The SEC’s amended Regulation S-P is slated to take effect for smaller investment advisers — those with less than $1.5 billion in assets under management — on June 3, 2026. For many small private equity managers, this deadline has arrived with less preparation than it deserved. The rule is not optional, the SEC is actively examining compliance, and the reputational and regulatory consequences of a poorly handled data breach now extend well beyond the incident itself.
The good news: for a smaller PE manager with a lean investor base and a straightforward operating structure, building a compliant Regulation S-P program does not require a major technology overhaul or a team of cybersecurity consultants. What it requires is a disciplined, proportionate approach — one that accurately maps where investor data actually lives, puts the right policies and procedures in place, and ensures the firm’s service providers are contractually aligned with the new requirements.
What Changed: The Core Requirements
Regulation S-P has governed the privacy of nonpublic personal information since 2000, but the May 2024 amendments substantially expanded what it requires. The original rule focused primarily on privacy notices and opt-out rights. The amended rule adds four substantive new obligations that apply to all SEC-registered investment advisers, including private equity fund managers:
- Incident Response Program (IRP): A written program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. The IRP must address how the firm will assess the scope of an incident, contain further unauthorized access, investigate whether notification is required, and coordinate with service providers.
- Breach Notification: If unauthorized access to sensitive customer information has occurred or is reasonably likely to have occurred, the adviser must notify each affected individual as soon as practicable but no later than 30 days after becoming aware of the incident. The notification must describe what happened, what information was involved, and what steps affected individuals can take.
- Service Provider Oversight: Advisers must implement policies and procedures to oversee service providers that receive, maintain, process, or otherwise are permitted access to customer information. This includes contractual requirements obligating service providers to notify the adviser of any incident involving customer information, typically within 72 hours.
- Recordkeeping: Advisers must maintain written records documenting compliance with the amended rule, including copies of policies and procedures, documentation of detected incidents, records of notification decisions, and evidence of service provider oversight. Records must be retained for five years, with the first two years in an accessible location.
What Is “Customer Information” and Why It Matters for PE Managers
Many smaller PE managers assume Regulation S-P is primarily a retail investor protection rule and therefore of limited relevance to institutional-facing private equity firms. This assumption is worth examining carefully.
The amended rule defines “customer information” broadly — it includes any record containing nonpublic personal information about a customer, whether in paper or electronic form. For PE managers, this most commonly includes the personal information of individual investors in the fund, including natural persons who invest through family offices, trusts, or individually managed vehicles. This means Social Security numbers, dates of birth, addresses, taxpayer identification numbers, banking details, and financial account information collected through subscription documents, KYC/AML processes, and capital call and distribution notices.
The key practical question for each PE manager is: where does this information live, and who has access to it? The answer is almost always more distributed than it appears at first glance.
Step 1: Map Your Customer Information
Before you can build a compliant program, you need to know where your sensitive investor data actually resides. For most small PE managers, customer information is scattered across more systems and parties than a single compliance policy can address without a deliberate inventory. Start with an honest internal audit:
- Investor subscription documents and KYC/AML files (often held by fund counsel or the administrator)
- Capital call and distribution notices, which typically include bank account information
- Investor portal data maintained by the fund administrator or third-party platform
- Email communications containing investor financial information
- Tax documents (K-1s) prepared by the fund’s accountants
- CRM systems or spreadsheets used to track investor contact and financial information internally
Document this inventory in writing. The map of where investor data lives is the foundation on which every other element of your program is built.
Step 2: Review and Update Your Written Policies and Procedures
If your existing compliance manual includes a Regulation S-P privacy policy, it almost certainly predates the 2024 amendments and does not address the new incident response, breach notification, and service provider oversight requirements. Your policies need to be amended to cover each of the four new obligations described above.
For small PE managers, the policy does not need to be complex — it needs to be accurate and proportionate to your actual operations. A policy that describes an incident response process suited to a 500-person financial institution creates more problems than it solves for a five-person firm. Design your policies around how your firm actually operates:
- Who is responsible for detecting and escalating a potential incident? (Name the role or individual.)
