WISP: The Four Letters Every Tax Preparer Is Ignoring (And Shouldn't Be)
Jul 9, 2026
A Written Information Security Plan is federally required for every paid tax preparer — but most solo firms check the box and move on. Here is what that actually costs you, and a five-minute test to find the gaps in your practice right now.
Let's talk about WISP. And no, it's not an insect. WISP stands for Written Information Security Plan, and it is more important than most tax professionals think.
A WISP defines how you are handling your clients' most valuable possessions. Not having one is like leaving the bank doors wide open with no security guard in sight. As a paid tax preparer, you are the guardian of your clients' valuables. And the most valuable things you are storing are not gold or cash. They are Social Security Numbers, dates of birth, current addresses, email addresses, and financial account details. I will stop there because for the sake of everyone's safety, I don't need to spell out what someone with bad intentions can do with that combination.
Now think about this. If you have 300, 500, or 1,000 clients, you probably have all of their personal information sitting in the open right now. A pile of 1040s on your desk. W-2s floating around in email threads. Maybe a client even gave you their bank login so you could download their statements. Yes, that happens more than you think.
This is no longer just about whether a hacker would bother targeting a small CPA or EA. It is about your duty. Just like a bank is expected to protect every customer's cash, you are expected to protect every client's data. No exceptions based on firm size.
And the stakes are real. A breach without a WISP on record can significantly increase your exposure to client claims, regulatory fines, and civil litigation. Most cyber liability insurers now require evidence of a WISP before binding coverage. No WISP means higher premiums, denied claims, or no coverage at all. The FTC can impose penalties up to $100,000 per violation. The IRS can suspend your EFIN, which means you cannot e-file returns. These are not hypothetical consequences. They are happening to real firms right now.
Add to this the fact that AI works both ways. If the good guys are getting more efficient, so are the bad guys. Cybercriminals are using the same tools to find vulnerabilities faster, target more firms at once, and make breaches harder to detect. The threat environment has changed and your security plan needs to reflect that.
The IRS Is No Longer Quietly Pushing on This
I saw this firsthand at Latino Tax Fest this year. IRS agents were on site, not just handing out brochures but actively conducting education sessions on data security. I had a one-on-one conversation with one of those agents, and the message was very clear. WISP is no longer something you think about once a year when you renew your PTIN.
Speaking of PTIN, this is something a lot of tax professionals do not realize. Form W-12 Line 11 asks you to certify, under penalty of perjury, that you maintain a Written Information Security Plan. That is a federal form. A lot of people just check the box to move on. But if you get breached and cannot produce an actual WISP, that checkbox becomes evidence against you. False certification on a federal form is not a minor issue.
The IRS has called this out specifically for solo and small firms through IRS Publication 4557, which covers safeguarding taxpayer data broadly, and Publication 5708, which provides an actual sample WISP built specifically for tax and accounting practices. These are not long complicated documents. They are practical starting points written for people exactly like you.
What a WISP Actually Covers
A WISP is not as complicated as it sounds. At its core it answers these questions for your practice:
- Who is responsible for your security program and what happens if that person leaves
- What sensitive information your firm possesses and where it lives
- How you store and transmit tax documents, whether that is email, a portal, or a USB drive
- What your password policies, device rules, and Wi-Fi policies are
- Who has access to what and how that access is controlled, including former employees
- Whether multifactor authentication is enabled on your email, tax software, and document storage
- How your vendors handle client data and what their security commitments are in writing
- What your response plan looks like if there is a data breach
- How you dispose of old client records securely
The Five-Minute WISP Test
Before you decide whether your practice needs work, answer these honestly:
- Can you identify every single place where client documents are stored right now?
- Can a former employee still access any of your systems?
- Is multifactor authentication turned on for your email, tax software, and document storage?
- Do you know which of your vendors have access to taxpayer data?
- Does your staff know what to do if they suspect a breach?
- Are client files still being sent back and forth over regular email?
- When did you last review and update your security practices?
If you hesitated on even two or three of those, the problem is not just that your WISP is incomplete. Your actual security process is incomplete. And that is what the IRS and FTC are starting to look at much more seriously.
You Do Not Need an Expensive Consultant to Get Started
One of the biggest reasons small and midsize firms ignore WISP is the assumption that it requires hiring a security consultant. For most solo practitioners it does not. The real answer is simpler than that.
As you move toward automating your practice, ask each software vendor you work with these same questions. If a vendor is touching your client data or documents in any way, they need to have documented security protocols. Ask them. Get it in writing. Keep that documentation alongside your WISP. And go further than just collecting it. Document what data each vendor receives, why they need it, who at their end can access it, and what happens if they get breached. The FTC specifically holds you responsible for your vendors, not just your own systems.
How NILA Fits Into Your WISP
When we built NILA from the ground up, security was not an afterthought. We were thinking about automation, yes, but equally about how to keep your clients' data safe.
Here is what that looks like in practice:
- Every document your client sends through NILA is encrypted in transit and at rest
- When clients submit documents through NILA instead of email, sensitive files stop living scattered across inboxes and email threads
- We have implemented roles and access controls so the right people see only what they need to see
- Centralized document storage makes it much easier to document your data handling in your WISP
- Because everything flows through one system with one process, writing the "how we collect and store client data" section of your WISP becomes straightforward
Take This Seriously
No more piles of 1040s with SSNs sitting on your desk. No more W-2s flying back and forth over email. No more clients handing over their bank passwords so you can pull statements yourself.
Start with the free IRS template and build from there:
Download IRS Publication 5708 — free WISP sample for tax practices
And when you book a demo with us, ask us directly how we are keeping your data safe. We welcome that conversation.