CIC Insurance Group Limited, commonly referred to as CIC Group, is an insurance and investment group that operates mainly in Kenya, Uganda, South Sudan and Malawi
About the Role
Reporting to the Group Director – Risk and Compliance, the role holder will be responsible for embedding cybersecurity and information risk disciplines into the organization’s broader ERM framework, ensuring technology-related risks are identified, assessed, quantified, and treated in a manner consistent with the organization’s risk appetite and governance structures. In addition to cybersecurity risk, the role carries oversight responsibility for the full spectrum of ICT risk across the Group’s technology estate, supervising the ICT Risk Specialist and ensuring that infrastructure, system, and change-related risks are integrated into the Group’s enterprise risk register alongside cybersecurity threats.
Key Responsibilities
- Support the Director, Risk and Compliance in embedding cybersecurity and ICT risk within the enterprise risk management framework, ensuring that technology risks are consistently captured in the organizational risk register, assessed against agreed risk appetite, and reported to governance forums in clear business terms.
- Provide direct line management and professional development for the ICT Risk Specialist, Cyber Risk Specialist and Project and Innovation Risk Specialist, setting clear objectives, coordinating workplans, conducting performance reviews, and ensuring high-quality delivery across all the disciplines they cover.
- Implement the CIC Group Cybersecurity Strategy; prepare reports on the Group’s cybersecurity risk appetite, monitor the quantified thresholds, and produce the quarterly and annual cybersecurity risk reports for Management, regulators and the Board of Directors.
- Lead the Group’s cybersecurity incident response capability, directing the technical and governance response to material incidents in accordance with the Cyber Incident Response Plan.
- Direct the Group’s red and blue teaming programme: commission annual red team adversarial simulation exercises, oversee blue team defensive monitoring and response capability, review findings from both disciplines, and drive remediation to strengthen the Group’s overall security posture.
- Provide expert input into the security design of IT architectures, system implementations, and digital transformation initiatives, ensuring security-by-design and privacy-by-design principles are embedded from project initiation.
- Implement the Group’s Third-Party Risk Management Framework for ICT-related vendors, ensuring all such relationships are assessed, classified, and managed proportionately to their risk tier, and monitoring for supply chain cyber threats and third-party data breaches in line with the Framework’s escalation timelines.
- Support digital forensic investigations, maintain chain of custody, and produce reports suitable for management, board and regulatory submission or legal proceedings.
General Responsibilities
- Participate in budgeting and resource allocation for the Risk and Compliance function.
- Manage internal, external audit and regulatory engagements related to cybersecurity and information risk, coordinating audit responses and tracking remediation of findings.
- Maintain current knowledge of developments in cybersecurity legislation, regulatory guidance, threat intelligence, and industry best practice across all operating jurisdictions, disseminating relevant updates to stakeholders.
- Maintain and enforce cybersecurity risk policies and standards, reviewing them periodically to reflect changes in the threat landscape, regulatory environment, and organizational risk appetite, and ensuring compliance across all nine subsidiaries.
Who We’re Looking For
Essential Knowledge/Skills and Experience Required:
- Bachelor’s degree in Computer Science, Information Technology, Cybersecurity, or a related field.
- A Master’s degree in Information Security, Risk Management, or a related discipline is an added advantage.
- Mandatory: One or more of CISSP, CISM, CISA, or equivalent senior cybersecurity certification.
- Desirable: CGEIT, CRISC, CEH, cloud security certifications (AWS Security Specialty, Microsoft SC-100/AZ-500), ISO 27001 Lead Implementer/Auditor, or a risk management qualification (IRM, CRMA).
- Total Experience: Minimum of eight (8) years of progressive cybersecurity or IT risk experience.
- Leadership Experience: At least four (4) years in a management or team lead role with direct reports across multiple security or risk disciplines.
- Industry Experience: Prior experience in financial services, insurance, or a regulated industry is strongly preferred.
- Frameworks & Standards: Strong working knowledge of ISO 27001, NIST CSF, and enterprise risk frameworks (e.g. COSO ERM, ISO 31000), with practical experience applying these in a compliance-driven environment.
About the Role
Reporting to the Technology Risk and Cybersecurity Manager, the role holder will be responsible for the identification, assessment, monitoring, and reporting of cybersecurity risks across CIC Insurance Group’s technology estate. The role supports the Technology Risk and Cybersecurity Manager in executing the ICT and cybersecurity risk programme. The role holder brings specialist cyber risk expertise that complements the broader ICT risk function, focusing specifically on cybersecurity threat assessment, vulnerability management, security monitoring, and third-party cyber risk, and is expected to operate with a high degree of technical competence, independence, and initiative across CIC Group.
Key Responsibilities
- Conduct cyber risk assessments across the Group’s IT infrastructure, systems, applications, and data assets, documenting threats, vulnerabilities, likelihood, impact ratings, and recommended treatment actions in the Group’s cyber risk register.
