solanasis_ria_estate_planning_wedge_gtm_research_grade_handoff_playbook_2026-03-17 (2)

Solanasis Research Handoff: RIA / Estate-Planning Cybersecurity Wedge GTM, Channel Strategy, and Productized Entry Offers — 2026-03-17

Executive Summary

This document converts the prior discussion into a research-grade handoff memo and playbook for another AI or strategist working on Solanasis’s entry strategy into the RIA (Registered Investment Adviser) and adjacent estate-planning / trust-and-estates attorney markets.

Highest-confidence conclusions

• [Verified] The strongest evidence-supported market entry lane is the RIA market, especially smaller SEC-registered RIAs that are operationally lean and exposed to the amended Regulation S-P requirements.
  Evidence:

  • SEC adopted amendments to Regulation S-P in 2024, including written incident-response requirements and customer notification obligations.
  • Smaller entities generally have a June 3, 2026 compliance date.
    Sources:
  • SEC Small Entity Compliance Guide: https://www.sec.gov/files/rules/final/2024/regulation-s-p-small-entity-compliance-guide.pdf
  • SEC Final Rule release: https://www.sec.gov/files/rules/final/2024/34-100155.pdf
  • Federal Register version: https://www.federalregister.gov/documents/2024/06/03/2024-11116/regulation-s-p-privacy-of-consumer-financial-information-and-safeguarding-customer-information

• [Verified] The SEC provides downloadable monthly RIA data and historical Form ADV data, so Solanasis can build target lists without relying only on paid lead vendors.
  Sources:

  • SEC adviser data landing page: https://www.sec.gov/data-research/sec-markets-data/information-about-registered-investment-advisers-exempt-reporting-advisers
  • SEC Data Library: https://www.sec.gov/data-research/sec-markets-data

• [Verified] The field appears to be moving from policy templates toward examable operational proof. SEC outreach for small firms emphasizes mock exams, document requests, tabletop scenarios, and books-and-records expectations.
  Source:

  • SEC Compliance Outreach Program page on Regulation S-P for small firms: https://www.sec.gov/newsroom/meetings-events/compliance-outreach-regulation-s-p-small-firms

• [Verified] Threat actors are actively targeting wealth-management firms with regulator-themed phishing. FINRA published 2024 and 2025 alerts about phishing campaigns impersonating FINRA employees or executives and targeting broker-dealers, investment advisers, wealth management entities, and private equity firms.
  Sources:

  • FINRA alert, Mar. 2025: https://www.finra.org/rules-guidance/guidance/cybersecurity-alert-ongoing-phishing-campaign-impersonating-finra-employees
  • FINRA alert, May 2025: https://www.finra.org/rules-guidance/guidance/cybersecurity-alert-ongoing-phishing-impersonating-finra-executives
  • FINRA cyber topic hub / oversight references: https://www.finra.org/rules-guidance/key-topics/cybersecurity

• [Verified] A practical wedge for RIAs is email-compromise / phishing / incident-readiness, because it ties directly to:

  • actual current threat patterns,
  • customer-information exposure,
  • regulator anxiety,
  • and the new incident-response / notification requirements.
    Supporting sources:
  • FINRA alerts above
  • SEC Reg S-P materials above
  • SEC enforcement order involving M Holdings, 2025: https://www.sec.gov/files/litigation/admin/2025/34-104255.pdf

• [Verified] The estate-planning / trust-and-estates lane also has real fraud and cybersecurity concerns, especially around wire fraud, impersonation, client communications, and elder financial exploitation, but the evidence base in this discussion is weaker and less direct than the RIA lane.
  Sources:

  • ABA article on AI-powered scams and phishing attacks: https://www.americanbar.org/groups/law_practice/resources/law-technology-today/2025/scams-and-phishing-attacks-powered-by-ai/
  • ABA article on what estate planners should tell clients about security: https://www.americanbar.org/groups/real_property_trust_estate/resources/ereport/2025-winter/what-estate-planners-should-tell-clients-about-security/
  • IC3 2024 annual report: https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf

Strategic implication

• [Verified + interpretive] Solanasis should likely prioritize RIAs first, with a highly specific, productized wedge such as:

  • Phish-to-Incident Readiness Sprint for Lean RIAs
  • RIA Wire / Money-Movement Verification Baseline
  • Vendor Oversight + Incident Evidence Binder Sprint

• [Tentative / speculative] Estate-planning attorneys may still be a good secondary lane, especially if Solanasis frames the offer around wire-fraud prevention, impersonation defense, and client-protection workflows, but this needs more direct market research into buyer behavior, competition, and budget realities.

---

Purpose of This Document

This artifact is intended to serve as all of the following:

• a guide,
• a briefing memo,
• a playbook,
• a research handoff,
• and a continuation document for another AI.

