Barbados' Evolution in Cybersecurity Amid Regulatory Shifts and Global Compliance Pressures
Barbados experiences a 12-day national outrage cycle after crises, like the recent cyberattack on the Barbados Revenue Authority. Local businesses, including financial institutions, are adapting to evolving cybersecurity and data privacy regulations.
Barbados often experiences a national outrage phenomenon that unfolds in predictable stages. It starts with disbelief, swiftly followed by collective outrage and an intense search for someone to blame. However, within nine to 12 days, the fervour dissipates, leaving the issue largely unresolved—a fleeting storm of public concern often termed a “12-day wonder”.
With the recent high-profile data breaches, I had hoped that the national consciousness would shift toward the urgent need for a comprehensive cybersecurity strategy—one connected to and vital for our economic development. Unfortunately, it seems that the pressure the government initially faced following the Barbados Revenue Authority cyberattack is already beginning to ease. The winds of this fleeting storm are waning, and the urgency for meaningful action is fading.
Nevertheless, whether we like it or not, cybersecurity and data privacy practices have become integral to the evolving global compliance landscape, and local multinationals are already feeling the pressure to adapt. Financial institutions like Sagicor are leading the way by implementing robust cybersecurity measures, not just for regulatory compliance but also to maintain their financial ratings and attract global clients who take these matters seriously. This shift is becoming evident in banking operations as well, with First Citizens Bank requiring businesses connecting to their online payment gateway to complete a detailed Data Privacy Vendor Due Diligence Questionnaire, asking critical questions about Data Protection Act 2019 alignment and whether a Data Protection Officer is appointed. This emerging regulatory landscape is rapidly reshaping how businesses operate, and it is only a matter of time before cybersecurity and data privacy become standard practice across sectors.
The International Telecommunication Union’s (ITU) Global Cybersecurity Index 2024 ranks Barbados in the “evolving” category, reflecting some progress but also exposing significant gaps in the nation’s cybersecurity readiness. Urgent attention is needed to strengthen key areas, such as legal frameworks for data protection and cybercrime, while the absence of a fully operational national Computer Incident Response Team (CIRT) further limits Barbados’ ability to respond effectively to cyber threats. Although some organisational efforts are underway, the lack of a comprehensive national strategy with clear metrics and regular audits is concerning. Barbados must not only bolster its legal framework but also invest in technical and cooperative measures to proactively address cyber threats rather than continuously reacting after incidents occur. The focus shouldn’t be on starting from scratch but on adapting global standards to meet local needs.
One global standard that Barbados has already adopted is the European Union’s framework for data privacy, which served as a model for the Barbados Data Protection Act 2019. In the realm of cybersecurity, the EU has also set a precedent with its NIS Directive (Directive on Security of Network and Information Systems), adopted in 2016. This was the first EU-wide cybersecurity legislation aimed at improving the cybersecurity posture across critical infrastructure sectors. The directive mandates stronger security measures for operators of essential services, including energy, banking, and healthcare, as well as digital service providers. It requires organisations to implement robust security protocols, report major incidents, and encourage cooperation through established national authorities and information-sharing practices. Adopting and adapting similar frameworks will allow Barbados to enhance its cybersecurity capabilities while aligning with global best practices.
However, we currently have a culture where data breach incidents—whether in the private or public sector—are viewed with shame rather than responsibility. Though subtle, this difference significantly impacts how we handle digital security incidents as a nation.
In the spirit of not wasting a crisis, I urge the government to take three critical actions:
1. National Cybersecurity Council: Oversee national cybersecurity strategies, coordinate public-private efforts, advise on laws and regulations, ensure international compliance, and manage responses through a national Computer Incident Response Team (CIRT).
2. Cybersecurity Act: Establish a legal framework to combat cybercrime, protect critical infrastructure, mandate security for key sectors, and require incident reporting to a national authority. The Act would also promote collaboration, ensure compliance, and enhance awareness while aligning with data protection laws.
3. National Cybersecurity Strategy: Provide a comprehensive roadmap for improving cybersecurity, define roles, and set measurable objectives. This strategy would integrate cybersecurity into national development plans, support capacity building, and promote international cooperation.
While the initial uproar following cyber incidents often fades, the need for a robust and sustained approach to cybersecurity remains critical. Barbados cannot afford to be complacent in the face of increasing global cyber threats.
The implementation of a National Cybersecurity Council, a comprehensive Cybersecurity Act, and a well-structured National Cybersecurity Strategy are essential steps in safeguarding the country’s digital infrastructure and economic future. By adopting international best practices and fostering a culture of responsibility, Barbados can shift from reactive crisis management to proactive defence, ensuring that cybersecurity becomes a cornerstone of its national development strategy.
steven@dataprivacy.bb