GRC & Incident Manager

Lendistry is an Equal Opportunity/Affirmative Action Employer. We consider applicants without regard to race, color, religion, age, national origin, ancestry, ethnicity, gender, gender identity, gender expression, sexual orientation, marital status, veteran status, disability, genetic information, or membership in any other group protected by federal, state, or local law.

If you need assistance or accommodation due to a disability, you may contact us at hr@lendistry.com

Lendistry does not accept unsolicited resumes from recruiters, employment agencies, or staffing firms. To conduct business with Lendistry, a Master Services Agreement (MSA) must be executed and confirmed prior to submitting any information relating to a potential candidate. Without a signed MSA, Lendistry shall not be responsible to any individual or entity for any payment relating to any form of fee or compensation.

And, in the event that a resume or candidate is submitted by a recruiter, an employment agency, or a staffing firm without a fully executed MSA, Lendistry has the unrestricted right to pursue and hire any of those candidate(s) without any legal or financial responsibility to the recruiter, agency, and/or firm.

A Day in the Life

The GRC & Incident Manager is responsible for leading and maturing the organization’s governance, risk, compliance, and data privacy programs across IT systems, cloud environments, and third-party vendors. This role partners with Security, Engineering, and Compliance to ensure regulatory requirements and privacy obligations are translated into practical controls that protect sensitive data while supporting business operations.

In addition to incident command duties, this role leads the organization’s GRC program, including SOC 2 compliance, GLBA Safeguards Rule obligations, ISO/IEC 27001 alignment, and third-party risk management. Data privacy responsibilities are performed in a supporting capacity, ensuring privacy obligations are integrated into incident response, compliance documentation, and vendor oversight.

This role operates at the intersection of security operations, IT, compliance, and executive leadership—translating chaos into structured response and measurable improvement, and ensuring the organization’s controls, frameworks, and risk posture remain audit-ready at all times.

Lendistry: Who We Are

We’re proud to be the nation’s largest minority-led, tech-savvy lender for small businesses and commercial real estate. As a certified Community Development Financial Institution (CDFI) and Community Development Entity (CDE), our mission is all about creating economic opportunities and fueling growth for small business owners and their communities. Join us as we pave the way with innovative financing and financial education!

What You’ll Be Doing

Incident Command & Crisis Leadership

• Serve as Incident Commander during security incidents, exercising full command and control over response operations.

• Collaborate with stakeholders to develop, execute, and maintain Incident Action Plans (IAPs) to drive structured, measurable response.

• Make high-impact decisions under pressure, balancing safety, regulatory risk, and business continuity.

• Coordinate internal response teams including Security Operations, Engineering, IT, Legal, Compliance, Communications, and Executive Leadership.

• Participate in post-incident reviews and drive corrective actions to close gaps and reduce recurrence.

Physical Security Operations

• Manage physical security incidents including unauthorized access, safety threats, and facility disruptions.

• Coordinate with Facilities, HR, Legal, and local authorities as needed during physical security events.

• Ensure physical security controls align with cybersecurity, business continuity, and compliance programs.

Coordination & Stakeholder Communication

• Act as the central coordination point between technical response teams and non-technical stakeholders during incidents.

• Coordinate with external parties including law enforcement, emergency services, regulators, and vendors when required.

Metrics, Analysis & Continuous Improvement

• Collaborate with stakeholders to improve incident response playbooks, escalation models, and readiness posture.

• Participate in tabletop exercises and incident simulations to validate response capability and team readiness.

Governance, Risk & Compliance

• Maintain and operate the organization’s SOC 2 compliance program (Type I and Type II), including control ownership, evidence collection, auditor coordination, and remediation tracking.

• Support alignment with ISO/IEC 27001, including risk assessments, Statement of Applicability support, and control mapping.

• Manage compliance obligations under GLBA, including Safeguards Rule requirements, vendor oversight, and risk documentation.

• Conduct periodic risk assessments and control effectiveness reviews across people, process, and technology.

• Maintain GRC documentation, policies, standards, procedures, and risk registers in a continuous-compliance model.

• Partner with internal stakeholders to translate regulatory requirements into practical, auditable controls.

Third-Party & Vendor Risk

• Support third-party risk assessments with a focus on data handling, privacy, and regulatory exposure.

• Review vendor security and privacy documentation (SOC reports, SIGs, DPAs).

• Track remediation items and ensure vendors meet contractual and regulatory obligations.

Data Privacy & Protection

• Support the organization’s data privacy program by maintaining data inventories, data flow diagrams, and privacy documentation aligned to applicable U.S. state privacy laws and GLBA.

