Become a member
Cyber Risk Institute Privacy Policy

Effective: April 12, 2023

This privacy policy (“Policy”) explains how the Cyber Risk Institute (“CRI,” “we,” or “us”) collects, uses, and shares information in connection with an individual’s (“you” or “user”) use of, and our other websites and mobile applications that link to this Policy (collectively, the “Services”).  It also describes your rights and choices with respect to the information we collect.

Information that We Collect

We collect a variety of information when you use or access our Services, including:

  • Contact information.  When you create an account on the Services, register for an event, or sign up for our newsletters or emails, we may collect your contact information, such as name, mailing address, postal code, email address, and phone number.
  • Demographic and business-related information.  We also may collect demographic and other information, such as your job title or position, company name or affiliation, primary business, preferences, and interests.
  • Event registration information.  In addition to the contact, demographic, and payment information discussed above, we or our partners may collect additional information when you register for an event, such as emergency contact details, hotel accommodations, dietary restrictions, and answers to event-related questions.
  • Other information you provide to us.  We collect additional information that you provide to us directly or through the Services, such as when you communicate with us, use our web-based tools, ask us a question, respond to our surveys, or submit your name, resume and cover letter when expressing an interest in working for us.
  • Information collected automaticallyWhen you use the Services, we or our third-party service providers may automatically receive and record certain information from your device or through the Services.  For example, this may include your device’s IP address, web pages you visit or features you use within the Services (including across different devices), the date and time of your activities on the Services, time since your last visit, links you click, searches conducted, the website visited before navigating to the Services, your software and hardware attributes (including browser and operating system type and version, device screen size, mobile app version, device type, and device identifiers), demographic and interest data based on browsing activity, and your general location inferred from an IP address.  To obtain such information, we or our third-party service providers may use cookies and other similar technologies to recognize your device and collect information about your device and Services usage.  See the “Third-Party Analytics and Interest-Based Advertising” section of this Policy to learn more about the use of this information and the choices available to you.  

We may combine information collected through the Services with other information that we or third parties collect about you in other contexts, such as our communications with you, our events, or through referrals. 

How We Use Information

We use the information we collect for a variety of purposes, including:

  • Providing our services.  To provide our Services to you, carry out the transaction(s) you request, fulfill the terms of any agreement you have with us, process payments, register for events, respond to your requests or inquiries, conduct internal record keeping, secure your information and our Services, and for other purposes related to managing our organization.
  • Communicating with you.  To communicate with you regarding your account, events or conferences for which you have registered, important updates regarding our Services, and other administrative matters.
  • Newsletters, promotional messages, and advertising.  To send you newsletters or other promotional messages regarding our Services and events that we organize, and to target our advertising as described in the section below titled “Third-Party Analytics and Interest-Based Advertising.”
  • Analytics and improving the Services.  To count and recognize visitors to the Services, analyze how visitors use the Services, improve the Services, create new features or services, and conduct analytics, including as described in the section below titled “Third-Party Analytics and Interest-Based Advertising.”
  • Compiling aggregated information.  To compile aggregated statistics or reports that we may share with our event co-sponsors, partners, or other third parties.
  • Legal Purposes.  For legal purposes, including as described in the section below titled “How We Share information.”
  • Consent.  With your consent or as otherwise disclosed at the time information is collected. 

How We Share Information

We may share information with third parties in various contexts, including:

  • Service providersWe use third-party service providers to assist us in the operation of the Services, including to manage our communications and newsletters, provide event registration services, process payments, host and process data, and conduct analytics and interest-based advertising.  We may permit these third-party service providers to collect information on our behalf or share information with these service providers for the purposes described in this Policy.
  • CRI members.  We may share information, including event attendee or participant lists, with our members.
  • Event co-sponsors and partnersWe may share information with organizations that co-sponsor events with us or otherwise partner with us to provide events or services to you.
  • Legal purposesWe may use and disclose information where we believe that doing so is necessary:
  • To comply with applicable law or a court order, subpoena, or other legal processes.
  • To investigate, prevent, or take action regarding illegal activities, suspected fraud, violations of our terms and conditions, or situations involving threats to Services users, our property, or the property or physical safety of any person or third party.
  • To establish, protect, or exercise our legal rights or defend against legal claims.
  • Corporate transfers.  In the event of a merger, sale of capital stock or assets, investment, reorganization, bankruptcy, consolidation, or similar transaction, we may share the information we possess to facilitate the transaction, including during due diligence, or as a corporate asset to the acquiring entity.
  • Aggregated informationWe may provide third parties with aggregated information about our membership or users of our Services, including demographic and usage information.
  • Consent.  With your consent or as otherwise disclosed at the time information is collected or shared. 

Third-Party Analytics and Interest-Based Advertising

We partner with third parties to engage in analytics, auditing, research, and reporting on our Services.  These third parties collect information regarding your usage of the Services as described in the section above titled “Information that We Collect” using cookies and similar technologies.  In particular, we use Google Analytics on the Services.  You can learn more about Google Analytics’ data practices here and opt out here.

