2026 EBSA Cybersecurity Enforcement and ERISA Fidelity Bonds: Compliance, Claims Causation, and Control Frameworks. First installment of our ERISA bond special report.

Plan sponsors have always understood that the ERISA fidelity bond is mandatory, but too often it is treated as an annual administrative task rather than a risk instrument linked to real loss pathways. That posture is getting harder to defend in 2026. The Employee Benefits Security Administration’s updated national enforcement projects expressly elevate cybersecurity as a priority area, signaling continued scrutiny of how plans and their service providers protect accounts, authenticate distributions, and prevent asset diversion (U.S. Department of Labor, EBSA, 2026a; Groom Law Group, 2026). In that environment, ERISA Section 412 bonding should be reinterpreted as a compliance baseline plus an operational control that must match how modern plans actually “handle” funds and transmit value.

It is useful to distinguish this 2026 cyber lens from another DOL and EBSA theme addressed in a prior Surety One blog post, which analyzed how policy shifts around evolving investment options can indirectly change bonding exposure without changing statutory coverage. This essay instead focuses on the increasingly central 2026 reality that cyber-enabled theft and payment diversion can look like ordinary plan operations until the loss has already occurred, and that this reality intersects with the fidelity bond through the statutory “fraud or dishonesty” trigger, the “handling” concept, and the plan’s control environment (29 U.S.C. § 1112; U.S. Department of Labor, EBSA, 2008).

ERISA §412 is a crime protection regime, not a fiduciary liability backstop

ERISA’s bonding mandate is codified at 29 U.S.C. § 1112 and requires that every fiduciary and every “plan official” who handles plan funds or other property be covered by an acceptable ERISA fidelity bond, protecting the plan against loss by reason of acts of fraud or dishonesty by the bonded person, whether acting alone or in collusion (29 U.S.C. § 1112; U.S. Department of Labor, EBSA, 2008). The Department of Labor has consistently explained that an ERISA bond is intended to protect plans from theft and similar dishonest takings, not from investment losses, administrative errors, or fiduciary breach claims, which are typically addressed by fiduciary liability insurance rather than Section 412 bonding (U.S. Department of Labor, EBSA, 2015; ASPPA, 2017).

The “amount” mechanics reinforce that this is a targeted crime regime. The temporary bonding rules in 29 CFR Part 2580 generally tie required coverage to a percentage of funds handled, subject to minimum and maximum thresholds: the well-known $500,000 maximum for most plans, and a higher cap for certain plans holding employer securities, both reflected in the regulatory framework and in common compliance guidance (29 C.F.R. § 2580.412-11; U.S. Department of Labor, EBSA, 2015). The practical takeaway is that the penalties (coverage limits) of ERISA fidelity bonds are keyed to the plan’s handling profile and exposure pathways, not to a generalized sense of “fiduciary risk.”

What changed in 2026 is not the statute, but the enforcement lens

EBSA’s January 15, 2026 announcement updating national enforcement projects is important precisely because it does not rewrite ERISA. It telegraphs the investigative bandwidth and the fact patterns investigators will treat as salient, including cybersecurity (U.S. Department of Labor, EBSA, 2026a). Third-party analyses of the announcement likewise highlight cybersecurity and service provider oversight as continuing focal points, while noting a rebalancing of attention across enforcement categories (Groom Law Group, 2026; Hylant, 2026). For bonding, the implication is not that cyber events are automatically covered, but that cyber control failures will be more visible in examinations and investigations, and that “who handles funds” is increasingly determined by digital authority, credentialed access, and payment initiation rights rather than by physical custody.

EBSA’s own enforcement materials show that investigators are trained to test bonding compliance as part of fiduciary investigations. The Fiduciary Investigations Program manual instructs investigators to use bonding checklists and bonding computation checklists to determine whether a plan’s fidelity bond complies with ERISA Section 412 (U.S. Department of Labor, EBSA, n.d.). In other words, bonding is not merely a Form 5500 file attachment issue. It is a substantive compliance element evaluated in the same ecosystem as governance, reporting, and operational integrity.

Cybersecurity guidance translates directly into a modern “handling” map

DOL’s cybersecurity guidance, first issued in 2021 and clarified through an update confirming broad applicability across ERISA plans, is especially relevant because it operationalizes what good control environments look like in a world where participants, recordkeepers, trustees, payroll departments, and third party administrators interact through credentialed systems (U.S. Department of Labor, EBSA, 2024; U.S. Department of Labor, EBSA, 2024a). The guidance stresses due diligence and ongoing monitoring of service providers, access controls, multi factor authentication, incident response readiness, and contractual protections, all of which matter because a significant percentage of retirement plan theft scenarios now begin as a compromise of identity, authentication, or workflow controls rather than as a classic in office embezzlement (U.S. Department of Labor, EBSA, 2024a).

This is where the ERISA Section 412 “handling” concept becomes contemporary again. FAB 2008-04 frames bonding as a response to the opportunity for loss through dishonest acts in the handling of plan funds or other property. It emphasizes that ERISA fidelity bonds must protect the plan against losses caused by fraud or dishonesty by persons required to be bonded (U.S. Department of Labor, EBSA, 2008). In modern plans, the individuals and entities with the opportunity to cause a loss may be those who can reset credentials, approve address changes, release distributions, change banking instructions, create payee profiles, or authorize wires through a recordkeeping portal. The plan’s handling map, therefore, has to be drawn through permissions, approvals, and segregation of duties, not merely through job titles.

The core analytical issue is causation: when is a cyber event a Section 412 event

The most technically important issue for a 2026 cyber lens essay is claims causation. ERISA requires a bond that protects the plan from loss due to acts of fraud or dishonesty by bonded persons. A loss caused entirely by an external threat actor, with no dishonest act by a bonded plan official, may fall outside the statutory peril even if the loss feels like theft in the ordinary sense. Conversely, an external compromise that succeeds because a bonded person participates, colludes, or abuses granted authority may present a clearer fidelity posture. This is why “bonding as control” is the right framing. The sponsor should be able to show that it identified the persons and functions that create the opportunity for dishonest diversion, ensured proper bonding for those roles, and implemented cybersecurity governance that reduces the chance that a fraud pathway becomes feasible (U.S. Department of Labor, EBSA, 2015; U.S. Department of Labor, EBSA, 2024a).

A practical 2026 viewpoint is that the plan should maintain a defensible compliance file that aligns three items: the bonded persons analysis, the bond amount computation tied to funds handled, and the cyber control environment for distributions and account changes. That file is not merely defensive. It is also claim-enabling: in a contested loss scenario, the plan’s ability to demonstrate who had authority, how approvals worked, what controls existed, and whether dishonesty occurred can be the difference between a resolved claim and a prolonged dispute.
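The handling map described above and the three-part compliance file can be produced mechanically from the permission data a plan already holds. The following is an added example, not code from the Surety One post or from any DOL tool. It derives who “handles” plan funds from the permissions people actually hold (union of their roles) rather than from job titles, flags segregation-of-duties gaps on the distribution and account-change workflow, and computes the bond amount from funds handled. The role names, permission names, person names, and conflict pairs are constructed for illustration. The post cites only the $500,000 cap; the 10% rate and $1,000 floor used as defaults are the general-rule values of 29 C.F.R. § 2580.412-11 and ERISA § 412 supplied here, and the higher employer-securities cap is not modeled.

```python
"""Added example (not from the Surety One post): build an ERISA "handling" map
from system permissions, check segregation of duties on the distribution and
account-change workflow, and compute the Section 412 bond amount."""

# Functions that give a person the opportunity to divert plan assets.
# The list follows the post's description of modern handling; names are assumed.
HANDLING_PERMISSIONS = {
    "reset_credentials",
    "approve_address_change",
    "release_distribution",
    "change_bank_instructions",
    "create_payee",
    "authorize_wire",
}

# Permission pairs that should never rest with one identity (assumed rules).
SOD_CONFLICTS = [
    ("change_bank_instructions", "release_distribution"),
    ("create_payee", "authorize_wire"),
    ("reset_credentials", "release_distribution"),
]

# Constructed sample: role definitions exported from the recordkeeper portal,
# payroll and HR systems.
ROLE_GRANTS = {
    "hr_admin": {"approve_address_change", "view_balances"},
    "payroll_clerk": {"submit_contributions", "change_bank_instructions"},
    "plan_administrator": {"release_distribution", "authorize_wire"},
    "helpdesk": {"reset_credentials"},
    "recordkeeper_ops": {"create_payee", "authorize_wire"},
    "auditor": {"view_balances"},
}

# Constructed sample: who holds which role. Bob accumulated two roles over time.
ASSIGNMENTS = [
    ("alice", "hr_admin"),
    ("bob", "payroll_clerk"),
    ("bob", "plan_administrator"),
    ("carol", "helpdesk"),
    ("dave", "recordkeeper_ops"),
    ("erin", "auditor"),
]


def effective_permissions(assignments, role_grants):
    """Union of permissions each person holds across all assigned roles."""
    perms = {}
    for person, role in assignments:
        perms.setdefault(person, set()).update(role_grants.get(role, set()))
    return perms


def handling_map(assignments, role_grants):
    """Persons who 'handle' plan funds: anyone holding at least one handling
    permission. Returns {person: sorted list of handling permissions}."""
    result = {}
    for person, perms in effective_permissions(assignments, role_grants).items():
        held = sorted(perms & HANDLING_PERMISSIONS)
        if held:
            result[person] = held
    return result


def sod_violations(assignments, role_grants):
    """Persons holding both halves of a conflicting permission pair, i.e. a
    single identity that can complete a diversion without a second approver."""
    violations = []
    handling = handling_map(assignments, role_grants)
    for person in sorted(handling):
        held = set(handling[person])
        for a, b in SOD_CONFLICTS:
            if a in held and b in held:
                violations.append((person, a, b))
    return violations


def required_bond_amount(funds_handled, pct=0.10, minimum=1_000, maximum=500_000):
    """Percentage of funds handled, clamped to the floor and ceiling.
    Defaults are the general-rule values of 29 C.F.R. § 2580.412-11 (supplied
    here, not taken from the post); the employer-securities cap is not modeled."""
    if funds_handled < 0:
        raise ValueError("funds handled cannot be negative")
    return int(min(max(funds_handled * pct, minimum), maximum))


def compliance_file(assignments, role_grants, funds_handled):
    """The three aligned items the post describes, in one structure."""
    return {
        "bonded_persons": handling_map(assignments, role_grants),
        "bond_amount": required_bond_amount(funds_handled),
        "sod_violations": sod_violations(assignments, role_grants),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(compliance_file(ASSIGNMENTS, ROLE_GRANTS, 2_000_000), indent=2))
```

On the constructed data, Erin (view only) is correctly left off the bonded-persons list, while Bob appears with three handling permissions because his two roles combine into an initiate-plus-release path that no single role grants on its own; that is exactly the case a title-based map misses. The `sod_violations` output is the list an examiner testing distribution controls would want to see closed or compensated before the bond is relied on.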

Why the timing matters: EBSA’s current enforcement results add urgency

EBSA’s FY 2025 results press release reported recoveries of more than $1.4 billion for plans, participants, and beneficiaries, with more than half resulting from enforcement actions (U.S. Department of Labor, EBSA, 2026b). That level of enforcement output, coupled with an explicit 2026 cybersecurity focus, underlines that plan operations are being examined in a high-scrutiny environment. Even when a specific investigation is not initiated as a “cyber” matter, cybersecurity weaknesses can surface as part of distribution testing, service provider oversight, and internal controls review, all of which are upstream of the fidelity bond’s fraud and dishonesty peril (U.S. Department of Labor, EBSA, 2026a; U.S. Department of Labor, EBSA, 2024a).

The best way to think about ERISA fidelity bonds in 2026 is as a statutory minimum that should be engineered into a broader control architecture. That architecture begins with an accurate “handling” map, continues through strong authentication and distribution controls consistent with DOL’s cybersecurity guidance, and ends with a bond placement that is correct in form, amount, and bonded parties. Surety One, Inc. is particularly well-positioned in this environment. Our ERISA bond underwriters understand the statutory mechanics of Section 412, the practical realities of modern plan operations, and the way cyber-enabled fraud pathways can convert a routine distribution workflow into a fidelity loss event. That class-specific expertise helps plans and plan advisers move beyond checkbox bonding toward compliance files and bond placements that are genuinely defensible.

~ C. Constantin Poindexter, MA, JD, CPCU, AFSB, ASLI, ARe, AINS, AIS

Bibliography

  • ASPPA. (2017). 5 Things People Get Wrong About ERISA Fidelity Bonds. American Society of Pension Professionals & Actuaries.
  • Groom Law Group. (2026). DOL Enforcement Priorities Change in 2026.
  • Hylant. (2026). EBSA Updates National Employee Benefit Plan Enforcement Projects for 2026.
  • 29 U.S.C. § 1112. (Bonding, ERISA § 412).
  • 29 C.F.R. § 2580.412-11. (Statutory provision, temporary bonding rules).
  • U.S. Department of Labor, Employee Benefits Security Administration. (2008). Field Assistance Bulletin No. 2008-04: Guidance Regarding ERISA Fidelity Bonding Requirements.
  • U.S. Department of Labor, Employee Benefits Security Administration. (2015). Protect Your Employee Benefit Plan with an ERISA Fidelity Bond.
  • U.S. Department of Labor, Employee Benefits Security Administration. (2024). Compliance Assistance Release No. 2024-01: Cybersecurity Guidance Update.
  • U.S. Department of Labor, Employee Benefits Security Administration. (2024a). Cybersecurity Program Best Practices.
  • U.S. Department of Labor, Employee Benefits Security Administration. (2026a, January 15). Learn more about EBSA’s national enforcement projects.
  • U.S. Department of Labor, Employee Benefits Security Administration. (2026b, January 30). EBSA recovered over $1.4B in FY 2025 for workers, families, benefit plans.
  • U.S. Department of Labor, Employee Benefits Security Administration. (n.d.). Enforcement Manual: Fiduciary Investigations Program.