For over 235 years, Bank of New York Mellon (BNY Mellon) has been at the center of the global financial markets, providing the world’s leading institutions the tools, capabilities, and services to be distinctive investors. BNY Mellon has approximately $16.5 billion in revenues and a 23% return on tangible common equity.
BNY Mellon is a leader in the world of investment services and investment management, and our businesses support the full range of stakeholders of the financial system including:
- Managing the custody of approximately $37 trillion in financial assets for the world’s leading institutional investors, hedge funds, sovereign wealth funds, and corporates
- Investing approximately $2 trillion as one of the largest global asset managers across a wide range of asset classes
- Providing collateral, liquidity, and funding for the world’s largest banks through our markets franchise
- Serving family offices and high net worth individuals through our wealth management franchise
- Providing a full suite of solutions to advisors, broker-dealers, family offices, hedge and '40 Act fund managers, registered investment advisor firms and wealth managers
- Advising large global corporations on a range of trust and other solutions
- Providing integrated managed data services to asset managers
What we do:
BNY Mellon Technology's mission is to provide our business partners with technology-based solutions that enhance their ability to be successful through world-class software solutions maintained on a stable and secure infrastructure, and to provide our employees with the tools and means to enhance their professional qualifications and careers.
We made risk management agile. We believe that unrestricted collaboration and continuous, conscious reprioritization are key to effective execution, so we took an innovative approach to risk management and applied agile practices to manage our daily work. Here your work makes an impact every day. A non-hierarchical organization supports free-flowing communication and empowers employees to take initiative. Your voice is heard, and your actions seen.
Within this role you will lead the 1st line of defence Technology team, with direct line responsibility for driving IT and cyber risk management practices across the APAC region. You will be accountable for leading the assessment, monitoring and reporting of technology, cyber and information security risks inherent in business activities.
You will provide technical and thought leadership through effective challenge, sound advice and material support across the full range of risk management lifecycle activities, including risk identification, assessment, and oversight of remediation planning and execution.
You will build strong relationships by serving as the primary Technology Risk interface with Audit, Compliance, Legal, 2nd Line Risk Management, Technology (including Information Security) and Business stakeholders across the APAC region, and facilitate the timely sharing of emerging regulations, technology and information security risks, and operational changes across these teams. You will serve as the SME on regulations in the APAC region where they concern technology and information security risks.
You will partner with Internal Audit to facilitate audit engagements, ensuring audit requests are met on time and potential issues are properly vetted, while working together to ensure efficiency and effectiveness throughout the engagement.
This role consults with global IT and information security teams to maintain situational awareness, proactively identify risk issues, drive remediation activities and continuously improve APAC Technology Risk. You will interpret, and drive enforcement of, technology risk and information security policies, standards and regulatory requirements, and promote consistent technology risk management practices.
You will manage regulatory interactions while partnering with Technology (including Information Security), Compliance, Legal and 2nd Line Risk. This includes oversight of general queries, consultations, inspections and incident reporting, as appropriate. Prior direct experience with regulators is essential.
The successful candidate will:
- Have skills in risk identification and process management across all aspects of technology and cyber-related risks and controls.
- Have the ability to support the effectiveness of the enterprise-wide information security strategy, including related programs, processes and initiatives.
- Have the ability to provide consultative guidance around sound risk management practices, frameworks (ISO, NIST CSF, COBIT, COSO, SOX, SOC, etc.) to technology and business stakeholders in order to guide them through managing risks within the risk appetite thresholds.
- Have the knowledge and ability to monitor and assess the potential impact of technology and information security emerging technologies, laws, regulations, and/or policies on the bank.
In this role you will:
- Assess the adequacy of the security strategy and business continuity/disaster recovery plans, identify threats to systems, and calculate the impact of potential adverse events within the APAC region.
- Assist with the management and coordination of audits, regulatory responses and assessments covering a broad scope of technology and information security topics. This includes understanding International Auditing Standards as well as the process for documenting self-assessment evidence and records retention practices.
- Implement continuous control monitoring on behalf of the 1st line of defense and understand that assessment must be continual, as the risk profiles change constantly.
- Ensure management is kept up to date on the results of the risk assessment and make recommendations for mitigations, or projects to protect their systems or cover potential losses.
- Continually improve the quality of risk management through evaluation and communication of security, data vulnerability, business continuity and compliance risks.
- Self-identify technology and cyber risks before they materialize.
- Stay knowledgeable of current advances in all areas of information technology concerning vulnerabilities, security breaches or malicious attacks
- Identify vulnerabilities or weaknesses in systems and facilitate collaborative sessions to remediate these issues.
- Examine employee compliance with security controls and deficiencies, escalating issues to Information Security and business contacts, as appropriate.
- Evaluate security policy, processes and procedures for completeness
- Work with business leads and information security to ensure that controls are adequate to protect sensitive information systems
- Clearly document and define risks and potential impacts along with the statistical probability of such an event and identify systems affected by the defined risk
- Provide thought leadership on mitigation/damage reduction proposals
- Manage and resolve escalations focused on delivering consistent stakeholder satisfaction and responsiveness.
- Act as the Technology point of contact for robust technology risk and control support and engagement activities on technical incidents / risk / controls matters with the aim of reducing risk and increasing resiliency in operational processes.
- Identify technology risks (e.g. end-of-life systems) proactively and address them through a structured delivery plan together with the regional service owners.
- Serve as management contact for implementing the Technology Control Framework at the regional level.
Experience & Qualifications:
- 15+ years of total experience in IT Risk and/or Information Security
- Experienced team leader and team player with the ability to work independently to organize, manage and complete projects within tight deadlines
- Significant knowledge in two or more of: Application Security, IT Governance, IT Compliance & Audit, Identity & Access Management, Cloud Security, Asset Security, Threat/Vulnerability Management, BCM & DR
- Analytical skills with the ability to provide practical solutions for effective risk management
- Results oriented and assertive (ability to tackle challenging situations)
- Proficiency in written and spoken English (It would be a plus if the candidate understands another Asian language – Mandarin/Japanese) to support the APAC Business segments
- Excellent time management skills
- Experience managing a 1st, 2nd, or 3rd line function responsible for technology and information security related risks and controls
- Excellent stakeholder management and ability to communicate (verbal and written) with different levels of seniority as well as able to communicate technical issues in business language within a global organization
- Confidence to respectfully challenge stakeholders
- Ability to adapt quickly to change
- A self-motivator who has a solid track record of local and regional delivery in a global organization
- Prior experience in dealing with regulators in the Asia Pacific Region
- Experience in the securities or financial services industry
- IT Audit experience
- Project management experience
- Information risk and/or security qualification (CISSP, CRISC, CISM or equivalent)