Information Security and Cyberrisk Management

Financial companies need practical risk management solutions to meet heightened cybersecurity expectations.


Information security and cyberrisk management have become crucial components in the safe and sound operation of financial companies. A growing number of criminals, activists, and nation-state actors exploit weak digital security to pursue illegal activities, and instances of cybercrime — including money laundering, fraud, and information theft — have grown sharply in recent years.

Regulators have responded with heightened expectations for information security practices and new expectations in emerging areas such as vendor security, cloud computing, and mobile computing. Bank boards and managers are under pressure to demonstrate that they understand the threats they face today and the ones they are likely to face tomorrow.

Promontory’s Information Security & Cyberrisk Management practice helps financial companies address regulatory expectations for cybersecurity. We tailor our advice to the threats that a company is most likely to face based on its products, services, complexity, and footprint, and measured against its existing controls and cyberrisk management. We assess programs at all levels, from strategic reviews of cyberrisk management models to detailed compliance reviews.

Promontory has deep experience in financial services technology, operations, and regulation. Our Information Security & Cyberrisk Management team is uniquely qualified to help companies develop practical cybersecurity programs that meet regulatory requirements and expectations.

Our Clients

Promontory’s Information Security & Cyberrisk Management practice helps clients whose regulators have identified areas for improvement, as well as those looking to update existing programs to meet heightened expectations. We advise mid-size financial institutions in making the most of their cybersecurity budget, as well as large multinationals seeking to integrate global operations in a risk management framework. We also assist clients preparing for regulatory or audit examinations.

We focus on helping clients move from a detect-and-respond to an anticipate-and-defend posture. That includes developing technology risk and performance metrics that provide managers with information they can use.

NIST Framework Risk Management and Validation

Promontory’s Web-based risk software allows financial institutions to identify, manage, and report on cybersecurity risk in line with the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity.

Our solutions help institutions by:

  • Validating and assessing current cybersecurity programs against the framework
  • Performing a gap analysis of current cybersecurity programs against the framework and identifying areas of future regulatory concern
  • Using the framework review and validation as a pre-evaluation and preparation for upcoming examinations
  • Communicating the regulatory impact of the framework to executives and directors, including the board and audit and risk committees


Scalable Solutions

Although our services vary widely depending on the client’s needs, we typically structure our assistance through three broad offerings: Diagnostic Review, Deep-Dive Review, and Risk Mitigation.

Diagnostic Review

Promontory provides clients with an initial assessment of their cybersecurity programs and their compliance with regulatory guidance and expectations through a unique approach organized around five critical pillars: strategy and architecture, governance, modeling and risk assessment, controls validation, and continuous monitoring. The diagnostic review is designed to identify potential blind spots and gaps in cyberrisk controls so that clients can make meaningful changes to decrease risk. We also offer limited-scope reviews across a wide range of activities that fall within a specific pillar.

We customize each review to the client’s business, and usually complete a diagnostic review in two to three weeks. We deliver an evaluation of the program against regulatory expectations and best practices, as well as specific, practical recommendations to remediate identified shortcomings.

Deep-Dive Review

Promontory offers a targeted review of specific elements of information security and cyberrisk management. Typical deep dives include an evaluation of an organization’s current state; a comparison against regulatory expectations and industry-leading practices, highlighting areas requiring improvement; and program design and planning. Engagements typically run for four or more weeks, depending on the nature and number of activities within the review scope.

We typically conduct deep dives in:

  • Governance of information security programs
  • Policy, procedure, and process review
  • Incident response, threat intelligence, and security operations
  • Regulatory findings review and response

Risk Mitigation

Promontory provides risk mitigation to clients that have identified weaknesses, whether through regulators, third parties, or internal audits. We recommend technical changes to fine-tune existing programs and overhaul programs for clients looking to make broader changes. The Promontory team has experience developing and implementing complex risk management programs at leading financial institutions and federal government agencies.

The Promontory Difference

Promontory Financial Group helps companies and governments around the world manage complex risks and meet their greatest regulatory challenges with integrity and quality. We are the world’s foremost experts in financial risk, regulation, and compliance. Our work makes our clients stronger and the financial system safer for consumers.

Our cyberrisk team includes experts with backgrounds in the financial services and information security industries, regulatory agencies, the law-enforcement and intelligence communities, and academia. We have decades of experience creating and implementing information security programs for financial institutions and government agencies.

We also have a wealth of network security experience and subject-matter knowledge, and our professionals stay on the leading edge of industry best practices, cybersecurity frameworks, and third-party products and services. We monitor emerging attack trends, threat actors, and system vulnerabilities through an extensive network of contacts. We help clients focus not only on current threats, but also on the threats they may face in the future.

Representative Engagements


  • Developed action plans for numerous financial services firms in response to federal and state-level regulatory findings — such as matters requiring attention and consent orders — that successfully addressed concerns about governance, security controls, and effective countermeasures to threats. The resulting improvements optimized the performance of business lines while preventing significant regulatory sanctions.
  • Performed information security governance reviews at a bank vendor following a widely publicized data breach. The reviews included “tone at the top” assessments of senior management and incident-response effectiveness, followed by the implementation of improved security controls.
  • Assisted a bank vendor in responding to regulatory concerns about cloud storage of sensitive data, including personally identifiable information. As a result of the engagement, the bank was able to continue using the vendor and maintain regulatory goodwill.
  • Created a roadmap for cybersecurity improvements at a financial services utility to address regulatory concerns. Results included better reporting to upper management, new vulnerability and threat programs, and improved information-security risk modeling. The engagement’s successful conclusion allayed regulators’ concerns and demonstrated the firm’s commitment to cybersecurity best practices.
  • Designed a client’s third-party and vendor-assessment methodology and cybersecurity risk evaluation process, and assisted in reviews of prospective vendors. As part of its assessment, Promontory reviewed vendor-security audits, which required mapping controls to relevant regulatory requirements.
