CRI Profile
A Forward-Looking Approach to Cybersecurity Risk Management for Financial Institutions
Understanding the CRI Profile
The Cyber Risk Institute (CRI), in collaboration with industry leaders and regulatory bodies, developed the CRI Profile as a comprehensive cybersecurity risk management tool tailored to financial institutions. Aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the CRI Profile provides a structured, risk-based approach for assessing and managing cybersecurity.
The CRI Profile is designed to be flexible, allowing institutions to scale cybersecurity efforts based on size, risk tolerance, and regulatory requirements. With the FFIEC CAT scheduled to sunset in 2025, the CRI Profile is a strong successor in the evolution of cybersecurity compliance, offering enhanced capabilities for tracking cybersecurity maturity and mitigating evolving risks.
Key Features of the CRI Profile
The CRI Profile is structured around core cybersecurity domains similar to those of the FFIEC CAT, ensuring a smooth transition for organizations familiar with CAT's framework. It includes enhanced controls and a focus on resilience and adaptability. Additionally, the Profile consolidates more than 2,500 regulatory expectations into 318 control objectives (diagnostic statements).
1. Risk-Based Flexibility
The CRI Profile’s adaptable structure allows organizations to tailor their cybersecurity strategies based on specific risk profiles (i.e., impact tiering). This flexibility supports institutions of all sizes in implementing risk management measures that align with their unique needs.
2. Alignment with NIST and Regulatory Standards
Built on the NIST Cybersecurity Framework, the CRI Profile integrates with other frameworks and regulatory requirements, including FFIEC guidance, ISO/IEC 27001 and 27002, and others, offering a streamlined approach to multi-framework compliance.
3. Enhanced Third-Party Risk Management
The CRI Profile emphasizes third-party risk management (supply chain/dependency management), a critical aspect for financial institutions relying on vendors and partners. This ensures comprehensive oversight of cybersecurity measures beyond the organization’s perimeter.
4. Updated Incident Response and Recovery
The Profile prioritizes proactive incident response and recovery planning, equipping institutions to respond effectively to cybersecurity events, protect sensitive information, and ensure business continuity. These enhancements are inherited from NIST CSF 2.0.
5. Focus on Operational Resilience
In addition to traditional cybersecurity measures, the CRI Profile emphasizes operational resilience. This ensures that institutions can continue to serve clients and stakeholders in the face of disruptions, aligning with regulatory expectations for resilience.
With the FFIEC CAT officially sunsetting in August 2025, organizations are encouraged to begin transitioning to the CRI Profile. While FFIEC CAT provided a strong foundation, the CRI Profile introduces a modernized approach to cybersecurity that aligns with today’s threat landscape and regulatory priorities. Additionally, the CRI Profile will be actively maintained and updated to address emerging technologies and practices such as Artificial Intelligence (AI), cloud, and privacy.
The shift to the CRI Profile brings several advantages:
Future-Proofed Standards – As cybersecurity threats and regulatory expectations evolve, the CRI Profile’s alignment with NIST and industry standards ensures organizations remain compliant with minimal reconfiguration or duplication of efforts.
Comprehensive Risk Management – The CRI Profile covers a broader range of risks and integrates the latest practices in third-party risk and resilience.
Regulatory Alignment – Regulators are increasingly encouraging the adoption of the CRI Profile, positioning it as a valuable tool for meeting complex regulatory requirements.
As a trusted partner in cybersecurity compliance, we provide a full spectrum of services to support financial institutions in proactively adopting the CRI Profile. Our approach focuses on enabling your institution to make a smooth transition while enhancing your overall cybersecurity posture.
We start by assessing your current cybersecurity maturity under the FFIEC CAT and identifying the gaps for CRI Profile alignment. This process provides a clear roadmap, whether you are transitioning from the CAT or starting fresh with the CRI Profile. We use the Profile's mappings to NIST CSF 2.0 and to the FFIEC CAT to ease transition efforts and avoid duplication of work. Additional mappings are available to support various combinations of compliance tasks, including:
FFIEC Architecture, Infrastructure, and Operations (AIO) Examination Handbook
FFIEC Business Continuity Management (BCM) Examination Handbook
OCC CSWP
SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules
NYDFS Part 500
NIST Ransomware Profile
Others
For a clear understanding of the risks your organization faces, we step through the Impact Tiering Questionnaire with stakeholders to determine the level of assessment to conduct. Impact tiers include:
National/Super-National Impact
Subnational Impact
Sector Impact
Localized Impact
As part of the overall analysis, we conduct a gap assessment against the CRI Profile controls (subcategories). This allows us to scope the assessment to the diagnostic statements applicable to your impact tier and gain a clear understanding of areas that need improvement. Because each statement comes with defined response options and evidence guidance, our experts can complete this assessment efficiently.
We assist in implementing updated controls and policies aligned with the CRI Profile. Our team provides guidance on enhancing cybersecurity policies, incident response plans, and documentation to meet CRI standards.
Operational resilience is a core element of the CRI Profile (and NIST CSF 2.0). We help develop and test resilience strategies (e.g., business continuity, disaster recovery, incident response, and tabletop exercises), ensuring your institution remains prepared for disruptions and can recover effectively.
To meet the CRI Profile's continuous monitoring expectations, we offer support in developing an ongoing compliance program that keeps pace with regulatory changes and evolving threats. The CRI Profile recommends repeating the assessment and gap-closing process on a routine cadence, and again upon significant changes or events.
Why Choose Us for CRI Compliance?
Expertise
Our team brings in-depth knowledge of FFIEC CAT, the CRI Profile, and other critical frameworks relevant to financial institutions.
Efficient Transition Support
We prioritize a seamless transition to the CRI Profile, minimizing disruptions while ensuring compliance.
Custom-Fit Solutions
We customize our services to meet the specific needs of your institution, balancing compliance, risk management, and operational resilience.
Long-Term Partnership
Beyond achieving compliance, we focus on supporting your institution’s cybersecurity maturity and resilience, adapting to new challenges and regulatory updates.
Prepare your institution for a resilient future with the CRI Profile. As your partner, we are here to guide you through every step of the transition, ensuring you meet industry standards while strengthening your cybersecurity framework. Contact us today to begin your journey with the CRI Profile.