Third Party Cyber Risk Lead

Full-Time | 60000 - 80000 £ / year (est.) | No home office possible
Tokio Marine HCC International

At a Glance

  • Tasks: Lead third-party cyber risk management and streamline vendor security processes.
  • Company: Join Tokio Marine HCC, a top global specialty insurer with a dynamic culture.
  • Benefits: Competitive salary, great benefits, and opportunities for professional growth.
  • Why this job: Make a real impact in cybersecurity while working with innovative teams.
  • Qualifications: Experience in cyber risk management and relevant certifications required.
  • Other info: Be part of a rapidly growing organisation with a focus on collaboration and empowerment.

The predicted salary is between 60000 - 80000 £ per year.

Tokio Marine HCC is one of the world’s leading Specialty Insurers. With deep expertise in our chosen lines of business, our unparalleled track record and a solid balance sheet, TMHCC evaluates and manages risk like no one else in the industry. Looking beyond profit, empowering our people and delivering on our commitments are at the core of our customer values, along with a desire to grow and provide creative and innovative solutions to our clients.

About Operations: Operations sits at the heart of TMHCC, ensuring the smooth running of all business processes — from policy administration and claims handling to data, technology, and delivery. We focus on driving efficiency which enables our teams across the business to deliver exceptional results every day. Our value statement: Ops makes it happen. Operations is made up of 7 functions; this role sits within IT. We are the foundation for TMHCC’s success - enabling the business to grow, compete, and innovate through technology, security, and solution design.

Job Purpose: Reporting to the Cyber Governance Manager in the Business Information Security Office, you will own and mature TMHCC International’s third-party cyber risk management processes, streamlining processes as the vendor landscape grows. You will partner with internal teams such as Procurement and Legal to prioritise risk, remediate issues and deliver clear management information on cyber risk across the third-party portfolio.

Key Responsibilities:

  • Own, manage, and evolve the third-party security due diligence process for TMHCC International vendors, including onboarding and continuous monitoring.
  • Establish and maintain a vendor criticality assessment process; ensure the appropriate vendor due diligence and monitoring activities take place in accordance with vendor criticality.
  • Own and maintain ongoing due diligence requirements for critical and high-risk suppliers in line with regulatory expectations, including DORA, NIS2, PRA and FCA requirements.
  • Build MI and dashboards to showcase security due diligence and third-party risk management efforts for senior IT stakeholders and executives.
  • Collaborate with IT, Procurement, and Legal teams to embed third party security risk management controls into the overall vendor risk management process.
  • Ensure compliance with relevant industry regulations and standards (e.g., DORA, NIS2, CIS Controls, NIST, GDPR).
  • Provide security guidance on third party due diligence, contract reviews, and other ad-hoc vendor security risk management queries.
  • Create and maintain vendor security risk management documentation (including process documentation) and training materials.
  • Stay current on emerging vendor security trends, tools, and technologies.
  • Support the Cyber Governance Manager by providing metrics to the Divisional IT Risk Reporting and Dashboards.
  • Escalate significant cyber risks and issues as they emerge to the Cyber Governance Manager and BISO for action or information.

Performance Objectives:

  • Develop a strong understanding of TMHCC’s third party landscape and current organisational controls used within the vendor risk management process and take on responsibility for cyber third-party risk management.
  • Identify gaps and improvement areas within the cyber third-party risk processes, develop plans to further mature cyber security controls within this area, and own the implementation of these plans going forward.

Essential Skills and Experience Specification:

  • Experience in cyber/information security risk roles with a focus on third-party/vendor risk management.
  • Bachelor’s degree in Information Security, Technology Risk Management or a related field.
  • Relevant professional certifications such as CISSP, CISM, CRISC, ISO 27001 Lead Implementer/Lead Auditor.
  • Experience in regulated industries, implementing relevant regulations and expectations for third-party security risk management.
  • Proven experience designing, running, and improving vendor security due diligence processes.
  • Strong knowledge of security assurance certifications and assessments maintained by vendors (e.g., ISO 27001, SOC 2, CSA STAR/CAIQ, vendor security questionnaires).
  • Deep understanding of and ability to articulate the risk associated with vendor risk posture to both technical and non-technical stakeholders.
  • Ability to coordinate and chair regular meetings and workshops with multiple stakeholders to provide guidance, collaboration and oversight of third-party security risk management initiatives.
  • Confidence in presenting information and acting as a source of SME knowledge and guidance.
  • Analytical, conceptual thinking, planning and execution skills.
  • Ability to drive improvements and take charge of initiatives, backed with excellent coordination strength as well as assertiveness.
  • Results-orientated and able to manage to measurable targets and desired outcomes.
  • A passion to champion a cyber security culture and continuous learning of latest cyber threat trends.
  • Strong communication skills with the ability to explain complex security issues to non-technical stakeholders.

