solanasis_adjacent_market_plays_handoff_2026-03-14

Solanasis Adjacent Market Plays for GTM

Research-grade extraction, verification pass, playbook, and handoff memo
Prepared: 2026-03-14
Prepared for: Dmitri / Solanasis
Document type: Verified briefing memo + playbook + AI handoff artifact
Review mode: Serious self-review pass completed (no separate reviewer agent/tool was available in this environment)

---

Executive Summary

This document extracts, organizes, verifies, and improves the key parts of the discussion about how Solanasis should enter the wealth / deep-wealth / impact-investing ecosystem without starting with the hardest possible wedge.

Headline conclusion

• [Assistant-stated, strengthened by verification] Solanasis should not treat “direct-to-RIA cold outreach” as the primary first wedge.
• [Verified + strategic inference] A better entry strategy is to win the trusted perimeter around wealth first: premium CPA/tax firms, estate/trust/elder-law boutiques, selective compliance consultants / outsourced CCOs, and selected insurance / cyber-insurance channels.
• [User-stated] The user wants a path that:
  • gets to roughly $10k/month,
  • avoids cheap, high-friction buyers,
  • keeps Solanasis inside or adjacent to the wealth management / deep wealth / impact investing ecosystem,
  • is workable with one founder full-time, amplified by AI and contractors.

Most important verified findings

• [Verified] The SEC’s amended Regulation S-P has a June 3, 2026 compliance date for smaller covered entities, and it applies to SEC-registered investment advisers and certain other covered institutions—not to all state-registered advisers.
• [Verified] The SEC’s 2025 exam priorities emphasize cybersecurity, operational resiliency, third-party/vendor oversight, Regulation S-P/S-ID, and AI-related supervision/representations.
• [Verified] The RIA market is mostly small firms, but it is also increasingly professionalized and crowded with specialist compliance/cyber vendors.
• [Verified] CPAs/tax preparers have a clear security/WISP obligation under the FTC Safeguards Rule and related IRS/AICPA guidance.
• [Verified] Estate / trust / elder-law work sits directly in the path of the great wealth transfer and increasing elder exploitation / cybersecurity concerns.
• [Verified] COI (center-of-influence) relationships such as CPAs and attorneys remain a significant source of client growth for advisors.
• [Verified] Family offices report operational pain around manual processes, spreadsheets, staffing difficulty, and outsourcing specialized functions including legal, tax planning, IT, and cybersecurity.

Smart-cut / cheat-code framing

• [Tentative / strategic] The highest-leverage move is not “sell cyber to everyone.”
• [Tentative / strategic] The move is to sell a premium operational resilience baseline to small trust-based professional firms whose failure is expensive:
  • private-client CPAs,
  • estate/trust law firms,
  • select compliance partners,
  • selective insurance / cyber-insurance channels,
  • then selective RIAs by referral/introduction rather than cold.

---

Purpose of This Document

This artifact is meant to function as all of the following:

• a guide for Solanasis GTM thinking,
• a playbook for first-wedge execution,
• a briefing memo summarizing the state of the market and the discussion,
• a handoff document for another AI so it can continue the work without needing the original conversation.

This is not just a summary. It separates:

• what the user said,
• what was verified,
• what is still uncertain,
• what should be treated as strategic inference rather than fact.

---

Evidence Status Legend

Every important point is labeled as one of the following:

• Verified — confirmed against a credible source during this pass.
• User-stated — provided by the user; included as context or goals, not independently verified unless noted.
• Assistant-stated but unverified — previously suggested in discussion but not verified here.
• Tentative / speculative — strategy, inference, hypothesis, or an open claim that still needs validation.

---

Discussion Context

User goals and constraints

• [User-stated] Solanasis wants to build within or adjacent to the wealth management / deep wealth / impact investing ecosystem.
• [User-stated] The user believes breaking directly into RIA compliance and the “deep wealth” world is hard and wants adjacent plays that still move Solanasis closer to that world.
• [User-stated] Solanasis is effectively an AI-native agency / consultancy with the founder doing most of the work initially and using AI tools plus contractors who can follow SOPs.
• [User-stated] A practical near-term target is to reach ~$10k/month.
• [User-stated] The user wants to avoid low-budget, nitpicky, price-sensitive buyers and prefers a more premium / high-stakes / “Alex Hormozi”-style approach.
• [User-stated] Founder-led sales is expected to be the main sales motion, at least initially.

Original thesis under review

• [User-stated] Original wedge thesis:
  • SEC Reg S-P deadline is creating urgency.
  • Smaller RIAs cannot justify a full-time CISO.
  • Cyber talent is scarce.
  • Therefore smaller RIAs may need a fractional / outsourced option.

What this document does with that thesis

• [Verified + strategic analysis] It partially validates the thesis but narrows and reframes it:
  1. The regulatory pressure is real.
  2. The commercial accessibility of RIAs for a brand-new entrant is less attractive than it first appears.
  3. Adjacent, trust-heavy professional firms may offer a better first wedge.

