Cybersecurity Senior Risk Specialist

at M&T Bank
Published November 6, 2021
Location Buffalo, NY
Category Default  
Job Type Full-time  

Description

Overview:

This position is responsible for the execution of second line cybersecurity risk management oversight and effective challenge in line with Bank policies, standards, and management expectations. This position will be responsible for continuously monitoring the evolving cybersecurity risk landscape and assisting in the evaluation of key cybersecurity control and governance processes to ensure they are designed appropriately and operating effectively. The position requires the ability to function with a high degree of independence while executing a variety of risk functions including risk identification, assessment, escalation, and reporting. The position requires a solid understanding of cybersecurity principles and proactive work toward expanding knowledge and pursuing professional certification(s). The position requires the establishment of relationships with members of the first line Cybersecurity team to remain apprised of changes to key security control processes and supporting technologies. The role also stays apprised of emerging risks and changes to the regulatory landscape.

Primary Responsibilities:

  • Meet regularly with process and control owners in the first line Cybersecurity department to stay apprised of changes to the cyber risk and control environment.
  • Independently evaluate the Cybersecurity department’s management of key control processes for the effective and efficient mitigation of operational risk. Develop reports to document and explain observations.
  • Ensure first line adherence to key operational risk policies and procedures. 
  • Help the first line understand and utilize the Enterprise Risk Framework, which includes assisting in the development and implementation of risk control self-assessments (RCSAs), key risk indicators (KRIs), and risk escalation processes.
  • Collect and analyze Cybersecurity risk data to identify anomalies or potential risk factors. Summarize findings for presentations to Cybersecurity management and relevant risk committees.
  • Work with the Cybersecurity department to evaluate new technologies or changes to existing technologies to ensure key risks are appropriately identified and mitigated, and residual risk is appropriately defined. 
  • Effectively communicate with others throughout the Bank, including management, via phone, email or in person to obtain information necessary for the completion of reporting, project information and issue resolution.
  • Assist in preparing materials/presentations for management and/or relevant risk committees, in some circumstances delivering presentations to management.
  • Actively participate in relevant risk committees and other meetings, serving as the second line of defense representative in any discussions.  Ensure the communication of relevant concerns or positions taken to appropriate management. 
  • Serve as a risk liaison to the Cybersecurity department.  Escalate significant and/or unresolved risk-related matters to Risk division management.
  • Collaborate with first line risk and second line risk partners in a coordinated manner when addressing risk events of the business line. 
  • Interact with external peers and members of professional organizations to remain aware of changing or emerging risks and proactively bring key information to team for inclusion/consideration in continuous monitoring and/or other oversight activities. 
  • Discern and formalize the impact, likelihood and root cause of issues and/or violations of policy.
  • Identify areas of opportunity for efficiency or further effectiveness in departmental processes, and make recommendations to management on the enhancements.   
  • Meet training requirements assigned by the Bank, Division and Department through self-management of appropriate, applicable, cost-effective training opportunities. Proactively pursue knowledge of new bank initiatives (i.e. Agile project management methodology).
  • Support levels of change internally within the department or externally within the Bank, in a positive manner. Develop solutions to issues and make adjustments to expected or normal external requirements.
  • Adhere to applicable compliance/operational risk controls in accordance with Company or regulatory standards and policies.
  • Promote an environment that supports diversity and reflects the M&T Bank brand.
  • Maintain M&T internal control standards, including timely implementation of internal and external audit points together with any issues raised by external regulators as applicable.
  • Complete other related duties as assigned.

Supervisory/ Managerial Responsibilities:

No direct management but may provide guidance to other team members.

Education and Experience Required:

Bachelor’s degree and five years' experience in compliance, legal, audit, risk or other relevant function,
OR in lieu of degree,
A combined minimum nine years’ higher education and/or work experience including five years’ experience in compliance, legal, audit, risk or other relevant function.
Proficient computer skills (including spreadsheet and word processing software), analytical skills, working knowledge of applicable laws, and written and verbal communication skills with all levels.

Ideal Qualifications:

Previous experience with the NIST Cybersecurity Framework (CSF) is preferred.

Relevant certification(s) including CISA, CISM, CRISC and/or CISSP are preferred.   

Location

Buffalo, New York, United States of America