Affirm

Affirm - Director, Affirm Bank Information Security

Remote US - Hybrid · $300k - $360k + Equity · 2mo ago
Tags: In Office, Director, NA, Banking, Fintech, Director of Security, CCO, Due Diligence, Reporting, Risk Management, Vendor Management, Data Governance


Responsibilities

1. Information Security Program Development
• Design, implement, and maintain a comprehensive Information Security Program consistent with FDIC guidance (e.g., FIL-66-2019, FIL-13-2021) and the Interagency Guidelines Establishing Information Security Standards.
• Develop and oversee policies, standards, and procedures governing cybersecurity, data protection, and incident response.
• Ensure alignment with the Bank’s overall risk management and governance frameworks.
• Provide regular reporting to executive management and the Board on the Bank’s security posture, emerging risks, and mitigation efforts.

2. Cybersecurity and Threat Management
• Establish and manage a threat monitoring and detection capability to identify, assess, and respond to cybersecurity risks.
• Oversee implementation of layered security controls (e.g., network segmentation, encryption, access controls, endpoint protection, vulnerability management).
• Lead the Bank’s Incident Response Program, ensuring timely escalation and coordination with regulators when required.
• Maintain relationships with information-sharing groups (e.g., FS-ISAC) and law enforcement to stay informed of emerging threats.

3. Third-Party and Affiliate Risk Oversight
• Evaluate the information security posture of third-party and affiliate service providers in accordance with the Bank’s Vendor Management Program and FDIC third-party risk guidance.
• Establish due diligence, ongoing monitoring, and contractual requirements for vendors handling sensitive data or performing critical services.
• Coordinate with Operations, Compliance, and Internal Audit to ensure third-party risks are identified, assessed, and mitigated.

4. Data Governance and Privacy Protection
• Ensure compliance with applicable privacy and data protection requirements (e.g., GLBA, Regulation P, state privacy laws).
• Implement processes to safeguard customer information and prevent unauthorized access, disclosure, or misuse.
• Partner with business and technology teams to integrate privacy-by-design principles into new products and services.

5. Business Continuity and Resilience
• Lead development and testing of the Bank’s Business Continuity and Disaster Recovery (BC/DR) plans, ensuring they are integrated with information security objectives.
• Coordinate regular testing and simulations to validate readiness for cyber incidents and system disruptions.
• Support resilience planning for key systems, vendors, and communication protocols.

6. De Novo and Pre-Opening Readiness
• Build and document the Bank’s information security program as part of the de novo application process.
• Establish security architecture, monitoring tools, and vendor relationships prior to launch.
• Prepare readiness materials for FDIC and state examinations related to cybersecurity and operational resilience.
• Ensure security risk assessments and third-party reviews are completed and incorporated into pre-opening milestones.

7. Leadership and Culture
• Serve as the Bank’s senior advocate for cybersecurity and data protection, promoting a culture of security awareness and accountability.
• Provide training and guidance across the organization to enhance information security awareness.
• Collaborate with peers in Risk, Compliance, Operations, and Technology to align security priorities with business strategy.
• Build and lead a capable, mission-driven security team to support the Bank’s evolving needs.

What We Look For

• Minimum of 10 years of information security and technology risk management experience, with at least 5 years in a leadership capacity at a regulated financial institution or Fintech.
• Demonstrated experience designing and implementing information security programs compliant with FDIC and FFIEC standards.
• Strong familiarity with third-party risk frameworks and financial services cybersecurity expectations.
• Experience leading incident response, penetration testing, and security operations in cloud-based and hybrid environments.
• Proven ability to communicate complex technical topics to executive leadership, the Board, and regulators.
• Strong leadership, analytical, and problem-solving skills with a risk-based and pragmatic approach to decision-making.

Core Competencies

• Expert knowledge of information security principles, frameworks, and regulatory requirements.
• Strategic thinker with strong operational execution and control discipline.
• Effective communicator capable of influencing across technical and business functions.
• Collaborative leader who fosters a culture of accountability, awareness, and continuous improvement.

Affirm Values

At Affirm, we live by our values: People Come First, No Fine Print, It’s On Us, Simplify, and Push the Envelope. As CCO, you will embody these principles while building the foundation of Affirm Bank as a trusted, transparent, and innovative financial institution.

Benefits

• Base Pay Grade - T
• Equity Grade - 14
• USA Pacific base pay range (CA, WA, NY, NJ, CT) per year: $300,000 - $360,000
• USA Sapphire base pay range (all other U.S. states) per year: $267,000 - $327,000
• Please note that visa sponsorship is not available for this position.
• Affirm is proud to be a remote-first company! The majority of our roles are remote and you can work almost anywhere within the country of employment. Affirmers in proximal roles have the flexibility to work remotely, but will occasionally be required to work out of their assigned Affirm office. A limited number of roles remain office-based due to the nature of their job responsibilities.
• We’re extremely proud to offer competitive benefits that are anchored to our core value of people come first. Some key highlights of our benefits package include:
  • Health care coverage - Affirm covers all premiums for all levels of coverage for you and your dependents
  • Flexible Spending Wallets - generous stipends for spending on Technology, Food, various Lifestyle needs, and family forming expenses
  • Time off - competitive vacation and holiday schedules allowing you to take time off to rest and recharge
  • ESPP - An employee stock purchase plan enabling you to buy shares of Affirm at a discount
• We believe It’s On Us to provide an inclusive interview experience for all, including people with disabilities. We are happy to provide reasonable accommodations to candidates in need of individualized support during the hiring process.
• [For U.S. positions that could be performed in Los Angeles or San Francisco] Pursuant to the San Francisco Fair Chance Ordinance and Los Angeles Fair Chance Initiative for Hiring Ordinance, Affirm will consider for employment qualified applicants with arrest and conviction records.
• By clicking "Submit Application," you acknowledge that you have read Affirm's Global Candidate Privacy Notice and hereby freely and unambiguously give informed consent to the collection, processing, use, and storage of your personal information as described therein.
