The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule requires financial institutions — including tax preparers, bookkeepers, CPA firms, financial advisors, and insurance agencies — to maintain a written information security program. It's enforced by the FTC through 16 CFR Part 314 and is the legal foundation of the WISP requirement.
In a hurry? Get your free Compliance Score, then come back to this guide.
Take the Free Quiz View Sample WISPIf you prepare tax returns for compensation, keep books for clients, advise on investments, sell insurance, or originate loans, federal law treats you as a financial institution. That single classification triggers one of the most consequential information-security regimes in the country: the Gramm-Leach-Bliley Act and its implementing regulation, the FTC Safeguards Rule (16 CFR Part 314). This pillar guide is the long-form reference for tax preparers, CPA firms, bookkeepers, financial advisors, and insurance agencies who need to understand what GLBA compliance actually requires in 2026 — and how to document it inside a Written Information Security Plan that will hold up to an FTC inquiry, a PTIN audit, or a cyber insurance renewal.
Table of contents
- What is the Gramm-Leach-Bliley Act?
- GLBA, the Safeguards Rule, and the Privacy Rule
- Why tax preparers and financial professionals care
- The nine GLBA security requirements
- Conducting a written risk assessment
- MFA requirements under the Safeguards Rule
- Vendor and service-provider oversight
- Incident response and the 30-day FTC notification rule
- Mapping GLBA to your Written Information Security Plan
- The GLBA compliance checklist
- Penalties and enforcement
- Frequently asked questions
What is the Gramm-Leach-Bliley Act?
The Gramm-Leach-Bliley Act, formally the Financial Services Modernization Act of 1999, was passed primarily to repeal the Glass-Steagall barrier between commercial banking, investment banking, and insurance. Tucked inside that statute, however, was Title V — a set of privacy and information-security provisions that have reshaped how every "financial institution" in the United States handles customer information.
Title V has two operative pieces. The Privacy Rule governs what a financial institution can do with consumer financial information and requires annual privacy notices. The Safeguards Rule governs how that information must be protected. For non-bank financial institutions — which include almost every tax and accounting firm — the Federal Trade Commission is the agency that writes and enforces the Safeguards Rule. The current version of the rule, with significant amendments effective in 2023 and a breach-notification amendment effective in 2024, is codified at 16 CFR Part 314.
Crucially, GLBA's definition of "financial institution" is much broader than what most small-business owners assume. It is not limited to banks, credit unions, or brokerages. The FTC has issued guidance and brought enforcement actions making clear that the definition reaches:
- Paid preparers of federal tax returns (anyone with a PTIN)
- Bookkeepers and accounting firms
- Enrolled agents, CPAs, and tax attorneys acting in a financial-services capacity
- Financial advisors and investment advisers not otherwise regulated by the SEC
- Insurance agencies and brokers
- Mortgage brokers, lenders, and loan servicers
- Check-cashing businesses, payday lenders, and debt collectors
- Career counselors that serve people in the financial services industry
Notice the absence of any revenue floor, employee count, or "small business exemption." If you fall in a covered category, the Safeguards Rule applies. Size only changes which documentation requirements apply, not the underlying duty to protect customer information.
GLBA, the Safeguards Rule, and the Privacy Rule
The terminology trips up almost every firm the first time it encounters this regime. Here is how the pieces fit together:
- GLBA — the underlying federal statute (15 U.S.C. §§ 6801–6809 and 6821–6827).
- FTC Privacy Rule — 16 CFR Part 313. Governs information sharing and the annual privacy notice. Recent amendments have moved much of this to the CFPB's Regulation P for some institutions, but tax preparers still answer to the FTC.
- FTC Safeguards Rule — 16 CFR Part 314. Governs the administrative, technical, and physical safeguards that protect customer information. This is the rule that requires your WISP.
- IRS Publication 5708 — a tax-preparer-specific implementation guide and template that mirrors the Safeguards Rule structure and adds IRS-specific items, including PTIN-related attestations. See our full IRS Publication 5708 guide.
- IRS Publication 4557 — older companion guidance, Safeguarding Taxpayer Data, still cited by the IRS and useful as a plain-language reference.
When a tax-and-accounting professional refers casually to "GLBA compliance," the practical content of that phrase is almost always the FTC Safeguards Rule. When they refer to "WISP compliance," it is the document the Safeguards Rule requires you to maintain. The IRS attaches its own PTIN-renewal attestation on top of all of that.
