LHV Bank, a fully licensed UK bank, specialises in Banking Services for global fintechs and SME Lending solutions for UK businesses. The SME Lending division offers commercial real estate investment loans and trading loans from £0.5m to small and medium-sized businesses in the UK.

As a leading Banking Services provider, LHV Bank delivers a wide range of services, including real-time multi-currency payments, accounts, acquiring, indirect scheme access, open banking, and FX solutions. Over 200 renowned fintech companies, such as Airwallex, Currencycloud, Truelayer, and Wise, utilise LHV Bank to serve more than 10 million end customers and access a pool of 500 million potential customers across the UK and Europe.

LHV Bank gained its UK banking licence in May 2023 and launched into the retail savings market through deposit aggregators in August 2023. It is in the process of developing its direct to customer retail banking proposition for launch in 2024. More information: lhv.com

We are currently looking for an Information Security GRC Analyst who will help shape our cybersecurity posture. You will be central to identifying and mitigating security risks, ensuring compliance with regulatory requirements, and developing robust security frameworks.

You will also be tasked with managing data privacy, crafting business continuity plans, and leading our security awareness initiatives. This position offers a unique opportunity to safeguard our digital infrastructure and contribute significantly to our overall security strategy.

Please note that we are asking the successful candidate to be in our London Office 2-3 days a week

Duties and responsibilities:

Third party security (clients, partners and suppliers)

Manage and maintain client due diligence questionnaires on behalf of InfoSec and IT to include maintaining repository of responses and ensuring timely responses to requesting team
Support with onboarding new suppliers as part of Project Management and Supplier Risk Management maintaining and reviewing third party questionnaires, collating responses, identifying gaps within baselines controls and proposing recommendations where appropriate
Respond to due diligence questionnaires to assist with client onboarding

Information Risk Management

Work closely with ERM and Audit and other teams where required to ensure risks are managed within risk appetite and audit findings are closed within an agreed timeframe.
Demonstrated expertise in implementing risk frameworks and applying risk management principles.

Maintain Policies and standards

Maintain ISMS related policies, guidance, and procedures to include document management, version control.
Support the design and execution of the Information Security Governance, Risk and Compliance roadmap.

Consulting with the business to identify risks and implement mitigations and actions

Work with IT Security Operations and IT in general to ensure that baseline security processes are documented and followed in line with ISO27001 and regulatory requirements
Information security incident management liaising with Security Operations Team to include reporting, advising, response and escalation to management
Advise IT with managing technical risks & issues through vulnerability management oversight, gap analysis and ensure that findings are documented and assigned for remediation
Manage DLP related incidents and support with policy changes of DLP tool

Data Privacy

Develop the Personal Information Management System (PIMS) in line with ISO 27701
Conduct DPIA’s, Article 30 (record of processing activity), data privacy notice, data privacy policy, data retention audits
Consult with DPO
Develop and test procedures for breach notification and escalation

Business Continuity and Disaster Recovery

Implement the Business Continuity and Disaster Recovery Framework in line with ISO 22301
Conduct risk assessment, Business Impact Analysis and guide DR plans with business owners

Training and Awareness

Support with Information Security Education and Awareness strategy to include delivery of training using various methods, simulation exercises, communication, reporting and trend analysis

Compliance

Support in establishing Information Security governance forum.
Support team with various ISO27001 related project to include planning internal and external audits, risk treatment and improvement plans, maintenance of information security risk register, and support with implementation of control objectives.
Generate monthly security metrics, dashboards and reporting for management review
Work closely with the staff across firm to gather information on working practices to identify security risk and exposure and recommend steps to improve security posture and processes
Keeping abreast of latest IT security measures and controls
Support alignment and reviews of our maturity against security frameworks as agreed with the CISO, such as NIST CSF.

Skills and Experience:

Prior experience in Information Security with a focus on governance, risk, and compliance (Financial Services or Consulting background is preferable)
An information security related qualification or certificates such as CISM, CISA, CISSP; CRISC, ISO27001 Lead Implementer or Lead Auditor is preferable
Experience and knowledge of IT systems, networking principles and associated technology-based security controls
Experience in facilitating and supporting internal and/or external audit activities.
Experience in applying and implementing ISO related controls both technical and operational.
Understanding of general information security management principles and data protection.
Knowledge and experience of logical access control management and administration.
Experience working within Information Security or IT Security, Data Protection.
Experience in working Information Security training and awareness tools.
Excellent written and verbal communication skills.
Strong MS and Atlassian skills using MS Word, Excel, PowerPoint, SharePoint and Outlook and Confluence.

