Skip to main content
All resources
Checklists

FTC Safeguards Rule WISP Checklist 2026

Complete 2026 FTC Safeguards Rule WISP checklist for tax preparers and CPA firms — every 16 CFR Part 314 element mapped to IRS Pub 5708 controls.

May 202612 min read
Written by Alfonso LovoLinkedInReviewed by WISPWolf Compliance TeamLast Updated: May 2026 · Verified July 10, 2026
Short answer

The FTC Safeguards Rule (16 CFR Part 314) requires every covered tax and accounting firm to maintain a written security program with nine specific elements — including a designated qualified individual, risk assessment, MFA, encryption, employee training, vendor oversight, and an annual review. This checklist maps all nine to your WISP.

In a hurry? Get your free Compliance Score, then come back to this guide.

Take the Free Quiz View Sample WISP

If you prepare tax returns for compensation, the Federal Trade Commission considers your firm a "financial institution" under the Gramm-Leach-Bliley Act — and that means the FTC Safeguards Rule (16 CFR Part 314) applies to you. The rule requires every covered firm to maintain a Written Information Security Plan (WISP) with specific, documented controls. The IRS has aligned its own guidance — Publication 5708 ("Creating a Written Information Security Plan for your Tax & Accounting Practice") and Publication 4557 ("Safeguarding Taxpayer Data") — to the same framework. For the statutory foundation, see the GLBA Safeguards Rule pillar.

This 2026 checklist walks through every Safeguards Rule requirement the way an FTC examiner, IRS auditor, or cyber insurance underwriter actually reads it. Use it as a self-audit. Every item you can't check off today is a gap to close before your next PTIN renewal or insurance renewal — and read it alongside the 2026 WISP requirements brief.

On this page

What Is the FTC Safeguards Rule?

The FTC Safeguards Rule, codified at 16 CFR Part 314, implements the security provisions of the Gramm-Leach-Bliley Act (GLBA) for non-bank financial institutions. The rule was substantially revised in October 2021, and the full set of new requirements became enforceable on June 9, 2023. It mandates that covered firms "develop, implement, and maintain a comprehensive information security program" — a WISP — that contains specific administrative, technical, and physical safeguards proportional to the firm's size and the sensitivity of the customer information it handles.

The 2023 amendments added nine concrete elements that every program must include, most notably: a designated Qualified Individual, a written risk assessment, encryption of customer information in transit and at rest, multi-factor authentication for any access to customer information, an incident response plan, and an annual written report to firm leadership. The rule also requires firms with 5,000 or more consumers to report certain notification events to the FTC within 30 days — a requirement that took effect May 13, 2024.

Who Must Comply in 2026?

The Safeguards Rule applies to every "financial institution" the FTC has jurisdiction over. For the tax and accounting industry, that includes:

  • All paid tax return preparers — including PTIN holders, EAs, CPAs, and attorneys preparing returns for compensation.
  • Accounting and bookkeeping firms that handle personally identifiable financial information.
  • Enrolled agents and tax resolution practices — see WISP requirements for bookkeepers and EAs.
  • Payroll service providers and small CPA offices, regardless of revenue.
  • Solo practitioners with a single PTIN. There is no small-business exemption — only narrower reporting requirements for firms under 5,000 consumers.

The IRS reinforces this through the annual PTIN renewal: since the 2024 cycle, every paid preparer must attest to having a written data security plan. For a full breakdown of the IRS-specific obligation, see our companion guide on the IRS WISP requirement for PTIN holders, and for the section-by-section drafting walkthrough use the tax preparer security plan guide.

The Complete WISP Checklist

The checklist below groups the Safeguards Rule's requirements into the six categories an auditor will work through. Each item cites the controlling section of 16 CFR § 314.4 or the matching IRS Pub 5708 / Pub 4557 control. Use the free IRS WISP template as your structural starting point.

1. Administrative Safeguards (§ 314.4(a), (e), (i))

Who is accountable, what is documented, and how the program is governed.

  1. Designate a Qualified Individual to oversee, implement, and enforce the information security program (§ 314.4(a)). Name them in writing in your WISP.
  2. Maintain a written information security program appropriate to your size and complexity (§ 314.3). Verbal practices do not satisfy the rule.
  3. Conduct and document a written risk assessment identifying reasonably foreseeable internal and external risks to customer information (§ 314.4(b)). Update it whenever your systems or staffing materially change.
  4. Implement security awareness training for all personnel and refresh it as risks evolve (§ 314.4(e)). Phishing is still the dominant vector for tax-data breaches.
  5. Retain qualified information security personnel — internally or through a vendor — sufficient to manage the risks identified (§ 314.4(e)(2)).
  6. Provide an annual written report from the Qualified Individual to your board or, for smaller firms, your senior management — covering program status, risk assessment results, and incidents (§ 314.4(i)).
  7. Document an acceptable use policy and signed employee acknowledgments. These are required by IRS Pub 4557 and expected by every cyber insurance underwriter.

2. Technical Safeguards (§ 314.4(c))

The system-level controls that protect customer information day to day.

