Skip to content

Free 15-minute cybersecurity consultation — no obligation

Book Free Call
Tax31 min readDeep Dive

Ultimate WISP Requirements Guide 2025: Essential Compliance Steps for Tax Professionals

WISP requirements for tax professionals explained: all 9 FTC Safeguards Rule elements, 2026 compliance deadlines, and implementation steps. Protect your practice.

Ultimate WISP Requirements Guide 2025: Essential Compliance Steps for Tax Professionals - wisp requirements 2025

What WISP Requirements Actually Mandate for Tax Professionals

Every tax preparer, CPA, enrolled agent, and accounting firm operating in the United States must maintain a Written Information Security Plan (WISP)—a documented cybersecurity program that satisfies both Federal Trade Commission (FTC) and IRS mandates. Understanding wisp requirements 2025 and the 2026 updates that build on them has become essential, as these regulations carry federal legal authority enforced through substantial financial penalties and, in cases of false attestation, criminal liability.

The legal foundation runs through two parallel regulatory tracks. The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, classified tax professionals as financial institutions subject to the same data protection obligations as banks and investment firms. GLBA Section 501(b) requires these institutions to establish administrative, technical, and physical safeguards to protect customer information. The FTC translates this statutory obligation into enforceable rules through the Standards for Safeguarding Customer Information (16 CFR Part 314)—commonly called the FTC Safeguards Rule. The 2021 amendments strengthened enforcement significantly by mandating specific technical controls, including multi-factor authentication (MFA) and encryption, that were previously recommended but not required.

The IRS reinforces these mandates through IRS Publication 4557 and the Security Summit initiative, a public-private partnership launched in 2015 between the IRS, state tax agencies, and the private tax industry. The August 2024 update to IRS Publication 5708 introduced material changes applying to the 2026 filing season, making compliance more stringent than at any point in the program's history.

According to the IBM Cost of Data Breach Report 2024, the average breach now costs $4.88 million—a figure that contextualizes why regulators have escalated enforcement. This guide covers every element regulators examine, the 2026 updates you must act on now, and the implementation mistakes most commonly cited in enforcement actions.

Tax Preparer Cybersecurity By The Numbers

$4.88M
Avg. Cost of a Data Breach

IBM Cost of Data Breach Report 2024

68%
of Breaches Involve Human Element

Verizon Data Breach Investigations Report 2024

$100K
Max FTC Penalty Per Violation

FTC Safeguards Rule — 16 CFR Part 314

Who Must Comply: Clearing Up the 5,000-Consumer Myth

A persistent and dangerous misconception circulates among small tax practices: that firms serving fewer than 5,000 clients are fully exempt from WISP requirements. This misreading of FTC regulations exposes thousands of solo practitioners and small practices to significant compliance violations and real security gaps.

The FTC Safeguards Rule's 5,000-consumer threshold creates only limited exemptions for specific subsections—it does not eliminate the obligation to maintain an information security program. Every tax professional handling customer information, including solo practitioners preparing returns for a single client, must document and implement security programs covering all fundamental safeguard categories.

Firms with fewer than 5,000 consumers may have reduced requirements for written risk assessment documentation and incident response testing records, but they must still conduct these activities and implement the controls they identify. The exemption lightens paperwork on certain subsections; it does not remove the underlying security obligations.

The enforcement mechanism with the sharpest teeth is PTIN renewal. Tax professionals must certify compliance with security requirements when renewing their Preparer Tax Identification Numbers. A false certification constitutes federal fraud subject to criminal prosecution under 18 U.S.C. § 1001. For a complete breakdown of what this attestation requires, see our guide to PTIN and WISP requirements for tax preparers.

2026 Filing Season Compliance Deadline

The IRS and FTC require all covered tax professionals to have an updated, compliant WISP in place before the start of the 2026 filing season. Practices that have not addressed the August 2024 Publication 5708 updates—particularly the universal MFA requirement and revised password standards—face potential PTIN suspension and FTC enforcement exposure. Review and update your WISP before the season opens.

The Nine Mandatory WISP Elements Under 16 CFR §314.4

The FTC Safeguards Rule section 314.4 enumerates nine required components of a compliant information security program. Every covered entity must address all nine with policies, procedures, and technical controls proportionate to their size and risk profile. Weakness in any single element undermines the entire program—regulators evaluate all nine during audits, not a subset.