Desirable:

  • Experience with third party risk management platforms or GRC tooling.
  • Capability and experience in building actionable MI and dashboards (e.g. using Power BI) and turning data into clear decisions and narratives.
  • Experience of the Specialty and Lloyd’s/Companies market insurance industry.

What We Offer: The Tokio Marine HCC Group of Companies offers a competitive salary and employee benefit package. We are a successful, dynamic organization experiencing rapid growth and are seeking energetic and confident individuals to join our team of professionals. The Tokio Marine HCC Group of companies is an equal opportunity employer.

Third Party Cyber Risk Lead employer: Tokio Marine HCC International

At Tokio Marine HCC, we pride ourselves on being a leading Specialty Insurer that values empowerment, innovation, and collaboration. Our inclusive work culture fosters personal and professional growth, providing employees with the opportunity to tackle meaningful challenges in the dynamic field of cyber risk management. With a competitive salary and comprehensive benefits package, we are committed to supporting our team members as they build fulfilling careers that make a real impact.

Contact Detail:

Tokio Marine HCC International Recruiting Team

StudySmarter Expert Advice 🤫

We think this is how you could land Third Party Cyber Risk Lead

✨Tip Number 1

Network like a pro! Reach out to folks in the industry, especially those at Tokio Marine HCC. A friendly chat can open doors that a CV just can't.

✨Tip Number 2

Prepare for interviews by researching TMHCC's values and recent projects. Show them you’re not just another candidate; you’re genuinely interested in their mission and how you can contribute.

✨Tip Number 3

Practice your pitch! Be ready to explain how your experience aligns with the role of Third Party Cyber Risk Lead. Keep it concise but impactful—make them remember you!

✨Tip Number 4

Don’t forget to apply through our website! It’s the best way to ensure your application gets seen by the right people. Plus, it shows you’re serious about joining the team.

We think you need these skills to ace Third Party Cyber Risk Lead

  • Cyber Risk Management
  • Vendor Risk Management
  • Information Security
  • Regulatory Compliance
  • Risk Assessment
  • Data Analysis
  • Communication Skills
  • Stakeholder Engagement
  • Process Improvement
  • Project Management
  • Technical Knowledge of Cyber Security
  • Dashboard Creation
  • Analytical Thinking
  • Problem-Solving Skills
  • Collaboration

Some tips for your application 🫡

Tailor Your Application: Make sure to customise your CV and cover letter for the Third Party Cyber Risk Lead role. Highlight your experience in cyber risk management and how it aligns with TMHCC's values. We want to see how you can contribute to our mission!

Showcase Your Skills: Don’t just list your qualifications; demonstrate them! Use specific examples from your past roles that showcase your expertise in vendor risk management and compliance with regulations like DORA and NIS2. This helps us see your potential impact.

Be Clear and Concise: When writing your application, keep it straightforward. Use clear language and avoid jargon where possible. We appreciate a well-structured application that makes it easy for us to understand your experience and skills.

Apply Through Our Website: We encourage you to submit your application through our website. It’s the best way for us to receive your details directly and ensures you’re considered for the role. Plus, it’s super easy to do!

How to prepare for a job interview at Tokio Marine HCC International

✨Know Your Cyber Risk Stuff

Make sure you brush up on the latest trends in cyber risk management, especially around third-party vendors. Familiarise yourself with regulations like DORA and NIS2, as well as industry standards such as ISO 27001. Being able to discuss these confidently will show that you're serious about the role.

✨Showcase Your Experience

Prepare specific examples from your past roles where you've successfully managed vendor security due diligence processes. Highlight any improvements you made and how they benefited the organisation. This will demonstrate your hands-on experience and problem-solving skills.

✨Collaborate Like a Pro

Since this role involves working closely with teams like Procurement and Legal, think of ways to illustrate your collaborative skills. Be ready to discuss how you've worked with different stakeholders in the past to achieve common goals, especially in a regulated environment.

✨Prepare Questions

Have a few thoughtful questions ready for your interviewers. Ask about TMHCC's approach to evolving their third-party risk management processes or how they stay ahead of emerging cyber threats. This shows your genuine interest in the company and the role.
