Regtech Surge: Cybersecurity Challenges And Opportunities

Yenamandra Hosts Cybersecurity Panel With Execs From United Planners, MGL Consulting And Kitecyber – Part 2

Sid Yenamandra, Founder & CEO, SurgeONE.ai

As a follow-up to Cybersecurity Awareness Month, we are publishing the second part of frequent columnist Sid Yenamandra’s panel discussion with several of his colleagues from across the wealth management and regtech space, where he gathered their insights into cybersecurity challenges and opportunities. If you missed it, you can review the first part of their discussion here.

  • Sid Yenamandra is Founder and CEO of Surge Ventures, a fintech venture studio, and CEO of RegVerse, a regtech firm that aims to revolutionize the regulatory landscape by providing financial firms with AI solutions.
  • Aaron Spradlin is Chief Information Officer at United Planners, a national wealth management firm that provides financial planning, investment management and insurance services.
  • Melinda “Mimi” LeGaye is President and Founder of MGL Consulting, a financial services compliance consulting firm with more than 40 years of operating history helping clients minimize regulatory threats and capitalize on business opportunities with ongoing compliance services, professional development programs, and strategic consulting services covering a broad spectrum of managerial, financial, regulatory and business expansion challenges.
  • Srikanth Chavali is Co-Founder and Chief Product Officer of Kitecyber, a provider of protection technologies working with service providers to support customers with a hyper-converged endpoint management, security and compliance solution.

Yenamandra: Thank you all for joining today. We’ve got a great panel to dive into one of the most critical areas of cybersecurity – data security – particularly considering the recent regulatory changes. Let’s start with you, Aaron. From a wealth management firm’s perspective, what impact have the new SEC cybersecurity regulations had on your firm’s operations?

Aaron Spradlin, Chief Information Officer, United Planners

Spradlin: It’s been a significant shift for us. The SEC’s focus on notification periods and vendor due diligence has meant we’ve had to overhaul our incident response protocols. We now have much tighter timeframes for breach notifications, requiring investment in technology and personnel. However, the new vendor management component of the SEC rule is taking much of our attention.

Yenamandra: Mimi, I know you’ve been working with firms on their compliance strategies for these new requirements. What are you seeing in the marketplace as the biggest compliance challenges related to data security?

LeGaye: I’m not surprised that Aaron and his team are spending time to ensure they get the vendor part of the rule right. Many firms were underprepared for the rigor of vendor due diligence and are finding it challenging. It’s not just about having security in place anymore; it’s also about proving that your vendors meet those security standards. This has become an even bigger issue with SaaS platforms, which many firms increasingly rely on.

Melinda “Mimi” LeGaye, President & Founder, MGL Consulting

Ensuring compliance up and down the chain is critical. When it comes to vendor due diligence, technology governance and evidencing a firm’s compliance with their supervisory obligations, documentation is key, as the burden of proof is on the regulated entities and their chief compliance officers, not on their vendors.

We are also advising firms not to forget about their obligations to establish a technology governance framework across their registered and associated persons as recent regulatory actions against “off-channel communications” have highlighted the risks to regulated firms created by the use of “off-channel” technology solutions by registered individuals. Vendor due diligence and tracking are critical to minimizing a firm’s exposure to these high-dollar compliance and supervisory risks.

Chavali: And that’s where we, as SaaS providers, come in. The expectations for data security from our clients have skyrocketed. We’ve invested significantly in architectures designed to identify sensitive business data, trace its lineage, and monitor for unauthorized transfers. This approach ensures we’re not just aware of where risks lie but also actively manage and mitigate them throughout their lifecycle. However, providing a seamless user experience while maintaining these heightened security measures can be challenging because there’s often tension between usability and security.

Srikanth Chavali, Co-Founder & Chief Product Officer, Kitecyber

Yenamandra: That’s a great point. From an investor perspective, we’re seeing a significant shift toward solutions that balance both. Investors want to see innovation, but security must be baked into the product, not bolted on as an afterthought. Srikanth, how are you addressing this balance in your platform?

Chavali: It’s tricky, but we’re using AI to mitigate some of that friction. For example, we’re employing machine learning models to proactively identify threats before they become an issue, reducing the need for intrusive security measures on the user side. But that opens up another discussion about the ethics of AI in security.

Yenamandra: Exactly, AI is changing the landscape, but it’s also introducing new compliance challenges. Mimi, how are firms managing the compliance risks associated with AI-driven security solutions?

LeGaye: It’s a developing area and one the regulators are very focused on. We’re still defining best practices, but firms are starting to develop compliance policies around the use of AI and implement governance frameworks to ensure that AI tools approved by their firm are both transparent and explainable. Regulators are watching closely to ensure that AI doesn’t inadvertently introduce new risks, like Regulation SP privacy risks, system bias and/or over-reliance on algorithms.

Spradlin: And let’s not forget vendor risk. We rely on a lot of third-party providers for various services. The new SEC rules mean we’re scrutinizing those relationships more than ever. But it’s difficult when some vendors, especially smaller SaaS providers, may not have the same security posture we do.

Yenamandra: Vendor risk is a massive focus for us as well. We’re actively investing in solutions that help firms manage third-party risk more effectively. Tools that can provide continuous monitoring of vendors’ security postures are in high demand right now. Where do you see the future of this conversation going, Srikanth? Are SaaS providers prepared to step up to this challenge?

Chavali: Cybersecurity is a shared responsibility, highlighted by the recent Snowflake data breach. SaaS vendors are increasingly pushing their partners to meet minimum data security standards. Until formal requirements emerge, those with strong security practices will stand out. It’s no longer just about compliance, it’s about building and maintaining trust.

Yenamandra: I’m sure we all agree that trust is everything. That’s a big part of why Surge Ventures is investing so heavily in regtech and cybersecurity right now. Firms are looking for solutions that integrate security, compliance and efficiency. At the end of the day, it’s about building systems that allow companies to operate with confidence in a highly regulated environment.

Janeesa Hollingshead, Contributing Editor at Wealth Solutions Report, can be reached at editor@wealthsolutionsreport.com.

Janeesa Hollingshead

As Contributing Editor, Janeesa Hollingshead oversees editorial strategy and digital publishing at Wealth Solutions Report. Co-Founder of JJ Studios for tech startups. Former early Uber team member who spearheaded Chicago expansion plans.