---

Key Facts and Verified Findings

1) Regulation S-P pressure is real, but narrower than “all advisors”

• [Verified] The SEC’s small entity compliance guide for amended Regulation S-P confirms that the amendments apply to:
  • brokers and dealers,
  • funding portals,
  • investment companies,
  • investment advisers registered with the Commission, and
  • transfer agents registered with the Commission or another appropriate regulatory agency.
    Source: SEC Small Entity Compliance Guide – Regulation S-P
• [Verified] SEC outreach materials and later SEC releases indicate the small-firm compliance date is June 3, 2026.
  Sources:
  • SEC Compliance Outreach on Regulation S-P (Feb. 5, 2026)
  • SEC release referencing June 3, 2026
• [Verified] This means the deadline is relevant to SEC-registered RIAs / covered institutions, not all state-registered advisers.

Why it matters

• [Tentative / strategic] The deadline is a valid trigger, but the initial TAM is smaller than a casual “advisors need cyber help” framing suggests.

---

2) SEC exam focus supports operational resilience, vendor oversight, and AI governance concerns

• [Verified] The SEC’s Fiscal Year 2025 Examination Priorities explicitly highlight:
  • cybersecurity,
  • operational disruption and resiliency,
  • governance,
  • data loss prevention,
  • access controls,
  • incident response,
  • third-party products/services and shadow IT,
  • Regulation S-ID and Regulation S-P compliance,
  • AI-related representations and supervision,
  • risk of loss/misuse of client records through third-party AI tools.
    Source: SEC Fiscal Year 2025 Examination Priorities
• [Verified] The SEC’s Fiscal Year 2026 Examination Priorities continue to reference operational resiliency and vendor/service supervision, though the cited passage is more broker-dealer-focused than adviser-specific.
  Source: SEC Fiscal Year 2026 Examination Priorities

Why it matters

• [Verified + strategic inference] Solanasis’s strongest offer should not be framed as generic IT help. It should map to:
  • documented policies,
  • resilience controls,
  • vendor oversight,
  • incident response readiness,
  • AI-use guardrails.

---

3) The adviser market is mostly small firms — but that does not automatically make it easy to penetrate

• [Verified] The SEC’s 2024 Investment Adviser Statistics page reports 21,669 investment advisers in 2024.
  Source: SEC Investment Adviser Statistics
• [Verified] The Investment Adviser Association’s 2025 snapshot reports:
  • 92.7% of advisers employed 100 or fewer employees,
  • 68.5% managed less than $1 billion,
  • advisers focused on individuals averaged about 8 employees and $393 million AUM.
    Source: IAA Industry Snapshots / 2025 Snapshot by the Numbers
• [Verified] DeVoe & Company data and trade coverage indicate RIA M&A activity hit record levels in 2025 and consolidators gained share.
  Sources:
  • DeVoe Q1 2025 RIA Deal Book
  • InvestmentNews coverage of record 2025 activity
  • DeVoe in the News page referencing 2025 as most active year ever

Why it matters

• [Verified] There are lots of small firms.
• [Tentative / strategic] But a market being fragmented does not mean it is easy for a new entrant:
  • consolidation increases sophistication,
  • many firms already have incumbent compliance relationships,
  • referrals and trust matter heavily.

---

4) State-registered advisers are a real adjacent segment, but not the main federal-reg-deadline story

• [Verified] NASAA reported in 2025 that state securities regulators oversee 16,575 investment advisers with $100 million or less in AUM.
  Sources:
  • NASAA press release (Sept. 8, 2025)
  • NASAA 2025 IA Section Report PDF
• [Verified] NASAA provides a Cybersecurity Checklist for Investment Advisers and has model-rule / resource material aimed at state-registered advisers.
  Sources:
  • NASAA Investment Adviser Resources page
  • 2018 NASAA IA report mentioning the Cybersecurity Checklist

Why it matters

• [Verified + strategic inference] State-registered advisers are probably easier to access than prestige RIAs, but they are not the cleanest Reg S-P urgency play.

---

5) The original “3.5 million cyber talent gap” claim is outdated

• [User-stated] The original thesis cited a global cyber talent gap of 3.5M+.
• [Verified] ISC2’s 2024 Cybersecurity Workforce Study said the global workforce gap reached 4.8 million.
  Source: ISC2 Publishes 2024 Cybersecurity Workforce Study – First Look
• [Verified] ISC2’s 2025 workforce study shifted emphasis toward skills shortages eclipsing staff shortages alone.
  Source: 2025 ISC2 Cybersecurity Workforce Study

Why it matters

• [Verified + strategic inference] This actually strengthens a fractional / AI-amplified model:
  • the market does not only need “more heads”;
  • it needs usable skill coverage and execution.

---

6) Private-client CPA / tax firms have a concrete security-compliance forcing function

• [Verified] The FTC Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program.
  Source: FTC Safeguards Rule: What Your Business Needs to Know
• [Verified] The IRS states that tax professionals must have a written data security plan / WISP and points them to Publication 4557 and Publication 5708/5709.
  Sources:
  • IRS Publication 4557 – Safeguarding Taxpayer Data
  • IRS Publication 5708 – Creating a Written Information Security Plan
  • IRS newsroom note stating tax professionals must have a written data security plan
• [Verified] AICPA guidance also states that tax preparers / financial institutions covered by GLBA need a written information security plan.
  Sources:
  • AICPA: GLBA and the FTC Safeguards Rule
  • AICPA WISP template landing page

Why it matters

• [Verified + strategic inference] CPA/tax firms have:
  • sensitive data,
  • a real compliance obligation,
  • direct proximity to business owners, affluent families, trusts, estates, and advisors,
  • a lower trust barrier than direct family-office cold outreach.