It is designed so that another AI should be able to continue the work without needing the original conversation.

This document does not assume all assistant claims made in the prior conversation were correct. Important claims have been re-checked where possible, labeled by evidence status, and corrected or qualified where necessary.

---

Discussion Context

User goals and operating constraints

• [User-stated] Solanasis is a new fractional CIO / CISO / COO-style firm in Boulder, Colorado.
• [User-stated] The user wants smart cuts, not slow or generic enterprise GTM.
• [User-stated] Solanasis wants a specific wedge offer that is easy to understand, risk-reducing, not necessarily expensive, and expandable into a retainer / operational partnership.
• [User-stated] The user is exploring both:
  • RIAs / wealth management / RIA compliance consultants / RIA-serving MSPs
  • estate-planning attorneys / trust-and-estates / elder-law adjacent firms
• [User-stated] The user wants a strategy that fits a small, savvy, AI-native agency that can build tools and SOPs quickly using AI coding agents.
• [User-stated] The user is especially interested in:
  • phishing,
  • operational failures,
  • reputationally ugly incidents,
  • and packages that can prevent painful losses and open the door to broader retained work.

What this document focuses on

1. What is verified about the RIA market, Reg S-P, and data availability.
2. What is likely but not fully verified about smaller-firm buying behavior and wedge offers.
3. What the strongest initial offers appear to be.
4. Which channel / GTM approaches look most realistic for Solanasis.
5. What remains uncertain and should be researched next.

---

Key Facts and Verified Findings

1) Regulation S-P changed the operating burden for RIAs

• [Verified] In May 2024, the SEC adopted amendments to Regulation S-P.

• [Verified] The amendments require covered institutions to adopt written policies and procedures reasonably designed to safeguard customer records and information.

• [Verified] The amendments also require a written incident response program for unauthorized access to or use of customer information.

• [Verified] The amendments include a customer notification requirement under specified circumstances.

• [Verified] For service providers maintaining customer information on behalf of a covered institution, the amended rule requires notice to the institution as soon as possible, but no later than 72 hours after becoming aware of a breach involving customer information.
  Sources:

  • SEC Small Entity Compliance Guide: https://www.sec.gov/files/rules/final/2024/regulation-s-p-small-entity-compliance-guide.pdf
  • SEC Final Rule release: https://www.sec.gov/files/rules/final/2024/34-100155.pdf
  • Federal Register text: https://www.federalregister.gov/documents/2024/06/03/2024-11116/regulation-s-p-privacy-of-consumer-financial-information-and-safeguarding-customer-information

• [Verified] Compliance dates are tiered. For smaller entities, the compliance date is generally June 3, 2026; for larger entities, December 3, 2025.
  Sources:

  • SEC Small Entity Compliance Guide
  • SEC rule release / Federal Register

2) The practical market size is large enough, but “small entity” and “small firm” are not the same

• [Verified] SEC statistics for 2023 show 15,441 SEC-registered RIAs.

• [Verified] The same SEC report shows:

  • 8,411 RIAs with fewer than 10 non-clerical employees
  • 5,017 with 10–49 non-clerical employees
    Source:
  • SEC Investment Adviser Statistics 2023: https://www.sec.gov/files/im-investment-adviser-statistics-20240515.pdf

• [Verified] SEC rulemaking materials indicate only a minority of RIAs qualify as “larger entities” under the relevant threshold; many firms therefore fall into the later compliance bucket.
  Source:

  • Federal Register final rule text

• [Important nuance — Verified] The SEC’s formal “small entity” definition is narrower than normal business usage. A firm can be operationally small and still not meet the formal SEC “small entity” test.
  Source:

  • SEC Small Entity Compliance Guide
  • SEC statistics report

3) Solanasis can obtain usable target data without depending entirely on vendors

• [Verified] The SEC publishes monthly downloadable files for Registered Investment Advisers and Exempt Reporting Advisers.
• [Verified] The SEC says these files contain information drawn largely from Form ADV and include many fields suitable for segmentation.
• [Verified] The SEC also provides historical Form ADV data and points users to IAPD for current firm-level information.
• [Verified] The SEC notes that it does not provide the same central bulk access to all state-registered adviser data; state-registered coverage is more fragmented.
  Sources:
  • SEC adviser data page: https://www.sec.gov/data-research/sec-markets-data/information-about-registered-investment-advisers-exempt-reporting-advisers
  • Investor.gov / IAPD overview: https://www.investor.gov/introduction-investing/getting-started/working-investment-professional/using-iapd

4) Current threat patterns strongly support a phishing / email-compromise wedge for RIAs

• [Verified] FINRA issued alerts in 2024 and 2025 warning about phishing campaigns impersonating FINRA personnel.

