The Fiduciary Bulls-Eye
Why the DOL’s 2026 Shift Puts Your Plan Under the Microscope
In 2026, the Department of Labor (DOL) has fundamentally shifted the goalposts for plan fiduciaries. For years, cybersecurity was treated by many as a “technical annex” to the main business of plan administration. That era is over. The Employee Benefits Security Administration (EBSA) recently announced a major overhaul of its FY 2026 National Enforcement Projects, placing Cybersecurity and Retirement Asset Management at the center of its investigative focus.
As a fiduciary who has managed risk at the quadrillion-dollar level, I know that the difference between an investigation target and a compliance ally is one thing: documented diligence. This guide maps your path to aligning with the EBSA’s 2026 priorities, transforming potential scrutiny into a strategic defense.
1. The 2026 Shift: Why Cybersecurity is Now a “National Project”
Previously, cybersecurity was often a secondary inquiry during a broader plan audit. In 2026, EBSA has designated it as a standalone National Enforcement Project.
The EBSA 2026 Hit List
Investigators are now prioritizing resources toward areas that produce the highest impact for participants, specifically:
Cybersecurity Governance: Evaluating how plans and service providers protect sensitive information from fraud and financial loss.
Benefit Distributions: Ensuring that the movement of money—the most vulnerable moment for a plan—is protected from criminal interference.
Retirement Asset Management: Focusing on the prudent process of fiduciary decision-making regarding investment choices and fees.
“By recalibrating the areas our investigators focus on, EBSA investigations will be more efficient, responsive, and prioritize serious misconduct rather than minor foot faults.” — Deputy Secretary of Labor Keith Sonderling
2. The Fiduciary Mandate: Mapping to the 12 Best Practices
The 2026 enforcement project builds directly on the 2021 and 2024 guidance, which established that cybersecurity is a core fiduciary obligation under ERISA. To be seen as a “Compliance Ally,” your program must reflect each of the 12 Best Practices.
The Core Pillars of the 2026 Program
3. Beyond “Check-the-Box”: The Requirement for Penetration Testing
One of the most significant focus areas for 2026 is the reliability of your security controls. The DOL explicitly expects to see Penetration Test Reports as part of an effective audit program.
The Secure SDLC and Testing
If your organization maintains any internal environments or in-house applications, you must implement a Secure System Development Life Cycle (SDLC).
Architecture Analysis: Ensuring security is baked into the design, not added later.
Code Review: Identifying vulnerabilities before software is deployed.
System Alerts: Configuring triggers to alert fiduciaries when sensitive account information is changed.
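The “System Alerts” item above is the one control in this list that is easy to show in working code. The block below is an added illustration, not DOL guidance and not any recordkeeper’s software: it scans a constructed audit trail, raises a notify-level alert whenever a sensitive participant field (bank account, mailing address, email, phone) is changed, and escalates when a distribution is requested for the same participant within a short window after such a change, which is the “movement of money” moment the enforcement list singles out. The event schema, the field list, the seven-day window and the participant IDs are all assumptions made for the example.

```python
"""Added example: alert fiduciaries on changes to sensitive account fields.

Audit events, field names and the escalation window are constructed for
illustration; adapt the schema to your recordkeeper's actual audit feed.
"""
from datetime import datetime, timedelta

# Fields whose change most often precedes a fraudulent distribution (assumed list).
SENSITIVE_FIELDS = {"bank_account", "mailing_address", "email", "phone"}

# A distribution requested within this window of a sensitive change is escalated
# rather than merely logged (assumed threshold).
DISTRIBUTION_WINDOW = timedelta(days=7)

# Constructed sample audit trail with hypothetical participant and actor IDs.
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T09:00:00", "participant": "P-1001", "action": "update",
     "field": "beneficiary_note", "actor": "P-1001"},
    {"ts": "2026-03-02T10:15:00", "participant": "P-1002", "action": "update",
     "field": "email", "actor": "P-1002"},
    {"ts": "2026-03-02T10:16:00", "participant": "P-1002", "action": "update",
     "field": "bank_account", "actor": "P-1002"},
    {"ts": "2026-03-04T08:30:00", "participant": "P-1002", "action": "distribution_request",
     "field": None, "actor": "P-1002"},
    {"ts": "2026-03-05T11:00:00", "participant": "P-1003", "action": "update",
     "field": "mailing_address", "actor": "csr-42"},
    {"ts": "2026-04-01T11:00:00", "participant": "P-1003", "action": "distribution_request",
     "field": None, "actor": "P-1003"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def generate_alerts(events):
    """Return a list of alert dicts, in time order.

    - severity "notify": a sensitive field was changed (who changed it is recorded
      so a change made by a service-desk actor rather than the participant stands out).
    - severity "escalate": a distribution was requested within DISTRIBUTION_WINDOW
      after one or more sensitive changes for the same participant.
    """
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    recent_changes = {}  # participant -> list of (timestamp, field)
    alerts = []
    for event in ordered:
        ts = parse_ts(event["ts"])
        pid = event["participant"]
        if event["action"] == "update" and event["field"] in SENSITIVE_FIELDS:
            recent_changes.setdefault(pid, []).append((ts, event["field"]))
            alerts.append({
                "severity": "notify",
                "participant": pid,
                "ts": event["ts"],
                "reason": f"{event['field']} changed by {event['actor']}",
            })
        elif event["action"] == "distribution_request":
            # Only changes that fall inside the window count toward escalation.
            in_window = sorted({f for (t, f) in recent_changes.get(pid, [])
                                if ts - t <= DISTRIBUTION_WINDOW})
            if in_window:
                alerts.append({
                    "severity": "escalate",
                    "participant": pid,
                    "ts": event["ts"],
                    "reason": (f"distribution requested within {DISTRIBUTION_WINDOW.days} days "
                               f"of change to {', '.join(in_window)}"),
                })
    return alerts


if __name__ == "__main__":
    for alert in generate_alerts(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['ts']} {alert['participant']}: {alert['reason']}")
```

Run against the constructed events, the scan produces two notify alerts and one escalation for P-1002 (email and bank account changed, then a distribution requested two days later) and a single notify alert for P-1003, whose distribution came four weeks after the address change and so stays below the escalation threshold. The evidence a fiduciary would want for the audit file is exactly this output, retained alongside the rule definition that produced it.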
4. Vendor Oversight: The Fiduciary’s Greatest Risk
Since most plans rely on third-party administrators (TPAs) and recordkeepers, the DOL’s 2026 priorities place a heavy emphasis on Service Provider Oversight. You are responsible for the security of data you do not directly control.
Contractual Sovereignty
EBSA expects fiduciaries to conduct due diligence that includes:
Right-to-Audit: Contractual provisions that allow the plan sponsor to audit the provider’s cybersecurity practices.
Breach Notification: Clear timelines and protocols for when a vendor must report a security incident.
Liability Insurance: Inquiring about and documenting the service provider’s cybersecurity liability insurance coverage.
5. Resilience: Preparing for the “After-Action” Report
The final stage of becoming a “Compliance Ally” is having an effective Business Resiliency Program. This addresses business continuity, disaster recovery, and incident response.
The 2026 Standard for Incident Response
An effective resiliency program must include:
Remediation Plans: Clear steps to identify and fix weaknesses discovered in your systems.
After-Action Reports: Formal discussions on how the plan will be evaluated and updated following a cybersecurity event or disaster.
Communication Protocols: Clearly defined roles and authority levels for internal and external notification.
Conclusion: Diligence as a Fiduciary Asset
The EBSA’s 2026 enforcement priorities are not just a threat—they are a roadmap. By proactively mapping your program to these standards, you move your plan from an investigation target to a model of Fiduciary Sovereignty. In the age of $13.8 trillion in plan assets, the most valuable asset you can have is a documented, prudent process.