What are the responsibilities and job description for the IT, Data and Cyber Risk Oversight Associate position at SMBC Group?
SMBC Group is a top-tier global financial group. Headquartered in Tokyo and with a 400-year history, SMBC Group offers a diverse range of financial services, including banking, leasing, securities, credit cards, and consumer finance. The Group has more than 130 offices and 80,000 employees worldwide in nearly 40 countries. Sumitomo Mitsui Financial Group, Inc. (SMFG) is the holding company of SMBC Group, which is one of the three largest banking groups in Japan. SMFG’s shares trade on the Tokyo, Nagoya, and New York (NYSE: SMFG) stock exchanges.
In the Americas, SMBC Group has a presence in the US, Canada, Mexico, Brazil, Chile, Colombia, and Peru. Backed by the capital strength of SMBC Group and the value of its relationships in Asia, the Group offers a range of commercial and investment banking services to its corporate, institutional, and municipal clients. It connects a diverse client base to local markets and the organization’s extensive global network. The Group’s operating companies in the Americas include Sumitomo Mitsui Banking Corp. (SMBC), SMBC Nikko Securities America, Inc., SMBC Capital Markets, Inc., SMBC MANUBANK, JRI America, Inc., SMBC Leasing and Finance, Inc., Banco Sumitomo Mitsui Brasileiro S.A., and Sumitomo Mitsui Finance and Leasing Co., Ltd.
Role Description
The Risk Associate role supports the operationalization of the second line of defense Risk oversight of information technology, cybersecurity, and data risk for the SMBC Group Americas Division (AD) by performing independent review, effective challenge, and risk analysis in alignment with regulatory expectations, internal/head office policies, and industry standards.
The Risk Management Department (RMDAD) is the second line of defense in its role of monitoring and assessing business practices as related to the risk appetite framework for SMBC. Within the RMDAD, the Tech, Data and Cyber Risk Oversight (TDCRO) establish technology, data and cyber risk management policies and framework with defined roles and responsibilities across first and second lines.
Role Objectives: Delivery
Supports the TDCRO management in ensuring IT, data management, and cybersecurity risks are adequately governed, managed and controlled.
Supports the independent review and credible challenge of 1st Line of Defense risk assessments, controls, metrics, and remediation plans related to IT, data, and cyber risk domains.
Assist in the maintenance and periodic update of technology, data, and cybersecurity risk management frameworks, policies, standards, and procedures.
Provides review and challenge on IT, data management and cybersecurity policies, standards, control framework, risk metrics/indicators, risk and control self-assessment (“RCSA”).
Support the preparation of technology, data, and cybersecurity risk reporting for management and risk committees, including issue tracking and escalation.
Collaborate with cross-functional stakeholders across risk, technology, cybersecurity, and data teams
Qualifications And Skills
Well-versed in technology & cyber risk practices with the ability to connect and align with the firm’s operational risk management processes.
2 years of direct work experience within the financial services industry, with IT risk management, control testing, regulatory/audit, or cybersecurity experience.
Foundational understanding of enterprise risk management concepts, including risk assessment, control design, issue management, and RCSAs.
Working knowledge across multiple technology, cyber, or data risk domains (e.g., SDLC, application security, Data Management, IT governance, infrastructure Architecture, IT asset management (incl. End of Life and Shadow IT), Infrastructure management application lifecycle management, change management, back-up and availability of critical systems, Service management, Event, Problem and incident management, Helpdesk, SLA- service quality, Cloud, … ).
Familiarity with technology, cyber and data risk management industry frameworks and standards (e.g., NIST, ISO, COBIT).
Foundational knowledge of Tech/Cyber/Data Management regulatory guidance
Strong written communication skills, with experience supporting management or committee-level reporting.
Proficiency in Excel and PowerPoint; experience with Power BI or data visualization tools preferred.
Strong organizational skills with ability to successfully manage multiple, concurrent priorities.
Work effectively in a matrixed environment and across various organizational levels, where flexibility, collaboration, and adaptability are important.
Strong desire to deliver a quality work product in a timely and efficient manner.
Bachelor’s/University Degree Required And Master’s Degree Preferred.
CISA, CRISC, CISM, CISSP certifications (or exam taken) preferred.
SMBC’s employees participate in a Hybrid workforce model that provides employees with an opportunity to work from home, as well as, from an SMBC office. SMBC requires that employees live within a reasonable commuting distance of their office location. Prospective candidates will learn more about their specific hybrid work schedule during their interview process. Hybrid work may not be permitted for certain roles, including, for example, certain FINRA-registered roles for which in-office attendance for the entire workweek is required.