• [Verified] The 2025 alerts specifically mention targets including:

  • broker-dealers,
  • investment advisers,
  • wealth management entities,
  • and private equity firms.

• [Verified] The campaigns used authority and urgency themes, including allegations tied to client investment mismanagement or requests for firm information.
  Sources:

  • https://www.finra.org/rules-guidance/guidance/cybersecurity-alert-ongoing-phishing-campaign-impersonating-finra-employees
  • https://www.finra.org/rules-guidance/guidance/cybersecurity-alert-ongoing-phishing-impersonating-finra-executives

• [Verified] FINRA’s annual regulatory oversight materials continue to emphasize cybersecurity risk, customer-information exposure, financial loss, and operational failure as ongoing concerns.
  Sources:

  • FINRA 2025 Annual Regulatory Oversight Report: https://www.finra.org/sites/default/files/2025-01/2025-annual-regulatory-oversight-report.pdf
  • FINRA 2026 cybersecurity page: https://www.finra.org/rules-guidance/guidance/reports/2026-finra-annual-regulatory-oversight-report/cybersecurity

5) SEC enforcement and exam posture support a “proof over paper” positioning

• [Verified] The SEC’s small-firm outreach around Regulation S-P includes:

  • sample document requests,
  • mock exam concepts,
  • tabletop exercise discussion,
  • and expectations around books and records.
    Source:
  • SEC small-firm outreach page: https://www.sec.gov/newsroom/meetings-events/compliance-outreach-regulation-s-p-small-firms

• [Verified] The SEC’s 2025 administrative action involving M Holdings is a practical example of the risk of incomplete implementation. The order discusses failures or gaps involving items such as written policies, MFA, awareness training, and incident-response policies, along with email-account takeover and phishing-related harm to customers.
  Source:

  • SEC order: https://www.sec.gov/files/litigation/admin/2025/34-104255.pdf

• [Assistant-stated but only partially verified] The prior discussion characterized the market shift as “from templates to examable operational proof.” That exact phrase is interpretive, not a quoted regulator statement. However, it is a reasonable synthesis of the SEC’s outreach focus and enforcement posture.
  Evidence note:

  • The phrase itself is not sourced.
  • The underlying signals are sourced.

6) Estate-planning / trust-and-estates firms have real adjacent risk, but the market proof is weaker here

• [Verified] ABA materials in 2025 discuss AI-powered scams, phishing, impersonation, and law-firm exposure.

• [Verified] ABA trust-and-estates material also argues that estate planners should help protect clients from financial abuse and cybersecurity-related harm.

• [Verified] IC3’s 2024 report documents enormous total cybercrime loss figures and ongoing BEC / impersonation / fraud risk generally.
  Sources:

  • ABA AI scams article: https://www.americanbar.org/groups/law_practice/resources/law-technology-today/2025/scams-and-phishing-attacks-powered-by-ai/
  • ABA estate planners and security: https://www.americanbar.org/groups/real_property_trust_estate/resources/ereport/2025-winter/what-estate-planners-should-tell-clients-about-security/
  • IC3 annual report: https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf

• [Important correction — Verified] A prior assistant turn referenced **2024 BEC complaints of 21,442 with losses over $2.7billion\ast \ast .Thatexactcombinationappearsinconsistentwiththe2024IC3report.The2024reportmustbeciteddirectlyforcurrentyearnumbers;olderIC3reportscontainthe2022figureofroughly21,832complaintsandover$2.7 billion in adjusted losses.
  Sources:

  • IC3 2024 report
  • IC3 2022 report: https://www.ic3.gov/AnnualReport/Reports/2022_ic3report.pdf Evidence note:
  • Treat the prior 2024-specific claim as unreliable unless re-checked directly from the 2024 report.

7) Public directories and ecosystem overlays can help with targeting

• [Verified] NAPFA has a public advisor directory.

• [Verified] XY Planning Network markets compliance and support services to independent fee-only advisors.

• [Verified] Schwab Advisor Services maintains provider / ecosystem materials relevant to RIAs.
  Sources:

  • NAPFA directory: https://www.napfa.org/find-an-advisor
  • XYPN compliance page: https://www.xyplanningnetwork.com/compliance
  • Schwab Advisor Services provider solutions: https://advisorservices.schwab.com/provider-solutions

• [Tentative / speculative] These ecosystems may be useful both for direct targeting and for partner-channel strategy, but this has not yet been validated through outreach data or conversion evidence.

