TriSecOps
Published in TriSecOps

How regulations can provide opportunity

https://xkcd.com/927/

The Australian financial services industry is currently working through the final guidance from APRA on CPS 234 — the prudential standard on information security management.

For some teams, APRA’s guidance will just be added to a compliance ‘to do’ list focused on meeting the minimum requirements.

Regulators across the globe are doing their best to introduce operating frameworks to meet the varied desires and needs of diverse stakeholders. In addition to their role in providing oversight, they must also provide assurance to the community that the industry they oversee is meeting a base standard of expectations.

In some markets, they choose to do this with a light touch for policy reasons or the reality of their resources. This can lead to guidelines being interpreted as nothing more than a checklist to execute as painlessly as possible, rather than an opportunity to align regulation, business outcomes and growth.

What’s your organisation’s focus?

For the companies we work with, APRA’s prudential practice guide on information security opens opportunities to revise security strategy. Starting from first principles, we ask, “What is the problem we need to solve?”

The common approach is to then map board, executive team and regulators’ views to ensure all stakeholders’ needs are met. But we prefer to then ask, “How can your cybersecurity strategy help you to grow your business?”

We look at APRA’s guidelines from the customer’s viewpoint, asking how each of the requirements or changes could be of value to a customer and how you could tell them about it.

The implementation of the new guidelines is not only a great time to ensure you meet the intent of the regulation, but it’s also an opportune time to revisit your customers’ stories, ensuring cybersecurity matters to them too.

Moving from compliance to growth

The APRA guidelines on information security cover key areas that customers (and you) should care about, including identity, access management, and customer impact.

If you took each requirement, could you approach it as a product offering? And how would you sell it? Your approach to cybersecurity will enhance your brand and help to build trust with customers. We recommend working closely with your marketing team to help shape those messages.

You could create a section on your website, outlining your approach to cybersecurity. Transparency matters and stories about your approach to cybersecurity can go a long way to reassuring customers, both current and prospective, that you really do take security seriously. The stories don’t need to be extensive or detailed. They just need to reflect your company’s philosophy and act as a source of trusted information. There are many great examples of this, from cloud companies to banks, and they can provide inspiration on how to gain additional value from your compliance activities and turn them into business assets.

At TriSecOps we help our clients embed cybersecurity in their growth strategies through an integrated, end-to-end cybersecurity offering. We provide assurance and unlock opportunity.

Reach out if you need help implementing the new information security prudential standard.

Assurance. Opportunity. Growth. Cybersecurity that grows business.