CRI Profile — Cyber Risk Institute Profile

Why it Matters

The CRI Profile empowers financial institutions to manage cyber risk effectively while aligning security practices with evolving regulatory expectations and industry standards.

Key benefits include:

• Improve cybersecurity governance

Establish structured accountability for managing cyber risk across the organization's cybersecurity program and operations.

• Enhance regulatory alignment

Support compliance with financial sector cybersecurity requirements by mapping CRI Profile controls to applicable regulatory obligations.

• Promote operational resilience

Strengthen the institution's ability to anticipate, withstand, and recover from cyber incidents affecting critical financial operations.

• Strengthen third-party risk management

Assess preparedness, identify gaps in vendor and partner controls, and manage third-party cyber risks within the financial ecosystem.

• Increase audit readiness

Facilitate comprehensive documentation and evidence gathering to demonstrate regulatory compliance and making regulatory examination more efficient.

How it Works

The CRI Profile—Cyber Risk Institute Profile for Financial Services—is structured around the NIST Cybersecurity Framework and maps its functions to financial sector-specific requirements from multiple regulatory bodies. The Profile organizes controls into diagnostic statements aligned to NIST CSF categories, providing a comprehensive catalog specifically tailored to the financial industry's cybersecurity and regulatory obligations. It integrates principles from key standards and frameworks into a single, unified approach for managing cyber risk across institutional and third-party environments.

Organizations implement the CRI Profile by conducting a self-assessment against its diagnostic statements, identifying control gaps, and prioritizing remediation based on risk exposure and regulatory requirements, conducting activities such as evaluating current cybersecurity posture, mapping controls to regulatory obligations, and establishing governance structures to oversee ongoing compliance. Regular reassessments and continuous monitoring activities help organizations maintain alignment with evolving cybersecurity and regulatory expectations.

With SmartSuite, organizations operationalize the CRI Profile by leveraging control libraries aligned to the Profile's diagnostic statements, maintaining risk registers for identified cyber risks, and managing policy governance across the financial institution. The platform supports evidence collection, compliance tracking, and reporting dashboards that provide visibility into control effectiveness, cyber risk posture, and ongoing assurance programs tailored for financial sector requirements.

Key Elements

• NIST CSF-Aligned Control Domains

Organizes cybersecurity requirements across the five NIST CSF functions—Identify, Protect, Detect, Respond, and Recover—tailored for the financial sector.

• Regulatory Mapping Structure

Provides cross-references between CRI Profile controls and financial sector regulatory requirements, enabling streamlined compliance management.

• Diagnostic Assessment Framework

Defines a catalog specifically designed for self-assessment against cybersecurity and operational resilience expectations in financial services.

• Third-Party Risk Management Controls

Establishes requirements for assessing and managing cyber risks from vendors, service providers, and other third-party relationships.

• Governance and Accountability Structures

Describes responsibilities and administrative controls for managing cybersecurity programs and ensuring ongoing compliance with financial sector standards—such as FFIEC, NYDFS, and others.

• Incident Response and Recovery Processes

Outlines structured requirements for detecting, responding to, and recovering from cybersecurity incidents affecting financial operations.

Framework Scope

The CRI Profile is used by banks, insurance companies, investment firms, and other financial sector organizations managing cybersecurity risk. The framework governs cybersecurity programs, third-party relationships, and incident management processes, and is typically implemented to align with financial regulatory requirements, demonstrate cybersecurity maturity, and support assurance programs within the financial sector.

Framework Objectives

The CRI Profile provides a comprehensive, financial sector-specific framework for managing cyber risk and achieving regulatory alignment.

Strengthen cybersecurity governance and risk management across financial institutions

Enhance regulatory compliance with financial sector cybersecurity obligations

Improve operational resilience against cyber threats targeting financial systems

Support third-party risk management through structured assessment and oversight

Promote audit readiness by maintaining comprehensive documentation and evidence

Enable ongoing monitoring to sustain effective cybersecurity programs within financial services

Framework in Context

The CRI Profile maps to the NIST Cybersecurity Framework and incorporates requirements from major financial sector regulators including FFIEC, NYDFS, OCC, and the Federal Reserve. Financial institutions adopt it to consolidate multi-regulatory compliance, demonstrate cybersecurity maturity to examiners, and streamline risk management across enterprise and third-party environments.

Common Framework Mappings

The CRI Profile is commonly mapped to other cybersecurity and financial sector frameworks to enable consolidated compliance, streamline regulatory assessments, and strengthen enterprise cyber risk governance within financial institutions.

Mapped frameworks include:

COBIT

FFIEC Cybersecurity Assessment Tool

ISO/IEC 27001

ISO/IEC 27002

NIST Cybersecurity Framework

NIST SP 800-53

NY DFS Cybersecurity Regulation (23 NYCRR 500)

PCI DSS

SOC 2