The Risk Intel podcast welcomed back Josh Magri, CEO of the Cyber Risk Institute (CRI), for a timely Part 2 conversation focused on the evolving cybersecurity regulatory landscape and what it means for community financial institutions. As the FFIEC Cybersecurity Assessment Tool (CAT) is scheduled to sunset on August 31, 2025, Josh offers a roadmap on how financial institutions can move forward and how their CRI Profile offers a strategic, scalable alternative that’s gaining traction with regulators and institutions alike.
You can find Part 1 "Evolving Threats and the Sunset of the CAT Tool" here.
For years, the FFIEC CAT served as the industry standard cybersecurity tool for many financial institutions. But as threats evolve and regulations change, the limitations of the CAT have become increasingly apparent.
“When the FFIEC created the CAT, it was pegged to the IT examination handbooks that were out 10 years ago,” Josh explained. “They weren’t able to update it with the new ones that had come out, whereas we’ve been able to update new sets.”
This inability to keep pace with current threats and regulatory demands led regulators to support the development of a more modern solution. Enter the CRI Profile. Josh described its origin as a response to this stagnation: “We said, okay, we see the FFIEC CAT and its list of requirements and we see the NIST CSF. What if we create, almost like a connective tissue between them?”
That “connective tissue” resulted in a framework that combines the structural elegance of the NIST Cybersecurity Framework with the practical compliance demands specific to financial services.
“We show the flow from the NIST CSF function, category, subcategory to diagnostic statements, which then pair with regulatory provisions,” Josh noted. “We always adopted the idea of: let’s not reinvent the wheel, and let’s show our work.”
With the FFIEC CAT being phased out this year, institutions are expected to evaluate alternative frameworks, and the CRI Profile is one of the four frameworks recommended by regulators. Josh highlighted the reality that “if you decide as a community institution to do something outside of those four, I think you better socialize that well in advance with your examiner, because if you surprise them with it, I think you’re going to have a tough examination.”
The CRI Profile offers clear benefits for financial institutions that make the switch. It’s designed to scale based on size and complexity. “If you're a small community institution, you'd have to only do a subset,” Josh explained. “Whereas if you are a large market utility or global systemically important banks, you would have to do all the things.”
CRI has even developed tools to ease the transition. “We did some mapping between the FFIEC CAT and the CRI Profile. You’re able to almost put in your old CAT results and it will convert them into CRI Profile results.”
Beyond just technical compliance, Josh emphasized that the CRI Profile is built to be understood and applied practically, even by institutions with lean teams. “Ours gives you that International Space Station docking station to pivot to something like CIS or ISO,” he said, referencing how the Profile integrates with other security frameworks.
The conversation also zoomed out to explore the broader implications of this shift. CRI’s approach has already gained recognition from regulators, who are using it as a teaching tool. “The regulators have asked us to come in and do training of their examiners on the Profile’s component parts,” Josh shared. “There was an Ask the Fed session for community institutions where we ran through the various component parts and what we’re doing.”
CRI is also proactively building resources for third-party risk and emerging technologies. One example is their partnership with AWS and other cloud providers to build a shared responsibility matrix. “Many small community institutions rely on cloud. Now they can download that for free and say, ‘Hey, for this control, this is going to be a shared responsibility between me and the cloud service provider.’”
On the AI front, CRI is leading a sector initiative to operationalize the NIST AI Risk Management Framework by tailoring it for the financial services sector.
Josh closed the conversation with practical advice: “Face the right direction and cover the basics,” echoing Phil Venables’ guidance from Part 1. For institutions starting the transition, the first step is awareness and education. All CRI materials are available for free, including the profile, guidebooks, and new translations on their website cyberriskinstitute.org/the-profile. “We’re a friendly group,” Josh said with a smile. “If anyone has any questions, feel free to reach out.”
The CRI team and SRA Watchtower are also partnering to incorporate a set of KRIs from the CRI Profile into the SRA Watchtower ERM platform. Stay tuned for more information on this in the near future!
Keep listening for a future episode with CRI on AI risk frameworks and best practices.