We also partner with third parties to provide advertising services that are targeted based on your online activities across websites, mobile apps, and devices over time (commonly referred to as “interest-based advertising”).  Our advertising partners may collect information about your activities on our Services on your current device and combine it with information about your activities on other websites, mobile apps, and devices.  

You can learn more about this type of advertising and how to opt out on websites by companies participating in the Digital Advertising Alliance’s self-regulatory program by visiting the DAA Webchoices tool at  If you wish to opt-out of interest-based advertising in mobile apps on your device by companies that participate in the DAA’s AppChoices app, you may do so by downloading the tool at and following the instructions in the app.  Note that electing to opt out will not stop advertising from appearing in your browser or applications.  It may make the ads you see less relevant to your interests.

Please note that the opt-outs described above will apply only to the specific browser or device from which you opt out, and therefore you will need to opt out separately on all of your browsers and devices.  If you delete or reset your cookies or mobile advertising identifiers, change browsers (including upgrading certain browsers), or use a different device, any opt-out cookie or tool may no longer work and you will need to opt out again.  Our Services do not respond to Do Not Track signals at this time.

Additionally, you can set your browser to refuse all cookies or to indicate when a cookie is being set, allowing you to decide whether to accept it.  You can also delete cookies from your device.  However, if you choose to block or delete cookies, certain features of the Services may not operate correctly.

Information for Users in the EEA, Switzerland, or the United Kingdom 

This section applies to those that access our Services from the European Economic Area (“EEA”), Switzerland, or the United Kingdom.

The information that we collect through or in connection with our Services is processed by CRI in the United States in its role as data controller, for the purposes described above.  When transferring personal information to countries outside the EEA, Switzerland, or the UK, we are required to ensure personal information about you is adequately protected in the country where it is transferred. We transfer personal information in this manner subject to safeguards that assure the protection of personal information, such as implementing standard contractual clauses.

We may process information about you under the following conditions:

  • Consent: You have given your consent for processing information about you for one or more specific purposes.
  • Performance of a contract: Provision of information about you is necessary for the performance of an agreement with you and/or for any pre-contractual obligations thereof.
  • Legal obligations: Processing information about you is necessary for compliance with a legal obligation to which CRI is subject.
  • Vital interests: Processing information about you is necessary in order to protect your vital interests or of another natural person.
  • Public interests: Processing information about you is related to a task that is carried out in the public interest or in the exercise of official authority vested in CRI.
  • Legitimate interests: Processing information about you is necessary for the purposes of the legitimate interests pursued by CRI.

You have the rights to the following:

  • The right to access – You have the right to request copies of information about you held by CRI. 
  • The right to rectification – You have the right to request that CRI correct any information about you that you believe is inaccurate. 
  • The right to erasure –  You have the right to request that CRI erase information about you, under certain conditions. 
  • The right to restrict processing – You have the right to request that CRI restrict the processing of information about you, under certain conditions. 
  • The right to object to processing – You have the right to object to CRI processing information about you under certain conditions. 
  • The right to data portability – You have the right to request that CRI transfer the information that we have collected to another organization or directly to you, under certain conditions.
  • The right to withdraw consent – You have the right to withdraw your consent on using information about you. If you withdraw your consent, we may not be able to provide you with access to certain specific functionalities of the Service.

To make exercise or inquire about these rights, please email with “Attn: Privacy” in the subject line.  We may need to verify your identity or authenticate your information before implementing your request.

If you have questions with our response to your request, please reach to us first at  If we do not provide you with a satisfactory response, you have the right to complain to a supervisory authority in your country of residence. 

Your Choices

If you no longer want to receive newsletters or promotional communications from CRI, please follow the “unsubscribe” instructions that are included at the bottom of each message.  Please note that if you unsubscribe from our newsletter or promotional communications, you will still receive administrative messages.

For choices with respect to third-party interest-based advertising activities, please see the “Third-Party Analytics and Interest-Based Advertising” section above.  

Data Retention

CRI retains information about you for as long as reasonably necessary for its legitimate business purposes, to provide the Services to you, to fulfill the purposes described in this Policy, or as required by law.

Third-Party Websites and Tools

The Services may contain links to websites or mobile apps of other third parties, including social media sharing features that link to third-party websites.  If you follow a link to any of these websites or apps, please note that these websites and apps (and any services that may be accessible through them) have their own privacy policies.  We are not responsible for the privacy practices of other websites or apps or the information you share through such other websites or apps.  We encourage our users to be aware when they leave the Services and to read the privacy policies applicable to such third-party websites and apps.  

The Services may integrate third-party plugins (such as a Twitter “follow” button).  Even if you do not click on these plugins, they may collect information about you, such as your IP address and the pages that you view.  They also may set and/or access cookies or use similar technologies.  These plugins are governed by the privacy policies of the companies providing them.

Contact Us

If you have any questions or concerns regarding this Policy, please contact us by email at, with “Attn:  Privacy” in the subject line, or by mail at Cyber Risk Institute, Attn:  Privacy, 600 13th Street NW, Suite 400, Washington, DC 20005.