Cyber IT Supervisory Forum eBook

CRI Profile Mappings

• MAS Technology Risk Management Guidelines & Cyber Hygiene Notice
• New York DFS NYCRR Part 500 Amendment 2
• OCC Cybersecurity Supervision Work Program
• SEC 2023 Disclosure Rule
• CISA Cross-Sector Cyber Performance Goals
• NIST Ransomware Framework
• NIST Cybersecurity Framework v2.0
• Hong Kong Monetary Authority (HKMA) C-RAF
• ISO 27002
• National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law
• Swift Customer Security Programme (CSP) Customer Security Controls Framework (CSCF)

• EBA Guidelines on ICT and Security Risk Management
• ECB Cyber resilience oversight expectations
• FFIEC Architecture, Infrastructure, & Operations Handbook
• FFIEC Business Continuity Management Handbook
• FFIEC Cybersecurity Assessment Tool (CAT)
• Japan FSA’s Comprehensive Guidelines for Supervision of Major Banks
• Australian Securities and Investments Commission (ASIC) Cyber resilience good practices and key questions for an organization’s Board of Directors
• Canada’s Office of the Superintendent of Financial Institutions’ Cyber Security Self-Assessment and No. B-13 – Technology and Cyber Risk Management Guidelines
• European Union’s Digital Operational Resilience Act (DORA)
• Australian Prudential Regulation Authority (APRA) Prudential Practice Guide CPG 234 & Prudential Standard CPS 234

Version 2.0 Published: February 2024

Version 2.1 (Q3/Q4 2024)*

• NIST 800-53 rev. 5
• Sheltered Harbor

In Development*

• Center for Internet Security (CIS)
• MITRE ATT&CK
• RBI / SEBI (India)

*Target dates subject to regulatory review, IP negotiation, and other dependencies

Differences between CAT & Profile

| FFIEC Cybersecurity Assessment Tool | CRI Profile |
|---|---|
| Domains → Assessment Factors → Components → Declarative Statements | Functions → Categories → Subcategories → Diagnostic Statements → Regulatory Mappings |
| Cyber-only scope | Cyber & IT scope |
| Inherent risk profile | Impact tiering questionnaire (based on systemic risk) |
| Maturity levels | Tier levels |
| Some mappings | Aligned to NIST CSF & global standards and regulatory requirements |
| Will be sunset | Updated continuously (annually for small updates; every 3-4 years for larger updates) |