Some of our benefits

• Competitive salary & progression
• Open and inclusive culture
• Hybrid working
• Fantastic offices and great working environment
• Vitality Health Plan (includes private health insurance, travel insurance, gym discounts)
• Medicash health plan (Level 3)
• 5% employer pension contribution
• Life assurance
• Income protection insurance
• 28 days holiday plus 3 additional days, bank holidays & further days for various key life events
• Team socials

Apply for this Job

* Required

First Name *

Last Name *

Email *

Phone *

Resume/CV *

Dropbox Google Drive

(File types: pdf, doc, docx, txt, rtf)

Cover Letter

Dropbox Google Drive

(File types: pdf, doc, docx, txt, rtf)

This is a Hybrid role but we ask you to be in the London Office at least 2-3 days a week, can you commit to this? *

What is your current eligibility to work in the UK? *

Are you currently Interviewing anywhere else and if so what stage are you at? *

What is your current salary, broken down by base, bonus if applicable and other discretionary benefits? *

What are your salary expectations moving forward? *

What is your current notice period. *

LinkedIn Profile (Optional)

Please confirm that you have read and understood the Privacy Notice and that you agree to LHV processing your personal data in accordance with this policy. *

LHV Candidate Privacy Notice

Who are we?

LHV UK Limited (“LHV”, “we”, “our”, “us”) is the Controller responsible for your Personal Data under this LHV Candidate Privacy Notice. LHV is registered with the UK data protection authority, the Information Commissioner’s Office (the “ICO”), with the reference ZB323856. This notice explains what Personal Data we collect on you when you apply for a job at LHV and how we use it. Defined terms used in this Privacy Notice are explained at the end of this document.

If you have a question about the contents of this notice, e-mail us at recruitment@lhv.com, write to us at LHV, One Angel Court, London, EC2R 7HJ, or call us on +44 20 3005 0150.

If you want to contact our Data Protection Officer (the “DPO”), email us at dataprotection@lhv.com

The information we collect about you

When you apply for a job or let us know you’re interested in working at LHV, we may ask for:

• Your name and contact details, such as your address, phone number and e-mail address
• The type of work you are looking for
• Your professional and educational background (typically in your CV)
• The country you are applying from and whether you have the right to work in the UK
• Your responses to application questions and other information you give us through any other forms of assessment in relation to your suitability
• Details of your current and/or desired salary and other details relating to compensation and benefits packages
• Your current notice period.

If we invite you for an interview, we collect:

• Details about any condition that you believe may affect your performance during our selection process and any adjustments you may need us to consider making throughout the process.
• Any other information you give us, or observations we make through interviews, that are relevant for your application
• A form of identification, proof of address and current and previous addresses, and insurance numbers so that we can carry out “Right to Work” checks.
• Details about former employers, managers or colleagues you want us to contact as part of our referencing process.
Giving this information is optional but, if you choose not to provide this, we may not have enough information about you to consider your application.

Information we get from outside LHV

We may also obtain your contact details and professional profile from:

• Recruitment or executive search agencies
• Professional networking sites or other public sources such as social media and job boards such as LinkedIn

If you are invited for an interview and are offered a position at LHV we will also collect the results of your background checks from background checking agencies we work with.

Background checks (where applicable) cover the following information:

• Identity Check
• Adverse Financial Check
• Professional/Technical Membership Check
• Directors Search
• Sanctions File Check
• Media Searches Check
• FCA Check
• Immigration status check if you are not a British national
• References from previous employers, managers or colleagues.

How we use your information

• We organise the recruitment process and assess your qualifications and suitability. That includes e.g. communicating with you, evaluating and analysing your application data, verifying the data you presented us, getting references, organising recruitment interviews.

- Data we process for that purpose: name, personal identification number, data in the CV and covering letter (inc. education, prior work experience, training certificates) and references.

