
Are CPAs Required to Have a Written Information Security Plan (WISP)?

Yes.

As a CPA, you manage sensitive client data every day, including personal financial details, social security numbers, tax information, and more. Protecting this information isn't just good business sense; it's a legal and regulatory requirement. The Federal Trade Commission (FTC) requires every tax professional to implement and maintain a Written Information Security Plan (WISP). Not only does this safeguard your clients’ valuable data, but it also protects your firm from costly breaches, fines, and reputational damage.

In addition, tax professionals must now report a security event affecting 500 or more people to the FTC as soon as possible, and no later than 30 days from the date of discovery. This is in addition to reporting the incident to an IRS Stakeholder Liaison and to state tax authorities.

When you renew your PTIN (Preparer Tax Identification Number) on IRS Form W-12, Question 11 requires you to confirm that you have a WISP in place.


Why a WISP Matters

In a world of increasing cyber threats, identity thieves and hackers target CPA firms because of the treasure trove of valuable data they handle.

According to Kimberly Rogers, director of the IRS Return Preparer Office and co-chair of the Security Summit's Tax Pro Working Group:

“It’s more important than ever for tax pros to protect their data, passwords, and other information. The updated Written Information Security Plan is a result of months of work by tax professionals across the country. The Security Summit members worked together on this plan to make it easier for all tax professionals to develop a plan and an approach that is right for them.”

 

The Basics of a WISP

The Written Information Security Plan (WISP) infographic flyer guides tax professionals through creating a security plan, highlighting key compliance requirements and professional obligations. It serves as a starting point rather than a comprehensive solution, intended to help professionals understand and begin drafting an effective security plan tailored to their business.

The security plan should reflect the specific size, scope of activities, complexity, and sensitivity of the data the firm manages. There is no universal WISP suitable for every organization.

 

Developing a WISP

The IRS emphasizes that a WISP is only one component of the broader strategy needed to protect both clients and the firm. Because cyber threats change constantly, the IRS and the Security Summit strongly recommend consulting cybersecurity experts for additional guidance in securing sensitive information and safeguarding firm systems.

A good WISP should identify the risks of data loss for the types of information handled by a company and focus on three areas:

1. Employee Management and Training

Your employees are the front line of defense against data breaches. A well-structured WISP should detail regular cybersecurity training, policies for securely handling sensitive information, and clearly defined responsibilities for every employee.

  • FTC Requirement: Designate one or more employees responsible for overseeing and coordinating the security program.

2. Information Systems and Technology

Your WISP should clearly outline the safeguards implemented within your firm's IT systems, including encryption, multi-factor authentication, secure data backups, and restricted system access.

  • FTC Requirement: Identify and assess risks in every area of your firm, evaluate the effectiveness of existing safeguards, and implement necessary improvements.

3. Detecting and Managing System Failures

Even the best security systems can fail. Your WISP must include a clear incident response plan, detailing how your firm identifies, manages, and mitigates the impact of cybersecurity incidents.

  • FTC Requirement: Regularly monitor and test your security safeguards to ensure they're effective and up-to-date.

 

FTC Compliance Requirements for Your CPA Firm’s WISP

To remain compliant, your firm must fulfill these FTC-required steps within your WISP:

  • Assign Responsibility:
    Designate at least one employee to oversee the information security program.
  • Perform Risk Assessments:
    Regularly assess and document potential risks to client information, evaluating your current safeguards and identifying areas needing improvement.
  • Develop and Maintain Safeguards:
    Design a safeguards program tailored to your firm’s size and complexity, ensuring it’s regularly tested, monitored, and updated.
  • Vendor Management:
    Only work with service providers who maintain strict safeguards for handling customer information. Ensure that contracts explicitly require vendors to uphold appropriate security standards.

 

Maintaining an Effective WISP

Regular maintenance is required for your Written Information Security Plan (WISP) to remain effective and compliant. Here are some tips:

  • Accessibility: Keep your completed WISP in an easy-to-read format, such as PDF or Word, and make it readily available to your employees for training and reference purposes.

  • Regular Updates: Remember that your WISP should be a living document. Periodically review and update it to reflect changes in your firm’s size, complexity, and scope of operations, as well as evolving security threats.

  • Incident Response: The IRS recommends integrating a detailed data theft response plan into your WISP. This plan should include the immediate steps to take, such as reporting the incident to your IRS Stakeholder Liaison and following the FTC's data breach response guidelines.

 

Benefits For Your Accounting Firm and Your Clients

Creating and maintaining a robust WISP brings significant advantages, including:

  • Enhanced protection against cyber threats and identity thieves.
  • Improved compliance with IRS and FTC regulations, avoiding costly penalties.
  • Increased trust from clients knowing their personal information is secure.
  • Peace of mind for you, your employees, and your clients.

Cybersecurity is an essential part of responsible client management for all accounting firms. Ensure your firm is protected, compliant, and ready to respond effectively to threats.


Additional Resources

IT Support Services Oregon

 


Teknologize is a SOC 2 certified professional technology services company with clients throughout the Pacific Northwest. We have offices located in:

  • Tri-Cities, Washington 509.396.6640
  • Yakima, Washington 509.396.6640
  • Bend, Oregon 541.848.6072
  • Seattle, Washington 206.743.0981

Questions about your IT or Cybersecurity? Give us a call today!