
What the IRS Requires and Why It Matters
If you’re a tax preparer or accounting professional, you’ve likely heard the term “WISP” thrown around recently, and for good reason. WISP stands for Written Information Security Plan. Under the FTC Safeguards Rule a written plan has long been more than a best practice, and since June 9, 2023, when the FTC’s amended rule took full effect, that plan has to contain a specific list of elements. The FTC enforces the rule, and the IRS makes compliance with it a condition of participating in IRS e-file.
Today, we’re breaking down exactly what a WISP is, why the IRS implemented it, what legislation it stems from, and how adopting one ultimately protects both your firm and your clients. Whether you’re a sole practitioner or part of a mid-sized firm, understanding and complying with WISP requirements is essential to running a modern, secure, and reputable accounting business.
What Is a WISP?
A Written Information Security Plan (WISP) is a documented strategy that outlines how your firm protects sensitive client information—especially Personally Identifiable Information (PII) and financial data. A properly constructed WISP includes administrative, technical, and physical safeguards to protect data against breaches, theft, unauthorized access, and other security threats.
Your WISP should explain how files are stored, how passwords are managed, what to do during a security incident, and how your firm trains employees on data safety.
Why the IRS Requires a WISP
The requirement to implement a WISP isn’t arbitrary. It’s a response to the escalating cyber threats targeting financial and tax-related information. Every year, the IRS receives thousands of reports from tax professionals whose client data was breached. These incidents lead to identity theft, fraudulent returns, IRS investigations, and often lost business.
To fight this growing threat, the IRS partnered with state tax agencies and the private-sector tax industry under the Security Summit initiative (formed in 2015), promoting best practices like WISP adoption across the industry.
The Legal Foundation: Gramm-Leach-Bliley Act and the FTC Safeguards Rule
The requirement for a WISP is rooted in the Gramm-Leach-Bliley Act (GLBA), enacted in 1999. This law requires financial institutions—including accounting and tax professionals—to protect customer data.
In 2003, the FTC implemented the Safeguards Rule, which has required covered institutions to develop, implement, and maintain a written information security program ever since. In December 2021, the FTC published an amended Safeguards Rule that adds specific, prescriptive requirements for protecting customer information.
Most of those new requirements took effect on June 9, 2023. That date did not newly bring tax preparers, accountants, and bookkeepers under the rule (as financial institutions they were already covered), but it is the date by which their written plans had to include the amended rule’s specific elements.
IRS Reinforcement of WISP Requirements
The IRS hasn’t just echoed the FTC’s recommendations—they’ve made data security a critical part of the tax preparer ecosystem. As threats to taxpayer data rise, the IRS has taken a strong position on cybersecurity, especially for the professionals they authorize to prepare and file returns.
To that end, the IRS has published and promoted key materials that support and reinforce the WISP requirement:
- Publication 4557: Safeguarding Taxpayer Data
This guide outlines essential security practices and reminds preparers that protecting client data is not optional, it is a legal obligation.
- Publication 5708: Creating a Written Information Security Plan
This document provides a step-by-step roadmap for tax and accounting professionals to create a compliant WISP.
- PTIN Renewal Process
Each year, tax preparers must renew their Preparer Tax Identification Number (PTIN). The renewal process now requires the preparer to confirm awareness of their data security responsibilities, including the obligation to have a written information security plan.
The IRS does not conduct routine WISP inspections, but a missing plan can come to light during:
- Data breach investigations
- Client complaints or audits
- Professional license or PTIN reviews
- E-file application reviews
If you prepare returns for compensation and don’t have a WISP, you’re already in violation of these expectations—and risk penalties and exclusion from IRS-authorized services.
What Happens If You Don’t Comply?
Not having a WISP isn’t just a bad idea—it’s a business risk with real consequences. Here’s what could happen if your accounting firm ignores the WISP requirement:
1. Regulatory Penalties
The FTC enforces the Safeguards Rule. Enforcement actions have typically ended in consent orders that impose years of independent security assessments and reporting, and violating such an order carries civil penalties of tens of thousands of dollars per violation. The total cost of an action scales with the severity and scope of the failure.
2. IRS Sanctions
If the IRS determines that you are not taking proper steps to protect taxpayer data, you could face sanctions, including:
- Loss or suspension of your e-file privileges
- Denial or revocation of your PTIN
- Ineligibility for other IRS programs, such as the Annual Filing Season Program
3. Client Trust and Legal Liability
A single data breach could compromise hundreds of client records. If it becomes clear that you had no security plan or documentation in place, you could face:
- Lawsuits from affected clients
- Breach notification costs (every state has a breach notification law, and since May 2024 the Safeguards Rule also requires notifying the FTC within 30 days of discovering a security event that affects at least 500 consumers)
- Reputational damage that may permanently impact your business
4. Loss of Insurance Coverage
Some cyber liability insurance providers require proof of a formal WISP. If you suffer a breach and don’t have one, your coverage may be denied.
