Pillar 2 has so far treated the firm as a closed system: its own posture, its own access, its own data, its own recovery. That treatment is editorially useful but operationally incomplete. In practice, the Caribbean SMB’s data sits on three or four cloud platforms it does not control, is processed by a dozen suppliers it has signed contracts with but does not audit, and is accessible to a long tail of third parties the firm forgot it had ever invited in. The firm’s real exposure is the union of its own posture and every third party’s posture — weighted by the data and access each third party holds. This article asks the firm to do something most have never done: inventory its third-party perimeter the way Article 2.2 asked it to inventory its access perimeter, with the same rigour and the same surfacing of Lingerers.

Fourteen on the list, one hundred and forty-seven actually connected

In January 2026 we ran a Pillar 2 review at a Caribbean professional services firm with sixty-two staff. The firm had a competent IT function, a defined head of operations, and a board-approved risk register. As part of the review we asked the firm to produce a list of every third party that held its data or had administrative access to its systems.

The firm returned a list of fourteen entries. The list was thoughtful and accurate, in its way: it included the firm’s ERP vendor, its accounting platform, its CRM, its email and file storage provider, its core banking partner, its two principal external counsel firms, its payroll bureau, its tax compliance software vendor, its document signing platform, and three managed-service contractors with administrative responsibilities. The fourteen suppliers had signed data processing agreements where required, named relationship owners, and a place on the firm’s annual procurement review cycle.

We then asked the firm’s IT team to log into the firm’s Google Workspace, its accounting platform, its CRM and its file storage platform, and to export, from each, the complete list of connected applications, authorised OAuth integrations, marketplace add-ons, and external collaborators on shared files. We were not auditing the firm’s suppliers; we were asking each of the firm’s own systems to disclose every external party it currently had a live operational relationship with.

The combined list returned by those four systems contained one hundred and forty-seven entries.

The fourteen the firm had remembered appeared on the list. The remaining one hundred and thirty-three were a combination of expired browser extensions, abandoned SaaS trials, retired integration platforms, the personal Google accounts of three former employees who had used them to access shared folders, two freelance designers who had finished engagements eighteen months earlier, a marketing analytics platform the firm had stopped paying for in 2023, a project management tool a former CFO had connected to the accounting platform in 2022, and a long tail of one-off connections established for specific projects and never removed.

None of this was a breach. The firm had not lost data; it had not been compromised; nothing on the long list was, in itself, doing anything wrong. The firm had simply, over a decade of normal operation, granted access to roughly ten times the number of third parties it now believed it had granted access to. Each of those one hundred and thirty-three additional parties retained whatever access the firm had originally given it, and would continue to do so until the firm explicitly revoked the access.

The head of operations, asked at the close of the discovery phase whether the finding troubled him, gave the answer this article exists to honour. “It doesn’t trouble me as a finding,” he said. “It troubles me as evidence that we have a list of fourteen suppliers and an actual perimeter that includes a hundred and forty-seven. We have been managing one and exposed by the other.”

The firm’s perimeter is not where the firm thinks it is. It is where the firm’s third parties say it is — and most firms have never asked their third parties.

1. The closed-system fiction of Pillar 2 so far

The four previous articles of this pillar have treated the Caribbean SMB as a closed system. Article 2.1 examined the firm’s posture. Article 2.2 examined who, inside the firm, had access to what. Article 2.3 examined what the firm did with the data it held. Article 2.4 examined how the firm recovered when its systems failed. Each was operationally useful; each was, on its own, operationally incomplete.

The closed-system framing was a deliberate editorial choice. It is the right place to begin a Pillar 2 conversation, because a firm that has not yet articulated its own posture is not equipped to have a serious conversation about its suppliers’ posture. The firm has to know what good looks like inside its own walls before it can ask its suppliers to maintain it on the other side of the walls.

But the closed-system framing breaks down at the operational level the moment the firm tries to inventory what it actually holds, controls and depends on. In every Pillar 2 review we have run, the same finding has recurred: more of the firm’s data lives outside its walls than inside them, more of the firm’s daily operational dependencies live in cloud platforms it does not control than in the firm’s own systems, and more of the firm’s real access surface is the access it has granted to third parties than the access it has granted to its own employees.

