Information and Cyber Security Risk Manager

About Mox

Mox is built by and for the ones who aspire to live life to the fullest – we call them Generation Mox! The name Mox reflects the endless opportunities we can create: Mobile eXperience; Money eXperience; Money X (multiplier); eXponential growth; eXploration… it’s all up for us to define together.

Why Mox

Mox helps you grow – your money, your world, your possibilities. We equip you with the financial management tools, information and insights you need to make your dreams, big or small, come true.

Everything at Mox – from our products, features, to rewards – is designed based on customer research, tailor made for your needs. We care about what customers care about, especially in data security and privacy. Data ethics is core to everyone here at Mox.

Mox rewards you with an array of banking and lifestyle benefits. Who says banking can’t be fun?

Who are we looking for?

The Mox Chief Information Security Risk Officer (CISRO) organization is instrumental in protecting and ensuring the resilience of the virtual bank's data and IT systems by managing information and cyber security (ICS) risk across the enterprise.

This role reports to the Head of Information and Cyber Security Risk. The successful candidate will manage the second line control environment to protect the Bank by keeping abreast of market trends and regulatory requirements.


Responsibilities

  • Support the design of the Bank’s second line of defense in managing ICS risk, encompassing the areas of strategy, governance, business engagement, policy, risk assessment, and awareness/training.

  • Understand regulatory requirements for information and cyber security and define control requirements to mitigate relevant risks.

  • Work with First Line Cyber Security to oversee incident investigations and ensure security risks are identified and managed.

  • Participate in firmwide cyber security programs such as the business continuity program, disaster recovery operations, impact analysis and the awareness/training program for different business streams.

  • Represent the Bank at internal and external information and cyber security forums/sessions.

  • Perform risk assessment for: 1) new products and services; and 2) the continuous monitoring of existing platforms and infrastructure.

  • Establish and review appropriate cyber risk tolerance thresholds and follow-up actions.

PROCESSES

  • Oversee and challenge First Line ICS risk proposals and risk-taking activities.

  • Intervene in First Line activities if they are not in line with the existing or adjusted Risk Appetite.

  • Monitor ICS risks and associated remediation plans using the Risk Type Framework.

  • Assure that the First Line implements controls to comply with applicable laws and regulations as defined by the CISRO Policy team, and escalate significant regulatory non-compliance matters and developments to the CISRO.

  • Promote a healthy ICS risk culture and good conduct within the Bank.

RISK MANAGEMENT

  • Support the Bank's ICS risk management approach and objectives.

  • Perform risk management in accordance with the defined Risk Type Framework and associated Policy and Standards, and ensure that issues are identified, escalated, and addressed as appropriate.

GOVERNANCE

  • Ensure adequate monitoring, tracking and governance of ICS risk.

  • Support the ICS Risk Type Framework and utilize it for the ongoing risk governance of the Bank.

REGULATORY AND BUSINESS CONDUCT

  • Display exemplary conduct and live by the Bank's Values and Code of Conduct.

  • Take personal responsibility for embedding the highest standards of ethics, including regulatory and business conduct. This includes understanding and ensuring compliance with, in letter and spirit, all applicable laws, regulations, guidelines and the Code of Conduct.

  • Effectively and collaboratively identify, escalate, mitigate, and resolve risk, conduct and compliance matters.

ENGAGEMENT

  • Articulate the value of ICS controls and their bottom-line impact to the Bank's security and resiliency.

  • Prepare, present and challenge in a Second Line capacity at relevant risk forums/sessions and cross-business opportunities.

  • Measure efficient and effective management of ICS risk.

  • Validate the accuracy of risk appetite metrics and other risk ratings, as well as process designs, to meet policy requirements.

  • Ensure that Process Owners are escalating risk, control, and process deficiencies appropriately in accordance with the relevant risk frameworks.

  • Build trusted working relationships with other security, risk and compliance teams.

  • Utilize appropriate risk management tool(s) to manage, track and monitor ICS risks across the Bank.

  • Maintain sufficient and appropriate evidence of work performed for review by Internal Audit and others.

  • Monitor, assess and advise the Bank on acceptable risk tolerances based on policy and control environment and the evolving regulatory and threat landscape.

Requirements

  • Over 6 years’ aggregate industry experience in IT security and information and cyber security risk (mandatory).

  • Experience of ICS regulation (preferably HKMA and SFC).

  • Educational background in Computer Science, Information Security, or Engineering.

  • Familiarity with information and cyber security regulatory requirements and the three lines of defense risk model.

  • Strong knowledge of cyber security frameworks, information security principles, architecture, and cryptography.

  • Familiarity with the NIST cyber security framework, NIST information security principles and the ISO/IEC 27000 series is preferred.

  • Experience in the following areas is important: Information Security, Cyber Security, Technology Risk Management and Cloud Security.

  • Experience in the following areas is desirable: Network and application security, data loss prevention, data encryption, identity and access management, vulnerability management, business continuity program and disaster recovery operation.

  • Proficiency in the macOS environment.

  • Professional certifications such as CISSP, CISM, CRISC, CISA or equivalent.

  • Good written and oral communication, and reporting skills.