IRS WISP Builder Tool | IRS Mandated WISP: What Happens if Your Business Lacks a WISP?


What is an IRS mandated WISP?

Tax accountants, payroll companies, and any business that gathers and stores Personally Identifiable Information (PII) carry a specific obligation alongside that data: maintaining an IRS mandated WISP. The FTC, together with the IRS, requires every tax and accounting firm to have a WISP (Written Information Security Plan) in order to stay compliant. This security plan sets out your firm's policies and procedures for handling client data and other sensitive information. Every employee must review and acknowledge the company's WISP so that the firm can prove compliance. Without an IRS WISP in place, a firm faces significant penalties and operational risks that threaten the practice itself.

How having an IRS mandated WISP helps with data security and compliance.

This cybersecurity plan, or WISP, documents how the firm identifies its data breach risks, how it monitors the systems it has in place, and how it trains employees on the resulting safety protocols. Any business that handles sensitive financial data, including tax and accounting firms, is required by the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission's Safeguards Rule, which implements it, to create an IRS WISP, or Written Information Security Plan.

The Safeguards Rule was put in place to ensure stronger protection of your clients' personal and confidential information. In the event of a data breach, the IRS will ask the firm whether it has a written information security plan in place, which is why every firm needs this document in order to prove compliance.

What happens if your Tax and Accounting Firm doesn’t have a WISP?

Firms without a security plan in place face three major issues: non-compliance penalties, a higher risk of a data breach, and inconsistency in employee practices. All three put the reputation and operation of the firm in jeopardy, and all three are avoidable by creating a security plan and reviewing it at least annually.

Without a WISP you are not compliant with the Gramm-Leach-Bliley Act (GLBA) or the Federal Trade Commission's Safeguards Rule. Non-compliance could cost your firm up to $100,000 in fines, loss of license, and up to 5 years in prison. On top of that come the financial cost of any legal action following a data breach and the possibility that insurance claims are rejected because the legally required plan was not in place.

In the case of a data breach, the IRS will ask for your WISP. They will want to see that it was created, approved, and acknowledged by all staff and contractors. The IRS will also check that you have been updating the WISP annually (or more often if changes have been made within the company) and that all employees have acknowledged reviewing the plan and are properly trained. Just as importantly, when a breach happens at a firm that has a WISP, the firm and its employees can follow the plan to report the incident promptly and contain and remediate it. Acting efficiently in that situation protects your firm's reputation and lets you stay focused on your clients.

Compliance does not end once the WISP is created. New hires must also be trained on the company's WISP and formally acknowledge the plan; if you cannot prove that this training and acknowledgement took place, you can be found non-compliant. Likewise, a firm that creates a WISP but does not keep it updated at least annually also risks non-compliance and further penalties. To stay fully compliant and avoid fines, your WISP needs to be acknowledged by all employees and users, updated annually, and used to train all staff.


What happens to your company’s reputation and finances without a WISP?

Without a plan to mitigate the risks of a data breach, your company is leaving itself exposed to cyber security threats. If a breach occurs, the company would then have to spend large amounts of money on lawsuits and recovery.

In December 2024, the IRS stated that it had received over 250 reports of data breaches from tax professionals in 2024, affecting over 200,000 clients. You don't want your firm to become part of those statistics. Since client satisfaction is key to a thriving practice, remember that a data breach can cost you your clients' trust. It is in your best interest, and your clients', to be thorough and create a solid security plan for your firm.

How to stay compliant and lower risk for your firm.

To get compliant with the IRS, first create your own IRS WISP following the guidelines required by the Safeguards Rule, including a risk assessment, policies, and training. Second, train all employees and contractors who handle client data and have each of them formally acknowledge that they have reviewed the plan. To stay compliant, update your WISP at least annually, or any time your firm's personnel, technology, or policies change.

Tools like WISP Builder simplify the process of creating your WISP with an editable template as well as resources to train your employees and reminders to keep your plan updated so that you can get and stay compliant.