- Maintain and update the cyber risk register, ensuring all identified risks are classified, prioritised, assigned to risk owners, and tracked through to treatment or acceptance in line with the Group’s risk appetite framework.
- Work closely with the ICT Risk Specialist to ensure that cybersecurity risks within the broader IT risk landscape are consistently identified, cross-referenced, and reported, avoiding duplication while maintaining complete coverage of the technology risk environment.
- Support the Project and Innovation Risk Lead by providing specialist cyber risk input into project and innovation risk assessments, ensuring that cybersecurity threats and control requirements are identified and incorporated into project plans, the risk register, and change requests from initiation through to delivery.
- Lead vulnerability scanning across the Group’s technology environment, develop remediation plans for identified vulnerabilities, and track remediation progress to closure.
- Conduct real-time security monitoring, investigate and respond to security alerts from firewalls, intrusion detection systems, anti-malware software, and other monitoring tools, and escalate material incidents in accordance with the Cyber Incident Response Plan.
- Support the Technology Risk and Cybersecurity Manager in leading the response to cybersecurity incidents, including triage, containment, evidence documentation, and preparation of incident reports suitable for internal governance or IRA submission.
- Conduct cyber risk assessments for third-party vendors and technology partners, reviewing security questionnaires, certifications, penetration test reports, and incident history, maintaining the third-party cyber risk register, and escalating material findings to the Cybersecurity Manager.
- Support annual penetration testing exercises and red / blue teaming activities, reviewing findings with technical teams and tracking remediation actions to closure.
- Prepare cyber risk reports, dashboards, and management information for the Technology Risk and Cybersecurity Manager, including quarterly emerging ICT risk research reports and risk presentations for governance committees.
- Support the delivery of cybersecurity awareness activities, contribute to staff training materials, and share threat intelligence and security alerts with relevant stakeholders across the Group.
General Responsibilities
- Participate in departmental planning, budgeting, and various governance meetings and committees as required.
- Stay current with developments in the cybersecurity field, share emerging threat intelligence with the Cybersecurity Manager and relevant teams, and recommend new security technologies where appropriate.
- Support internal and external audit engagements on cybersecurity matters, providing evidence, analysis, and technical input as required.
Who We’re Looking For
Essential Knowledge/Skills and Experience Required:
- Bachelor’s degree in Computer Science, Information Technology, Cybersecurity, or a related field.
- Relevant certifications such as CISA, CISM, CISSP, CEH or similar.
- Additional certifications are a plus, including cloud security certifications (AWS, Azure, GCP).
- Minimum of four (4) years of hands-on IT security experience.
- Experience in financial services and insurance is preferred.
- Proven experience in conducting penetration tests and vulnerability assessments and leading closure of findings in collaboration with various stakeholders (internal and external IT auditors, IT Risk, external pentesters, etc.).
- Strong knowledge of security frameworks and standards (e.g. ISO 27001, NIST).
- Experience working across multiple African jurisdictions is an advantage.
Key Competencies:
- Strong technical knowledge of cybersecurity risk management principles.
- Ability to conduct and document structured cyber risk assessments, maintain risk registers, and produce clear risk reports and dashboards for non-technical management audiences.
- Strong analytical, report-writing, and presentation skills.
- High personal integrity, discretion, reliability and the highest standards of professional conduct in handling sensitive security information.
- Intellectual authority and technical confidence.
- Stakeholder management and communication skills.
- Established strategic planning and organizational skills.
- Deep awareness of both the internal and external threat environment, including sector-specific attack patterns and adversary motivation.
About the Role
Reporting to the Technology Risk and Cybersecurity Manager, the role holder will support the identification, assessment, monitoring, and reporting of risks associated with projects, programmes, and innovation initiatives across CIC Insurance Group. The Project and Innovation Risk Lead assists in ensuring that risk management is consistently applied throughout the project lifecycle and across the Group’s innovation agenda, in alignment with the enterprise risk management framework and applicable regulatory requirements. The incumbent will play a key role in helping the Group pursue innovation safely, ensuring that emerging risks from new technologies, digital initiatives, and business model changes are identified and managed proactively.
Key Responsibilities
- Maintain and update project and innovation risk registers across all active Group projects, programmes, and innovation initiatives, ensuring risks, causes, likelihood ratings, impact scores, and treatment actions are accurately documented and current.
- Conduct structured risk assessments for new and ongoing projects and innovation initiatives (including new product development, insurtech partnerships, digital transformation programmes, and emerging technology adoption), gathering information from project teams and stakeholders to identify threats and opportunities, ensuring risks are captured in the risk register, and preparing draft assessment reports for review by the Technology Risk and Cybersecurity Manager.
