Cyber Governance Analyst

Role Profile: Cyber Governance Analyst 

Why Tokio Marine HCC? 

Standing still is not an option in the current world of Insurance. TMHCC are one of the world’s leading speciality insurers. With deep expertise in our chosen lines of business, our unparalleled track record and a solid balance sheet, TMHCC evaluates and manages risk like no one else in the industry. Looking beyond profit, empowering our people and delivering on our commitments are at the core of our customer values, and so is a desire to grow and provide creative and innovative solutions to our clients. We have doubled our gross written premiums in the past 3 years and our plan is to do so again in the next 3 years. To support this desire, we need to be forward-thinking and innovative in every respect. That means continually improving our customer-focused business, it means providing systems, solutions and technology to enable seamless growth and business innovation, and it means having the best people capability to apply to these challenges.  

Part of our evolution involves growing our team, and bringing in a range of views, perspectives and backgrounds that will allow us to deliver this forward-looking culture, that relies upon open and trusting relationships, and a shared vision for that continual improvement. We aspire to build an environment where new perspectives are encouraged, where resilience, fresh ideas and different opinions are valued. 

About the Opportunity 

TMHCC is in the midst of an exciting IT transformation and is the process of recruiting and developing a broad range of suitably qualified, skilled and experienced people. Reporting into the Cyber Governance Manager for TMHCC International (TMHCCI), the Cyber Governance Analyst is part of the Business Information Security Officer (BISO) team working under TMHCCI’s Chief Information Officer (CIO). This role is designed for individuals who are enthusiastic about cyber risk management, compliance, and assurance, with an adaptable approach, excellent communication skills, and the ability to work independently.  

Under the guidance of the Cyber Governance Manager, you will collaborate with a variety of teams within TMHCC International to manage regular cyber risk, reporting, and governance activities. You will be knowledgeable in the assessment and implementation of security controls in line with leading practice cyber security control frameworks, utilising this knowledge to support the review and refinement of TMHCCI’s cyber security controls. You will evaluate organizational cyber risks, working with key IT stakeholders to understand these risks, assist teams in risk assessment and remediation activities, and document metrics to demonstrate the impact of investment on residual risk reduction. You will also be involved in the performance of third-party cyber risk management processes for TMHCCI’s suppliers. 

Core Responsibilities 

• Review security policy exceptions and manage these policy exceptions throughout their lifecycle, working with IT stakeholders to maintain the quality and consistency of these security policy exceptions in accordance with applicable policies and standards. 

• Track performance metrics for cyber security services provided to International against agreed SLAs, and assist in the refinement of these metrics over time. 

• Support third party cyber due diligence processes by providing assistance to the Procurement team to manage cyber risks related to third party suppliers. 

• Develop and maintain an in-depth understanding of the current cyber control landscape within the organisation, documenting the current state of controls in line with leading cyber security control frameworks alongside potential improvement opportunities. 

• Foster an understanding of cyber risks within the organisation, updating and maintaining the cyber risk register and escalating significant cyber risks and issues as they emerge to the Cyber Governance Manager.  

• Assist the Cyber Governance Manager in the documentation and analysis of cyber security reporting metrics for reporting to IT Leadership. 

• Establish and maintain strong relationships with stakeholders in IT, Enterprise Security and Enterprise Risk Management. 

• Critically evaluate information gathered from multiple sources, reconcile conflicts, decompose high-level information into details, abstract up from low-level information to create a clear understanding of cyber risks within the organisation. 

Skills and Requirements: 

Essential: 

• 2-5 years of experience in Cyber Governance and Assurance, with working experience in relation to cyber governance and risk management frameworks. 

• Working knowledge of risk and compliance assurance and monitoring practices, and a good understanding of risk and compliance issues. 

• An ability to handle day-to-day cyber risk management activities and complete these activities in a timely manner while maintaining quality and consistency of output.  

• Strong knowledge of cyber processes and working within an IT team. 

• Understanding of the audit process, having worked with Audit (internal & external) in the past. 

• Knowledge of good practice security risk and control frameworks (NIST Cybersecurity Framework; CIS; ISO 27001; SOC 2).  

• A good understanding of key UK regulations and requirements within these regulations that impact cyber security (e.g. GDPR; DORA). 

• Excellent verbal, written communication, and presentation skills, being able to explain complex items in a simple yet articulate manner. 

• Excellent stakeholder management skills. 

• A confidence in presenting information and acting as a source of knowledge for cyber security queries. 

• Analytical, conceptual thinking, planning and execution skills. 

• Ability to identify improvements and take charge of initiatives, backed with excellent coordination strength as well as assertiveness. 

• A desire to champion a cyber security culture. 

Desirable: 

• Experience of the Specialty and Lloyd’s/Companies market insurance industry. 

• Relevant industry qualifications preferable (SSCP, CISSP, CISM, CRISC, CISA). 

• Relevant degree or similar qualification (e.g., BSc Computer Science, Information Technology, Cyber Security, or other related fields of study).