Missouri Chapter
WISP Required! Key Components in Your Firm’s Written Information Security Plan*

WISP Required! Key Components in Your Firm’s Written Information Security Plan*

Published June 13, 2023 By Roman H. Kepczyk, CPA., CITP
While the FTC Safeguards rule designed to protect financial and PII (personally identifiable information) has been around for decades, as of June 9, 2023, compliance of various components including a WISP became mandatory!   While primarily targeted at companies maintaining more than 5,000 client records (think tax returns), certain safeguard components are required for firms with less than 5,000 records such as the use of multi-factor authentication, encryption of data, and secure disposal of Information.  Also, with financial and criminal penalties imposed for “knowingly or inadvertently” disclosing taxpayer data, the IRS has issued additional guidance on key strategies for protecting taxpayer data which would apply to all firms regardless of the number of clients they have.  The need for a WISP was highlighted for practitioners when they renewed their PTIN and expanded requirements including security and phishing training.  Accordingly, it is recommended that all firms have a WISP with the caveat that it is “appropriate” to their firm’s size and situation.  Below we identify key components that should be documented in writing to be incorporated into firm WISPs as well as templates and resources to help you get started.

STEP 1: Designate WISP Leader: Firm’s must appoint an individual to represent the firm in coordinating the development of the firm’s information security program.   This includes providing the authority to hire security consultants, external technical expertise, and work with knowledgeable service providers to assist with the technical components which are most likely beyond the technical knowledge and understanding of the WISP leader.

STEP 2: Conduct a Risk Assessment:  The firm must identify where all protected data is located and how it may be utilized including the foreseeable cybersecurity risks and system vulnerabilities that could compromise this data.  This can begin by listing all the firm’s applications and identifying which contain protected data as well as the location where this data is stored, whether on individual hard drives, mobile media, firm network drives, or in the cloud (hosted applications and data backup providers). The same stringent risk assessment procedures the firm applies to its internal systems should be applied to third-party cloud application vendors and hosting providers.  This comprehensive file inventory should also indicate if that data is encrypted and who has access to these files (regularly checking to verify that individual access is terminated when the employee or contractor is terminated).

STEP 3: Implement Safeguards: The next step is to identify the safeguards the firm has in place and whether they are deemed adequate. Right Networks has coined the phrase “Smart Security Management” to separate CPA firm safeguards into three components: Securing Firm/Client Data, Protecting User Access, and Ongoing Cyber Education. Firms should partner with IT experts and cloud providers to implement “Enterprise” grade cybersecurity solutions including intrusion detection, prevention, and remediation as well as a “hardened” IT infrastructure to ensure system resilience and business continuity.  This would entail automatic updating of the operating systems and firmware for all computing and network devices including remote users and home Wi-Fi. Preventing unlawful access is the second component and includes the use of multi-factor authentication, complex passwords (12+ characters recommended), and technical solutions to ensure passwords are unique and not re-used (such as password wallets to store them).  The final component of Smart Security Management is employee education discussed in Step 5. To assist firms in identifying current IT safeguards and security best practices, Right Networks has a Cybersecurity Checklist available at: CPA-Cybersecurity-Checklist.pdf (rightnetworks.com) which was originally created for the AICPA PCPS.   The WISP leader should walk through this listing with their IT experts at least annually so they understand the firm’s status on each item and can implement safeguards where needed.

STEP 4: Ongoing Testing and Monitoring: The WISP leader must work closely with their internal IT personnel and external security contractors to ensure that cyber safeguards are being continuously monitored and that alerts are being followed up with and remediated. Special attention should be given when new applications or hardware are implemented to ensure that they fall within the WISP guidelines and do not expose firm data to unintended consequences. Data backups should be tested regularly as well as disaster recovery solutions to ensure the firm can recover from a breach or ransomware event.

STEP 5: Employee Education: The IRS recommends firms provide ongoing cyber security education discussing not only the firm’s security policies and procedures, but also education on current and evolving threats, how to connect securely via a VPN (virtual private network), and how to respond in the event the employee suspects a breach.  Firm policies regarding client data should be reviewed and updated annually such as for example the firm’s document retention policy where personnel should be educated on how to properly delete files (including that which is stored on external media).  Security training would also include regular updates on how cybercriminals are using social engineering and increasingly sophisticated phishing email schemes to get firm members to provide information, allow malicious access, and to unintentionally click on a link or download files and applications that may contain malware.

STEP 6: Preparing for the Worst: Additional components of the WISP include having a breach response plan and cyber-insurance in place in the event of a breach.  The breach response team should include expertise in responding to and remediating a cyber event and a plan to communicate with the appropriate authorities and any impacted clients.  Insurance policies should also be reviewed annually to ensure that any new requirements are being covered as well as verifying the firm has adequate 1st and 3rd party coverage if the firm is breached.

As outlined in the steps above, it’s obvious that developing a WISP is a significant undertaking but it is one that if done properly will better protect the firm and its client’s data.  To assist firms in formalizing their WISP, the IRS provides a template via Publication 5708: How to Create a Written Information Security Plan for Your Tax & Accounting Practice.

Roman H. Kepczyk, CPA.CITP, CGMA is director of Firm Technology Strategy for Right Networks and partners exclusively with accounting firms on production automation, application optimization and practice transformation. He has been consistently listed as one of INSIDE Public Accounting’s Most Recommended Consultants, Accounting Today’s Top 100 Most Influential People, and CPA Practice Advisor’s Top Thought Leaders. *This article was originally published June 10, 2023 at CPA Practice Advisor.

Recent Posts

Browse Archives

Apr 2024
Jan 2024
Jun 2023
Dec 2022
Nov 2022
Oct 2022
Jul 2022
Jun 2022
Mar 2022
Jan 2022
Nov 2021
Sep 2021
Jul 2021
Jun 2021
May 2021
Apr 2021
Feb 2021
Jan 2021
Dec 2020
Oct 2020
Sep 2020
Aug 2020
Jul 2020
May 2020
Apr 2020
Jan 2020
Nov 2019
Oct 2019
Aug 2019
May 2019
Apr 2019
Jan 2019
Dec 2018
Oct 2018
Sep 2018
Aug 2018
Jul 2018
Jun 2018
May 2018
Apr 2018
Feb 2018
Jan 2018
Dec 2017
Oct 2017
Jul 2017
Jun 2017
May 2017
Apr 2017
Mar 2017
Feb 2017
Jan 2017
Dec 2016
Nov 2016
Oct 2016
Sep 2016
Aug 2016
Jul 2016
Jun 2016
Apr 2016
Mar 2016
Dec 2015
Nov 2015
Oct 2015
Sep 2015
Jun 2015
Apr 2015
Mar 2015
Feb 2015
Jan 2015
Dec 2014
Nov 2014
Oct 2014
Sep 2014
Aug 2014
Jul 2014
Jun 2014