FTC Compliance & Your Written Information Security Plan (WISP)
VeritGuard Knowledge Base | Compliance
If your firm prepares tax returns, manages client financial data, or provides accounting services, federal regulations require you to maintain a documented information security program. This article explains the rules that apply to your firm, what a WISP is, why it matters, what Verito provides, and how to prepare for the process.
In This Article
- What Is the FTC Safeguards Rule?
- What Does IRS Publication 4557 Require?
- What Is a WISP and Why Is It Required?
- What Happens If You Don't Have a WISP?
- What Verito Provides
- How to Prepare for Your WISP Setup Call
- Understanding Your FTC Compliance Audit
- Your Ongoing Responsibilities
- Frequently Asked Questions
1. What Is the FTC Safeguards Rule?
The FTC Safeguards Rule (16 CFR Part 314, issued by the Federal Trade Commission under the Gramm-Leach-Bliley Act) is a federal regulation that applies to "financial institutions" -- a definition that includes tax preparers, accountants, and CPA firms. It requires your firm to develop, implement, and maintain a written information security program that protects client data.
At a minimum, the Safeguards Rule requires:
- A written risk assessment identifying threats to client data
- Access controls limiting who can see what data, with access reviewed periodically
- Encryption of client information in transit over external networks and at rest
- Multi-factor authentication (MFA) for anyone accessing a system that contains client information
- Continuous monitoring of key security controls, or, failing that, annual penetration testing and vulnerability assessments at least every six months
- A written incident response plan for data breaches (and, since May 2024, notification to the FTC within 30 days of discovering a breach that affects 500 or more consumers)
- Oversight of service providers (like IT companies) that handle client data, including contractual security requirements
- Security awareness training for staff
- A designated "Qualified Individual" responsible for the firm's security program
Firms that hold information on fewer than 5,000 consumers are exempt from some of the written elements (the written risk assessment, the penetration testing and vulnerability scanning requirement, the written incident response plan, and the annual written report to leadership). The written information security program itself, access controls, encryption, MFA, training, and service provider oversight apply to every covered firm regardless of size.
The Safeguards Rule is not a suggestion -- it is enforceable, and the FTC actively pursues firms that fail to comply.
2. What Does IRS Publication 4557 Require?
IRS Publication 4557 ("Safeguarding Taxpayer Data") is the IRS's guide for how tax professionals should protect taxpayer information. While it overlaps significantly with the FTC Safeguards Rule, it adds IRS-specific expectations around:
- Maintaining a Written Information Security Plan (WISP)
- Implementing the "Security Six" protections (antivirus software, firewalls, two-factor authentication, backup software or services, drive encryption, and a VPN for remote access)
- Reporting data breaches to the IRS and affected taxpayers
- Conducting employee background checks and security training
The most important practical outcome of IRS Pub 4557 is that your firm must have a WISP. If you prepare tax returns, the IRS expects this document to exist and to be current.
3. What Is a WISP and Why Is It Required?
A Written Information Security Plan (WISP) is a single, living document that explains how your firm protects client and taxpayer data. It is not a technical manual -- it is a compliance document that answers five fundamental questions:
- What data do you hold? (Taxpayer SSNs, financial records, EINs, bank information, etc.)
- Where does that data live? (Which computers, cloud services, applications, and physical locations)
- What safeguards protect it? (Antivirus, backup, encryption, access controls, VPN, training, etc.)
- Who is responsible for each safeguard? (Named roles -- not just "IT handles it")
- How often are safeguards reviewed and tested? (Annually, quarterly, etc.)
Your WISP is the first document regulators, insurers, or auditors will ask for in the event of a data breach, an IRS inquiry, or a cyber insurance claim. If it does not exist, your firm is exposed -- legally, financially, and reputationally.
4. What Happens If You Don't Have a WISP?
The Consequences Are Real
- IRS PTIN revocation: Without a compliant WISP, the IRS can revoke your Preparer Tax Identification Number. Without a PTIN, you cannot e-file tax returns.
- FTC fines: Civil penalties for FTC Safeguards Rule violations can reach $50,120 per violation (the 2023 inflation-adjusted figure; the FTC raises it each year). Each day of non-compliance can be treated as a separate violation.
- Cyber insurance denial: Most cyber insurance policies require a documented security program. Without a WISP, claims may be denied.
- Client trust: If your firm experiences a breach and cannot produce a security plan, it is difficult to retain client confidence.
5. What Verito Provides
Your VeritGuard Pro or Elite plan includes WISP Assistance and FTC Safeguards Audit services. Here is what that covers:
| Service | Essentials | Pro | Elite |
|---|---|---|---|
| WISP Assistance (custom document) | -- | ✅ | ✅ |
| FTC Safeguards Audit | -- | Annual | Semi-annual (twice per year) |
| Employee Cybersecurity Training | -- | ✅ | ✅ |
WISP Assistance includes: A custom WISP document tailored to your firm's size, workflows, and risk profile. This is not a boilerplate template -- it is built from the specific information you provide during the WISP setup call, combined with the technical security data we already have from managing your devices.