---

7) Estate / trust / elder-law boutiques are directly adjacent to wealth transfer and cyber-sensitive client work

• [Verified] Cerulli projects roughly $124 trillion in wealth will transfer through 2048, with more than 50% coming from current HNW/UHNW households.
  Source: Cerulli wealth transfer press release
• [Verified] The ABA published a 2025 article specifically titled “What Estate Planners Should Tell Clients about Security Including Cybersecurity?”
  Source: ABA RPTE eReport article
• [Verified] That ABA article cites FinCEN’s finding that financial institutions reported more than $27 billion in suspicious activity linked to elder financial exploitation in one year.
  Sources:
  • ABA article
  • FinCEN press release on elder financial exploitation
  • FinCEN financial trend analysis PDF
• [Verified] The ABA also continues to publish current cybersecurity guidance for lawyers, including mobile-lawyering risk and AI/security issues.
  Sources:
  • ABA: The Cybersecurity Risks of Mobile Lawyering
  • ABA: Security and Best Practices for Lawyers Using Generative AI

Why it matters

• [Verified + strategic inference] Estate/trust law is not only adjacent to wealthy families; it sits inside high-stakes confidentiality, aging-client risk, and wealth-transfer workflows.

---

8) COI relationships are a real distribution mechanism in wealth-adjacent markets

• [Verified] Cerulli’s 2026 research found that:
  • referrals from clients/friends/family generated 54.2% of new clients for advisors,
  • referrals from centers of influence (CPAs, attorneys, other professionals) were the second most common source at 13.9%.
    Source: Cerulli: Financial Advisors Increasingly Leverage COIs

Why it matters

• [Verified + strategic inference] This supports a partner-first distribution motion:
  • compliance consultants,
  • CPAs,
  • estate attorneys,
  • cyber-insurance brokers,
  • other professional-service COIs.

---

9) Family-office operations show real demand for modernization and outsourced specialists

• [Verified] The 2025 North America Family Office Report says family offices most frequently cited manual processes and over-reliance on spreadsheets as operational risks.
  Sources:
  • RBC summary page for the 2025 North America Family Office Report
  • RBC/Campden 2025 report PDF
• [Verified] The same report says family offices are interested in using AI operationally; the RBC summary notes around 29% were using AI for investment reporting and 30% for research.
  Source: RBC summary page
• [Verified] Campden / AlTi’s 2025 Operational Excellence Report says smaller and midsize family offices rely more heavily on outsourcing to access specialized capabilities, and North American offices frequently outsource:
  • legal services,
  • tax planning,
  • IT services,
  • cybersecurity,
  • estate planning.
    Source: Campden / AlTi Family Office Operational Excellence Report 2025
• [Verified] Campden / RBC’s 2024 report also found that some family offices follow responsible-investing principles and that around half of those were engaged in outcome-focused impact investing.
  Source: North America Family Office Report 2024

Why it matters

• [Verified + strategic inference] Family-office-adjacent work is attractive, but probably easier to reach via trusted perimeter relationships first.

---

10) Insurance is relevant, but the best play is narrower than “independent agencies” in general

• [Verified] The NAIC Insurance Data Security Model Law (#668) exists and imposes data-security / cyber-event requirements on licensees in adopting states.
  Source: NAIC Model Law #668 PDF
• [Verified] NAIC materials have indicated that 21 states had adopted the model law (this data point appears in NAIC committee materials and may have changed since then; verify current count before using publicly).
  Sources:
  • NAIC committee minutes reference to 21 states
  • NAIC model-law site / state action references
• [Verified] Cyber insurers and brokers continue to care about specific controls such as MFA, patching, backups, and incident response; market update material from Marsh and control guidance from Travelers support this general direction.
  Sources:
  • Marsh U.S. cyber insurance market update
  • Travelers cyber readiness practices

Why it matters

• [Tentative / strategic] The best insurance-related wedge is likely:
  • cyber-insurance brokers,
  • commercial lines / affluent personal lines agencies,
  • executive-benefits / risk-advisory shops, not generic small agencies.

---

Competitive Analysis and Current Market Implications

A) Direct RIA / wealth-compliance market appears crowded

• [Verified] ACA markets cybersecurity and risk technology specifically for financial firms / wealth managers.
  Sources:
  • ACA cybersecurity and risk technology
  • ACA homepage / scalable managed services and advisory
• [Verified] Smartria markets vendor management / due diligence / incident documentation specifically for RIAs and similar firms.
  Source: Smartria Vendor Management
• [Verified] Salus GRC markets regulatory compliance, operational, and cybersecurity services to wealth managers, hedge funds, broker-dealers, and related firms.
  Sources:
  • Salus GRC – team / market positioning
  • Salus GRC due diligence services
  • Salus whitepaper on Reg S-P
• [Verified] Armanino and similar accounting / advisory firms also market vCISO and ongoing cybersecurity support.
  Source: Armanino cybersecurity services

Competitive implication

• [Tentative / strategic] The implication is not “don’t enter.”
• [Tentative / strategic] The implication is:
  • do not enter by sounding like another generic cybersecurity consultancy,
  • do not assume cold RIA outreach is the fastest route,
  • do enter with a more specific wedge:
    • operational resilience,
    • artifact-heavy delivery,
    • founder-led trust,
    • selected adjacent segments,
    • partner-led access.