This is not a Caribbean phenomenon; it is a structural consequence of how modern small and medium-sized firms operate. The cost of buying a service from a SaaS provider is now lower than the cost of building or hosting one internally for almost everything a sixty-staff firm does. The firm has not, in most cases, made an explicit decision to move its perimeter outwards; it has done so one purchase order at a time, over a decade, in response to a thousand small operational pressures. The accumulated effect, never measured in any single quarter, is the perimeter the head of operations described above.

Pillar 2 must, at this point in the series, give up the closed-system fiction. The remaining question is not whether the firm’s perimeter has moved — it has, in every firm we have engaged. The question is whether the firm has noticed, and whether the firm’s posture, access controls, data protection practice and continuity plans have moved with it. In most Caribbean SMBs the answer is no, and the gap is operationally larger than the firm imagines.

2. The three places third-party exposure lives

Once the firm accepts that its perimeter has extended beyond its walls, the next question is what its third-party exposure actually consists of. In our engagements we find that it consistently lives in three distinct places, each requiring a different operational discipline to manage.

Where exposure lives	What the firm has done	How exposure typically arrives
Data sent	Sent customer or operational data to a third party for storage or processing.	The third party suffers a breach. The firm’s data is exfiltrated from a system the firm does not control. The firm learns about it from the news, not from the supplier.
Access granted	Granted a third party login credentials or administrative access to the firm’s own systems.	The third party’s credentials are compromised. The attacker uses the third party’s authorised access to reach the firm’s systems, bypassing the firm’s perimeter entirely.
Integration authorised	Connected a third-party application to the firm’s systems via OAuth, API key, or browser extension, often during a one-off project.	The integration is no longer used, the supplier has been forgotten, but the connection is still authorised. The integration becomes the External Lingerer through which the firm’s exposure quietly extends for years.

Each of the three categories is real and material. Most Caribbean SMBs have processes — imperfect but recognisable — for managing the first category; the firm knows broadly which suppliers it has sent data to, because the firm has paid them, signed contracts with them, and reviewed them at least once. Few firms have any process at all for the second category beyond informal memory of who has been given a login. Almost no Caribbean SMB has any process for the third category, because the third category was created by the firm’s own employees during routine work and was never registered with the firm’s procurement, IT or risk functions.

The first category is where signed DPAs and annual reviews matter. The second category is where credentials hygiene, multi-factor authentication on shared accounts, and the access discipline of Article 2.2 matter. The third category is where the External Lingerers concept matters — because the third category is, almost by definition, the firm’s long tail of forgotten relationships, and the discipline of finding and closing those relationships is the discipline this article is centred on.

3. The third-party inventory

The operational discipline that closes most of the gap between the firm’s remembered third parties and its actual third parties is unglamorous and well within the operational reach of a sixty-staff firm: a periodic, systematic, technology-assisted inventory of every third party the firm currently has any relationship with. The same posture as the access inventory of Article 2.2, applied outwards rather than inwards.

The inventory should answer four questions for every third party it lists:

• What: the third party we engaged, the system it operates, and the operational reason for the engagement;
• Data and access: the data we send or have sent, and the access we have granted, with categories specific enough to make the third party’s exposure recognisable (“client personally identifying information”, not “client information”);
• Owner: the named individual inside the firm responsible for the relationship, with a fallback if that individual is unavailable;
• Currency: the date the relationship was last reviewed, and the date by which it must be reviewed again — the same ninety-day discipline that applies elsewhere in Pillar 2.

 

The fourth answer is the answer that converts the inventory from a static list into a live operational artefact. An inventory that has not been reviewed in twelve months is not an inventory; it is a memory. The discipline of dating each entry and committing to a review cadence is what keeps the inventory from quietly drifting back to the fourteen-out-of-one-hundred-and-forty-seven state we found in the firm in our opening anecdote.

The technical mechanics of building the inventory are straightforward. Most major SaaS platforms expose, in their administrative consoles, a list of connected applications, OAuth grants, external collaborators and active integrations. The firm’s engagement team should produce these lists from at minimum: the firm’s email and file storage provider, its accounting platform, its CRM, its document signing platform, and its payment processor. Where the firm uses a managed-service IT provider, the inventory should also include any administrative-console-level integrations the provider has authorised on the firm’s behalf.

