Privacy Policy

Effective: February 3, 2026

This privacy policy (“Policy”) explains how the Cyber Risk Institute (“CRI,” “we,” or “us”) collects, uses, and shares information from an individual (“you” or “user”) when you use or access www.CyberRiskInstitute.org, or our other websites and mobile applications that link to this Policy (collectively, the “Services”), or information that is provided by your current employer.  It also describes your rights and choices with respect to the information we collect.

Information that We Collect

We may collect a variety of information you or your employer provide about you or when you use or access our Services, including:

  • Contact information.  When you create an account on the Services, register for an event, or sign up for our newsletters or emails, we may collect your contact information, such as name, mailing address, postal code, email address, and phone number.
  • Demographic and business-related information.  We also may collect demographic and other information, such as your job title or position, company name or affiliation, primary business, preferences, and interests.
  • Event registration information.  In addition to the contact, demographic, and payment information discussed above, we or our partners may collect additional information when you register for an event, such as emergency contact details, hotel accommodations, dietary restrictions, and answers to event-related questions.
  • Other information you provide to us.  We collect additional information that you provide to us directly or through the Services, such as when you communicate with us, use our web-based tools, ask us a question, respond to our surveys, or submit your name, resume, and cover letter when expressing an interest in working for us.
  • Information collected automatically.  When you use the Services, we or our third-party service providers may automatically receive and record certain information from your device or through the Services.  For example, this may include your device’s IP address, web pages you visit or features you use within the Services (including across different devices), the date and time of your activities on the Services, time since your last visit, links you click, searches conducted, the website visited before navigating to the Services, your software and hardware attributes (including browser and operating system type and version, device screen size, mobile app version, device type, and device identifiers), demographic and interest data based on browsing activity, and your general location inferred from an IP address.  To obtain such information, we or our third-party service providers may use cookies and other similar technologies to recognize your device and collect information about your device and Services usage.  See the “Third-Party Analytics and Interest-Based Advertising” section of this Policy to learn more about the use of this information and the choices available to you.  

We may combine information collected through the Services with other information that we or third parties collect about you in other contexts, such as our communications with you, our events, or through referrals. 

How We Use Information

We use the information we collect for a variety of purposes, including:

  • Providing our services.  To provide our Services to you, carry out the transaction(s) you request, fulfill the terms of any agreement you have with us, process payments, register for events, respond to your requests or inquiries, conduct internal record keeping, secure your information and our Services, and for other purposes related to managing our organization.
  • Communicating with you.  To communicate with you regarding your account, events or conferences for which you have registered, important updates regarding our Services, and other administrative matters.
  • Newsletters, promotional messages, and advertising.  To send you newsletters or other promotional messages regarding our Services and events that we organize, and to target our advertising as described in the section below titled “Third-Party Analytics and Interest-Based Advertising.”
  • Analytics and improving the Services.  To count and recognize visitors to the Services, analyze how visitors use the Services, improve the Services, create new features or services, and conduct analytics, including as described in the section below titled “Third-Party Analytics and Interest-Based Advertising.”
  • Legal Purposes.  For legal purposes, including as described in the section below titled “How We Share information.”
  • Consent.With your consent or as otherwise disclosed at the time information is collected.

We may use information that has been de-identified or aggregated without limitation.

How We Share Information

We may share information with third parties in various contexts, including:

  • Service providers.  We use third-party service providers to assist us in the operation of the Services, including to manage our communications and newsletters, provide event registration services, process payments, host and process data, and conduct analytics and interest-based advertising.  We may permit these third-party service providers to collect information on our behalf or share information with these service providers for the purposes described in this Policy.
  • CRI members.  We may share information, including event attendee or participant lists, with our members.
  • Event co-sponsors and partners.We may share information with organizations that co-sponsor events with us or otherwise partner with us to provide events or services to you.
  • Legal purposes.We may use and disclose information where we believe that doing so is necessary:
  • To comply with applicable law or a court order, subpoena, or other legal processes.
    • To investigate, prevent, or take action regarding illegal activities, suspected fraud, violations of our terms and conditions, or situations involving threats to Services users, our property, or the property or physical safety of any person.
    • To establish, protect, or exercise our legal rights or defend against legal claims.
  • Corporate transfers.  In the event of a merger, sale of capital stock or assets, investment, reorganization, bankruptcy, consolidation, or similar transaction, we may share the information we possess to facilitate the transaction, including during due diligence, or as a corporate asset to the acquiring entity.
  • Consent.  With your consent or as otherwise disclosed at the time information is collected or shared.

We may share information that has been de-identified or aggregated without limitation.