---

Claims From the Discussion That Were Corrected, Narrowed, or Flagged

1) “3.5M cyber talent gap”

• Status: Outdated
• Correction: Latest validated figure found was 4.8M from ISC2’s 2024 study.
• Implication: If reused in sales material, update it.

2) “RIA cyber rules in 2025 requiring 48–72 hour reporting”

• Status: Flagged / partially outdated
• Why: Some cybersecurity rule proposals for investment advisers / funds were withdrawn by the SEC in June 2025.
  Sources:
  • SEC Notice of Withdrawal of Proposed Regulatory Actions
  • SEC rule page on withdrawn cyber proposal
• Implication: Do not rely on blog summaries or vendor marketing that imply those proposed rules are now in force.
• Nuance: Reg S-P amendments are real and in force; the withdrawn proposal is a separate issue.

3) “State-registered RIAs”

• Status: Terminology issue
• Correction: “RIA” usually refers to SEC-registered investment advisers; state-registered investment advisers are a distinct category under state oversight.
• Implication: Use precise language in positioning and outreach.

4) “Direct RIA wedge is obviously the best first play”

• Status: Not verified; strategic thesis only
• Correction: Current evidence supports RIA urgency, but not the conclusion that direct cold RIA outreach is the highest-leverage first wedge for a new entrant.

---

Major Decisions and Conclusions

Conclusion 1: Do not make direct-to-RIA cold outbound the only or primary wedge

• Status: Assistant-stated, now strengthened by verified market evidence
• Why: Real regulatory pressure exists, but direct RIA entry is crowded and trust-gated.

Conclusion 2: Use a “trusted perimeter of wealth” entry strategy

• Status: Assistant-stated, supported by verified COI and market-structure evidence
• Priority targets:
  1. private-client / premium CPA and tax firms,
  2. estate / trust / elder-law boutiques,
  3. compliance consultants / outsourced CCOs / exam-prep partners,
  4. selective insurance / cyber-insurance channels,
  5. selective RIAs via introductions and referrals.

Conclusion 3: Lead with “operational resilience,” not “AI agency”

• Status: Tentative / strategic
• Rationale: In trust-based markets, “AI agency” may sound experimental or low-trust.
• Recommended lead message:
  “Operational resilience for trust-based firms handling sensitive financial, legal, and donor data.”

Conclusion 4: Package the service around concrete artifacts, not abstract strategy

• Status: Tentative / strategic
• Rationale: The strongest pain is around “having to show proof”:
  • WISP,
  • policy set,
  • backup / recovery verification,
  • incident mini-playbook,
  • AI-use policy,
  • vendor/data inventory,
  • remediation roadmap.

Conclusion 5: Optimize for buyers whose failure is expensive

• Status: Tentative / strategic
• Meaning: Avoid cheap buyers; pursue firms where:
  • client confidentiality matters,
  • regulation matters,
  • reputation matters,
  • partner bill rates are high,
  • the cost of preventable embarrassment is non-trivial.

---

Reasoning, Tradeoffs, and Why It Matters

Path A: Direct-to-RIA

Pros

• [Verified] Real regulatory pressure.
• [Verified] Firms are often small.
• [Verified] SEC exam priorities support resilience/cyber relevance.

Cons

• [Verified + inference]
  • crowded specialist market,
  • trust-heavy buying process,
  • more incumbents,
  • more credential signaling pressure,
  • harder for a new brand to win cold.

Best use

• [Tentative / strategic] As a secondary motion via referrals, white-label partners, or compliance consultants.

---

Path B: Premium CPA / tax firms

Pros

• [Verified]
  • real WISP/security obligation,
  • sensitive data,
  • direct access to affluent client circles,
  • less obviously crowded niche than direct RIA cyber.

Cons

• [Tentative / strategic]
  • low-end tax shops are cheap and operationally messy,
  • some firms may default to MSPs rather than resilience consulting.

Best use

• [Tentative / strategic] Best near-term wedge if tightly filtered for premium/private-client profile.

---

Path C: Estate / trust / elder-law boutiques

Pros

• [Verified]
  • strongest adjacency to wealth transfer,
  • confidentiality / cyber stakes are real,
  • wealthy client proximity is high.

Cons

• [Tentative / strategic]
  • slower trust-building,
  • referral and ethics considerations,
  • may require more careful positioning.

Best use

• [Tentative / strategic] Excellent “prestige adjacency” wedge, especially with warm introductions.

---

Path D: Compliance consultants / outsourced CCOs

Pros

• [Verified + strategic inference]
  • lets Solanasis piggyback on existing trust,
  • avoids fighting for every logo directly,
  • maps well to missing technical/resilience coverage.

Cons

• [Tentative / strategic]
  • margin may be lower,
  • brand visibility may be lower,
  • partner economics and scope boundaries must be clean.

Best use

• [Tentative / strategic] One of the strongest “smart cuts.”

---

Path E: Insurance / cyber-insurance channels

Pros

• [Verified]
  • underwriting/control requirements create real need,
  • agencies/brokers may see who is exposed.

Cons

• [Tentative / strategic]
  • state rules vary,
  • broad “agency” positioning may be too diffuse,
  • some buyers are still price-sensitive.

