The SEC’s May 16, 2024, adoption of enhancements to Regulation S‑P (Reg S‑P) has significantly broadened the obligations of registered entities following the detection of a cyber breach that has, or is reasonably likely to have, compromised sensitive customer data. Larger entities faced a compliance deadline of December 3, 2025, while smaller ones have until June 3, 2026. In addition to the strict requirements that Reg S‑P already imposed with regard to cybersecurity policies and procedures, fund managers must have policies and procedures in place that are reasonably designed to notify customers as soon as practicable, and not more than 30 days, after detection of a breach. As bad actors grow ever more sophisticated and resourceful, the cyber threat facing the private funds sector has never been more acute, as the SEC recognized when the agency devoted a large section of its new 2026 Examination Priorities to Reg S‑P compliance. This article summarizes the amendments to Reg S‑P; sets forth practical steps that fund managers should take upon discovery of a cyber incident; outlines best practices with regard to customer notification, including what to mention and what to exclude; and provides expert legal analysis. See “SEC Staff Discuss Regulation S‑P Amendments and Related Examination Process” (Oct. 23, 2025).