Third-Party Analytics

We partner with third parties to engage in analytics, auditing, research, and reporting on our Services.  These third parties collect information regarding your usage of the Services as described in the section above titled “Information that We Collect” using cookies and similar technologies.  In particular, we use Google Analytics on the Services.  You can learn more about Google Analytics’ data practices here and opt out here.

Information for Users in the EEA, Switzerland, or the United Kingdom 

This section applies to those that access our Services from the European Economic Area (“EEA”), Switzerland, or the United Kingdom (“UK”).

The information that we collect through or in connection with our Services is processed by CRI in the United States in its role as data controller, for the purposes described above.  When transferring personal information to countries outside the EEA, Switzerland, or the UK, we are required to ensure personal information about you is adequately protected in the country where it is transferred.  We transfer personal information in this manner subject to safeguards that assure the protection of personal information, such as implementing standard contractual clauses.

We may process information about you under the following conditions:

  • Consent: You have given your consent for processing information about you for one or more specific purposes.
  • Performance of a contract: Provision of information about you is necessary for the performance of an agreement with you and/or for any pre-contractual obligations thereof.
  • Legal obligations: Processing information about you is necessary for compliance with a legal obligation to which CRI is subject.
  • Public interests: Processing information about you is related to a task that is carried out in the public interest or in the exercise of official authority vested in CRI.
  • Legitimate interests: Processing information about you is necessary for the purposes of the legitimate interests pursued by CRI.

You have the rights to the following:

  • The right to access – You have the right to request copies of information about you held by CRI. 
  • The right to rectification – You have the right to request that CRI correct any information about you that you believe is inaccurate. 
  • The right to erasure – You have the right to request that CRI erase information about you, under certain conditions. 
  • The right to restrict processing – You have the right to request that CRI restrict the processing of information about you, under certain conditions. 
  • The right to object to processing – You have the right to object to CRI processing information about you, under certain conditions. 
  • The right to data portability – You have the right to request that CRI transfer the information that we have collected to another organization or directly to you, under certain conditions.
  • The right to withdraw consent – You have the right to withdraw your consent on using information about you.  If you withdraw your consent, we may not be able to provide you with access to certain specific functionalities of the Service.

To exercise or inquire about these rights, please email membership@cyberriskinstitute.org with “Attn: Privacy” in the subject line.  We may need to verify your identity or authenticate your information before implementing your request.

If you have questions with our response to your request, please reach out to us at membership@cyberriskinstitute.org.  If we do not provide you with a satisfactory response, you have the right to complain to a data protection supervisory authority in your country of residence. 

Your Choices

If you no longer want to receive newsletters or promotional communications from CRI, please follow the “unsubscribe” instructions that are included at the bottom of each message.  Please note that if you unsubscribe from our newsletter or promotional communications, you will still receive administrative messages.

For choices with respect to third-party interest-based advertising activities, please see the “Third-Party Analytics and Interest-Based Advertising” section above.  

Data Retention

CRI retains information about you for as long as reasonably necessary for its legitimate business purposes, to provide the Services to you, to fulfill the purposes described in this Policy, or as required by law.

Third-Party Websites and Tools

The Services may contain links to websites or mobile apps of other third parties, including the innovators we partner with, and social media sharing features that link to third-party websites.  If you follow a link to any of these websites or apps, please note that these websites and apps (and any services that may be accessible through them) have their own privacy policies.  We are not responsible for the privacy practices of other websites or apps or the information you share through such other websites or apps.  We encourage our users to be aware when they leave the Services and to read the privacy policies applicable to such third-party websites and apps.  

The Services may integrate third-party plugins.  Even if you do not click on these plugins, those third parties may collect information about you, such as your IP address and the pages that you view.  They also may set and/or access cookies or use similar technologies.  These plugins are governed by the privacy policies of those third-party companies providing them.

Contact Us

If you have any questions or concerns regarding this Policy, please contact us by email at membership@cyberriskinstitute.org, with “Attn:  Privacy” in the subject line, or by mail at Cyber Risk Institute, Attn:  Privacy, 600 13th Street NW, Suite 400, Washington, DC 20005.

icon close
Register to Start Download.
download

Please enter the following information

to access your free download.

icon close
Download Starting.
download

Thank you for your interest in the CRI Profile.

Your download should begin shortly.

Trusted Standards for Evolving Risks

Trusted Standards for Evolving Risks. The Cyber Risk Institute mission is to advance the development and harmonization of cybersecurity, technology, and AI risk management standards for the financial services industry.

As a not-for-profit standards development organization, CRI connects threats to mitigating controls and associated compliance to provide institutions with a comprehensive view of risk—from the server room to the boardroom.

We do this through our products – CRI Profile, Cloud Profile, and FS AI RMF – member engagement, and an ecosystem of globally known tool providers and consulting firms.

Join Now Learn More