How Long Do You Have to Get Compliant?
The clock already ran out.
The FTC’s revised Safeguards Rule took full effect on June 9, 2023. Tax preparers and accounting firms were already covered as financial institutions, so that date was the compliance deadline for the amended requirements, not the start of coverage. By then, all covered businesses were expected to have a written, documented, and implemented WISP in place.
There is no current grace period.
However, enforcement is typically triggered by events—such as a data breach, complaint, or audit—not random inspections. That means:
✅ If you’re not yet compliant, you still have time to get ahead of enforcement.
🚫 But if something goes wrong before you act, you may not have much of a defense.
Some firms mistakenly believe this is just a “big firm” rule, or that using antivirus software counts as compliance. It doesn’t. The FTC and IRS expect your firm to maintain a living document that reflects how you identify risks, protect client information, and respond to threats.
The good news? A small firm’s WISP doesn’t need to be complex—it just needs to be relevant, thoughtful, and implemented.
What Must Be in Your WISP?
According to the FTC Safeguards Rule and IRS guidance, your WISP should include:
- A designated security coordinator (the rule calls this person the “Qualified Individual”; it can be an employee or a service provider, but your firm remains responsible)
- Risk assessment procedures that identify where customer information lives and what threatens it
- Employee security awareness training
- Safeguards for information systems, including access controls, an inventory of data and systems, encryption of customer information in transit over external networks and at rest, multi-factor authentication for anyone accessing your systems, secure disposal of data you no longer need, and logging and monitoring of user activity
- Vendor (service provider) oversight
- An incident response plan
- Ongoing testing and monitoring of your safeguards
- Periodic review and updates
The rule scales with firm size. A firm that holds information on fewer than 5,000 consumers is exempt from the written risk assessment (you must still perform one), the continuous monitoring or annual penetration testing requirement, the written incident response plan, and the annual report to the board. Every other element, including the written plan itself, multi-factor authentication, and encryption, applies regardless of size.
How a WISP Benefits Your Firm
Compliance aside, building and maintaining a WISP can add meaningful value to your accounting practice in several ways:
1. It Demonstrates Professionalism
When clients choose an accountant, they’re trusting you with their most sensitive data. A documented WISP shows that your firm takes that trust seriously and has taken proactive steps to earn it.
2. It Reduces Risk Exposure
A WISP is designed to reduce the likelihood of costly problems:
- Identity theft
- Ransomware attacks
- Email phishing scams
- Employee negligence
Even if you can’t eliminate every threat, a WISP ensures you’re aware of your risks and actively working to mitigate them.
3. It Prepares You for Cyber Insurance and Legal Protection
Many cyber insurance providers now require a written WISP before issuing a policy or processing a claim. Courts may also look more favorably on your business if you can demonstrate that you had reasonable and documented security practices in place.
4. It Empowers Your Team
A WISP is also a training tool. It helps standardize employee behavior, outlines response plans for emergencies, and defines what’s expected from everyone who touches client data.
5. It Makes You More Competitive
Clients are asking tougher questions about security. A WISP helps you serve commercial clients, government entities, or any organization that requires its vendors to prove cybersecurity practices.
Common WISP Myths Busted
“I’m just a small firm—they won’t bother with me.”
Actually, small firms are often top targets because they typically lack advanced defenses.
“We already use antivirus, so we’re covered.”
Cybersecurity isn’t just about software—it’s about people, policies, and planning.
“It’s too complex or time-consuming.”
Not with the right partner. A professional can help you get compliant fast and with confidence.
How to Get Started
If you haven’t created your WISP yet, don’t panic—but don’t wait either. Here’s how to begin:
- Download IRS Publication 5708 – This free guide walks you through WISP creation.
- Conduct a Risk Assessment – Evaluate vulnerabilities in your systems and staff habits.
- Designate a Security Coordinator – Assign someone responsible for managing the WISP.
- Work With a Security Partner – This step is where Eagle IT can help.
Eagle IT specializes in helping accounting firms create and implement IRS-compliant WISPs.
We understand the legal and technical details and take the stress off your shoulders. We’ll walk you through risk assessments, employee training, documentation, and ongoing reviews—so you can focus on what matters most: serving your clients.
- Train Your Team – Security awareness is only as strong as your least-prepared employee.
Final Thoughts
The WISP requirement isn’t just another government mandate. It’s a blueprint for how to protect your firm, safeguard your clients, and operate with peace of mind.
By taking steps today to get compliant, you’ll position your firm for long-term success—secure, trusted, and protected.
Eagle IT is here to help. As a local, relationship-focused IT partner, we guide accounting professionals like you through the entire WISP journey. From plan creation to ongoing support, we handle the details while keeping IT simple.
📞 Ready to protect your firm and your clients?
Call Eagle IT at (321) 558-7761 or schedule a no-pressure consultation online.
Let’s protect what matters—together.
