GRC & Incident Manager
$145k - $163k
B.S.D. Capital Inc. dba Lendistry
Lendistry is an Equal Opportunity/Affirmative Action Employer. We consider applicants without regard to race, color, religion, age, national origin, ancestry, ethnicity, gender, gender identity, gender expression, sexual orientation, marital status, veteran status, disability, genetic information, or membership in any other group protected by federal, state, or local law. If you need assistance or accommodation due to a disability, you may contact us at [View email address on click.appcast.io].

Lendistry does not accept unsolicited resumes from recruiters, employment agencies, or staffing firms. To conduct business with Lendistry, a Master Services Agreement (MSA) must be executed and confirmed prior to submitting any information relating to a potential candidate. Without a signed MSA, Lendistry shall not be responsible to any individual or entity for any payment relating to any form of fee or compensation. And, in the event that a resume or candidate is submitted by a recruiter, an employment agency, or a staffing firm without a fully executed MSA, Lendistry has the unrestricted right to pursue and hire any of those candidate(s) without any legal or financial responsibility to the recruiter, agency, and/or firm.

A Day in the Life

The GRC & Incident Manager is responsible for leading and maturing the organization’s governance, risk, compliance, and data privacy programs across IT systems, cloud environments, and third-party vendors. This role partners with Security, Engineering, and Compliance to ensure regulatory requirements and privacy obligations are translated into practical controls that protect sensitive data while supporting business operations. In addition to incident command duties, this role leads the organization’s GRC program, including SOC 2 compliance, GLBA Safeguards Rule obligations, ISO/IEC 27001 alignment, and third-party risk management.
Data privacy responsibilities are performed in a supporting capacity, ensuring privacy obligations are integrated into incident response, compliance documentation, and vendor oversight. This role operates at the intersection of security operations, IT, compliance, and executive leadership—translating chaos into structured response and measurable improvement, and ensuring the organization’s controls, frameworks, and risk posture remain audit-ready at all times.

What You’ll Be Doing

- Serve as Incident Commander during security incidents, exercising full command and control over response operations.
- Collaborate with stakeholders to develop, execute, and maintain Incident Action Plans (IAPs) to drive structured, measurable response.
- Make high-impact decisions under pressure, balancing safety, regulatory risk, and business continuity.
- Coordinate internal response teams including Security Operations, Engineering, IT, Legal, Compliance, Communications, and Executive Leadership.
- Participate in post-incident reviews and drive corrective actions to close gaps and reduce recurrence.
- Manage physical security incidents including unauthorized access, safety threats, and facility disruptions.
- Coordinate with Facilities, HR, Legal, and local authorities as needed during physical security events.
- Ensure physical security controls align with cybersecurity, business continuity, and compliance programs.
- Act as the central coordination point between technical response teams and non-technical stakeholders during incidents.
- Coordinate with external parties including law enforcement, emergency services, regulators, and vendors when required.
- Collaborate with stakeholders to improve incident response playbooks, escalation models, and readiness posture.
- Participate in tabletop exercises and incident simulations to validate response capability and team readiness.
- Maintain and operate the organization’s SOC 2 compliance program (Type I and Type II), including control ownership, evidence collection, auditor coordination, and remediation tracking.
- Support alignment with ISO/IEC 27001, including risk assessments, Statement of Applicability support, and control mapping.
- Manage compliance obligations under GLBA, including Safeguards Rule requirements, vendor oversight, and risk documentation.
- Conduct periodic risk assessments and control effectiveness reviews across people, process, and technology.
- Maintain GRC documentation, policies, standards, procedures, and risk registers in a continuous-compliance model.
- Partner with internal stakeholders to translate regulatory requirements into practical, auditable controls.
- Support third-party risk assessments with a focus on data handling, privacy, and regulatory exposure.
- Review vendor security and privacy documentation (SOC reports, SIGs, DPAs).
- Track remediation items and ensure vendors meet contractual and regulatory obligations.
- Support the organization’s data privacy program by maintaining data inventories, data flow diagrams, and privacy documentation aligned to applicable U.S. state privacy laws and GLBA.
- Assist in privacy and data protection impact assessments (PIAs/DPIAs) and contribute to privacy-by-design reviews across systems and product initiatives.
- Support breach assessment activities for incidents involving personal data, including scope determination, regulatory notification analysis, and impact documentation.
- Coordinate with Legal and Compliance to ensure privacy obligations are reflected in incident response, vendor contracts, and control documentation.
- Work closely with Security, Engineering, Product, Legal, Compliance, and Operations teams to embed security and compliance controls across the organization.
- Provide practical guidance that balances compliance, risk reduction, and business velocity.
- Assist with regulator, auditor, and customer due-diligence inquiries.
Your Areas of Knowledge and Expertise