The first time a Caribbean SMB performs this exercise it is, in our experience, surprising. The second time, eighteen months later, after the firm has built the discipline, it is unremarkable. The difference is the discipline itself — not a procurement reform, not a vendor management programme, simply the regular act of asking the firm’s own systems to disclose who they are currently talking to.

4. Tiering: not every third party deserves the same scrutiny

Once the firm has its inventory, the next operational decision is the most consequential. An inventory of one hundred and forty-seven third parties is unmanageable if every entry receives the same procurement scrutiny; it is also wasteful, because most of the entries do not warrant the same scrutiny. The firm should tier its third parties explicitly, and apply different disciplines to different tiers.

Tier	Definition	Caribbean examples	Operational discipline
Tier 1	A breach at this supplier would be material to the firm’s operations, reputation, or regulatory standing.	Core banking platform, ERP vendor, primary cloud provider, payroll bureau, core accounting platform.	Annual review, signed DPA on file, named relationship owner, incident notification clause, scope-aware backup arrangements.
Tier 2	A breach would be embarrassing and operationally inconvenient but recoverable without lasting commercial damage.	CRM platform, marketing automation, document signing platform, customer support tool, file-sharing service.	Light annual review, DPA on file where applicable, named owner per supplier, included in supplier-incident plan.
Tier 3	A breach would be a non-event for the firm and would matter mainly to the supplier’s other customers.	Browser extensions, low-traffic analytics tools, free SaaS utilities, single-use trial accounts.	Inventory only. No bilateral review. Quarterly External Lingerers exercise — anything inactive for twelve months is closed.

The tiering decision is the most useful procurement reform a Caribbean SMB can make in this area. It allows the firm to concentrate its limited procurement and risk attention on the small number of third parties through whom a breach would actually be material, while applying lighter-touch discipline to the long tail without pretending the long tail does not exist.

Tier 1 in a typical Caribbean SMB is six to twelve suppliers — small enough that the named relationship owner for each is a realistic ask. Tier 2 is fifteen to thirty. Tier 3 is the bulk of the inventory, and the discipline for Tier 3 is not bilateral review but the External Lingerers exercise the next section describes.

Manage the Tier 1 suppliers bilaterally. Manage the Tier 3 long tail by exception. The firm cannot afford to do the first for the long tail and cannot afford to ignore the second for Tier 1.

5. External Lingerers

Article 2.2 of this series introduced the concept of Lingerers — accounts inside the firm that should have been removed but were not. Lingerers exist because the standard processes of joining and leaving the firm have not been completed to closure: a contractor’s account remains active after the contract ends; a former employee retains a shared mailbox after departure; an integration account is created for a one-off project and never decommissioned. The Lingerers concept has done productive editorial work across the pillar and is, in our experience, the single most useful operational frame for Caribbean SMBs trying to understand where their access exposure quietly accumulates.

Pillar 2’s third-party perimeter has its own version of this phenomenon, and the discipline of finding and closing it is the discipline this section is centred on. We call the third-party version External Lingerers: third-party relationships the firm forgot it had, integrations the firm forgot were running, authorisations the firm forgot were live, and SaaS subscriptions the firm forgot it was paying for.

External Lingerers are not malicious. They are not, in themselves, breaches. They are the residue of a decade of routine operational activity that has not been closed to completion. Their material risk is that each one carries some quantum of the firm’s data, access or operational dependency forward in time, on a relationship the firm is no longer actively managing. When the External Lingerer’s parent company is breached, or sold, or quietly discontinued, the firm finds that data it had forgotten it had sent is now in a place it had forgotten it had been sent to.

The discipline of the External Lingerers exercise is to run it quarterly, on a structured basis, against the six categories where External Lingerers consistently accumulate.

