Written Information Security Plan: A Must for Firms

Written Information Security Plans: The Strategic Framework for Tax & Accounting Firms - Verito Technologies

Written Information Security Plan (WISP)

Tax and accounting firms are prime targets for cybercriminals. In 2023, the financial services sector saw average data breach costs reach $5.9 million, with tax and accounting professionals facing unique risks due to the sensitive nature of client data they manage[1]. Regulatory bodies like the IRS, FTC, and state authorities now require every tax and accounting firm, regardless of size, to maintain a Written Information Security Plan (WISP)[1][2]. But a WISP is more than a compliance checkbox. It’s a strategic asset that protects your clients, your reputation, and your business continuity.

This guide explains what a WISP is, why it matters, and how your firm can build and maintain one that meets both regulatory demands and real-world security threats.

Why Every Tax and Accounting Firm Needs a WISP

The Regulatory Mandate

Tax and accounting firms are legally required to have a WISP. The Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule both mandate that financial institutions—including tax preparers and accounting firms—implement written plans to protect client data[1][2]. The IRS enforces this through Publication 4557 and Publication 5708, which provide step-by-step guidance for creating a WISP[1][3].

Consequences of Non-Compliance

  • Loss of PTIN credentials, which are required to practice as a tax professional[2][4]
  • Regulatory penalties and potential legal action
  • Financial losses from data breaches, which average nearly $6 million per incident[1]
  • Reputational damage and loss of client trust

Example: A small CPA firm without a WISP suffered a ransomware attack during tax season. The breach led to client attrition, regulatory fines, and months of operational disruption.

Core Components of a Written Information Security Plan

A WISP is a living document that outlines how your firm protects sensitive information. According to IRS Publication 5708 and industry best practices, a comprehensive WISP should include[1][3]:

1. Objectives, Scope, and Roles

  • Define the purpose and scope of your WISP
  • Designate a qualified individual or team responsible for security
  • List all authorized users, their access levels, and responsibilities

2. Risk Assessment

  • Identify the types of information your firm handles (e.g., PII, tax data)
  • List potential internal and external risks (e.g., phishing, unauthorized access)
  • Outline procedures for monitoring and testing these risks

3. Inventory and Asset Management

  • Document all hardware and software used to store or process sensitive data
  • Record physical locations and types of data handled by each asset

4. Security Controls

  • Administrative: Policies, procedures, employee training, vendor management
  • Technical: Access controls, encryption, firewalls, endpoint protection
  • Physical: Facility security, equipment protection, secure disposal

5. Incident Response Plan

  • Step-by-step procedures for detecting, containing, and recovering from security incidents
  • Communication protocols for notifying clients, regulators, and law enforcement

6. Implementation and Review

  • A phased approach: assessment, planning, implementation, monitoring, and annual review
  • Documentation of all updates and changes

Callout: The IRS expects your WISP to be updated at least annually, or whenever your business or technology environment changes[1][2].

Building a WISP: Step-by-Step Process

Step 1: Assess Your Current Security Posture

  • Review existing policies, controls, and vulnerabilities
  • Identify gaps using IRS checklists and templates[1][3]

Step 2: Develop the WISP Document

  • Use IRS Publication 5708 as a template[1]
  • Tailor policies to your firm’s size, technology, and risk profile

Step 3: Implement Security Controls

  • Deploy multi-factor authentication (MFA) for all systems with client data
  • Encrypt data at rest and in transit
  • Set up firewalls, intrusion detection, and endpoint protection

Step 4: Train Your Team

  • Conduct regular security awareness training
  • Define clear roles and responsibilities for all staff

Step 5: Monitor, Test, and Review

  • Use security monitoring tools to detect threats
  • Test your incident response plan with tabletop exercises
  • Review and update your WISP annually

Example: A mid-sized accounting firm uses Verito’s VeritGuard managed IT services to automate patch management, monitor threats, and maintain compliance with IRS and FTC standards.

WISP Implementation: Tailoring to Firm Size

| Firm Size | Security Coordinator | Documentation Depth | Technology Controls | Training Approach |
|---|---|---|---|---|
| Small (1-10) | Owner or senior staff | Basic, template-based | Cloud-based, core controls | Informal, regular updates |
| Mid-sized (11-50) | Dedicated coordinator | Detailed policies | Advanced access controls | Formal training program |
| Large (50+) | Security committee | Enterprise-level | Comprehensive monitoring | Robust, ongoing program |

Insight: Even solo practitioners working remotely must have a WISP that covers all locations and devices used for client work[4].

Advanced Security Architecture for Tax and Accounting Firms

Multi-Factor Authentication and Access Control

The FTC Safeguards Rule and IRS guidance now require MFA for all systems containing client information. Role-based access control ensures staff can access only the data necessary for their job, reducing the risk of internal breaches.

Data Encryption and Secure Disposal

  • Encrypt all client data, both at rest and in transit
  • Use secure protocols for file transfers and remote access
  • Implement strict procedures for data retention and secure disposal of physical and electronic media

Incident Response and Business Continuity

  • Prepare for security incidents with a documented response plan
  • Define roles, escalation paths, and notification requirements
  • Test your plan regularly to minimize downtime and data loss

Example: During a simulated breach, a Verito client restored operations within hours using daily backups and a tested incident response plan.

Addressing the Unique Threats Facing Tax and Accounting Firms

Tax and accounting firms face:

  • High-value data concentration (PII, tax IDs, financial records)
  • Seasonal spikes in cyberattacks, especially during tax season
  • Targeted phishing, ransomware, and credential theft

Mitigation Strategies:

  • Advanced email security and phishing protection
  • Endpoint detection and response (EDR)
  • Regular vulnerability scanning and patching
  • Security awareness campaigns before and during tax season

Callout: The accounting industry has seen a 300% increase in cyberattacks since 2020, driven by remote work and increased digitalization.

Turning Compliance into Client Trust

A well-communicated WISP is not just about compliance—it’s a competitive advantage. Clients want to know their data is safe. Firms that demonstrate robust security practices win trust and stand out in a crowded market.

Best Practices for Client Communication:

  • Share your security philosophy and measures on your website
  • Include security commitments in client onboarding materials
  • Provide regular updates on security improvements

Quote: “How you handle your clients’ sensitive financial and personal information is fundamental to your firm’s relationships and reputation.” — Andrew Lassise, Rush Tech Support

Why Verito Is the Trusted Partner for Secure Cloud Hosting

Verito specializes in secure cloud hosting and managed IT services built for tax and accounting professionals. Our solutions—VeritSpace, VeritGuard, and VeritComplete—combine always-on, isolated servers with 99.999% uptime, daily backups, 2FA, and 24/7 U.S.-based support. We help firms of all sizes meet compliance standards, eliminate downtime, and offload IT burdens so you can focus on serving clients, not fixing tech.

Verito’s Differentiators:

  • SOC 2 Type II compliant infrastructure
  • Seamless, secure migrations—often completed in under 72 hours
  • Transparent pricing with no surprise fees
  • Live expert support, day or night

Example: A multi-location CPA firm moved its QuickBooks and Lacerte environments to Verito’s dedicated servers, achieving full compliance and zero downtime during tax season.

Next Steps: Building Your Firm’s Security Future

A Written Information Security Plan is not just a regulatory requirement—it’s a foundation for operational resilience, client trust, and professional credibility. Whether you’re a solo practitioner or a large firm, the right WISP protects your business and your clients.

Ready to build or upgrade your WISP? Verito’s security-first solutions and expert team can guide you through every step, from assessment to ongoing management. Contact us to see how we can help your firm turn compliance into a strategic advantage.
