The Strategy That Drives Us
What began as a working group in the Financial Services Sector Coordinating Council (FSSCC) has grown into an independent organization with global impact.
Today, CRI supports the financial services ecosystem by maintaining the CRI Profile and related tools–and expanding their use across the entire industry.
The Profile has now been downloaded tens of thousands of times across six continents, serving as a trusted cybersecurity framework for financial institutions worldwide.
Meet the Sector’s Needs
As use of the CRI Profile has grown globally, we’ve continued to evolve it by:
- Integrating more technology-specific controls
- Extending the framework to cloud environments through the Cloud Profile
- Adding a maturity model to support board reporting and peer benchmarking
- Developing new guidance to manage AI-related risks in financial services
We seek to continually increase value to our members and the broader ecosystem by:
- Enhancing and expanding CRI frameworks
- Driving regulatory acceptance worldwide
- Increasing use of our frameworks across institutions and the ecosystem
- Adding practical tools to support implementation
2016 – 2022
In 2016, a sector-wide survey revealed that financial institutions’ Chief Information Security Officers’ teams were spending up to 40% of their time on compliance tasks–time that could be better spent on frontline cybersecurity. In response, the FSSCC launched a mapping exercise to align regulatory expectations to the NIST Cybersecurity Framework (CSF).
This effort evolved into a multi-year initiative involving over 150 organizations, ultimately leading to the development of the Financial sector Cyber Profile v1.0, published in 2018.
In August 2019, the U.S. Federal Financial Institutions Examination Council (FFIEC) issued a press release pointing to the Profile as a tool that institutions may choose from to help align “with industry standards and best practices to assess their cybersecurity preparedness.” And so, the Cyber Risk Institute was born.
2022 – 2024
CRI became an independent organization in 2022. During this time, we worked to expand the depth of the Profile through the incorporation of maturity, cloud controls, and additional cyber controls related to incident response and operational resilience. We developed training materials for members. We also integrated the Cloud Security Alliance’s (CSA) Cloud Control Matrix (CCM) into the Profile.
2024 – 2025
In 2024, CRI released an updated Profile and Cloud Profile aligned with the NIST CSF v2.0. In 2025, we published Profile v2.1 with two dozen mappings and a Maturity Model for the Profile v2.1. Along the way, we remained committed to the continued education of regulators and firms on the value and benefits of the Profile. We also delivered training materials to members and are working on peer benchmarking. We also have grown membership significantly during this time period and established a successful Innovator and Affiliate ecosystem.
2026 & BEYOND
CRI will explore:
- Establishing a peer benchmarking program
- Developing Profile certification and training
- Strengthening ties between cyber and technology risk into broader enterprise risk approaches
- Further integrating cyber and technology expectations related to third-party engagements, operational resilience, and quantum computing
Our Strategic Plan
Our current strategic plan includes four main areas of focus. We are currently revising our strategic plan to reflect our activities and product suite and will update you here once finalized.
Map Additional Cyber-Related Requirements
NEAR-TERM
- Sustain Profile revision cycle
- Expand cyber-related controls
- Develop Financial Services AI RMF
MEDIUM-TERM
- Develop policies, procedures, and organizational chart templates for users
- Automate mapping capabilities
- Strengthen cyber, tech, AI risk ties
LONG-TERM
- Extend Profile-like approach to other sectors
Add Functionality to the Profile
NEAR-TERM
- Provide free online tool for members
- Develop Maturity Model assessment for the Profile
- Establish benchmarking program
- Put Profile in machine-readable format (e.g., OSCAL)
MEDIUM-TERM
- Develop policies, procedures, and organizational chart templates for users
- Facilitate discussions on APIs
LONG-TERM
- Develop a training and certification program
Drive Profile Acceptance
ONGOING
- Expand regulatory engagements
- Sustain and increase pace of regulatory engagements
- Raise CRI Profile awareness via select events
- Educate/engage policymakers
Expand Profile Use
NEAR-TERM
- Provide Profile implementation training materials
- Host and participate in webinars and events
- Grow Affiliate and Innovator Programs
MEDIUM-TERM
- Build strategic partnerships
- Develop new products and frameworks
- Translate the Profile
LONG-TERM
- Create Board-level educational materials
Artificial Intelligence Risk Management, Built for Financial Services
CRI is working with the FSSCC to tailor the NIST AI Risk Management Framework (RMF) for the financial sector. The upcoming CRI Financial Services (FS) AI RMF will help financial institutions of all sizes manage AI-related risks through:
- A Risk and Controls Matrix (RCM) with AI principles, risks, and control objectives
- A questionnaire to tailor the control objectives by AI adoption stage
- A guidance document to assist with FS AI RMF implementation
This framework will scale with an organization’s AI use, align to regulatory expectations, support cross-functional governance, and align to the CRI Profile where appropriate.
Expected release: Early 2026. Participation is open to FSSCC and CRI members.
Coming Soon: CRI Benchmarking Program

Trusted Frameworks for Evolving Risks.
CRI connects threats to mitigating controls and associated compliance to provide institutions with a comprehensive view of risk—from the server room to the boardroom.
We do this through our products – CRI Profile, Cloud Profile, and FS AI RMF – member engagement, and an ecosystem of globally known tool providers and consulting firms.