Head of Information & Cyber Security Risk

Hong Kong (SAR)

Mox Bank

With Mox, every day counts as we’re here to help you grow your money, your world, your possibilities. Join Generation Mox now to experience a new way of smarter banking, saving and spending.


Application Deadline: 22 August 2025

Department: Risk

Employment Type: Permanent - Full Time

Location: Hong Kong (SAR)


Description

About Mox
Mox is built by and for the ones who aspire to live life to the fullest – we call them Generation Mox! The name Mox reflects the endless opportunities we can create: Mobile eXperience; Money eXperience; Money X (multiplier), eXponential growth, eXploration… it’s all up for us to define together.
Why Mox
Everything at Mox – from our products, features, to rewards – is designed based on customer research, tailor-made for your needs. We care about what customers care about, especially in data security and privacy. Data ethics is core to everyone here at Mox. Mox rewards you with an array of banking and lifestyle benefits. Who says banking can’t be fun?
Who are we looking for?
The Mox Chief Information Security Risk Officer (CISRO) organization is instrumental in protecting and ensuring the resilience of the virtual bank's data and IT systems by managing information and cyber security (ICS) and Technology risk across the enterprise.

As the deputy CISRO, directly reporting to the Chief Information Security Risk Officer for the Bank, this role is accountable for ensuring and strengthening the Bank’s control for ICS, Tech and Data risk. The successful candidate will manage the second line control environment to protect the Bank. Keeping abreast of market trends and regulatory requirements, the successful candidate will continuously manage and improve the ICS and Technology risk framework for the Bank.

Responsibilities

  • Direct the design of the Bank’s second line of defense in managing ICS and Technology risk, encompassing the areas of strategy, governance, business engagement, policy, risk assessment, and awareness/training.
  • Understand regulatory requirements for information and cyber security and Technology, and define control requirements to mitigate relevant risks.
  • Work with First Line Cyber Security and Technology teams to oversee incident investigations and ensure security risks are identified and managed.
  • Support CISRO in participating in firmwide cyber security programs such as business continuity program, disaster recovery operations, impact analysis and awareness/training programs for different business streams.
  • Support CISRO in representing the Bank on internal and external information and cyber security, and Technology forums/committees.
  • Establish and review risk assessment processes for: 1) new products and services; and 2) the continuous control monitoring of existing platforms and infrastructure.
  • Establish and review appropriate cyber risk tolerance thresholds and follow-up actions. 
PROCESSES
  • Oversee and challenge First Line ICS risk proposals and risk-taking activities.
  • Intervene in First Line activities if they are not in line with existing or adjusted Risk Appetite.
  • Monitor ICS and Technology risks and associated remediation plans using the Risk Type Framework.
  • Assure that the First Line implements controls to comply with applicable laws and regulations as defined by the CISRO Policy team, and escalate significant regulatory non-compliance matters and developments to the CISRO.
  • Promote a healthy risk culture and good conduct within the Bank.
RISK MANAGEMENT
  • Support the Bank's ICS and Technology risk management approach and objectives.
  • Ensure the roles within the team are performed in accordance with the defined Risk Type Framework and associated Policy and Standards; and that issues are identified, escalated, and addressed as appropriate. 
GOVERNANCE
  • Establish strong ties into the relevant management of leadership, governance, risk and control committees to ensure adequate monitoring, tracking and governance of ICS and Technology risk.
  • Drive integration of Risk Type Frameworks and utilize them for the ongoing risk governance of the Bank.
REGULATORY AND BUSINESS CONDUCT
  • Display exemplary conduct and live by the Bank's Values and Code of Conduct.
  • Take personal responsibility for embedding the highest standards of ethics, including regulatory and business conduct. This includes understanding and ensuring compliance with, in letter and spirit, all applicable laws, regulations, guidelines and the Code of Conduct.
  • Effectively and collaboratively identify, escalate, mitigate, and resolve risk, conduct, and compliance matters.
ENGAGEMENT
  • Establish strong relationships with identified stakeholders and understand their strategic goals, to ensure ICS and Technology alignment. 
  • Articulate the value of ICS controls and their bottom-line impact on the Bank's security and resiliency. 
  • Prepare, present and challenge in a Second Line capacity at relevant risk committees, steering groups and cross-business opportunities.
  • Measure efficient and effective management of ICS and Technology risk.
  • Validate the accuracy of risk appetite metrics and other risk ratings, as well as process designs, to meet policy requirements.
  • Ensure that Process Owners are escalating risk, control, and process deficiencies appropriately in accordance with the relevant risk frameworks.
  • Build trusted working relationships with other security functional heads, risk and compliance counterparts.
  • Utilize appropriate risk management tool(s) to manage, track and monitor ICS and Technology risks across the Bank.
  • Maintain sufficient and appropriate evidence of work performed for review by Internal Audit and others.
  • Monitor, assess and advise the Bank on acceptable risk tolerances based on policy and control environment and the evolving regulatory and threat landscape.

Requirements

  • Over 15 years’ aggregate industry experience in IT Security, Information and Cyber security risk, Technology Risk - mandatory
  • Experience of ICS and Technology risk regulations (preferably HKMA and SFC)
  • Educational background in Computer Science, Information Security, or Engineering.
  • Familiarity with information and cyber security regulatory requirements and the three lines of defense risk model.
  • Strong knowledge of cyber security frameworks, information security principles, and architecture; familiarity with the NIST cyber security framework, NIST information security principles, and the ISO/IEC 27000-series is preferred.
  • Experience in the following areas is important: Information Security, Cyber Security, Technology Risk Management, and Cloud Security.
  • Experience in the following areas is desirable: Network and application security, data loss prevention, data encryption, identity and access management, vulnerability management, business continuity program and disaster recovery operation.
  • Proficiency in the macOS environment.
  • Professional Certifications such as CISSP, CISM, CRISC, CISA or equivalent. 
  • Influencing skills and ability to manage relationships with senior management.
  • Excellent written and oral communication, and reporting skills.

All personal data provided by applicants will be used for recruitment and other employment-related purposes only. Personal data of unsuccessful applicants will be erased within 24 months of rejection of the applicant’s application.

Tags: Application security Banking CISA CISM CISSP Cloud Compliance Computer Science CRISC Encryption Governance IAM ICS MacOS Monitoring NIST Privacy Risk assessment Risk management Security Assessment Report Strategy Vulnerability management

Perks/benefits: Career development

Region: Asia/Pacific
Country: Hong Kong