Best use

• [Tentative / strategic] Narrowly targeted channel and referral play.

---

Recommended Playbook / Process

1) Recommended market ranking for Solanasis right now

Tier 1 — Best first wedges

1. Premium private-client CPA / tax firms
2. Estate / trust / elder-law boutiques
3. Compliance consultants / outsourced CCOs serving RIAs or adjacent firms

Tier 2 — Strong adjacent expansions

4. Selective cyber-insurance / risk-advisory / commercial-lines partners
5. Selective state-registered investment advisers
6. Donor-heavy nonprofits / private foundations / community foundations (especially if Solanasis wants philanthropic adjacency)

Tier 3 — Phase-two prestige targets

7. Small family-office-adjacent operators
8. Selective RIAs with warm access
9. Trust companies / outsourced family office service providers

---

2) Premium-client filters (to avoid the “cheap people” problem)

Only pursue prospects that meet several of the following:

• [Tentative / strategic] 8–50 staff or multiple partners/principals
• [Tentative / strategic] serves business owners, affluent families, trusts/estates, foundations, or high-income professionals
• [Tentative / strategic] has multiple offices, remote staff, or visible operational complexity
• [Tentative / strategic] already sells high-trust / premium services
• [Tentative / strategic] has compliance, confidentiality, or underwriting pressure
• [Tentative / strategic] would find a breach / outage / poor documentation embarrassing or costly
• [Tentative / strategic] is not competing primarily on price

Disqualify aggressively when:

• the firm is a soloist shopping for “cheap IT help,”
• leadership treats security only as a nuisance line item,
• the buyer is unwilling to own internal process changes,
• the environment is too messy for premium delivery without a paid baseline.

---

3) Recommended initial offer

Offer name

• [Tentative / strategic] Operational Resilience Baseline
• Alternate versions:
  • Operational Resilience Baseline for Private-Client Firms
  • Operational Resilience Baseline for Trust-Based Firms

What the package should include

• [Tentative / strategic, but aligned with verified market needs]
  • systems / identity / access inventory,
  • written information security baseline / WISP where applicable,
  • AI-use policy / AI guardrails,
  • backup and recovery verification,
  • incident-response mini-playbook,
  • vendor / data-flow inventory,
  • leadership readout,
  • 90-day remediation roadmap.

Vertical-specific tuning

• CPA/tax firms: WISP, IRS/FTC-oriented controls, MFA/email posture, secure file/data handling
• Estate/trust law: confidentiality, remote/mobile-lawyering risk, secure comms, AI use, incident readiness
• RIA/compliance partner: Reg S-P readiness, vendor oversight, incident process, evidence pack, AI-use guardrails

---

4) Recommended go-to-market motion

Motion A: Partner-first distribution

• [Tentative / strategic] Prioritize conversations with:
  • compliance consultants,
  • outsourced CCOs,
  • private-client CPAs,
  • estate/trust attorneys,
  • cyber-insurance brokers,
  • selective MSPs that do not want to own governance/resilience.

Motion B: Trigger-based outreach

Lead with a specific forcing function, not a generic capability pitch:

• [Tentative / strategic]
  • “You may have a WISP template, but do you have operational proof behind it?”
  • “Do you have documented recovery verification, or just backups?”
  • “Do you know what staff are doing with AI tools and where client data may be going?”
  • “If an examiner, insurer, major client, or managing partner asked for your resilience evidence, what would you show?”

Motion C: Joint-credibility plays

• [Tentative / strategic]
  • co-host a short webinar with a compliance consultant or CPA,
  • offer a diagnostic / checklist session,
  • create a short private-client-firm resilience checklist,
  • run briefings on WISP-to-proof, AI governance, backup validation, or incident prep.

Motion D: Land-and-expand

• [Tentative / strategic]
  • baseline project first,
  • retainer second,
  • referrals / COI expansion third.

---

5) 90-day founder-led execution plan

Days 1–14: tighten market and offer

• Finalize one core offer and 2–3 light vertical variants.
• Build a target list:
  • 25 premium CPA/tax firms,
  • 20 estate/trust firms,
  • 15 compliance consultants / outsourced CCOs,
  • 10 cyber-insurance / risk partners.
• Create a one-page “Operational Resilience Baseline” brief.
• Draft 3 outreach angles by segment.

Days 15–30: channel-first outreach

• Book exploratory calls with partners before chasing many end clients.
• Use warm intros wherever possible.
• Test which phrasing gets traction:
  • compliance-ready,
  • resilience-proof,
  • AI governance,
  • backup/recovery proof,
  • vendor/data exposure.

Days 31–60: sell first baseline projects

• Aim for 2–4 paid baselines, not mass lead volume.
• Use small paid discovery if needed.
• Capture case-study material carefully (even anonymized).

Days 61–90: convert to retainers and referrals

• Convert baseline clients into:
  • monthly resilience oversight,
  • policy / vendor / AI governance support,
  • quarterly backup/recovery verification,
  • annual review / update cadence.
• Ask for introductions to:
  • advisors,
  • trust officers,
  • foundations,
  • other partner firms.

---

6) “Cheat codes” / smart cuts

Cheat code 1: Sell to the people wealthy clients already trust

• Status: Verified market logic + strategic recommendation
• Why: Cerulli’s COI data supports this distribution logic.

