Senior Vendor Security Risk Management Analyst
Listed on 2026-07-18
-
IT/Tech
Cybersecurity, Information Security, Data Security
Established nearly two centuries ago, FM is a leading mutual insurance company whose capital, scientific research capability and engineering expertise are solely dedicated to property risk management and the resilience of its policyholder-owners. These owners, who share the belief that the majority of property loss is preventable, represent many of the world’s largest organizations, including one of every four Fortune 500 companies.
They work with FM to better understand the hazards that can impact their business continuity to make cost-effective risk management decisions, combining property loss prevention with insurance protection.
Work Schedule
This position requires on-site work one day per week at our Corporate Headquarters and flexibility to be on-site when needed based on the demands of the business
Relocation is not offered for this position.
Position Summary
FM is seeking a Senior Information Security Analyst with deep expertise in Third-Party Risk Management (TPRM), you will play a critical role in protecting FM by assessing how external vendors, SaaS platforms, and cloud solutions interact with our systems and data. This high-impact role where your expertise in cyber risk, vendor security, and cloud architecture will help shape business decisions, strengthen our security posture, and support innovation in a secure way.
This includes reviewing both the vendor’s security control environment and the specific solution being implemented, with a focus on data handling, storage, and integration with internal systems.
You will partner closely with business, technology, and procurement teams to identify risks and recommend practical, business-aligned mitigation strategies.
You will lead end-to-end cybersecurity risk assessments of third-party vendors and solutions—going beyond standard due diligence to evaluate real-world risk across systems, data, and integrations.
Key Responsibilities
- Lead end-to-end third-party solution risk assessments and vendor security reviews across the vendor lifecycle, including due diligence, onboarding, ongoing monitoring, and reassessments.
- Evaluate vendor security programs, control effectiveness, and governance, along with deep-dive assessment of the specific product being implemented including solution architecture, data flows, and integration points.
- Identify and communicate inherent and residual cyber risks related to data protection, privacy, IAM, privileged access, system connectivity, and external attack surface exposure.
- Review and interpret security documentation, including SOC 1/SOC 2 reports, ISO 27001 certifications, audit reports, architecture diagrams, data flow diagrams, and technical configurations.
- Recommend practical risk mitigation strategies, including compensating controls, secure design changes, and contractual safeguards to support risk-informed decisions.
- Partner with business, technology, procurement, and legal teams to support risk acceptance, exception management, and third-party risk governance.
- Contribute to the evolution of FM’s third-party risk management framework, methodology, and standards in alignment with NIST, ISO 27001, NYDFS, and other applicable regulatory expectations.
- 5+ years of experience in cybersecurity, information security, or cyber risk, with a background in third-party risk management (TPRM), IT risk, audit, incident response, or access management.
- Experience assessing vendor security posture in cloud (SaaS/PaaS) and enterprise environments.
Technical Expertise
- Strong understanding of systems, networks, application architecture, cloud security, and secure system design across AWS, Azure, SaaS, PaaS, APIs, and enterprise integrations.
- Experience evaluating data flows, data classification, data protection, data governance, and secure data handling practices.
- Knowledge of IAM, SSO, federation, privileged access, cyber threats, vulnerabilities, and attack methodologies.
- Ability to interpret SOC 1, SOC 2, ISO certifications, and other third-party assurance artifacts to identify control gaps and residual risk.
Risk & Analysis:
- Ability to identify, assess, and clearly communicate complex cyber risks,…
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).