The Cyber Theft Gap: Why an ERISA Fidelity Bond May Not Respond to Modern Cyber-Enabled Losses, and How Sponsors Close the Exposure
The retirement plan ecosystem has become a high-value target for cybercriminals because defined contribution plans concentrate liquid assets, personal data, and payment workflows in one convenient place, and that place can be manipulated remotely. Plan sponsors face a recurring and uncomfortable question when a cyber event causes a loss: will the ERISA fidelity bond respond, or will the plan discover a coverage gap after the fact? The gap is not a loophole in the law. It is the predictable result of an older statutory trigger, a modern threat model, and the difference between a fidelity regime that is keyed to dishonest acts by “plan officials” and a cyber risk landscape that frequently involves external threat actors, credential compromise, and social engineering. In 2026, the prudent sponsor treats the ERISA bond as necessary but not sufficient, and designs a control and insurance architecture that is compatible with ERISA § 412 while directly addressing cyber-enabled theft pathways (29 U.S.C. § 1112; U.S. Department of Labor, EBSA, 2008).
The statutory trigger is narrow by design: “fraud or dishonesty” by bonded persons
ERISA § 412, codified at 29 U.S.C. § 1112, requires that every fiduciary and every person who “handles” plan funds or other property be bonded. The bond must protect the plan against loss “by reason of acts of fraud or dishonesty” on the part of the bonded person, whether acting alone or in collusion (29 U.S.C. § 1112; U.S. Department of Labor, EBSA, 2008). EBSA’s guidance emphasizes that an ERISA bond or ERISA fidelity bond is not the same as fiduciary liability insurance. The ERISA bond is a plan-protective crime instrument; fiduciary liability insurance is typically a duty-breach instrument that insures fiduciaries and sometimes the plan against claims alleging fiduciary misconduct (U.S. Department of Labor, EBSA, 2008; U.S. Department of Labor, EBSA, 2015).
This distinction matters because many cyber losses do not begin as “dishonesty by a plan official.” They begin as a compromise of credentials, a diversion of funds through a manipulated workflow, or an exploitation of weak authentication controls in a vendor environment. Those fact patterns may involve theft in the ordinary sense, but the legal and contractual question for an ERISA bond is more technical: did a bonded “plan official” commit, participate in, or collude in a dishonest act that caused the loss, and was that person required to be bonded because they handled plan funds (29 U.S.C. § 1112; U.S. Department of Labor, EBSA, 2008)?
The “handling” concept is the bridge between cyber operations and ERISA fidelity bond language
EBSA interprets “handling” functionally, focusing on whether duties create an opportunity to cause a loss through fraud or dishonesty, including through authority, access, or the ability to initiate or direct disbursements (U.S. Department of Labor, EBSA, 2008). In a cyber era, “handling” should be mapped not only to who touches cash, but to who can change bank instructions, reset participant credentials, approve distributions, alter addresses, or override controls. Those are the points at which cyber-enabled theft becomes feasible. If the plan’s handling map is outdated and fails to identify individuals who can unilaterally initiate or release plan funds through electronic workflows, the plan can end up with two problems at once: bonding noncompliance and a claims posture that is difficult to prove because access and authority were not adequately governed (U.S. Department of Labor, EBSA, 2015; U.S. Department of Labor, EBSA, 2008).
The “cyber theft gap” is a causation problem: external actor loss is not always a fidelity loss
The recurring misconception is that because an ERISA bond covers “theft,” it automatically covers theft accomplished by cyber means. That is not guaranteed. Fidelity coverage is triggered by dishonest acts of bonded persons, not merely by the fact that a theft occurred (U.S. Department of Labor, EBSA, 2008; U.S. Department of Labor, EBSA, 2015). A classic cyber-enabled loss scenario illustrates the issue. A participant’s credentials are compromised through phishing or device malware. The attacker logs into the recordkeeper portal, changes banking instructions, requests a distribution, and the funds are transmitted. In this scenario, the “actor” is an external criminal. Unless the facts show dishonesty by a bonded plan official, collusion, or an internal abuse of authority, the loss may not fit the statutory peril even though money was stolen.
Industry commentary aimed at auditors and plan governance teams increasingly warns that sponsors should not assume ERISA fidelity bonds automatically cover cyber theft, and encourages sponsors to evaluate the need for complementary crime or cyber coverages while maintaining ERISA-compliant bonding for plan officials (BDO, 2025). That warning is consistent with EBSA’s own framing of the bond as protection against fraud or dishonesty by plan officials who handle plan assets (U.S. Department of Labor, EBSA, 2015; U.S. Department of Labor, EBSA, 2008). The result is the “gap”: cyber events can create plan losses that look like theft but do not meet the fidelity trigger unless the loss can be causally tied to dishonest acts by bonded persons.
DOL cybersecurity guidance reframes the sponsor’s duty: control failures can convert cyber events into plan losses
EBSA’s cybersecurity guidance, originally issued in 2021 and later clarified to apply across all ERISA plans through Compliance Assistance Release No. 2024-01, establishes an expectation that plan fiduciaries use prudent processes to assess and monitor cybersecurity risks and service provider security practices (U.S. Department of Labor, EBSA, 2024). EBSA’s cybersecurity materials emphasize program best practices, due diligence in vendor selection, ongoing monitoring, incident response readiness, and participant security practices (U.S. Department of Labor, EBSA, 2024; U.S. Department of Labor, EBSA, n.d.). These are not “bonding” documents per se, but they are directly relevant to the ERISA bond because they govern the integrity of the very workflows through which plan funds are handled and transmitted.
This creates an analytically clean thesis for an essay on the cyber theft gap. The ERISA fidelity bond is a statutory minimum crime instrument, while the DOL’s cybersecurity framework is the operational control standard that determines how likely it is that cyber-enabled theft will succeed and, if it does, how well the plan can reconstruct the event, assign authority, and pursue recovery. When controls are weak, the plan’s exposure becomes two-dimensional: it faces the financial loss and it faces the possibility that the loss will not be indemnified under the ERISA bond because the event may be characterized as external theft rather than internal dishonesty (U.S. Department of Labor, EBSA, 2008; U.S. Department of Labor, EBSA, 2024).
Closing the gap requires a layered architecture: compliance, controls, and complementary coverage
A sponsor that wants to close the cyber theft gap should proceed in three coordinated layers, to wit:
Ensure strict ERISA bonding compliance. The plan should identify every fiduciary and plan official who handles plan funds or other property, and confirm that the ERISA bond names or otherwise blanket-covers those persons in the proper amounts. EBSA’s bonding guidance and bonding publication make clear that fidelity bonding is mandatory and that fiduciary liability insurance does not substitute for it (U.S. Department of Labor, EBSA, 2008; U.S. Department of Labor, EBSA, 2015). Compliance also requires correct amount calculation tied to funds handled and adherence to regulatory requirements applicable to deductibles and bond form features as interpreted in EBSA guidance (U.S. Department of Labor, EBSA, 2008; U.S. Department of Labor, EBSA, 2015).
Align cybersecurity controls with the plan’s handling map. EBSA’s cybersecurity best practices emphasize access controls, strong authentication, secure systems development, vendor oversight, and incident response planning (U.S. Department of Labor, EBSA, n.d.; U.S. Department of Labor, EBSA, 2024). For sponsors, the highest-value control focus is the distribution chain: identity verification, address and banking change controls, multi-factor authentication, segregation of duties for approvals, call-back verification protocols, and exception reporting for anomalous activity. These controls reduce the probability of loss and, critically, improve post-event attribution by documenting who approved what and under what process. That documentation is often the difference between a loss that is merely “a cyber incident” and a loss that can be causally tied to a dishonest act by a plan official if internal abuse or collusion occurred.
Evaluate complementary insurance designed for external cyber and funds transfer risks. An ERISA bond is required for plan officials, but it is not designed to be a comprehensive cyber policy. Many organizations therefore structure separate cyber insurance or commercial crime coverages to address third-party hacking, funds transfer fraud, and social engineering scenarios, while still maintaining the ERISA bond to satisfy § 412 and protect against dishonest acts by persons who handle plan assets. Professional literature aimed at plan auditors and risk managers increasingly frames this as a myth-busting exercise: the bond may include cyber provisions in some forms, but sponsors should not assume broad coverage by default and should assess what is actually insured (BDO, 2025). The key compliance discipline is to avoid treating supplemental coverages as substitutes for ERISA bonding; they are complements, not replacements (U.S. Department of Labor, EBSA, 2015).
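The handling map described above (who can initiate or release plan funds) and the exception reporting in the control layer (segregation of duties, call-back verification, and anomalous distribution activity) can be modelled in a few lines. The following Python is an added example written for this page; it is not code from the original post, from Surety One, Inc., or from any recordkeeper. The action vocabulary, the staff and participant names, the seven-day look-back windows, and the event log are all constructed assumptions, and a real recordkeeper's permission tables and audit logs will use different field names.

```python
"""Added example: a functional "handling" map plus an exception report over a
constructed distribution workflow. All names, actions, windows and events below
are assumptions made for illustration, not data from any plan or vendor."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Actions a functional reading of "handling" would capture: anything that can
# initiate or direct a disbursement, or change where it goes (assumed vocabulary).
INITIATE_ACTIONS = {"request_distribution", "change_bank_instructions",
                    "change_address", "reset_credentials"}
RELEASE_ACTIONS = {"approve_distribution", "release_funds", "override_control"}


def handling_map(permissions: Dict[str, Set[str]]) -> Dict[str, Dict[str, bool]]:
    """For each person: does the role handle plan funds (so must be bonded), and
    can it both initiate and release a disbursement alone (no segregation)?"""
    result = {}
    for person, actions in permissions.items():
        initiates = bool(actions & INITIATE_ACTIONS)
        releases = bool(actions & RELEASE_ACTIONS)
        result[person] = {"handles": initiates or releases,
                          "unilateral": initiates and releases}
    return result


def persons_to_bond(permissions: Dict[str, Set[str]]) -> List[str]:
    """Everyone whose permissions amount to handling under the map above."""
    return sorted(p for p, v in handling_map(permissions).items() if v["handles"])


@dataclass
class Event:
    ts: str                 # ISO-8601 timestamp (constructed)
    actor: str              # staff user id, or "participant:<id>" for self-service
    action: str
    participant: str        # the account the action touches
    callback_verified: bool = False   # only meaningful for banking changes
    requested_by: Optional[str] = None  # for approvals: who initiated the request


def exception_report(events: List[Event], permissions: Dict[str, Set[str]],
                     bank_window_days: int = 7, reset_window_days: int = 7
                     ) -> List[Tuple[str, str, str]]:
    """Flag the patterns a sponsor's control layer should surface for review.
    Returns (timestamp, participant, reason) triples in chronological order."""
    findings: List[Tuple[str, str, str]] = []
    last_bank_change: Dict[str, datetime] = {}
    last_reset: Dict[str, datetime] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        t = datetime.fromisoformat(e.ts)
        if e.actor in permissions:
            # Staff acting outside granted permissions: access governance failure.
            if e.action not in permissions[e.actor]:
                findings.append((e.ts, e.participant,
                                 f"{e.actor} performed {e.action} outside granted permissions"))
        elif e.actor.split(":", 1)[-1] != e.participant:
            # Self-service credentials may only act on their own account.
            findings.append((e.ts, e.participant,
                             f"self-service actor {e.actor} acted on another account"))
        if e.action == "change_bank_instructions":
            last_bank_change[e.participant] = t
            if not e.callback_verified:
                findings.append((e.ts, e.participant,
                                 "banking change without call-back verification"))
        elif e.action == "reset_credentials":
            last_reset[e.participant] = t
        elif e.action == "approve_distribution":
            # Segregation of duties: the approver must not be the requester.
            if e.requested_by == e.actor:
                findings.append((e.ts, e.participant,
                                 f"{e.actor} approved own request (segregation of duties)"))
            # Distribution shortly after a banking change or credential reset is the
            # credential-compromise pattern described in the post.
            bank = last_bank_change.get(e.participant)
            if bank is not None and t - bank <= timedelta(days=bank_window_days):
                findings.append((e.ts, e.participant,
                                 f"distribution within {bank_window_days} days of banking change"))
            reset = last_reset.get(e.participant)
            if reset is not None and t - reset <= timedelta(days=reset_window_days):
                findings.append((e.ts, e.participant,
                                 f"distribution within {reset_window_days} days of credential reset"))
    return findings


# Constructed permission table: one role can both initiate and release.
PERMISSIONS: Dict[str, Set[str]] = {
    "alice": {"request_distribution", "approve_distribution"},  # unilateral
    "bob": {"reset_credentials", "change_address"},             # helpdesk, initiates only
    "carol": {"approve_distribution", "release_funds"},         # releases only
    "dave": {"view_statements"},                                # no handling
}

# Constructed event log covering the compromised-participant pattern, a
# self-approval, an out-of-permission release, and one clean workflow.
EVENTS: List[Event] = [
    Event("2026-03-02T09:00:00", "bob", "reset_credentials", "P-1001"),
    Event("2026-03-02T09:20:00", "participant:P-1001", "change_bank_instructions", "P-1001"),
    Event("2026-03-03T11:00:00", "participant:P-1001", "request_distribution", "P-1001"),
    Event("2026-03-03T15:00:00", "carol", "approve_distribution", "P-1001",
          requested_by="participant:P-1001"),
    Event("2026-03-10T09:00:00", "alice", "request_distribution", "P-2002"),
    Event("2026-03-10T09:05:00", "alice", "approve_distribution", "P-2002", requested_by="alice"),
    Event("2026-03-11T12:00:00", "dave", "release_funds", "P-2002"),
    Event("2026-04-01T08:00:00", "participant:P-3003", "change_bank_instructions", "P-3003",
          callback_verified=True),
    Event("2026-04-20T08:00:00", "carol", "approve_distribution", "P-3003",
          requested_by="participant:P-3003"),
]

if __name__ == "__main__":
    print("persons to bond:", persons_to_bond(PERMISSIONS))
    for ts, participant, reason in exception_report(EVENTS, PERMISSIONS):
        print(ts, participant, reason)
```

The handling map is deliberately role-based rather than cash-based: "alice" never touches a check, but because she can both request and approve a distribution she is both a person who must be bonded and a segregation-of-duties exception. The report is the documentation layer the post describes: each finding records who did what and under which control, which is what lets a sponsor later distinguish an external credential compromise from internal abuse or collusion.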
A compliance file that is also a claims file: the practical sponsor playbook
From a governance standpoint, the most defensible approach is to maintain a written file that integrates bonding, cybersecurity controls, and service provider oversight into one coherent risk narrative. That file should document the plan’s “handling” analysis, the bond amount computation, the roles and permissions that can initiate or release funds, and the cybersecurity controls that govern those workflows, consistent with EBSA’s published best practices and the clarification that cybersecurity guidance applies broadly to ERISA plans (U.S. Department of Labor, EBSA, 2024; U.S. Department of Labor, EBSA, 2008). If a loss occurs, the file becomes a claims support instrument because it allows the plan to reconstruct how the loss happened, identify whether a plan official acted dishonestly or colluded, and pursue the appropriate recovery channel, whether under the ERISA bond, a crime policy, cyber insurance, or vendor contractual remedies.
The central insight is that the cyber theft gap is not closed by buying “more ERISA bond.” It is closed by precision: correct identification of who handles funds, correct ERISA bond placement for those persons, robust cyber controls over the distribution chain, and complementary coverage for external actor scenarios that do not fit the statutory fidelity trigger. That is the 2026-ready posture for plans that want both compliance and resilience in an era where retirement plan theft increasingly occurs through keyboards rather than cash drawers (U.S. Department of Labor, EBSA, 2024; U.S. Department of Labor, EBSA, 2008). Now comes a bit of marketing, . . . Surety One, Inc. and its underwriters bring sixty-plus years of bonding experience to the table. Technical skill, deep knowledge of the product and seasoned underwriting tradecraft proffer plan sponsors and benefit plan architects unparalleled support. Non-qualified asset balances, unions, multi-employer, ESOP, 403(b)s, . . . there is no plan design for which terms are unavailable. Quick-issue options are at https://ERISA-Bonds.com or reach out to a Surety One, Inc. expert through the web portal. Cyber coverage is a separate issue (coverage which we STRONGLY urge regardless of operational size and scope). Visit https://cyberriskpolicy.com/ for more on that item.
~ C. Constantin Poindexter, MA, JD, CPCU, AFSB, ASLI, ARe, AINS, AIS
Bibliography
- BDO. (2025, May 5). Busting 5 Common ERISA Fidelity Bond Misconceptions.
- 29 U.S.C. § 1112. (Bonding, ERISA § 412).
- U.S. Department of Labor, Employee Benefits Security Administration. (2008, November 25). Field Assistance Bulletin No. 2008-04: Guidance Regarding ERISA Fidelity Bonding Requirements.
- U.S. Department of Labor, Employee Benefits Security Administration. (2015). Protect Your Employee Benefit Plan with an ERISA Fidelity Bond.
- U.S. Department of Labor, Employee Benefits Security Administration. (2024, September 6). Compliance Assistance Release No. 2024-01: Cybersecurity Guidance Update.
- U.S. Department of Labor, Employee Benefits Security Administration. (n.d.). Cybersecurity: Program Best Practices, Tips for Hiring a Service Provider with Strong Security Practices, and Online Security Tips.