
SMBC Third Party Cyber Resilience-Director in New York, New York

SMBC Group is a top-tier global financial group. Headquartered in Tokyo and with a 400-year history, SMBC Group offers a diverse range of financial services, including banking, leasing, securities, credit cards, and consumer finance. The Group has more than 130 offices and 80,000 employees worldwide in nearly 40 countries. Sumitomo Mitsui Financial Group, Inc. (SMFG) is the holding company of SMBC Group, which is one of the three largest banking groups in Japan. SMFG’s shares trade on the Tokyo, Nagoya, and New York (NYSE: SMFG) stock exchanges.

In the Americas, SMBC Group has a presence in the US, Canada, Mexico, Brazil, Chile, Colombia, and Peru. Backed by the capital strength of SMBC Group and the value of its relationships in Asia, the Group offers a range of commercial and investment banking services to its corporate, institutional, and municipal clients. It connects a diverse client base to local markets and the organization’s extensive global network. The Group’s operating companies in the Americas include Sumitomo Mitsui Banking Corp. (SMBC), SMBC Nikko Securities America, Inc., SMBC Capital Markets, Inc., SMBC Rail Services LLC, Manufacturers Bank, JRI America, Inc., SMBC Leasing and Finance, Inc., Banco Sumitomo Mitsui Brasileiro S.A., and Sumitomo Mitsui Finance and Leasing Co., Ltd.

The anticipated salary range for this role is between $194,000.00 and $224,000.00. The specific salary offered to an applicant will be based on their individual qualifications, experiences, and an analysis of the current compensation paid in their geography and the market for similar roles at the time of hire. The role may also be eligible for an annual discretionary incentive award. In addition to cash compensation, SMBC offers a competitive portfolio of benefits to its employees.

Role Description

• Responsible for building a Third-Party Cyber Resilience program designed to increase planning and crisis response capabilities supporting third party risk management, vendor management, information technology, data management, cybersecurity, cyber resilience, and operational resilience management across various businesses, group companies, and functions of the bank and reporting to executive leadership, as necessary.

• Design and participate in cybersecurity exercising involving 3rd party incident and crisis response engagement.

• Identify and implement cyber incident readiness and third-party cyber resilience related improvements in alignment with regulatory expectations.

• The Cyber Resilience department is a 1st Line of Defense (LOD) in its role of monitoring and assessing business practices, security, and technology as they relate to resilience. The Information Security Group implements a framework designed to protect data and information assets from a wide range of threats, to ensure resilience and business continuity, to minimize disruption, and to maximize returns on investments and business opportunities.

• Reporting to the Director of Cyber Resilience Governance, the Director supports the 1st LOD Information Security Group Department Americas Division (GPDAD) in managing activities related to Cyber Incident Readiness, focusing on Third-Party Resilience for the Combined U.S. Operations (CUSO), in accordance with US regulations, Head Office policies, and industry practices for Information Security and Operational Resilience.

Role Objectives

• Maintain approved annual budgetary amount for the approved cyber incident readiness and third-party cyber resilience related projects.

• Maintain interfaces and relationships with Business, Technology, and Operational Resilience (including Business Continuity), other SMBC AD entities, and key stakeholders in other SMBC regions.

• Develop, enhance, and implement cyber incident readiness and third-party resilience processes, policies, standards, and controls aligning with and complementing the existing business and technology incident response processes and plans.

• Lead cyber incident readiness maturity related projects to achieve organizational objectives.

• Actively participate in Cyber Incident Response Team in managing third-party incidents to provide resilience guidance and management through resolution including post analysis review of vendor and remediation activities.

• Review vendor (third-party) contracts and recommend changes to improve third-party cyber resilience capabilities, incident response communication, and increased visibility with third parties.

• Support communication with third parties during a cyber incident, zero-day threat, or high-vulnerability event. Obtain third-party situational awareness and status on threat mitigation instructions.

• Design and participate in cybersecurity exercising involving third-party incident and crisis response engagement. Coordinate continuous improvement of third-party incident response coordination.

• Support group companies and Incident Response SOC in the creation of scenario-based workarounds, communications, and cyber playbooks for critical vendors and important business services.

• Partner with Third Party Risk Management, Vendor Management, and Threat & Vulnerability Management to create resilience alignment, including information sharing, controls aggregation, risk management, data management, and the creation of real-time data analysis and threat statistics for the Information Security Group and Operational Resilience functions.

• Support coordination of cyber resilience related diagnostic statements during the annual Cyber Risk Institute (CRI) profile validation effort including reporting status, maturity determination, evidence gathering from internal stakeholders and identifying improvement recommendations/new projects.

• Develop cyber incident readiness and third-party cyber resilience readiness related reporting to support cyber resilience governance executive reporting.

• Plan and deliver cyber incident readiness and third-party resilience related education to the cross-functional and cross-entity stakeholders.

• Understand the impact of third-party risk as it relates to both firm and industry wide impacts to technical and security dependencies and single points of failure.

• Understand changes related to regulatory, new product/initiative, processes, controls, events, issues, etc., in the IT, data management, cybersecurity, third party, and operational resiliency domains that may impact the operational risk profile of the bank.

• Develop increased awareness of third-party resilience working with business, functional and SMBC AD entity stakeholders.

Qualifications and Skills

• Well-versed in Third Party Resilience to include technology, incident response and cyber risk practices with the ability to connect and align with the firm’s operational resilience processes and framework.

• Significant direct work experience within the financial services industry with focus on incident management, risk management, regulatory, information technology, data management, cybersecurity, operational resilience, compliance, or audit experience.

• Foundational knowledge of enterprise risk management industry practices.

• Working knowledge of Third Party/ Vendor/Supplier related technology and cyber risk management process and controls, industry practices, and frameworks (e.g., NIST, ISO).

• Detail-oriented, with proven ability to question the status quo and apply resilience activities to enhance capabilities, as appropriate.

• Strong organizational skills, with proven ability to successfully manage multiple, concurrent priorities and team members as the program is built out.

• Demonstrated ability to influence a group of diverse stakeholders.

• Ability to communicate and work effectively in a matrixed environment and across various organizational levels, where flexibility, collaboration, and adaptability are important.

• Ability to work independently, with attention to detail.

• Foundational knowledge of banking laws and regulations (FFIEC, BCBS, FCA, PRA, BoE, etc.).

• Maintain a cyber threat mindset to understand underlying risks and weaknesses and to properly assist in mitigation and enhancement activities.

Education & Qualifications

• Bachelor’s/University degree

• Professional certifications such as Certified Cloud Security Professional (CCSP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), AWS Certified Practitioner, Microsoft Certified Azure Fundamentals, etc. are preferred.

Additional Requirements

D&I Commitment

Responsible for fostering a culture of diversity and inclusion, holding leaders accountable for creating an inclusive environment through awareness and practice of equity in recruiting, developing, and promoting diverse talent.

SMBC’s employees participate in a hybrid workforce model that provides employees with an opportunity to work from home as well as from an SMBC office. SMBC requires that employees live within a reasonable commuting distance of their office location. Prospective candidates will learn more about their specific hybrid work schedule during the interview process.

We are an equal employment opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, national origin, disability status, protected veteran status or any other characteristic protected by law. SMBC provides reasonable accommodations for employees and applicants with disabilities consistent with applicable law. If you need a reasonable accommodation during the application process, please let us know at accommodations@smbcgroup.com.