CRI Issues Profile Version 2.0

Profile version 2.0 reflects the most significant update to date, expanding scope, coverage, features, and guidance.

Washington, D.C. – The Cyber Risk Institute (CRI) is pleased to release version 2.0 of the CRI Profile—the most expansive revision to date with an enhanced scope, new features, and more mappings to regulations and best practices. This release maintains alignment with the latest version of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) released earlier this week. CRI is also pleased to be included in the first group of mappings to NIST’s CSF version 2.0 within its Online Informative References (OLIR) program that seeks to standardize mappings between documents.

As requested by CRI’s members, the scope of Profile version 2.0 has been expanded to reflect broader information technology examinations, of which cyber is an important part. Profile version 2.0 includes enterprise technology, third-party risk management, and business continuity and resiliency in addition to cybersecurity.

“When the sector first came together to develop the Profile as an early-stage regulatory convergence tool, we had no idea the traction that it would gain. It is with great pride that I announce a new version that truly reflects the growing maturity of our sector and the importance of proper cyber risk management. As a member-driven organization, we have developed a new Profile – a Profile v2.0 – that will better position financial institutions as they navigate the cyber and IT regulatory landscape,” said Josh Magri, CRI Founder and CEO.

Additionally, the Profile v2.0 revises its third-party risk management function, which it now labels as “Extend,” to better reflect the growing importance of supply chain governance. CRI also includes new features, such as subject tags, and simplified assessment responses to help users more easily identify relevant content and provide assessment rationales and supporting evidence.

The CRI Profile continues to connect key cybersecurity control principles to guidance from government agencies. For the most recent update, the Profile has been mapped to, and has integrated, numerous global standards and supervisory expectations, including those from Japan, the European Union, Singapore, and the United States, among others. In doing so, the Profile allows financial institutions to assess themselves once and offer that assessment as a compliance tool to multiple regulators.

CRI Profile version 2.0 is accompanied by a revised CRI Profile Guidebook (formerly the Profile Workbook) that includes detailed guidance on control objectives, as well as examples of effective evidence that could be used by financial institutions during examinations.

CRI wishes to extend its gratitude to the financial institutions, regulatory groups, and other organizations that contributed to this initiative, including BCG Platinion, which provided initial support to the Profile’s development, and EY, which provided expertise and manpower to this important sector initiative. CRI also wishes to thank its 50+ member organizations, the CRI Board of Directors, which provided strategic guidance, and the CRI Profile Architecture Working Group, which reviewed and validated all of the Profile’s content and mappings.

As always, the Profile and Workbook, and the Cloud Profile are available for free download at To learn more about membership, please contact CRI at


About the Cyber Risk Institute: The Cyber Risk Institute (CRI) is a not-for-profit coalition of financial institutions and trade associations. We’re working to protect the global economy by enhancing cybersecurity and resiliency through standardization.

The CRI Profile, formerly the Financial Services Sector Coordinating Council Financial Sector Profile, is a cybersecurity framework developed by and for the financial sector based on globally recognized standards. It connects the dots between cyber best practices and expectations from all over the world.

Media Contact:
Emily Beam

February 29, 2024
