Become a member

Our Cyber Profile for the financial sector is a global standard for cyber risk assessment.

Prepare Your Approach.

Download the
CRI Profile v2.0

The CRI Profile is based on the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity.” The Profile is an efficient approach to cybersecurity risk management that effectively counters the dynamic, evolving threat and provides adequate assurance to government supervisors.

Logo Profile FAQ
CRI Profile Guidebook

The CRI Profile Guidebook provides assistance with implementing the Profile.

CRI Profile User Guide

The Profile User Guide offers an overview of the Profile and its benefits.

CRI Profile Impact Questionnaire

Determine which of the Profile’s 318 Diagnostic Statements apply to your organization.

CRI Profile Fact Sheet

This document highlights what’s new with Profile version 2.0.

CRI Mapping to CSF for OLIR

This provides a mapping between the CRI Profile version 2.0 and the NIST Cybersecurity Framework version 2.0 in the NIST Online Informative References Program (OLIR).


CRI’s Cloud Profile is an extension of the CRI Profile resulting from collaboration with the Cloud Service Providers themselves. It provides actionable cloud security guidance for firms looking to implement or strengthen existing cloud technologies and operations.

Logo Profile FAQ

The CRI Cloud Profile (v1.2) makes it easier for financial institutions and cloud service providers (CSPs) to protect the financial ecosystem in many ways. These include:

  • Developing a mutual understanding of expectations between financial institutions and CSPs, and even control owners and cloud implementers within the same firm
  • Helping all parties speak the same language
  • Simplifying regulatory engagements, setting a baseline understanding of requirements and responsibilities between financial institution and CSPs
  • Standardizing contractual terms and language, leading to efficiencies
  • Highlighting key deployments for targeted analysis for cloud launch
  • Addressing the full life cycle of the CSP and customer relationship

How it Works

The Profile is a framework.

  • A cyber risk assessment made for and by the financial sector
  • Based on the NIST Cybersecurity Framework
  • Extended for the financial industry to address the focus of regulators on important governance and third-party issues
  • Harmonizes 2,500+ regulatory expectations into 318 control objectives, called diagnostic statements
  • Regularly updated to reflect the evolving cybersecurity regulatory landscape
  • Receives global recognition from regulators and industry bodies
  • Gives financial institutions one simple framework to rely on
  • Provides regulators with a consistent and widely understood framework


Reduction in questions for those firms qualifying as an Impact Tier 4 firm as compared to another widely used assessment


Reduction in questions for those firms qualifying as an Impact Tier 1 firm as compared to another widely used assessment

The Profile scales to a firm’s impact on the global economy.

  • Only nine questions to determine impact tier
  • Fewer, more tailored assessment questions
  • Based on systemic impact—not asset size
  • Subsequent tier review provides roadmap for advanced security


Reduction in questions for those firms qualifying as an Impact Tier 4 firm as compared to another widely used assessment


Reduction in questions for those firms qualifying as an Impact Tier 1 firm as compared to another widely used assessment

Expand for more detail on how the Profile works.

image chart

Industry-Wide Harmony.

The Profile improves cybersecurity across the entire sector.


Enabling institutions to focus on what matters most.

  • More time for frontline defense
  • More consistent regulation mapping for policies and procedures
  • Better organization of complex risk management
  • Improved internal progress tracking
  • Better board engagement, prioritization, and funding
  • Streamlined due diligence for third parties and M&A



  • Improves assurance to regulators that firms are following leading practices
  • Improves evidence gathering in examinations by having a well-organized framework



  • Provides a commonly understood framework for third-parties and vendors
  • As a vendor, fill out once and report out to many financial institutions
  • Speak the same language as your customers

Still have questions?

Speak directly to someone about the Profile. Send us a note and we’ll happily address your curiosities.
User Guide
Josh Magri

CRI President & Founder


“As we [Treasury] develop our [Cloud use in the financial services] report and over the longer term as we continue to work on these issues, we will collaborate with the private sector and organizations like Cyber Risk Institute, FBIIC members, and our international partners, many of which are considering increasing their oversight of cloud service providers.”

Todd Conklin, Deputy Assistant Secretary for the Office of Cybersecurity and Critical Infrastructure Protection, US Dept of Treasury at  the Financial Stability Oversight Council Meeting on October 3, 2022

“Financial institutions may choose from a variety of standardized tools aligned with industry standards and best practices to assess their cybersecurity preparedness. These tools include the FFIEC Cybersecurity Assessment Tool, the National Institute of Standards and Technology Cybersecurity Framework, the Center for Internet Security Critical Security Controls, and the [CRI] Profile.”

Federal Financial Institutions Examination Council

“A cyber assessment framework is a useful component of a comprehensive risk assessment…widely used frameworks Covered Entities employ are the FFIEC Cyber Assessment Tool, the CRI Profile, and the NIST Cybersecurity Framework.”

New York State Department of Financial Services

“[The CRI Profile] is one of the more detailed Cybersecurity Framework-based, sector regulatory harmonization approaches to date.”

The National Institute of Standards and Technology (NIST)

“[The CRI Profile] is a customization of the NIST Cybersecurity Framework that financial institutions can use for internal and external cyber risk management assessment and as evidence for compliance, encompassing relations between Cyber frameworks, including the Core Standards. Further, CRI’s Cybersecurity Profile tool encompasses all three of the Core Standards (the NIST Cybersecurity Framework, ISO, and the CPMI-IOSCO Guidance), as well as others…”

The Board of the International Organization of Securities Commissions (IOSCO)

“The Cyber Risk Institute houses and maintains the CRI Profile—the benchmark for cyber security and resiliency in the financial services industry.”

European Union Agency for Cybersecurity (ENISA)

“Recommended frameworks for entities to refer to:[Cyber Risk Institute Cybersecurity Profile, NIST Cybersecurity Framework, New Zealand Information Security Manual (NZISM), and ISO/IEC 27000.]”

Reserve Bank of New Zealand

“Treasury, as Sector Risk Management Agency for the financial services sector, appreciates the inclusion of precision time resiliency into the CRI Profile. This collaboration on responsible use of precision time enables the sector to fully benefit from the Biden-Harris Administration’s continued work on this Executive Order.”

Todd Conklin, Treasury Deputy Assistant Secretary for the Office of Cybersecurity and Critical Infrastructure Protection.

“[The CRI Profile] is a powerful tool to assist banks to mitigate the cost of fragmented cybersecurity regulations…it should become the accepted supervisory base-line…so supervisors and banks alike can more efficiently use scarce cyber security expertise.”

The International Regulatory Strategy Group

“…we’ll welcome any financial institution to provide information to us using the structure and taxonomy of the Profile, we see that as a boon for harmonization.”

Board of Governors of the Federal Reserve System

“The Cyber Profile shows a third party the path and progression from a fin-tech into a mature organization. It tells you what the investment journey is going to look like, giving them a roadmap to do business with the big banks.”

COO, Assessment Organization

Cybersecurity is rapidly evolving.

Financial institutions need a consistent, agile approach to counter widespread threats. That’s why we update the Profile regularly, with major revisions in 2-3 year cycles.

Built and maintained by Axio, CRI members have access to its CRI Profile SaaS offering for free. This enables CRI members to move out of spreadsheets and use an online tool for free to streamline the assessment and data gathering process.

CRI is also engaging other Governance, Risk and Compliance companies
to further build out the Profile’s availability.

Download the Profile
Profile FAQ


Membership is open to all organizations within the financial services sector.