The Apex Group was established in Bermuda in 2003 and is now one of the world’s largest fund administration and middle office solutions providers.
Our business is unique in its ability to reach globally, service locally and provide cross-jurisdictional services. With our clients at the heart of everything we do, our hard-working team has successfully delivered on an unprecedented growth and transformation journey, and we are now represented by over circa 13,000 employees across 112 offices worldwide.Your career with us should reflect your energy and passion.
That’s why, at Apex Group, we will do more than simply ‘empower’ you. We will work to supercharge your unique skills and experience.
Take the lead and we’ll give you the support you need to be at the top of your game. And we offer you the freedom to be a positive disrupter and turn big ideas into bold, industry-changing realities.
For our business, for clients, and for you
Job Description: IT & Cyber Technical Risk Assurance Manager (Third Party / Supplier)
Role Overview:
Lead third-party/supplier technical risk assurance for banking/finance/hedge fund businesses, ensuring risk exposure from outsourced services, cloud providers, fintech partners, and critical ICT vendors is identified, assessed, controlled, and monitored in line with Cyber Strategy and Group CISO directives.
Design and operate a risk-based Third-Party Assurance (TPA) programme covering due diligence, onboarding, contractual security clauses, continuous monitoring, issue remediation, and offboarding/exit strategies. Provide decision-ready inputs to the Technology Risk Forum (TRF) and manage regional expertise/stakeholder communication.
Key Responsibilities:
· Third-Party Risk Framework & Governance: Establish policy, standards, and procedures for third-party technical risk; define tiers, inherent risk profiling, and control requirements based on service criticality and data sensitivity.
· Due Diligence & Onboarding: Perform technical/security due diligence (architecture, controls, certifications, testing); verify compliance to ISO/IEC 27001:2022, NIST CSF 2.0 outcomes, GDPR, DORA (EU) contractual obligations, EU AI Act responsibilities, PCI DSS for payment services, and COBIT-aligned governance.
· Contractual & SLA Controls: Embed DORA ICT contractual clauses (where applicable), breach notification, resilience testing/TLPT, data location, logging/monitoring, vulnerability/patch SLAs, incident reporting timelines, and audit rights.
· Continuous Monitoring & Assurance: Operate ongoing assurance (attestations, evidence reviews, targeted testing, control sampling); monitor cyber events, SLA breaches, and material changes; trigger escalation and remediation.
· Third-Party Resilience & Exit: Validate DR/BC/exit strategies; test data return/destruction; assess concentration risk; coordinate with procurement/legal for remediation and termination when required.
· Technology Risk Forum Inputs: Present supplier risk posture, top thematic third-party risks, remediation progress, and decisions required (e.g., onboarding approvals, remediation funding, exception handling).
· Stakeholder Engagement: Partner with business owners, procurement, legal, privacy, security engineering, SOC, IT Ops, and regulators/auditors to ensure clear accountability and timely closure of actions.
· Regional Enablement: harmonise assurance methods and reporting across countries; ensure cultural/regulatory nuances are addressed.
· Execute delegated tasks as deemed appropriate by the Group CISO and other empowered Group Cyber leadership authorities, ensuring timely and effective completion in alignment with organizational priorities.
· Support the Group Cyber Strategy end-to-end, driving alignment of all activities, decisions, and deliverables with strategic objectives and business outcomes.
Candidate Profile:
· 10–15+ years in third-party technical risk assurance/TPRM within financial services, including critical ICT providers and cloud services.
· Hands-on experience embedding DORA contractual clauses, GDPR DPAs, ISO/IEC 27001:2022, NIST CSF 2.0 outcomes, EU AI Act responsibilities, PCI DSS, COBIT governance, and ISO 31000 risk treatment.
· Exceptional communication, presentation, articulation, and stakeholder influence skills; effective at supplier engagement and executive reporting.
Success Indicators
· Third-party onboarding with complete due diligence and compliant contracts; clear risk decisions documented.
· Reduction in vendor-origin incidents and SLA breaches; timely breach notifications and effective remediation.
· Audit/regulator confidence in supplier controls; strong evidence quality and continuous monitoring performance.
· Clear TRF narratives enabling funding/prioritization and strategic decisions on vendors.
Disclaimer: Unsolicited CVs sent to Apex (Talent Acquisition Team or Hiring Managers) by recruitment agencies will not be accepted for this position. Apex operates a direct sourcing model and where agency assistance is required, the Talent Acquisition team will engage directly with our exclusive recruitment partners.