---

Major Decisions and Conclusions

A. Primary beachhead market

• [Verified + strategic conclusion] The RIA market is the strongest primary beachhead because:
  1. the regulatory trigger is clear,
  2. the data is obtainable,
  3. the threat pattern is current,
  4. the problem links directly to operations, documentation, and trust,
  5. and the offer can be productized.

B. Best initial positioning

• [Verified + strategic conclusion] Solanasis should not lead with generic language such as:

  • “we do cybersecurity for financial firms,”
  • “fractional CIO/CISO for RIAs,”
  • or “we help with compliance and tech.”

• [Strategic conclusion] Better positioning is something like:

  • Operational Reg S-P Readiness for Lean RIAs
  • Phish-to-Incident Readiness Sprint for Lean RIAs
  • RIA Incident Response + Vendor Oversight Baseline
  • Exam-Ready Cyber Operations for RIAs Under 50 Employees
    Evidence status:
  • Assistant-stated but grounded in verified market signals
  • These are proposed offer names / positioning, not verified market facts.

C. Best initial channels

• [Verified + strategic conclusion] A multi-lane approach is stronger than relying on direct outbound alone.

Proposed lane ranking:

1. RIA compliance consultants / outsourced CCOs

   • [Assistant-stated but plausible] Likely high-potential channel because they already have trust and may not want to own technical remediation and operational follow-through.
   • Needs direct partner validation.

2. RIA-specialist MSPs / IT providers

   • [Assistant-stated but plausible] Likely strong because they already manage technical controls, while Solanasis can add regulator-aligned operationalization and evidence structure.
   • Needs partner validation.

3. Direct micro-targeting of lean SEC-registered RIAs

   • [Verified + plausible] Feasible because data is available.
   • [Tentative] May be harder to break through without a sharply differentiated wedge.

4. Estate-planning / trust-and-estates attorneys as a secondary lane

   • [Tentative / speculative] Worth exploring, but not as well validated by the evidence in this project so far.

---

Reasoning, Tradeoffs, and Why It Matters

Why RIAs appear to be the stronger first lane

• [Verified] Clear regulatory event and deadline.
• [Verified] Public target data is easier to assemble centrally.
• [Verified] Threat patterns map neatly to email, phishing, incident response, and vendor oversight.
• [Verified] SEC posture supports evidence-driven operational work rather than abstract consulting alone.
• [Assistant-stated but plausible] Smaller RIAs likely lack internal capacity for this cross-functional work.
  • Needs direct validation from firm interviews / outreach.

Why the estate-planning lane is attractive but riskier

• [Verified] The pain is emotionally legible:
  • wire fraud,
  • client trust,
  • elder exploitation,
  • impersonation,
  • sensitive family and asset information.
• [Uncertain] The buyer motion is less clear in this project.
• [Uncertain] Budget size, buying urgency, and competitive landscape were not verified deeply enough here.
• [Assistant-stated but plausible] This lane may work better if framed as client protection / workflow fraud prevention rather than generic cyber.

Why the wedge must be narrow

• [User-stated] Solanasis wants a clever, fast, AI-native, low-friction entry point.
• [Assistant-stated but strongly supported] Narrow offers are easier to sell because the buyer can connect:
  • the scary incident,
  • the likely cost,
  • and the operational fix.

Why “email / phishing / impersonation / wire workflow” is a good wedge family

• [Verified] Current threat campaigns target RIAs and wealth-management organizations.
• [Verified] Email compromise can trigger customer-information exposure and response obligations.
• [Verified] Email- and instruction-based fraud is also a live issue in legal / fiduciary contexts.
• [Assistant-stated but plausible] These problems are easier to map into SOPs, call scripts, verification steps, runbooks, tabletop drills, and lightweight AI-assisted tooling than broad infrastructure overhauls.

---

Recommended Playbook / Process

Phase 1 — Define the narrowest validated wedge

Recommended primary offer family for RIAs

Offer 1: Phish-to-Incident Readiness Sprint for Lean RIAs

• Evidence status: Assistant-stated but strongly grounded
• Core promise:
  • reduce the odds that one bad email becomes a client-impacting incident and compliance scramble.
• Example deliverables:
  • executive/staff phishing risk review,
  • mailbox-compromise response checklist,
  • fake regulator / fake vendor handling SOP,
  • 1 tabletop scenario,
  • evidence-retention starter kit,
  • prioritized 30-day remediation roadmap.
• Why this works:
  • tightly tied to FINRA alerts and Reg S-P operational burden.

Offer 2: RIA Money-Movement / Instruction Verification Baseline

• Evidence status: Assistant-stated but grounded
• Core promise:
  • reduce the risk that a compromised mailbox or impersonated client/vendor triggers a funds-movement or account-change mistake.
• Example deliverables:
  • map every money-movement and change-of-instructions workflow,
  • create out-of-band verification rules,
  • define escalation and approval matrix,
  • create client/staff verification SOPs.

