Company Description Privia Health™ is a technology-driven, national physician enablement company that collaborates with medical groups, health plans, and health systems to optimize physician practices, improve patient experiences, and reward doctors for delivering high-value care in both in-person and virtual settings. The Privia Platform is led by top industry talent and exceptional physician leadership, and consists of scalable operations and end-to-end, cloud-based technology that reduces unnecessary healthcare costs, achieves better outcomes, and improves the health of patients and the well-being of providers. Job Description Overview of the Role: Reporting to the Chief Information Security Officer (CISO) the Third-Party Enterprise Risk Manager is responsible for managing and growing a comprehensive third-party risk management program across the organization. This role is responsible for ensuring that Privia Health's information assets are safeguarded against cyber threats originating from third and fourth parties. The position involves leading the Third Party Access Committee (TPAC), driving compliance with federal and state regulations (such as HIPAA, SOX, HITRUST, and state privacy laws), and implementing industry best practices for vendor risk management. The manager will collaborate cross-functionally to identify, evaluate, and mitigate risks associated with all third-party engagements, contributing to the organization's strategic objectives and security posture. Essential Job Duties: - Maintain and grow the Third-Party Risk Management (TPRM) Framework: Design, implement, and continuously improve the organization's TPRM framework, policies, and procedures, including the management and governance of: - Third Party Access Committee (TPAC) and oversee the review and approval process for all third parties. - Third-party review process, ensuring that qualifying vendors submit required documentation in a timely manner and that our evaluation process complies with industry standards and Privia’s administrative, technical, and cybersecurity controls. - Maintain the Approval / Revocation List for internal and external stakeholders and appropriate communications when vendors change status - Be the TPRM team liaison to the AI Governance Committee and work with the Privacy Officer, The Chief Technology officer and other key members of the organization to ensure that AI is incorporated into our Third-Party Risk Management processes and is aligned to organizational objectives. - Work with organizational stakeholders to ensure the TPRM is comprehensive and inclusive of all types of third parties, that stakeholders understand how to engage with TPAC, and that the appropriate mechanisms exist for ongoing training and awareness, and meet changing business needs and demands. Establish alignment between TPAC vendors and national operating teams. - Evaluate third-party access requests in collaboration with the committee to ensure Privia Policies, federal, state laws, and industry best practices. Ensure the third parties have the appropriate cybersecurity controls and liability insurance so that they do not present undue risk. - Track and maintain records of all TPAC submissions, approvals, and denials, and publish a list of approved solutions on PriviaConnect. - Coordinate periodic reviews of approved third parties at least every two years, or for the term of the contract, if shorter, and manage corrective action plans when necessary. - Collaborate with the Privacy & Data Analyst to review reports of API activity in the EMR and present findings to TPAC - Work with the Cybersecurity Analyst and other IT Security teams to ensure comprehensive third-party inventory and robust security controls are in place and aligned with industry standards - Oversee the implementation and maintenance of Third-Party Risk Management (TPRM) software solutions to streamline assessment, monitoring, and reporting processes. Maintain existing systems and processes. - Work with senior and executive leadership on new business models, including potential vendor partner models that may involve developing a preferred vendor program or savings guides. - Develop and maintain an inventory of all third parties, including all data exchanges and validating its completeness and accuracy annually by comparing it against systems actively connected to the EMR. - Manage cybersecurity risks associated with third-party vendors and service providers, including implementing security requirements in vendor contracts. - Perform other duties as assigned. Qualifications - Education: Bachelor's Degree in Information Technology, Cybersecurity, Risk Management, or a related field, or equivalent work experience preferred. - Years of experience: 5+ years of progressive experience in third-party risk management, information security, or a related field, with at least 2 years in a lead role. - Experience with/ Technology being used: - Demonstrated experience managing Third-Party Risk Management (TPRM) software. - Strong knowledge of security frameworks (e.g., NIST, HITRUST) and regulatory compliance requirements (e.g., SOX, HIPAA). - Experience in conducting risk assessments and developing mitigation strategies. - Experience managing vendors and third-party relationships. - Familiarity with EHR/EMR systems (e.g., athenaOne) is a plus. - Experience with data inventory and auditing processes. - Proficiency in analytical tools (e.g., Excel, Google Sheets) for data analysis and reporting. - Experience with Monday.com or Form Assembly a plus - Excellent written and oral communication skills, with the ability to articulate complex concepts to various stakeholders. - Strong project management skills and a collaborative mindset. - Ability