1. Designated Qualified Individual

Every covered entity must designate a qualified individual to oversee, implement, and enforce the information security program. This person coordinates all security activities, manages vendor relationships, oversees incident response, and reports to practice leadership. For solo practitioners, you serve as your own qualified individual—formal documentation of your responsibilities is essential for compliance verification during an audit.

2. Risk Assessment

Risk assessments form the analytical foundation of your WISP. They identify threats to customer information and evaluate whether existing safeguards adequately address those threats. Assessments must examine internal threats—employee errors, inadequate training, system misconfigurations, and insider access abuse—alongside external threats including phishing campaigns, malware infections, physical theft, and social engineering attacks. The assessment is not a one-time event; it must be repeated annually and whenever your technology or operations change materially.

3. Safeguard Design and Implementation

Based on risk assessment findings, design and implement administrative, technical, and physical safeguards proportionate to identified risks. Technical safeguards include firewalls, intrusion detection systems, encryption protocols, access controls, and security monitoring. Administrative safeguards cover policies, procedures, and employee training programs. Physical safeguards—frequently overlooked by practices focused on technology—include locked document storage, screen privacy filters, and visitor access restrictions. All three categories must appear in your written WISP.

WISP Implementation: All Nine Elements Step by Step

1

Designate a Qualified Individual

Formally assign one person (or yourself, for solo practices) to own and coordinate your entire information security program. Document this appointment in writing and include the role's specific responsibilities.

2

Conduct a Written Risk Assessment

Inventory all systems holding customer data. Identify internal and external threats, evaluate current safeguard effectiveness against each threat, and document all findings. Repeat this process annually.

3

Design and Implement Safeguards

Deploy technical controls (MFA, encryption, firewalls), administrative controls (policies, training), and physical controls (locked storage, access restrictions) based on your risk assessment findings.

4

Vet and Contract Service Providers

Evaluate every vendor that touches customer data—tax software providers, cloud storage, IT support, payroll processors. Require written, enforceable security commitments in all service agreements.

5

Test and Monitor Your Controls

Continuously monitor systems for unauthorized access and anomalies. Conduct annual penetration testing or vulnerability scans. Verify that your implemented controls are functioning as documented.

6

Maintain an Incident Response Plan

Document detection, containment, response, recovery, and notification procedures. Define breach notification timelines for the IRS, affected clients, and state regulators—72 hours is the current federal expectation.

7

Train Employees Regularly

Deliver annual security awareness training at minimum; quarterly reinforcement better matches the pace of evolving attack techniques. Cover phishing recognition, password hygiene, and incident reporting procedures.

8

Implement Secure Disposal Procedures

Use certified data destruction tools for electronic records and cross-cut shredding for paper documents. Document disposal activities with dates and methods to demonstrate compliance during an audit.

9

Review and Update the WISP Annually

Evaluate all nine elements each year—and whenever technology, regulations, or your operational environment changes. Maintain an audit trail of every review, update, and approval.

2026 Regulatory Updates Every Tax Preparer Must Act On Now

The August 2024 update to IRS Publication 5708 introduced the most significant changes to wisp requirements 2025 and forward since the FTC's 2021 Safeguards Rule amendments. Four changes carry particular weight for practices entering the 2026 filing season.

Universal MFA Eliminates the In-Office Exception

Previous guidance created ambiguity about whether multi-factor authentication was required for local network access or only remote connections. The updated Publication 5708 resolves that ambiguity: MFA is required for all users accessing systems containing customer information, regardless of whether access originates inside or outside the office network. Every in-office workstation used to access tax software, client portals, or any system storing Personally Identifiable Information (PII) now falls under this requirement.

Password Standards Align With NIST SP 800-63B

Password management requirements shifted from mandatory 90-day change cycles to minimum 365-day intervals, reflecting NIST SP 800-63B guidance that frequent forced changes often produce weaker passwords as employees resort to predictable patterns. Minimum length requirements are now 12 characters with complexity requirements including uppercase letters, lowercase letters, numbers, and special characters. Practices still enforcing 90-day rotations must update their written password policies before the 2026 filing season to close this documentation gap.

Breach Notification Timelines Are Now Explicit

Updated guidance clarifies that tax professionals must notify the IRS, affected clients, and potentially state regulators when data breaches occur. The federal expectation is notification without unreasonable delay—typically within 72 hours of breach discovery. Your written incident response plan for tax practices must now include documented notification procedures with specific contact information for your state's IRS Stakeholder Liaison office, not just generic language about notifying regulators.

