Information Risk Officer

BNY Mellon
London, United Kingdom
28 May 2022
03 Jun 2022
Job Function
Risk Management
Industry Sector
Finance - General
Employment Type
Full Time

The Newton Investment Management Group describes a group of affiliated companies that provide investment advisory services under the brand name 'Newton' or 'Newton Investment Management'. Those companies are Newton Investment Management Ltd, registered in the UK, and Newton Investment Management North America LLC, registered in the US, and both are indirect subsidiaries of The Bank of New York Mellon Corporation ('BNY Mellon').
We focus on delivering outcomes for our clients across:
  • Equity opportunities - including small and mid cap, regional and thematic capabilities
  • Income - equity, fixed income and multi-asset
  • Absolute return - fixed income and multi-asset
  • Multi-asset solutions
  • Thematic and sustainable strategies

These capabilities are driven by our global investment platform which harnesses both fundamental and quantitative research, alongside a thematic framework and, where appropriate and as applicable, environmental, social and governance (ESG) analysis.

With offices in London, New York, Boston and San Francisco, Newton manages £103 billion of assets (as at 30 Sept 2021). Newton provides discretionary and non-discretionary investment advice to institutional clients, including US and global pension funds, sovereign wealth funds, central banks, endowments, foundations, insurance companies, registered mutual funds, other pooled investment vehicles and other institutions, and, via BNY Mellon, to individuals.

Newton is one of the BNY Mellon Investment Management (BNYM IM) family of eight boutique investment firms. BNYM IM is the global investment management arm of BNY Mellon, one of the world's major financial services groups with operations in 35 countries. BNYM IM's goal is to build and manage investment strategies that address the ever-changing needs of its clients, through a model that offers the best of both worlds: specialist expertise through eight forward-thinking investment firms, offering solutions across every major asset class, backed by the strength, scale and proven financial stewardship of BNY Mellon. The 7th largest asset manager worldwide, with $2.2 trillion AUM (as of 31 March 2021), BNYM IM provides a robust corporate foundation, together with worldwide resources and administrative support, while its investment boutiques are free to concentrate on what they do best - delivering specialist and focused investment performance to clients. This structure encourages an entrepreneurial, focused approach to investment and creates an environment in which each firm can perform and build on its individual experience and strengths in the development of new products.

Job Purpose

Newton contributes to, and adheres to, BNYM's centrally maintained policies and procedures covering all aspects of cybersecurity. The Information Risk Officer (IRO) oversees, monitors, and reports on all areas that relate to technology controls and information risk activities. In addition, the IRO acts as a liaison between the Newton business and central BNYM control functions to ensure risks are minimised and controls are well understood by our business. The IRO role continually evolves as new risks are identified or the way in which we can present them is enhanced. This individual manages staff in India and the US. There are high levels of interaction with Newton's Development team and business areas.

