by the board’s audit or risk committee, with findings tracked through to remediation.
- Cyber incident response plan ownership: The board should formally approve the organisation’s cyber incident response plan, satisfy itself that the plan has been tested through tabletop exercises, and designate clear board-level responsibility for oversight of the response in the event of a significant cyber incident. The board should not learn of a major cyber incident at the same time as the press.
- Cyber insurance assessment: Organisations should assess whether cyber insurance — covering first-party costs such as incident response, ransomware negotiation, data recovery, and business interruption, as well as third-party liability for data breaches — is appropriate for their risk profile. Cyber insurance does not substitute for cyber controls, but for organisations that have implemented an adequate control baseline, it provides meaningful financial risk transfer for the residual incident risk.
- Supply chain and third-party cyber due diligence: For organisations whose operations depend on third-party technology providers, cloud platforms, or managed service providers, the board should satisfy itself that the organisation’s third-party cyber risk management programme includes cybersecurity requirements in supplier contracts, periodic assessment of critical suppliers’ cyber posture, and contingency arrangements for the failure of critical digital dependencies.
The Caribbean’s cyber risk landscape will continue to intensify. Digital adoption will expand. Threat actors will continue to develop their capabilities and expand their target set. And the regulatory environment around cyber incident reporting, data protection, and operational resilience will continue to tighten. The organisations that invest in cyber governance now — building the prevention, detection, and response capabilities required to operate safely in this environment — are the ones that will navigate the next major Caribbean cyber incident as a managed event rather than a crisis.
In Article 8 of this series, we examine the risk domain that most frequently surprises Caribbean boards because it operates in plain sight: Political Risk and Social Instability. From governance failures to civil unrest, from gang influence to social polarisation — we examine what Caribbean political and social risk looks like when assessed with genuine rigour.
REQUEST YOUR CARISK™ CYBER RISK ASSESSMENT
Plan effectively with Dawgen Global’s expert analysis on the cyber risk factors affecting your Caribbean operations. From cybersecurity gap assessments against ISO 27001 and NIST frameworks to BEC prevention programmes, incident response planning, and board cyber governance reviews, our Cybersecurity & Digital Risk service provides the tools to confidently anticipate and mitigate Caribbean cyber risk. Request a complimentary CARISK™ Cyber Risk Intelligence Briefing today.
Next in the Series
Article 8 — Political Risk, Social Instability, and the Board’s Blind Spot. Caribbean political stability is real. Caribbean political and social risk is also real. We examine the governance failures, social fault lines, and institutional pressures that Caribbean boards systematically underestimate — and the risk management disciplines required to govern these risks with genuine rigour.
About Dawgen Global
Embrace BIG FIRM capabilities without the big firm price at Dawgen Global, your committed partner in carving a pathway to continual progress in the vibrant Caribbean region. Our integrated, multidisciplinary approach is finely tuned to address the unique intricacies and lucrative prospects that the region has to offer. Offering a rich array of services, including audit, accounting, tax, IT, HR, risk management, and more, we facilitate smarter and more effective decisions that set the stage for unprecedented triumphs. Let’s collaborate and craft a future where every decision is a steppingstone to greater success. Reach out to explore a partnership that promises not just growth but a future beaming with opportunities and achievements.
WhatsApp Global Number: +1 555-795-9071
Caribbean Office: +1876-6655926 / 876-9293670/876-9265210
USA Office: 855-354-2447
Join hands with Dawgen Global. Together, let’s venture into a future brimming with opportunities and achievements