Service Provider Security Documentation Requirements Tightened

The updated IRS guidance emphasizes that written contracts with service providers must explicitly address cybersecurity obligations. Generic service agreements without specific security language no longer satisfy this element. Review all vendor contracts—particularly with tax software providers and cloud storage vendors—to confirm they contain enforceable security commitments before the 2026 season begins.

2026 WISP Compliance Checklist for Tax Professionals

  • Designate a qualified individual responsible for your information security program in writing
  • Complete an annual risk assessment documenting all threats and current safeguard effectiveness
  • Deploy multi-factor authentication on all systems accessing customer information, including in-office workstations
  • Update password policy to require 12-character minimum and 365-day change intervals per NIST SP 800-63B
  • Implement encryption for customer data in transit (TLS 1.2 or higher) and at rest on all storage systems
  • Execute written security agreements with all service providers handling customer data
  • Create or update your incident response plan with explicit 72-hour breach notification procedures
  • Establish documented secure disposal procedures for paper and electronic customer information
  • Conduct annual employee security awareness training and document completion records
  • Test your incident response plan through annual tabletop exercises and document the results
  • Review and update your WISP document to reflect any changes in technology, operations, or regulations

Common WISP Implementation Mistakes That Draw Regulatory Scrutiny

Regulatory audits focus increasingly on the gap between what a WISP says and what a practice actually does. The five deficiencies below are the most common findings in enforcement reviews—each representing a breakdown between documented security posture and real-world controls.

Treating the WISP as a One-Time Document

Filing a WISP and never revisiting it is the most widespread failure. Plans must be reviewed annually and updated whenever technology, operations, regulatory requirements, or the threat environment changes. A WISP describing systems you no longer use, or omitting software added since the last update, fails on its face. Auditors compare WISP documentation against your actual technology inventory and will identify discrepancies.

Using Generic Templates Without Customization

Template language that does not reflect your specific software applications, network architecture, vendor relationships, and physical locations fails to satisfy the regulatory requirement. A WISP referencing "the firm's network" without identifying specific systems, or listing generic vendor categories without naming actual providers, is a documentable compliance gap. A starting-point template is valuable—our free 2026 WISP template includes section-by-section customization guidance—but every element must be completed with your real environment in mind.

Skipping Ongoing Employee Security Training

Annual training is the regulatory minimum; quarterly reinforcement better addresses how quickly attack techniques evolve. Tax firms are high-value targets precisely because they hold Social Security numbers, financial records, and bank routing information for large client bases. Training must cover recognition of phishing attempts, safe handling of client data, password hygiene, and the internal procedure for reporting suspected security incidents. Undocumented training sessions carry no compliance value—keep attendance records for every session.

Failing to Document Security Activities

During a regulatory audit or legal proceeding following a breach, undocumented activities are treated as if they never occurred. Document risk assessments, testing results, training completions, vendor evaluations, incident investigations, and program reviews without exception. The standard IRS records retention period of five years is a reasonable minimum for WISP documentation—long enough to demonstrate compliance history if an incident surfaces after the fact.

Neglecting Physical Security Controls

Many practices deploy thorough technical controls while overlooking physical threats. Client files left unattended on desks, unlocked filing cabinets, uncontrolled visitor access to workstations, and inadequate screen privacy all represent WISP compliance gaps. Physical safeguards must be documented alongside technical controls. Practices handling Federal Tax Information (FTI) face additional physical security requirements under IRS Publication 1075.

Bottom Line

WISP requirements apply to every tax professional handling client data—from solo preparers to large accounting firms. The 5,000-consumer exemption reduces paperwork on specific subsections; it does not eliminate your obligation to maintain and document an information security program. False certification of compliance during PTIN renewal constitutes federal fraud under 18 U.S.C. § 1001, carrying potential criminal prosecution.

Building a Durable, Audit-Ready Security Program

A compliant WISP is not the same thing as a secure practice—but the two are closely related. The nine mandatory elements exist because they collectively address the most common and damaging threat vectors targeting tax professionals: phishing attacks that harvest credentials, ransomware that encrypts client data, insider errors that expose sensitive records, and vendor breaches that compromise downstream clients.

Practices that treat compliance as a floor rather than a ceiling consistently achieve better security outcomes. Annual WISP reviews become genuine opportunities to assess whether controls remain effective as your technology changes. Vendor contract reviews surface providers whose security posture has degraded since onboarding. Incident response tabletop exercises build the procedural muscle memory that determines whether a breach becomes a recoverable event or a practice-ending one.

For practices building their program from the ground up, our detailed guide on how to create a WISP walks through each element with tax-practice-specific examples. Pair it with the all-in-one compliance package for documentation templates covering every FTC Safeguards Rule element.

