By Derek Smith Jr
Cyber crime has evolved from a mere threat into a daily occurrence that requires immediate action. Despite this, many businesses in The Bahamas continue to rely on legacy governance, risk and compliance (GRC) systems that were not designed for today’s dynamic cyber security landscape. These systems were built for annual audits, compliance checklists and static reporting, not for real time risk intelligence and quick-moving threats.
This mismatch exposes company Boards to growing operational, financial and reputational risk. This article describes why legacy GRC is outdated for today’s cyber risks, why Boards should take the topic seriously, and the path forward.
Legacy GRC is outdated for cyber risk
GRC tools work well for regulatory compliance, such as meeting FATCA (the US foreign account tax compliance act), GDPR (Europe’s general data protection regulation), or anti-money laundering obligations, but they fail when it comes to cyber security. Cyber threats do not follow audit cycles - they evolve hourly. Artificial intelligence (AI) is now being used by sophisticated attackers to identify and launch targeted attacks in seconds.
Recent examples illustrate the urgency. In 2024, Amazon faced over one billion cyber threat attempts daily, up from 100 million earlier that year. That is a ten-fold increase in less than 12 months. Meanwhile, Gartner projects that global cyber security spending will hit $212bn in 2025 as companies try to keep pace.
Why it matters for Bahamian Boards and executives
The US Securities and Exchange Commission (SEC) now requires public companies to disclose cyber risks, placing the issue directly on the Board’s agenda. Locally, financial regulators including the Central Bank of The Bahamas and the Insurance Commission of The Bahamas (ICB) have emphasised Board accountability for enterprise risk, including cyber.
Business leaders must now demand real time visibility of cyber risk exposure: not just technical metrics, but quantified impact in business terms.
Moving from reactive to real-time risk management
It is essential to adopt an “automation-first” cyber risk approach. For financial institutions working in or through The Bahamas to continue to succeed, integrated platforms that provide the following capabilities are needed instead of siloed reports or manual analysis:
* Quantified cyber risk in dollars and operational impact
* Real time intelligence from threat feeds, control assessments and vulnerability data
* Automated response triggers to reduce dwell time
* Unified dashboards for security, compliance and executive teams
* Audit-ready records aligned with international frameworks and local supervisory expectations
This approach aligns with the principles found in the Central Bank’s enterprise risk management guidelines (2023) and emerging regional standards.
Key next steps for businesses
During a candid conversation with a good family friend and regional information security leader, Shakera Johnson, she explained: “Compliance is still important, but it’s only one piece of the puzzle.” Mrs Johnson, director of information security at the Cable Bahamas group, continued: “Real cyber resilience means giving people across the organisation the visibility, speed and tools they need to be proactive. It is about building a culture where everyone understands their role in protecting the business, not just passing audits”.
Here are the next steps to take:
* Establish alignment across risk, compliance and security teams. Treat cyber risk as a shared responsibility, not just an information technology (IT) problem.
* Quantify acceptable risk levels with input from the chief executive and Board (Board-approved risk appetite).
* Modernise your GRC approach using AI-powered platforms that integrate cyber and operational risk management with your management information systems.
* Train Board members and senior executives on interpreting cyber risk metrics.
* Select a trusted cyber security partner that supports automation without disrupting existing business operations.
In short, cyber risk is now a core business risk. In 2025, your ability to protect digital assets, customer data and operational continuity depends on moving beyond traditional GRC systems. It is time for Bahamian business leaders to modernise their risk strategies before more adversaries strike.
• NB: About Derek Smith Jr: Derek Smith Jr has been a governance, risk and compliance professional for more than 20 years with a leadership, innovation and mentorship record. He is the author of ‘The Compliance Blueprint’. Mr Smith is a certified anti-money laundering specialist (CAMS) and holds multiple governance credentials. He can be contacted at hello@pineapplebusinessconsultancy.com