Cheat code 2: Use artifact-heavy delivery

• Status: Tentative / strategic
• Why: buyers can justify spending when there are concrete outputs:
  • policies,
  • inventories,
  • playbooks,
  • evidence packs,
  • roadmaps.

Cheat code 3: Position AI as backstage leverage, not frontstage identity

• Status: Tentative / strategic
• Why: trust-first markets may respond better to “better execution and lower overhead” than to “AI agency.”

Cheat code 4: Narrow to high-stakes subsegments

• Status: Tentative / strategic
• Examples:
  • private-client CPA instead of generic tax prep,
  • trust/estate boutiques instead of general law,
  • cyber-insurance brokers instead of generic P&C agencies,
  • compliance partners with adviser clientele instead of generic consultants.

Cheat code 5: Enter through partners who already own trust

• Status: Tentative / strategic
• Best forms:
  • referral partner,
  • co-delivery,
  • white-label / behind-the-scenes support,
  • joint educational content.

Cheat code 6: Build one engine, not a custom service zoo

• Status: Tentative / strategic
• One core offer should service multiple adjacent niches with minor tuning.

---

Tools, Resources, Links, and References

Core regulatory / market references

1. SEC — Regulation S-P Small Entity Compliance Guide
   https://www.sec.gov/files/rules/final/2024/regulation-s-p-small-entity-compliance-guide.pdf
   Supports: scope of covered institutions and compliance obligations.

2. SEC — Compliance Outreach on Regulation S-P for Small Firms (2026)
   https://www.sec.gov/newsroom/meetings-events/compliance-outreach-regulation-s-p-small-firms
   Supports: small-firm June 3, 2026 compliance focus.

3. SEC — Fiscal Year 2025 Examination Priorities
   https://www.sec.gov/files/2025-exam-priorities.pdf
   Supports: cyber, resiliency, third-party oversight, AI, Reg S-P/S-ID.

4. SEC — Investment Adviser Statistics
   https://www.sec.gov/data-research/statistics-data-visualizations/investment-adviser-statistics
   Supports: adviser market size.

5. IAA — 2025 Snapshot by the Numbers
   https://www.investmentadviser.org/industry-snapshots/
   Supports: adviser firm size distribution and average employee size.

6. NASAA — 2025 IA Section Report / press release
   https://www.nasaa.org/77071/nasaa-releases-annual-report-on-state-registered-investment-advisers-2025/
   https://www.nasaa.org/wp-content/uploads/2025/09/IA-Section-2025-Report-FINAL.pdf
   Supports: state-registered adviser counts and profile.

CPA / tax references

7. FTC — Safeguards Rule overview
   https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know

8. IRS Publication 4557 — Safeguarding Taxpayer Data
   https://www.irs.gov/pub/irs-pdf/p4557.pdf

9. IRS Publication 5708 — Creating a WISP
   https://www.irs.gov/pub/irs-pdf/p5708.pdf

10. AICPA — GLBA / Safeguards Rule resources
    https://www.aicpa-cima.com/resources/landing/gramm-leach-bliley-act-glba-and-the-safeguards-rule

Wealth-adjacent / COI references

11. Cerulli — COIs as growth source
    https://www.cerulli.com/press-releases/financial-advisors-increasingly-leverage-cois-to-capture-new-client-growth

12. Cerulli — Great wealth transfer
    https://www.cerulli.com/press-releases/cerulli-anticipates-124-trillion-in-wealth-will-transfer-through-2048

13. ABA — Estate planners and security
    https://www.americanbar.org/groups/real_property_trust_estate/resources/ereport/2025-winter/what-estate-planners-should-tell-clients-about-security/

14. FinCEN — Elder financial exploitation
    https://www.fincen.gov/news/news-releases/fincen-issues-analysis-elder-financial-exploitation

15. ABA — Mobile lawyering cybersecurity risks
    https://www.americanbar.org/groups/gpsolo/resources/magazine/2025-may-jun/cybersecurity-risks-mobile-lawyering/

Family office references

16. RBC / Campden — North America Family Office Report 2025
    https://www.rbcwealthmanagement.com/assets/wp-content/uploads/documents/campaign/the-north-america-family-office-report-2025.pdf
    Summary page: https://www.cnb.com/business-banking/insights/2025-family-office-report.html

17. Campden / AlTi — Family Office Operational Excellence Report 2025
    https://www.campdenwealth.com/sites/default/files/FO_Op_Exc_2025_report_digital.pdf

18. RBC / Campden — North America Family Office Report 2024
    https://www.rbcwealthmanagement.com/assets/wp-content/uploads/documents/campaign/the-north-america-family-office-report-2024.pdf

Cyber workforce and competitive landscape

19. ISC2 — 2024 Cybersecurity Workforce Study (4.8M gap)
    https://www.isc2.org/Insights/2024/09/ISC2-Publishes-2024-Cybersecurity-Workforce-Study-First-Look

20. ISC2 — 2025 Workforce Study (skills shortage emphasis)
    https://www.isc2.org/Insights/2025/12/2025-ISC2-Cybersecurity-Workforce-Study

21. ACA — cybersecurity and risk technology
    https://www.acaglobal.com/technology/cybersecurity-and-risk-technology/

22. Smartria — vendor management for RIAs
    https://smartria.com/vendor-management

23. Salus GRC — due diligence / market positioning
    https://www.salusgrc.com/due-diligence-services/
    https://www.salusgrc.com/our-team/

