CYBER REGULATORY CRI PROFILE PROGRAM MANAGER

Location: Buffalo, NY (Hybrid)
Duration: 6 months (possibility of extension)
Implementation: Blue.Cloud
End Client: HSBC

JD:
Role Summary
The Americas Cybersecurity Governance, Risk, and Compliance (GRC) Senior Support Specialist is responsible for leading and delivering key US cyber regulatory governance and reporting obligations, ensuring the organization maintains compliance with applicable cybersecurity regulations and effectively manages cyber risk. The role supports the Americas Cybersecurity GRC Lead and US CISO by owning end-to-end execution of time-bound regulatory programs and submissions, producing regulator-ready artifacts, and maintaining repeatable, auditable processes.

The role provides oversight and effective challenge of the regional cybersecurity risk profile, risk appetite, metrics, and control effectiveness, and drives remediation follow-up when metrics indicate non-compliance or risk appetite breaches. Working in partnership with Group Cybersecurity teams, the broader GRC/Regulatory Compliance teams, technology and control owners (including non-US IT Service Owners), and the regional Chief Controls Office, the role coordinates regulatory deliverables such as the CRI Profile assessment, GLBA reporting, NYDFS attestation support, bi-monthly regulatory meeting materials, and ad hoc regulatory requests, ensuring high-quality outcomes and operational resilience across US Cyber governance forums.

Role Description
• Broad understanding of cybersecurity across Security Operations, engineering, technology, controls, and tooling, with the ability to translate technical topics into clear regulatory and executive-level messaging.
• Strong knowledge of IT (preferably cybersecurity) governance, risk management, and compliance, including experience assessing cyber regulatory compliance and supporting regulatory exams and inquiries.
• Demonstrated program management capability, with end-to-end ownership of time-bound, non-discretionary regulatory deliverables (e.g., CRI Profile assessment, GLBA reporting, NYDFS attestation support), including planning, execution, quality control, and submission readiness.
• Proven ability to develop and maintain repeatable, auditable operating models by documenting processes and building program artifacts (procedures, templates, guidance, training materials, trackers, and evidence repositories).
• Ability to analyze and interpret cybersecurity risk and control metrics (KPI/KRI/KCI), identify data discrepancies, drive root-cause analysis with stakeholders, and track remediation actions through to closure.
• Strong stakeholder management skills, including the ability to coordinate across 1LOD, 2LOD, CCO Tech, Group Cybersecurity, technology teams, control owners, and non-US ITSOs to deliver outcomes on schedule.
• Excellent written and verbal communication skills, with the ability to produce clear, concise, well-evidenced materials fit for senior management, the Board of Directors, and regulatory bodies.
• Ability to lead through influence, prioritize effectively across competing deadlines, and coordinate the tasking of others (including contractors or virtual team resources when required).
• Ability to provide responsive support for ad hoc regulatory requests, including rapid evidence gathering and issue resolution with appropriate sensitivity to the US regulatory environment.
• Proficiency with Microsoft tools (Word, Excel, PowerPoint, SharePoint, Power BI, Teams) and collaboration platforms (e.g., Confluence) to manage workspaces, reporting, and regulatory artifacts.
• Strong attention to detail and a continuous improvement mindset, proactively identifying opportunities to reduce cycle time, stakeholder friction, and execution risk year over year

Qualifications
• Bachelor’s Degree in relevant discipline (e.g., IT/Risk) or equivalent work experience.
• One or more industry certifications (e.g., CISSP, CISA, CISM) preferred.
• Strong, demonstrated program management experience, including end-to-end ownership of time-bound regulatory deliverables (e.g., FFIEC CAT/CRI Profile–type assessments and GLBA reporting), including planning, execution, quality control, and submission readiness.
• Prior experience with US Financial Services regulatory (OCC, FRB) engagement, experience in dealing with compliance matters, and regulatory liaison is preferred; knowledge of US Financial Services regulatory requirements is required.
• Ability to build strong relationships and communicate on complex issues with a wide spectrum of stakeholders.
• Ability to efficiently operate and analyze large data sets in Excel; proficiency with Microsoft tools (Word, Excel, PowerPoint, SharePoint, Power BI, Teams).
• Comprehensive understanding of banking and cybersecurity in the context of wider industry trends and direction.
• Strong written and verbal communication skills, including the ability to translate technical subject matter for non-technical audiences, with excellent attention to detail.

Key Responsibilities
• Leads delivery of mandatory United States cybersecurity regulatory programs and submissions, including planning, execution, quality control, and readiness for submission.
• Coordinates and delivers the annual report required under the Gramm-Leach-Bliley Act for the Board of Directors, including managing inputs from many stakeholders and ensuring consistent quality year over year.
• Supports regulatory engagement and examinations by coordinating responses, gathering evidence, and ensuring materials are complete, accurate, and suitable for regulators and senior leadership.
• Builds and maintains repeatable, auditable ways of working by documenting processes and maintaining templates, guidance, training materials, trackers, and centralized evidence repositories.
• Produces clear, well-evidenced reporting and briefing materials for senior management, the Board of Directors, and regulators on cybersecurity risk, compliance status, and program outcomes.
• Reviews cybersecurity risk and control performance metrics, identifies data issues, drives root-cause analysis with stakeholders, and tracks remediation actions through closure.
• Prepares materials and action tracking for recurring regulatory governance routines, including meeting packs, follow-ups, and escalation of delivery risks and dependencies.
• Maintains the annual New York State cybersecurity attestation support process, including evidence coordination and leadership briefing materials to enable confident sign-off.
• Drives remediation governance for United States cybersecurity control gaps by obtaining remediation plans from control owners, tracking progress, and coordinating closure.
• Provides governance oversight for the United States cyber service sustainability forum by reviewing remediation plans, ensuring non-compliance is escalated for business decision, and flagging funding risks that could impact service sustainability.
• Represents United States cybersecurity in application security governance forums and acts as the point person for issue resolution and follow-through.
• Leads through influence across cybersecurity, technology, risk, and controls teams, including coordinating the work of others when needed to meet fixed regulatory deadlines.