Key Responsibilities
  • Deputise for Newton's SIRO, attending and presenting at Client Due Diligence meetings. Where required, present the Info/Tech Risk report at Risk committees. Deal with escalations and breaches interacting with various control functions across BNYM.
  • Construction of Information Risk Dashboards for NIM and NIMNA, feeding into the respective Newton Risk and Operating Committees. Responsible for all content and accuracy of reporting, coordinating the collection of data across Newton and BNY Mellon as appropriate. Have a clear understanding of, and be able to support, all reported information. Continually question the value of included information and look to incorporate complementary statistics as appropriate.
  • Manage the Information Risk team with individuals in the US and India, allocating work as appropriate, overseeing and assuring quality, motivating and encouraging staff. Provide performance updates regularly and formally at the mid-year and end of year points.
  • Oversee and report on the resolution of system vulnerabilities, providing trend analysis and explanations where SLAs have been breached.
  • Manage Newton Policy Exceptions. The IRO needs to have a thorough technical and business understanding before Exceptions are submitted. Following submission, the IRO will be called upon by BNYM Technology Tower leads to justify the requirement and provide information on Newton's plans for resolution with accompanying timescales.
  • Perform analysis to identify Newton Ethical Hack issues. Work with Product Teams to track, justify, remediate and report, raising exceptions where absolutely necessary.
  • Email Surveillance - BNYM Tools: Understand the BNYM DLP programme, its aims and its impact on the Newton business. Help the Newton Business to cope with the implementation of new controls, showing them how to ensure their content is protected. Be the liaison between the Newton Business and the DLP Operations function, providing rationale for quarantined emails. Arrange DLP exceptions where absolutely required, being ready to report on these centrally and justify their creation.
  • Email Surveillance - eCommerce "Smarsh" Tool: Look to understand the surveillance rules Newton is screened against and, as an escalation point, be ready to perform investigations, talking to business staff about content they have sent or shared. Where appropriate, escalate to line manager, SIRO, Compliance or HR. Always document within Smarsh the actions you have taken.
  • Perform cyber induction training for Newton's new starters, explaining the control environment, how staff should work and where they are able to get help.
  • Communications: Draft informative communications explaining to staff where BNYM ISD controls are changing, and the impact on business functions.
  • Manage Newton's UDT (User Defined Technologies) catalogue ensuring information on the central BNYM portal is accurate. Coordinate with the Newton Business to ensure all UDT BNYM specified controls are met in concert with the appropriate business representative.
  • Interact with Newton Compliance justifying how Information Risk data reconciles to central dashboards, providing sufficient information to enable Compliance to talk to this at senior meetings. Complete monthly KRIs and submit to Compliance.
  • Identity & Access Management. The IRO is responsible for ensuring access attestations for Newton systems are performed either via the central SailPoint automated tool or manually by the Information Risk team. Where attestations are centralised, the IRO must ensure Newton SAA (System Access Approvers) perform their attestations on time to prevent access revocations. Where access controls are performed manually, the process must be performed to the highest quality, open to scrutiny from both internal and external audit.
  • ISAE3402: Work to ensure declared controls are accurate and then during the KPMG audit, work to provide supporting information for a random sample. Look to review any findings, rejecting with evidence as appropriate.
  • Construction of Level 1 Information Risk Policies where the BNY Mellon policies are inadequate for Newton.
  • Growth and Interest: Look to learn about Information Risk bringing new ideas to the team, looking to improve the overall team offering.
  • Use JIRA and Confluence to document and manage all change, enabling transparency and oversight from other areas.

Experience and qualifications required:
  • Management of a geographically split team (India and US), including a demonstrable ability to mentor staff
  • Knowledge of Data Life Cycle, Data Classification, Obfuscation, Authentication, Authorisation, Encryption, Identity and Access Management (IAM)
  • Experience / appreciation of Technology Risks (KRIs, EOL, Vulnerabilities, etc.)
  • Comfortable presenting to staff or clients
  • Operational Risk or Compliance second-line (line 2) background, with an eye for detail and thoroughness
  • Committee / stakeholder management
  • Experience of Cyber Assessments, NIST and domains
  • Cyber qualification - desirable but not essential

BNY Mellon Investment Management is an Equal Employment Opportunity Employer

Employer Description:

For over 230 years, the people of BNY Mellon have been at the forefront of finance, expanding the financial markets while supporting investors throughout the investment lifecycle. BNY Mellon can act as a single point of contact for clients looking to create, trade, hold, manage, service, distribute or restructure investments and safeguards nearly one-fifth of the world's financial assets. BNY Mellon remains one of the safest, most trusted and admired companies. Every day our employees make their mark by helping clients better manage and service their financial assets around the world. Whether providing financial services for institutions, corporations or individual investors, clients count on the people of BNY Mellon across time zones and in 35 countries and more than 100 markets. It's the collective ambition, innovative thinking and exceptionally focused client service paired with a commitment to doing what is right that continues to set us apart. Make your mark.