- Prepare regular risk reports, dashboards, and status updates for project steering committees, governance bodies, and senior management, translating risk data from both project and innovation workstreams into clear and concise management information.
- Support project and innovation monitoring activities by tracking the implementation of agreed risk treatment actions, following up with risk owners, and flagging overdue or escalating risks to the Cybersecurity Manager in a timely manner.
- Support data protection and privacy risk reviews for projects and innovation initiatives that involve personal data processing or new data-driven business models, assisting in maintaining compliance with applicable data protection legislation across the Group’s operating jurisdictions.
- Collate and analyze risk data across the Group’s project and innovation portfolio to assist in identifying trends, concentration risks, and emerging threats, producing summary analysis for management review.
- Support post-project and post-innovation risk reviews and lessons-learned exercises by gathering data, preparing summary reports, and documenting improvement recommendations for future initiatives.
General Responsibilities
- Participate in planning and budgeting for the Risk and Compliance department.
- Participate in various meetings and governance committees as required.
- Plan, promote, and support internal training activities related to risk management practices, frameworks, and enhancements.
Who We’re Looking For
Essential Knowledge/Skills and Experience Required:
- Bachelor’s degree in Business Administration, Project Management or a related field.
- A project management certification (e.g. PMP, PMI-ACP or PRINCE2) and Prosci Change Management Practitioner certification are desirable.
- At least 2–4 years of relevant experience in project management and change management.
- Significant work experience with an emphasis on system implementations.
About the Role
Reporting to the Data Protection Officer, the role holder will support the monitoring of compliance with the Data Protection Act and all applicable data privacy regulations across CIC Insurance Group. The role provides essential operational and analytical support to ensure that the Group and its subsidiaries maintain robust data protection practices in line with regulatory requirements. The role holder assists in developing and maintaining the Group’s data protection framework, managing records of processing activities, supporting data protection impact assessments, coordinating training programmes, and acting as a point of contact for internal stakeholders on day-to-day data protection matters.
Key Responsibilities
- Support the Data Protection Officer in monitoring and implementing the Group’s Data Protection Framework, including assisting in updating policies, data collection templates, data mapping exercises, and the overall data protection implementation plan across all subsidiaries.
- Maintain and update the Group’s Records of Processing Activities (ROPA), ensuring all data processing activities across subsidiaries are accurately documented, classified by purpose and legal basis, and made available on request in accordance with the Data Protection Act.
- Assist in conducting Data Protection Impact Assessments (DPIAs) for new or changed processing activities, projects, and systems, documenting findings, risk ratings, and recommended mitigating controls for review and sign-off by the DPO.
- Coordinate and support the delivery of data protection training programs across CIC Group, maintaining training registers, updating training materials as regulatory requirements evolve, and tailoring sessions to specific processing functions or subsidiary requirements.
- Support the management of data subject rights requests, including Subject Access Requests, requests for erasure, rectification, or restriction of processing, ensuring responses are prepared within regulatory timeframes and referred to the DPO for approval where required.
- Assist in managing data security incidents and breaches, including initial assessment, documentation, impact assessment support, and coordination with the Information Security team to ensure timely escalation and regulatory notification in line with the Group’s incident management plan.
- Support the preparation of privacy statements for each processing operation and assist in ensuring these are incorporated into company forms, websites, correspondence, and other data collection touchpoints across all subsidiaries.
- Assist in compliance review exercises and audits, identifying gaps in data protection practices, documenting findings, and tracking remediation actions to closure in collaboration with relevant business units.
- Assist the DPO in preparing quarterly status reports on data protection compliance, highlighting emerging risks, incidents, or areas requiring immediate attention.
- Help coordinate with the Office of the Data Protection Commissioner and other supervisory authorities as directed by the DPO, including assisting in preparing responses to queries, complaints, or inspection requests.
- Monitor developments in data protection legislation, regulatory guidance, and best practice across the Group’s operating jurisdictions, preparing briefing notes and updates for the DPO and relevant stakeholders.
General Responsibilities
- Participate in departmental planning and budgeting as required.
- Participate in relevant committees, working groups, and governance meetings as directed by the DPO.
- Liaise with internal audit, external auditors, and regulators on data protection matters as directed.
- Assist in planning and organizing internal awareness activities and campaigns related to data privacy and protection.
Who We’re Looking For
Essential Knowledge/Skills and Experience Required:
- Bachelor’s degree in Law, Computer Science, Information Technology, Business Administration, or a related field.
- A data protection or privacy certification from a recognized body is preferred.
- Additional qualifications in information security (CISA, CISM, or CISSP) are an added advantage.
- At least 2–3 years’ relevant experience in a compliance, legal, audit, or data protection support role within the financial services industry, preferably insurance or banking.
- Demonstrated experience in maintaining compliance records, conducting assessments, or supporting regulatory reporting processes.