
Your Tax Practice Is Required to Have a WISP. Here's What That Actually Means.

May 12, 2026


If you run a tax or accounting practice, you are legally required to have a Written Information Security Plan (WISP). The Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule that implements it have required a written security program since the rule took effect in 2003. The amended rule's expanded requirements took effect in June 2023, and its breach-notification requirement followed in May 2024.

A WISP isn't a checklist you file away. It's a working document that governs how your practice protects client data, responds to incidents, and stays accountable over time. Many practices have something that looks like a WISP. Fewer have one that meets the full scope of what the rule requires.

This post walks through what the law demands, where the gaps tend to show up, and what a solid plan includes.

Legal Requirements

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect customer data. Under the GLBA and the FTC Safeguards Rule, tax and accounting professionals are classified as financial institutions regardless of size. A sole practitioner with 50 clients carries the same core obligations as a 20-partner regional CPA practice. The rule relaxes a handful of its written elements for practices that hold information on fewer than 5,000 consumers, but the written program itself, and the safeguards it documents, apply to everyone.

The Safeguards Rule requires you to designate a qualified individual to oversee your security program, document a risk assessment, design and implement safeguards, monitor and test those safeguards regularly, and vet your service providers for security compliance. You are also required to enforce multi-factor authentication (MFA) for anyone accessing any system that holds customer information (unless your qualified individual approves an equivalent control in writing), to encrypt customer information in transit and at rest, and to notify the FTC of any unauthorized acquisition of unencrypted customer information involving 500 or more consumers, as soon as possible and no later than 30 days after discovery. Failure to comply exposes your practice to FTC enforcement, state regulatory action, and civil liability if a breach occurs.

That's the legal floor. A good WISP builds well above it.

Many Practices Still Exposed

The most common WISP problem isn't refusal to comply. It's underestimating what a compliant plan requires, or treating the document as a one-time project rather than a living part of how your practice operates.

"When a CPA practice already has a strong IT foundation in place, WISP compliance doesn't have to be a heavy lift," said Rich Miller, President and CEO of STACK Cybersecurity. "We recently worked through the WISP requirements with a practice in Greater Orlando that was already on our Cyber STACK. They were nearly 99% compliant and needed only one minor policy adjustment."

But most accounting firms don't leverage best-in-class cybersecurity tools like those offered by STACK.

The practices that struggle are usually the ones trying to retrofit compliance onto a technology environment that was never built with security in mind. Gaps often arise around vendor oversight, incident response procedures, and documentation of who has access to client data. Those are exactly the areas regulators and plaintiff attorneys focus on after a breach.

Three Pillars of a Sound WISP

The IRS Security Summit, a partnership between the IRS, state tax agencies, and private-sector tax groups, outlines three core areas every WISP must address: physical safeguards, technical safeguards, and administrative safeguards. Weakness in any one of them creates exposure across all three.

Physical safeguards govern how paper records and physical devices are stored, accessed, and destroyed. This includes locked filing cabinets, clean desk policies, visitor escort procedures in areas where client PII is stored, and secure destruction of paper records at the end of their retention life. You also need to track every device that touches client data: computers, laptops, cell phones, printers, and removable media.

Technical safeguards cover your network, devices, and data both in transit and at rest. Firewalls, endpoint protection, and current operating system patches are the baseline. Multi-factor authentication is required by rule for any system access, not just remote login. Client data must be encrypted in transit (encrypted file transfer or a client portal for any electronic exchange of PII) and at rest (full-disk encryption on every laptop and workstation that touches it). The password that protects an encrypted file must never travel through the same channel as the file itself: a password-protected PDF emailed with its password in the same thread is not protected. Event logging should be enabled on all systems containing PII, with logs reviewed at regular intervals; failed logins, logins without MFA, new accounts, and privilege changes are the events most worth a reviewer's time. For a deeper look at how these technical controls connect to your broader compliance posture, our post on cybersecurity and GRC covers that framework in detail.
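What a "regular log review" can look like in practice, as an added example rather than anything from the original post, STACK, or the IRS: a short script that reads login events from a system holding client PII and flags the patterns above. The log format, account names, addresses, business hours, and the events themselves are constructed for illustration; a real practice would map exports from its own systems (Microsoft 365 sign-in logs, a file server's security log, the tax software's audit trail) onto the same fields.

```python
"""Periodic review of login events on a system that holds client PII.

Added example for this post, not code from STACK or the IRS. The log
format, the account names, the addresses, the business hours and the
events are constructed; a practice would feed in exports from its own
systems after mapping them to the same key=value fields.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: one login attempt per line, key=value fields.
SAMPLE_LOG = """\
2026-04-14T08:02:11 user=jsmith result=success mfa=yes src=10.0.0.21
2026-04-14T08:05:40 user=tlee result=success mfa=no src=10.0.0.33
2026-04-14T22:47:03 user=jsmith result=failure mfa=- src=203.0.113.9
2026-04-14T22:47:09 user=jsmith result=failure mfa=- src=203.0.113.9
2026-04-14T22:47:15 user=jsmith result=failure mfa=- src=203.0.113.9
2026-04-14T22:47:21 user=jsmith result=failure mfa=- src=203.0.113.9
2026-04-14T22:47:27 user=jsmith result=failure mfa=- src=203.0.113.9
2026-04-14T22:47:33 user=jsmith result=failure mfa=- src=203.0.113.9
2026-04-14T23:10:02 user=jsmith result=success mfa=yes src=203.0.113.9
2026-04-15T09:15:55 user=mgarcia result=success mfa=yes src=10.0.0.40
"""

FAILURE_THRESHOLD = 5      # assumed: failed attempts from one address on one account
BUSINESS_HOURS = (7, 19)   # assumed: 07:00 to 19:00 local time


def parse_log(text):
    """Turn the key=value lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["time"] = datetime.fromisoformat(stamp)
        events.append(rec)
    return events


def review(events):
    """Return (kind, user, detail) findings a reviewer should look at."""
    findings = []

    # Count failures per (account, source) so a guessing run stands out.
    failures = defaultdict(int)
    for e in events:
        if e["result"] == "failure":
            failures[(e["user"], e["src"])] += 1
    for (user, src), n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append(("password_guessing", user,
                             f"{n} failed logins from {src}"))

    for e in events:
        if e["result"] != "success":
            continue
        user, src, when = e["user"], e["src"], e["time"]
        # The Safeguards Rule expects MFA on every login, not just remote ones.
        if e["mfa"] != "yes":
            findings.append(("no_mfa", user,
                             f"login from {src} at {when} without MFA"))
        if not BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]:
            findings.append(("after_hours", user,
                             f"login from {src} at {when}"))
        # A success right after a burst of failures from the same address is
        # the pattern of a guessed password, not a forgotten one.
        if failures[(user, src)] >= FAILURE_THRESHOLD:
            findings.append(("success_after_failures", user,
                             f"login from {src} at {when} followed "
                             f"{failures[(user, src)]} failures"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{kind:24} {user:10} {detail}")
```

Run against the sample, the script surfaces one login without MFA, one password-guessing run, and the after-hours success that followed it. Filing each review's output with the WISP is what turns "logs are reviewed at regular intervals" from a sentence in the plan into evidence you can show a regulator.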

Administrative safeguards are where most practices have the largest gaps. This pillar covers personnel accountability: background checks for new hires who'll access client data, signed acknowledgment of the WISP by every employee and contractor, annual security training, and a clearly documented process for cutting off access, on every system, on the day someone leaves. You also need to designate a Data Security Coordinator responsible for implementing the plan (the role the Safeguards Rule calls the "qualified individual") and a Public Information Officer who handles all external communications if an incident occurs.
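The access-termination gap is easy to check for, and the check doubles as the "who has access to client data" documentation regulators ask for. Below is an added example (not code from the original post, STACK, or the IRS) of a quarterly access review: reconcile each in-scope system's account list against the HR roster and flag accounts of people who have left, accounts nobody on the roster owns, and accounts nobody uses. The roster, the account export, the review date, and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Access review for a system holding client PII: every enabled account
must map to a current employee or contractor, and unused accounts go.

Added example for this post, not code from STACK or the IRS. The roster,
the account export, the review date and the dormancy threshold are
constructed; a practice would export its own HR list and the user list
of each in-scope system (document management, tax software, file
server, email) and run the same comparison.
"""
from datetime import date

REVIEW_DATE = date(2026, 5, 12)   # assumed date of this quarter's review
DORMANT_DAYS = 90                 # assumed: unused this long means question it

# Constructed HR roster. Vendors with accounts belong on it too, since the
# Safeguards Rule puts service providers' access in scope.
ROSTER = [
    {"user": "jsmith",   "role": "partner",    "end_date": None},
    {"user": "tlee",     "role": "seasonal",   "end_date": date(2026, 4, 20)},
    {"user": "mgarcia",  "role": "staff",      "end_date": None},
    {"user": "itvendor", "role": "contractor", "end_date": None},
]

# Constructed export from the document management system.
ACCOUNTS = [
    {"user": "jsmith",   "enabled": True,  "last_login": date(2026, 5, 1)},
    {"user": "tlee",     "enabled": True,  "last_login": date(2026, 4, 28)},
    {"user": "mgarcia",  "enabled": True,  "last_login": date(2026, 5, 2)},
    {"user": "itvendor", "enabled": True,  "last_login": date(2025, 12, 3)},
    {"user": "scanner",  "enabled": True,  "last_login": None},
    {"user": "bwong",    "enabled": False, "last_login": date(2025, 2, 9)},
]


def access_review(roster, accounts, today=REVIEW_DATE):
    """Return (kind, user, detail) findings, in account-export order."""
    people = {p["user"]: p for p in roster}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # disabled: no access to review
        user, last = acct["user"], acct["last_login"]
        person = people.get(user)
        if person is None:
            findings.append(("unowned_account", user,
                             "no one on the roster owns this account; "
                             "assign an owner or disable it"))
            continue
        end = person["end_date"]
        if end is not None and end <= today:
            detail = f"{person['role']} left on {end} but the account is still enabled"
            if last is not None and last > end:
                detail += f"; it was used on {last}, after departure"
            findings.append(("terminated_still_active", user, detail))
            continue
        if last is None or (today - last).days > DORMANT_DAYS:
            seen = "never used" if last is None else f"last used {last}"
            findings.append(("dormant", user,
                             f"{person['role']} account {seen}; confirm it is still needed"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in access_review(ROSTER, ACCOUNTS):
        print(f"{kind:24} {user:10} {detail}")
```

On the constructed data the review catches a seasonal employee whose account was still enabled, and used, a week after their end date; a vendor account untouched for five months; and a shared "scanner" account with no named owner. Run it per system each quarter, act on each finding, and keep the output with the WISP as the record of the review.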

Vendor Oversight

One of the most overlooked provisions of the Safeguards Rule is the obligation to vet and oversee third-party service providers. Your IT support company, payroll vendor, cloud storage provider, document management platform, and even your cleaning service are all within scope if they have any access to systems or physical areas where PII is stored.

Your contracts with those vendors must require them to maintain appropriate safeguards, and you're expected to actively oversee their handling of your client information. Passing client data to a vendor who hasn't agreed in writing to meet your security standards is a compliance failure, regardless of whether a breach ever happens.

Incident Response: The Section Most Plans Skip

A WISP without a documented incident response plan is an incomplete one. The Safeguards Rule's written incident response plan requirement formally applies once you hold information on 5,000 or more consumers, but a breach hits a small practice just as hard. When one happens, the decisions that matter most shouldn't be made under pressure for the first time.

Your plan needs both a response procedure and a breach notification procedure. The response side outlines the immediate steps to contain the incident and re-secure affected systems. The notification side identifies who gets contacted and in what order: the IRS Stakeholder Liaison, your state Attorney General's office, the FTC if 500 or more individuals are affected, and state tax authorities. If the incident involves electronic data theft, the FBI's Internet Crime Complaint Center should also be notified. Clients whose information was exposed must be notified consistent with applicable law.

Practices that work through these steps in advance and document them clearly respond faster, limit damage more effectively, and face lower regulatory and legal exposure than those improvising. The same principle applies in other regulated industries. Our post on The Cost of Compliance Failures under the False Claims Act shows what's at stake when documentation and controls aren't in order before an incident.

Living Document

The IRS Security Summit is explicit: your WISP must evolve with your practice. Adding a remote work policy, onboarding a new cloud platform, or bringing on a new partner all trigger a review. At minimum, review and update the plan annually, and get signed acknowledgment from staff they've been trained on the current version.

Record retention is part of this as well. Keeping client records longer than legally required increases your exposure and adds to the volume of PII you're responsible for protecting. A current retention schedule, with clear procedures for secure destruction of both paper and electronic records, should be a formal attachment to your WISP, not an afterthought.

Compliance Risks

The FTC and the IRS expect every employee, from seasonal staff to senior partners, to understand and apply WISP policies in daily work. Human error is a leading cause of data breaches, so training directly reduces risk.

Frequently Asked Questions

Do I need a WISP if I'm a solo practitioner? Yes. The FTC Safeguards Rule applies to tax and accounting professionals classified as financial institutions under the GLBA, and that includes sole practitioners. The rule does allow you to scale the plan to the size and complexity of your practice, and it exempts practices holding information on fewer than 5,000 consumers from a few of its written elements (the written risk assessment, the written incident response plan, the annual written report to leadership, and continuous monitoring or annual penetration testing). A one-person shop doesn't need the same document as a regional practice. But you still need one.

Can I use a template? Templates are a starting point, not a finish line. The IRS Security Summit provides a sample WISP framework in IRS Publication 5708, but the rule requires your plan to reflect your actual environment: your specific hardware, your vendors, your staff, your risk profile. A template that hasn't been customized to your practice doesn't meet the standard.

How often does my WISP need to be updated? At minimum, annually. You also need to review and update it whenever there's a material change to your operations, such as new technology, new staff, new vendors, or changes in the services you offer. Each update should be dated, and staff should acknowledge the revised version in writing.

What happens if I have a breach and no WISP? The absence of a WISP is itself a regulatory violation, separate from the breach. It also removes any argument that you had reasonable safeguards in place. That matters in FTC enforcement proceedings, state regulatory actions, and civil litigation. It can also affect your cyber insurance coverage if your policy requires documented security controls.

Does my cyber insurance require a WISP? Most policies require documented security controls as a condition of coverage. If you file a claim and the insurer discovers you lacked a compliant WISP, they may deny it. For more on how documentation gaps affect insurance outcomes, see our post on SOC 2 Type 2 readiness, which covers the same principle in the context of formal audits.

What's the difference between a WISP and a cybersecurity policy? A cybersecurity policy is typically a high-level statement of intent. A WISP is a structured, operational document with named responsible individuals, specific procedures, risk assessments, vendor requirements, and incident response steps. The Safeguards Rule requires the latter.

Where STACK Can Help

STACK Cybersecurity works with tax and accounting practices across Michigan and beyond to develop, review, and maintain WISP documentation that meets the full requirements of the FTC Safeguards Rule. We help you identify the gaps between what you have and what you need, build the supporting policies and procedures the rule requires, and put the technical controls in place to back up the plan on paper.

If your practice doesn't have a current, compliant WISP, or if you're not confident the one you have would hold up to scrutiny, contact STACK to get started. A written information security plan is required by law. It should also be built to actually protect your clients.

Email: info@stackcyber.com
Phone: (734) 744-5300
