AVP / Manager, Information Security and Digital Risk Management
OCBC • Hong Kong, OCBC Hong Kong
Posted: May 4, 2026
Job Description
WHO WE ARE:
As Singapore’s longest established bank, we have been dedicated to enabling individuals and businesses to achieve their aspirations since 1932. How? By taking the time to truly understand people. From there, we provide support, services, solutions, and career paths that meet their individual needs and desires.
Today, we’re on a journey of transformation. Leveraging technology and creativity to become a future-ready learning organisation. But for all that change, our strategic ambition is consistently clear and bold, which is to be Asia’s leading financial services partner for a sustainable future.
We invite you to build the bank of the future. Innovate the way we deliver financial services. Work in friendly, supportive teams. Build lasting value in your community. Help people grow their assets, business, and investments. Take your learning as far as you can. Or simply enjoy a vibrant, future-ready career.
Your Opportunity Starts Here.
Job Summary
This position reports into and supports the Head of Information Security and Digital Risk Management (ISDRM). As part of the second line under the Three Lines Model, ISDRM is responsible for establishing, maintaining and enhancing governance and oversight of the Bank’s technology, information, and cyber risk domains.
Job Responsibilities
Support the implementation and ongoing enhancement of the Bank’s technology, information and cyber risk management framework, in collaboration with relevant stakeholders including Group counterparts, technology teams, business and support units, and other risk management functions.
Formulate, review and update risk management framework, policies and guidelines, ensuring alignment with applicable Group standards, supervisory expectations, and industry best practices.
Act as secretariat for ISDRM-related risk management committee and working groups, and represent ISDRM in relevant Group and local risk governance meetings and forums as required.
Assist in the preparation and delivery of regular risk reports, analyses and metrics (e.g. KRIs) to the Board and senior management, providing clear insights into the Bank’s overall risk posture.
Provide independent advice, support and effective challenge on technology, information and cyber risk domains associated with new products, major technology or Fintech initiatives, strategic digital transformation projects and third-party arrangements (e.g. cloud computing).
Conduct or participate in thematic reviews and compliance assessments related to emerging risks (e.g. AI-enabled attacks) and regulatory requirements (e.g. facilitation of C-RAF Maturity Assessment & iCAST).
Monitor and perform independent review of specific aspects of first-line risk management activities, including risk assessment and acceptance, incident response, change management processes, and the implementation of key controls or remediation actions.
Collaborate with Group counterparts to plan and deliver risk awareness, training and testing programs to enhance staff awareness and vigilance across the Bank.
Drive and oversee the implementation of Bank-wide information risk mitigation initiatives, including enhancements to data loss prevention controls, application remote access controls, and the detection and management of system access misuse.
Support and coordinate internal and external audits, regulatory examinations and ongoing regulatory communications relating to technology, information and cyber risk domains.
Job Requirements
A university degree in Technology, Computer Science, Information Security, Business or a related discipline.
Relevant professional certifications such as CISM, CISSP, CISA under the Enhanced Competency Framework (ECF) on Cybersecurity for a second line of defence role are required.
A minimum of 5 years of relevant experience in information security, cyber / technology risk management or technology audit, gained within the financial services industry (FSI) or professional services firms serving FSI clients.
Candidates with less relevant experience will be considered for the rank of Manager.
Strong risk management mindset with a solid understanding of IT environments, evolving threat landscapes, and technology/information/cyber security controls, including relevant industry standards (e.g. ISO/IEC 27001) and regulatory guidelines (e.g. HKMA’s SPM TM-G-1, C-RAF).
Good communication and stakeholder management skills, with the ability to engage effectively with both technical and non-technical stakeholders at various levels, articulate complex risk issues clearly, and provide constructive challenge with practical and proportionate recommendations. Good command of both spoken and written English and Chinese.
Self-motivated, well-organized and able to work independently as well as collaboratively within a team environment.
Demonstrates sound judgement with the ability to prioritise issues, assess materiality, and escalate risk issues appropriately.
Experience in conducting risk assessments, threat modelling or audits will be an advantage.
What we offer:
Competitive base salary. A suite of holistic, flexible benefits to suit every lifestyle. Community initiatives. Industry-leading learning and professional development opportunities. Your wellbeing, growth and aspirations are every bit as cared for as the needs of our customers.