Support the implementation of the risk management framework for the technology, information and cyber risk domains in collaboration with relevant stakeholders, including Group counterparts, technology teams, business / support units and other risk management functions.
Formulate, review and update the risk management framework and its supporting policies and guidelines, incorporating applicable Group standards, industry practices and regulatory requirements.
Act as secretariat for the ISDRM-related risk management committee and its working groups, and represent ISDRM in Group and local risk governance meetings and forums whenever required.
Assist in preparing and delivering regular risk reports, analysis and metrics (e.g. KRIs) on the Bank’s overall security posture for the Board and senior management.
Provide advice, support and challenge on technology, information and cyber risk domains associated with new products, major technology / Fintech initiatives, strategic digital transformation projects and third-party arrangements (e.g. cloud computing, APIs).
Conduct or participate in thematic reviews and compliance assessments of emerging risks (e.g. DDoS attacks) and regulatory guidelines (e.g. the C-RAF Maturity Assessment and iCAST).
Monitor and perform independent review of specific aspects of the day-to-day risk management activities conducted by the first line of defence (i.e. technology teams), covering risk assessment and acceptance, incident response, change management, and the implementation of key controls or remediation actions.
Work alongside the Group counterparts to plan and take part in the risk awareness, training and testing programs for all staff.
Support or coordinate internal and external audits, and regulatory examinations or communications with respect to technology, information and cyber risk domains.
Degree holder in technology, computer science, information security, business or related disciplines
At least 5 years of relevant experience in information security, cyber / technology risk or technology audit gained in the financial services industry (FSI) or in professional services serving FSI clients.
CISM, CISSP, CISA or another recognized certification under the ECF on Cybersecurity for the second line of defence is required
Strong risk management mindset. Solid understanding of IT environments, the threat landscape and technology / information / cyber controls, including relevant industry standards (e.g. ISO/IEC 27001) and regulatory guidelines (e.g. HKMA’s SPM TM-G-1, C-RAF)
Good communication skills, with the ability to interact with both technical and non-technical stakeholders at various levels and to articulate complex risk issues with effective challenge and practical recommendations.
Good command of both spoken and written Chinese and English
Self-motivated and organized. Able to work independently and as a member of a team
Experience in conducting risk assessments, threat modelling or audits will be an advantage
Candidates with less experience will be considered for the rank of Manager