Acknowledgments

Since its release, the CRI Profile has rapidly become a globally-known compliance assessment framework, which is used in every corner of the financial services industry. The increased attention to the Profile has led some regulatory agencies to make clear that they welcome the Profile as a compliance assessment framework. This includes multiple bodies in the United States and a number of additional international regulators in Europe and the Asia Pacific.

USA

UK & Europe

Asia-Pacific

Middle East

International Bodies

FFIEC referenced the CRI Profile as a tool for financial institutions to consider in its announcement sunsetting the FFIEC Cybersecurity Assessment Tool (CAT)

FFIEC

CISA included a CRI mapping in the CPGs and acknowledged CRI in its CPG Matrix

CISA

NYDFS re-cited the Profile in its public FAQs

NYDFS

“Say Goodbye to the CAT” references CRI’s presentation in the “Ask the Fed” series about the CAT sunset.

Richmond Fed

“Treasury, as Sector Risk Management Agency for the financial services sector, appreciates the inclusion of precision time resiliency into the CRI Profile. This collaboration on responsible use of precision time enables the sector to fully benefit from the Biden-Harris Administration’s continued work on this Executive Order…”

Todd Conklin, Deputy Assistant Secretary for the US Treasury Office of Cybersecurity and Critical Infrastructure Protection

“...the CRI Profile, and other similar risk-based tools have been useful to help financial institutions of all shapes and sizes assess their cyber risk and manage the myriad of financial regulatory requirements through a unified approach.”

Ron Green, Chair, Financial Services Sector Coordinating Council

“The Office of the Comptroller of the Currency (OCC) recently developed and distributed the Cybersecurity Supervision Work Program... [references include] the … the Cyber Risk Institute’s Profile.”

OCC Cybersecurity, Cybersecurity Supervision Work Program

11. Has the institution assessed its cybersecurity risk and preparedness in the last 12 months using FFIEC CAT, [CRI] Profile, NIST or any other assessment tool?

FDIC, Intrex Information Technology Profile Online Form

“The CFTC welcomes collaborative approaches to advance and support cyber preparedness and enhance the efficiency and effectiveness of its system safeguards oversight. To this end, the CFTC welcomes use by regulated entities of standardized tools aligned with industry standards and best practices to assess their cybersecurity preparedness. Such tools include the [CRI] Profile, the NIST Cybersecurity Framework, the ISO Cybersecurity Standard, and the ISACA COBIT Framework, among others.”

CFTC, CFTC Encourages Standardized Approaches to Assessing Cybersecurity Preparedness, Including the FSSCC Cybersecurity Profile

The Federal Financial Institutions Examination Council (FFIEC) members today emphasized the benefits of using a standardized approach to assess and improve cybersecurity preparedness... Institutions may choose from a variety of standardized tools aligned with industry standards and best practices to assess their cybersecurity preparedness. These tools include the FFIEC Cybersecurity Assessment Tool, the National Institute of Standards and Technology Cybersecurity Framework, the [CRI] Profile, and the Center for Internet Security Critical Security Controls.

FFIEC, FFIEC Encourages Standardized Approach to Assessing Cybersecurity Preparedness

The Cyber Risk Institute (CRI) is a not-for-profit coalition of financial institutions and trade associations. CRI’s mission is simple: Sharpen cybersecurity to protect the global economy. CRI does this by creating (and updating) a common framework for cybersecurity and resilience assessment. The [CRI] Profile tool consists of a list of assessment questions based on the intersection of global regulations and cyber standards, such as International Organization for Standardization (ISO) and NIST.

FFIEC, Cybersecurity Resource Guide for Financial Institutions

To manage cyber risk and assess cybersecurity preparedness of its critical operations, core business lines and other operations, services, and functions firms may choose to use standardized tools that are aligned with common industry standards and best practices. Some of the tools that firms can choose from include the [CRI] Profile.

FRB, OCC, FDIC, Sound Practices to Strengthen Operational Resilience

[The CRI Profile] builds upon the Cybersecurity Framework in ways that support the financial services community. NIST has found [the CRI Profile] to be 1) correct with regard to Cybersecurity Framework Version 1.1, 2) supportive of a risk-based approach to the cybersecurity, and 3) one of the more detailed Cybersecurity Framework-based, sector regulatory harmonization approaches to-date. NIST is happy to have supported the Financial Services Sector Coordinating Council in developing your work product.

NIST, Public Correspondence from Cyber Division Chief

The current Categories in the CSF 1.1 that cover governance would be moved into the new Govern Function. NIST requests feedback as to which current Categories should be moved... NIST will review other NIST frameworks with governance as an existing function to see if any of the categories are applicable for inclusion in the CSF 2.0... [including] the Cyber Risk Institute’s The Profile (financial sector CSF Profile), the draft NIST Information and Communications Technology Risk Outcomes (SP 800-221A), and the draft AI Risk Management Framework.