The six categories where External Lingerers accumulate

Category	How the External Lingerer is discovered
Forgotten OAuth grants	Export the connected applications list from the firm’s Google Workspace or Microsoft 365 admin console, its accounting platform, its file storage platform, and its CRM. Anything granted access more than twelve months ago that has not been used in the last quarter is a candidate for revocation.
Auto-renewing SaaS trials	Run a transaction-level search against the firm’s primary payment card for the last twenty-four months. Group recurring small charges by merchant. Most firms find two to five recurring charges for services no one in the firm remembers commissioning.
Retired browser extensions	Audit the browser extensions installed on every workstation the firm operates. Many extensions request broad permissions including the ability to read web traffic; many were installed for a single task and never removed.
Departed freelancers and contractors	Cross-reference the firm’s payment records against the firm’s access logs. Anyone paid in the last three years who still appears on any access list is either currently engaged or is an External Lingerer. The Access Inventory Audit from Article 2.2 catches the internal version; the external version requires checking each platform’s collaborator and guest-access lists separately.
Abandoned integrations	Each major SaaS platform exposes a connected-apps list. Each accounting platform exposes a marketplace-integrations list. Each CRM exposes an installed-apps panel. The integrations that remain on these lists from a previous CFO, a previous marketing team, or a previous one-off project are External Lingerers — connected, still authorised, no longer needed.
Personal accounts of former employees	Where a former employee used a personal account to access the firm’s shared files, the firm cannot remove the access from inside its own systems — the account is not the firm’s to manage. The firm must, on departure, audit every shared resource and revoke external access by email address. Most firms have never done this for past departures.

 

A firm that performs this exercise quarterly will, within twelve months, have surfaced and closed the majority of its External Lingerers. The exercise will continue to find new ones every quarter — the External Lingerer phenomenon is not solvable in one pass, because the firm continues to generate new relationships in the normal course of operations — but the steady-state population of External Lingerers in a disciplined firm is small, knowable and managed. The steady-state population in an undisciplined firm is large, unknown and growing.

Every External Lingerer is a relationship the firm has stopped actively managing but has not stopped being exposed by. The exercise is not to prevent External Lingerers; it is to find them faster than the firm creates them.

6. The supplier-incident plan

Article 2.4 introduced the continuity artefact — the firm’s documented response to a disruptive incident in its own systems, organised around the three time windows of thirty minutes, eight hours, and three days. The continuity artefact, as we wrote it in 2.4, addressed the four failure modes the firm should plan for. There is a fifth failure mode that 2.4 deferred to this article, and that almost no Caribbean SMB has documented at all: the failure mode in which the disruptive incident happens not at the firm but at one of the firm’s suppliers.

The supplier incident is operationally distinct from the firm’s own incident in three respects. First, the firm does not control the response: the firm has to wait for substantive information from the supplier and cannot direct the supplier’s investigation. Second, the firm’s exposure depends entirely on what the firm sent the supplier, which the firm should already know from the third-party inventory but in most cases does not. Third, the firm’s notification obligations — to its clients, to regulators, to its bankers — begin with the supplier’s incident, not the firm’s, and the timing of those obligations may run faster than the supplier’s ability to provide substantive information.

The supplier-incident plan is the firm’s documented response to this distinct failure mode. It should sit alongside the continuity artefact from 2.4 and follow the same time-windows structure, modified for the supplier context.

Stages of the supplier-incident plan

Stage	What the firm does when its supplier has the incident
First 30 minutes	Identify what the firm sent the supplier, what access the supplier has, and what integrations are running. The Tier-1 inventory should make this answerable in fifteen minutes; if it does not, the inventory is not current.
First 8 hours	Revoke the supplier’s access to the firm’s systems if there is any indication the supplier’s credentials may be compromised. Reset shared credentials. Disable integrations that depend on the supplier. Inform the firm’s own clients only after verifying with the supplier what data has actually been affected.
First 3 days	Engage the firm’s legal counsel on the Caribbean and cross-border notification implications. Determine, in writing from the supplier, what data was affected and over what period. Notify the Office of the Information Commissioner if the data engages the Data Protection Act 2020’s notification requirements. Notify affected clients with substance, not speculation.
First 30 days	Review the supplier’s incident report. Decide whether the supplier remains in Tier 1 or whether the relationship requires renegotiation. Update the firm’s third-party inventory with the lessons of the incident. Add the incident to the supplier-incident plan as a worked example for the firm’s next review.