- Legal basis: preparations for entering into a contract for employment or consultancy.

• We carry out background checks.

- Data we process for that purpose: name, personal identification number, data on prior warnings and convictions, data concerning ongoing judicial proceedings, data on international sanctions, payment default data, residence, contact details, affiliations with companies, references and immigration status.

- Legal basis: With respect to senior management positions, the relevant legal basis is legal obligation. With respect to other positions, the relevant legal basis is our legitimate interest to ensure than an LHV employee has an impeccable reputation and cannot be subjected to the influence of third persons.

• We learn about your fitness and suitability for senior management position as part of the Financial Conduct Authority’s (“FCA”) Fit and Proper test for Employees and Senior Personnel.

- Data we process for that purpose: name, employment record, education, past convictions, payment default information, disciplinary record and any other data we are required to collect to meet the prevailing FCA regulations.

- Legal basis: legal obligation.

• We make sure you have the right to work in the UK.

- Data we process for that purpose: passport, ID card, Immigration Status Documents, birth or adoption certificate, Certificate of Registration or Naturalisation, Certificate of Application, Application Registration card, Positive Verification Notice, Share Code and information on right to work in UK from Government portal, Biometric Residence Card, National Insurance Number and any other documents provided by you as evidence of right to work in the UK.

- Legal basis: legal obligation.

• We run our recruitment and selection process, including our applicant tracking system.

- Data we process for that purpose: name, data in the CV and the covering letter, references, data in application forms, technical tests, employment applications you have sent to LHV.

- Legal basis: legitimate interest to promote our recruitment process.

• We share your contact details with our travel provider if you need to travel to an interview or stay at a hotel.

- Data we process for that purpose: name, e-mail address, telephone number.

- Legal basis: legitimate interest to facilitate our recruitment process for candidates.

• We keep a copy of your application data if you let us know you want to be considered for other roles (see for how long we store your data below).

- Data we process for that purpose: name, data in the CV and covering letter, data in application forms, technical tests and references.

- Legal basis: your consent.

• We use the data you share with us on a voluntary basis for our diversity and inclusion monitoring.

- Data we process for that purpose: e.g. diversity monitoring form data, information you share with us contained in your CV or covering letter.

• Legal basis: your consent.

How we use your ‘special category’ data

We may need to process Sensitive Personal Data about job applicants that data protection laws refer to as “special category” data. Data protection laws require a second lawful basis to process “special category” data in addition to consent, contractual duty, compliance with legal obligations, protection of vital interests, performance of a task in the public interest or the pursuit of legitimate interests.

We will mostly only process Sensitive Personal Data where it is necessary for complying with our obligations under the law or where we have your explicit consent to do so (which can be withdrawn at any time). However, we may not always need your explicit consent to process your Sensitive Personal Data, such as where you have clearly made such Sensitive Personal Data publicly known, it is necessary for compliance with our obligations under employment law, for the avoidance of harm to yourself or anyone else, it is necessary for a substantial public interest, it is necessary for the purposes of a legal claim or for reasons of public interest in the area of public health.

For example, we may use Sensitive Personal Data with respect to your health for health and safety purposes, and we may use Sensitive Personal Data with respect to your racial or ethnic origins or religious and philosophical beliefs or sexual orientation to ensure meaningful equal opportunity monitoring and reporting.

Who we share your data with?

We share your Personal Data with companies that help us recruit and need to process your details.

This includes:

• Recruitment or executive search agencies that help us with the recruitment process
• Other companies in the LHV group
• Personnel Checks, a screening company who run Disclosure and Barring Service (the “DBS”), background checks (including identity, credit, FCA, Media & Sanctions checks) and reference checks on our behalf (read Personnel Check’s Privacy Notice to learn more)
• Recruitment software service providers, including Greenhouse Software
• Psychometric assessment providers, including Predictive Index (https://www.predictiveindex.com/privacy/)
• Benefits broker and third-party providers such Private Health Insurance, Life Assurance
• Pensions provider
• Outsourced payroll provider
• UK visa sponsorship management system
• Occupational health services providers
• Cloud computing power, storage and software providers, including AWS and Google Cloud
• Your referees, if your application is successful.