to work independently and with a team in a fast-paced environment, managing multiple competing priorities. - Must comply with HIPAA rules and regulations and other State and Federal rules, regulations, and statutes. The salary range for this role is $125,000.00-$155,000.00 in base pay and exclusive of any bonuses or benefits (medical, dental, vision, life, and pet insurance, 401K, paid time off, and other wellness programs). This role is also eligible for an annual bonus targeted at 15% and restricted stock units. The base pay offered will be determined based on relevant factors such as experience, education, and geographic location. Additional Information All your information will be kept confidential according to EEO guidelines. Technical Requirements (for remote workers only, not applicable for onsite/in office work): In order to successfully work remotely, supporting our patients and providers, we require a minimum of 5 MBPS for Download Speed and 3 MBPS for the Upload Speed. This should be acquired prior to the start of your employment. The best measure of your internet speed is to use online speed tests like https://www.speedtest.net/. This gives you an update as to how fast data transfer is with your internet connection and if it meets the minimum speed requirements. Work with your internet provider if you have questions about your connection. Employees who regularly work from home offices are eligible for expense reimbursement to offset this cost. Privia Health is committed to creating and fostering a work environment that allows and encourages you to bring your whole self to work. We understand that healthcare is local and we are better when our people are a reflection of the communities that we serve. Our goal is to encourage people to pursue all opportunities regardless of their age, color, national origin, physical or mental (dis)ability, race, religion, gender, sex, gender identity and/or expression, marital status, veteran status, or any other characteristic protected by federal, state or local law. - Department: IT Security

• Manage day‑to‑day operations of the CMS EDGE server, including file ingestion, error resolution, and submission monitoring • Coordinate execution of baseline, incremental, and command‑driven processes for Cigna’s AWS‑hosted EDGE environment • Monitor release updates, reference data changes, and deployment timelines to keep the system in sync with CMS schedules • Oversee troubleshooting and remediation of file processing, configuration, and validation errors within the EDGE environment • Interpret CMS technical guidance, ICD updates, O&MM manual changes, and regulatory communications to ensure aligned EDGE operations • Conduct quality checks, reconcile enrollment and claims data, and support risk score accuracy and regulatory compliance • Collaborate with IT security and infrastructure teams to monitor and maintain EDGE instances in accordance with CMS requirements and Cigna policies • Maintain documentation of procedures, system configurations, data flows, and operational controls • Collaborate with teams to maintain and optimize data pipelines using AWS, Databricks, Python, SAS, and Oracle to support EDGE submissions and related analytics

• Manage a full suite of commercial insurance lines, including general liability, property, workers’ compensation, D&O, EPLI, cyber liability, umbrella/excess, commercial auto, and fiduciary liability • Lead the annual insurance renewal process, including preparing and submitting applications, loss history, and supplemental underwriting information • Evaluate coverage terms, limits, retentions, and premiums; negotiate with brokers and carriers to optimize program value • Maintain the master certificate of insurance schedule and respond to requests from landlords, joint venture partners, health systems, and other stakeholders • Review and provide guidance on insurance-related provisions in contracts, leases, and vendor agreements • Conduct periodic risk assessments to identify emerging exposures across the ASC portfolio and corporate operations • Analyze claims data and loss history to identify trends, cost drivers, and opportunities for risk mitigation • Maintain and update the organization’s risk register and provide regular reporting to senior leadership on key risk indicators • Serve as the primary contact for all non-clinical claims, including property, auto, workers’ compensation, and general liability • Coordinate with third-party claims administrators, defense counsel, and carriers to ensure timely and appropriate resolution • Track open claims, monitor reserves, and report on status to leadership • Support litigation management in collaboration with legal counsel • Ensure insurance programs comply with applicable regulations, lender covenants, management agreements, and joint venture obligations • Prepare and present periodic risk management and insurance program reports to the CFO, executive team, and board/committees • Maintain organized records of all policies, binders, endorsements, and correspondence • Manage ongoing relationships with insurance brokers, specialty consultants, and other risk-related service providers • Conduct periodic broker performance reviews and lead competitive broker or market solicitations as needed • Stay informed of market trends, emerging products, and best practices in risk management for healthcare and ASC operations

