Technology Risk Manager

Position Summary

Responsible for the 2nd line of defense in technology risk related matters under 3 tiers of risk defensive model, to monitor and review the established control mechanisms and resources for execution in Head Office, China, overseas branches and significant subsidiaries in accordance with the Enterprise Risk Management (“ERM”) and Cybersecurity Fortification Initiative (“CFI”) frameworks. 

Responsibilities

• Ensure that the technology risk management framework, policies and control procedures are adequately implemented
• Regularly review the relevant policy and manual for users and IT staff
• Ensure cyber risk management function is properly performed, e.g. cyber risk identification and assessment, protection and detection for cyber incident, review and report of significant discrepancies from cyber-related risk assessment 
• Review and provide advice on products and system design, control procedures and risk indicators from technology risk perspectives
• Provide advice for root cause analysis and remediation for incidents and issues identified
• Maintain and monitor the risk profile on a regular basis
• Review the risk control for third parties and cybersecurity
• Review the risk controls for system resilience and recovery in support of operational resilience
• Undertake the oversight of the Bank’s all branches and subsidiaries in the Group
• Review project documents to ensure SDLC is being followed
• Ensure regular trainings are provided to staff members and ensure continuing training and skill development for cyber security staff are in place
• Comply with all applicable regulations, rules, codes, guidelines and standards set by regulators and the Bank, and carry out duties with high integrity

Requirements

• University graduate, preferably major in Computer Science related subjects or equivalent
• Possess certification in CISSP/CISA as required by Enhanced Competence Framework (“ECF”) issued by the HKMA
• Ideally 8-12 years’ work experience in information security, technology risk, or IT audit
• Sound knowledge in regulatory requirements related to information security in banking sector
• Sound knowledge in cryptographic techniques, firewall/network, DLP, APT, DDoS, IAM (identity and access management), vulnerability management, Cloud, etc.
• Familiar to regulatory requirements such as HKMA(TM-E-1, TM-G-1, TM-G-2, SA-2), MAS, PCI-DSS, SWIFT-CSCF etc.
• Good communication skills and risk awareness
• Strong analytical mindset; knowledge on artificial intelligence, data governance and controls is advantageous
• Good command of both spoken and written English and Chinese, fluent in Putonghua is preferable.