CRI Issues Profile Version 2.1 and Maturity Model

Profile version 2.1 and the release of the new Maturity Model reflect almost a dozen additional mappings and a new approach to organizing Examples of Effective Evidence.

Washington, D.C. – The Cyber Risk Institute (CRI) is pleased to release several key resources for the financial sector today, including Profile version 2.1, several companion resources, and a new Maturity Model to be used as a basis of peer benchmarking. These updates introduce a new approach to organizing Examples of Effective Evidence and include almost a dozen additional mappings, including the Federal Financial Institutions Examination Council’s (FFIEC) Development, Acquisition, and Maintenance Handbook; the Center for Internet Security’s Critical Security Controls v8.1; NIST 800-53 rev.5; and others. Importantly, all of the diagnostic statements from Profile version 2.0 remain unchanged.

As part of this release, CRI is also publishing an updated Profile Guidebook for v2.1, a companion resource offering detailed guidance on control objectives and examples of effective evidence to support institutions during assessments.

As requested by CRI’s members, CRI has also developed an implementation guide for the EU’s Digital Operational Resilience Act (DORA) to supplement the DORA mapping included in Profile version 2.1. Profile version 2.1 continues to connect core cybersecurity principles with guidance from regulatory bodies worldwide, now featuring nearly two dozen new mappings to further reflect its alignment to global standards, guidance, and regulations.

“CRI is committed to keeping the Profile evergreen through regular updates to authoritative references,” said Josh Magri, CRI Founder and CEO. “Version 2.1 represents another step forward in providing useful guidance to the financial sector. By harmonizing regulatory expectations and providing refinements to the framework, the Profile is helping institutions streamline assessments and improve internal alignment. The Maturity Model is a game-changer—it gives firms a structured way to measure progress and benchmark against peers. We are excited to see how firms implement it moving forward.”

CRI is also releasing a Maturity Model, which addresses high-level cybersecurity risk management outcomes. The CRI Maturity Model is aligned with the NIST CSF and provides a mechanism to quantitatively score responses at the diagnostic statement level. The CRI Maturity Model is available today exclusively to CRI members and will form the foundation for future peer benchmarking.

CRI extends its sincere thanks to the financial institutions, regulatory groups, and other organizations that contributed to these releases. Special recognition goes to EY, which provided expert support in updating Profile v2.1 and in the DORA implementation guide, and KPMG, which contributed to the development of the Maturity Model. CRI wishes to also thank its 100+ member organizations for participating in these efforts, the CRI Board of Directors for providing strategic guidance, and the CRI Profile Architecture Working Group for its meticulous review of the content and mappings.

The CRI Profile and Guidebook and the Cloud Profile and Guidebook are available for free download at www.cyberriskinstitute.org. The Maturity Model for peer benchmarking is available to CRI members. To learn more about membership, please contact CRI at membership@cyberriskinstitute.org.

 ###

About the Cyber Risk Institute: The Cyber Risk Institute (CRI) is a not-for-profit coalition of financial institutions and trade associations. We’re working to protect the global economy by enhancing cybersecurity and resiliency through standardization.

The CRI Profile, formerly the Financial Services Sector Coordinating Council Financial Sector Profile, is a cybersecurity framework developed by and for the financial sector based on globally recognized standards. It connects the dots between cyber best practices and expectations from all over the world.

Media Contact:
Emily Beam
Emily.Beam@cyberriskinstitute.org
April 15, 2025