• Assist in privacy and data protection impact assessments (PIAs/DPIAs) and contribute to privacy-by-design reviews across systems and product initiatives.

• Support breach assessment activities for incidents involving personal data, including scope determination, regulatory notification analysis, and impact documentation.

• Coordinate with Legal and Compliance to ensure privacy obligations are reflected in incident response, vendor contracts, and control documentation.

Cross-Functional Collaboration

• Work closely with Security, Engineering, Product, Legal, Compliance, and Operations teams to embed security and compliance controls across the organization.

• Provide practical guidance that balances compliance, risk reduction, and business velocity.

• Assist with regulator, auditor, and customer due-diligence inquiries.

Your Areas of Knowledge and Expertise

• 3–5 years of experience in Governance, Risk, and Compliance (GRC), data privacy, risk management, or a related field, preferably within a regulated environment such as fintech or financial services.

• Hands-on experience supporting regulatory and compliance programs, including SOC 2 and GLBA Safeguards Rule, along with familiarity with U.S. state privacy laws (e.g., CA, CO, VA, CT, UT, TX, OR, MT, NJ, TN, IA, IN, DE, NE, NH, MD, MN) and global privacy frameworks such as GDPR, PIPEDA, LGPD, or DPDPA.

• Experience implementing and administering GRC platforms, including managing compliance workflows, evidence collection, audit readiness, and risk tracking across multiple workstreams.

• Demonstrated ability to perform privacy and security risk assessments, including privacy impact assessments (PIAs), data protection impact assessments (DPIAs), and data security risk assessments, with strong documentation and evidence-management practices.

• Hands-on experience developing and maintaining data inventories, data maps, and data flow diagrams to support privacy compliance and regulatory obligations.

• Technical literacy in modern enterprise environments, including familiarity with cloud platforms (AWS, Azure), data architecture, database management (SQL), automation tools, and scripting languages such as Python.

• Understanding of privacy engineering and secure system design, including familiarity with privacy-enhancing technologies such as differential privacy, federated learning, and secure multi-party computation (particularly in AI/ML pipelines).

• Working knowledge of data mapping and automation tools used to manage data subject rights requests and privacy operations workflows.

• Strong analytical, organizational, and documentation skills, with the ability to manage multiple compliance initiatives independently and communicate effectively across technical, legal, and business stakeholders.

• Professional certifications such as CIPT or CDPSE required; CIPM and CISSP preferred.

• Bachelor’s degree in Computer Science, Information Security, or a related field, or an equivalent combination of professional experience, certifications, and alternative education.

Why You'll Love Working Here:

• Comprehensive Medical, Dental, and Vision Insurance

• Generous Paid Time Off

• Birthday Day Off

• 12 Paid Company Holidays

• 401(k) Match

• FSA and HSA

• Paid Life Insurance

• Paid Disability Insurance

• Pet Insurance

• Employee Assistance Program (EAP)

• Professional Development Courses

• In Office Provided Snacks and Drinks

• Gym Facilities (LA & Tustin/CEC Offices)

• In Office Engagement Activities

Compensation Range

The US base salary range for this full-time position is $145,000-$163,000 annually.

Our salary ranges are determined by role, level, and location.

The range displayed on each job posting reflects the minimum and maximum base salary for new hires for the position across all US locations. Within the range, individual pay is determined by multiple factors like job-related skills, experience, and state of residence. Your recruiter can share more about the specific salary range during the interview process.

Please note that the compensation details listed in US role postings reflect the base salary only, and do not include any variable compensation elements.

Physical Requirements

This is a stationary position that requires frequent sitting (approximately 95%), repetitive wrist motions, grasping, speaking, listening, close vision, and the ability to adjust focus. It also may require occasional standing, lifting, carrying of 20lbs or less, walking, kneeling, bending/stooping, twisting, pulling/pushing, and reaching above the shoulder. Employees in this position must be physically able to efficiently perform the essential functions of the position.

ACKNOWLEDGEMENT
B.S.D. Capital, Inc. dba Lendistry is an equal employment opportunity employer committed to providing its employees, applicants and other covered persons with equal opportunities without regard to race, color, age (40 or older), religious creed (including religious belief, practice or dress and grooming practices), national origin, ancestry, physical disability, mental disability, medical condition, genetic information, marital status, sex, gender (including pregnancy, childbirth or medical condition related to pregnancy or childbirth), gender expression, gender identity, sexual orientation, military or veteran status (including past, current or prospective service), or any other characteristic protected under applicable federal, state or local law.