Title: Security Compliance Manager

Location: Austin, TX / Dallas, TX / San Francisco Bay Area, CA / Morristown, NJ (hybrid)

Reports To: Sr. Manager, Cybersecurity

About Hippo

Hippo exists to protect the joy of homeownership. We believe that insurance should protect the things you treasure through an intuitive, modern experience. We provide tailored insurance coverage and preventative maintenance plans that keep you protected throughout your homeowner journey. We’ll also help you find coverage for everything life brings—from auto to flood—reimagining how you care for your home.

About the Role

The Security Compliance Manager owns and evolves Hippo’s governance, risk, and compliance (GRC) program, ensuring the company maintains strong, defensible security controls and meets regulatory and audit requirements. This role leads the design, execution, and maturity of IT general controls (ITGC), SOX compliance, SOC 2 readiness and audits, and alignment with industry frameworks such as ISO 27001 and NIST.

Partnering closely with Security Engineering, IT, Finance, Legal, and Internal and External Audit, the Security Compliance Manager delivers rigorous risk assessments, effective control testing, and clear assurance reporting. The role plays a critical part in ensuring regulatory compliance, including NYCRR 500, while continuously improving compliance efficiency through standardization and automation.

About You

You are a seasoned security compliance and risk professional with a strong command of audit, controls, and regulatory frameworks. You are comfortable owning complex compliance programs end-to-end and translating regulatory requirements into practical, scalable controls.

You thrive in cross-functional environments, communicate clearly with both technical and non-technical stakeholders, and bring a structured, detail-oriented approach to risk management. You balance rigor with pragmatism, helping the organization meet compliance obligations while enabling the business to move efficiently and confidently.

What You'll Do:

Own and mature the end-to-end GRC program, including ITGC, SOX, SOC 2, ISO 27001 alignment, and NYCRR 500 compliance.

Design, execute, and test IT general controls across access management, change management, operations, backup and disaster recovery, and vendor/SaaS environments.

Lead SOX activities including scoping, walkthroughs, design and operating effectiveness testing, deficiency evaluation, and remediation tracking.

Manage SOC 2 readiness and annual Type 1 and Type 2 audits, including control mapping, evidence collection, and exception management.

Align security policies, standards, and procedures with ISO 27001 Annex A, NIST CSF, COBIT, and CIS Controls, ensuring regulatory applicability.

Conduct enterprise and IT risk assessments, document risk treatment plans, and track remediation through closure.

Establish continuous control testing and assurance practices, including testing scripts, sampling methodologies, and evidence standards.

Develop and report on key risk and performance indicators (KRIs/KPIs) such as control pass rates, audit findings, evidence SLAs, and vendor risk trends.

Serve as the primary point of contact for Internal Audit and external auditors, producing executive- and board-ready compliance reporting.

Lead third-party and vendor risk assessments, including SIG/CAIQ reviews, contract control requirements, and ongoing monitoring.

Map and validate cloud controls (AWS, Azure, GCP) against SOX, SOC 2, ISO 27001, and NYCRR 500 expectations.

Maintain security policies, control catalogs, control narratives, and RACI documentation.

Drive security awareness, control owner training, and process maturity, including identifying opportunities for automation and continuous monitoring.

Must Haves:

6+ years of experience in security compliance, IT audit, or IT risk management.

Hands-on ownership of ITGC, SOX, SOC 2, and policy frameworks such as ISO 27001.

Strong expertise in risk assessments, control testing, assurance practices, and audit methodologies.

Practical knowledge of enterprise and cloud control domains, including IAM, SDLC/change management, vulnerability management, logging and monitoring, incident response, and BC/DR.

Experience interpreting and applying regulatory requirements such as NYCRR 500 or similar industry regulations.

Proven ability to lead cross-functional initiatives with Security, IT, Finance, Legal, and Audit teams.

Excellent written and verbal communication skills, with experience delivering executive-level reporting.

Nice to Have:

Security or audit certifications (CISA, CISSP, CISM, CRISC, ISO 27001 Lead Implementer/Auditor, CIA, CPA).

Experience with GRC and compliance tooling (e.g., One Trust, Drata, Vanta, Secureframe, Jira, Confluence).

Financial services or insurance industry experience, including GLBA, NAIC, and customer security questionnaires (SIG, CAIQ).

Benefits and Perks:

Hippo treats its team members with the same level of dedication and care as we do our customers, which is why we’re fortunate to provide all of our Hippos with:

• Healthy Hippos Benefits - Multiple medical plans to choose from and 100% employer covered dental & vision plans for our team members and their families. We also offer a 401(k)-retirement plan, short & long-term disability, employer-paid life insurance, Flexible Spending Accounts (FSA) for health and dependent care, and an Employee Assistance Program (EAP)

• Equity-This position is eligible for equity compensation

• Training and Career Growth - Training and internal career growth opportunities

• Flexible Time Off - You know when and how you should recharge

• Little Hippos Program - We offer 12 weeks of parental leave for primary and secondary caregivers

• Hippo Habitat - Snacks and drinks available and catered lunches for onsite employees

The Morristown, NJ and San Francisco Bay Area base pay range for this role is $175,000.00 - $265,000.00. Exact compensation may vary based on several job-related factors that are unique to each candidate, including but not limited to: skill set, experience, education/training, location, business needs and market demands.

Hippo is an equal opportunity employer, and we are committed to building a team culture that celebrates diversity and inclusion. Hippo’s applicants are considered solely based on their qualifications, without regard to an applicant’s disability or need for accommodation. Any Hippo applicant who requires reasonable accommodations during the application process should contact the Hippo’s People Team to make the need for an accommodation known.

Hippo CCPA