If building internal security expertise is not feasible for your practice size, the FTC Safeguards Rule permits you to engage a qualified external specialist—and doing so simultaneously satisfies the qualified individual requirement and the service provider oversight element, provided you document the relationship in a written security agreement. The regulation does not require you to build this expertise in-house; it requires you to ensure it exists and is applied to your program.

Free WISP Template for Tax Professionals

Download our 2026-ready WISP template built specifically for tax preparers, CPAs, and accounting firms. Covers all nine FTC Safeguards Rule elements with tax-practice customization guidance included.

Book a Free Tax Cybersecurity Assessment

Our security experts will evaluate your current WISP compliance, identify gaps against the 2026 FTC Safeguards Rule requirements, and provide a prioritized action plan for the filing season ahead.

Frequently Asked Questions About WISP Requirements

A Written Information Security Plan (WISP) is a documented cybersecurity program that describes how a tax practice protects client data. The Gramm-Leach-Bliley Act classifies tax professionals as financial institutions, requiring them to implement administrative, technical, and physical safeguards for customer information. The FTC's Safeguards Rule (16 CFR Part 314) specifies exactly what those safeguards must include. Without a compliant WISP, tax professionals risk FTC civil penalties up to $100,000 per violation, IRS PTIN suspension, and potential criminal liability for false compliance certifications made during PTIN renewal.

Yes. The FTC Safeguards Rule's 5,000-consumer threshold creates only limited documentation exemptions for specific subsections—it does not eliminate the requirement to maintain an information security program. Solo practitioners preparing even a single return must document and implement security safeguards for all customer information they handle. The exemption reduces paperwork obligations for certain risk assessment and testing records, but the underlying security activities are still required for every covered tax professional.

Penalties operate on three levels. The FTC can impose civil penalties up to $100,000 per violation for institutions and $10,000 per violation for individual officers and directors under the Safeguards Rule. The IRS can suspend or revoke a tax professional's PTIN for non-compliance, effectively ending their ability to prepare returns for compensation. Most seriously, falsely certifying compliance during PTIN renewal constitutes federal fraud under 18 U.S.C. § 1001, carrying potential criminal prosecution and imprisonment of up to five years.

The FTC Safeguards Rule requires annual evaluation and update of your information security program at minimum. You must also update your WISP whenever material changes occur—adding new software applications, changing service providers, onboarding remote employees, relocating offices, or experiencing a security incident. The August 2024 IRS Publication 5708 update is a current example: practices must revise their WISPs now to reflect the universal MFA requirement and revised password standards before the 2026 filing season opens.

Yes, as of the August 2024 IRS Publication 5708 update. Previous guidance created ambiguity about whether MFA applied only to remote access. The updated guidance resolves that question clearly: MFA is required for all users accessing systems containing customer information, regardless of whether access originates inside or outside the office network. Every in-office workstation used to access tax software, client portals, or systems storing Personally Identifiable Information must have MFA enabled.

You can use a WISP template as a starting point, but the IRS and FTC require your WISP to reflect your specific practice. Generic language about "the firm's network" or unnamed vendor categories does not satisfy the regulatory requirement. Every section must describe your actual software applications, network architecture, service providers, and physical locations. A well-structured template reduces the work significantly—but each section requires customization to accurately describe your real environment and controls.

The updated IRS Publication 5708 guidance specifies that tax professionals must notify the IRS, affected clients, and potentially state regulators when data breaches occur. The federal expectation is notification within 72 hours of breach discovery. Failure to notify can result in additional regulatory action on top of the breach itself, increased civil liability to affected clients, and state-level data breach notification penalties that vary by jurisdiction. Your written incident response plan must document specific notification procedures and contact information before a breach occurs—not after.

You are not required to hire an external expert, but the FTC Safeguards Rule does require you to designate a qualified individual to oversee your information security program. For solo practitioners and small firms without internal cybersecurity expertise, working with a specialist who understands both the regulatory requirements and the specific threat environment facing tax professionals is often the most practical path. Engaging an external provider also satisfies the service provider oversight element of the Safeguards Rule, provided you document the relationship with a written security agreement that specifies security obligations.

Share

Share on X
Share on LinkedIn
Share on Facebook
Send via Email
Copy URL
(800) 492-6076
Share

Schedule

Need help with IRS compliance?

Our tax cybersecurity specialists can review your security posture and help you get compliant.

Protect your tax practice from cyber threats

Schedule a free consultation to assess your firm's security posture.