Become a member
Financial Sector Releases Updated CRI Cloud Profile with Support of U.S. Treasury

Unique Public-Private Collaboration Results in Update to the Cloud Profile

Washington, D.C.–​The Cyber Risk Institute (CRI) announces the publication of the CRI Cloud Profile version 2.0 and accompanying Cloud Profile Guidebook, Together, these documents expand the existing Cloud Profile to reflect the latest version of the Profile version 2.0, incorporate key cloud frameworks and guidance, and provide robust guidance to financial institutions.

The CRI Cloud Profile version 2.0, Cloud Profile Guidebook, and other key financial sector resources were unveiled at a press conference held jointly by the U.S. Treasury and the Financial Services Sector Coordinating Council (FSSCC) on July 17, 2024.

At that press conference and in a joint Treasury and FSSCC press release, leaders from U.S. Treasury, the Office of the Comptroller of the Currency (OCC), the Consumer Financial Protection Bureau (CFPB), and the FSSCC pointed to the Cloud Profile as an “effective practice” and as a “common tool developed for effective practices in secure cloud implementation” for the sector. The Cloud Profile was released alongside a suite of resources for financial institutions implementing cloud services found on Treasury’s website.

The Cloud Profile reflects longstanding collaboration among CRI, the Cloud Security Alliance, and the Cloud Service Providers to provide guidance to financial institutions moving to the cloud. These documents were developed with the assistance of the Financial Services Sector Coordinating Council (FSSCC), the Cloud Security Alliance, and CSPs. CRI Innovator, KPMG, provided technical support for the development of the Cloud Profile and Cloud Profile Guidebook.

“The CRI Cloud Profile version 2.0 ensures that financial institutions and CSPs all speak the same language by clarifying the shared responsibility model. We know that some financial institutions and CSPs have already begun leveraging this tool during their cloud contract negotiations and implementations. We are grateful to Treasury and the many government and regulatory agencies that reviewed and provided feedback on this newest version of the Cloud Profile and Guidebook,” said CRI Founder and President, Josh Magri.

“We are excited to partner with CRI and the Cloud Service Providers in the release of the CRI Cloud Profile version 2.0,” stated Jim Reavis, Co-Founder and CEO of the Cloud Security Alliance. “Secure cloud implementation practices are critical in protecting the global financial ecosystem. This collaboration has resulted in a robust framework and guidance that will prove invaluable to the FSI community as more financial institutions move to the cloud, and furthers our continued mission of defining standards and best practices to help ensure a secure cloud computing environment.”

The CRI Cloud Profile v2.0 and accompanying Cloud Profile Guidebook make it easier for financial institutions and CSPs to protect the financial ecosystem. Financial institutions have already begun using the Cloud Profile during cloud implementations and in contract negotiations. Together, these tools:

  • Conform to the CRI Profile v2.0 and the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework v2.0;
  • Establish the typical responsibilities between a financial institution and CSP to facilitate collaboration, ensure control coverage, and optimize resource allocation;
  • Point toward other key cloud frameworks like the CSA Cloud Control Matrix v4.0, the United Kingdom’s Cross Market Operational Resilience Group’s (CMORG) Cloud Control Framework, and the European Cloud User Coalition’s (ECUC) Position Paper v2.1;
  • Include interpretive guidance with additional detail to help organizations understand intent; and
  • Identify examples of effective evidence that organizations may provide to support responses in assessments.

Like the CRI Profile, the Cloud Profile is available for free download at www.cyberriskinstitute.org. To learn more about membership, please contact CRI at membership@cyberriskinstitute.org

 ###

About Cyber Risk Institute: The Cyber Risk Institute (CRI) is a not-for-profit coalition of financial institutions and trade associations. We’re working to protect the global economy by enhancing cybersecurity and resiliency through standardization.  https://cyberriskinstitute.org/

* The CRI Profile is the successor to the Financial Services Sector Coordinating Council (FSSCC) Cybersecurity Profile, a NIST and IOSCO based approach to assessing cybersecurity in the financial services industry. 

Media Contact:
Emily Beam
Emily.Beam@cyberriskinstitute.org
July 18, 2024

Next Article
CRI Expands to Include Financial Sector Community Leaders

BACK TO TOP