Lendistry is an Equal Opportunity/Affirmative Action Employer. We consider applicants without regard to race, color, religion, age, national origin, ancestry, ethnicity, gender, gender identity, gender expression, sexual orientation, marital status, veteran status, disability, genetic information, or membership in any other group protected by federal, state, or local law.
If you need assistance or accommodation due to a disability, you may contact us at hr@lendistry.com
Lendistry does not accept unsolicited resumes from recruiters, employment agencies, or staffing firms. To conduct business with Lendistry, a Master Services Agreement (MSA) must be executed and confirmed prior to submitting any information relating to a potential candidate. Without a signed MSA, Lendistry shall not be responsible to any individual or entity for any payment relating to any form of fee or compensation.
And, in the event that a resume or candidate is submitted by a recruiter, an employment agency, or a staffing firm without a fully executed MSA, Lendistry has the unrestricted right to pursue and hire any of those candidate(s) without any legal or financial responsibility to the recruiter, agency, and/or firm.
A Day in the Life
The GRC Data Analyst sits within the Governance, Risk, and Compliance team in the Office of the CISO, reporting to the CISO or a designated GRC leader. This is a hands-on analytical role for someone who can turn raw evidence — control outputs, audit logs, vendor attestations, incident data, policy exceptions — into the signal that drives Lendistry's security, risk, and compliance posture.
You will operate the data side of GRC: building and maintaining the control inventory, tracking compliance against SOC 2, GLBA, SBA program requirements, state lending regulations, and CCPA/CPRA, running evidence collection for internal and external audits, analyzing vendor and third-party risk, and producing the metrics and reporting that inform the CISO, executive leadership, and the Board. You will partner closely with Security Engineering, IT, Legal, Compliance, the Data Privacy Officer, and every business unit whose work intersects controls.
Lendistry is a CDFI and SBA Preferred Lender operating under a dense, overlapping regulatory environment — SBA, state lending, banking partners, investor covenants, SOC 2, GLBA, and California privacy law. Controls are not a paperwork exercise here; they are the operating license. As GRC Data Analyst, you are the person who makes those controls legible, measurable, and auditable. The quality of your work determines how quickly Lendistry can close audits, onboard banking and capital-markets partners, respond to regulators, and earn the trust that lets us keep deploying capital to small businesses.
Lendistry: Who We Are
We’re proud to be the nation’s largest minority-led, tech-savvy lender for small businesses and commercial real estate. As a certified Community Development Financial Institution (CDFI) and Community Development Entity (CDE), our mission is all about creating economic opportunities and fueling growth for small business owners and their communities. Join us as we pave the way with innovative financing and financial education!
What You’ll Be Doing (General Responsibilities)
As GRC Data Analyst, you will own and evolve the operational core of Lendistry's compliance program, including:
The Lendistry control library — a single, framework-mapped source of truth for how we meet SOC 2, GLBA, SBA, state lending, and CCPA/CPRA obligations.
The evidence automation layer — the integrations and workflows that keep control evidence fresh without burning out the team.
The GRC reporting stack — dashboards and narratives for the CISO, executive leadership, and the Board; audit packages for external parties.
The vendor risk program — a defensible, documented record of who touches our data, how, and with what controls in place.
The risk register — kept current, kept honest, and tied to real mitigation commitments.
Control Management & Evidence Operations
Maintain the Lendistry control inventory — SOC 2, GLBA safeguards, SBA-aligned program controls, and state lending controls — mapped across frameworks so a single piece of evidence can satisfy multiple requirements.
Run continuous evidence collection against the control inventory using Lendistry's GRC platform (Vanta, Drata, Hyperproof, AuditBoard, or equivalent), automating wherever possible and chasing manual evidence where not.
Operate the control testing calendar — design sampling plans, pull evidence, document results, track exceptions, and drive remediation to closure.
Own the audit cycle for SOC 2 Type II and other external examinations — liaise with auditors, manage evidence request lists, coordinate interviews, and keep the audit moving on schedule.
Risk Analysis & Reporting
Build and maintain GRC dashboards and metrics — control coverage, evidence freshness, open findings, mean time to remediate, vendor risk posture, and trend lines — and publish them on cadence to the CISO, executive leadership, and the Board.
Analyze control data for patterns and risk signals — repeated findings, drift in evidence quality, clusters of exceptions, and emerging gaps — and surface them early.
Produce risk assessments for new products, new vendors, new data flows, and new regulatory obligations, including clear articulation of inherent risk, control coverage, and residual risk.
Support the enterprise risk register — maintain it, drive quarterly reviews, and keep mitigation owners accountable for their commitments.
Vendor & Third-Party Risk
Run the vendor risk management lifecycle — intake, tiering, due diligence, contract review support, ongoing monitoring, and offboarding — with full documentation and defensible decisions.
Review SOC 2 reports, SIG questionnaires, and security attestations from vendors and capital-markets partners, identifying gaps and tracking remediation commitments.
Maintain a current inventory of data flows and the vendors touching each category of Lendistry data, so the DPO and the CISO always have a clear picture of third-party exposure.
Regulatory & Policy Support
Monitor regulatory change across SOC 2 criteria updates, SBA program requirements, state lending law changes, CCPA/CPRA enforcement, and the GLBA Safeguards Rule — and translate changes into concrete control updates.
Maintain the policy library — keep policies current, drive annual reviews, track attestations, and ensure versioning and approval workflow integrity.
Support incident documentation — contribute to after-action analyses, regulatory notifications, and the control updates that follow.
Partner with the Data Privacy Officer on privacy impact assessments, data subject request metrics, and CCPA/CPRA compliance reporting.
