Baker McKenzie has added cybersecurity and data privacy attorney Katherine Hanniford to its Washington, DC office. The hire signals continued demand for regulatory counsel as SEC and state enforcement in this space intensifies.
Baker McKenzie announced that cybersecurity and data privacy attorney Katherine Hanniford has joined the firm's Washington, DC office. While this is a law firm hiring announcement rather than a regulatory action, the move reflects a broader trend worth noting for compliance officers.
When major law firms expand their cybersecurity practices in Washington, it tells you something about where regulatory enforcement is heading. The SEC has made cybersecurity a priority. FINRA has too. State regulators are piling on.
I've seen it time and again: rulemaking hits, enforcement follows, and suddenly everyone's dialing outside counsel.
We saw this play out with the SEC's cybersecurity disclosure rules adopted in 2023. We're seeing it now with intensified examination focus on Regulation S-P compliance following the 2024 amendments. Firms that handle customer data, which is essentially every broker-dealer and investment adviser, are squarely in the crosshairs.
Hiring announcements don't change your compliance obligations. But they do serve as a useful signal. When sophisticated legal practices grow their cybersecurity benches, it means their clients are facing more regulatory scrutiny in this area.
For compliance officers, the practical implications are straightforward:
I've seen firms treat cybersecurity as an IT problem. It's not. It's a compliance problem with IT components. The regulators have been clear on this point. The enforcement actions confirm it.
Last year alone, the SEC brought multiple actions against firms for failures in cybersecurity policies and procedures. Not for breaches themselves, but for inadequate programs. That's a meaningful distinction.
Don't wait for an incident to assess your cybersecurity posture. Review your written supervisory procedures. Test your incident response plan. Document your vendor oversight. These aren't theoretical exercises. They're the specific items examiners will ask about.
The growing demand for cybersecurity legal counsel in Washington tells you the regulatory pressure isn't easing. It's building. Your compliance program should reflect that reality.
No. A law firm hire doesn't change your regulatory requirements. However, the expansion of cybersecurity legal practices signals continued enforcement focus in this area, which should inform your compliance priorities.
For broker-dealers and RIAs, Regulation S-P's safeguards rule is the primary focus. The 2024 amendments strengthened requirements around incident response and vendor oversight. Your written policies should address both.
At minimum, annually. But the SEC has indicated that firms should conduct tabletop exercises and update procedures based on emerging threats. Document every test and any resulting changes to your program.
The content in this blog is for informational purposes only and does not constitute legal advice, regulatory guidance, or an offer to sell or solicit securities. GiGCXOs is not a law firm. Compliance program requirements vary based on business model, customer base, and regulatory classification.