Bellator Cyber Guard
Frequently Asked Questions

Tax cybersecurity questions answered

Everything tax professionals need to know about WISP requirements, IRS compliance, data protection, and cybersecurity best practices, answered in plain English.

WISP Requirements

Understanding your WISP obligations

What is a WISP and why does the IRS require one?
A Written Information Security Plan (WISP) is a formal document that describes how your tax practice protects sensitive taxpayer information. The legal obligation comes from the FTC Safeguards Rule under the Gramm-Leach-Bliley Act, which treats tax return preparers as financial institutions; IRS Publication 4557 explains that obligation for tax professionals, and the PTIN application and renewal ask you to confirm you are aware of it. The WISP serves as both your compliance record and your operational playbook for data security. Without one you are out of compliance with federal regulation and exposed if you are audited or breached.
What must be included in a WISP?
Your WISP must include nine key components: a designated security officer, a documented risk assessment, administrative, technical, and physical safeguards, employee management and training procedures, information systems management policies, detection and monitoring procedures, data retention and disposal policies, an incident response plan, and a schedule for annual review and updates. Each section must describe your actual practice, with the systems, vendors, staff roles, and data flows you really have, rather than generic boilerplate.
How often do I need to update my WISP?
The IRS and FTC require you to review and update your WISP at least annually. You should also update it whenever there is a material change in your business operations, such as adding new staff, changing technology systems, moving offices, or identifying new threats. Each update should be dated and documented to show regulators that your WISP is a living document.
Can I use a template for my WISP or do I need a custom one?
Templates are an excellent starting point and are perfectly acceptable to the IRS, provided you customize them to reflect your specific practice. A generic template that has not been tailored to your actual systems, workflows, and risks will not hold up under audit. Our free WISP template is designed to be customized in under two hours and covers all required sections.
Is a WISP the same as a data security policy?
A WISP is more comprehensive than a typical data security policy. While a security policy might address password rules or acceptable use, a WISP encompasses your entire information security program including risk assessment, safeguards implementation, employee training, incident response, and ongoing management. Your data security policies are components within your broader WISP.

IRS Compliance

IRS rules and enforcement

Which IRS publications govern cybersecurity for tax professionals?
The primary guidance comes from IRS Publication 4557, "Safeguarding Taxpayer Data." This publication references the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule (16 CFR Part 314), which classify tax return preparers as financial institutions with mandatory security obligations. Publication 5293, "Data Security Resource Guide for Tax Professionals," provides additional technical guidance, and Publication 5708, "Creating a Written Information Security Plan for your Tax & Accounting Practice," walks through building the WISP itself.
Does the IRS actually enforce cybersecurity requirements?
Yes, and enforcement has increased significantly in recent years. The IRS works with the Security Summit, a partnership between the IRS, state tax agencies, and the tax industry. Consequences can include action against your PTIN, civil penalties under IRC Section 6713 and criminal prosecution under IRC Section 7216, both of which address unauthorized disclosure or use of tax return information, which is what a breach caused by inadequate safeguards can amount to. The FTC separately enforces the Safeguards Rule through investigations, consent orders, and civil penalties.
What is the FTC Safeguards Rule and how does it apply to tax preparers?
The FTC Safeguards Rule requires financial institutions, which includes all tax return preparers, to develop, implement, and maintain a comprehensive information security program. The amendments finalized in 2021, with most provisions taking effect on June 9, 2023, added specific technical requirements including encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information, access controls, and the designation of a qualified individual to oversee the program and report on it in writing at least annually. A further amendment in 2023, effective May 2024, requires notifying the FTC within 30 days of discovering a breach that affects 500 or more consumers. Practices holding information on fewer than 5,000 consumers are exempt from a few of the written-documentation provisions under 16 CFR 314.6, but the IRS still expects every preparer to maintain a WISP. Non-compliance can result in FTC enforcement actions and significant financial penalties.
Do I need to report data breaches to the IRS?
Yes. If you experience a data breach involving taxpayer information, you must report it to your local IRS Stakeholder Liaison and to the relevant state attorney general. You should also file a complaint with the FBI Internet Crime Complaint Center (IC3). If the breach affects 500 or more consumers, the FTC Safeguards Rule requires notifying the FTC within 30 days of discovery. Additionally, all 50 states have their own breach notification laws requiring you to notify affected individuals; many set a deadline of 30 to 60 days, others require notice without unreasonable delay, so check the law of each state where an affected client lives.

Security Best Practices

Protecting your practice day to day

What are the most important security controls for a tax practice?
The five most critical controls are: multi-factor authentication on all accounts that access taxpayer data, endpoint detection and response software on every workstation, encrypted backups tested regularly for successful restoration, email security including phishing filtering and encryption, and employee security awareness training with simulated phishing. These controls address the most common attack vectors targeting tax practices.
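What "tested regularly for successful restoration" means in practice is a restore into a scratch location followed by a byte-for-byte comparison against what was backed up, not just confirming that the archive opens. The following is an added example, not code from this page or from Bellator: it writes a tar.gz backup with a SHA-256 manifest, restores it into a temporary directory, and reports any file that is missing, altered, or unexpected. The encryption layer (age, gpg, or your backup tool's own) is assumed to wrap the archive around these functions and is not shown; the sample practice directory built inside demo() is constructed.

```python
"""Restore test for a backup routine (added example, standard library only).

Assumption: the archive is encrypted with age/gpg before it leaves the office
and decrypted before verify_restore() runs; that wrapper is not shown here.
"""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive source to a .tar.gz and write the manifest beside it."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def safe_extract(tar: tarfile.TarFile, dest: Path) -> None:
    """Extract only plain files/dirs whose paths stay inside dest.

    A tampered archive can carry '../' names, symlinks or device nodes that
    would write outside the restore directory; refuse those before touching disk.
    """
    dest_resolved = dest.resolve()
    for member in tar.getmembers():
        if not (member.isfile() or member.isdir()):
            raise ValueError(f"refusing non-regular member: {member.name}")
        target = (dest / member.name).resolve()
        if target != dest_resolved and dest_resolved not in target.parents:
            raise ValueError(f"path escapes restore directory: {member.name}")
    tar.extractall(dest)


def verify_restore(archive: Path, manifest: dict[str, str]) -> dict:
    """Restore into a scratch dir and diff the result against the manifest.

    ok is True only when every expected file is present with the right hash
    and nothing unexpected appeared.
    """
    report: dict = {"missing": [], "corrupted": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            safe_extract(tar, dest)
        restored = build_manifest(dest)
    for rel, digest in manifest.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["corrupted"].append(rel)
    report["unexpected"] = sorted(set(restored) - set(manifest))
    report["ok"] = not any(report[k] for k in ("missing", "corrupted", "unexpected"))
    return report


def demo() -> dict:
    """Constructed sample: a tiny practice directory, one good backup, and one
    taken after a file was altered and another deleted."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        source = root / "practice"
        (source / "clients").mkdir(parents=True)
        (source / "clients" / "1040.txt").write_text("constructed sample return\n")
        (source / "wisp.txt").write_text("constructed sample WISP\n")

        good = root / "good.tar.gz"
        manifest = create_backup(source, good)
        clean = verify_restore(good, manifest)

        # Drift after the manifest was taken: corrupt one file, lose another.
        (source / "clients" / "1040.txt").write_text("bit rot\n")
        (source / "wisp.txt").unlink()
        bad = root / "bad.tar.gz"
        with tarfile.open(bad, "w:gz") as tar:
            tar.add(source, arcname=".")
        drifted = verify_restore(bad, manifest)
    return {"clean": clean, "drifted": drifted}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run verify_restore() on a schedule against the real decrypted backup, keep the manifest somewhere the backup job cannot overwrite, and treat any non-empty missing or corrupted list as an incident to investigate rather than a warning to dismiss. The safe_extract() check matters because a restore often runs with elevated rights: an archive that has been swapped or modified can otherwise plant files outside the restore directory.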
How should I securely share documents with clients?
Never send taxpayer documents via unencrypted email. Use a secure client portal with encryption in transit and at rest, multi-factor authentication for client access, and audit logging. Avoid consumer file-sharing services like personal Dropbox or Google Drive accounts. Purpose-built tax portals or encrypted file-sharing platforms designed for financial services are the appropriate choice.
What should I do if I think my practice has been breached?
Act immediately. Isolate affected systems by disconnecting them from the network (unplug the cable, disable Wi-Fi) but leave them powered on: memory contents, running processes, and open connections are forensic evidence that a shutdown destroys. Do not run cleanup or antivirus scans on them before evidence has been captured. Contact your incident response team or a cybersecurity professional. Notify your local IRS Stakeholder Liaison. Begin your documented incident response plan. Preserve all logs and evidence, including portal, email, and tax software audit logs. Change passwords for affected accounts from a known-clean device. Notify affected clients as required by your state breach notification law. Document every step you take and when you take it.

Working with Bellator

How we can help

Do I need managed cybersecurity services or can I handle compliance on my own?
It depends on your technical expertise and available time. A solo practitioner who is tech-savvy can achieve basic compliance using our free WISP template and this guide. However, most tax professionals prefer managed services because cybersecurity requires ongoing monitoring, updates, and expertise that takes time away from client work. Our managed plans start at $200 per month and cover everything from compliance documentation to continuous threat monitoring.
How long does it take to get my practice compliant?
With our managed services, most practices achieve full compliance within two weeks. The first week covers documentation, risk assessment, and control implementation. The second week covers training, testing, and final adjustments. For practices that prefer a self-service approach, our WISP template can be customized in under two hours, and the remaining steps typically take two to four weeks of part-time effort.
What ongoing support do you provide after initial setup?
Our managed security plans include continuous threat monitoring and rapid incident response, quarterly vulnerability assessments, annual WISP review and update, ongoing employee security training with simulated phishing, dark web monitoring for leaked credentials, monthly security posture reports, and a dedicated account manager who understands tax industry requirements. We handle the security so you can handle the taxes.

Still have questions?

Our team specializes in cybersecurity for tax professionals and can answer any questions specific to your practice.

Contact Our Team

Ready to get compliant?

Start with our free WISP template or schedule a consultation with our team to get a personalized compliance plan for your practice.