Why accountants are legally required to maintain a WISP
If you operate as a tax professional or CPA, you aren’t just “encouraged” to have a WISP; regulatory rules effectively demand it. Under the FTC Safeguards Rule (which implements the GLBA obligations for financial institutions), tax preparers and accounting firms are classified as “financial institutions” and must establish and maintain a Written Information Security Plan (WISP).
Further, the IRS requires tax professionals to attest to having a data security plan during PTIN renewal, and it references WISP principles in IRS Publication 4557 and the IRS’s “Creating a Written Information Security Plan” guidelines (Publication 5708) as the standard to follow.
State CPA societies also reinforce this requirement. For example, Oregon’s CPA society recently circulated a notice: “As a tax professional, you are legally required under the FTC Safeguards Rule to maintain a Written Information Security Plan (WISP).”
In short: no WISP means no compliance, and the lack of a WISP can expose a firm to FTC enforcement, professional discipline, civil liability, or insurance denial.
What a compliant WISP must include (from a legal standpoint)
Your WISP should document:
- Designation of responsible individuals (e.g. a Data Security Coordinator)
- Risk assessment and inventory of client data and infrastructure
- Safeguards program: administrative, technical, and physical controls
- Vendor and service provider oversight, with contractual obligations to maintain safeguards
- Incident response and breach reporting procedures, including the rule for notifying the FTC within 30 days when 500 or more individuals are affected
- Regular review, testing, and updating of the plan, especially after changes in operations, IT, or security incidents
Review frequency & responsible parties
To maintain compliance and relevance:
- Review and update your WISP at least annually, or more frequently when significant changes occur (new systems, mergers, remote work adoption, cybersecurity incidents).
- Test and audit key safeguards (vulnerability scans, penetration tests, simulated breaches) semi-annually or quarterly, depending on firm size.
Who’s responsible?
The WISP should name a Data Security Coordinator (or equivalent) who is accountable for managing the plan, compliance, training, audits, and updates. That person (or persons) must be empowered with authority and access.
Additionally, the firm’s leadership (partners, owners, managing directors) must support and sponsor the WISP, allocate resources, and enforce compliance.
Consequences of non-compliance
- FTC enforcement and penalties
- Insurance denial in the event of a breach (if the insurer requires the existence of a WISP)
- Professional discipline by CPA boards or licensing agencies
- Liability in breach litigation: plaintiffs may argue that the lack of a WISP is evidence of negligence or a breach of the standard of care
Want to build your own WISP in minutes?
Generate and download your own WISP PDF (tailored to accounting firms) in 5 minutes