Build and scale the underwriting foundation for our new consumer charge card (0→1). Mercury is building a banking* stack for startups. We work hard to create the easiest and safest banking* experience possible to simplify entrepreneurs' and business owners’ financial lives. We’re launching a premium consumer charge card and are looking for a senior credit risk leader to help build and scale the underwriting strategy from the ground up - and own its performance as the portfolio scales. Our goal is to build a consumer charge card that delivers a premium experience while maintaining disciplined, data-driven credit risk. This is a hands-on, senior individual contributor role. You’ll take an initial strategic direction and turn it into a scalable, data-driven underwriting program, then monitor, refine, and evolve that strategy post-launch. You’ll play a key role in shaping how risk decisions translate into customer experience, product growth, and long-term portfolio performance. As the portfolio grows, this role is expected to evolve into team leadership. *Mercury is a fintech company, not an FDIC-insured bank. Banking services provided through Choice Financial Group and Column N.A., Members FDIC. What You’ll Own: Build and operationalize the credit strategy - Translate underwriting vision into formal credit policy and decision frameworks - Define approval logic, segmentation strategy, and limit-setting methodology - Establish portfolio guardrails aligned to loss targets and unit economics - Design account management strategies across the customer lifecycle - Develop early portfolio management approaches including exposure adjustments, servicing strategies, and input into collections processes as the portfolio matures - Define portfolio monitoring frameworks and escalation triggers for emerging credit risk trends Build the data-driven risk engine - Implement credit policy in our underwriting platform - Evaluate and integrate key data sources (bureau, income, debt signals) - Ensure decision logic is structured, testable, and scalable - Partner with Engineering and Data to build monitoring and feedback loops Own portfolio performance post-launch - Define and track core KPIs (approval rate, early delinquency, loss rate, exposure, utilization, etc.) - Monitor vintage performance and segment behavior - Recommend and implement strategy adjustments based on observed risk trends - Present risk performance, insights, and recommendations to senior leadership Drive data-informed risk and growth decisions - Use SQL to independently evaluate underwriting decisions and trade-offs - Analyze drivers of credit performance and portfolio outcomes - Partner with Finance on forecasting and risk-adjusted economics Drive cross-functional execution - Partner with Compliance to ensure the underwriting program is well-documented and built to scale - Work with Partnerships, Procurement, and Legal on evaluating and onboarding credit data providers - Support broader risk initiatives across our business charge card portfolio during the build phase What We’re Looking For: - 6+ years of experience in consumer credit risk. Ideal candidates will have 8–12 years of experience across banking, fintech, or unsecured consumer lending - Experience launching or materially redesigning a consumer lending product - Experience implementing credit policy within a decisioning or underwriting platform is strongly preferred - Demonstrated experience owning risk strategy and monitoring portfolio performance - Deep familiarity with bureau data and core credit risk metrics (approval rate, loss rate, vintage curves, etc.) - Experience presenting risk insights and strategy recommendations to senior stakeholders - Experience translating policy into production decision logic - Strong SQL skills and comfort working directly with data - Comfortable building in ambiguity and operating in a 0→1 environment Why This Role Is Unique: You’ll join before launch - when foundational decisions are made - and remain accountable for how those decisions perform in-market. You won’t inherit a mature portfolio. You’ll help define how underwriting works, how risk scales, and how this product earns long-term customer trust. As the consumer portfolio grows, this role has the potential to evolve into a leadership position responsible for building and managing a dedicated consumer credit risk team. The total rewards package at Mercury includes base salary, equity, and benefits. Our salary and equity ranges are highly competitive within the SaaS and fintech industry and are updated regularly using the most reliable compensation survey data for our industry. New hire offers are made based on a candidate’s experience, expertise, geographic location, and internal pay equity relative to peers. Our target new hire base salary ranges for this role are the following: - US employees in New York City, Los Angeles, Seattle, or the San Francisco Bay Area: $171,000 - $213,700 - US employees outside of the New York City, Los Angeles, Seattle, or the San Francisco Bay Area: $153,900 - $192,300 - Canadian employees (any location): $161,600 - $201,900 CAD Mercury values diversity & belonging and is proud to be an Equal Employment Opportunity employer. All individuals seeking employment at Mercury are considered without regard to race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, sexual orientation, or any other legally protected characteristic. We are committed to providing reasonable accommodations throughout the recruitment process for applicants with disabilities or special needs. If you need assistance, or an accommodation, please let your recruiter know once you are contacted about a role. We use Covey as part of our hiring and / or promotional process for jobs in NYC and certain features may qualify it as an AEDT. As part of the evaluation process we provide Covey with job requirements and candidate submitted applications. We began using Covey Scout for Inbound on January 22, 2024. [Please see the independent bias audit report covering our use of Covey for more information.] #LI-AR1