Mercury · San Francisco, CA, New York, NY, Portland, OR, or Remote within United States

Deputy Chief Information Security Officer - Bank

Posted 10 days ago · Full-time · Remote · Information Security · Direct from employer ATS
ℹ️ Please note: This listing is sourced from a third-party job board. Jobnique is a job search platform and is not the employer for this role. The hiring company is Mercury.

About this role

The role: You will be the operating second to the CISO and own the bank-entity scope of Mercury's 2LOD Information Security program. You'll be the person who keeps the program examiner-ready by default: coherent policy architecture, evidenced controls, a credible gap-remediation track record, and a tested incident response program with documented exercise history.

This is not a research or strategy role. It is a build-and-defend role. You will sit across the table from OCC examiners, FFIEC IT audit teams, our Chief Risk Officer, and the board's risk committee, and you will be expected to answer for every line in our policies and every status in our control inventory.

*Mercury is a fintech company, not an FDIC-insured bank. Banking services provided through Choice Financial Group and Column N.A., Members FDIC.

What you'll own:

Bank-entity 2LOD InfoSec program

Governance, policy, risk, and oversight scoped to the chartered bank

OCC, FFIEC, FDIC and FRB examiner inquiries; ownership of the examiner-ready narrative; coordination of the evidence

Lead remediation of identified FFIEC IT control deficiencies to charter readiness ahead of the OCC pre-opening examination

Policy architecture

Carry the bank-scoped policy stack (Policy / Standard / Procedure), including ratification cycles, MRCC memos, and board approvals

Partner with the Chief Risk Officer on bank continuity, resilience, and recovery, including tabletop exercises and full-scale drills

Manage relationships with internal audit (3LOD) and external assessors (SOC 2, FFIEC CAT, regulator-led IT examinations)

Ensure TPRM evidence holds up to bank-grade scrutiny for critical service providers and material outsourcing arrangements

Coach and grow the GRC sub-team; run a recurring training cadence; build the bench depth a national bank requires

What we need:

8+ years in Information Security, with 3+ years inside a regulated bank, trust bank, or de novo bank charter effort

Mercury is a startup chartering a national bank — this experience is non-negotiable

You have deep working knowledge of the FFIEC CAT, the FFIEC IT Examination Handbook, BSA/AML IT supervisory expectations, and the OCC Heightened Standards

Direct examiner-facing experience

You have defended a control to an OCC, FDIC, or Federal Reserve examiner. You know what good evidence looks like before it gets challenged
