Next Insurance, founded in 2016 and headquartered in Palo Alto, is an insurtech company offering digital insurance solutions tailored to small businesses across the U.S. By leveraging AI and machine learning, the company provides customized policies for sectors such as general liability, professional liability, and commercial auto insurance. Business owners can easily receive quotes and purchase coverage through the platform online.

To date, Next Insurance has raised over $1.1 billion in funding, including a $265 million strategic round in November 2023, led by Allstate and Allianz X. This funding is intended to accelerate the company's path to profitability and expansion. A strategic partnership with Allstate enables Next Insurance to develop new commercial auto products and extend its offerings to Allstate’s customer base.

Serving more than 500,000 small businesses nationwide, Next Insurance employs around 700 people, with offices in Palo Alto, Waltham, Rochester, Israel, and some remote roles.

We seek a Head of GRC who is passionate about assessing and quantifying Information Security risks to develop practical standards and guidelines.

The Head of Governance, Risk & Compliance (GRC) has a critical leadership role and is responsible for setting the vision and strategy for cyber governance, risk management, and

compliance. This individual will lead a team dedicated to ensuring that NEXT meets established security requirements, adheres to industry standards, and complies with external and internal policies.

The ideal candidate is a strategic thinker with strong leadership abilities, a deep understanding of relevant laws and regulations, and a proven ability to collaborate across multiple departments.

Key areas of responsibility include policy development and enforcement, regulatory compliance, cyber risk management, partnerships and assurance support, training and awareness, audit coordination, and cross-functional collaboration.

Reporting directly to the CISO, the Head of GRC will serve as a trusted advisor to the senior leadership team, providing education, awareness, and guidance on risk and compliance matters.

What You’ll Do:

• Plan, build, run, and manage an enterprise-wide governance, risk, and compliance program for NEXT, including awareness and training, partnerships, and business support.
• Develop and oversee security audit processes and risk assessments.
• Collaborate with various business units to ensure security compliance considerations are integrated into business processes.
• Maintain a current understanding of the threat landscape that could impact NEXT operations and translate that knowledge into potential risks and actionable plans to protect the business.
• Enhance and maintain a risk register to monitor and track risk mitigation activities.
• Develop policy framework and update organizational policies and procedures to ensure compliance with relevant laws, regulations, and industry standards.
• Third-party risk management is responsible for the vendor assessment program, which includes ongoing processes and new initiatives to improve process efficiency and risk measurements.
• Lead the development of security awareness training to increase security awareness and ensure understanding of relevant security practices and procedures and our regulatory landscape.
• Simplifying and articulating deep technical concepts and requirements into easily understood terms.
• Translating compliance requirements into operational procedures.

What We Need:

• 5+ years of audit, risk, and/or compliance experience as an external or internal function, primarily in regulated environments such as insurance, healthcare or financial services
• 2+ years of people management experience,e preferably in global companies.
• Deep understanding of Information Security risk management concepts from both enterprise and start-up perspectives (e.g., ITIL Change Management vs. DevOps Continuous Delivery)
• Knowledge of pragmatic security controls across all domains, such as access management, encryption methods, vulnerability management, network security, etc.
• Have start-up DNA: You have demonstrated an ability to thrive in a dynamic start-up environment or have the DNA to do so.
• Understanding security assurance and trust frameworks ( NIST 800-53, ISO2700x, 23 NYCRR 500, etc.)
• Good understanding of privacy and data protection laws (CCPA, GDPR, GLBA Privacy and Safeguards Rules)