Offer 3: Vendor Oversight + Incident Evidence Binder Sprint

• Evidence status: Assistant-stated but grounded
• Core promise:
  • help the firm prove it can identify vendors touching customer information, respond coherently, and produce records.
• Example deliverables:
  • vendor inventory by customer-information exposure,
  • breach-notice escalation tree,
  • service-provider risk checklist,
  • evidence binder / recordkeeping structure,
  • incident log template,
  • customer-notification decision checklist.

Recommended secondary offer family for estate-planning attorneys

Offer 4: Wire Fraud & Client Impersonation Prevention Protocol

• Evidence status: Assistant-stated but plausible
• Core promise:
  • make it harder for bad instructions, compromised email threads, or fake family/client requests to cause financial or reputational harm.
• Example deliverables:
  • “never trust email alone” rule set,
  • client warning language,
  • approved callback procedure,
  • staff verification script,
  • suspicious-payment escalation flow.

Offer 5: Client Protection & Elder-Fraud Safeguard Pack

• Evidence status: Tentative / speculative
• Core promise:
  • help firms protect vulnerable clients and communicate safer verification expectations.
• Example deliverables:
  • client-facing fraud warning handout,
  • policy language,
  • intake red flags,
  • trusted-contact and verification workflow suggestions.
• Caution:
  • This should be validated carefully to avoid drifting into legal advice or overclaiming.

---

Phase 2 — Build target lists and segmentation

RIA list-building workflow

1. Download current SEC RIA data

   • Source: SEC adviser data page.
   • Pull current monthly registered adviser file.

2. Add historical / form-level context

   • Source: Form ADV / IAPD.

3. Filter for likely-fit firms

   • Suggested segmentation fields to explore:
     • employee count or size proxies,
     • AUM bands,
     • states served,
     • office count,
     • custody / client asset complexity,
     • affiliation structure,
     • likely outsourced operating model.

4. Overlay ecosystem and niche signals

   • NAPFA
   • XYPN
   • Schwab ecosystem
   • advisor directories
   • conference attendee / sponsor / exhibitor ecosystems where available

5. Enrich manually or via approved tooling

   • website tech stack,
   • M365 / Google Workspace clues,
   • use of custodians / CRMs / client portals,
   • visible compliance / ops headcount,
   • likely partner candidates.

Partner-list workflow

Build separate lists for:

• outsourced CCO / compliance consultants,
• RIA-specialist MSPs,
• RIA-focused IT / cyber firms,
• custodial or ecosystem-adjacent providers,
• possibly law-firm consultants if validating the legal lane.

---

Phase 3 — Validate demand before overbuilding

Interviews / validation calls to run

For RIAs

Ask:

• what cyber / phishing / impersonation incident worries you most?
• who currently owns this internally?
• how confident are you in the first 24 hours after suspected mailbox compromise?
• how are service providers expected to notify you?
• what would be painful to produce in an exam?
• do you feel your compliance consultant and IT provider cover this fully, partially, or awkwardly?

For compliance consultants

Ask:

• where do your clients stall after you recommend changes?
• which incident-response or evidence issues do they routinely mishandle?
• what work do you not want to own directly?
• what would make a technical / operational partner useful to you?

For MSPs

Ask:

• where do clients ask for “compliance help” that falls outside normal IT delivery?
• how do you currently handle incident-response playbooks, evidence, and regulator-facing documentation?
• what would you need from a partner to feel comfortable referring them?

Validation output required before scaling

• 10–20 discovery conversations minimum per lane
• top 3 repeated pains by lane
• objections and procurement blockers
• real pricing tolerance
• words the market uses, not just Solanasis language

---

Phase 4 — Convert wedge into retainer motion

Example expansion path after initial sprint

Initial wedge

• phishing / incident sprint
• or wire / verification baseline
• or vendor oversight / evidence binder sprint

Then expand to retainer

• monthly cyber-ops / compliance-ops working session
• quarterly tabletop / testing
• vendor oversight maintenance
• onboarding / offboarding controls
• M365 / identity posture review coordination
• evidence binder upkeep
• awareness refreshers
• backup / recovery verification
• broader operational resilience projects

Message transition

• “We did not just find risks. We now know exactly where your operational weak points are.”
• “The fastest way to prevent recurrence is to keep this as a light monthly operating rhythm.”
• “We can serve as the connective tissue between your compliance advice, your IT provider, and your operational reality.”

