What is a WISP? | Verito Technologies | 2025


What is a WISP? A Security Blueprint for Tax and Accounting Firms

Executive Summary

  • Data breaches in financial services cost an average of $5.9 million per incident, with tax and accounting firms facing even higher risks due to the sensitivity of client data [1].
  • Federal law now requires every tax and accounting firm, regardless of size, to maintain a Written Information Security Plan (WISP) [2] [3].
  • Non-compliance can result in loss of credentials, regulatory penalties, and severe reputational damage [4].
  • A robust WISP is not just a compliance checkbox—it’s a strategic asset that protects your clients, your reputation, and your business continuity [1].
  • Verito delivers purpose-built, SOC 2-compliant cloud hosting and managed IT services to help firms implement and maintain effective WISPs [1].

Why Does Your Tax or Accounting Firm Need a WISP?

The Stakes: Data Breaches and Regulatory Pressure

Tax and accounting firms are prime targets for cybercriminals. The financial services sector saw average data breach costs reach $5.9 million in 2023, with tax professionals facing unique risks due to the volume and sensitivity of client data they manage [1]. Regulatory bodies like the IRS, FTC, and state authorities now require every tax and accounting firm to maintain a Written Information Security Plan (WISP), regardless of firm size [2] [3].

What’s at risk if you don’t have a WISP?

  • Loss of PTIN credentials, which are required to practice as a tax professional [4].
  • Regulatory penalties and potential legal action
  • Financial losses from data breaches, which average nearly $6 million per incident [2].
  • Reputational damage and loss of client trust

Example: A small CPA firm without a WISP suffered a ransomware attack during tax season. The breach led to client attrition, regulatory fines, and months of operational disruption.

What Is a Written Information Security Plan (WISP)?

A Written Information Security Plan (WISP) is a comprehensive document that details how your firm protects sensitive information. The Federal Trade Commission defines it as a required written program designed to ensure the security and confidentiality of customer information, protect against anticipated threats, and prevent unauthorized access [2] [3].

For tax and accounting firms, a WISP has to satisfy these regulatory requirements:

  • FTC Safeguards Rule: requires a comprehensive, written information security program. Applies to tax preparation firms, accounting firms, and financial advisors.
  • IRS Publication 4557: guidance for safeguarding taxpayer data. Applies to tax professionals.
  • State data protection laws: vary by state (e.g., NY SHIELD Act, CCPA). Apply to businesses with clients in those states.

The IRS supports these requirements with Publication 4557 (Safeguarding Taxpayer Data) and Publication 5708 (Creating a Written Information Security Plan for your Tax & Accounting Practice), which give step-by-step guidance and a sample WISP template; the IRS also asks for a WISP attestation when you renew your PTIN [2] [3].

What Should a WISP Include? Key Components for Compliance and Security

1. Risk Assessment

Start by identifying what sensitive information your firm collects, where it resides, and how it’s protected. Evaluate current safeguards and identify potential threats and vulnerabilities. This assessment forms the foundation of your security program [1].
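The "where does it reside" part of the risk assessment is easier to act on when you can scan your file shares for taxpayer identifiers instead of guessing. The script below is an added illustration, not code from the page or from Verito: it looks for formatted SSNs and EINs, applies the Social Security Administration's issuance rules so placeholder values such as 000-00-0000 are not counted, and records only the last four digits so the inventory itself does not become a second copy of the PII. The file paths and contents are constructed for the example; the identifier formats are the real ones.

```python
"""Constructed example: locate taxpayer identifiers across a firm's files.

Added illustration for the WISP risk-assessment step; not Verito's code.
The SAMPLE_FILES contents and paths are fabricated. The scanner itself works
on any text you pass it (read real files into the same {path: text} shape).
"""
import re

# Formatted SSN: 123-45-6789. Word boundaries keep us off longer digit runs.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Employer Identification Number: 12-3456789.
EIN_RE = re.compile(r"\b(\d{2})-(\d{7})\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area 001-899 except 666, group and serial non-zero."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def mask(value: str) -> str:
    """Keep only the last four digits so the inventory does not leak the PII it found."""
    digits = value.replace("-", "")
    return "*" * (len(digits) - 4) + digits[-4:]


def find_identifiers(text: str) -> dict:
    """Return {'ssn': [masked...], 'ein': [masked...]} for one document."""
    found = {"ssn": [], "ein": []}
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            found["ssn"].append(mask(m.group(0)))
    for m in EIN_RE.finditer(text):
        found["ein"].append(mask(m.group(0)))
    return found


def inventory(files: dict) -> dict:
    """Map each path that holds at least one identifier to its masked findings."""
    result = {}
    for path, text in files.items():
        found = find_identifiers(text)
        if found["ssn"] or found["ein"]:
            result[path] = found
    return result


# Constructed sample data: two real-looking client files, one fixture file with
# placeholder SSNs, one file with no identifiers at all.
SAMPLE_FILES = {
    "clients/2024/smith_1040_notes.txt":
        "Primary SSN 123-45-6789, spouse 456-78-9012. Refund pending.",
    "shared/test_fixtures.txt":
        "Placeholder 000-00-0000 and 666-12-3456 are not real SSNs.",
    "hr/payroll/vendor_w9.txt":
        "Vendor EIN 12-3456789 on file.",
    "marketing/newsletter.txt":
        "Tax season opens January 29. Call 555-0100.",
}

if __name__ == "__main__":
    for path, found in inventory(SAMPLE_FILES).items():
        print(path, found)
```

Run against a real share, the output is the list of locations your WISP must cover with encryption, access controls, and retention rules; files that turn up outside the client-data area (a spreadsheet in a marketing folder, an export in a Downloads directory) are the findings the risk assessment exists to surface.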

2. Administrative Safeguards

Administrative safeguards are the written policies and procedures that govern how people handle client data: who may access what, how employees are trained, how vendors are vetted, and how the program itself is reviewed. For example, policies on client data retention and secure communication protocols are essential for tax firms.

3. Technical Safeguards

  • Encryption for data at rest and in transit
  • Secure authentication methods (e.g., 2FA)
  • Firewalls and intrusion detection systems
  • Endpoint protection
  • Regular software updates and patch management
  • Secure backup solutions
  • Email security measures

Encrypted client portals and secure document management systems are especially important for accounting and tax firms.

4. Physical Safeguards

  • Secure office access and restricted areas
  • Clean desk policies
  • Secure shredding and disposal of physical documents
  • Locked filing cabinets and controlled access areas
  • Device protection

Physical safeguards remain critical, even as firms move toward digital solutions.

5. Monitoring and Testing

  • Regular vulnerability scanning
  • Penetration testing
  • Log monitoring
  • Security incident tracking
  • Compliance audits

Ongoing monitoring ensures your security measures remain effective as threats evolve.

6. Incident Response Plan

  • Roles and responsibilities during an incident
  • Steps for containing and mitigating breaches
  • Communication protocols
  • Documentation requirements
  • Recovery procedures
  • Post-incident analysis

Include specific procedures for notifying affected clients and authorities if tax data is compromised. The IRS asks tax professionals to report client data theft to their local IRS Stakeholder Liaison, and under the FTC's 2023 amendment to the Safeguards Rule a notification event involving 500 or more consumers must be reported to the FTC no later than 30 days after discovery; state breach-notification laws add their own deadlines.

How to Build and Maintain a WISP: Practical Steps

Getting Started

  1. Use templates: The IRS and FTC provide guidance documents and templates to help you get started [2] [3].
  2. Customize for your firm: Adapt templates to reflect your operations, client base, and technology.
  3. Involve key stakeholders: Security is everyone’s responsibility.
  4. Consider expert assistance: Information security consultants can provide valuable guidance.

Making It Effective

Common WISP Mistakes to Avoid

  • Treating the WISP as a “set and forget” document
  • Overlooking third-party risks (e.g., software vendors)
  • Focusing only on digital threats and ignoring physical security
  • Neglecting employee training
  • Making the plan too complex to follow

How Verito Supports Your WISP and Security Goals

Verito specializes in secure cloud hosting and managed IT services designed for tax and accounting firms. Our solutions help you implement and maintain the technical safeguards required by your WISP, including:

  • VeritSpace: Dedicated private server hosting for QuickBooks, Drake, Lacerte, and more, with 99.999% uptime, daily backups, 2FA, and secure remote access.
  • VeritGuard: Proactive managed IT services with 24/7 U.S.-based support, threat monitoring, patch management, and built-in compliance with IRS and FTC standards.
  • VeritComplete: A fully integrated platform combining hosting and IT into one seamless service, with one bill and one support team.

Why firms choose Verito:

  • Purpose-built for tax and accounting software
  • SOC 2 Type II compliant infrastructure
  • Transparent pricing with no surprise fees
  • Live 24/7 expert support
  • Seamless, secure migrations—often completed in under 72 hours

With Verito, your technology just works. Securely.

Comparison: WISP Implementation Approaches

  • Compliance expertise: DIY requires in-house research; Verito (managed) is built in and IRS/FTC-aligned.
  • Uptime guarantee: DIY varies, often under 99%; Verito guarantees 99.999%.
  • Security monitoring: DIY is manual or periodic; Verito is 24/7 and proactive.
  • Data isolation: DIY often means shared or mixed environments; Verito provides dedicated, isolated servers.
  • Support response: DIY takes hours to days; Verito responds in minutes, 24/7, U.S.-based.
  • Cost predictability: DIY is variable with hidden fees; Verito is transparent and all-inclusive.

Key Takeaways

  • Every tax and accounting firm is legally required to maintain a WISP [2] [3].
  • A WISP protects your clients, your reputation, and your business continuity [1].
  • Effective WISPs include risk assessment, administrative, technical, and physical safeguards, ongoing monitoring, and incident response planning [1].
  • Avoid common mistakes like neglecting third-party risks or treating your WISP as a static document.
  • Verito delivers purpose-built, compliant solutions to help you implement and maintain your WISP with confidence [1].

Ready to protect your firm and clients with a WISP that just works? Secure your data and compliance with Verito’s dedicated cloud hosting and managed IT services. Contact us today or schedule a demo to see how we can help your firm stay secure, compliant, and focused on what matters most.
