What is a WISP? And Do You REALLY Need One?
Your WISP is more than just a policy. It is your guide to protecting your firm and yourself.
More Than Just a Policy
In today’s increasingly digital financial world, cybersecurity is no longer just an IT problem; it’s a firm-wide concern. Accounting firms, tax professionals, bookkeepers, payroll processors, financial planners, and more are prime targets for data breaches because of the vast amount of sensitive financial and personally identifiable information (PII) they manage.
Hence the need for a Written Information Security Program, or WISP: a document-driven framework that outlines how your firm protects client data, manages risks, and responds to cyber threats. The concept may sound like more administrative work, but in an industry facing rising compliance demands and constant cyber attacks, a WISP is both required and essential to the survival of your firm.
Financial Services Are at Particular Risk
Before diving into the mechanics of a WISP, it’s important that we highlight why firms are particularly vulnerable:
High-value data: Tax IDs, banking details, payroll records, and social security numbers are goldmines for cybercriminals.
Seasonal staff and consultants: Many firms bring on temporary help during tax season, increasing the number of access points to sensitive data.
Use of cloud platforms: Tools like QuickBooks Online, TaxDome, Microsoft 365, Google Workspace, AI platforms, Xero, and tax filing systems offer convenience, but each one is another system to configure correctly and another set of credentials to protect.
Remote work: Working remotely expands the attack surface, since client data now travels over home networks and personal devices.
Strict regulatory oversight: GLBA, the FTC’s Safeguards Rule, and state laws mean that even small firms can face steep fines if they don’t protect client data.
What Exactly Is a WISP?
A Written Information Security Program (WISP) is a formal document that outlines how your firm collects, stores, protects, and disposes of sensitive information. It’s both a policy framework and an operational manual that guides your team in managing data security across every level of your organization. Essentially it is your SOP (Standard Operating Procedures) for technology and security in your firm.
A well-written WISP will include:
A clear assessment of what data you hold and where it resides
Policies around access control, encryption, and physical safeguards
Procedures for monitoring systems, detecting breaches, and notifying affected parties
A roadmap for training staff and continually improving security
Legal and Compliance Requirements
Let’s talk compliance. Many firms adopt a WISP because the law requires one and leave it at that. Forward-focused firms go beyond the minimum and design a policy and day-to-day operation that are genuinely built around security.
Some of the key regulatory drivers include:
1. Gramm-Leach-Bliley Act (GLBA)
Applies to firms providing financial services, including tax return preparation and accounting services. Requires “administrative, technical, and physical safeguards” to protect client information.
2. FTC Safeguards Rule (2023 Update)
As of June 2023, the FTC requires covered financial institutions to maintain a formal security program. Your program must include:
A qualified individual to oversee the program
A written risk assessment
Encryption for customer information
Multi-factor authentication (MFA)
Monitoring and testing of systems
Incident response plans
Additional requirements beyond those listed here
3. State Laws
If your firm stores data of residents of certain states (such as MA or CA), state-specific data protection laws often require a WISP, and their requirements may differ from the federal ones. They may include breach notification deadlines and fines for noncompliance.
4. IRS Publication 4557
While not a law, this publication lays out data security expectations for tax professionals. It is a good starting point for a practitioner looking to design a WISP themselves.
5. Insurance Providers
Many cybersecurity or data breach insurance providers not only require a security plan, but may require a review of that plan before honoring your policy. Firms have lost their coverage or had claims denied because they had not complied with their insurance provider’s requirements.
What Needs to Be Included in a WISP?
No two security plans will ever be the same; each firm operates differently, even in small ways. Many of the templates floating around do not provide significant detail or support, and most are lacking in coverage of newer areas such as artificial intelligence, remote work, and offshoring.
Key components of a standard security plan (not an all-inclusive list) include:
1. Risk Assessment and Data Inventory
Start by mapping what data you hold, where it lives, and which technology ecosystems your firm works within.
Technical Tasks:
Use automated discovery tools to scan for sensitive data (SSNs, financial account numbers), and validate the matches so the inventory is not padded with false positives.
Identify data repositories (cloud platforms, local servers, portable devices).
Classify data by sensitivity level.
Assess threats:
Email phishing
Ransomware
Insecure remote access
Lost or stolen devices
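As an added example (not a tool from the article or from Financial Guardians), the scanner below shows what "automated discovery" looks like at its simplest: walk a folder, find candidate SSNs, card numbers and bank routing numbers, validate each candidate with the check the real format carries (SSA issuance rules, the Luhn check, the ABA checksum) so the inventory is not flooded with false positives, and assign each file a sensitivity label. The three-tier labels (Restricted, Confidential, Internal) and the sample file contents are assumptions for illustration; the numbers in the samples are test values, not real client data.

```python
"""Minimal sensitive-data discovery scanner (added example, not a product).

Assumptions (not from the article): files are plain text, formats are US-only,
and the three-tier labels below are one firm's convention.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path

# Patterns are deliberately loose; the validators below do the real work.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators
ROUTING_RE = re.compile(r"\b\d{9}\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def aba_ok(digits: str) -> bool:
    """ABA routing-number checksum: weights 3,7,1 repeating, sum mod 10 == 0."""
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(digits, weights)) % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str      # "ssn", "card" or "routing"
    masked: str    # only the last four digits are kept in reports
    line: int


def _mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return validated identifiers found in a text blob, one Finding per hit."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if is_valid_ssn(*m.groups()):
                findings.append(Finding("ssn", _mask("".join(m.groups())), lineno))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding("card", _mask(digits), lineno))
        for m in ROUTING_RE.finditer(line):
            if aba_ok(m.group()):
                findings.append(Finding("routing", _mask(m.group()), lineno))
    return findings


def classify(findings: list[Finding]) -> str:
    """Three-tier label (assumed firm convention): Restricted > Confidential > Internal."""
    kinds = {f.kind for f in findings}
    if kinds & {"ssn", "card"}:
        return "Restricted"
    if "routing" in kinds:
        return "Confidential"
    return "Internal"


def scan_directory(root: Path) -> dict[str, tuple[str, list[Finding]]]:
    """Walk a folder and build the data inventory: relative path -> (label, findings)."""
    inventory: dict[str, tuple[str, list[Finding]]] = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue                       # unreadable file: skip, do not crash the scan
        findings = scan_text(text)
        inventory[str(path.relative_to(root))] = (classify(findings), findings)
    return inventory


if __name__ == "__main__":
    import tempfile
    # Constructed sample files; the numbers are test values, not real client data.
    samples = {
        "clients/return.txt": "Taxpayer SSN 123-45-6789, spouse 000-12-3456 (invalid area)\n",
        "payroll/direct_deposit.csv": "acct,routing\n1234567,021000021\n",
        "office/lunch_order.txt": "Order 4111 1111 1111 1112 is not a card number\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        for rel, (label, found) in sorted(scan_directory(Path(tmp)).items()):
            print(f"{label:<13} {rel}  {[(f.kind, f.masked, f.line) for f in found]}")
```

Running the script prints one line per sample file with its label and masked hits: the tax return is Restricted (one valid SSN; the 000- number is dropped), the payroll export is Confidential (a routing number that passes the ABA checksum), and the lunch order is Internal because its 16-digit number fails the Luhn check. The report never stores the full identifier, which matters because the inventory itself becomes a sensitive document.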
2. Administrative Controls
These are less-technical measures that set expectations for employees and define responsibilities.
Key Elements:
Appoint a Security Program Coordinator (can be a partner, IT director, or outside consultant).
Create an Acceptable Use Policy outlining how staff should interact with technology.
Define access controls based on the principle of least privilege (POLP).
Require employee background checks for those with access to PII.
Training:
Conduct annual cybersecurity awareness training, including topics like phishing, password hygiene, and incident reporting.
Use simulated phishing campaigns and quizzes to reinforce training.
3. Technical Safeguards
This is where your IT systems come into play. Most practitioners are not fully equipped to handle all of these tasks themselves, so consider consulting a third party for the ones outside your expertise.
Authentication & Access:
Enforce multi-factor authentication (MFA) for all systems and applications that access or store PII.
Use Role-Based Access Control so staff can only access data relevant to their job.
Encryption:
Encrypt data at rest (such as using BitLocker on workstations or encrypted file shares).
Encrypt data in transit using secure file transfer protocols (for example an encrypted client portal or SFTP rather than unencrypted email attachments).
Endpoint Protection:
Install endpoint detection and response (EDR) software on all firm-owned devices.
Ensure real-time monitoring, behavioral analysis, and automated threat quarantining.
Network Security:
Use firewalls and intrusion detection systems to monitor traffic.
Employ virtual private networks (VPNs) for remote access.
Patch Management:
Automate OS and software updates using tools like WSUS or cloud endpoint management systems.
Maintain a patch schedule and audit logs.
4. Physical Security
Don’t forget your physical office space and printed materials.
Physical items to consider:
Lock file cabinets containing sensitive data.
Restrict access to server closets or IT equipment.
Use visitor logs and badge systems.
Install surveillance in areas with sensitive hardware.
Shred all documents before disposal, or use certified e-waste vendors for hardware.
5. Vendor Management
Your data is only as secure as the vendors you trust.
Vendor-Critical Items:
Maintain a vendor inventory of all service providers with access to client data.
Require vendors to sign Data Processing Agreements and provide security certifications (e.g., SOC 2, ISO 27001).
Conduct due diligence on new vendors and re-evaluate annually.
6. Incident Response Plan (IRP)
When, not if, something goes wrong, your WISP should include a clear response protocol.
What Your IRP Should Cover:
Incident detection methods: alerts, staff reporting, threat intelligence feeds
Containment protocols: Isolate infected machines, disable compromised accounts
Remediation steps: Patch vulnerabilities, restore from clean backups
Communication plan: Notify leadership, legal counsel, affected clients, and regulators
Post-mortem review: What went wrong and what should be improved?
7. Monitoring and Testing
Security is not “set and forget” or something you only look at once every few years. It should be a constant, recurring item on your task list.
Ongoing Tasks to Schedule:
Enable centralized logging and alerting using management tools.
Schedule quarterly vulnerability scans and annual penetration tests.
Review user access rights every 90 days.
Document and resolve all security incidents.
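The 90-day access review above is easy to schedule and easy to do badly. As an added example (not a tool from the article or from Financial Guardians), the script below reconciles three inputs a small firm can usually export: an HR roster (status and role), the identity provider's user list (enabled flag, MFA status, group memberships, last login), and a role-to-group matrix that states what each role is allowed to hold under least privilege. It flags terminated users who are still enabled, group memberships beyond the role, accounts with no login in 90 days, accounts without MFA, and accounts that exist in the directory but not in HR. The role names, group names, users and dates are constructed for illustration.

```python
"""Quarterly access review: reconcile HR roster, IdP export and a role matrix.

Added example; every role, group, user and date below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Assumed least-privilege matrix: a role may hold only these groups.
ROLE_GROUPS: dict[str, set[str]] = {
    "partner": {"tax-software", "client-portal", "payroll", "finance"},
    "preparer": {"tax-software", "client-portal"},
    "seasonal": {"tax-software"},
    "bookkeeper": {"client-portal", "payroll"},
}
STALE_DAYS = 90


@dataclass(frozen=True)
class Account:
    """One row of an identity-provider user export."""
    user: str
    enabled: bool
    mfa: bool
    groups: frozenset[str]
    last_login: date | None      # None means the account has never signed in


@dataclass(frozen=True, order=True)
class Issue:
    user: str
    reason: str


def review_access(hr: dict[str, tuple[str, str]], accounts: list[Account],
                  today: date, stale_days: int = STALE_DAYS) -> list[Issue]:
    """Return every exception the reviewer must act on, sorted by user then reason.

    hr maps username -> (status, role); status is "active" or "terminated".
    """
    issues: list[Issue] = []
    for acct in accounts:
        record = hr.get(acct.user)
        if record is None:
            # Orphan: nobody in HR owns it, so no role check is possible.
            issues.append(Issue(acct.user, "not-in-hr"))
        else:
            status, role = record
            if status == "terminated" and acct.enabled:
                issues.append(Issue(acct.user, "terminated-but-active"))
            for group in sorted(acct.groups - ROLE_GROUPS.get(role, set())):
                issues.append(Issue(acct.user, f"excess-group:{group}"))
        if not acct.enabled:
            continue                       # disabled accounts need no login/MFA checks
        if acct.last_login is None or (today - acct.last_login).days > stale_days:
            issues.append(Issue(acct.user, "stale-login"))
        if not acct.mfa:
            issues.append(Issue(acct.user, "no-mfa"))
    return sorted(issues)


def sample_data() -> tuple[dict[str, tuple[str, str]], list[Account], date]:
    """Constructed review inputs (fixed date so the result is reproducible)."""
    today = date(2025, 5, 1)
    hr = {
        "alice": ("active", "partner"),
        "bob": ("active", "preparer"),
        "carol": ("terminated", "seasonal"),
        "dan": ("active", "seasonal"),
    }
    accounts = [
        Account("alice", True, True, frozenset(ROLE_GROUPS["partner"]), today - timedelta(days=5)),
        # bob holds payroll, which preparers are not allowed, and has not logged in for 120 days
        Account("bob", True, True, frozenset({"tax-software", "client-portal", "payroll"}),
                today - timedelta(days=120)),
        # carol left the firm but her account was never disabled, and she has no MFA
        Account("carol", True, False, frozenset({"tax-software"}), today - timedelta(days=30)),
        # dan was provisioned but never signed in and never enrolled in MFA
        Account("dan", True, False, frozenset({"tax-software"}), None),
        # a service account nobody in HR owns, sitting in the finance group without MFA
        Account("svc-backup", True, False, frozenset({"finance"}), today - timedelta(days=1)),
    ]
    return hr, accounts, today


def sample_review() -> list[Issue]:
    hr, accounts, today = sample_data()
    return review_access(hr, accounts, today)


if __name__ == "__main__":
    for issue in sample_review():
        print(f"{issue.user:<12} {issue.reason}")
```

Each line printed is a ticket for the review: disable carol, remove bob from payroll and confirm he still needs the account, enroll dan and svc-backup in MFA (or decide whether svc-backup should exist at all), and record the decisions. Keeping the output of every quarterly run is what lets you show an auditor or insurer that the review actually happened.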
8. WISP Review and Updates
Your WISP should evolve as your business changes. Don’t let a busy schedule or growth plan impact the security of your firm.
Update Triggers:
Adoption of new software or cloud services
Hiring/termination of key personnel
Regulatory changes
After a breach or close call
The WISP should be reviewed at least once per year and updated as needed. Document all changes for audit purposes.
A Few Small Bonuses
Having a WISP is more than just a compliance and legal issue. A security plan has many residual benefits for your firm:
1. Demonstrates Credibility
Clients appreciate knowing you take data security seriously. A WISP shows that you’re not just compliant, but thoughtful.
2. Improves Operational Discipline
Mapping your data flows and systems often uncovers inefficiencies and gaps. A WISP helps tighten your internal processes, and reviewing those processes gives you added insight into how your workflows and data management actually operate.
3. Reduces Insurance Premiums
Cyber liability insurers increasingly request evidence of security programs. A WISP can lower your premiums or help you qualify for coverage in the first place.
4. Limits Legal Exposure
In a breach scenario, having a documented and followed WISP may reduce fines or liability, as it proves due diligence.
A Written Information Security Program isn’t just a formality, it’s a critical part of running any financial services firm. Whether you’re a solo practitioner or a multi-office firm, a WISP helps you stay compliant, keep your clients' trust, and reduce the chaos whenever something goes wrong.
While the technical and legal details can seem intimidating, you don’t have to tackle this alone. Start small, involve your team, and use tools and consultants where needed. The most important thing is to take action.
Feeling Overwhelmed?
This topic, especially when done well, can be very overwhelming. But you are not alone. Financial Guardians is absolutely here to help with any or all of your WISP-related needs:
Monthly Plan: A more DIY solution for somebody looking to partner long-term with a group of other professionals on improving the security of their firm; includes a large WISP template.
WISP Update: If you already have a security plan, but would like it reviewed or updated, we can take your current plan and apply those updates.
Full WISP: Does the thought of even talking about a WISP have you overwhelmed? No worries - we can write one for you from scratch.
Comprehensive Template (Releasing in May 2025): Want a strong starting point to get things kicked off? This powerful and comprehensive template includes a video walk-through as well as a year of updated documents.
Financial Guardians has partnered with NATP to provide access to our monthly Guardian Tier membership at a 30% discount.
Active NATP members can access the online discount here.
Financial Guardians has partnered with NAEA to provide access to our monthly Guardian Tier membership at a 30% discount.
Active NAEA members can access the online discount here.
Financial Guardians is a proud member of InCite, the recently launched online community exclusively for tax professionals, bookkeepers, and accountants. InCite members receive a 30% discount.
Join today at www.incite.tax.
Financial Guardians has partnered with the California Society of Tax Consultants to provide a 30% access discount as well as many other offers. More info can be found at www.cstcsociety.org