Developing a cybersecurity framework for your firm

8 elements in your Written Info Security Plan (WISP)


The pandemic accelerated the adoption of digital technologies and intensified the risks associated with cybersecurity. As tax professionals and accounting firms continue to adapt to a post-pandemic reality, the need for a robust cybersecurity framework has never been more pronounced. No firm is exempt from the threat of cyberattacks. It’s imperative that all practices adopt a fundamental set of policies to secure their operations and their clients’ trust.

The financial sector, particularly tax and accounting practices, has become a prime target for cybercriminals. Recent breaches have shown that no entity, regardless of its size, is immune to these threats. The consequences of such breaches are severe, ranging from substantial financial losses to irreparable damage to the reputation and trust clients place in these services. It’s not just large firms that are at risk; small practices often lack the resources for comprehensive cybersecurity, making them particularly vulnerable.

Your Written Information Security Plan

Developing a comprehensive cybersecurity framework starts with a thorough assessment of current security measures. Identifying vulnerabilities and gaps in existing protocols is a vital step. Under the Gramm-Leach-Bliley Act, tax preparers and accountants are treated as financial institutions, and the Federal Trade Commission’s Safeguards Rule issued under that act requires them to create and maintain a Written Information Security Plan (WISP) to secure taxpayer data; the IRS reinforces this requirement in its guidance to preparers. A WISP should be a formal document that outlines the administrative, technical, and physical safeguards implemented to protect client data. The plan must be tailored to the firm’s size, complexity, and scope of activities. It is a legal requirement, not just a good practice.

A robust WISP typically includes elements such as the following:

  1. Risk assessment: Regular evaluations of the potential risks to client data and the internal systems used to process that data.
  2. Security policies and procedures: Detailed written policies regarding data security, including how to handle and protect personally identifiable information throughout its lifecycle.
  3. Employee training program: A program to educate employees about their roles in protecting sensitive data, recognizing phishing and social engineering attacks, and reporting suspected breaches.
  4. Data encryption: Measures to encrypt data at rest and in transit, using strong encryption methods.
  5. Secure data disposal: Policies and procedures for the secure disposal of obsolete data that is no longer required for business or compliance purposes.
  6. Incident response plan: A formal plan that outlines the steps to be taken in the event of a data breach or security incident, including notification procedures.
  7. Regular monitoring and compliance: Ongoing activities to monitor the effectiveness of security measures and to update the WISP as necessary when new threats are identified or when the firm undergoes changes that could affect security.

The IRS emphasizes that a WISP is not a “set it and forget it” exercise, but a living document that requires regular updates and reviews to adapt to new threats and changes in the firm’s operations. By adhering to these guidelines, tax and accounting professionals can ensure they are taking the necessary steps to protect client data and comply with IRS requirements.

Responding to a security breach

An often-overlooked aspect of cybersecurity is having a well-prepared response plan in the event of a breach. This plan should include immediate steps to mitigate damage, methods to investigate and resolve the breach, and strategies for communicating with affected parties.

Experiencing a security breach can be one of the most trying times for any firm. The moment you discover that your firm’s, and more critically, your clients’ confidential data may have been compromised, obligations and concerns begin to unfold.

The immediate response must be swift and effective, involving containment and assessment of the breach. But what follows is an equally critical phase: notification. State data-breach notification laws generally require that affected clients be informed when their personal data is compromised, a process that is not just a procedural formality but also a test of the firm’s transparency and integrity.

Drafting the notification to clients is a delicate task; it is an admission of a lapse in the very promise of confidentiality that lies at the heart of client relationships. The embarrassment that accompanies this admission is profound.

I run a small firm of 3 remote members

Investing in cybersecurity is not a matter of if, but when. For me, the realization came when I understood that our remote setup could be at risk. We operate as a 100% remote tax and bookkeeping practice, and enjoy the freedom to work from anywhere. As a result, it was clear that we needed to enhance our firm’s cybersecurity. We partnered with a reliable IT provider, Visory, and opted for fully managed IT and cybersecurity services that were comprehensive and tailored to our unique needs. Our plan includes IT helpdesk support, remote management, next-gen threat hunting, phishing/spam filtering, and cybersecurity awareness training for our team, along with a secure VPN solution.

For a small practice of three, we found the balance between security and efficiency. Safeguarding our own information—and our clients’ information—is paramount, even when working beyond U.S. borders. In today’s globalized workforce, ensuring the security of remote team members, especially those outside our borders, is not just essential; it’s critical.

As we wrap up, let’s embrace a simple truth: Cybersecurity is our strong ally in the world of tax and accounting. It doesn’t matter if you’re a solo practitioner or part of a larger firm—the commitment to safeguarding client trust remains paramount. Through clear policies and ongoing adaptation, we not only meet compliance standards, but uphold a fundamental promise. By investing in cybersecurity, we’re not just protecting data; we’re securing a resilient future where our clients can always trust us.
