Advance your potential – and reach your goals

The Cybersecurity Third Party Risk Analyst is responsible for identifying, assessing, and managing cybersecurity risks arising from the organization’s use of third parties. This role performs risk-based cyber due diligence in alignment with a defined assessment schedule and risk tiering methodology to ensure that third-party controls are commensurate with the sensitivity, criticality, and regulatory impact of the services provided.

The Analyst evaluates the design and effectiveness of third-party cybersecurity controls, validates alignment with regulatory requirements and internal standards, and drives remediation of identified control gaps. This role serves as a key liaison between business stakeholders, third parties, and cybersecurity leadership to ensure risks are clearly understood, documented, and mitigated in a manner that balances regulatory obligations with business objectives.

The position requires strong technical acumen, regulatory awareness, and the ability to translate complex cybersecurity risks into clear, actionable insights for both technical and non-technical audiences.

Responsibilities:

• Perform cybersecurity due diligence of third parties across the vendor lifecycle, including onboarding, periodic reassessments, and trigger-based reviews.
• Identify control gaps, residual risks, and non-compliance issues; partner directly with third parties and internal stakeholders to develop and track remediation plans.
• Track and monitor the status of each due diligence review and communicate the status with management and key stakeholders on a regular basis.
• Clearly articulate risk exposure, business impact, and remediation options, including compensating controls where appropriate.
• Prepare comprehensive, audit-ready documentation that supports regulatory examinations, internal audit reviews, and management reporting.
• Monitor remediation progress and provide regular status updates to leadership and key stakeholders.
• Continuously evaluate and enhance third-party risk management processes, documentation standards, and assessment methodologies to improve efficiency and risk visibility.
• Support a strong risk culture by promoting transparency, collaboration, and accountability across business and vendor relationships.

Qualifications:

• 3–7+ years of experience in cybersecurity risk management, information security governance, control testing, audit, or information security.
• Working knowledge of regulatory frameworks and expectations, including NYDFS 23 NYCRR 500 and industry standards such as NIST CSF and CIS Controls.
• Demonstrated ability to identify control deficiencies and assess their impact on organizational risk.
• Experience preparing documentation suitable for regulatory review and audit scrutiny.
• Strong written and verbal communication skills, with the ability to translate technical risk into concise executive-level summaries.
• Ability to manage competing priorities in a fast-paced, regulated environment.
• Proven ability to balance risk mitigation with practical business considerations.

Cybersecurity Risk, a team within OneMain’s Enterprise Risk Management organization, is a fast-growing team focused on providing expert insight into risk, developing team members, and effective oversight of cybersecurity and technology risk. This is a team where you can work with talented team members across Cyber Risk, Cyber Tech, Risk Management, and Technology organizations. You will be challenged to excel with exciting and challenging opportunities daily. There is transparency and great support from management teams to allow team members to be effective, grow their careers, and meet company goals. Hard work and initiative are rewarded and recognized by management and colleagues alike, which promotes a culture of respect and value across the organization. Within the Cybersecurity Risk team, you will be conducting meaningful work and making a difference in the lives of OneMain’s customers and team members by promoting a cybersecurity culture, optimizing cybersecurity capabilities, protecting data, and developing cyber resilient programs.