It all started with the growing realization that financial and tax professionals hold some of the most sensitive client data imaginable: Social Security numbers, bank details, income information, and more. As cyber threats surged over the past two decades, regulators recognized that data security couldn’t rely solely on good intentions; it needed structure, accountability, and documentation. That’s how the concept of the Written Information Security Plan (WISP) came to life. 

The origins of WISP date back to the early 2000s, when the Gramm-Leach-Bliley Act (GLBA) created the basis for protecting consumer financial information. Subsequently, the FTC’s Safeguards Rule built upon this, requiring financial institutions, including most CPA firms, to create detailed, written security programs. Over time, a number of states, beginning with Massachusetts (201 CMR 17.00) in 2010, enacted their own WISP mandates to better ensure consistent protection of residents’ personal data. 

Now, the need for WISP compliance is underscored by alarming data. According to the IRS Security Summit, tax professionals continue to be a high-value target for cybercriminals. Since 2019, the IRS has received more than 1,600 reports of data theft incidents from tax practitioners, and these breaches typically lead directly to stolen client identities and fraudulent tax returns. 

In 2024 alone, hundreds of tax preparers were affected by credential theft and system intrusions that could have been prevented with strong written security controls, staff training, and multi-layer cybersecurity procedures. 

These statistics highlight that a WISP is not just a regulatory checkbox; it is a practical safeguard against financial loss, liability exposure, reputational damage, and the erosion of client trust. 

For CPA firms, WISP compliance is all about gaining and maintaining client trust in an age when a single data breach can undo years of credibility. As digital transformation accelerates, cybercrime also becomes more advanced, and firms have to bring their security posture and workflows in line with federal and state WISP regulations. 

This blog serves as an all-inclusive guide for CPA firms that want to understand WISP so that they can meet IRS data security requirements. 

What is WISP? 

A Written Information Security Plan (WISP) is an official, written program that documents a firm’s methods of protecting sensitive information, specifically client information, using a mix of administrative, technical, and physical controls. It’s essentially the roadmap of a CPA firm’s data protection plan, promoting compliance with IRS, FTC, and state laws. 

One thing to get straight: a WISP isn’t a matter of check-the-box, single-document compliance; it’s a living program that must continually adapt. As a firm’s systems, staff, and technology change, so should its WISP. Periodic reviews, testing, and revision are needed to keep it current against new threats and maintain alignment with changing data security standards. 

A well-drafted WISP generally includes the following minimum elements: 

  • Governance: identification of the accountable individual (e.g., information security officer) and description of decision-making 
  • Risk assessment: identification of threats, whether deliberate or accidental, that could harm your systems and data 
  • Access controls & authentication (least privilege, MFA, strong passwords) 
  • Encryption and data-in-transit / data-at-rest protection 
  • Employee training and background checks 
  • Incident response and breach notification processes 
  • Data retention and secure disposal policies 
  • Vendor management and due diligence 

What does the IRS expect from CPA firms? 

The IRS mandates that tax preparers keep a current and thorough Written Information Security Plan (WISP) in place to safeguard sensitive taxpayer data from cyber-attacks and identity theft, as directed by the Gramm-Leach-Bliley Act and the FTC Safeguards Rule. The plan must be a dynamic, living document that is routinely evaluated, tested, and updated to reflect changes in business operations or newly discovered threats. 

A state-by-state look at WISP standards 

Although federal regulations, i.e., the FTC Safeguards Rule under the GLBA, establish the national minimum standard for data security, many U.S. states have enacted WISP or comparable information security requirements. These state-specific requirements differ in scope, language, and enforcement, which means that CPA firms with clients in more than one state need to know and comply with the most stringent applicable standard. 

Massachusetts (201 CMR 17.00): 

Massachusetts was the first state to directly mandate that every company processing the personal data of its residents have a Written Information Security Program. The law is extremely comprehensive: it outlines administrative, technical, and physical controls, requires encryption of personal information, and requires companies to appoint one or more individuals to maintain the WISP. This statute is widely regarded as the gold standard and has served as the model for many other states. 

New York (SHIELD Act): 

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act calls for companies to “develop, implement, and maintain reasonable safeguards” to secure the private data of New York residents. Although it doesn’t specify a WISP format, it essentially calls for the same things: employee training, risk assessments, and incident response protocols. Small companies have little leeway, but written documentation is still necessary to prove compliance. 

California (CCPA & CPRA): 

The CCPA and CPRA do not specifically demand a WISP, but they require reasonable security procedures and practices to be in place for protecting consumer information. For CPA firms, having a WISP is clear evidence of compliance, particularly when dealing with the sensitive financial data of California residents. 

Texas & Illinois: 

These states mandate that companies put in place reasonable data security practices and adhere to breach notification statutes, but they stop short of requiring a written WISP. Texas’s Identity Theft Enforcement and Protection Act, though, suggests written policies that reflect WISP guidelines, so having a written plan in place is a wise, proactive measure against liability. 

Connecticut, Oregon, and Colorado: 

These states have strengthened their cybersecurity laws in recent years, mandating administrative, technical, and physical controls that closely align with WISP standards. For example, Colorado’s data protection legislation requires covered entities to have a written policy for data disposal and breach response. 

How Does WISP Impact CPA Firms? 

1. Staff Roles and Responsibilities 

A WISP requires CPA firms to appoint a responsible individual or group, such as a security officer or managing partner, to manage information security, make sure that policies are enforced properly, and check compliance regularly. 

Employees must undergo periodic security training covering topics such as phishing awareness, password handling, and proper data handling. Documenting staff participation and training creates clear accountability and builds a culture of security within the firm. 

2. Client Data Workflow and Handling Alterations 

CPA firms deal with extremely sensitive data, such as Social Security numbers, bank account information, tax returns, and financial statements. All data collection, storage, and transmission are required to conform to standardized procedures through a WISP. 

Ad-hoc practices, like sending client files over unsecured email or keeping them on unencrypted devices, are eliminated. Access is limited according to employee job functions so that only the proper people handle sensitive information. 

These requirements typically demand changes in everyday workflows, including new approval processes, secure client portals, and routine data backups. 

3. Technology and Security Controls 

A WISP requires the adoption of strong technical controls. These consist of multi-factor authentication (MFA), encryption of data in transit and at rest, tested and centralized backups, and endpoint protection with monitoring for breach detection. 

Firms may also need to review and update their cloud providers and software so that they meet WISP standards. This might alter IT processes, but it bolsters overall security and safeguards client data from evolving cyber-attacks. 

4. Vendor and Third-Party Management 

Most CPA firms rely on outside suppliers for services such as cloud storage, payroll, or tax preparation software. In order to be WISP compliant, firms must have a vendor inventory, due diligence to verify security procedures, written formal agreements with responsibility definitions, and periodic reviews to ensure compliance. Incorporating these procedures into processes creates oversight and significantly reduces the likelihood of breaches due to third-party vulnerabilities. 

5. Incident Response and Reporting 

A WISP puts in place explicit procedures for discovering, reacting to, and reporting data breaches. Exercising those procedures with tabletop exercises guarantees the firm is able to react under stress quickly, minimizing harm and regulatory risk. Integrating incident response into business as usual makes the firm more robust against unforeseen security incidents. 

6. Operational Documentation and Continuous Compliance 

A Written Information Security Plan (WISP) is only effective when supported by strong access controls that regulate who can view, modify, or transmit sensitive taxpayer data. Under IRS and FTC Safeguards Rule requirements, firms must implement role-based access, unique user credentials, multi-factor authentication, and routine permission reviews to ensure that only authorized personnel can access confidential information. This reduces the risk of internal misuse, credential theft, and unauthorized system entry. Incorporating these access controls directly into the WISP ensures that data protection protocols are not just documented but also operationalized across daily workflows, helping prevent data breaches and maintaining compliance with regulatory expectations. 
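The four access-control requirements named above (role-based access, unique credentials, MFA, and routine permission reviews) are easiest to keep "operationalized" when the permission review itself is a repeatable script rather than a manual spreadsheet exercise. The block below is an added example written for this post; it is not code from the original page, nor from AcoBloom or Verito Technologies. It assumes a constructed role-to-system permission matrix and a constructed list of user accounts, and it flags the four conditions a WISP permission review looks for: grants that exceed the role's entitlement, accounts without MFA, credentials known to be shared, and accounts that have gone stale.

```python
"""Routine permission review for a CPA firm's client-data systems (added example).

Assumptions (constructed for illustration, not from the page):
  - ROLE_PERMISSIONS is the firm's approved role-based access matrix.
  - Each Account records the grants actually present in the systems, plus
    MFA status, whether the credential is shared, and last-login age.
"""
from dataclasses import dataclass

# Approved matrix: role -> {system: highest permitted level}. Constructed sample.
ROLE_PERMISSIONS = {
    "preparer": {"tax_software": "read-write", "client_portal": "read"},
    "reviewer": {"tax_software": "read-write", "client_portal": "read",
                 "document_archive": "read"},
    "admin":    {"tax_software": "admin", "client_portal": "admin",
                 "document_archive": "admin", "backup_console": "admin"},
    "intern":   {"client_portal": "read"},
}

# Ordering of access levels so "actual > permitted" can be compared.
LEVEL_RANK = {"none": 0, "read": 1, "read-write": 2, "admin": 3}
HIGHEST_RANK = max(LEVEL_RANK.values())


@dataclass
class Account:
    username: str
    role: str
    mfa_enabled: bool
    shared: bool            # credential known to be used by more than one person
    days_since_login: int
    grants: dict            # actual grants present: system -> level


def review_accounts(accounts, role_permissions=ROLE_PERMISSIONS, stale_days=90):
    """Return a list of (username, finding_kind, detail) tuples.

    finding_kind is one of: unknown-role, excess-privilege, mfa-missing,
    shared-credential, stale-account.
    """
    findings = []
    for acct in accounts:
        allowed = role_permissions.get(acct.role)
        if allowed is None:
            # A role outside the matrix cannot be reviewed; escalate it.
            findings.append((acct.username, "unknown-role", acct.role))
            continue
        for system, level in acct.grants.items():
            permitted = allowed.get(system, "none")
            # An unrecognised level is treated as the highest, never ignored.
            actual_rank = LEVEL_RANK.get(level, HIGHEST_RANK)
            if actual_rank > LEVEL_RANK[permitted]:
                findings.append((acct.username, "excess-privilege",
                                 f"{system}: {level} exceeds {permitted}"))
        if not acct.mfa_enabled:
            findings.append((acct.username, "mfa-missing", ""))
        if acct.shared:
            findings.append((acct.username, "shared-credential", ""))
        if acct.days_since_login > stale_days:
            findings.append((acct.username, "stale-account",
                             f"{acct.days_since_login} days since login"))
    return findings


# Constructed sample accounts: one clean, three with typical review findings.
SAMPLE_ACCOUNTS = [
    Account("alice", "preparer", True, False, 3,
            {"tax_software": "read-write", "client_portal": "read"}),
    Account("bob", "intern", False, False, 12,
            {"client_portal": "read", "tax_software": "read-write"}),
    Account("frontdesk", "preparer", True, True, 1,
            {"client_portal": "read"}),
    Account("carol", "reviewer", True, False, 140,
            {"document_archive": "read"}),
]


def format_report(findings):
    """Render findings as lines suitable for the WISP review record."""
    if not findings:
        return ["Permission review: no findings."]
    return [f"{user:<10} {kind:<18} {detail}" for user, kind, detail in findings]


if __name__ == "__main__":
    for line in format_report(review_accounts(SAMPLE_ACCOUNTS)):
        print(line)
```

Running the script prints one line per finding, which can be attached to the review record that Step 6 below asks firms to retain. Because the approved matrix lives in code (or a config file it loads), a change to a role is a reviewable change, and the next scheduled run flags every account that no longer matches.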

How Should CPA Firms Approach WISP Compliance? 

Step 1: Perform a Detailed Risk Assessment 

Firms should carry out a thorough risk analysis before writing a WISP. This involves inventorying all client information, reviewing the systems used for storage and transmission, and identifying vulnerabilities. Vendor and third-party risks should also be considered. By identifying where sensitive data is most exposed, firms can then target the implementation of proper controls, and the resulting WISP addresses the firm’s actual hazards. 

Step 2: Prepare a Written Information Security Plan 

The second step is to prepare an official WISP, which serves as the firm’s master plan for protecting data and maintaining compliance. It should explicitly define governance mechanisms and designate an individual or team responsible for information security. The plan should cover access controls, encryption requirements, employee training practices, incident response actions, data retention rules, and vendor management processes. A well-drafted WISP not only addresses regulatory needs but also provides staff with a defined standard to follow in their everyday security routine. 

Step 3: Deploy Security Controls and Embed into Workflow 

A WISP is only as effective as its implementation. CPA firms must put technical controls into place, including MFA, encrypted storage, secure backup practices, and endpoint monitoring. Employee processes might require adjustment to align with new guidelines for handling data, client interactions, and document exchange. Vendor contracts also need to be vetted to guarantee that third-party operators adhere to the firm’s security requirements. Combining these steps ensures that compliance is not only theoretical but also put into practice across all processes. 

Step 4: Regular Testing, Monitoring, and Updates 

Because a WISP is a living document that constantly requires revision, firms need to test and revise it on a regular basis. This involves performing tabletop exercises, breach simulations, and security audits, and retraining staff. Updates must reflect changes in technology, personnel roles, types of client data, or new regulatory compliance needs. Ongoing monitoring and tuning keep the WISP effective in the face of changing threats and demonstrate an active commitment to compliance. 

Step 5: Adopt the Stricter Standard Across States 

Since WISP requirements differ by state, the best approach is to create one uniform, comprehensive WISP that meets the stricter standard, typically Massachusetts 201 CMR 17.00. Jurisdiction-specific addenda can then be added for clients or operations in other areas. This approach ensures absolute regulatory compliance, makes adherence easier, and reduces penalty or liability risks across jurisdictions. 

Step 6: Document for Compliance Evidence 

Lastly, documentation is essential. Firms must document risk assessments, employee training, audits, incident reports, and WISP revisions. Comprehensive documentation demonstrates compliance to regulators, shields the firm in case of a breach, and maintains client trust by showing that the firm is actively engaged in securing sensitive information.

Risks of Compromising WISP Protocols 

1. Legal and Regulatory Sanctions 

CPA firms are subject to intense regulatory scrutiny when WISP compliance is lacking. Financial institutions under the FTC Safeguards Rule can be fined up to $50,120 a day per violation. Correspondingly, the IRS also imposes fines for failing to comply with its data security standards, which in extreme circumstances may result in suspending a firm’s operations until compliance is met. 

Failure to maintain a WISP can also jeopardize professional credentials. Tax preparers are required to confirm WISP compliance when renewing their Preparer Tax Identification Number (PTIN). Falsely claiming compliance is considered perjury, potentially resulting in the loss of a PTIN and other professional licenses. 

Furthermore, under the FTC Safeguards Rule, officers, partners, and directors can be held personally accountable for as much as $10,000 per violation. Firms lacking a WISP also face a high risk of failing audits by the IRS or state regulators, leading to heavy fines and business disruption. 

2. Financial Penalties and Costs 

The economic consequences of non-compliance can be devastating. According to IBM, the average cost of a tax and accounting firm data breach is $5.9 million per occurrence, while ransomware attacks had an average cost of $4.88 million in 2024. These costs cover regulatory penalties, legal fees, and recovery expenses. 

Numerous insurance companies have made a WISP a requirement for coverage. Businesses that do not have a compliant WISP can have their claims rejected, leaving them to pay all breach-related costs out of pocket. Further, clients can sue for monetary losses incurred as a result of negligent handling of their sensitive information, and courts can treat the lack of a WISP as evidence that adequate security measures were not in place. 

3. Operational Disruption 

In addition to fines and lawsuits, non-compliance can seriously hinder a firm’s day-to-day business. Recovery from a cyberattack, e.g., a ransomware infection, can result in considerable downtime during peak periods such as tax season. Downtime can cause missed deadlines, lost income, and damaged client relations, multiplying the financial and reputational harm. 

Conclusion 

By being aware of WISP mandates, having multifaceted policies in place, performing ongoing risk assessments, and keeping current with changing standards, CPA firms can minimize such risks and ensure client confidence. Embracing the most stringent standards of each jurisdiction and having complete documentation further enhances compliance and preparedness for audits or surprise events.

To streamline WISP compliance and data security operations, CPA firms can receive specialized support from AcoBloom in collaboration with Verito Technologies. By combining AcoBloom’s accounting expertise with Verito’s technology solutions, firms can benefit from customized WISP templates, automated compliance tracking, and data safeguarding tools.