---

Tools, Resources, Links, and References

Primary sources

1. SEC — Enhancements to Regulation S-P: A Small Entity Compliance Guide
   https://www.sec.gov/files/rules/final/2024/regulation-s-p-small-entity-compliance-guide.pdf

2. SEC — Final Rule release for Regulation S-P amendments
   https://www.sec.gov/files/rules/final/2024/34-100155.pdf

3. Federal Register — Regulation S-P final rule
   https://www.federalregister.gov/documents/2024/06/03/2024-11116/regulation-s-p-privacy-of-consumer-financial-information-and-safeguarding-customer-information

4. SEC — Information About Registered Investment Advisers and Exempt Reporting Advisers
   https://www.sec.gov/data-research/sec-markets-data/information-about-registered-investment-advisers-exempt-reporting-advisers

5. SEC — Data Library
   https://www.sec.gov/data-research/sec-markets-data

6. SEC — Investment Adviser Statistics 2023
   https://www.sec.gov/files/im-investment-adviser-statistics-20240515.pdf

7. Investor.gov — Using IAPD
   https://www.investor.gov/introduction-investing/getting-started/working-investment-professional/using-iapd

8. SEC — Compliance Outreach for Regulation S-P Small Firms
   https://www.sec.gov/newsroom/meetings-events/compliance-outreach-regulation-s-p-small-firms

9. SEC — Administrative Proceeding / M Holdings order (2025)
   https://www.sec.gov/files/litigation/admin/2025/34-104255.pdf

10. FINRA — Cybersecurity Alert: Ongoing Phishing Campaign Impersonating FINRA Employees
    https://www.finra.org/rules-guidance/guidance/cybersecurity-alert-ongoing-phishing-campaign-impersonating-finra-employees

11. FINRA — Cybersecurity Alert: Ongoing Phishing Campaign Impersonating FINRA Executives
    https://www.finra.org/rules-guidance/guidance/cybersecurity-alert-ongoing-phishing-impersonating-finra-executives

12. FINRA — Cybersecurity topic hub / oversight materials
    https://www.finra.org/rules-guidance/key-topics/cybersecurity

13. FINRA — 2025 Annual Regulatory Oversight Report
    https://www.finra.org/sites/default/files/2025-01/2025-annual-regulatory-oversight-report.pdf

14. FINRA — 2026 Cybersecurity oversight page
    https://www.finra.org/rules-guidance/guidance/reports/2026-finra-annual-regulatory-oversight-report/cybersecurity

15. IC3 — 2024 Annual Report
    https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf

16. IC3 — 2022 Annual Report
    https://www.ic3.gov/AnnualReport/Reports/2022_ic3report.pdf

17. ABA — Scams and Phishing Attacks Powered by AI
    https://www.americanbar.org/groups/law_practice/resources/law-technology-today/2025/scams-and-phishing-attacks-powered-by-ai/

18. ABA — What Estate Planners Should Tell Clients about Security
    https://www.americanbar.org/groups/real_property_trust_estate/resources/ereport/2025-winter/what-estate-planners-should-tell-clients-about-security/

Secondary ecosystem / directory references

19. NAPFA Find an Advisor
    https://www.napfa.org/find-an-advisor

20. XY Planning Network — Compliance
    https://www.xyplanningnetwork.com/compliance

21. Schwab Advisor Services — Provider Solutions
    https://advisorservices.schwab.com/provider-solutions

22. IAA Compliance Conference
    https://www.investmentadviser.org/events/compliance-conference/

23. IAA Compliance Conference sponsors / exhibitors
    https://www.investmentadviser.org/events-education/2026-compliance-conference-sponsors/
    https://www.investmentadviser.org/events-education/2026-compliance-conference-exhibitors/

Discussion-supporting but weaker / anecdotal sources

24. Reddit — solo RIA compliance discussion
    https://www.reddit.com/r/CFP/comments/1b75i9o/solo_ria_compliance/

25. Reddit — new RIA overwhelmed by stack and compliance
    https://www.reddit.com/r/CFP/comments/1iks8ek/new_ria_overwhelmed_by_tech_stack_and_compliance/

26. Reddit — RIA firm owners / cybersecurity handling
    https://www.reddit.com/r/CFP/comments/1af9ifo/ria_firm_owners_how_are_you_guys_handling/

27. Reddit — MSP serving small SEC-regulated financial firm
    https://www.reddit.com/r/msp/comments/1bimm3m/first_small_financial_firm_sec_compliance/

28. Law-firm scam anecdote / practitioner chatter
    https://www.reddit.com/r/Lawyertalk/comments/1i1hl1y/scam_warning_lawpay_or_any_payment_processor_and/
    Evidence note:

    • anecdotal; not a market-size or frequency source

---

Risks, Caveats, and Red Flags

1) Do not overstate estate-planning certainty

• [Verified] The estate-planning lane has relevant adjacent threat evidence.
• [Verified] It does not yet have the same degree of channel validation, market segmentation work, or public-data ease as the RIA lane in this project.
• Action implication: treat it as a secondary hypothesis, not a fully validated GTM lane.

