MSC RESEARCH · UNIVERSITY OF PORTSMOUTH · 2023
Cyber risk quantification and Caribbean financial regulation
An exploration of what role cyber risk quantification (CRQ) can play in supporting the prudential objectives of financial services regulators in the Caribbean region.
By Demetri Gittens
Mixed methods · 40 regulators surveyed; 37 regulatory documents analyzed
Published 2023
86% agreed CRQ can help regulators achieve their goals
100% flagged inadequate CRQ understanding as a barrier
75% said qualitative methods may not capture risk exposure
84% of reviewed guidelines contained no prescribed methodology for cyber risk assessment
SECTION 1 – RESEARCH CONTEXT
Why this research matters
Cyber risk is no longer a peripheral concern for financial services regulators. The prospect of a significant cyberattack disrupting payment systems, trapping depositor funds, or destabilising an individual institution has moved from being a theoretical scenario to a credible threat, one that global bodies like the IMF, the Financial Stability Board, and the Bank of England have been sounding alarms about for years.
Caribbean financial regulators are not immune to this reality. The region’s central banks and supervisory authorities have progressively updated their frameworks to address cyber risk, largely following the lead of global standard-setters like the Bank for International Settlements. On paper, the approach is consistent with international best practice. In practice, a critical question remained largely unexamined at the time of this research: are the tools being used actually fit for purpose?
It is this question that my research set out to explore. Specifically, it examined whether cyber risk quantification, the practice of expressing cyber risk in financial and probabilistic terms as opposed to using qualitative ratings, could play a meaningful role in supporting the prudential objectives of financial services regulators across the Caribbean region. The study drew on an expert survey of forty regulators and supervisors across twelve jurisdictions, combined with an analysis of published regulatory documents from across the region. What it found was a regional profession that recognises the problem, sees the potential of better tools, and faces real barriers to getting there.
THE CENTRAL RESEARCH QUESTION
What role can cyber risk quantification play in addressing cyber risk and supporting the prudential objectives of financial services regulators in the Caribbean region?
SECTION 2 – WHAT THE LITERATURE TELLS US
The state of knowledge going in
Before surveying a single regulator, the existing body of research pointed toward four clear themes and one significant gap.
The global alarm is real, but unevenly distributed
At the international level, there is broad consensus that cyber risk poses both micro and macro-prudential threats to financial systems. The IMF, the European Systemic Risk Board, and the Bank of England have each published analysis illustrating how a severe cyber incident could cascade – trapped liquidity, failed transactions, contagion across interconnected institutions. The literature on this is not speculative. It is detailed, well-cited, and increasingly urgent. Within the Caribbean, however, direct engagement with these risks in published literature is sparse. Regional regulators have acknowledged the threat in financial stability reports and public statements, but the research connecting cyber risk specifically to Caribbean prudential objectives was, at the time of this study, effectively absent.
Qualitative tools dominate and their limitations are documented
Across the region, cyber risk is typically managed as a sub-component of operational risk, assessed through qualitative and semi-qualitative tools: risk matrices, principles-based guidelines, checklist-based supervisory reviews. This approach mirrors what regulators do in more developed markets and is consistent with BIS guidance. It is also, as a body of independent research has argued, potentially inadequate. The imprecision of qualitative rating scales, the ambiguity inherent in a “high / medium / low” risk assessment, and the documented inability of tools like the risk matrix to support genuine risk-based decision-making are concerns that appear repeatedly in the literature and have direct implications for how effectively regulators can understand and respond to cyber exposure.
Quantification offers something qualitative tools cannot
Cyber risk quantification, and the FAIR model in particular, offers a different approach: expressing risk in probabilistic, financial terms rather than with ordinal rankings. The potential benefits are not trivial: a better understanding of the true magnitude of cyber risk exposure, more accurate capital requirements, and more effective communication of risk to boards and policymakers. The literature is careful not to present CRQ as a silver bullet, and this research takes the same position. But the comparison between what quantification can offer and what qualitative tools routinely fail to deliver is difficult to ignore.
The barriers to adoption are known but understudied in this context
Research on CRQ adoption barriers exists, but it is concentrated in large, developed market contexts. The specific challenges facing small regulators in a developing region, such as limited data on cyber loss events, constrained budgets and technical capacity, frameworks built around qualitative norms, had not been studied directly. That gap was one of the primary justifications for this research.
THE DISCONNECT WORTH NAMING
Global discourse on cyber risk and financial stability is sophisticated, data-rich, and increasingly urgent. Caribbean regulatory literature on the same subject is thin. This is not a criticism of regional regulators. It reflects a genuine research gap that this study was designed to address.
SECTION 3 – HOW THE RESEARCH WAS DONE
Methodology
This study used a mixed-methods approach, combining a quantitative expert survey with qualitative document analysis. This was a necessary and deliberate choice: cyber risk management involves both measurable attitudes and nuanced, context-dependent practice, and capturing both required more than one lens.
Rather than sequencing the two methods, the choice was made to run them concurrently. The expert survey served as the primary strand, designed to address the full range of research questions across forty regulators and supervisors from twelve Caribbean jurisdictions. The document analysis ran alongside it as a supporting strand, examining thirty-seven published regulatory documents (i.e. guidelines, frameworks, financial stability reports, and supervisory communications) to provide context and grounding for the survey findings.
The two strands were then interpreted together. Where the survey captured what regional regulators believe and experience, the document analysis reflected what their frameworks actually say. Reading both in combination allowed for a more complete and honest picture than either method could produce alone.
ON THE INSTRUMENTS:
The survey instrument and full document sample are documented in the dissertation. Readers wishing to review the methodology in detail, replicate the study, or engage with the full findings are welcome to request the dissertation via the contact page.
SECTION 4 – KEY FINDINGS
What the Research Found
The findings pointed in a clear direction: regional regulators see value in better tools for measuring cyber risk, operate frameworks that fall short of what those tools would require, and face barriers to change that are significant but not insurmountable.
01
There is genuine appetite for improvement
86% of respondents agreed that CRQ could help regulators achieve their goals. Regional regulators recognise the limits of their current toolkit and are open to something better.
Current approaches to cyber risk management, while consistent with global norms, leave room for improvement. That 86% agreement is not a marginal finding: it reflects a profession that recognises the limits of its current toolkit and is open to something better.
02
Understanding of CRQ is the critical missing ingredient
Every respondent identified inadequate understanding of CRQ methodologies as a barrier, with 56% indicating it would certainly hinder adoption. The obstacle is not motivation; it is knowledge and capacity.
Appetite for change without the capacity to support it produces frustration, not progress. The 56% who said inadequate CRQ understanding would certainly hinder adoption made this the highest-scoring barrier across the entire survey. The obstacle to better cyber risk measurement in the region is not motivation. It is knowledge and capacity.
03
Data availability is a perceived barrier, but the perception deserves scrutiny
97.5% flagged data availability as a concern. But CRQ frameworks like FAIR are built on structured estimation, not solely historical data, so closing the gap may require a shift in understanding more than a data infrastructure programme.
The assumption that meaningful quantification requires rich historical loss data is worth examining carefully. FAIR is built around structured estimation rather than historical data dependency, and Hubbard makes a related point: we tend to overestimate how much data we need to reduce uncertainty meaningfully. Well-calibrated expert judgment can produce more defensible outputs than qualitative ratings backed by no quantitative reasoning at all.
The practical implication is that closing this gap may require less a data infrastructure programme and more a shift in understanding of what CRQ actually demands as a starting point.
04
Qualitative tools are widely used but not widely trusted
75% agreed qualitative methods may not capture the true extent of cyber risk. Regulators are operating tools they do not fully trust to give them the picture they need.
Regional regulatory frameworks are built overwhelmingly around qualitative and semi-qualitative approaches: risk matrices, principles-based guidelines, and checklist-driven supervisory reviews. These are the dominant instruments. Yet regulators are, in many cases, operating tools they do not fully trust to give them the picture they need.
05
Not a single reviewed document specified how cyber risk should be assessed
84% of reviewed guidelines explicitly described themselves as non-prescriptive, placing responsibility on regulated institutions to define their own approach to cyber risk assessment.
Across the twelve documents (32%) specifically focused on cyber risk management (as opposed to broader or related topics such as operational risk, corporate governance, business continuity), a consistent pattern emerged: frameworks established governance expectations and directed institutions to identify and assess cyber risk, but none specified a methodology for doing so. While the instruction to assess was present, the instruction on how to do so was absent.
This is not incidental. It means the gap between qualitative tools and something more rigorous is not merely a capacity problem or a preference. It is structurally embedded in the frameworks themselves. Regulators cannot easily hold firms to a standard of quantitative rigour that their own published guidance does not require or describe.
Read alongside the survey finding that 75% of respondents doubt qualitative methods capture the true extent of cyber risk exposure, the picture that emerges is a coherent one: regulators privately question the adequacy of the tools, and their frameworks publicly ask for nothing better. That alignment between what the documents say and what practitioners believe is precisely what the mixed-methods design of this research was built to surface.
06
Regional focus is institution-level, not system-level
Respondents most frequently identified micro-prudential concerns as the primary impact of cyber risk, suggesting systemic, cross-institution risk remains underweighted in regional frameworks.
Respondents most frequently identified the safety and soundness of individual institutions as the regulatory goal most at risk, a micro-prudential framing that sits in notable contrast to international discourse, where the primary concern is systemic contagion: one significant incident cascading across interconnected institutions and markets. The regional focus is not wrong, but it may be incomplete.
The gap matters for framework design. If cyber-related systemic risk is assumed to cascade bottom-up (i.e. through individual firms first), then micro-prudential tools are a reasonable starting point. But international evidence suggests lateral contagion is plausible: a significant incident at one institution can affect payment systems, clearing infrastructure, and counterparty confidence simultaneously. Regional frameworks don’t currently appear to account for this scenario. The document analysis found no evidence of stress-testing or scenario frameworks designed around multi-institution or system-wide cyber events, and 55% of survey respondents indicated that cyber risk reporting requirements, the mechanism through which cross-institution monitoring would normally operate, require improvement.
SECTION 5 - WHAT IT MEANS
Implications and the path forward
Research findings are only useful if they point somewhere. These do.
The picture that emerges from this study is not one of failure. Caribbean financial regulators are engaging with cyber risk, their frameworks are broadly aligned with international norms, and there is genuine professional appetite for improvement. The more accurate description is one of a known destination with an unclear path and a set of structural obstacles that are real but addressable.
Three implications naturally stand out.
For regulators: the priority is capacity before mandate
The finding that 100% of respondents identified inadequate understanding of CRQ methodologies as a barrier should reframe how the conversation about better cyber risk measurement is approached in the region. The question is not whether to move toward more quantitative approaches; there is broad agreement that this is worthwhile. The question is what needs to be in place first. Investment in technical capacity, access to training on quantification methodologies, and regional knowledge-sharing among supervisors are prerequisite steps, not follow-on considerations. Mandating tools that practitioners cannot yet use produces compliance theatre, not better risk management.
For the region collectively: the perception gap is the more immediate problem
The widespread concern among regulators about data availability is understandable, but it may be directing attention toward a longer-term infrastructure problem when a more immediate one sits closer to hand. Cyber risk quantification frameworks like FAIR are designed to work from structured expert estimation, not historical loss databases. The starting point is disciplined judgment, not data completeness. A regional regulator with access to good threat intelligence, relevant analogues, and a structured decomposition of the risk question has more to work with than the data concern implies.
This does not make data collection irrelevant. Richer incident data improves the precision of quantitative outputs over time, and the Financial Stability Board's push for greater convergence in cyber incident reporting reflects a legitimate long-term goal that the Caribbean, through bodies like the Caribbean Group of Banking Supervisors, has both the incentive and the architecture to engage with. But framing data availability as the gate that must open before quantification can begin misreads what the methodology actually requires. The more productive near-term investment is in building the estimation and analytical capacity to work with what already exists.
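To make concrete what "structured estimation" means in finding 03 and in the perception-gap argument above, here is an added example (not from the dissertation, and not the FAIR standard's own tooling): a FAIR-style decomposition of one loss scenario into threat event frequency, vulnerability and loss magnitude, each carried as a calibrated three-point estimate rather than a high/medium/low label, run through a Monte Carlo simulation to produce an annualised loss distribution. The scenario and every figure in it are constructed placeholders, not values from the research.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Estimate:
    """Calibrated three-point estimate (minimum, most likely, maximum)."""
    low: float
    mode: float
    high: float

    def mean(self):
        return (self.low + self.mode + self.high) / 3  # mean of a triangular

    def draw(self, rng):
        return rng.triangular(self.low, self.high, self.mode)

@dataclass
class Scenario:
    """FAIR-style decomposition of one loss scenario (hypothetical values)."""
    name: str
    threat_event_frequency: Estimate  # attempts per year
    vulnerability: Estimate           # probability an attempt becomes a loss event
    loss_magnitude: Estimate          # loss per event, in currency units

def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small annual rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(scenario, years=20000, seed=2023):
    """One simulated annual loss per year: frequency and magnitude drawn separately."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        rate = scenario.threat_event_frequency.draw(rng) * scenario.vulnerability.draw(rng)
        events = poisson(rng, rate)  # loss events that actually occur this year
        losses.append(sum(scenario.loss_magnitude.draw(rng) for _ in range(events)))
    return losses

def summarize(losses):
    """Annualised loss exposure: mean plus tail percentiles a supervisor can compare."""
    ordered = sorted(losses)
    pct = lambda p: ordered[int(p * (len(ordered) - 1))]
    return {
        "mean": sum(ordered) / len(ordered),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "prob_any_loss": sum(1 for x in ordered if x > 0) / len(ordered),
    }

def analytic_mean(scenario):
    """Closed-form expected annual loss, used as a sanity check on the simulation."""
    return (scenario.threat_event_frequency.mean()
            * scenario.vulnerability.mean()
            * scenario.loss_magnitude.mean())

# Constructed example; the figures are placeholders, not findings from the research.
RANSOMWARE = Scenario(
    name="Ransomware reaching core banking (hypothetical mid-sized bank)",
    threat_event_frequency=Estimate(2, 6, 15),
    vulnerability=Estimate(0.02, 0.05, 0.15),
    loss_magnitude=Estimate(200_000, 1_500_000, 8_000_000),
)
```

Running `summarize(simulate(RANSOMWARE))` gives a mean and tail (p90, p99) that can be compared across scenarios and institutions, which a single "high" rating cannot; none of the inputs is a historical loss record.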
For the broader conversation: the qualitative-only approach deserves scrutiny, not deference
The consistency of regional frameworks with BIS guidance is real and it matters. But consistency with a global standard is not the same as adequacy. The research found that three quarters of regional regulators themselves are not confident that qualitative methods give them a complete picture of cyber risk exposure. When practitioners express doubt about their own tools, that doubt deserves to be taken seriously, not as a criticism of those practitioners but as a signal that the tools need to evolve. The global standard-setting conversation is already moving in this direction. The Caribbean has an opportunity to be a thoughtful participant in that shift rather than a late adopter of it.
A note on limitations
This research has boundaries worth acknowledging. The survey captured perspectives from forty regulators across twelve jurisdictions, a meaningful sample given the size of the regional regulatory community, but it was not exhaustive. The findings also reflect attitudes and perceptions at a point in time, in a regulatory landscape that is still evolving. And the study focuses on the regulator side of the equation: how regulated institutions themselves perceive and navigate these questions is a related but distinct inquiry that remains largely unexplored in the regional context.
These limitations do not undermine the findings. They point toward where the research conversation should go next.
Future research directions
Three questions emerge naturally from this work and remain open. First, how do regulated financial institutions in the Caribbean region perceive the adequacy of current supervisory approaches to cyber risk and what would they need to support a shift toward quantification? Second, as regional regulatory frameworks continue to develop, what implementation pathways for CRQ are realistic given the specific capacity and resource constraints of smaller jurisdictions? Third, how does the Caribbean experience compare to other small developing market contexts facing similar structural challenges?
SECTION 6 - PUBLICATIONS FROM THIS RESEARCH
Where the research goes next
This research has generated a programme of writing exploring its themes in depth. Each piece stands alone, is grounded in the findings of the study and is intended for practitioners, policymakers, and others working at the intersection of cyber risk and financial regulation.
01
FROM THE RESEARCH - PART 1
Cyber Risk as a Special Case in Operational Risk
Treating cyber as operational risk isn't wrong. It's just not enough. Operational risk frameworks brought structure and regulatory legitimacy to cyber risk management but they were built around historical loss data, stable threat profiles, and actuarial logic that cyber doesn't reliably conform to. This piece examines what the operational risk classification gets right, where it falls short, and why a supplementary lens is needed rather than a wholesale replacement.
02
FROM THE RESEARCH - PART 2
The Perception Gap: What CRQ Actually Requires
The most cited barrier to cyber risk quantification may be based on a misconception. Nearly all regulators surveyed flagged data availability as a significant obstacle to adopting CRQ. But the frameworks most associated with quantification, particularly FAIR, are built around structured estimation, not historical loss databases. This piece examines the gap between what practitioners believe CRQ demands and what it actually requires as a starting point.
03
FROM THE RESEARCH - PART 3
Whose Risk Is It? The Regulator's Lens and the Firm's Exposure
Supervisory effectiveness depends on asking the right question and the right question isn't always the firm's. There is a meaningful distinction between a regulator assessing whether a firm's cyber risk threatens its own prudential objectives and one attempting to replicate the firm's internal risk assessment. Conflating the two leads to poorly scoped supervisory tools and unclear expectations on both sides. This piece draws on survey findings to explore what the appropriate supervisory frame looks like in practice.
COMING
In Preparation
04
FROM THE RESEARCH - PART 4
CRQ for Financial Services Regulators: A Practical Primer
What cyber risk quantification is, what it isn't, and why it matters for supervisors. Written specifically for the regulatory audience, this piece provides an accessible introduction to the main quantification frameworks, with FAIR as the centrepiece, and examines how a regulator might apply them as supervisory tools rather than internal risk management instruments.
COMING
In Preparation
05
FROM THE RESEARCH - PART 5
The Appetite Paradox: Wanting the Destination, Uncertain About the Path
Regulators broadly support the case for better cyber risk measurement. They're also the first to identify why it won't be easy. Survey findings reveal near-unanimous agreement that CRQ can help regulators achieve their goals, alongside near-unanimous identification of barriers to its adoption. This piece takes that tension seriously, examines what it reveals about the state of readiness in the region, and offers a practical framing for how the gap between appetite and adoption can begin to close.
COMING
In Preparation
06
FROM THE RESEARCH - PART 6
How Regulators Are Evolving Their Cyber Risk Toolkits
The international direction of travel is clear. The question is whether the Caribbean is positioned to follow. Recent BIS and regulatory discussions have placed cyber risk quantification at the centre of the supervisory toolkit conversation. This piece surveys how leading regulators globally are innovating their approaches and uses the findings from this research as a case study in the distance between where global regulatory thinking is heading and where regional frameworks currently sit.
COMING
In Preparation
07
FROM THE RESEARCH - PART 7
The Case for CRQ in Caribbean Financial Supervision: A Research Synthesis
What the evidence shows, what it means, and what comes next. Drawing together the findings of this research and the body of writing that followed it, this piece makes the cumulative case for cyber risk quantification as a supervisory tool in the Caribbean financial sector and outlines the conditions under which meaningful progress is most likely.
COMING
In Preparation
This series reflects the author's independent research conducted as part of an MSc dissertation at the University of Portsmouth (2023). Views expressed are those of the author in a research capacity and do not represent the position of any institution or employer.