Head of Information Security @ CFC (Basé à London)

CFCCFC’s broad range of commercial insurance products are purpose-built for today’s risks, and we aim to give our customers everything they need in one, easy-to-understand policy. We specialize in cyber insurance, professional liability, and more.

As Head of Information Security, you will report directly into the Group CISO, and be responsible for leading and managing key pillars of our security programme, with a primary focus on Third-Party Security Risk Management, Data Loss Prevention (DLP), Policy Governance, Security Training & Awareness, and Identity & Access Management (IAM). You will work closely with the Group CISO to ensure high standards in your areas of responsibility and global adherence to security practices. The ideal candidate will have deep knowledge of regulatory frameworks such as NYDFS Cybersecurity Regulation, GDPR, and other European and Australian data protection laws, bringing a proactive, risk-based approach to security governance and operations.

This role involves contributing to security strategy, budgeting, and cross-functional planning as a member of the CISO’s leadership team. Key responsibilities include:

• Managing Cyber Incidents and supporting global coordination of these events.
• Managing vendor relationships, including renewals, negotiations, and contract updates.
• Collaborating with legal, procurement, and operational resilience teams to support Third Party Risk Management and ensure proper due diligence and SLAs.
• Leading third-party vendor assessments, onboarding, and continuous monitoring.
• Implementing risk-based frameworks and tools to evaluate and monitor vendor security posture.
• Maintaining and updating security policies, standards, and procedures to reflect evolving threats and regulations.
• Overseeing DLP strategies to prevent unauthorized data access or transfer, and coordinating incident response activities.
• Developing and implementing a company-wide security awareness and training program, tailored to emerging risks and regulatory obligations.
• Directing IAM strategy and operations, including provisioning, access reviews, and privileged access management.
• Partnering with IT to embed IAM best practices into enterprise systems.
• Ensuring security controls meet compliance under NYDFS, GDPR, and other global regulations.

The ideal candidate will have proven leadership in information security governance within a regulated environment, with strong familiarity with UK, US, European, and Australian regulatory frameworks. You should be able to:

• Translate complex regulatory and technical requirements into practical controls, policies, and processes.
• Work effectively with audit and compliance stakeholders during assessments and investigations.
• Possess a solid background in security frameworks, standards, and regulatory requirements, including enterprise IT, cloud security, data protection, threat management, and incident response.
• Develop program and project management reporting and documentation.
• Manage third-party vendors, MSSPs, and contract negotiations.

Core Values

• Love what you do: We show up each day ready to take on the world. Our passion makes a difference to colleagues, customers, brokers, and carriers.
• Challenge everything: We question the status quo and strive to improve.
• Have fun, be good: We make work enjoyable, welcome diverse viewpoints, and treat everyone with respect.