Cybersecurity Framework 2.0 Concept Paper: Potential Significant Updates to the Cybersecurity Framework

The risk assessments required by Sections 500.9 & 500.2(b) are the foundation of the comprehensive cybersecurity program required by DFS’s Cybersecurity Regulation, and a cyber assessment framework is a useful component of a comprehensive risk assessment. DFS ... expect[s] Covered Entities to implement a framework and methodology that best suits their risk and operations. Among the widely used frameworks Covered Entities employ are the FFIEC [CAT], the CRI Profile, and the NIST Cybersecurity Framework.

NYDFS, Cybersecurity Resource Center - Cybersecurity FAQs

Industry and financial authority toolkits and best practices for financial institutions continue to evolve. For example, the Cyber Risk Institute’s cloud profile provides financial institutions with a framework to evaluate cybersecurity risk with cloud services.

US Treasury, The Financial Services Sector’s Adoption of Cloud Services

CRI houses and maintains [the CRI Profile] — the benchmark for cybersecurity and resiliency in the financial services industry. This ever-evolving and concise list of assessment questions is drawn based on the intersection of global regulations and cyber standards, such as the standards of ISO and NIST.

ENISA, EU Cybersecurity Initiatives in the Finance Sector

[The Profile] managed by the Cyber Risk Institute... is a powerful tool to assist banks to mitigate the cost of fragmented cybersecurity regulations — incorporating national requirements from across the globe... it should become the accepted supervisory base-line upon which national variations can be established so supervisors and banks alike can more efficiently use scarce cyber security expertise.

ISRG, Financial Services Priorities for the UK’s G7 Presidency

Originating from the United States in response to the financial services regulatory fragmentation that began emerging around cybersecurity in 2016, the [CRI] Profile is designed as a global tool that can scale across geographies, regulatory jurisdictions, and financial institution type and complexity... The Profile’s modular and scalable nature means that it can readily incorporate additional regulatory frameworks to evolve with the changing regulatory landscape. This flexible design is why the Profile remains relevant now and will do so in the future, and why firms across the UK and mainland Europe are increasingly using it as a cyber risk assessment and regulatory convergence instrument.

UK Finance, A Unified Approach to Assessing Cybersecurity Risk – The Profile

Japan’s Financial Services Agency referenced the CRI Profile as a “relevant guideline” alongside the NIST Cybersecurity Framework

JFSA

Recommended frameworks for entities to refer to ... Cyber Risk Institute Cybersecurity Profile (previously known as Financial Services Sector Cybersecurity Profile)...

Reserve Bank of New Zealand, Guidance on Cyber Resilience

[The CRI Profile, also known as the FSP,] synthesizes the best cyber practices from industry, as well as regulators in different jurisdictions. We believe adoption of the FSP by FIs and recognition of the FSP by SC would increase global regulatory harmonisation and elevate the sector’s cyber posture as well as make communication between firms and competent authorities in Malaysia more effective.

Asian Securities Industry and Financial Markets Association (ASIFMA)

Abu Dhabi Global Market and its Financial Services Regulatory Authority (FSRA) pointed to the CRI Profile as a framework to use

Abu Dhabi Global Market

“In spite of the “shared responsibility” model, financial authorities deem FIs as ultimately responsible for managing their cloud services risks... [by] following well established industry standards such as... the Cyber Risk Institute (CRI)...”

BIS, FSI Insights on policy implementation No 50 Banks’ cyber security – a second generation of regulatory approaches

The [CRI] Profile provides a framework for cyber risk management assessment by financial firms and to demonstrate regulatory compliance... The [CRI] Profile is a customisation of the NIST Cybersecurity Framework that financial institutions can use for internal and external cyber risk management assessment and as evidence for compliance, encompassing relations between Cyber frameworks, including the Core Standards. Further, the [CRI] Profile tool encompasses all three of the Core Standards of this report, as well as others, detailing how different subsections of each of the three Core Standards (the NIST Cybersecurity Framework, ISO, and the CPMI-IOSCO Guidance), as well as other frameworks may overlap with or be functionally equivalent to each other.

IOSCO, Cyber Task Force – Final Report

The [CRI] Profile aggregates cybersecurity regulatory requirements from several regions, identifies where requirements are shared and creates diagnostic statements that describe the desired end state that a firm needs to reach in order to be compliant.

WEF, Systems of Cyber Resilience: Secure and Trusted FinTech

Trusted Standards for Evolving Risks

The Cyber Risk Institute mission is to advance the development and harmonization of cybersecurity, technology, and AI risk management standards for the financial services industry.

As a not-for-profit standards development organization, CRI connects threats to mitigating controls and associated compliance to provide institutions with a comprehensive view of risk—from the server room to the boardroom.

We do this through our products (CRI Profile, Cloud Profile, and FS AI RMF), member engagement, and an ecosystem of globally known tool providers and consulting firms.