
Ultimate WISP Requirements Guide 2025: Essential Compliance Steps for Tax Professionals

Meet 2026 IRS and FTC WISP requirements: all 9 mandated security elements, implementation steps, and compliance deadlines for tax professionals.


What WISP Requirements Actually Mandate for Tax Professionals

Every tax preparer, CPA, enrolled agent, and accounting firm operating in the United States must maintain a Written Information Security Plan (WISP)—a documented cybersecurity program that satisfies both Federal Trade Commission and IRS mandates. This is a federal legal requirement, enforced through substantial financial penalties and, in cases of false attestation, criminal liability.

The legal foundation runs through two parallel regulatory tracks. The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, classified tax professionals as financial institutions subject to the same data protection obligations as banks and investment firms. GLBA Section 501(b) requires these institutions to establish administrative, technical, and physical safeguards to protect customer information. The FTC translates this statutory obligation into enforceable rules through the Standards for Safeguarding Customer Information (16 CFR Part 314)—commonly called the FTC Safeguards Rule. The 2021 amendments strengthened enforcement significantly by mandating specific technical controls—including multi-factor authentication (MFA) and encryption—that were previously recommended but not required.

The IRS reinforces these mandates through IRS Publication 4557 and the Security Summit initiative, a public-private partnership launched in 2015. The August 2024 update to IRS Publication 5708 introduced material changes—universal MFA for all system access, updated password standards aligned with NIST SP 800-63B, and clarified breach notification timelines—that apply to the 2026 filing season. According to the IBM Cost of Data Breach Report 2024, the average breach costs $4.88 million per incident, a figure that underscores why regulators treat security program failures as violations warranting serious financial penalties.

The enforcement mechanism with the sharpest teeth is PTIN renewal. Tax professionals must certify compliance with security requirements when renewing their Preparer Tax Identification Numbers. A false certification is not a paperwork error—it constitutes federal fraud subject to criminal prosecution under 18 U.S.C. § 1001. For a full breakdown of what this attestation requires, see our guide to PTIN and WISP requirements for tax preparers.

WISP Compliance By The Numbers

  • $4.88M: average data breach cost (IBM Cost of Data Breach Report 2024)
  • $50,000+: minimum FTC penalty per violation (FTC Safeguards Rule enforcement actions)
  • 277 days: average breach detection time (IBM Security / Ponemon Institute 2024)

Who Must Comply: Clearing Up the 5,000-Consumer Myth

A dangerous misconception circulates among small tax practices: that firms serving fewer than 5,000 clients are fully exempt from WISP requirements. This misreading of FTC regulations exposes thousands of solo practitioners and small practices to significant compliance violations and security gaps.

The FTC Safeguards Rule does reference a 5,000-consumer threshold, but the exemption is narrow. It reduces documentation requirements for specific subsections—it does not eliminate the obligation to maintain an information security program. Every tax professional handling customer information, including solo practitioners preparing returns for a single client, must document and implement security programs covering all fundamental safeguard categories.

Firms with fewer than 5,000 consumers may have reduced requirements for written risk assessment documentation and incident response testing records, but they must still conduct these activities and implement the controls they identify. The exemption lightens paperwork on certain subsections; it does not remove the underlying security obligations.

The IRS applies an equally expansive interpretation. WISP requirements attach to access to taxpayer data—not client volume. Any entity that accesses, stores, processes, or transmits nonpublic personal information—Social Security numbers, income data, financial account details—falls under the mandate. For a step-by-step approach to building your plan, see our guide on how to create a WISP.

2026 Filing Season Compliance Deadline

The IRS requires all tax preparers to have an updated WISP reflecting the August 2024 Publication 5708 changes before the start of the 2026 filing season. Key changes include universal MFA across all systems—including in-office workstations, not just remote access—and updated password management standards. Firms without compliant plans face potential PTIN suspension and FTC enforcement referrals.

Bottom Line

No tax preparer is exempt from WISP requirements. The 5,000-consumer threshold only reduces documentation requirements for specific subsections—it does not eliminate the obligation to implement and maintain an information security program. Solo practitioners and small CPA firms must comply with all nine core WISP elements.

The Nine Mandatory WISP Elements

The FTC Safeguards Rule section 314.4 enumerates nine required components of a compliant information security program. Every covered entity must address all nine with policies, procedures, and technical controls proportionate to their size and risk profile. Weakness in any single element undermines the entire program—regulators evaluate all nine during audits, not a subset.

1. Designated Qualified Individual

Every covered entity must designate a qualified individual to oversee, implement, and enforce the information security program. This person coordinates all security activities, manages vendor relationships, oversees incident response, and reports to practice leadership. Solo practitioners serve as their own qualified individual, and formal documentation of that role's responsibilities is still essential for compliance verification. If internal expertise is insufficient, partnering with a cybersecurity specialist for tax and accounting firms satisfies this element while ensuring qualified oversight.

2. Risk Assessment

Risk assessments form the analytical foundation of your WISP. They identify threats to customer information and evaluate whether existing safeguards adequately address those threats. Assessments must examine both internal threats—employee errors, inadequate training, system misconfigurations, insider access abuse—and external threats including phishing campaigns, malware infections, physical theft, and social engineering attacks. Document your methodology, specific findings, likelihood and impact analysis, and prioritization criteria. Build a risk register listing each identified threat, current mitigation measures, and residual risk levels. Update assessments at minimum annually or whenever significant changes occur to your technology environment or business operations.

3. Safeguard Design and Implementation

Based on risk assessment findings, design and implement administrative, technical, and physical safeguards proportionate to identified risks. Technical safeguards include firewalls, intrusion detection systems, encryption protocols, access controls, and security monitoring tools. Administrative safeguards cover policies, procedures, and employee training programs. Physical safeguards address facility security, device management, and secure disposal. Verify safeguard effectiveness through vulnerability scanning, security audits, and continuous monitoring—then document all testing results and remediation actions to build an audit trail demonstrating ongoing program commitment.

4. Service Provider Oversight

Tax practices must select service providers capable of maintaining appropriate safeguards for customer information and require those safeguards through written contracts. This applies to tax software vendors, cloud storage providers, IT support firms, payroll processors, and any entity accessing customer information on your behalf. Written agreements must specifically address security obligations, data handling requirements, breach notification procedures, and audit rights. Conduct due diligence before engaging providers by reviewing their SOC 2 Type II reports and ISO 27001:2022 certifications. Annual vendor reassessments are now considered regulatory best practice—not optional follow-up.

Multi-Factor Authentication Implementation Checklist

  • Inventory all systems and applications that access or store customer information
  • Select an MFA solution compatible with your tax software and IT infrastructure
  • Deploy MFA on tax preparation software and all workstations, including in-office access
  • Enable MFA on all email accounts used for client communication
  • Require MFA on cloud storage, file-sharing platforms, and backup systems
  • Implement MFA for all remote access connections — VPN, remote desktop, and cloud applications
  • Train all staff on MFA enrollment and daily authentication procedures
  • Document MFA implementation in your WISP, specifying each solution deployed
  • Establish backup authentication methods for lost or unavailable devices
  • Test MFA functionality across all systems before the filing season begins

5. Program Evaluation and Adjustment

Information security programs require regular evaluation based on monitoring results, testing outcomes, operational changes, and regulatory updates. Conduct annual reviews examining all nine WISP elements for continued relevance and effectiveness. Trigger additional evaluations after implementing new technology, expanding services, experiencing a security incident, or when the IRS or FTC issues updated guidance. Document all evaluation activities, findings, decisions, and program modifications—this record demonstrates continuous improvement rather than a one-time compliance effort.

6. Multi-Factor Authentication

The 2021 Safeguards Rule amendments established universal MFA requirements for any individual accessing customer information systems, including in-office staff on the internal network. Acceptable implementations combine at least two authentication factors from different categories: something you know (password or PIN), something you have (authenticator app, hardware security key, or smart card), or something you are (fingerprint or facial recognition). Authenticator apps such as Microsoft Authenticator and Google Authenticator are widely accepted. Hardware security keys such as YubiKey provide the strongest assurance level. SMS-based codes remain acceptable under current rules but offer lower security than app-based methods and should be treated as a fallback, not a primary method.

7. Encryption

Encrypt customer information both in transit over external networks and at rest on all storage systems. Transit encryption protects email transmissions, cloud synchronization, remote access sessions, and file transfers—use TLS 1.2 or higher for web traffic and SFTP or FTPS for file transfers. At-rest encryption protects data on servers, workstations, laptops, mobile devices, backup media, and cloud storage. Implement full-disk encryption on all devices containing customer data using BitLocker (Windows), FileVault (macOS), or enterprise encryption management platforms. For cloud storage, verify that providers encrypt data both in transit and at rest; consider client-side encryption for particularly sensitive information before upload.

8. Secure Disposal

Implement documented procedures for secure disposal of customer information when retention is no longer legally required. Electronic data requires secure deletion tools that overwrite storage multiple times, degaussing for magnetic media, or physical destruction of storage devices. Paper records require cross-cut shredding or professional document destruction services with certificates of destruction. Maintain disposal records documenting dates, methods, and responsible individuals for all disposal activities—covering paper files, electronic documents, backup tapes, decommissioned hardware, and temporary files.

9. Incident Response Plan

Maintain a written incident response plan addressing detection, containment, response, recovery, and notification. The plan must define what constitutes a security incident, establish clear roles and responsibilities, outline step-by-step response procedures, specify notification requirements for affected clients and regulators, and include forensic evidence preservation procedures. The IRS expects notification when taxpayer data is compromised—typically within 72 hours of breach discovery for federal requirements. Test the plan at minimum annually through tabletop exercises and update it based on lessons learned. A tested, documented response plan is a regulatory expectation; an untested plan is a liability.

Six-Phase WISP Implementation Roadmap

1. Assess Your Current Security Posture (Weeks 1–2)

Audit existing policies, procedures, and technical controls against all nine mandatory WISP elements. Identify specific gaps—missing MFA, inadequate encryption, absent incident response procedures, undocumented risk assessments. Designate your qualified individual and identify any external cybersecurity partners needed to fill expertise gaps.

2. Conduct Risk Assessment and Draft Core Document (Weeks 3–4)

Document all identified threats across systems, applications, networks, and physical locations handling customer data. Build a risk register with likelihood and impact ratings. Begin drafting your WISP with each of the nine required elements customized to your actual operations—not generic template language copied from an unmodified sample.

3. Deploy Technical Controls (Weeks 5–8)

Implement MFA across all systems accessing customer data, full-disk encryption on all devices, email encryption for client communications, firewall configuration and network segmentation, endpoint protection with centralized management, and encrypted offsite backup. Verify and document each control after deployment.

4. Review and Update Vendor Contracts (Weeks 9–10)

Request SOC 2 Type II reports, security certifications, and compliance attestations from all service providers. Update or replace contracts to include specific security obligations, data handling requirements, breach notification procedures, and audit rights. Begin transition planning for vendors that cannot meet regulatory requirements.

5. Train Staff and Test Controls (Weeks 11–12)

Deliver security awareness training covering phishing recognition, MFA usage, password management, physical security protocols, and incident reporting. Document training completion for all personnel. Conduct tabletop incident response exercises and verify technical controls through testing—document all results and remediation actions.

6. Establish Ongoing Compliance Cadence (Continuous)

Schedule annual WISP reviews and updates, quarterly security training refreshers, monthly vulnerability scans, annual incident response plan testing, and annual vendor security reassessments. Implement continuous monitoring where feasible to detect security events in real time rather than through periodic checks.

2026 Regulatory Updates Every Tax Preparer Must Know

The August 2024 update to IRS Publication 5708 introduced the most significant changes to WISP requirements since the FTC's 2021 Safeguards Rule amendments. Three changes carry particular weight for practices entering the 2026 filing season.

Universal MFA eliminates the in-office exception. Previous guidance created ambiguity about whether MFA was required for local network access or only remote connections. The updated Publication 5708 resolves that ambiguity: MFA is required for all users accessing systems containing customer information, regardless of whether access originates inside or outside the office network. In-office staff accessing tax software, file servers, or cloud applications from within the building must use MFA. Every workstation, server connection, and application in your practice now requires multi-factor verification.

Password standards align with NIST guidance. Password management requirements shifted from mandatory 90-day change cycles to minimum 365-day intervals, reflecting NIST SP 800-63B guidance that frequent forced changes often produce weaker passwords and unsafe management practices such as writing them down. Passwords must still be changed immediately when compromise is suspected, when individuals with password knowledge leave the organization, or when unauthorized access is detected. Minimum length requirements are now 12 characters with complexity requirements including uppercase, lowercase, numbers, and special characters.

Breach notification timelines are now explicit. Updated guidance clarifies that tax professionals must notify the IRS, affected clients, and potentially state regulators and law enforcement when data breaches occur. The federal expectation is notification without unreasonable delay—typically within 72 hours of breach discovery. Failure to notify affected parties can result in additional penalties beyond those for the underlying security failure. Build notification procedures, contact lists, and communication templates before incidents occur; drafting them during a breach response adds hours to the response and multiplies legal exposure.
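The technical controls described in the MFA, encryption and password sections above (universal MFA with no in-office exception, SMS only as a fallback factor, full-disk encryption and TLS 1.2 or higher, and the 12-character / 365-day password standard with immediate change on suspected compromise) can be checked automatically against a system inventory so the results land in the WISP audit trail. The Python below is an added example, not code from this article or from Bellator Cyber Guard; the `System` record layout, its field names and the sample inventory are constructed for illustration.

```python
"""Audit a constructed system inventory against the WISP controls described above."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

PASSWORD_MIN_LENGTH = 12        # updated Publication 5708 minimum length
PASSWORD_MAX_AGE_DAYS = 365     # NIST SP 800-63B-aligned rotation interval
TLS_MIN_VERSION = (1, 2)        # TLS 1.2 or higher for data in transit
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|`~'\"")


@dataclass
class System:
    """One system or application in the practice inventory (hypothetical schema)."""
    name: str
    holds_customer_data: bool
    access: str                  # "in_office" or "remote"
    second_factors: frozenset    # factors enabled beyond the password, e.g. {"sms"}
    disk_encrypted: bool         # BitLocker / FileVault or equivalent enabled
    tls_version: tuple | None    # None for a device that serves no network traffic
    password_last_changed: date
    compromise_suspected: bool = False


def password_meets_standard(password: str) -> bool:
    """12+ characters containing upper, lower, digit and special character classes."""
    return (
        len(password) >= PASSWORD_MIN_LENGTH
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in SPECIAL_CHARS for c in password)
    )


def audit_system(system: System, today: date) -> list[tuple[str, str, str]]:
    """Return (system, control, finding) tuples for every control the system fails."""
    findings: list[tuple[str, str, str]] = []
    if not system.holds_customer_data:
        return findings  # the controls attach to customer data, not to every device

    # Universal MFA: access from inside the office network is not exempt.
    if not system.second_factors:
        findings.append((system.name, "MFA", f"no second factor; {system.access} access is not exempt"))
    elif system.second_factors <= {"sms"}:
        findings.append((system.name, "MFA", "SMS is the only second factor; fallback only, not primary"))

    if not system.disk_encrypted:
        findings.append((system.name, "Encryption", "no full-disk encryption at rest"))
    if system.tls_version is not None and system.tls_version < TLS_MIN_VERSION:
        ver = ".".join(map(str, system.tls_version))
        findings.append((system.name, "Encryption", f"TLS {ver} in transit is below 1.2"))

    # Password age: 365-day maximum, but an immediate change when compromise is suspected.
    age_days = (today - system.password_last_changed).days
    if system.compromise_suspected:
        findings.append((system.name, "Password", "suspected compromise; change immediately"))
    elif age_days > PASSWORD_MAX_AGE_DAYS:
        findings.append((system.name, "Password", f"last changed {age_days} days ago (max 365)"))
    return findings


def audit_inventory(systems, today: date) -> list[tuple[str, str, str]]:
    """Audit every system and return the combined findings list for the WISP record."""
    return [finding for system in systems for finding in audit_system(system, today)]


# Constructed sample inventory for illustration; not a real practice.
TODAY = date(2026, 1, 15)
SAMPLE_INVENTORY = [
    System("tax-workstation-01", True, "in_office", frozenset(), True, (1, 3), date(2025, 6, 1)),
    System("file-server", True, "in_office", frozenset({"sms"}), False, (1, 1), date(2024, 11, 1)),
    System("cloud-storage", True, "remote", frozenset({"authenticator_app"}), True, (1, 2),
           date(2025, 9, 1), compromise_suspected=True),
    System("lobby-kiosk", False, "in_office", frozenset(), False, None, date(2020, 1, 1)),
]

if __name__ == "__main__":
    for name, control, detail in audit_inventory(SAMPLE_INVENTORY, TODAY):
        print(f"{name:20} {control:10} {detail}")
```

The in-office workstation with no second factor, the SMS-only file server and the compromised cloud account each produce findings, while the kiosk that holds no customer data is out of scope.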

Common WISP Implementation Mistakes to Avoid

Regulatory audits in 2026 focus increasingly on five specific deficiencies. Each represents a gap between documented security posture and actual practice—the exact disconnect regulators examine first.

Treating the WISP as a one-time document. Filing a WISP and never revisiting it is the most widespread failure. Plans must be reviewed annually and updated whenever technology, operations, regulatory requirements, or the threat environment changes. A WISP describing systems you no longer use fails on its face.

Using generic templates without customization. Template language that does not reflect your specific software applications, network architecture, vendor relationships, and physical locations fails to satisfy the regulatory requirement. Every section must describe your actual controls and procedures.

Skipping ongoing employee training. Annual training is the regulatory minimum; quarterly reinforcement better addresses how quickly attack techniques evolve. Simulated phishing campaigns test recognition in realistic conditions. Our resources on security awareness training for tax firms address the specific social engineering tactics most commonly used against tax professionals.

Failing to document security activities. During a regulatory audit or legal proceeding following a breach, undocumented activities are treated as if they never occurred. Document risk assessments, testing results, training completions, vendor evaluations, incident investigations, and program reviews without exception.

Neglecting physical security. Many practices implement thorough technical controls while overlooking physical threats. Laptop theft, unauthorized office access, and improper disposal of paper records remain significant risk vectors. Physical safeguards—locked storage for sensitive documents, screen privacy filters, visitor access controls, and secure paper destruction—must be documented alongside technical controls in your WISP.

Building a Durable, Audit-Ready Security Program

A compliant WISP is not the same thing as a secure practice—but the two are closely related. The nine mandatory elements exist because they collectively address the most common and damaging threat vectors targeting tax professionals: phishing attacks that harvest credentials, ransomware that encrypts client data, insider errors that expose sensitive records, and vendor breaches that compromise downstream clients.

Firms that treat compliance as a floor rather than a ceiling consistently achieve better security outcomes. Annual WISP reviews become genuine opportunities to assess whether controls remain effective as your technology changes. Vendor contract reviews surface providers whose security posture has degraded since onboarding. Incident response tabletop exercises build the procedural muscle memory that determines whether a breach becomes a recoverable event or a practice-ending one.

For tax professionals formalizing their security program, a free WISP template for 2026 provides a structured starting point built to reflect current IRS and FTC requirements. Use it as a framework—then customize every section with your specific software, network architecture, vendor relationships, and staff responsibilities. A template that goes unedited is a compliance gap, not a compliance solution.

Get Your Free 2026 WISP Template

Bellator Cyber Guard's WISP templates are built specifically for tax professionals and updated to reflect current IRS Publication 5708 and FTC Safeguards Rule requirements.


Frequently Asked Questions

A Written Information Security Plan (WISP) is a documented cybersecurity program required of all tax professionals under the Gramm-Leach-Bliley Act and FTC Safeguards Rule (16 CFR Part 314). Tax preparers, CPAs, enrolled agents, and accounting firms are classified as financial institutions under GLBA, which obligates them to protect nonpublic personal information—including Social Security numbers, income data, and financial account details—with specific administrative, technical, and physical safeguards. The IRS reinforces this mandate through Publication 4557 and requires attestation of compliance during PTIN renewal.

No. The 5,000-consumer threshold in FTC regulations reduces documentation requirements for specific subsections but does not eliminate the obligation to implement an information security program. Solo practitioners preparing returns for even a single client must maintain documented security programs covering all nine core WISP elements. The exemption reduces paperwork on certain documentation requirements; it does not waive the underlying security mandate.

The FTC Safeguards Rule section 314.4 requires every covered entity to address: (1) designation of a qualified individual to oversee the program; (2) a documented risk assessment; (3) safeguard design and implementation based on risk findings; (4) written service provider oversight and contracts; (5) regular program evaluation and adjustment; (6) multi-factor authentication for all system access; (7) encryption of customer data in transit and at rest; (8) secure disposal procedures for customer information; and (9) a written incident response plan. Each element requires documentation proportionate to the organization's size and risk profile.

Yes. The August 2024 update to IRS Publication 5708 resolved previous ambiguity by establishing that MFA is required for all users accessing systems containing customer information—regardless of whether access is local or remote. In-office staff accessing tax software, file servers, or cloud applications from within the office network must use MFA. This requirement took effect for the 2026 filing season and applies universally across all practice sizes.

At minimum, review and update your WISP annually. Additional updates are required whenever significant changes occur to your technology environment, business operations, regulatory requirements, or the threat environment. Triggering events include implementing new software, adding employees, changing service providers, experiencing a security incident, or when the IRS or FTC issues updated guidance. A WISP that describes systems you no longer use or omits controls you have implemented does not meet regulatory standards.

FTC enforcement actions can result in penalties starting at $50,000 per violation under the Safeguards Rule, with additional state-level penalties in many jurisdictions. Tax professionals who falsely certify compliance with security requirements during PTIN renewal face federal fraud charges under 18 U.S.C. § 1001. Beyond regulatory penalties, data breaches carry an average cost of $4.88 million per incident according to the IBM Cost of Data Breach Report 2024—a figure that includes remediation, legal costs, regulatory fines, and client notification expenses.

Templates provide a useful structural starting point, but every WISP must be customized to reflect your specific practice operations, technology environment, vendor relationships, and physical locations. Regulators evaluate whether your documented controls match your actual security practices—generic template language that does not reflect your real systems or procedures does not satisfy the requirement. Use a template as a framework, then customize every section with your specific software applications, network architecture, and staff responsibilities.

Your incident response plan must define what constitutes a security incident, establish roles and responsibilities for each team member, provide step-by-step response procedures, specify notification requirements for affected clients and regulators (typically within 72 hours of discovery), include procedures for containing incidents and preserving forensic evidence, address how to determine scope and impact through analysis, and cover system restoration and corrective action. Test the plan at least annually through tabletop exercises and update it based on lessons learned from each test.

The FTC Safeguards Rule requires tax practices to select service providers that maintain appropriate safeguards for customer information and to mandate those safeguards through written contracts. This applies to tax software vendors, cloud storage providers, IT support firms, payroll processors, and any third party accessing customer data on your behalf. Contracts must specifically address security obligations, data handling requirements, breach notification procedures, and audit rights. Annual reassessment of vendor security posture—through SOC 2 Type II reports, security questionnaires, or direct assessment—is now considered regulatory best practice.
