What Is a WISP (Written Information Security Plan) and Who Must Have One?
If you have access to your clients’ sensitive data, such as Social Security numbers, income details, addresses, and financial account information, you need a WISP in order to be compliant with the FTC. A WISP isn’t just for tax preparers, Enrolled Agents, CPAs, and bookkeepers.
Who Is Mandated to Have a WISP?
- Wealth management positions like financial planners, investment advisors, and broker-dealers
- Legal professionals like attorneys, paralegals, and compliance officers
- IT roles such as IT consultants, SaaS providers and software companies, and IT security officers and compliance managers
- Insurance agencies including agents, brokers, insurance agencies and firms, and health and life insurance professionals
The IRS requires everyone with access to PII (Personally Identifiable Information) to have a Written Information Security Plan (WISP) in place.
A WISP is an official outline detailing how your business aims to protect client information. It’s required under the Gramm-Leach-Bliley Act (GLBA), which was created to safeguard consumer financial information, and it was put into action by the IRS through the Federal Trade Commission (FTC) Safeguards Rule.
4 Ways a WISP Protects Your Clients and Business
Cybercriminals grow more sophisticated every year, and data breaches, ransomware, and phishing attacks continue to rise. Having a WISP helps you:
- Protect your clients’ data from a security breach
- Stay compliant with IRS and federal regulations in order to do business
- Avoid penalties for failing to meet data security and compliance standards
- Build client trust by showing them that you take their privacy seriously
Your WISP is like your business’s safety net. It’s your plan to help prevent a data breach and, equally important, a quick plan of action in case something goes wrong.
The 6 Core Elements Required in Your IRS WISP
To ensure your IRS WISP, or Written Information Security Plan, is not an empty checklist but a legally defensible document, it must be structured around six mandatory components. The FTC Safeguards Rule requires that your plan be comprehensive and appropriately scaled to the complexity of your business.
These six elements are the pillars of every compliant WISP, defining how your firm identifies, protects, and responds to threats against client data. They are the details IRS auditors will look for to prove your commitment is active, trackable, and reliable:
- Company overview with details about your business and the data you collect.
- Risk assessment including a list of potential weak areas vulnerable to threats (like weak passwords, lost devices, or phishing emails).
- Safeguards with specific steps that you are taking to protect data such as encryption, firewalls, secure Wi-Fi, and regular software updates.
- Employee training with proof that everyone on your staff and all third-party providers know and follow the company’s policies on how to handle sensitive information and report issues.
- Incident response plan with clear instructions for what to do (and who is assigned to each step) if a data breach occurs.
- Regular review and updates made to your WISP when there are changes to technology, risks, and staff. This should be done at least annually.
WISP Builder provides easy-to-use solutions to help you create, maintain, store, and train your staff on your WISP.
Creating your WISP doesn’t have to be complicated, but it does need to be intentional. By taking time to put one in place you protect your clients, your reputation, and your business future. WISP Builder makes checking this off your list easy.