2) Do not claim all smaller RIAs are panicking

• [Assistant-stated but unverified] The market may feel urgency, but this was not quantified in the research completed so far.
• Action implication: validate actual urgency through interviews and outreach response.

3) Do not imply Solanasis is giving legal advice

• [Verified operational risk] Some offerings—especially around law firms or customer notifications—can drift toward legal-advice territory.
• Action implication: position Solanasis as:
  • operational,
  • technical,
  • workflow-focused,
  • and working alongside compliance consultants / counsel where needed.

4) Do not oversimplify implementation burden

• [Verified] Regulation S-P touches policies, incident response, service providers, notifications, and recordkeeping.
• Action implication: offers must be scoped tightly to avoid accidental underpricing or hidden labor.

5) Channel conflict risk

• [Tentative / speculative] Compliance consultants or MSPs may perceive Solanasis as competitive unless positioning is carefully framed.
• Action implication: partner messaging should emphasize “we make your recommendations operational,” not “we replace you.”

6) Data-list quality risk

• [Verified] SEC data is available.
• [Unverified] How cleanly that data maps to ideal outreach segmentation still needs hands-on testing.
• Action implication: do a pilot list build and spot-check quality before scaling outreach.

7) Incident-response offer risk

• [Verified] Incident response is a strong wedge area.
• [Practical caveat] If marketing language implies full emergency response capability, that could create expectation risk.
• Action implication: clearly scope whether Solanasis is selling:
  • preparedness,
  • tabletop and workflow readiness,
  • or actual 24/7 response support.

---

Open Questions / What Still Needs Verification

1. What are the best segmentation fields in the SEC RIA files for outreach?
   Status: Unverified operational question

2. Which smaller RIAs are most likely to buy quickly?
   For example:

   • newly independent firms,
   • firms under 10 employees,
   • firms with specific AUM bands,
   • firms with custody or more vendor complexity,
   • firms in specific geographies.
     Status: Unverified

3. How many compliance consultants are open to a white-label / partner delivery model?
   Status: Unverified

4. Which RIA-specialist MSPs are the best partner candidates?
   Status: Unverified

5. Which wedge offer name and framing converts best?
   Status: Unverified Needs:

   • landing-page tests,
   • cold outreach tests,
   • interview feedback.

6. What is realistic pricing tolerance for small-firm RIAs?
   Status: Unverified

7. How competitive is the estate-planning lane specifically for wire-fraud prevention / phishing readiness?
   Status: Unverified

8. What state-specific legal / professional-responsibility issues matter if targeting law firms?
   Status: Partially verified only

9. Can Solanasis create lightweight AI-assisted internal tools that materially improve delivery without increasing liability?
   Status: Strategic hypothesis needing design and testing

10. What are the cleanest boundaries between Solanasis, compliance counsel, MSPs, and cyber-insurance requirements?
    Status: Unverified

---

Suggested Next Steps

Immediate next steps (highest leverage)

1. Build a pilot SEC RIA target sheet

   • pull latest downloadable RIA file,
   • create initial segmentation model,
   • identify 100–300 likely-fit firms.

2. Create 2–3 tightly scoped offer one-pagers

   • one for RIAs,
   • one for compliance consultants,
   • one for MSP partners.

3. Run 10–20 validation conversations

   • mixed across RIAs, compliance consultants, and MSPs.

4. Test offer language Recommended tests:

   • “Phish-to-Incident Readiness Sprint”
   • “RIA Incident Response + Vendor Oversight Baseline”
   • “Email Compromise & Exam Readiness Sprint”

5. Map partner ecosystem

   • outsourced CCOs,
   • RIA-focused compliance shops,
   • RIA-focused MSPs,
   • custodial and advisor ecosystems.

6. Decide whether estate-planning remains lane #2

   • only after direct validation,
   • not based solely on general cyber fear.

Near-term deliverables another AI should create next

• a scored ICP matrix for smaller RIAs,
• a sample SEC-data enrichment schema,
• partner brief for compliance consultants,
• partner brief for RIA-serving MSPs,
• productized offer sheets with scope boundaries,
• discovery call scripts,
• objection handling,
• landing page drafts,
• outreach copy variants,
• simple ROI / incident-cost framing.

---

Handoff Notes for Another AI

1. Treat the RIA lane as the current lead thesis.
   It has the strongest combination of:

   • verified regulation,
   • available list data,
   • recent threat activity,
   • and productizable wedge logic.

