Become a member
Become a member
Logo
The CRI Profile
Who We Are
Press Releases

Our Cyber Profile for the financial sector is a global standard for cyber risk assessment.

Download The Profile
Learn About Membership
CRI Logo

FFIEC References the CRI Profile in Major Announcement

Learn More

Prepare Your Approach.

Download the
CRI Profile v2.0

The CRI Profile is based on the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity.” The Profile is an efficient approach to cybersecurity risk management that effectively counters the dynamic, evolving threat and provides adequate assurance to government supervisors.

DOWNLOAD FILE
Logo Profile FAQ
icon
CRI Profile Guidebook

The CRI Profile Guidebook provides assistance with implementing the Profile.

DOWNLOAD FILE
icon
CRI Profile User Guide

The Profile User Guide offers an overview of the Profile and its benefits.

DOWNLOAD FILE
icon
CRI Profile Impact Questionnaire

Determine which of the Profile’s 318 Diagnostic Statements apply to your organization.

DOWNLOAD FILE
icon
CRI Profile Fact Sheet

This document highlights what’s new with Profile version 2.0.

DOWNLOAD FILE
icon
CRI Mapping to CSF for OLIR

This provides a mapping between the CRI Profile version 2.0 and the NIST Cybersecurity Framework version 2.0 in the NIST Online Informative References Program (OLIR).

DOWNLOAD FILE

CRI’s Cloud Profile is an extension of the CRI Profile developed through collaboration with the Cloud Service Providers themselves. It provides actionable cloud security guidance for firms looking to implement or strengthen existing cloud technologies and operations.

 

The new-and-improved Cloud Profile v2.0 has been updated to reflect NIST CSF v2.0 and Profile v2.0, include a shared responsibility checklist and implementation tool, and a guidebook with examples of effective evidence. These documents were developed with the assistance of the Financial Services Sector Coordinating Council (FSSCC), the Cloud Security Alliance, key partners from the UK and EU, and CSPs. 

DOWNLOAD FILE
Logo Profile FAQ

The Cloud Profile was released by CRI at a U.S. Treasury press conference with the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) and the Financial Services Sector Coordinating Council (FSSCC) in July 2024 to “serve as a common tool developed for effective practices in secure cloud implementation” for the sector. The CRI Cloud Profile (v2.0), which now includes a helpful checklist and implementation tool, and Cloud Profile Guidebook provide a suite of tools to make it easier for financial institutions and cloud service providers (CSPs) to protect the financial ecosystem in many ways.

These include:

  • Developing a mutual understanding of expectations between financial institutions and CSPs, and even control owners and cloud implementers within the same firm
  • Helping all parties speak the same language
  • Simplifying regulatory engagements, setting a baseline understanding of requirements and responsibilities between financial institution and CSPs
  • Standardizing contractual terms and language, leading to efficiencies
  • Highlighting key deployments for targeted analysis for cloud launch
  • Addressing the full life cycle of the CSP and customer relationship
icon
The CRI Cloud Profile Guidebook

The CRI Cloud Profile Guidebook provides assistance with implementing the Profile.

DOWNLOAD FILE

CRI Profile v2.0 is now in Japanese thanks to CRI Innovator, NRI Secure Technologies, who completed the translation for CRI. This will help financial institutions in Japan more fully leverage the benefits provided by a streamlined self-assessment that maps to Japanese guidelines.

 

CRI InnovatorのNRIセキュアテクノロジーズの協力を得て、CRI Profile v2.0の日本語版が完成しました。これにより、日本の金融機関は、日本語版のガイドラインに基づき、より効率的に自己評価できるようになります。

DOWNLOAD FILE
Logo Profile FAQ
icon
CRI Profile Guidebook

The CRI Profile Guidebook provides assistance with implementing the Profile.

DOWNLOAD FILE
icon
CRI Profile Impact Questionnaire

Determine which of the Profile’s 318 Diagnostic Statements apply to your organization.

DOWNLOAD FILE

How it Works

The Profile is a framework.

  • A cyber risk assessment made for and by the financial sector
  • Based on the NIST Cybersecurity Framework
  • Extended for the financial industry to address the focus of regulators on important governance and third-party issues
  • Harmonizes 2,500+ regulatory expectations into 318 control objectives, called diagnostic statements
  • Regularly updated to reflect the evolving cybersecurity regulatory landscape
  • Receives global recognition from regulators and industry bodies
  • Gives financial institutions one simple framework to rely on
  • Provides regulators with a consistent and widely understood framework

58%

Reduction in questions for those firms qualifying as an Impact Tier 4 firm as compared to another widely used assessment

36%

Reduction in questions for those firms qualifying as an Impact Tier 1 firm as compared to another widely used assessment

The Profile scales to a firm’s impact on the global economy.

  • Only nine questions to determine impact tier
  • Fewer, more tailored assessment questions
  • Based on systemic impact—not asset size
  • Subsequent tier review provides roadmap for advanced security

58%

Reduction in questions for those firms qualifying as an Impact Tier 4 firm as compared to another widely used assessment

36%

Reduction in questions for those firms qualifying as an Impact Tier 1 firm as compared to another widely used assessment

Expand for more detail on how the Profile works.

image chart

Industry-Wide Harmony.