24. Armanino — vCISO and cybersecurity support
    https://www.armaninollp.com/services/risk-assurance/cybersecurity/

Insurance-related references

25. NAIC Model Law #668 — Insurance Data Security Model Law
    https://content.naic.org/sites/default/files/model-law-668.pdf

26. NAIC references to adoption status / model-law tracking
    https://content.naic.org/model-laws
    https://content.naic.org/sites/default/files/national_meeting/MinutesPacket-HCmte.pdf

27. Marsh — U.S. cyber insurance market update
    https://www.marsh.com/en/services/cyber-risk/insights/cyber-insurance-market-update.html

28. Travelers — cyber readiness practices
    https://www.travelers.com/resources/business-topics/cyber-security/cyber-security-best-practices

Rule / referral caveat references

29. SEC — withdrawn proposed cybersecurity rule for advisers/funds
    https://www.sec.gov/rules-regulations/2025/06/cybersecurity-risk-management-investment-advisers-registered-investment-companies-business

30. ABA Model Rule 5.4 (fee sharing with nonlawyers)
    https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_5_4_professional_independence_of_a_lawyer/

31. ABA Model Rule 7.2 (recommendation / advertising limits)
    https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_7_2_advertising/

32. SEC marketing rule release discussing referral/solicitation framework
    https://www.sec.gov/files/rules/final/2020/ia-5653.pdf

---

Risks, Caveats, and Red Flags

1) Regulatory misuse risk

• [Verified] Some advisor-related cybersecurity proposals were withdrawn in 2025.
• [Risk] Do not cite proposed-but-withdrawn rules as if they are binding.

2) Overstating the “RIA urgency” story

• [Risk] The Reg S-P story is real, but only for covered entities in scope.
• [Risk] Overbroad language could undermine credibility.

3) Premium-buyer filtering is essential

• [Tentative / strategic] Without tight filtering, CPA/tax and law can devolve into low-budget IT cleanup work.

4) Partner economics / referral rules need careful treatment

• [Verified] Professional rules can constrain referrals / fee-sharing:
  • lawyers generally cannot share legal fees with nonlawyers under ABA Model Rule 5.4,
  • legal recommendation/advertising rules also matter under Rule 7.2,
  • advisor referral arrangements are regulated under the SEC marketing rule.
• [Open issue] State bar rules, AICPA rules, and insurance compensation rules vary and must be checked before building a formal referral-fee program.

5) Family offices are attractive but still hard to access directly

• [Tentative / strategic] Evidence shows outsourcing demand and operational pain, but direct access remains trust-gated and reputation-sensitive.

6) “AI-native” can help delivery but hurt trust if front-loaded

• [Tentative / strategic] In these markets, AI should usually be framed as execution leverage, not the entire identity of the firm.

---

Open Questions / What Still Needs Verification

1. What exact premium subsegment of CPA firms converts fastest?

   • private-client tax,
   • trusts/estates accounting,
   • family-office bookkeeping / CAS,
   • business-owner tax planning,
   • outsourced CFO/accounting hybrids.
     Status: Tentative; needs field validation.

2. Which partner channel is most open to Solanasis today?

   • compliance consultants,
   • cyber-insurance brokers,
   • MSPs,
   • estate attorneys,
   • CPAs.
     Status: Tentative; needs outreach testing.

3. What price point and packaging will the best-fit buyers accept fastest?
   Status: Unverified.

4. Which geographic footprint should be first?
   Colorado-only vs. national remote niche targeting.
   Status: Unverified.

5. How much brand/credential signaling is necessary to win premium trust early?
   For example:

   • certifications,
   • sample deliverables,
   • anonymized case studies,
   • partner logos,
   • advisory board / expert affiliations.
     Status: Unverified.

6. What are the exact referral / co-selling compliance limits by segment?

   • legal,
   • accounting,
   • insurance,
   • investment adviser relationships.
     Status: Partially verified; needs deeper jurisdiction- and profession-specific review.

7. Is nonprofit / foundation adjacency worth prioritizing as an impact-investing bridge?
   Status: Promising but not fully explored in this pass.

8. Which buyer language converts best?

   • compliance,
   • resilience,
   • confidentiality,
   • insurer readiness,
   • AI governance,
   • operational proof.
     Status: Needs testing.

---

Suggested Next Steps

Immediate next actions

1. Finalize a single flagship offer and two light vertical variants.
2. Build a ranked target list of:
   • 25 premium CPA/private-client accounting firms,
   • 20 estate/trust firms,
   • 15 compliance consultants/outsourced CCOs,
   • 10 cyber-insurance / risk partners.
3. Create a short one-pager:
   • problem,
   • deliverables,
   • why Solanasis,
   • who it is for,
   • why now.
4. Write 3 outreach scripts:
   • CPA version,
   • estate/trust law version,
   • compliance-partner version.
5. Validate with real calls which wedge gets traction fastest.

Next research tasks

1. Deeper competitor mapping by subsegment.
2. Pricing research by niche.
3. State / ethics / referral-rule review for partnership design.
4. Refined ICP scorecard for “premium, not cheap” buyers.
5. Prospecting map of associations, conferences, newsletters, and partner hubs for the selected niches.