The relevant authorities

We have a legal duty to inform the Prudential Regulation Authority and the FCA about certain roles we fill. This includes declaring in certain circumstances if a candidate for a senior role has a criminal record.

Public bodies

We ask the Disclosure and Barring Service to check your criminal record, if this is necessary for the role. In some circumstances, we may share your details with other parties, for example, with the Home Office with respect to any visa sponsorship process. This is to comply with the law or to protect our rights, property or safety.

Consultants and legal advisors

We may share your details with consultants and legal advisors if this is necessary to resolve an issue or get advice on your suitability for a role. If you are offered a role with LHV, we will initiate background checks with our screening partner, Personnel Checks, and some of the Personal Data you have shared with us during the hiring process will be shared with them. Your Personal Data will also be used to verify your identity.

Where we store or send your data

We store the data we collect from you in the UK and the European Economic Area (the “EEA”). If we transfer the data we collect from you to organisations outside of the EEA, we ensure that your data is protected as follows:

- The European Commission has determined that the country offers an adequate level of data protection; or
- We have agreed to the European Commission’s standard contractual clauses on data protection with the relevant organisation.

How long do we store your Personal Data for?

If you are unsuccessful, but agree that we can keep your Personal Data for other job openings, we retain your Personal Data for 2 years after we close the hiring process.

If you are unsuccessful and do not agree for us to retain your data for future hirings, then we will keep your Personal Data for up to 2 years after we close the hiring process. The reason for keeping your Personal Data for that long is to protect ourselves in potential legal proceedings and the storage period reflects the statute of limitations for such matters.

If you are a successful candidate, we may preserve your Personal Data for longer, following the time limits for the storing of Personal Data established in various legislation and the expiration times of potential claims.

Your rights

You have a right to:

- Obtain information on whether LHV is processing your Personal Data and access the Personal Data we hold about you (make a data subject access request)
- Ask for a copy of your Personal Data in a portable (machine-readable) format or make us send it to someone else. Such right is restricted to data which we have obtained directly from you and which we process electronically based on your consent or for the performance of a contract
- Make us correct inaccurate, insufficient or incomplete data
- Ask us to delete, block or suppress your Personal Data. For legal reasons, we might not always be able to do so. There may be times when we continue to use your Personal Data when we are required to do so by law or when we need to continue processing, including retaining, your Personal Data on the basis of our legitimate interest, e.g. in legal disputes.
- Withdraw any consent you have given us
- Object to the processing of Personal Data we carry out based on our legitimate interest. You also have the right to request from us the legitimate interest assessments
- Ask us to restrict the processing of your Personal Data for one or several purposes.

To do any of the above, please email dataprotection@lhv.com with your request. In accordance with the UK GDPR, we have one month to take action. If necessary, we are allowed to extend that period by two further months, in which case we inform you of any such extension within one month of receipt of your request, together with the reason for the extension.

How to make a complaint

If you have any questions or concerns about how we use your information, please email recruitment@lhv.com and we will do our best to resolve it. You can also contact our Data Protection Officer by e-mail at dataprotection@lhv.com.

If you are still not happy with the response you receive, you can refer your complaint to the ICO or a data protection supervisory authority in any EEA country you live or work in, or where you think a potential breach has happened. For more details on the ICO, please visit their website at ico.org.uk.

Definitions

“Controller” means the entity that decides how and why Personal Data are processed. In many jurisdictions, the Controller has primary responsibility for complying with applicable data protection laws.

“Personal Data” means information that is about any individual, or from which any individual is directly or indirectly identifiable, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

“Sensitive Personal Data” means Personal Data about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, biometric data, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, national identification number, or any other information that are deemed to be sensitive under applicable law.

“UK GDPR” means the GDPR as it forms part of the laws applicable in the UK by virtue of section 3 of the European Union (Withdrawal) Act 2018, and as applied and modified by Schedule 2 of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) or as modified from time to time by other laws applicable in the UK).

Our system has flagged this application as potentially being associated with bot traffic. Please turn off any VPNs, clear your browser cache and cookies, or try submitting your application in a different browser. If this issue persists, please reach out to our support team via our help center.

Please complete the reCAPTCHA above.

Information Security Analyst - GRC

Apply for this Job