Information security and cyberrisk management have become crucial components in the safe and sound operation of financial companies. A growing number of criminals, activists, and nation-state actors are exploiting weak digital security to pursue illegal activities, and instances of cybercrime — including money laundering, fraud, and information theft — have grown exponentially in recent years.
Regulators have responded with heightened expectations for information security practices and new expectations in emerging areas such as vendor security, cloud computing, and mobile computing. Bank boards and managers are under pressure to demonstrate that they understand the threats they face today and the ones they are likely to face tomorrow.
Promontory’s Information Security & Cyberrisk Management practice helps financial companies address regulatory expectations for cybersecurity. We tailor our advice to the threats that a company is most likely to face based on its products, services, complexity, and footprint, and measured against its existing controls and cyberrisk management. We assess programs at all levels, from strategic reviews of cyberrisk management models to detailed compliance reviews.
Promontory has deep experience in financial services technology, operations, and regulation. Our Information Security & Cyberrisk Management team is uniquely qualified to help companies develop practical cybersecurity programs that meet regulatory requirements and expectations.
Promontory’s Information Security & Cyberrisk Management practice helps clients whose regulators have identified areas for improvement, as well as those looking to update existing programs to meet heightened expectations. We advise mid-size financial institutions in making the most of their cybersecurity budget, as well as large multinationals seeking to integrate global operations in a risk management framework. We also assist clients preparing for regulatory or audit examinations.
We focus on helping clients move from a detect-and-respond to an anticipate-and-defend posture. That includes developing technology risk and performance metrics that provide managers with information they can use.
NIST Framework Risk Management and Validation
Promontory’s Web-based risk software allows financial institutions to identify, manage, and report on cybersecurity risk in line with the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity.
Our solutions help institutions by:
- Validating and assessing current cybersecurity programs against the framework
- Performing a gap analysis of current cybersecurity programs against the framework and identifying areas of future regulatory concern
- Using the framework review and validation as a pre-evaluation and preparation for upcoming examinations
- Communicating the regulatory impact of the framework to executives and directors, including the board and audit and risk committees
Although our services vary widely depending on the client’s needs, we typically structure our assistance through three broad offerings: Diagnostic Review, Deep-Dive Review, and Risk Mitigation.
Diagnostic Review
Promontory provides clients with an initial assessment of their cybersecurity programs and their compliance with regulatory guidance and expectations through a unique approach organized around five critical pillars: strategy and architecture, governance, modeling and risk assessment, controls validation, and continuous monitoring. The diagnostic review is designed to identify potential blind spots and gaps in cyberrisk controls so that clients can make meaningful changes to decrease risk. We also offer limited-scope reviews across a wide range of activities that fall within a specific pillar.
We customize each review to the client’s business, and usually complete a diagnostic review in two to three weeks. We deliver an evaluation of the program against regulatory expectations and best practices, as well as specific, practical recommendations to remediate identified shortcomings.
Deep-Dive Review
Promontory offers a targeted review of specific elements of information security and cyberrisk management. Typical deep dives include an evaluation of an organization’s current state; a comparison against regulatory expectations and industry-leading practices, highlighting areas requiring improvement; and program design and planning. Engagements typically run for four or more weeks, depending on the nature and number of activities within the review scope.
We typically conduct deep dives in:
- Governance of information security programs
- Policy, procedure, and process review
- Incident response, threat intelligence, and security operations
- Regulatory findings review and response
Risk Mitigation
Promontory provides risk mitigation to clients that have identified weaknesses, whether through regulators, third parties, or internal audits. We recommend technical changes to fine-tune existing programs and overhaul programs for clients looking to make broader changes. The Promontory team has experience developing and implementing complex risk management programs at leading financial institutions and federal government agencies.
The Promontory Difference
Promontory Financial Group helps companies and governments around the world manage complex risks and meet their greatest regulatory challenges with integrity and quality. We are the world’s foremost experts in financial risk, regulation, and compliance. Our work makes our clients stronger and the financial system safer for consumers.
Our cyberrisk team includes experts with backgrounds in the financial services and information security industries, regulatory agencies, the law-enforcement and intelligence communities, and academia. We have decades of experience creating and implementing information security programs for financial institutions and government agencies.
We also have a wealth of network security experience and subject-matter knowledge, and our professionals stay on the leading edge of industry best practices, cybersecurity frameworks, and third-party products and services. We monitor emerging attack trends, threat actors, and system vulnerabilities through an extensive network of contacts. We help clients focus not only on current threats, but also on the threats they may face in the future.