---

Handoff Notes for Another AI

The next AI should assume the following working thesis unless new evidence disproves it:

1. Do not default to direct cold RIA outreach as the primary first wedge.
2. Treat the likely first-wedge stack as:
   • premium CPA/private-client tax,
   • estate/trust law,
   • compliance consultants / outsourced CCOs,
   • selective insurance / cyber-insurance channels,
   • then selective RIAs via trust transfer.
3. Keep Solanasis positioned as:
   • operational resilience for trust-based firms handling sensitive financial, legal, and donor data
   • not simply “an AI agency.”
4. Optimize for buyers with:
   • high confidentiality stakes,
   • real compliance or underwriting pressure,
   • enough margin to buy help,
   • aversion to embarrassment and disruption.
5. Preserve the distinction between:
   • verified facts (regulatory deadlines, counts, market reports),
   • strategic recommendations (market prioritization, positioning, outreach structure).

Recommended next artifact another AI should build

A strong next deliverable would be:

• a ranked target-market scorecard with columns for:
  • segment,
  • urgency trigger,
  • budget quality,
  • trust barrier,
  • competition density,
  • adjacency to wealth,
  • ease of founder-led outreach,
  • likely first offer,
  • likely partner channels,
  • key objections,
  • disqualification signs.

After that, another useful artifact would be a 90-day founder-led pipeline plan with:

• list-building criteria,
• outreach copy,
• call agenda,
• offer flow,
• follow-up sequence,
• referral ask template.

---

Reviewer Notes and Improvements Made

Because no separate reviewer agent/tool was available, a serious self-review pass was performed.

Improvements made during review

• Corrected the stale 3.5M cyber workforce-gap claim to the newer 4.8M figure.
• Tightened terminology around SEC-registered vs. state-registered investment advisers.
• Flagged that some cybersecurity rule discussions in the market are outdated or conflated because the SEC withdrew some proposed rules in 2025.
• Split clearly between:
  • user goals,
  • verified market facts,
  • strategic inferences,
  • open questions.
• Added missing competitive-analysis detail for:
  • ACA,
  • Smartria,
  • Salus GRC,
  • Armanino.
• Added missing caveats on:
  • referral-fee / fee-sharing constraints,
  • ethics / state-rule variation,
  • risk of over-positioning Solanasis as an “AI agency” in trust-heavy markets.
• Added family-office operational evidence to support a later-stage adjacency strategy.
• Strengthened the handoff utility by giving a recommended next artifact for another AI to build.

Remaining limitations

• This document verifies the macro/market/regulatory logic, but it does not validate actual close rates, pricing tolerance, or messaging conversion.
• Several important operational questions still require live market testing.

---

Optional Appendix — Structured Summary (YAML-style)

document:
  title: "Solanasis Adjacent Market Plays for GTM"
  prepared: "2026-03-14"
  review_mode: "serious self-review; no reviewer agent available"
 
user_context:
  goals:
    - "enter wealth / deep wealth / impact-adjacent ecosystem"
    - "reach roughly $10k/month"
    - "avoid cheap buyers"
    - "use founder-led sales with AI amplification"
  constraints:
    - "one founder full-time"
    - "new brand in a trust-heavy industry"
    - "desire for premium positioning"
 
verified_findings:
  - "Reg S-P small-firm compliance date is June 3, 2026"
  - "Reg S-P applies to SEC-registered advisers and other covered institutions, not all state-registered advisers"
  - "SEC exam priorities emphasize cyber, resilience, vendors, AI, Reg S-P/S-ID"
  - "RIA market is mostly small firms"
  - "state-registered adviser population is large but not the same federal deadline story"
  - "CPA/tax firms have WISP/security obligations under FTC/IRS/AICPA guidance"
  - "estate/trust work is adjacent to large wealth-transfer and cyber/confidentiality concerns"
  - "COI relationships are a meaningful source of advisor client growth"
  - "family offices cite manual processes/spreadsheets and use outsourcing for specialized services"
  - "cyber workforce gap figure used in original thesis was outdated"
 
core_strategy:
  primary_wedges:
    - "premium private-client CPA / tax firms"
    - "estate / trust / elder-law boutiques"
    - "compliance consultants / outsourced CCOs"
  secondary_wedges:
    - "select cyber-insurance / risk partners"
    - "select state-registered advisers"
    - "nonprofit / foundation adjacency"
  phase_two_targets:
    - "family-office-adjacent operators"
    - "select RIAs via warm access"
 
positioning:
  recommended:
    - "Operational resilience for trust-based firms handling sensitive financial, legal, and donor data"
  avoid:
    - "generic AI agency"
    - "generic SMB cybersecurity shop"
 
offer:
  flagship: "Operational Resilience Baseline"
  likely_deliverables:
    - "WISP / security baseline"
    - "AI-use policy"
    - "backup and recovery verification"
    - "incident mini-playbook"
    - "vendor/data inventory"
    - "90-day remediation roadmap"
 
major_risks:
  - "misstating withdrawn SEC proposals as active law"
  - "using imprecise adviser terminology"
  - "drifting into low-budget buyers"
  - "noncompliant referral arrangements"
  - "front-loading AI branding in trust-first markets"
 
next_best_artifacts:
  - "ranked target-market scorecard"
  - "90-day founder-led pipeline plan"
  - "outreach messaging pack by segment"