SMBC provides reasonable accommodations during candidacy for applicants with disabilities consistent with applicable federal, state, and local law. If you need a reasonable accommodation during the application process, please let us know at accommodations@smbcgroup.com.
In the Americas, SMBC Group has a presence in the US, Canada, Mexico, Brazil, Chile, Colombia, and Peru. Backed by the capital strength of SMBC Group and the value of its relationships in Asia, the Group offers a range of commercial and investment banking services to its corporate, institutional, and municipal clients. It connects a diverse client base to local markets and the organization’s extensive global network. The Group’s operating companies in the Americas include Sumitomo Mitsui Banking Corp. (SMBC), SMBC Nikko Securities America, Inc., SMBC Capital Markets, Inc., SMBC MANUBANK, JRI America, Inc., SMBC Leasing and Finance, Inc., Banco Sumitomo Mitsui Brasileiro S.A., and Sumitomo Mitsui Finance and Leasing Co., Ltd.
Role Description
The Risk Associate role supports the operationalization of the second line of defense Risk oversight of information technology, cybersecurity, and data risk for the SMBC Group Americas Division (AD) by performing independent review, effective challenge, and risk analysis in alignment with regulatory expectations, internal/head office policies, and industry standards.
The Risk Management Department (RMDAD) is the second line of defense in its role of monitoring and assessing business practices as related to the risk appetite framework for SMBC. Within the RMDAD, the Tech, Data and Cyber Risk Oversight (TDCRO) establish technology, data and cyber risk management policies and framework with defined roles and responsibilities across first and second lines.
Role Objectives: Delivery
Supports the TDCRO management in ensuring IT, data management, and cybersecurity risks are adequately governed, managed and controlled.
Supports the independent review and credible challenge of 1st Line of Defense risk assessments, controls, metrics, and remediation plans related to IT, data, and cyber risk domains.
Assist in the maintenance and periodic update of technology, data, and cybersecurity risk management frameworks, policies, standards, and procedures.
Provides review and challenge on IT, data management and cybersecurity policies, standards, control framework, risk metrics/indicators, risk and control self-assessment (“RCSA”).
Support the preparation of technology, data, and cybersecurity risk reporting for management and risk committees, including issue tracking and escalation.
Collaborate with cross-functional stakeholders across risk, technology, cybersecurity, and data teams
Qualifications And Skills
Well-versed in technology & cyber risk practices with the ability to connect and align with the firm’s operational risk management processes.
2 years of direct work experience within the financial services industry, with IT risk management, control testing, regulatory/audit, or cybersecurity experience.
Foundational understanding of enterprise risk management concepts, including risk assessment, control design, issue management, and RCSAs.
Working knowledge across multiple technology, cyber, or data risk domains (e.g., SDLC, application security, Data Management, IT governance, infrastructure Architecture, IT asset management (incl. End of Life and Shadow IT), Infrastructure management application lifecycle management, change management, back-up and availability of critical systems, Service management, Event, Problem and incident management, Helpdesk, SLA- service quality, Cloud, … ).
Familiarity with technology, cyber and data risk management industry frameworks and standards (e.g., NIST, ISO, COBIT).
Foundational knowledge of Tech/Cyber/Data Management regulatory guidance
Strong written communication skills, with experience supporting management or committee-level reporting.
Proficiency in Excel and PowerPoint; experience with Power BI or data visualization tools preferred.
Strong organizational skills with ability to successfully manage multiple, concurrent priorities.
Work effectively in a matrixed environment and across various organizational levels, where flexibility, collaboration, and adaptability are important.
Strong desire to deliver a quality work product in a timely and efficient manner.
Bachelor’s/University Degree Required And Master’s Degree Preferred.
CISA, CRISC, CISM, CISSP certifications (or exam taken) preferred.
SMBC’s employees participate in a Hybrid workforce model that provides employees with an opportunity to work from home, as well as, from an SMBC office. SMBC requires that employees live within a reasonable commuting distance of their office location. Prospective candidates will learn more about their specific hybrid work schedule during their interview process. Hybrid work may not be permitted for certain roles, including, for example, certain FINRA-registered roles for which in-office attendance for the entire workweek is required.
SMBC provides reasonable accommodations during candidacy for applicants with disabilities consistent with applicable federal, state, and local law. If you need a reasonable accommodation during the application process, please let us know at accommodations@smbcgroup.com.