2. Do not assume the estate-planning lane is equally validated.
   It is promising, but still secondary.

3. Preserve the user’s preference for “smart cuts.”
   The user does not want a bloated enterprise strategy. The user wants:

   • narrow wedges,
   • strong perceived ROI,
   • quick implementation,
   • and natural upsell into retainer work.

4. Preserve the user’s preferred operating style.
   The user is:

   • AI-native,
   • lean,
   • SOP- and package-oriented,
   • and interested in fast builds using AI coding agents.

5. Do not flatten evidence levels.
   Keep distinguishing:

   • Verified
   • User-stated
   • Assistant-stated but unverified
   • Tentative / speculative

6. Watch for overclaiming.
   The previous conversation included some strong statements that were plausible but not fully proven. Another AI should avoid upgrading those into fact without new evidence.

7. Best next continuation task:
   Build a ranked wedge-offer matrix for RIAs and partner channels, tied to:

   • pain,
   • urgency,
   • deliverability,
   • differentiation,
   • likely price tolerance,
   • and upsell path.

---

Reviewer Notes and Improvements Made

Review method

• [Verified] Reviewer-agent capability was not available in this workflow.
• [Verified] A serious self-review pass was performed instead.

Improvements made versus the earlier draft / discussion

1. Corrected the artifact to be more than a narrative recap.
2. Separated verified facts from strategic inference.
3. Added an explicit correction where a prior BEC statistic appeared inconsistent.
4. Strengthened the distinction between the RIA lane and the estate-planning lane.
5. Added operational cautions around:
   • legal-advice boundaries,
   • channel conflict,
   • scope risk,
   • and expectation risk.
6. Added clearer next-step workflows:
   • list-building,
   • validation interviews,
   • partner mapping,
   • and offer testing.
7. Added explicit Handoff Notes for Another AI.
8. Added explicit Open Questions / What Still Needs Verification.
9. Added source sections that another AI can use directly.
10. Tightened language where earlier assistant claims were too confident relative to the evidence.

Remaining weaknesses in this document

• Some Reddit / practitioner-signal interpretation remains inherently anecdotal.
• Estate-planning buyer behavior still needs direct field validation.
• Competitive mapping of RIA cyber / compliance vendors is still incomplete.
• Pricing guidance remains under-validated.

---

Optional Appendix — Structured Summary (YAML-style)

project:
  name: "Solanasis RIA / Estate Planning Wedge GTM Research"
  date: "2026-03-17"
  primary_goal: "Find smart-cut entry wedges and channels for Solanasis"
  primary_lanes:
    - "RIAs / wealth management / compliance consultant channel"
    - "Estate-planning / trust-and-estates attorneys (secondary hypothesis)"
 
highest_confidence_findings:
  - status: "Verified"
    finding: "Reg S-P amendments create a real operational burden for covered institutions including RIAs"
    sources:
      - "SEC Small Entity Compliance Guide"
      - "SEC Final Rule"
      - "Federal Register"
  - status: "Verified"
    finding: "Smaller entities generally face a June 3, 2026 compliance date"
    sources:
      - "SEC Small Entity Compliance Guide"
  - status: "Verified"
    finding: "SEC publishes downloadable monthly RIA data"
    sources:
      - "SEC adviser data page"
  - status: "Verified"
    finding: "FINRA warned of phishing campaigns targeting investment advisers / wealth entities"
    sources:
      - "FINRA 2025 alerts"
 
best_current_market:
  lane: "RIA"
  why:
    - "Clear regulatory trigger"
    - "Accessible list data"
    - "Current threat pattern"
    - "Better evidence base than estate-planning lane"
 
recommended_wedges:
  - name: "Phish-to-Incident Readiness Sprint for Lean RIAs"
    status: "Assistant-stated but grounded"
  - name: "RIA Money-Movement / Instruction Verification Baseline"
    status: "Assistant-stated but grounded"
  - name: "Vendor Oversight + Incident Evidence Binder Sprint"
    status: "Assistant-stated but grounded"
  - name: "Wire Fraud & Client Impersonation Prevention Protocol"
    status: "Tentative / secondary-lane"
 
recommended_channels:
  - "RIA compliance consultants / outsourced CCOs"
  - "RIA-specialist MSPs"
  - "Direct micro-targeting of smaller SEC-registered RIAs"
  - "Estate-planning firms later, after validation"
 
biggest_open_questions:
  - "Which smaller RIAs buy fastest?"
  - "What exact segmentation fields matter most?"
  - "How willing are compliance consultants to partner?"
  - "What price points are realistic?"
  - "Is the estate-planning lane truly attractive enough to pursue now?"
 
next_ai_task:
  - "Create a ranked wedge-offer matrix and a target-account segmentation model"