With the retirement of the FFIEC Cybersecurity Assessment Tool in August 2025, we decided to partner with the Cyber Risk Institute to adopt the CRI Profile as a replacement. CRI, a not-for-profit coalition of financial institutions and trade associations, developed the Profile specifically for use by the financial services sector. Built on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Profile is recognized by international supervisory and regulatory bodies and was one of two frameworks referenced in the FFIEC’s sunset announcement.
How It Works
The CRI Profile uses a tier-based model to assess risk based on the potential impact an organization could have on the global, national, sector, or local markets in the event of a significant cybersecurity incident.
The Profile includes seven core Functions for assessing an organization’s cyber risk management program. Each Function is further broken down into Categories (shown below) and Subcategories (not shown), each of which is designed to reflect an element of an effective cyber risk management program.

The CRI Profile is designed to be a standardized, repeatable assessment tool that community banks can use to measure their cybersecurity posture as well as comply with regulatory requirements. The Navanta delivery model supplements the Profile with assistance from compliance experts during completion of the assessment and with clear, informative reporting that delivers the results of the assessment to stakeholders.
The Navanta Model
Annually, a dedicated Navanta Advisory/Compliance Specialist will guide you through the CRI Profile experience — from importing your previous FFIEC CAT responses into the ECAT Application to guiding you through the entire CRI Profile process.

Along with the application, Navanta has developed an action plan process, as well as supporting reports (examples shown below) to effectively communicate your cybersecurity preparedness to all stakeholders, from the institution’s Board of Directors to auditors and examiners.

The CRI Profile was the optimal choice for us to support banks replacing the CAT because of its robust, standardized, and internationally recognized framework tailored specifically for financial institutions. With our model, you also get a dedicated Advisory/Compliance Specialist to ensure a smooth transition and clear communication of your institution's cybersecurity readiness to all stakeholders.
There are other alternatives to consider, and we previously published a guide to help you better understand your choices. If you are interested in the CRI Profile and would like to learn more about the benefits of our model, please reach out to us at [email protected].