Andrew Tannenbaum
Image of Andrew Tannenbaum

Andrew Tannenbaum

Partner

Email

andrew.tannenbaum@aoshearman.com

Phone

+1 2127561157

Offices

New York

V-CARD
Andrew is Global Co-Head of Cybersecurity.

Andrew is a leading cybersecurity and technology lawyer with more than two decades of experience in financial services, technology, government, and national security. With his unique background combining senior in-house and government roles, Andrew brings a deep and first-hand understanding of the challenges clients face navigating high-stakes and emerging technology risks in highly regulated industries. As Global Co-Head of Cybersecurity, his practice includes advising global enterprises on some of the largest and most complex cybersecurity and data incidents, as well as end-to-end governance and compliance for AI, privacy, and cyber programs. 

Prior to joining A&O Shearman, Andrew served as General Counsel for Barclays Execution Services, the global services company of the Barclays Group. In that role, Andrew led Barclays’ legal teams worldwide across all areas of technology and operations, including cyber, data privacy, AI, emerging technologies, intellectual property, operational resilience, and crisis management. 

Andrew has pioneered cybersecurity and technology roles for lawyers at the top levels of industry and government. He was the first Chief Cybersecurity Counsel at IBM, where he founded one of the earliest global corporate cyber legal teams, and he was Barclays’ first global legal head of cyber, data, and AI. During a decade in government, Andrew served as the National Security Agency’s first Deputy General Counsel for Cyber and held prominent positions in the White House and Department of Justice. He has overseen hundreds of cyber incidents and data breach investigations at all levels of severity, guiding clients through cross-border crisis response and regulatory investigations. 

A trusted advisor to boards, C-suite executives, general counsels, and CISOs, Andrew provides practical, business-focused counsel in highly dynamic and operational environments. Recognized for his thought leadership, Andrew teaches cybersecurity, privacy, and government surveillance law at Columbia Law School, has testified before Congress on cybersecurity law, and has contributed to leading publications such as The Wall Street Journal and Harvard Business Review.

Expertise

Industries

Experience

Representative matters

  • A global luxury retailer on a sophisticated cyberattack exposing client personal data. Advised on all aspects of the incident, including rapid containment and evidence preservation, supervision of a top-tier digital forensics partner, coordination with law enforcement, regulatory and customer communications, and post-incident remediation planning.
  • An AI platform company on a ransomware incident involving encryption and exfiltration of data. Led the investigation and response including forensic oversight, data review and impact assessment, enterprise customer engagement, individual and regulator notifications, law enforcement coordination, Board updates, and post-incident security program uplifts.
  • A U.S. multinational bank on an end-to-end AI compliance risk assessment and strategy for a novel customer-facing use of AI, as well as the bank’s internal use of AI tools. Advised across all areas of AI governance, including regulatory compliance, risk mitigation controls, privacy and transparency considerations, vendor diligence, record retention, testing and monitoring, and alignment with evolving global AI legal frameworks.
  • A Canadian bank on biometrics privacy compliance across multiple global jurisdictions and on expanded multifactor authentication requirements under New York Department of Financial Services (NYDFS) Part 500 cybersecurity regulations.
  • Multiple global financial institutions and fintech companies on compliance with the U.S. Department of Justice rule on the transfer of bulk sensitive personal data to China, Hong Kong, and other designated countries of concern, including data mapping, security and access controls, contractual safeguards, and compliance program documentation and approach.
  • Several major financial institutions on a high-profile supplier data breach targeting large volumes of consumer loan application materials.

Published Work

  • Author, Why Do IoT Companies Keep Building Devices With Huge Security Flaws?, Harvard Business Review, 2017
  • Author, To Prevent Cyberattacks, Share the Threat Data, Op-Ed, Wall Street Journal, 2015
  • Author and Testifying Witness, The Growing Cyber Threat and its Impact on American Business, Statement for the Record, United States House of Representatives Permanent Select Committee on Intelligence, 2015

Speaking Engagements

  • Moderator, Cybersecurity in Focus, IAPP Chicago, October 2025 
  • Moderator, Cybersecurity – You’ve Been Hacked, International Bar Association Boston Conference, June 2025 
  • Panelist, Building Cyber Resilience: Defending Against Fraud and Cybercrime in Digital Age, IAPP London, March 2025 
  • Panelist, Cybersecurity, Hacking, and Data Breach – Scenarios for Preparedness, PLI TechLaw Institute, March 2024 
  • Law & Technology Practitioner in Residence, Perspectives in Cybersecurity and Informational Privacy, Indiana University Maurer School of Law, February 2024 
  • Guest Lecturer, Cyber Law & Ethics, Dartmouth College Computer Science Program, November 2023
  • Panelist, Cyber Issues: Traps for the Unwary, SIFMA Annual C&L Seminar, March 2022
  • Panelist, Cybersecurity Update: Combating an Evolving Threat, SIFMA C&L Forum, July 2021

Leadership Positions And Professional Affiliations

  • Adjunct Faculty, Lecturer in Law, Columbia Law School
  • Founding Board Member, Cyber Counsel Group

Awards

  • Cybersecurity & Data Privacy Trailblazer, National Law Journal, 2016
  • Attorney General’s Distinguished Service Award, 2010

Qualifications

Admissions

New York, 2001

Academic

JD, Columbia Law School, 2000

AB, Dartmouth College, 1997

Disclaimer
A&O Shearman was formed on May 1, 2024 by the combination of Shearman & Sterling LLP and Allen & Overy LLP and their respective affiliates (the legacy firms). Any matters referred to above may include matters undertaken by one or more of the legacy firms rather than A&O Shearman.