Lead GRC Analyst

MSIG USA, Warren Township, NJ

About The Position

MSIG is seeking a Lead, Governance, Risk & Compliance (GRC) to help run and mature core security governance, risk management, and compliance activities. This role is ideal for an experienced GRC analyst, IT risk professional, or IT auditor who is ready to take on broader ownership, mentor others, and grow into a people or program leadership position. The Manager will be hands-on and execution-focused, supporting regulatory compliance, audits, IT risk management, and policy governance. While the role will contribute to leadership reporting, primary Board and executive-facing responsibilities are limited and supported by senior security leadership.

Requirements

  • 5–8+ years of experience in GRC, IT risk management, IT audit, or information security
  • Hands-on experience with regulatory compliance, audits, or risk assessments
  • Working knowledge of NYDFS Cybersecurity Regulation (23 NYCRR 500) and at least one major framework (NIST CSF, ISO 27001, etc.)
  • Experience maintaining risk registers, audit evidence, or compliance documentation
  • Strong written communication skills with the ability to document risks, controls, and findings clearly

Nice To Haves

  • Experience in insurance or financial services
  • Familiarity with GRC tools (e.g., ServiceNow GRC, Archer, OneTrust, or similar)
  • Exposure to cloud environments (Azure and/or AWS)
  • Relevant certifications such as CISA, CRISC, CISM, or CISSP (or actively pursuing)

Responsibilities

  • Maintain and operate MSIG’s security governance and compliance program
  • Support compliance with key regulations and frameworks (e.g., NYDFS 23 NYCRR 500, HIPAA, GDPR, NIST CSF, ISO 27001)
  • Track compliance obligations, evidence, and deadlines using defined processes and tools
  • Assist with monitoring regulatory changes and assessing their operational impact
  • Conduct and support IT and security risk assessments across infrastructure, applications, and cloud environments
  • Maintain the IT risk register, including risk documentation, remediation tracking, and status updates
  • Partner with technical teams to document controls and support risk remediation efforts
  • Coordinate internal and external audit activities, including evidence collection and response tracking
  • Support interactions with auditors and regulators, with senior leadership leading formal communications
  • Track audit findings and assist with remediation planning and follow-up
  • Support the development, review, and maintenance of security and IT policies and standards
  • Manage policy review cycles and ensure documentation remains current and accessible
  • Help promote awareness and adoption of security policies across the organization
  • Perform vendor and third-party security risk assessments
  • Maintain vendor risk documentation, findings, and remediation tracking
  • Partner with Procurement and Legal to support security due diligence activities
  • Prepare GRC metrics, dashboards, and summary reports for security leadership
  • Contribute to leadership and management-level reporting on risk and compliance posture
  • Support continuous improvement initiatives across the GRC program

Benefits

  • Equal employment opportunity (EEO) to all persons regardless of age, color, national origin, citizenship status, physical or mental disability, race, religion, creed, gender, sex, sexual orientation, gender identity and/or expression, genetic information, marital status, status with regard to public assistance, veteran status, or any other characteristic protected by federal, state or local law.
  • Reasonable accommodations for qualified individuals with disabilities.