- What internal steps will be taken to assess scope and contain the incident?
- Who makes the decision about whether customer notification is required?
- What is the template for customer notification, and who sends it?
- How will the firm document the incident and the decisions made?
The SEC’s standard is “reasonably designed” — not perfect, and not enterprise-grade. A well-documented, proportionate program built around your firm’s actual structure is both achievable and defensible.
Step 3: Identify and Assess Your Service Providers
This step is where many smaller PE managers will face their most meaningful compliance work. The amended rule requires advisers to have oversight procedures for service providers that handle customer information — and for most PE managers, the list of such providers is substantial:
- Fund administrator (processes subscriptions, maintains investor records, handles distributions)
- Fund accountants (prepare K-1s and tax documents containing investor TINs and financial data)
- Fund counsel (often holds KYC/AML files and subscription agreements)
- Transfer agent or investor portal provider (if applicable)
- IT and cloud service providers that host email or file storage containing investor data
- Placement agents (if still actively used and in possession of investor contact and financial data)
For each service provider, evaluate: (1) what customer information they receive or can access, (2) what their existing data security practices are, and (3) whether your current agreements with them address the amended rule’s requirements. The answers will drive your next step.
Step 4: Update Your Service Provider Agreements
The amended rule requires advisers to have contractual provisions in place with service providers that address their obligations with respect to customer information. At minimum, your agreements should include:
- A requirement that the service provider notify the adviser of any incident involving customer information within 72 hours of becoming aware of it
- A requirement that the service provider maintain appropriate data security practices and safeguards
- An obligation to cooperate with the adviser’s incident response process
- If the service provider will send breach notifications on the adviser’s behalf, clear authorization and delegation language (noting that the adviser remains legally responsible)
In practice, communicating with service providers about these requirements should begin with a straightforward outreach: identify the relevant contract, determine whether it already contains data security and incident notification language, and if not, request an amendment or addendum. Most institutional fund administrators and large accounting firms will already have standard data security addenda available — the conversation is typically not adversarial. Smaller or more bespoke providers may require more deliberate negotiation.
Document your outreach and the status of each provider’s agreement. This documentation is itself a required record under the amended rule.
Step 5: Train Your Team and Test Your Program
A written incident response program that no one has read or practiced is not a compliant program — it is a document. Before your compliance date, make sure the relevant personnel understand:
- What constitutes a potential incident requiring escalation
- Who to contact internally when an incident is suspected
- What the first 24–48 hours of response look like in practice
- How the 30-day notification clock runs and what it requires
A brief tabletop exercise — walking through a hypothetical incident scenario with the relevant team members — is one of the most efficient ways to identify gaps in your program before an actual incident does it for you. Document that you conducted the exercise. That documentation counts toward your recordkeeping obligations.
A Note on the SEC’s Exam Focus
The SEC’s Division of Examinations has explicitly flagged Regulation S-P compliance as an examination priority. Examiners have been asking firms about their progress in establishing incident response programs, and that scrutiny will only increase once the smaller adviser compliance date has passed. When an examiner asks to see your Regulation S-P program, they will expect to see written policies and procedures, evidence of service provider oversight, and documentation of any incidents and the decisions made in response to them — even if no notification was ultimately required.
Firms that can produce a proportionate, well-documented program will be in a materially better position than those that cannot, regardless of whether they have experienced a breach.
How Trillium Can Help
Compliance Program Support: Trillium works directly with smaller private equity managers to build Regulation S-P programs that are proportionate to the firm’s actual operations — including policy drafting, customer information mapping, service provider assessment, and staff training. The goal is a defensible, maintainable program that does not create unnecessary overhead for a lean team.
Testing and Surveillance: Trillium’s ongoing compliance support includes periodic review of your Regulation S-P program against your actual practices and any regulatory developments, helping ensure your program stays current as your service provider relationships and data environment evolve.