Cybersecurity Regulation in the Financial Sector: Reflexive Risk Management in the UK, USA and Nigeria

Abstract

Ph. D. ThesisThe consistent increase in the scale and forms of cyber threats, alongside the growth in use and global uptake of communications technologies, has made risk management a core function of 21st century service providers. This has necessitated the proactive mitigation of cyber threats and the integration of frameworks, policies and regulations that ensure the security of financial transactions. Exploring reflexivity as a mechanism for informing adaptive and resilient cybersecurity risk management practices, this thesis examines structures of coexistence between criminal justice and self-regulatory responses, multiple cycles of reflexive processes of self-examination, participation, communication, and revisions to influence future practices in ever evolving risk and policy landscapes. This thesis evaluates the review, identification, and control dimensions of cybersecurity risk management frameworks, analyses self-regulatory cybersecurity standards and specific cybersecurity legal frameworks applicable to financial institutions in the UK, US, and Nigeria, which can be implemented and/or remodelled to enhance the effectiveness of cybersecurity risk regulation. It observes that while effective cybersecurity risk regulation across the financial institutions is being hampered by factors such as cherry-picked laws, unclear mandates, and a lack of coordination between public and private stakeholders, strong implementation and enforcement structures may be facilitated by initiatives directed at networked governance and institutional arrangements involving a shared understanding of cyber threats and decision making processes. This thesis highlights the link between reflexivity and governance for learning in financial institutions, arguing that reflexivity will always not deliver learning, in the absence of good institutional structures of governance. Employing realist and constructivist risk theories and secondary analysis of qualitative data obtained from government and non government agencies to inform practices and steer regulatory policy decisions, this thesis identifies measures to enhance effective cybersecurity risk regulation in financial institutions and addresses possible challenges to reflexivity in cybersecurity risk regulation