FTC Safeguards Audit includes: A compliance review that evaluates whether your firm's security controls meet FTC Safeguards Rule requirements. The audit identifies gaps in your security posture and provides recommendations for remediation.
We do not designate your Qualified Individual (QI) -- we guide you in assigning your own. We do not provide legal counsel or formal legal opinions. The WISP is a compliance document, not a legal contract.
6. How to Prepare for Your WISP Setup Call
After onboarding, Verito will send you a scheduling email to set up your WISP call. To make the call efficient, have the following information ready:
- Your firm's structure: Number of employees, offices, and whether anyone works remotely.
- Types of client data you handle: SSNs, EINs, bank account numbers, financial statements, tax returns, etc.
- Applications and systems you use: Tax software (Drake, UltraTax, Lacerte, etc.), accounting software (QuickBooks, Xero, etc.), email platform (Microsoft 365 or Google Workspace), document management, client portals.
- Physical security: Who has access to your office? Are filing cabinets locked? Are old paper records shredded?
- Who will be your Qualified Individual: This is the person in your firm ultimately responsible for overseeing your security program. It is typically the firm owner or managing partner.
- Any prior security incidents: Have you ever experienced a data breach, phishing attack, lost device, or unauthorized access to client data?
The call typically takes 30-45 minutes. If you received a "Pre-WISP" information email from us before the call, please review and complete it -- it covers many of these questions ahead of time.
7. Understanding Your FTC Compliance Audit
Your compliance audit is not something to be nervous about -- it is a health check for your firm's security. Here is what happens:
- We scan your environment. Using our compliance tools, we assess your devices, network configuration, software versions, security policies, and data handling practices.
- We generate a Technical Risk Analysis report. This report shows where your firm is compliant and where there are gaps -- in plain language, not dense IT jargon.
- We review the findings with you. During a delivery call, our team walks you through the report, explains what each finding means, and recommends next steps for any gaps identified.
- You keep the report. This documentation serves as evidence that your firm is proactively addressing compliance -- useful for cyber insurance applications, client due diligence, and regulatory inquiries.
| Plan | Audit Frequency |
|---|---|
| Pro | Annual (once per year) |
| Elite | Semi-annual (twice per year) |
8. Your Ongoing Responsibilities
Verito handles the technical security and documentation, but compliance is ultimately your firm's responsibility. Here is what you need to maintain on an ongoing basis:
| Responsibility | Frequency | Why It Matters |
|---|---|---|
| Review your WISP with staff | Annually | A security plan only works if employees know it exists and understand their responsibilities. |
| Ensure staff complete cybersecurity training | Twice per year | Both IRS Pub 4557 and the FTC Safeguards Rule require security awareness training; neither fixes a frequency, so twice per year is the schedule used here. Keep attendance records as evidence. |
| Notify Verito of changes | As they occur | New employees, departures, new devices, new software, new office locations -- all affect your security posture and WISP. |
| Designate and maintain a Qualified Individual | Ongoing | Required by the FTC Safeguards Rule. This person oversees your security program. |
| Respond promptly to WISP and audit scheduling | When contacted | Delays in completing your WISP or audit leave your firm without documentation, which is a compliance gap. |
9. Frequently Asked Questions
Q: Is a WISP really required if I'm a solo practitioner?
Yes. The IRS and FTC requirements apply to all tax preparers regardless of firm size. Even a single-person firm handling taxpayer data must have a WISP.
Q: How long does the WISP process take?
The initial setup call takes about 30-45 minutes. After that, Verito prepares the document and schedules a delivery call to walk you through it. The entire process is typically completed within 1 week.
Q: Does Verito update my WISP if my firm changes?
Your WISP should be reviewed and updated annually. If significant changes occur at your firm (new office, major staffing changes, new software), notify Verito and we can help you update the document.
Q: Can I see a sample WISP before the call?
We do not share sample WISPs because each document is custom-built for the client's specific environment. However, the setup call is straightforward -- we guide you through every question and handle the technical writing.
Q: What is a "Qualified Individual" and do I need one?
The FTC Safeguards Rule requires every firm to designate a Qualified Individual (QI) who is responsible for overseeing the firm's information security program. This is typically the firm owner, managing partner, or a senior employee. The QI does not need to be a technical expert -- they just need to ensure the security program is being followed and reviewed. Verito provides the technical implementation; the QI provides the organizational oversight.
Q: I'm on the Essentials plan. Can I still get a WISP?
WISP Assistance is included with Pro and Elite plans. If you are on the Essentials plan, Verito can prepare a WISP as a standalone service for a one-time fee. Contact your account manager or Verito Support for details.
Q: Who do I contact about compliance questions?
Contact Verito Support at (844) 629-9899 or itsupport@verito.com. For WISP-specific scheduling, look for the WISP scheduling email from our team.