  1. Implement and periodically review access controls using least-privilege principles (§ 314.4(c)(1)). Review user access at least annually.
  2. Inventory data, personnel, devices, systems, and facilities that enable you to identify customer information (§ 314.4(c)(2)).
  3. Encrypt all customer information at rest and in transit over external networks (§ 314.4(c)(3)). Use TLS 1.2 or higher in transit and AES-256 (or equivalent) at rest. Document any compensating controls if encryption is infeasible — the Qualified Individual must approve them in writing.
  4. Adopt secure development practices for any in-house applications (§ 314.4(c)(4)).
  5. Implement multi-factor authentication for any individual accessing any information system that holds customer information (§ 314.4(c)(5)). This includes email, tax software, file shares, and your practice management system.
  6. Securely dispose of customer information no later than two years after the last interaction, unless retention is required by law or a legitimate business need (§ 314.4(c)(6)).
  7. Adopt procedures for change management (§ 314.4(c)(7)).
  8. Monitor and log activity of authorized users and detect unauthorized access (§ 314.4(c)(8)).

3. Physical Safeguards (IRS Pub 4557 alignment)

The Safeguards Rule treats physical controls under the broader administrative and technical umbrellas, but IRS Pub 4557 and 5708 call them out explicitly.

  1. Lock physical files and storage areas containing taxpayer information.
  2. Restrict facility access with badges, keys, or visitor logs.
  3. Enforce a clean-desk policy and require workstations to lock automatically after a short idle period.
  4. Secure disposal of physical media — cross-cut shred paper; physically destroy or cryptographically erase drives and USB devices.
  5. Document workstation, laptop, and mobile device controls, including full-disk encryption on every endpoint that touches taxpayer data.

4. Vendor and Service Provider Oversight (§ 314.4(f))

One of the most frequently missed sections — and a top cause of cyber insurance claim denials.

  1. Maintain a written vendor inventory of every service provider that touches customer information (tax software, cloud storage, email, payroll, e-signature, etc.).
  2. Select and retain providers capable of maintaining appropriate safeguards (§ 314.4(f)(1)). Document your due diligence — SOC 2 reports, security questionnaires, or signed attestations.
  3. Require service providers, by contract, to implement and maintain such safeguards (§ 314.4(f)(2)). Update your engagement letters and DPAs.
  4. Periodically assess service providers based on the risk they present and the continued adequacy of their safeguards (§ 314.4(f)(3)).

5. Incident Response and Breach Notification (§ 314.4(h), § 314.5)

The rule expects you to know exactly what you will do in the first 72 hours of an incident.

  1. Maintain a written incident response plan designed to promptly respond to and recover from any security event that materially affects customer information (§ 314.4(h)).
  2. Define internal processes for responding — roles, escalation, evidence preservation, and external communications.
  3. Define roles, responsibilities, and decision-making authority for incident response.
  4. Establish external and internal communications and information sharing protocols, including legal counsel, cyber insurer, and forensic vendor contacts.
  5. Identify remediation requirements for any identified weaknesses.
  6. Document and evaluate the response after every incident, and revise the program as needed.
  7. Notify the FTC as soon as possible, and no later than 30 days, of any notification event involving the unencrypted customer information of 500 or more consumers (§ 314.5). This obligation applies to firms with 5,000 or more consumers in their systems.
  8. File IRS Stakeholder Liaison and state notifications as required by IRS Pub 4557 and state breach laws.

6. Ongoing Program Management (§ 314.4(d), (g))

The Safeguards Rule is not a one-time project. The 2021 amendments make continuous evaluation explicit.

  1. Test or otherwise monitor the effectiveness of safeguards. Either perform continuous monitoring or annual penetration testing and semi-annual vulnerability assessments (§ 314.4(d)).
  2. Evaluate and adjust the information security program in light of testing results, material changes to operations, or any other circumstance the Qualified Individual reasonably believes may have a material impact (§ 314.4(g)).
  3. Conduct an annual WISP review with a signed attestation from the Qualified Individual — this is the artifact the IRS expects at PTIN renewal.
  4. Keep dated logs of training, vendor reviews, risk assessments, and incidents. Undated records are treated as missing records under audit.
  5. Update the program after any material change — new tax software, new staff, office move, new cloud provider, or any incident.

Common Compliance Mistakes

After working with hundreds of tax and accounting firms, the same gaps come up over and over — many of them captured in why a one-time WISP document is no longer enough and the annual WISP review checklist:

  • Treating a template as a WISP. Downloading a sample, filling in the firm name, and printing it is not a program. The rule requires controls to be implemented, not just described.
  • No named Qualified Individual. "Everyone is responsible" means no one is. The rule requires a single designated person.
  • Skipping the written risk assessment. Without it, you cannot defensibly say your safeguards are "proportional" to your risk.
  • MFA on email only. § 314.4(c)(5) covers every system that touches customer information — including your tax software, document portal, and remote desktop.
  • Two-year-old data still on the file server. § 314.4(c)(6) requires disposal within two years absent a documented retention need.
  • No vendor inventory. If you cannot list every provider that touches customer data, you cannot perform the oversight § 314.4(f) requires.
  • No annual review or signed attestation. This is the single document the IRS and your cyber insurance carrier are most likely to request — see the cyber insurance questionnaire walkthrough.

