
This is the closing article of Pillar 2 of the Caribbean Digital Foundations Series. Articles 2.1 through 2.5 built five operational disciplines: posture, access, data, continuity, and the third-party perimeter. This article produces the instrument that converts those five disciplines into a single composite measure the Caribbean SMB can actually track. The Caribbean Cyber Hygiene Scorecard contains 25 items across five dimensions, each scored 0 / 1 / 2 against a demonstrability rubric with a 90-day or 12-month freshness window per item. The Scorecard is published openly as a contribution to Caribbean professional practice; any firm can run it on itself. Dawgen Global offers independent validation and Caribbean peer-cohort benchmarking as the sixth and final Pillar 2 commercial engagement.
The single-number question
In November 2025 a Caribbean regional advisory client, a hundred-and-twenty-staff financial services firm with operations across three territories, asked us a question we had not been asked in quite that form before.
The firm had, over the preceding eighteen months, completed the full Pillar 2 Operational Readiness Programme. It had a Cybersecurity Posture Review. It had an Access Inventory Audit. It had a Data Protection Act 2020 Operational Readiness Review. It had a Continuity Readiness Review with an exercised restore. It had a Third-Party Exposure Review with an inventoried perimeter and an External Lingerers exercise. Each engagement had produced an excellent deliverable, and the firm’s operational posture across all five dimensions had materially improved.
The managing director, in a quarterly executive meeting, had asked the executive team a question he had been asking every quarter for the previous twelve months and which, twelve months in, the team still could not cleanly answer. “How are we doing on cyber hygiene this quarter, compared to last quarter, in one slide?”
The chief operating officer had presented an update from the Access Inventory Audit. The chief financial officer had reported on cyber insurance renewal. The head of IT had presented the current incident log. The chief risk officer had circulated the most recent Continuity Readiness Review findings. The managing director had thanked each of them and asked his question again. “You have each told me something I find useful. None of you has told me how we are doing this quarter compared to last quarter. Can someone tell me whether we are getting better or worse?”
The room was quiet, in the way Caribbean executive teams are quiet when the question is fair and the answer is not yet on the table. The firm had five excellent reports, each produced annually or biennially. It did not have a single number, or a single page, that let the executive team track the firm’s overall hygiene over time. The firm could describe its disciplines; it could not measure them.
The Cyber Hygiene Scorecard exists because that question was asked. The article exists because every Caribbean SMB that has completed serious work on Pillar 2 will, sooner or later, ask the same question. The Scorecard is the answer.
The Caribbean SMB does not need another maturity model. It needs a small, specific, periodically refreshed instrument that converts the five disciplines of Pillar 2 into a single composite measure the firm can actually track.
1. Why the Caribbean SMB needs a Scorecard of its own
Cybersecurity maturity models are not, in 2026, in short supply. The NIST Cybersecurity Framework, the ISO 27001 control set, the CIS Controls, the CISA Performance Goals, the various Big Four maturity matrices, and the regulatory scorecards published by Caribbean financial regulators are all credible, well-built, and useful in their proper contexts. None of them, in our observation across hundreds of Caribbean engagements, is the right instrument for a Caribbean SMB’s quarterly executive review.
Three things distinguish the Caribbean SMB’s requirement from the requirement these other frameworks were built to serve. The first is scale: a Caribbean SMB of thirty to two hundred staff cannot, in any realistic operational sense, implement a control set designed for an organisation with a chief information security officer, a dedicated security operations centre, and a multi-person governance, risk and compliance function. The Caribbean SMB has a head of operations who, on Wednesday afternoons, also reviews cyber hygiene. The instrument has to fit that reality.
The second is context: Caribbean operational specifics — the JPS grid, single-carrier telecoms exposure, fuel logistics during regional disruption, cloud-region latency from data-centres outside the Caribbean, the particular shape of the Data Protection Act 2020 — are not reflected in frameworks designed for North American or European markets. A Scorecard that does not contain Caribbean operational specifics will, at best, be partly applicable and, at worst, will give the firm a passing score for items the firm has not actually addressed in any Caribbean-meaningful way.
The third is cadence: the global frameworks are designed for annual or biennial certification cycles. The Caribbean SMB’s executive team needs a quarterly instrument — light enough to run every ninety days, structured enough to be comparable over time, specific enough to identify which dimension has drifted, and short enough to review in twenty minutes.
The Caribbean Cyber Hygiene Scorecard is built for these three requirements. It is small. It is Caribbean-specific. It is quarterly. It is not in competition with the larger frameworks; a firm pursuing ISO 27001 certification should pursue it. The Scorecard is the instrument the Caribbean SMB uses on the Wednesday afternoons between certifications, to know whether its hygiene is currently in operational practice or has drifted out of the ninety-day window the firm requires of itself.
2. The Scorecard at a glance
The Caribbean Cyber Hygiene Scorecard contains twenty-five items across five dimensions — one dimension for each of the operational articles of Pillar 2. Each dimension contains exactly five items. Each item is scored 0, 1, or 2. The raw score is out of fifty. The composite score is reported as a percentage with five dimension sub-scores. The Scorecard is run quarterly, by the firm, on the firm’s own evidence.
The five dimensions
- Posture: the firm’s overall cybersecurity posture, written and owned (from Article 2.1);
- Access: internal account inventory, Lingerers exercise, MFA coverage, privileged access, departure procedure (from Article 2.2);
- Data: data inventory across the four states, retention policy in operational practice, DPA 2020 mapping, subject access requests, classification (from Article 2.3);
- Continuity: continuity artefact, restore exercise, backup retention windows, offline copies, Caribbean operational specifics (from Article 2.4);
- Third-Party: third-party inventory, tiering decision, External Lingerers exercise, supplier-incident plan, cross-border data flows (from Article 2.5).
The scoring rubric
Each of the twenty-five items is scored against the same three-band rubric. The rubric is deliberately strict on the freshness window the item requires — 90 days for the most operational items, 12 months for the more strategic items — because the entire pillar has argued that operational disciplines must be demonstrable, not merely intended.
| Score | What the firm must be able to demonstrate |
| 0 | The item is absent. No artefact exists and no demonstration can be produced: the firm cannot, today, show the item in any form, current or stale. |
| 1 | The item is present but not currently demonstrable within its required window. A document exists, a procedure is described, an inventory was built — but the most recent dated evidence falls outside the freshness window the item requires. This is the most common score in our experience, and it is the score the Scorecard exists to surface. |
| 2 | The item is present and currently demonstrable. The firm can, today, produce dated evidence within the 90-day or 12-month window the item requires. This is the only score that signals the firm has the discipline operationally in place. |
Three observations about the rubric. First, the rubric scores demonstrability, not intent. A firm cannot score 2 by promising to do the work; it can only score 2 by having done the work and being able to evidence it within the freshness window. Second, a score of 1 is the most common score in our experience — it means the artefact exists but has not been refreshed, which is the operational state most Caribbean SMBs find themselves in. The Scorecard exists to surface these items. Third, a score of 0 is not a moral judgement; it is a diagnostic. A firm that scores 0 on a given item has identified, with precision, where its next quarter’s investment should go.
3. The five dimensions in detail
Each of the five dimensions contains five items. The items are drawn directly from the operational disciplines named in Articles 2.1 through 2.5. The evidence column specifies, in operational terms, what the firm must be able to produce, dated within the required window, to score 2 on the item. The evidence column is the most important column on the Scorecard — it is the column that prevents the Scorecard from drifting into self-assessment optimism.
Dimension 1 — Posture (from Article 2.1)
The first dimension addresses whether the firm has, in writing, a current articulation of its overall cybersecurity posture and the operational commitments that posture implies. Posture is the foundation; without it, the other four dimensions become tactical activities without a strategic frame.
| # | Item | 90-day or 12-month evidence the firm must produce for a score of 2 |
| 1 | Written cybersecurity posture statement owned by a named executive, dated within 12 months | Posture document, signed off by the named executive, dated within the last 12 months, identifying the firm’s cybersecurity priorities and the resources committed to them. |
| 2 | Risk-aligned investment statement reviewed at board or executive level within 12 months | Minutes or paper of the board or executive committee meeting at which the firm’s cybersecurity investment was reviewed, dated within the last 12 months. |
| 3 | MFA enforced on the firm’s email, financial systems, and administrative consoles | Administrative console screenshots or audit logs showing MFA enforcement on all three system classes, dated within the last 90 days. |
| 4 | Endpoint protection deployed and verified on every workstation issued by the firm | Endpoint management console report listing every workstation and the protection state on each, dated within the last 90 days. |
| 5 | Documented cybersecurity training delivered to every staff member in the last 12 months | Training completion register listing every current staff member and the date of their most recent completed training, with the most recent completion within the last 12 months. |
Dimension 2 — Access (from Article 2.2)
The second dimension addresses who, inside the firm, can access what. This is the dimension where the Lingerers concept introduced in Article 2.2 has its operational expression. The dimension is the most operationally tractable of the five — a firm that commits to it can usually move from 0 to demonstrable within a single quarter.
| # | Item | 90-day or 12-month evidence the firm must produce for a score of 2 |
| 6 | Current accounts inventory across all primary systems, dated within 90 days | Exported account list from each Tier 1 system, consolidated, dated within the last 90 days, with each account attributed to a named individual. |
| 7 | Lingerers exercise completed within 90 days with documented closures | Memorandum identifying the Lingerers surfaced in the most recent exercise and the closure date for each, dated within the last 90 days. |
| 8 | MFA coverage measured and reported, with target ≥95% on Tier 1 systems | Coverage report by system, dated within the last 90 days, showing MFA enabled per account and identifying the residual accounts. |
| 9 | Privileged access reviewed within 90 days, with named privileged-account owners | List of privileged accounts with the named owner of each and the date of the most recent review, the review dated within the last 90 days. |
| 10 | Documented departure procedure executed within 5 working days for every departure in 12 months | Departure register listing every departure in the last 12 months and the date of access revocation for each, with no departure unactioned beyond 5 working days. |
Dimension 3 — Data (from Article 2.3)
The third dimension addresses what the firm does with the personal and operational data it holds. This is where the Data Protection Act 2020’s operational requirements have their Scorecard expression — not the Act’s legal requirements (which the firm’s counsel addresses), but the operational practice the Act’s Standards translate into.
| # | Item | 90-day or 12-month evidence the firm must produce for a score of 2 |
| 11 | Data inventory across the four data states, dated within 12 months | Inventory document covering data at rest, in transit, in use, and disposed-of — the four data states from Article 2.3 — dated within the last 12 months. |
| 12 | Retention policy in operational practice with evidence of recent deletion in line with the policy | Retention policy document plus a deletion log showing deletions executed in the last 12 months that match the policy’s retention windows. |
| 13 | DPA 2020’s eight Standards mapped to firm operational practice, with named owners | Mapping table listing each of the eight Standards, the firm’s operational practice against it, and the named owner accountable for the practice. |
| 14 | Subject access request procedure documented and exercised within 12 months | Procedure document plus evidence of at least one subject access request fulfilled in the last 12 months — or a documented dry-run exercise if no live request was received. |
| 15 | Data classification scheme applied to the firm’s primary data stores | Classification scheme document plus evidence of its application to at least the firm’s file storage platform and its CRM/ERP, dated within the last 12 months. |
Dimension 4 — Continuity (from Article 2.4)
The fourth dimension addresses whether the firm can recover from disruption — across the three time windows of thirty minutes, eight hours and three days, and against the four failure modes of accidental deletion, silent corruption, outage and ransomware. This is the dimension where evidence that backups exist is distinguished, in operational practice, from evidence that recovery works.
| # | Item | 90-day or 12-month evidence the firm must produce for a score of 2 |
| 16 | Continuity artefact dated within 90 days, covering 30-min / 8-hr / 3-day windows | Continuity document covering all three time windows, dated within the last 90 days, with named owners against each window’s actions. |
| 17 | Restore exercise completed within 90 days, end-to-end, timed against RTO | Memorandum of the most recent restore exercise: system restored, time taken, recovery objective tested against, deviations identified, dated within the last 90 days. |
| 18 | Backup inventory with retention windows that protect against silent corruption (12+ months) | Backup inventory document showing, for each backed-up system, the retention window in operation — with at least one retention window of 12 months or more to protect against silent corruption. |
| 19 | Offline or immutable backup copy verified within 90 days | Evidence of an offline or immutable backup copy, with verification dated within the last 90 days. An offline copy untested in 90 days does not score 2. |
| 20 | Power, telecoms, fuel and cloud-incident specifics documented in the continuity artefact | Section of the continuity artefact specifically addressing the Caribbean operational specifics from Article 2.4 Section 7: power, telecoms, fuel, cloud-region incidents, and cyber insurance posture. |
Dimension 5 — Third-Party (from Article 2.5)
The fifth dimension addresses the firm’s third-party perimeter — the suppliers, integrations and External Lingerers through which the firm’s data, access and operational dependencies extend beyond its walls. This is the newest dimension in the Pillar 2 framework and the dimension on which most Caribbean SMBs score lowest on their first Scorecard.
| # | Item | 90-day or 12-month evidence the firm must produce for a score of 2 |
| 21 | Third-party inventory exported from the firm’s own systems within 90 days | Inventory document built from the firm’s own systems’ connected-applications and external-collaborator lists, not from memory, dated within the last 90 days. |
| 22 | Tiering decision applied (Tier 1 / Tier 2 / Tier 3) with named owner per Tier 1 supplier | Inventory annotated with the tier of each third party, with a named relationship owner against every Tier 1 supplier. |
| 23 | External Lingerers exercise completed within 90 days with documented closures | Memorandum of the most recent External Lingerers exercise listing the closures executed, dated within the last 90 days. |
| 24 | Supplier-incident plan documented with 30-min / 8-hr / 3-day / 30-day stages | Plan document covering all four stages of the supplier-incident response from Article 2.5 Section 6, dated within the last 12 months. |
| 25 | Cross-border data-flow position documented for every Tier 1 supplier | Document recording, for each Tier 1 supplier, the data-centre region and the contractual protections covering cross-border processing of Caribbean customer data. |
4. Scoring, weighting, and the composite score
Each of the twenty-five items is scored 0, 1, or 2. The raw score is the sum of all twenty-five items, with a maximum of fifty. The composite score reported quarterly is the raw score expressed as a percentage of fifty. Each of the five dimensions is also reported as a sub-score — the dimension’s raw score (out of ten) expressed as a percentage. Because a dimension’s raw score is a whole number out of ten, a sub-score can only move in steps of 10 percentage points, and the composite in steps of 2; a reported sub-score that is not a multiple of ten has been miscalculated.
No dimension is weighted above another. This is a deliberate design choice. The argument of Pillar 2 has been that the five disciplines are mutually supporting and that a firm strong in four dimensions and weak in the fifth is materially exposed through the fifth. Weighting one dimension above another would implicitly tell the firm that one discipline matters more than another, which is not the position the pillar takes. The firm should aim for a balanced score across the five dimensions, not a high overall score with one dimension at zero.
The five bands
| Composite score | Band | What it indicates |
| 80% – 100% | Demonstrable | The firm has the disciplines in operational practice across all five dimensions, with current evidence. This is the steady state Pillar 2 has been building toward. |
| 60% – 79% | Maintained | The firm has most disciplines in place but some have drifted out of the freshness window. A focused review of the items scoring 1 will return the firm to demonstrable within a quarter. |
| 40% – 59% | Partial | The firm has the artefacts but is not operating them as live disciplines. The Pillar 2 Operational Readiness Programme is the route to demonstrable. Independent validation is recommended before reporting the score externally. |
| 20% – 39% | Aspirational | The firm has intentions in several dimensions but limited demonstrable practice. This is the typical starting score for a Caribbean SMB that has not previously had a structured cyber hygiene programme. |
| 0% – 19% | Exposed | The firm does not, at present, have demonstrable cyber hygiene disciplines. The exposure is real, but so is the opportunity — a firm at this band moving to Partial within twelve months is achievable and the Pillar 2 Programme is designed to do exactly that. |
The most common starting Scorecard for a Caribbean SMB that has not previously had a structured cyber hygiene programme is in the Aspirational or Partial band — typically between 30% and 55% — with strong items in Posture (most firms have a written policy) and Access (most firms can export a current account list, even if the Lingerers exercise has never been run), weak items in Continuity (most firms have backups but no recent restore exercise) and Third-Party (most firms have never inventoried their actual perimeter). The Scorecard’s diagnostic power is in revealing exactly this asymmetry, and in giving the firm a sequence to work on it.
The Scorecard’s job is not to score the firm well. Its job is to make the firm’s current state visible to itself, every quarter, in a format that is comparable over time.
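The arithmetic above and the evidence test of Section 5 (can the firm produce the specified evidence today, dated within the window?) are simple enough to encode, and doing so removes most scoring disputes before they reach the executive meeting. The following is an added example in Python, not part of the original article and not Dawgen Global's tooling. It assumes a 12-month window is 365 days; that items 13, 18 and 25, which state no freshness window, are 12-month items; that items 20 and 22 inherit the 90-day window of the artefact they annotate (items 16 and 21); that a fresh artefact which misses its item's threshold (MFA coverage below 95%, a departure revoked after more than 5 working days, no retention window of 12 months or more) scores 1 rather than 2; and that public holidays are ignored when counting working days. The evidence pack, dates and account counts are constructed to reproduce the 64% first-run result of the firm in the opening story.

```python
"""Caribbean Cyber Hygiene Scorecard calculator: applies the 0 / 1 / 2 demonstrability
rubric to an evidence pack and reports dimension sub-scores, composite score and band.
Added example, not from the original article. The sample evidence pack is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

D90, M12 = 90, 365  # freshness windows in days; 12 months treated as 365 days (assumption)

# Item number -> (dimension, freshness window). Assumptions: items 13, 18 and 25 state no
# window and are treated as 12-month items; 20 and 22 inherit the 90-day window of 16 and 21.
ITEMS: dict[int, tuple[str, int]] = {
    1: ("Posture", M12), 2: ("Posture", M12), 3: ("Posture", D90), 4: ("Posture", D90), 5: ("Posture", M12),
    6: ("Access", D90), 7: ("Access", D90), 8: ("Access", D90), 9: ("Access", D90), 10: ("Access", M12),
    11: ("Data", M12), 12: ("Data", M12), 13: ("Data", M12), 14: ("Data", M12), 15: ("Data", M12),
    16: ("Continuity", D90), 17: ("Continuity", D90), 18: ("Continuity", M12), 19: ("Continuity", D90), 20: ("Continuity", D90),
    21: ("Third-Party", D90), 22: ("Third-Party", D90), 23: ("Third-Party", D90), 24: ("Third-Party", M12), 25: ("Third-Party", M12),
}
DIMENSIONS = ["Posture", "Access", "Data", "Continuity", "Third-Party"]
BANDS = [(80, "Demonstrable"), (60, "Maintained"), (40, "Partial"), (20, "Aspirational"), (0, "Exposed")]


@dataclass
class Evidence:
    """One item's entry in the evidence pack."""
    dated: date | None          # date on the most recent artefact; None = nothing can be produced
    threshold_met: bool = True  # item-specific test where one exists (MFA >= 95%, 5-working-day departures, ...)


def score_item(item: int, ev: Evidence | None, today: date) -> int:
    """The evidence test: 2 if dated within the window and any threshold holds;
    1 if the artefact exists but is stale or misses its threshold; 0 if absent."""
    if ev is None or ev.dated is None:
        return 0
    within_window = (today - ev.dated).days <= ITEMS[item][1]
    return 2 if within_window and ev.threshold_met else 1


def mfa_threshold_met(with_mfa: int, total: int) -> bool:
    """Item 8: MFA enabled on at least 95% of accounts on Tier 1 systems."""
    return total > 0 and with_mfa / total >= 0.95


def working_days_between(start: date, end: date) -> int:
    """Mon-Fri days after `start` up to and including `end`; public holidays ignored (assumption)."""
    count, d = 0, start
    while d < end:
        d += timedelta(days=1)
        count += d.weekday() < 5
    return count


def departures_within_sla(register: list[tuple[date, date | None]], sla_days: int = 5) -> bool:
    """Item 10: every departure revoked within 5 working days; an unrevoked departure fails."""
    return all(revoked is not None and working_days_between(left, revoked) <= sla_days
               for left, revoked in register)


def retention_covers_silent_corruption(retention_days: dict[str, int]) -> bool:
    """Item 18: at least one backed-up system keeps a retention window of 12 months or more."""
    return any(days >= M12 for days in retention_days.values())


def score_pack(pack: dict[int, Evidence], today: date) -> dict:
    """Item scores, dimension sub-scores (% of 10), composite (% of 50), band, stale and absent items."""
    items = {i: score_item(i, pack.get(i), today) for i in ITEMS}
    dims = {d: 10 * sum(s for i, s in items.items() if ITEMS[i][0] == d) for d in DIMENSIONS}
    composite = 2 * sum(items.values())
    band = next(name for floor, name in BANDS if composite >= floor)
    return {"items": items, "dimensions": dims, "composite": composite, "band": band,
            "stale": sorted(i for i, s in items.items() if s == 1),
            "absent": sorted(i for i, s in items.items() if s == 0)}


# Constructed evidence pack standing in for the opening firm's first run (December 2025).
TODAY = date(2025, 12, 15)
DEPARTURES = [(date(2025, 3, 3), date(2025, 3, 5)), (date(2025, 7, 14), date(2025, 7, 25))]  # second took 9 working days
SAMPLE_PACK: dict[int, Evidence] = {
    1: Evidence(date(2025, 6, 1)), 2: Evidence(date(2025, 9, 10)), 3: Evidence(date(2025, 12, 1)),
    4: Evidence(date(2025, 12, 1)), 5: Evidence(date(2024, 10, 1)),                  # training register aged out
    6: Evidence(date(2025, 12, 5)), 7: Evidence(date(2025, 8, 1)),                   # Lingerers exercise stale
    8: Evidence(date(2025, 12, 1), mfa_threshold_met(109, 120)),                    # fresh report, only 91% coverage
    9: Evidence(date(2025, 11, 28)), 10: Evidence(date(2025, 12, 10), departures_within_sla(DEPARTURES)),
    11: Evidence(date(2025, 4, 1)), 12: Evidence(date(2024, 9, 1)), 13: Evidence(date(2025, 2, 1)),
    14: Evidence(None), 15: Evidence(date(2024, 11, 15)),                            # no SAR procedure at all
    16: Evidence(date(2025, 11, 3)), 17: Evidence(date(2025, 11, 3)),
    18: Evidence(date(2025, 11, 3), retention_covers_silent_corruption({"ERP": 400, "file share": 35})),
    19: Evidence(date(2025, 8, 20)), 20: Evidence(date(2025, 8, 20)),                # offline copy unverified since August
    21: Evidence(date(2025, 3, 1)), 22: Evidence(date(2025, 3, 1)),                  # perimeter last inventoried in March
}                                                                                    # items 23-25: no artefact exists

if __name__ == "__main__":
    result = score_pack(SAMPLE_PACK, TODAY)
    print(f"Composite {result['composite']}% ({result['band']})")
    for dim, pct in result["dimensions"].items():
        print(f"  {dim:12s} {pct:3d}%")
    print("Stale (score 1):", result["stale"], " Absent (score 0):", result["absent"])
```

Run as written, the script reports a composite of 64% (Maintained) with sub-scores of 90 / 70 / 60 / 80 / 20, and lists the ten stale items and four absent items separately, which is the split the executive slide needs: stale items are a calendar problem for a named owner, absent items are next quarter's investment.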
5. Running the Scorecard — cadence, ownership, evidence
Cadence
The Scorecard is a quarterly instrument. The firm runs it four times a year, on a fixed cadence that aligns with the executive team’s quarterly cycle. A typical Caribbean SMB schedule is to run the Scorecard in the second-last week of each quarter, present the result at the first executive meeting of the following quarter, and review the dimension that has shown the most movement at the meeting after that. The annual cycle produces four data points, four executive reviews, and four follow-on focus quarters.
Ownership
The Scorecard has a single named owner inside the firm — typically the head of operations, the chief operating officer, or the chief risk officer, depending on the firm’s structure. The owner is not the only person who contributes to the Scorecard; each of the five dimensions has a dimension owner who provides the evidence for the five items in that dimension. But the Scorecard’s ownership is single. The Scorecard arrives at the executive meeting with one signature, not five.
Evidence
The Scorecard scores demonstrability, not intent. Each item’s score of 2 requires the firm to produce, on the day of the scoring, the evidence the item specifies, dated within the freshness window the item requires. The evidence is gathered into an evidence pack that accompanies the Scorecard — not appended to every executive presentation, but available for any item the executive team queries. The evidence pack is also what the Cyber Hygiene Scorecard Validation engagement reviews when the firm commissions one.
Disputes
Where the dimension owner and the Scorecard owner disagree on whether an item scores 1 or 2, the disagreement is resolved by the evidence test: can the firm produce the specified evidence today, dated within the required window? If yes, the item is 2. If not, the item is 1. The Scorecard does not score the firm’s confidence in its own practice; it scores the firm’s ability to produce the evidence of the practice. This is, in our experience, the most operationally useful discipline the Scorecard imposes.
External validation
The firm’s own Scorecard is a self-assessment. Self-assessments are useful, in the way most instruments of self-assessment are useful: they reveal patterns over time, they create the discipline of measurement, they make the firm’s current state visible to itself. They are, however, susceptible to optimism, particularly in the items where the evidence test is harder to apply consistently. Independent validation, every twelve to eighteen months, addresses this. The Cyber Hygiene Scorecard Validation engagement that Section 7 introduces is designed for this purpose.
6. Reading the Scorecard over time
The Scorecard’s value is not the single number from a single quarter. The Scorecard’s value is the sequence of numbers over multiple quarters, and the pattern the sequence reveals about the firm’s operational discipline. Five patterns recur in our experience of running the Scorecard with Caribbean SMBs, each with a distinct interpretation.
| Pattern over time | What it usually means | What the firm should do |
| Steady improvement, dimension by dimension | The firm has chosen a sequence and is executing it. Items scoring 0 are being moved to 1; items scoring 1 are being moved to 2. | Continue. The Scorecard is doing its job. Communicate the trajectory to the audit committee or board risk committee. |
| Improvement followed by silent regression | Items scored 2 in one quarter and 1 in the next quarter — the artefact existed but was not refreshed. This is the most common Scorecard pattern in our experience. | Identify the owner of each regressing item. The pattern indicates the discipline was built but not embedded. The remedy is named ownership with calendar cadence. |
| Improvement in some dimensions, no movement in others | The firm has invested attention asymmetrically — typically in Access and Posture (where progress is visible) but not in Continuity or Third-Party (where progress is harder to demonstrate). | Plan a focused quarter on the dimension that has not moved. The Continuity Readiness Review and the Third-Party Exposure Review are designed for exactly this. |
| Sudden jump after a single quarter | Either the firm has commissioned the Pillar 2 Operational Readiness Programme and is reflecting the engagement’s deliverables — or the firm is scoring optimistically. Both are possible; the Scorecard cannot distinguish them without external validation. | Commission a Cyber Hygiene Scorecard Validation. The jump is real if the validation confirms it. If the validation does not confirm it, the jump was a self-assessment artefact and the next-quarter Scorecard will revert. |
| No movement across multiple quarters | The Scorecard is being run but the disciplines are not. The firm has accepted the diagnostic without acting on it. | Escalate. A stable low score over multiple quarters is a governance signal, not a hygiene signal. The audit committee, board risk committee, or executive sponsor should be engaged on why the Scorecard’s findings are not being acted on. |
The most common pattern, in our experience, is the second — the silent regression. A firm completes the Pillar 2 Operational Readiness Programme, scores in the upper-Maintained or Demonstrable band the following quarter, and then watches the score drift backwards over the next three quarters as the artefacts age out of their freshness windows. The pattern is not a sign of failure; it is a sign of the discipline being built but not yet embedded. The remedy is named ownership and calendar cadence — the calendar-based commitment to refresh each artefact within its required window.
A scorecard that improves quarter by quarter is the firm’s scorecard. A scorecard that regresses is the firm’s diary — a record of what the firm built and stopped maintaining.
The Scorecard’s second-order value is its comparability across firms. A Caribbean SMB that scores 64% in its third quarter of 2026 and 72% in its third quarter of 2027 knows it has improved. The same firm that knows the median Scorecard for Caribbean SMBs of similar scale is currently 58% knows that it is above the median, and that the improvement matters in commercial terms — to its bankers, to its insurers, to its larger clients. The peer-cohort benchmarking is the part of the Scorecard the firm cannot produce on its own, and is the part the Scorecard Validation engagement adds.
7. Dawgen Global’s Cyber Hygiene Scorecard Validation
The Caribbean Cyber Hygiene Scorecard, in its complete specification, is published in this article. Any Caribbean firm can run it on itself, with or without engaging Dawgen Global. We have intentionally published it as a contribution to Caribbean professional practice, because Pillar 2’s argument is that operational disciplines matter more than gatekeeping access to frameworks. The Scorecard is open IP. Its value is in being used.
Dawgen Global’s commercial engagement on the Scorecard is the Cyber Hygiene Scorecard Validation, the sixth and final offering in the Pillar 2 commercial menu. The Validation is designed for firms that have run the Scorecard on themselves and would like an independent view of their score, or that would like to benchmark their score against the Caribbean peer cohort that Dawgen Global maintains across its engagements.
The Validation is a three-day fixed-price engagement that produces three deliverables. The first is an independent re-scoring of the firm’s Scorecard against its own evidence pack, with each item reviewed for whether the firm’s self-score is supported by the evidence the item specifies. Differences between the firm’s self-score and the independent score are documented, with the basis for each difference noted. The second is the peer-cohort benchmark: the firm’s composite score and five dimension sub-scores, expressed as percentiles against the Caribbean cohort of similar-scale firms that have completed the Scorecard. The third is a Scorecard improvement plan: a prioritised list of the items most worth moving from 0 to 1 or 1 to 2 in the next quarter, with the operational steps each item requires.
The Validation composes with the five Pillar 2 offerings published in the series:
- the Cybersecurity Posture Review (Article 2.1), which produces the artefacts the Posture dimension scores against;
- the Access Inventory Audit (Article 2.2), which produces the artefacts the Access dimension scores against;
- the DPA 2020 Operational Readiness Review (Article 2.3), which produces the artefacts the Data dimension scores against;
- the Continuity Readiness Review (Article 2.4), which produces the artefacts the Continuity dimension scores against;
- the Third-Party Exposure Review (Article 2.5), which produces the artefacts the Third-Party dimension scores against;
- the Cyber Hygiene Scorecard Validation (this article), which independently re-scores the firm and benchmarks the result against the Caribbean peer cohort.
Most firms commission the Validation annually, in the quarter following the firm’s completion of the prior year’s Pillar 2 Programme work. A firm that commissions only the Validation, without the Programme, is welcome to do so — the Validation does not require the Programme as a prerequisite — though firms in the lower bands often find the Programme the more useful first step, with the Validation in the second year confirming the trajectory.
8. Pillar 2 in retrospect, and what Pillar 3 will address
With Article 2.6 in place, Pillar 2 of the Caribbean Digital Foundations Series is complete. The pillar has covered six articles, five operational disciplines, six commercial engagements, and one integrating instrument:
- Article 2.1 — The Caribbean Cybersecurity Posture: Beyond Antivirus. The shield alone.
- Article 2.2 — Identity and Access Management for the Caribbean SMB. The shield with a brass key. Lingerers introduced.
- Article 2.3 — Data Protection in Operational Practice. The shield with a ribbon-bound brass scroll. The eight Standards translated.
- Article 2.4 — Backup is Not Recovery. The shield with a brass hourglass, sand partially fallen. Continuity in three time windows.
- Article 2.5 — The Perimeter is Not Where You Think It Is. The shield with a brass chain. External Lingerers and the third-party perimeter.
- Article 2.6 — The Caribbean Cyber Hygiene Scorecard. The shield with all five previous objects arranged around it. The cumulative instrument.
The pillar’s editorial argument, made over six articles and now resting on the Scorecard, is that the Caribbean SMB’s cybersecurity posture is not a project to complete but a discipline to maintain. The Scorecard is the instrument by which the firm holds itself to the maintenance commitment, every ninety days, on its own evidence, in a format comparable across quarters and across firms.
The pillar’s commercial argument, made across six engagements and now resting on the Pillar 2 Operational Readiness Programme plus the Cyber Hygiene Scorecard Validation, is that the disciplines the pillar describes are within operational reach of any Caribbean SMB of thirty to two hundred staff that chooses to commit to them. The Programme builds the artefacts; the Validation confirms them and benchmarks the firm against its peers.
Pillar 3 of the Caribbean Digital Foundations Series — to be published in 2026 — will address Performance & Insight: the operational disciplines that translate the firm’s data into management information, executive decision-making, and the early indicators of operational and commercial performance. Pillar 3 will assume Pillar 2’s position — that the firm’s data is in operational practice, its third-party perimeter is inventoried, and its continuity is exercised — and will move forward from there. Firms that have completed Pillar 2 will find Pillar 3 a natural continuation. Firms that have not will find Pillar 2 the more useful place to begin.
Closing
The Caribbean regional financial services firm whose story opens this article ran its first Scorecard in December 2025, three weeks after the question was asked at the executive meeting. The composite score was 64% — in the upper Maintained band, with strong dimension scores in Posture (90%) and Continuity (80%), middling scores in Access (70%) and Data (60%), and a weak score in Third-Party (20%), the dimension the firm had not yet engaged. The firm’s managing director, on receiving the Scorecard for the first time, said the answer the article exists to honour: “It is exactly the page I asked for. I now know what I have, what I have not, and what I am most exposed by. The single number was not the point. The pattern was.”
The firm has now run the Scorecard four times. The composite score has moved from 64% to 72% over twelve months. The Third-Party dimension has moved from 20% to 64% following the Third-Party Exposure Review. The Continuity dimension has moved from 80% to 88% following a refreshed restore exercise. The Posture dimension has held at 90%. The Access dimension regressed slightly — from 70% to 64% — in the second quarter, when the Lingerers exercise was missed; it recovered to 76% in the third quarter when the exercise was performed. The managing director’s quarterly question is now answered on a single slide. The executive team’s discussion has moved from “what are we doing about cyber hygiene” to “which dimension is our focus for this quarter.”
The change for the firm was not the Scorecard itself. It was the discipline the Scorecard imposed: the quarterly cadence, the evidence test, the dimension sub-scores, the comparison over time. The Scorecard is, in this respect, the closing instrument of Pillar 2 and the most useful tool the pillar has produced. It is also, by design, the simplest. Twenty-five items, five dimensions, one quarterly review.
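To make the quarterly discipline concrete, here is an added example scorer (not the article's own tooling, and not the Scorecard's published rubric): it computes the dimension sub-scores and the composite, compares two quarterly runs, flags any dimension that regressed, and names the weakest dimension as the quarter's focus. It assumes five items per dimension, each scored 0 / 1 / 2, and the item scores are constructed to reproduce the firm's first run (64%) followed by a hypothetical second quarter.

```python
# Added example (not the article's or Dawgen Global's own tooling).
# Assumptions: five dimensions of five items each, every item scored 0 / 1 / 2.
DIMENSIONS = ("Posture", "Access", "Data", "Continuity", "Third-Party")
ITEMS_PER_DIMENSION = 5
MAX_ITEM_SCORE = 2


def dimension_scores(items: dict[str, list[int]]) -> dict[str, float]:
    """Percent sub-score per dimension; rejects malformed or out-of-rubric input."""
    result = {}
    for dim in DIMENSIONS:
        scores = items.get(dim)
        if scores is None or len(scores) != ITEMS_PER_DIMENSION:
            raise ValueError(f"{dim}: expected {ITEMS_PER_DIMENSION} item scores")
        if any(s not in range(MAX_ITEM_SCORE + 1) for s in scores):
            raise ValueError(f"{dim}: item scores must be 0, 1 or 2")
        result[dim] = 100.0 * sum(scores) / (ITEMS_PER_DIMENSION * MAX_ITEM_SCORE)
    return result


def composite_score(items: dict[str, list[int]]) -> float:
    """Composite = points earned across all 25 items over the 50 available."""
    dimension_scores(items)  # validate before summing
    earned = sum(sum(items[d]) for d in DIMENSIONS)
    return 100.0 * earned / (len(DIMENSIONS) * ITEMS_PER_DIMENSION * MAX_ITEM_SCORE)


def quarterly_review(previous: dict[str, list[int]], current: dict[str, list[int]]) -> dict:
    """Compare two runs: composite delta, regressions, and this quarter's focus."""
    prev_subs, curr_subs = dimension_scores(previous), dimension_scores(current)
    deltas = {d: curr_subs[d] - prev_subs[d] for d in DIMENSIONS}
    return {
        "composite": composite_score(current),
        "composite_delta": composite_score(current) - composite_score(previous),
        "dimensions": curr_subs,
        "regressed": [d for d in DIMENSIONS if deltas[d] < 0],
        # Weakest sub-score answers "which dimension is our focus this quarter".
        "focus": min(DIMENSIONS, key=lambda d: curr_subs[d]),
    }


# Constructed item scores: Q1 reproduces the firm's first run (64%); Q2 is a
# hypothetical quarter where Third-Party improves but Access slips.
Q1 = {"Posture": [2, 2, 2, 2, 1], "Access": [2, 2, 1, 1, 1], "Data": [2, 1, 1, 1, 1],
      "Continuity": [2, 2, 2, 2, 0], "Third-Party": [1, 1, 0, 0, 0]}
Q2 = {"Posture": [2, 2, 2, 2, 1], "Access": [2, 1, 1, 1, 1], "Data": [2, 1, 1, 1, 1],
      "Continuity": [2, 2, 2, 2, 0], "Third-Party": [2, 1, 1, 1, 0]}

if __name__ == "__main__":
    review = quarterly_review(Q1, Q2)
    print(f"Composite {review['composite']:.0f}% ({review['composite_delta']:+.0f})")
    for dim, pct in review["dimensions"].items():
        print(f"  {dim:<12}{pct:5.1f}%")
    print("Regressed:", review["regressed"], "| Focus:", review["focus"])
```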
The firm that runs the Scorecard knows how its hygiene is changing, quarter by quarter, on its own evidence, against its own targets. The firm that does not run it has, at best, its own confidence — and the gap between confidence and demonstrability is the gap Pillar 2 was written to close.
The firms that have read this article and would like to run the Scorecard on themselves are invited to do so. The Scorecard is published openly in this article; the rubric is in Section 3; the freshness windows are in the evidence column of each dimension table. No engagement with Dawgen Global is required. The firms that would like an independent view of their Scorecard, or a benchmark against the Caribbean peer cohort, are invited to contact [email protected] to discuss a Cyber Hygiene Scorecard Validation.
This article closes Pillar 2 of the Caribbean Digital Foundations Series. We thank the Caribbean firms that have engaged with the pillar over its publication — in the readership, the correspondence, and the engagements that have informed every article. Pillar 3 — Performance & Insight — will open in due course.
ABOUT THE AUTHOR
Dr. Dawkins Brown is Executive Chairman and Founder of Dawgen Global, an independent, integrated multidisciplinary professional services firm headquartered in New Kingston, Jamaica, with engagements across more than fifteen Caribbean territories. Dawgen Global’s services span audit and assurance, tax advisory, IT and digital transformation, risk management, cybersecurity, HR advisory, mergers and acquisitions, corporate recovery, business advisory, accounting BPO and virtual CFO services, and legal process outsourcing. The firm is independent and is not affiliated with any international network.
ABOUT THE SERIES
The Caribbean Digital Foundations Series is a multi-pillar thought-leadership programme published by Dawgen Global. Pillar 2 — Trust & Security — is now complete and comprises six articles: 2.1 (Cybersecurity Posture), 2.2 (Identity and Access), 2.3 (Data Protection), 2.4 (Continuity), 2.5 (Third-Party Perimeter), and 2.6 (the Caribbean Cyber Hygiene Scorecard). Pillar 3 — Performance & Insight — will open in due course.
ABOUT THE SCORECARD
The Caribbean Cyber Hygiene Scorecard is published in this article as open IP and may be used freely by any Caribbean firm wishing to run it on itself. Citation: Brown, D., “The Caribbean Cyber Hygiene Scorecard,” Caribbean Digital Foundations Series, Article 2.6, Dawgen Global, May 2026. The Cyber Hygiene Scorecard Validation engagement, which provides independent re-scoring and peer-cohort benchmarking, is offered exclusively by Dawgen Global.
© 2026 Dawgen Global. All rights reserved. The Caribbean Cyber Hygiene Scorecard is published as open IP for use by Caribbean firms.
Big Firm Capabilities. Caribbean Understanding.
About Dawgen Global
“Embrace BIG FIRM capabilities without the big firm price at Dawgen Global, your committed partner in carving a pathway to continual progress in the vibrant Caribbean region. Our integrated, multidisciplinary approach is finely tuned to address the unique intricacies and lucrative prospects that the region has to offer. Offering a rich array of services, including audit, accounting, tax, IT, HR, risk management, and more, we facilitate smarter and more effective decisions that set the stage for unprecedented triumphs. Let’s collaborate and craft a future where every decision is a steppingstone to greater success. Reach out to explore a partnership that promises not just growth but a future beaming with opportunities and achievements.”
Email: [email protected]
Visit: Dawgen Global Website
WhatsApp Global Number : +1 555-795-9071
Caribbean Office: +1 876-665-5926 / +1 876-929-3670 / +1 876-926-5210
USA Office: 855-354-2447
Join hands with Dawgen Global. Together, let’s venture into a future brimming with opportunities and achievements.