IRS WISP Builder Tool | IRS WISP Requirements: 5,000 Consumer Confusion

The 5,000 Consumer Confusion

All Tax Professionals have IRS WISP requirements. However, many believe they do not need an active Written Information Security Plan (WISP) if they have fewer than 5,000 clients. This assumption, though understandable given the way the FTC Safeguards Rule is written, is incorrect. It is correct to assume, however, that smaller firms can simplify their plan to fit the size and scope of their practice.

Confusing FTC Language

In the FTC Safeguards Rule that sets up the requirement for Tax Professionals to have an IRS WISP, there is a clause that reads:

The FTC has exempted from certain provisions of the Rule financial institutions that “maintain customer information concerning fewer than five thousand consumers.”

It is easy to see the “five thousand consumers” but miss the important clause:

“exempted from certain provisions of the Rule”

What is exempted?

Without going into the exact details, there are four sub-sections of the FTC Safeguards Rule whose requirements the law seems to imply may be too much of a burden for smaller firms. They are:

  • The need to base your security plan on a detailed risk assessment analysis. Section 314.4 (b)(1)
  • Develop and maintain continuous monitoring. Section 314.4 (d)(2)
  • Develop and maintain a written incident response plan. Section 314.4 (h)
  • Create and present a required annual security report to the board of directors. Section 314.4 (i)

But to be clear, the 5,000 consumer limit ONLY relates to these four sub-sections of the Rule. It helps small firms create a cybersecurity plan that is not overwhelming to put together, but still addresses the critical need to secure the nonpublic personal information of their clients.

An article in the May 2023 issue of The Tax Advisor recaps the requirement for small firms nicely when it states:

“As part of the Safeguards Rule, covered financial services institutions — even sole proprietors and small firms — must develop, implement, and maintain a written information security plan that describes how the business will safeguard and protect its clients’ nonpublic personal information. The plan must address administrative, technical, and physical safeguards to protect this information, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the financial services institution.”

Pamala Slattan, CPA, J.D. and Larry Marietta, CPA, “Complying with the Safeguards Rule for information security”, The Tax Advisor, May 1, 2023

So what is the minimum?

If you have Personally Identifiable Information (PII) and you are in the defined business categories of the Rule, you need to have a written security plan. This includes Tax Professionals.

  • The remaining sections of the Safeguards Rule still apply and include the written security plan requirement with no firm size restrictions.
  • The IRS is clear on this through the required check-off box that everyone completed when renewing their PTINs. You have acknowledged your understanding of the security requirement.
  • The FTC Safeguards Rule requires disclosure of any exposed information that impacts more than 500. You cannot begin to measure this impact if you do not have a plan.

The message about IRS WISP Requirements

The FTC Safeguards Rule applies to Tax Firms. But beyond having a Rule in place to require security plans, it is best practice to have one. Just imagine the damage to your practice and to the lives of your clients if you are hacked because of a lack of awareness that your security plan could have helped mitigate.

Need help with your IRS WISP?

When choosing a tool for creating and maintaining your WISP, you want one that helps you get and stay compliant for peace of mind, so you can focus on serving your clients well. WISP Builder is an evergreen tool designed to help you not only get compliant, but also stay compliant as the world of cybersecurity changes. And the best part? WISP Builder really is the most cost-effective tool of its kind. Review the annual pricing and what’s inside at WISP Builder.

 
