# Why Financial Institutions Are Adopting the CRI Profile

By [Lawrence Chin](https://www.paloaltonetworks.com/blog/author/lawrence-chin/?ts=markdown "Posts by Lawrence Chin"), Dec 12, 2023, 6 minutes

[Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown) | [CRI Profile](https://www.paloaltonetworks.com/blog/tag/cri-profile/?ts=markdown) | [cybersecurity](https://www.paloaltonetworks.com/blog/tag/cybersecurity/?ts=markdown) | [financial sector](https://www.paloaltonetworks.com/blog/tag/financial-sector/?ts=markdown) | [Financial Services](https://www.paloaltonetworks.com/blog/tag/financial-services/?ts=markdown) | [Guest post](https://www.paloaltonetworks.com/blog/tag/guest-post/?ts=markdown)

*The original version of this blog appeared as an article in the Summer/Fall 2023 printed edition of Cyber Perspectives Magazine.*

## Rising Cost and Complexity of Compliance

As the cyberthreats facing financial institutions (FIs) continue to grow, financial regulators have responded with new or updated regulations that address data protection, data security, cyber hygiene, third-party risk and operational resilience. For FIs, this means additional time, resources and costs must be spent to meet regulatory requirements, which may be at odds with business growth and operational efficiency. FIs that operate across jurisdictions face multiple distinct and separate regulatory obligations and expectations, and the nuanced differences among those regulations add further to the burden.

To demonstrate compliance with these myriad regulations, FIs spend countless hours, devoting significant people and technology resources to capture and provide evidence of appropriate processes and controls for every exam or audit. Some chief information security officers (CISOs) reportedly spend up to 40% of their time on compliance-related activities.

However, the elements required by these multiple exams often overlap. Instead of addressing each one separately and repeatedly, FIs can reuse the evidence collected once to demonstrate compliance with similar obligations across multiple audits and jurisdictions.

## Efficiency via Consolidation

Building on that idea, financial institutions can reduce the burden of responding to numerous separate exams by using a consolidated approach to assess cybersecurity, resilience and efficacy. This is where the [Cyber Risk Institute (CRI)](https://cyberriskinstitute.org/) Financial Services Cybersecurity Profile (commonly known as "the Profile") can help.
![Financial Services Cybersecurity Profile](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/word-image-310472-1.png)

The Profile *harmonizes* over 3,000 regulatory expectations from around the world into fewer than 300 diagnostic statements (control objectives). This translation and consolidation resolves topical overlaps and phrasing differences, streamlining and reducing the cost and complexity of cyber risk and compliance workloads for FIs.

As an example, the Profile has a diagnostic statement (DE.CM-1.3) that calls for the implementation of intrusion detection and prevention capabilities. After gathering the appropriate evidence once, an FI can reuse it to satisfy similar obligations under the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) and the European Central Bank (ECB) Cyber Resilience Oversight Expectations, to name just two. Additionally, for the largest FIs, the Profile has almost 50% fewer questions to address than another widely used assessment tool in this sector.

Ultimately, the reuse of evidence and the smaller universe of diagnostic statements result in a substantial reduction in effort for compliance-related activities, because fewer interviews with assorted subject matter experts and less time overall are needed to capture the appropriate evidence. Anecdotally, one FI cited a 35% average reduction in effort for its regulatory exams since adopting the Profile.

Because the Profile may be used as a shared baseline for examinations by different financial regulators, FIs can deploy their resources more effectively for compliance work. It reduces the time needed to reconcile exam issues and makes security oversight easier. For the financial regulators, a widely adopted cyber control assessment framework such as the Profile offers greater visibility into systemic risk across the financial sector, as well as a common, consistent vocabulary.
FIs have used the Profile with financial regulators in the Americas, Asia and Europe. Financial regulators and standards bodies that have recognized or acknowledged the Profile include the U.S. Treasury, FFIEC, Federal Reserve Board, National Institute of Standards and Technology (NIST), International Organization of Securities Commissions (IOSCO), European Union Agency for Cybersecurity (ENISA) and the Reserve Bank of New Zealand.

## Evolution of the Profile

The CRI is a not-for-profit coalition of FIs and trade associations, currently with over [50 members](https://cyberriskinstitute.org/about/#Members), which include large banks, financial markets, insurance companies, regional/community banks and a growing base of global firms. Working with its members, the CRI is responsible for curating and evolving the Profile to meet the needs of the financial sector.

Thousands of FIs have adopted the Profile, including some in the U.S. that have transitioned away from the FFIEC CAT. Outside of the U.S., where some firms may be reluctant to use the NIST Cybersecurity Framework (CSF), the Profile offers a viable alternative. As its user base grows, the Profile will evolve with cybersecurity-related standards for emerging technologies and practices (e.g., AI, cloud, privacy, financial digitalization and operational resilience). The CRI will release the Profile v2.0 early in 2024.

The CRI also offers the Cloud Profile, a collaboration with FIs and cloud service providers to ensure better communication about responsibilities. The Cloud Profile extends the Profile to include contractual language and implementation guidance.

FIs that have not yet considered using the CRI Profile (or Cloud Profile) are encouraged to take a closer look. Learn how the Profile may reduce the burden of your regulatory compliance activities and explore the benefits of continuous controls monitoring and automation.
## Complement the Profile with Automation

With the Profile's 10x consolidation of regulatory expectations, an FI will realize significant time and cost savings in compliance activities overall. However, the actual effort to identify, collect and validate the needed artifacts and evidence for each diagnostic statement is still a manual, time- and resource-intensive process. For many in the risk and compliance world, the gathering of evidence remains a pain point.

To lighten that load, automation and continuous controls monitoring can produce the required artifacts in real time. Returning to the diagnostic statement on intrusion detection and prevention, a network security management tool can generate a report of all intrusion detection and prevention system (IDPS) devices in the environment as evidence. Another example is a cloud security posture management (CSPM) tool that generates a CRI Profile compliance report for an FI's cloud estate. With automation aligned to the Profile's diagnostic statements, FIs can further reduce the effort required for exams and audits of cybersecurity risks.

Connect today with the [Financial Services team](https://www.paloaltonetworks.com/industry/financial-services) of Palo Alto Networks to learn more about how we support the CRI Profile with automation and continuous controls monitoring to achieve measurable business impact across your risk, compliance and security teams.