How to Automate Your WISP Compliance

Most of the controls above can be evidenced automatically if your firm runs on Microsoft 365 or Google Workspace. MFA enforcement, conditional access policies, encryption status, admin activity logs, and mailbox retention can all be read directly from the tenant — no screenshots, no spreadsheets. Tying that live evidence to each Safeguards Rule citation turns your WISP from a static PDF into a continuously monitored program. See Microsoft 365 WISP compliance automation for the implementation pattern.

WISPWolf does exactly that. It generates your WISP from a guided intake mapped to 16 CFR Part 314 and IRS Pub 5708, then pulls live evidence from your Microsoft 365 tenant on a read-only connection. The result is a Living WISP that updates as your environment changes, tracks every annual review, and produces the exact report cyber insurance underwriters ask for. Firms looking specifically at tax-preparer use cases can dig deeper on our WISP for tax preparers page.

Frequently Asked Questions

Is the FTC Safeguards Rule actually enforced against small tax firms?

Yes. The FTC has brought enforcement actions against small financial institutions, and IRS Stakeholder Liaisons routinely refer breach incidents involving tax preparers to the FTC. More commonly, non-compliance surfaces during a cyber insurance claim — and 'no documented WISP' is one of the most frequent reasons claims are denied or premiums spike.

Do I really need MFA on my tax software, not just email?

Yes. 16 CFR § 314.4(c)(5) requires multi-factor authentication for any individual accessing any information system that holds customer information. Tax software clearly qualifies. The Qualified Individual may approve a reasonably equivalent compensating control in writing, but turning MFA on is almost always cheaper and faster.

How is IRS Publication 5708 different from the FTC Safeguards Rule?

Pub 5708 is the IRS's plain-English guide to building a WISP for a tax practice. It maps cleanly onto the FTC Safeguards Rule and Pub 4557 controls, but its purpose is instructional — it shows you how to document the program the Safeguards Rule requires. A WISP built to Pub 5708 generally satisfies the Safeguards Rule's documentation expectations for a small firm.

How often does my WISP have to be reviewed?

At least annually, and any time there is a material change to your operations — new software, new staff, an office move, or after any security incident. The Qualified Individual is required to deliver a written report to firm leadership at least once a year (§ 314.4(i)).

What is the FTC's 30-day breach notification rule?

Effective May 13, 2024, covered financial institutions must notify the FTC within 30 days of discovering a security event involving the unencrypted customer information of 500 or more consumers. The notification is filed through the FTC's online portal and must identify the firm, describe the event, and report the number of consumers affected.

Does the rule apply to firms with fewer than 5,000 consumers?

The substantive duties — MFA, encryption, training, vendor oversight, incident response — still apply in full. The exemption only narrows a few documentation requirements (the written risk assessment, written incident response plan, and annual report to the governing body). See the GLBA Safeguards Rule pillar for the statutory framing.

What is the fastest way to get compliant if I have nothing in place today?

Start with a gap assessment. The free WISPWolf compliance quiz takes about five minutes and gives you a letter grade plus a prioritized remediation list mapped to 16 CFR Part 314. Then download the free Compliance Starter Kit for the structural baseline document.

Ready to close the gaps?

Generate your IRS-compliant WISP in minutes.

WISPWolf maps every control to 16 CFR Part 314 and IRS Pub 5708, pulls live Microsoft 365 evidence, and tracks your annual review automatically.

IRS Pub 5708 Compliant · FTC Safeguards Rule · AES-256 Encrypted · No Credit Card Required

Disclaimer: This article is for informational purposes only and does not constitute legal advice. WISPWolf is a compliance documentation platform, not a law firm. Citations to 16 CFR Part 314, IRS Publication 5708, and IRS Publication 4557 reflect the rules as published; consult qualified legal counsel and a licensed information security professional for advice specific to your firm.

References

Sources & References

Primary regulatory and standards sources used throughout WISPWolf's compliance guidance.

  1. IRS Publication 5708 — Creating a Written Information Security Plan
  2. IRS Publication 4557 — Safeguarding Taxpayer Data
  3. FTC Safeguards Rule (16 CFR Part 314)
  4. Gramm-Leach-Bliley Act (GLBA) Safeguards
  5. IRS Tax Security — Protect Your Clients, Protect Yourself
  6. NIST Cybersecurity Framework
  7. Microsoft Security Documentation
Free Compliance Starter Kit

Get the free WISPWolf Compliance Starter Kit

Download the starter kit and identify your compliance gaps. Includes an IRS WISP starter template (not a completed customized WISP), FTC Safeguards Rule checklist, GLBA checklist, risk assessment worksheet, cyber insurance guide, and tax preparer compliance checklist.

Free WISP Compliance Score

Get Your Free WISP Compliance Score

See how your firm's security practices compare to FTC Safeguards Rule and IRS WISP expectations. Answer 15 questions and get a personalized scorecard in minutes.

IRS Pub 5708 Compliant · FTC Safeguards Rule · AES-256 Encrypted · No Credit Card Required