 

The most useful test of whether the firm’s supplier-incident plan is operational is a single question, asked of the firm’s leadership team without warning: if our primary cloud platform announced a breach this morning, what would we do in the next thirty minutes? The firm that can answer the question concretely — with names, systems and actions — has a supplier-incident plan. The firm that cannot answer it has the gap this section is asking the firm to close.

7. Cross-border data flows and the Caribbean reality

A particular feature of the Caribbean SMB’s third-party perimeter is that almost every cloud platform the firm uses operates from a primary data-centre region outside the Caribbean. The firm’s email is hosted in a US, UK or EU region; its CRM is hosted in a US region; its accounting platform is hosted in a UK or US region. Caribbean customer data, by the operational fact of where the platforms run, is leaving the customer’s territory every time it is processed.

The Jamaican Data Protection Act 2020 has a position on this, in the eighth Data Protection Standard, on transfers of personal data outside Jamaica. Equivalent positions exist in other Caribbean territories’ data protection statutes. Article 2.3 of this series addressed the operational — not legal — framing of the Act, and this section observes the same boundary: the firm should consult its counsel on the Act’s specific application to its cross-border transfers and on whether the supplier’s contractual protections meet the Standard’s requirements. The article addresses the operational discipline that supports the legal answer, not the legal answer itself.

The operational discipline has three components. The firm should know, for each Tier 1 and Tier 2 supplier, the data-centre region the supplier’s primary processing takes place in. The firm should know what contractual protections the supplier offers for cross-border processing of Caribbean customer data — standard contractual clauses, equivalent commitments, or in some cases nothing at all. And the firm should know what its own client commitments say about where its clients’ data may be processed, because the firm’s commercial obligation to its own clients may be more demanding than the supplier’s commitment to the firm.

Most Caribbean SMBs do not know any of these three things for most of their suppliers. The Third-Party Exposure Review the next section describes makes a knowable answer for each. Where the answer is unsatisfactory, the firm has a procurement decision to make. Where the answer is satisfactory, the firm has a defensible position to take with its own clients and regulators.

8. The pillar position, with the perimeter where it actually is

With Article 2.5 in place, Pillar 2’s operational position is now stated with the perimeter where it actually is, not where the firm imagined it was when the pillar opened. The position the firm should be able to demonstrate is:

• Posture: the firm has a posture — articulated, current, owned (Article 2.1);
• Internal access: the firm controls who has access — internal accounts inventoried, internal Lingerers managed (Article 2.2);
• Data: the firm protects the data it holds — across the four data states, with inventory and retention discipline (Article 2.3);
• Continuity: the firm can recover — across three time windows and four failure modes, with a 90-day-current artefact (Article 2.4);
• Third-party perimeter: the firm knows its third parties — inventoried, tiered, with External Lingerers managed and a supplier-incident plan (Article 2.5).

The five articles compose into a single operational picture: a firm that has stopped treating itself as a closed system and has built the disciplines required to be, instead, the centre of a perimeter that includes itself and every party the firm shares data, access or operational dependencies with. The picture is more demanding than the closed-system picture, but it is the picture the Caribbean SMB actually has to manage.

Article 2.6 will close the pillar with a translation of this entire position into a measurable scorecard — the Caribbean Cyber Hygiene Scorecard — against which the firm can track its operational readiness over time. The Scorecard will compose the five articles’ disciplines into a single composite measure and will be the closing artefact of Pillar 2.

9. Dawgen Global’s Third-Party Exposure Review

The Third-Party Exposure Review is the fifth offering in the Pillar 2 commercial menu, designed for Caribbean SMBs that have understood the argument of this article and would like to know, in operational terms, where their third-party perimeter actually stands.

The Review is a one-week fixed-price engagement that produces four deliverables. The first is the third-party inventory: a structured list of every third party that holds the firm’s data, has access to the firm’s systems, or has authorised integrations running. The inventory is produced by exporting connected-applications and external-collaborator data from the firm’s primary platforms, not by asking the firm to remember its suppliers. The second is the tiering decision: each third party in the inventory is placed in Tier 1, Tier 2 or Tier 3, with a written justification, and the firm’s engagement partners are equipped to apply differentiated disciplines to each tier. The third is the External Lingerers report: the long tail of forgotten authorisations, abandoned integrations, auto-renewing subscriptions and departed-contractor access, with a recommended closure list. The fourth is the supplier-incident plan: a sectioned document organised around the four time windows of thirty minutes, eight hours, three days and thirty days, with named owners and concrete actions.

