Governance, Risk, and Compliance Lead

Extend

💵 $189k-$205k
📍 Remote - United States

Summary

Join Extend, a venture-backed fintech startup modernizing the protection plan industry, as a GRC Manager. You will lead the compliance auditing process, manage annual SOC2 audits, and maintain DFS500 compliance. You will also develop and maintain GRC documentation, oversee risk management activities, and provide GRC guidance to senior management. This role requires 10+ years of experience in information security, risk management, or compliance, including 2+ years in a leadership role managing GRC programs. Strong knowledge of security frameworks (SOC2, NIST, ISO) and regulatory requirements is essential, with experience with DFS500 compliance preferred. Extend offers a competitive compensation and benefits package, a remote-first work environment, and the opportunity to make an impact while working with cutting-edge technology.

Requirements

  • 10+ years of experience in information security, risk management, or compliance
  • 2+ years in a leadership role managing GRC programs
  • Strong knowledge of security frameworks (SOC2, NIST, ISO) and regulatory requirements
  • Demonstrated ability to develop and implement risk management strategies
  • Excellent communication skills - able to translate technical concepts for non-technical audiences
  • Experience with compliance automation tools and GRC platforms
  • Strong project management and organizational skills
  • Ability to work effectively in a fast-paced, remote environment

Responsibilities

  • Lead Compliance Auditing Process
      • Manage annual SOC2 audit processes and maintain DFS500 compliance
      • Coordinate with external auditors and internal stakeholders
      • Develop and implement audit preparation procedures
      • Track remediation efforts for audit findings
  • Develop and Maintain GRC Documentation
      • Compile and update security, privacy, and risk policies
      • Ensure policies align with regulatory requirements and industry standards
      • Create and maintain standards, procedures, and controls documentation
      • Collaborate with cross-functional teams to implement GRC requirements
  • Manage Risk Management Program
      • Oversee risk assessment and analysis activities
      • Develop risk mitigation strategies and track implementation
      • Maintain risk register and reporting metrics
  • Facilitate business continuity and disaster recovery planning
  • Provide GRC guidance and thought leadership to senior management
  • Oversee vulnerability management processes
  • Lead security awareness and training initiatives
  • Support incident response activities when needed
  • Generate reports and metrics for executive leadership

Preferred Qualifications

  • Experience with DFS500 compliance
  • Relevant certifications (CISA, CISSP, CRISC, etc.)

Benefits

  • Competitive compensation and benefits package
  • Remote-first work environment
  • Competitive salary based on experience, with full medical, dental, and vision benefits
  • Stock in an early-stage startup growing quickly
  • Very generous, flexible paid time off policy
  • 401(k) with Financial Guidance from Morgan Stanley