Cross-Functional Collaboration
Partner with Security Engineering and IT to turn technical control data (identity, access, vulnerability, configuration, logging) into GRC-grade evidence.
Partner with Legal and Compliance on regulator requests, examination responses, and contract commitments that translate into operational controls.
Partner with Product and Engineering on control requirements for new features — particularly those touching borrower PII, financial data, or AI-driven decisioning.
Communicate clearly with non-GRC audiences — executives, engineers, credit, servicing — explaining why a control matters in plain language.
AI-Assisted Work Practice
Lendistry expects its GRC team to be among the most effective users of AI tools in the company. AI is a force multiplier for analytical work, and the GRC function has more analytical work than people.
Use AI tools daily — Claude, Copilot, or equivalents — for evidence review, policy drafting, control mapping, and summarization of long regulatory documents.
Bring sound judgment about when to trust, verify, or override AI-generated analysis, particularly in regulated contexts where the output ends up in front of auditors or regulators.
Help shape responsible AI use inside Lendistry — as AI is embedded deeper into lending operations, GRC must evolve the controls and evidence practices that keep those systems auditable.
Your Areas of Knowledge and Expertise (Education/Experience & Proficiencies)
Analytical rigor. You work from data, not from narrative. Evidence either supports the conclusion or it does not.
Ownership. Drives audit cycles, vendor reviews, and remediation items to closure without needing to be chased.
Communication. Writes tight, argues precisely, and tailors the message to the audience.
Integrity. The role only works if people trust your findings. That trust is earned.
Collaboration. Partners effectively with Engineering, Legal, Compliance, Privacy, and business teams — including when the conversation is uncomfortable.
Comfort with ambiguity. Thrives in a fast-moving, multi-framework environment where requirements evolve and priorities shift.
Core Experience
3+ years in GRC, IT audit, information security risk, or compliance analysis, preferably in fintech, banking, lending, SaaS, or another regulated industry.
Working knowledge of SOC 2 — Trust Services Criteria, control design vs. operating effectiveness, evidence standards — from either the auditor or auditee side.
Working knowledge of GLBA Safeguards Rule and the broader financial-services control environment.
Familiarity with CCPA/CPRA and the data handling, notice, and consumer-rights obligations it creates for a California-headquartered business.
Hands-on experience with a GRC platform — Vanta, Drata, Hyperproof, AuditBoard, OneTrust, LogicGate, or equivalent — for control tracking, evidence collection, and audit support.
Analytical & Tooling Skills
Strong data analysis skills — Excel / Google Sheets at an advanced level, and ideally SQL, for pulling, joining, and cleaning control and audit data.
Reporting and visualization experience — the ability to turn a messy evidence trail into a clear dashboard or Board-ready summary.
Written and verbal communication — tight, precise, and audience-aware. Your audit narratives and risk memos will be read by engineers, executives, auditors, and regulators.
Project management discipline — the ability to run an audit cycle, a vendor review queue, and a policy refresh at the same time without dropping any of them.
Integrity & Judgment
Unimpeachable integrity — the evidence either supports the conclusion or it does not. You do not paper over gaps, and you do not let others.
Sound risk judgment — ability to distinguish real risk from noise, and to communicate both in proportion.
Discretion with sensitive material — incidents, examinations, vendor findings, and personnel issues.
Preferred Qualifications
Relevant certification — CISA, CRISC, CISM, CIPP/US, CRCM, or equivalent.
Experience supporting SBA 7(a), SBA 504, or CDFI program compliance.
Experience with state lending regulator examinations or bank-partner audits.
Experience with NIST CSF, NIST 800-53, or FFIEC frameworks.
Exposure to AI/ML governance frameworks (NIST AI RMF) and controls for AI-driven decisioning.
B.A. or B.S. in Accounting, Information Systems, Business, or a related field; or equivalent experience.
Why You'll Love Working Here:
Comprehensive Medical, Dental, and Vision Insurance
Generous Paid Time Off
Birthday Day Off
12 Paid Company Holidays
401(k) Match
FSA and HSA
Paid Life Insurance
Paid Disability Insurance
Pet Insurance
Employee Assistance Program (EAP)
Professional Development Courses
Snacks and Drinks Provided in the Office
Gym Facilities (LA & Tustin/CEC Offices)
In-Office Engagement Activities
Compensation Range
The US base salary range for this full-time position is $76,100 - $95,500 annually.
Our salary ranges are determined by role, level, and location.
The range displayed on each job posting reflects the minimum and maximum base salary for new hires for the position across all US locations. Within the range, individual pay is determined by multiple factors like job-related skills, experience, and state of residence. Your recruiter can share more about the specific salary range during the interview process.
Please note that the compensation details listed in US role postings reflect the base salary only, and do not include any variable compensation elements.
Physical Requirements
This is a stationary position that requires frequent sitting (approximately 95%), repetitive wrist motions, grasping, speaking, listening, close vision, and the ability to adjust focus. It may also require occasional standing, lifting and carrying of 20 lbs or less, walking, kneeling, bending/stooping, twisting, pulling/pushing, and reaching above the shoulder. Employees in this position must be physically able to efficiently perform the essential functions of the position.
ACKNOWLEDGEMENT
B.S.D. Capital, Inc. dba Lendistry is an equal employment opportunity employer committed to providing its employees, applicants and other covered persons with equal opportunities without regard to race, color, age (40 or older), religious creed (including religious belief, practice or dress and grooming practices), national origin, ancestry, physical disability, mental disability, medical condition, genetic information, marital status, sex, gender (including pregnancy, childbirth or medical condition related to pregnancy or childbirth), gender expression, gender identity, sexual orientation, military or veteran status (including past, current or prospective service), or any other characteristic protected under applicable federal, state or local law.