The Review composes with the four Pillar 2 offerings already published in the series:

• the Cybersecurity Posture Review (Article 2.1), which establishes the firm’s overall posture and roadmap;
• the Access Inventory Audit (Article 2.2), which surfaces the firm’s internal Lingerers;
• the DPA 2020 Operational Readiness Review (Article 2.3), which addresses the Act’s eight Standards in operational practice;
• the Continuity Readiness Review (Article 2.4), which exercises the firm’s recovery and produces the continuity artefact;
• the Third-Party Exposure Review (this article), which inventories and tiers the firm’s third-party perimeter, surfaces External Lingerers, and produces the supplier-incident plan.

The five engagements may be commissioned individually, sequentially, or as the combined Pillar 2 Operational Readiness Programme that the firm now sees, with this article, in its complete form. Clients commissioning the combined programme receive a single integrated current-state report and a single integrated 12-month roadmap, with engagement-level deliverables on each of the five pillars.

Closing

The professional services firm whose story opens this article completed its External Lingerers exercise in the fortnight that followed our review. Of the one hundred and thirty-three previously unrecorded third parties on its inventory, the firm closed ninety-four within seven days — expired browser extensions, the personal accounts of former employees, abandoned trials, the marketing analytics platform that had stopped being paid for in 2023. Twenty-eight required a brief operational decision (kept, with a refreshed authorisation; closed, with the integration removed; or referred to the relationship owner for renewal). Eleven required a structured procurement decision and have been routed through the firm’s Tier 1 and Tier 2 processes.

The firm’s third-party inventory now stands at fifty-three entries: the fourteen original suppliers, six new ones added in the year since, and thirty-three of the previously unrecorded long tail that turned out, on inspection, to have ongoing operational value. The firm reviews the inventory quarterly. Its last External Lingerers exercise, two weeks ago, surfaced four new candidates for closure and was completed in an afternoon.

The change for the firm was not technical. No new platform was deployed; no new tool was purchased; no new headcount was added. The discipline that converted a perimeter of one hundred and forty-seven invisible relationships into a perimeter of fifty-three visible ones was simply the discipline of asking the firm’s own systems, every quarter, who they were currently talking to — and closing the relationships the firm had stopped needing.

The firm that knows its own perimeter is not necessarily the firm with the smallest perimeter. It is the firm whose perimeter, large or small, is visible — every quarter, to a named owner, with the inactive relationships closed before they become the channel through which the firm’s next incident arrives.

The firms that have read this article and would like to know, in operational terms, where their own third-party perimeter actually stands are invited to contact [email protected] to discuss a Third-Party Exposure Review. The conversation begins with one question, which the firm can usefully answer for itself before the call: How many third parties does the firm believe it has — and how many would the firm’s own systems list if the firm asked them this afternoon?

ABOUT THE AUTHOR

Dr. Dawkins Brown is Executive Chairman and Founder of Dawgen Global, an independent, integrated multidisciplinary professional services firm headquartered in New Kingston, Jamaica, with engagements across more than fifteen Caribbean territories. Dawgen Global’s services span audit and assurance, tax advisory, IT and digital transformation, risk management, cybersecurity, HR advisory, mergers and acquisitions, corporate recovery, business advisory, accounting BPO and virtual CFO services, and legal process outsourcing. The firm is independent and is not affiliated with any international network.

ABOUT THE SERIES

The Caribbean Digital Foundations Series is a multi-pillar thought-leadership programme published by Dawgen Global. Pillar 2 — Trust & Security — comprises six articles examining the operational disciplines a Caribbean SMB requires to build and maintain trust in its systems, its data, its continuity and its third-party perimeter. Articles 2.1 (Cybersecurity Posture), 2.2 (Identity and Access), 2.3 (Data Protection), 2.4 (Continuity), and 2.5 (Third-Party Perimeter) are published. Article 2.6 (the Caribbean Cyber Hygiene Scorecard) will conclude the pillar.

© 2026 Dawgen Global. All rights reserved.

About Dawgen Global