
Ultimate WISP Requirements Guide 2025: Essential Compliance Steps for Tax Professionals

A complete guide to WISP requirements for 2026 for tax professionals: all nine mandated elements, compliance deadlines, and implementation steps for IRS compliance.

What WISP Requirements Actually Mandate for Tax Professionals

Every tax preparer, CPA, enrolled agent, and accounting firm operating in the United States must maintain a Written Information Security Plan (WISP)—a documented cybersecurity program that satisfies both Federal Trade Commission and IRS mandates. Understanding the WISP requirements for 2025 has become essential, because these regulations carry federal legal authority, enforced through substantial financial penalties and, in cases of false attestation, criminal liability.

The legal foundation runs through two parallel regulatory tracks. The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, classified tax professionals as financial institutions subject to the same data protection obligations as banks and investment firms. GLBA Section 501(b) requires these institutions to establish administrative, technical, and physical safeguards to protect customer information.

The FTC translates this statutory obligation into enforceable rules through the Standards for Safeguarding Customer Information (16 CFR Part 314)—commonly called the FTC Safeguards Rule. The 2021 amendments strengthened enforcement significantly by mandating specific technical controls—including multi-factor authentication (MFA) and encryption—that were previously recommended but not required.

The IRS reinforces these mandates through IRS Publication 4557 and the Security Summit initiative, a public-private partnership launched in 2015. The August 2024 update to IRS Publication 5708 introduced material changes that apply to the 2026 filing season, making compliance with the WISP requirements 2025 framework even more stringent.

Tax Professional Cybersecurity By The Numbers

  • $4.88M: average data breach cost (IBM Cost of a Data Breach Report 2024)
  • 277 days: average time to identify and contain a breach
  • 95%: breaches attributed to human error (Verizon Data Breach Investigations Report)

Who Must Comply: Clearing Up the 5,000-Consumer Myth

A dangerous misconception circulates among small tax practices: that firms serving fewer than 5,000 clients are fully exempt from WISP requirements. This misreading of FTC regulations exposes thousands of solo practitioners and small practices to significant compliance violations and security gaps.

The WISP requirements 2025 framework applies universally to tax professionals; the FTC Safeguards Rule's 5,000-consumer threshold creates only limited exemptions. The exemption reduces documentation requirements for specific subsections—it does not eliminate the obligation to maintain an information security program. Every tax professional handling customer information, including a solo practitioner preparing returns for a single client, must document and implement a security program covering all fundamental safeguard categories.

Firms with fewer than 5,000 consumers may have reduced requirements for written risk assessment documentation and incident response testing records, but they must still conduct these activities and implement the controls they identify. The exemption lightens paperwork on certain subsections; it does not remove the underlying security obligations.

The enforcement mechanism with the sharpest teeth is PTIN renewal. Tax professionals must certify compliance with security requirements when renewing their Preparer Tax Identification Numbers. A false certification constitutes federal fraud subject to criminal prosecution under 18 U.S.C. § 1001. For a full breakdown of what this attestation requires, see our guide to PTIN and WISP requirements for tax preparers.

2026 Filing Season Compliance Deadline

The IRS requires all tax preparers to have an updated WISP in place by the start of the 2026 filing season. New universal MFA requirements and updated password standards take effect immediately. Firms without compliant plans face potential PTIN suspension and FTC enforcement action.

The Nine Mandatory WISP Elements

The FTC Safeguards Rule section 314.4 enumerates nine required components of a compliant information security program. Every covered entity must address all nine with policies, procedures, and technical controls proportionate to their size and risk profile. Weakness in any single element undermines the entire program—regulators evaluate all nine during audits, not a subset.

1. Designated Qualified Individual

Every covered entity must designate a qualified individual to oversee, implement, and enforce the information security program. This person coordinates all security activities, manages vendor relationships, oversees incident response, and reports to practice leadership. Solo practitioners serve as their own qualified individual; formal documentation of those responsibilities is still essential for compliance verification.

2. Risk Assessment

Risk assessments form the analytical foundation of your WISP. They identify threats to customer information and evaluate whether existing safeguards adequately address those threats. Assessments must examine both internal threats—employee errors, inadequate training, system misconfigurations, insider access abuse—and external threats including phishing campaigns, malware infections, physical theft, and social engineering attacks.

3. Safeguard Design and Implementation

Based on risk assessment findings, design and implement administrative, technical, and physical safeguards proportionate to identified risks. Technical safeguards include firewalls, intrusion detection systems, encryption protocols, access controls, and security monitoring tools. Administrative safeguards cover policies, procedures, and employee training programs.

WISP Implementation Steps

1. Designate Security Coordinator: Assign a qualified individual responsible for overseeing your information security program and ensuring ongoing compliance.

2. Conduct Comprehensive Risk Assessment: Identify all systems handling customer data and evaluate threats, vulnerabilities, and current safeguard effectiveness.

3. Deploy Technical Safeguards: Implement multi-factor authentication, encryption, firewalls, and monitoring tools based on risk assessment findings.

4. Establish Administrative Controls: Create security policies, incident response procedures, and employee training programs tailored to your practice.

5. Document and Test Your Program: Maintain detailed documentation and conduct annual testing to verify safeguard effectiveness and regulatory compliance.

4. Service Provider Oversight

Tax practices must select service providers capable of maintaining appropriate safeguards for customer information and require those safeguards through written contracts. This applies to tax software vendors, cloud storage providers, IT support firms, payroll processors, and any entity accessing customer information on your behalf. If internal expertise is insufficient, partnering with a cybersecurity specialist for tax and accounting firms satisfies this element while ensuring qualified oversight.

5. Program Evaluation and Adjustment

Information security programs require regular evaluation based on monitoring results, testing outcomes, operational changes, and regulatory updates. Conduct annual reviews examining all nine WISP elements for continued relevance and effectiveness.

6. Multi-Factor Authentication

The 2021 Safeguards Rule amendments established universal MFA requirements for any individual accessing customer information systems, including in-office staff on the internal network. Acceptable implementations combine at least two authentication factors from different categories: something you know, something you have, or something you are.

7. Encryption

Encrypt customer information both in transit over external networks and at rest on all storage systems. Transit encryption protects email transmissions, cloud synchronization, remote access sessions, and file transfers—use TLS 1.2 or higher for web traffic.

8. Secure Disposal

Implement documented procedures for secure disposal of customer information when retention is no longer legally required. Electronic data requires secure deletion tools, while paper records require cross-cut shredding or professional document destruction services.

9. Incident Response Plan

Maintain a written incident response plan addressing detection, containment, response, recovery, and notification. The plan must define what constitutes a security incident, establish clear roles and responsibilities, and outline step-by-step response procedures. For detailed setup instructions, see our guide on how to set up two-factor authentication.

Bottom Line

All tax preparers handling customer information must have a Written Information Security Plan per IRS Publication 4557 and FTC Safeguards Rule requirements. The WISP requirements 2025 framework applies universally—there is no small-practice exemption from the core security obligations.

2026 Regulatory Updates Every Tax Preparer Must Know

The August 2024 update to IRS Publication 5708 introduced the most significant changes to the WISP requirements 2025 framework since the FTC's 2021 Safeguards Rule amendments. Three changes carry particular weight for practices entering the 2026 filing season.

Universal MFA eliminates the in-office exception. Previous guidance created ambiguity about whether MFA was required for local network access or only remote connections. The updated Publication 5708 resolves that ambiguity: MFA is required for all users accessing systems containing customer information, regardless of whether access originates inside or outside the office network.

Password standards align with NIST guidance. Password management requirements shifted from mandatory 90-day change cycles to minimum 365-day intervals, reflecting NIST SP 800-63B guidance that frequent forced changes often produce weaker passwords. Minimum length requirements are now 12 characters with complexity requirements including uppercase, lowercase, numbers, and special characters.

Breach notification timelines are now explicit. Updated guidance clarifies that tax professionals must notify the IRS, affected clients, and potentially state regulators when data breaches occur. The federal expectation is notification without unreasonable delay—typically within 72 hours of breach discovery.
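The three changes above can be turned into a repeatable check over your own user inventory. The following script is an added example, not part of the original article or of any IRS or FTC material: it audits a constructed account list against the universal MFA rule (no in-office exception), the 12-character four-class password standard with a 365-day maximum age, and computes the 72-hour notification deadline from a breach discovery time. The account fields and sample users are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_PASSWORD_LENGTH = 12        # article: minimum 12 characters
MAX_PASSWORD_AGE_DAYS = 365     # article: forced change at most every 365 days
NOTIFICATION_WINDOW_HOURS = 72  # article: notify "typically within 72 hours"
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?`~\\|")


def password_meets_standard(pw: str) -> bool:
    """Length plus all four character classes, as the article states them."""
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIALS for c in pw),
    )
    return len(pw) >= MIN_PASSWORD_LENGTH and all(classes)


@dataclass
class Account:
    user: str
    location: str              # assumed field: "office" or "remote"; MFA applies to both
    mfa_enabled: bool
    password_changed: datetime


def audit_accounts(accounts, as_of):
    """Return one finding per deviation; an empty list means no gaps found."""
    findings = []
    for a in accounts:
        if not a.mfa_enabled:
            findings.append(f"{a.user}: MFA not enabled ({a.location} access is not exempt)")
        age = (as_of - a.password_changed).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"{a.user}: password is {age} days old (max {MAX_PASSWORD_AGE_DAYS})")
    return findings


def notification_deadline(discovered):
    """Latest time to notify, counted from breach discovery."""
    return discovered + timedelta(hours=NOTIFICATION_WINDOW_HOURS)


# Constructed sample inventory (not real accounts).
AS_OF = datetime(2026, 1, 15)
EXAMPLE_DISCOVERY = datetime(2026, 2, 3, 9, 0)
SAMPLE_ACCOUNTS = [
    Account("preparer1", "office", mfa_enabled=False, password_changed=datetime(2025, 6, 1)),
    Account("preparer2", "remote", mfa_enabled=True, password_changed=datetime(2024, 11, 1)),
    Account("admin", "office", mfa_enabled=True, password_changed=datetime(2025, 12, 1)),
]

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ACCOUNTS, AS_OF):
        print(finding)
    print("notify by", notification_deadline(EXAMPLE_DISCOVERY).isoformat())
```

Run it against an export from your identity provider or local user directory and file the output with the year's risk assessment, since undocumented checks are treated as if they never happened.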

2026 WISP Compliance Checklist

  • Designate a qualified individual responsible for your information security program
  • Complete annual risk assessment documenting threats and current safeguards
  • Deploy multi-factor authentication on all systems accessing customer information
  • Implement encryption for data in transit and at rest
  • Execute written agreements with all service providers handling customer data
  • Create documented incident response plan with breach notification procedures
  • Establish secure disposal procedures for paper and electronic customer information
  • Conduct annual employee security awareness training
  • Test incident response plan annually through tabletop exercises
  • Document all security activities and maintain audit trail

Common WISP Implementation Mistakes to Avoid

Regulatory audits in 2026 focus increasingly on five specific deficiencies. Each represents a gap between documented security posture and actual practice—the exact disconnect regulators examine first.

Treating the WISP as a one-time document. Filing a WISP and never revisiting it is the most widespread failure. Plans must be reviewed annually and updated whenever technology, operations, regulatory requirements, or the threat environment changes. A WISP describing systems you no longer use fails on its face.

Using generic templates without customization. Template language that does not reflect your specific software applications, network architecture, vendor relationships, and physical locations fails to satisfy the regulatory requirement. Every section must describe your actual controls and procedures.

Skipping ongoing employee training. Annual training is the regulatory minimum; quarterly reinforcement better addresses how quickly attack techniques evolve. Our resources on security awareness training for tax firms address the specific social engineering tactics most commonly used against tax professionals.

Failing to document security activities. During a regulatory audit or legal proceeding following a breach, undocumented activities are treated as if they never occurred. Document risk assessments, testing results, training completions, vendor evaluations, incident investigations, and program reviews without exception.

Neglecting physical security. Many practices implement thorough technical controls while overlooking physical threats. Physical safeguards—locked storage for sensitive documents, screen privacy filters, visitor access controls, and secure paper destruction—must be documented alongside technical controls in your WISP.


Building a Durable, Audit-Ready Security Program

A compliant WISP is not the same thing as a secure practice—but the two are closely related. The nine mandatory elements exist because they collectively address the most common and damaging threat vectors targeting tax professionals: phishing attacks that harvest credentials, ransomware that encrypts client data, insider errors that expose sensitive records, and vendor breaches that compromise downstream clients.

Firms that treat compliance as a floor rather than a ceiling consistently achieve better security outcomes. Annual WISP reviews become genuine opportunities to assess whether controls remain effective as your technology changes. Vendor contract reviews surface providers whose security posture has degraded since onboarding. Incident response tabletop exercises build the procedural muscle memory that determines whether a breach becomes a recoverable event or a practice-ending one.

For tax professionals formalizing their security program, understanding FTC Safeguards Rule requirements provides essential context for compliance planning. The intersection between federal requirements and practical security operations becomes clearer when you understand both the letter and spirit of these regulations.

Beyond compliance documentation, consider how your WISP integrates with broader cybersecurity concerns. Cyberattacks on tax firms continue to evolve, requiring security programs that adapt to emerging threats while maintaining compliance with the WISP requirements for 2025 and the upcoming 2026 enhancements.


Frequently Asked Questions

What is a WISP?

A Written Information Security Plan (WISP) is a document required by the IRS and FTC that outlines how your tax practice protects client information. It is mandatory for all tax preparers handling customer data, regardless of practice size.

Do practices with fewer than 5,000 consumers still need a WISP?

Yes. The FTC Safeguards Rule's 5,000-consumer threshold only reduces documentation requirements for specific subsections—it does not exempt small practices from maintaining an information security program. Every tax preparer must have a WISP.

What are the penalties for non-compliance?

Penalties include FTC enforcement actions up to $100,000 per violation, PTIN suspension, and potential criminal charges for false certification. The IRS can also suspend your ability to prepare tax returns.

How often must a WISP be reviewed?

You must review and update your WISP at least annually, and whenever significant changes occur to your technology, operations, or regulatory requirements. Major updates to IRS guidance also trigger review requirements.

Is MFA required for staff working inside the office?

Yes. The 2026 updates eliminate the in-office exception. All users accessing systems containing customer information must use multi-factor authentication, regardless of whether they are connecting from inside or outside your office network.

Can I use a WISP template?

While templates provide a helpful starting point, your WISP must reflect your specific software, network architecture, vendor relationships, and physical locations. Generic templates without customization fail regulatory requirements.

What happens if I do not notify clients after a breach?

Failure to notify affected clients within 72 hours of breach discovery can result in additional penalties beyond those for the underlying security failure. You must also notify the IRS and potentially state regulators and law enforcement.

Do I need to hire a cybersecurity firm?

Not necessarily. Solo practitioners can serve as their own qualified individual if properly trained. However, partnering with a cybersecurity specialist ensures expert oversight and may be more cost-effective than developing internal expertise.
