The Banking on Data podcast welcomed back Josh Magri, CEO of the Cyber Risk Institute (CRI), for a timely Part 2 conversation focused on the evolving cybersecurity regulatory landscape and what it means for community financial institutions. As the FFIEC Cybersecurity Assessment Tool (CAT) is scheduled to sunset on August 31, 2025, Josh offers a roadmap on how financial institutions can move forward and how their CRI Profile offers a strategic, scalable alternative that’s gaining traction with regulators and institutions alike.
You can find Part 1 "Evolving Threats and the Sunset of the CAT Tool" here.
For years, the FFIEC CAT served as the industry standard cybersecurity tool for many financial institutions. But as threats evolve and regulations change, the limitations of the CAT have become increasingly apparent.
“When the FFIEC created the CAT, it was pegged to the IT examination handbooks that were out 10 years ago,” Josh explained. “They weren’t able to update it with the new ones that had come out, whereas we’ve been able to update new sets.”
This inability to keep pace with current threats and regulatory demands led regulators to support the development of a more modern solution. Enter the CRI Profile. Josh described its origin as a response to this stagnation: “We said, okay, we see the FFIEC CAT and its list of requirements and we see the NIST CSF. What if we create, almost like a connective tissue between them?”
That “connective tissue” resulted in a framework that combines the structural elegance of the NIST Cybersecurity Framework with the practical compliance demands specific to financial services.
“We show the flow from the NIST CSF function, category, subcategory to diagnostic statements, which then pair with regulatory provisions,” Josh noted. “We always adopted the idea of: let’s not reinvent the wheel, and let’s show our work.”
To learn more, download CRI's Cyber Risk Institute Profile White Paper.
With the FFIEC CAT being phased out this year, institutions are expected to evaluate alternative frameworks, and the CRI Profile is one of four being recommended by regulators. Josh highlighted the reality that “if you decide as a community institution to do something outside of those four, I think you better socialize that well in advance with your examiner, because if you surprise them with it, I think you’re going to have a tough examination.”
The CRI Profile offers clear benefits for financial institutions that make the switch. It’s designed to scale based on size and complexity. “If you're a small community institution, you'd have to only do a subset,” Josh explained. “Whereas if you are a large market utility or global systemically important banks, you would have to do all the things.”
CRI has even developed tools to ease the transition. “We did some mapping between the FFIEC CAT and the CRI Profile. You’re able to almost put in your old CAT results and it will convert them into CRI Profile results.”
Beyond just technical compliance, Josh emphasized that the CRI Profile is built to be understood and applied practically, even by institutions with lean teams. “Ours gives you that International Space Station docking station to pivot to something like CIS or ISO,” he said, referencing how the Profile integrates with other security frameworks.
The conversation also zoomed out to explore the broader implications of this shift. CRI’s approach has already gained recognition from regulators, who are using it as a teaching tool. “The regulators have asked us to come in and do training of their examiners on the Profile’s component parts,” Josh shared. “There was an Ask the Fed session for community institutions where we ran through the various component parts and what we’re doing.”
CRI is also proactively building resources for third-party risk and emerging technologies. One example is their partnership with AWS and other cloud providers to build a shared responsibility matrix. “Many small community institutions rely on cloud. Now they can download that for free and say, ‘Hey, for this control, this is going to be a shared responsibility between me and the cloud service provider.’”
On the AI front, CRI is leading a sector initiative to operationalize the NIST AI Risk Management Framework by tailoring it for the financial services sector.
Josh closed the conversation with practical advice: “Face the right direction and cover the basics,” echoing Phil Venables’ guidance from Part 1. For institutions starting the transition, the first step is awareness and education. All CRI materials are available for free, including the profile, guidebooks, and new translations on their website cyberriskinstitute.org/the-profile. “We’re a friendly group,” Josh said with a smile. “If anyone has any questions, feel free to reach out.”
The CRI team and Lumio Solutions are also partnering to incorporate a set of KRIs from the CRI Profile into our ERM platform. Stay tuned for more information on this in the near future!
Keep listening for a future episode with CRI on AI risk frameworks and best practices.