The Profile improves cybersecurity across the entire sector.

Institutions

Enabling institutions to focus on what matters most.

  • More time for frontline defense
  • More consistent regulation mapping for policies and procedures
  • Better organization of complex risk management
  • Improved internal progress tracking
  • Better board engagement, prioritization, and funding
  • Streamlined due diligence for third parties and M&A

Regulators

Regulators

  • Improves assurance to regulators that firms are following leading practices
  • Improves evidence gathering in examinations by having a well-organized framework

Ecosystem

Ecosystem

  • Provides a commonly understood framework for third-parties and vendors
  • As a vendor, fill out once and report out to many financial institutions
  • Speak the same language as your customers

Still have questions?

Speak directly to someone about the Profile. Send us a note and we’ll happily address your curiosities.
User Guide
Josh Magri

CRI President & Founder

Recognition

“Supervised financial institutions may also consider use of industry developed resources, such as the Cyber Risk Institute’s (CRI) Cyber Profile, and the Center for Internet Security Critical Security Controls…. While the FFIEC does not endorse any particular tool, these standardized tools can assist financial institutions in their self-assessment activities.”

Federal Financial Institutions Examination Council

“As we [Treasury] develop our [Cloud use in the financial services] report and over the longer term as we continue to work on these issues, we will collaborate with the private sector and organizations like Cyber Risk Institute, FBIIC members, and our international partners, many of which are considering increasing their oversight of cloud service providers.”

Todd Conklin, Deputy Assistant Secretary for the Office of Cybersecurity and Critical Infrastructure Protection, US Dept of Treasury at  the Financial Stability Oversight Council Meeting on October 3, 2022

“Financial institutions may choose from a variety of standardized tools aligned with industry standards and best practices to assess their cybersecurity preparedness. These tools include the FFIEC Cybersecurity Assessment Tool, the National Institute of Standards and Technology Cybersecurity Framework, the Center for Internet Security Critical Security Controls, and the [CRI] Profile.”

Federal Financial Institutions Examination Council

“A cyber assessment framework is a useful component of a comprehensive risk assessment…widely used frameworks Covered Entities employ are the FFIEC Cyber Assessment Tool, the CRI Profile, and the NIST Cybersecurity Framework.”

New York State Department of Financial Services

“[The CRI Profile] is one of the more detailed Cybersecurity Framework-based, sector regulatory harmonization approaches to date.”

The National Institute of Standards and Technology (NIST)

“[The CRI Profile] is a customization of the NIST Cybersecurity Framework that financial institutions can use for internal and external cyber risk management assessment and as evidence for compliance, encompassing relations between Cyber frameworks, including the Core Standards. Further, CRI’s Cybersecurity Profile tool encompasses all three of the Core Standards (the NIST Cybersecurity Framework, ISO, and the CPMI-IOSCO Guidance), as well as others…”

The Board of the International Organization of Securities Commissions (IOSCO)

“The Cyber Risk Institute houses and maintains the CRI Profile—the benchmark for cyber security and resiliency in the financial services industry.”

European Union Agency for Cybersecurity (ENISA)

“Recommended frameworks for entities to refer to:[Cyber Risk Institute Cybersecurity Profile, NIST Cybersecurity Framework, New Zealand Information Security Manual (NZISM), and ISO/IEC 27000.]”

Reserve Bank of New Zealand

“Treasury, as Sector Risk Management Agency for the financial services sector, appreciates the inclusion of precision time resiliency into the CRI Profile. This collaboration on responsible use of precision time enables the sector to fully benefit from the Biden-Harris Administration’s continued work on this Executive Order.”

Todd Conklin, Treasury Deputy Assistant Secretary for the Office of Cybersecurity and Critical Infrastructure Protection.

“[The CRI Profile] is a powerful tool to assist banks to mitigate the cost of fragmented cybersecurity regulations…it should become the accepted supervisory base-line…so supervisors and banks alike can more efficiently use scarce cyber security expertise.”

The International Regulatory Strategy Group

“…we’ll welcome any financial institution to provide information to us using the structure and taxonomy of the Profile, we see that as a boon for harmonization.”

Board of Governors of the Federal Reserve System

“The Cyber Profile shows a third party the path and progression from a fin-tech into a mature organization. It tells you what the investment journey is going to look like, giving them a roadmap to do business with the big banks.”

COO, Assessment Organization

Cybersecurity is rapidly evolving.

Financial institutions need a consistent, agile approach to counter widespread threats. That’s why we update the Profile regularly, with major revisions in 2-3 year cycles.

Built and maintained by Axio, CRI members have access to its CRI Profile SaaS offering for free. This enables CRI members to move out of spreadsheets and use an online tool for free to streamline the assessment and data gathering process.

CRI is also engaging other Governance, Risk and Compliance companies
to further build out the Profile’s availability.

Download the Profile
Profile FAQ

BACK TO TOP

Membership is open to all organizations within the financial services sector.
Learn About Membership
icon close
Register to Start Download.
download

Please enter the following information

to access your free download.

icon close
Download Starting.
download

Thank you for your interest in the CRI Profile.

Your download should begin shortly.