- 3–5 years of experience in Governance, Risk, and Compliance (GRC), data privacy, risk management, or a related field, preferably within a regulated environment such as fintech or financial services.
- Hands-on experience supporting regulatory and compliance programs, including SOC 2 and GLBA Safeguards Rule, along with familiarity with U.S. state privacy laws (e.g., CA, CO, VA, CT, UT, TX, OR, MT, NJ, TN, IA, IN, DE, NE, NH, MD, MN) and global privacy frameworks such as GDPR, PIPEDA, LGPD, or DPDPA.
- Experience implementing and administering GRC platforms, including managing compliance workflows, evidence collection, audit readiness, and risk tracking across multiple workstreams.
- Demonstrated ability to perform privacy and security risk assessments, including privacy impact assessments (PIAs), data protection impact assessments (DPIAs), and data security risk assessments, with strong documentation and evidence-management practices.
- Hands-on experience developing and maintaining data inventories, data maps, and data flow diagrams to support privacy compliance and regulatory obligations.
- Technical literacy in modern enterprise environments, including familiarity with cloud platforms (AWS, Azure), data architecture, database management (SQL), automation tools, and scripting languages such as Python.
- Understanding of privacy engineering and secure system design, including familiarity with privacy-enhancing technologies such as differential privacy, federated learning, and secure multi-party computation (particularly in AI/ML pipelines).
- Working knowledge of data mapping and automation tools used to manage data subject rights requests and privacy operations workflows.
- Strong analytical, organizational, and documentation skills, with the ability to manage multiple compliance initiatives independently and communicate effectively across technical, legal, and business stakeholders.
- Professional certifications such as CIPT or CDPSE required; CIPM and CISSP preferred.
- Bachelor’s degree in Computer Science, Information Security, or a related field, or an equivalent combination of professional experience, certifications, and alternative education.

Why You'll Love Working Here

- Comprehensive Medical, Dental, and Vision Insurance
- Generous Paid Time Off
- Birthday Day Off
- 12 Paid Company Holidays
- 401(k) Match
- FSA and HSA
- Paid Life Insurance
- Paid Disability Insurance
- Pet Insurance
- Employee Assistance Program (EAP)
- Professional Development Courses
- In-Office Provided Snacks and Drinks
- Gym Facilities (LA & Tustin/CEC Offices)
- In-Office Engagement Activities

Compensation Range

The US base salary range for this full-time position is $145,000–$163,000 annually. Our salary ranges are determined by role, level, and location. The range displayed on each job posting reflects the minimum and maximum base salary for new hires for the position across all US locations. Within the range, individual pay is determined by multiple factors like job-related skills, experience, and state of residence. Your recruiter can share more about the specific salary range during the interview process. Please note that the compensation details listed in US role postings reflect the base salary only, and do not include any variable compensation elements.

Physical Requirements

This is a stationary position that requires frequent sitting (approximately 95%), repetitive wrist motions, grasping, speaking, listening, close vision, and the ability to adjust focus. It also may require occasional standing, lifting, carrying of 20 lbs or less, walking, kneeling, bending/stooping, twisting, pulling/pushing, and reaching above the shoulder. Employees in this position must be physically able to efficiently perform the essential functions of the position.

ACKNOWLEDGEMENT

B.S.D. Capital, Inc. dba Lendistry is an equal employment opportunity employer committed to providing its employees, applicants and other covered persons with equal opportunities without regard to race, color, age (40 or older), religious creed (including religious belief, practice or dress and grooming practices), national origin, ancestry, physical disability, mental disability, medical condition, genetic information, marital status, sex, gender (including pregnancy, childbirth or medical condition related to pregnancy or childbirth), gender expression, gender identity, sexual orientation, military or veteran status (including past, current or prospective service), or any other characteristic protected under applicable federal, state or local law.

B.S.D. Capital, Inc. dba Lendistry is a minority-led fintech lender and community development financial institution (CDFI).

At Lendistry, we’re more than just a fintech company—we’re a mission-driven team changing the game for small business owners and the communities they serve. As a national employer and proud recipient of 2025's Best Places to Work in Fintech, we believe in creating opportunity, driving equity, and delivering impact where it matters most. We’re looking for strategic thinkers and passionate doers—people who show up every day ready to make a real difference. If you’re driven by purpose and thrive in a culture of innovation and service, Lendistry might just be the place for you.