Why tax preparers and financial professionals care
Three forces have converged to make GLBA compliance an urgent operational concern in 2026, not a back-burner legal exercise.
1. The IRS now verifies the PTIN attestation
Since the 2024 renewal cycle, the PTIN renewal form has required preparers to attest that they have a written data security plan. Through 2025 the attestation functioned as a checkbox. In 2026 the IRS Stakeholder Liaison program is sampling attestations and requesting documentation. A preparer who attested without actually having a WISP has exposure not just under the Safeguards Rule but potentially under 18 U.S.C. § 1001 for false statements. See the dedicated IRS WISP requirement for PTIN holders brief for the renewal mechanics.
2. The 2023 technical amendments are fully enforceable
The FTC's 2021 amendments to the Safeguards Rule — pushed to a June 2023 enforcement date — added prescriptive technical requirements that did not exist in the original rule. MFA on every system, encryption at rest and in transit, continuous monitoring or annual penetration testing plus biannual vulnerability assessments, secure development practices, and a written incident response plan are no longer aspirational. They are baseline. Firms that "intend to get to it after busy season" are exactly the population the FTC is targeting.
3. Cyber insurance carriers demand evidence
Travelers, Chubb, Coalition, At-Bay, Beazley, and CNA all updated their 2025 and 2026 application questions to ask for the actual WISP, the date of the most recent annual review, evidence of MFA enforcement, and the named Qualified Individual. Firms that submit a template document with placeholder text are seeing premiums climb 20–40% or facing outright non-renewal. After an incident, carriers routinely deny claims where the application materially misrepresented controls. See the cyber insurance questionnaire walkthrough for the specific questions you will be asked.
Download the GLBA Compliance Checklist
A printable checklist covering the Safeguards Rule, Privacy Rule, and recordkeeping requirements. Part of the free WISPWolf Compliance Starter Kit — a starter resource for identifying gaps, not a completed customized WISP.
The nine GLBA security requirements
The Safeguards Rule organizes its substantive requirements into nine elements at 16 CFR § 314.4. Every WISP — and every audit, insurance, or due-diligence checklist your firm faces — is built around these nine items. They are the spine of GLBA compliance.
Element 1 — Designate a Qualified Individual
Section 314.4(a) requires you to designate a single individual — internal or external — to oversee, implement, and enforce the information security program. The role does not require a credential, but the person must have the authority and the time to do the work. For a solo preparer the Qualified Individual is the preparer. For a 10-person firm it is typically the partner with the strongest operational background, supported by an outside vMSP or vCISO. The designation must be documented in the WISP, including the name, title, and reporting line.
Element 2 — Conduct a written risk assessment
Section 314.4(b) requires a written risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information. The assessment must address: the criteria you use to evaluate and categorize risks; the criteria for assessing the confidentiality, integrity, and availability of your information systems; and how identified risks will be mitigated or accepted. Firms with fewer than 5,000 customers are not required to put the risk assessment in writing — but the assessment itself still has to be performed, and the FTC will ask to see contemporaneous evidence.
Element 3 — Design and implement safeguards
Section 314.4(c) is the heart of the rule. Eight specific safeguard categories must be addressed:
- Access controls. Least-privilege access, periodic review of who has access to what.
- Inventory. Know what data you have, where it lives, who can touch it, and how it is disposed of.
- Encryption. At rest and in transit; reasonable compensating controls only with documented approval by the Qualified Individual.
- Secure development practices. If you build or significantly customize applications.
- Multi-factor authentication. For any individual accessing any information system containing customer data.
- Secure disposal. Of customer information no longer needed, no later than two years after the last legitimate business use, unless a longer retention period is legally required.
- Change management. Procedures to evaluate, approve, and document changes to information systems.
- Monitoring and logging. Of authorized user activity and detection of unauthorized access.
Element 4 — Regularly test or monitor safeguards
Section 314.4(d) requires either continuous monitoring of the effectiveness of safeguards, or annual penetration testing plus vulnerability assessments at least every six months. For most small firms, continuous monitoring through a managed detection-and-response (MDR) provider or an integrated platform like WISPWolf is operationally easier than scheduling pen tests.
Element 5 — Train your staff
Section 314.4(e) requires security awareness training, periodic updates, and the use of qualified information security personnel. Training must be relevant — generic 30-minute videos from 2019 do not satisfy the rule when the threat landscape is dominated by phishing, vendor compromise, and AI-generated social engineering.
Element 6 — Oversee service providers
Section 314.4(f) requires three things: (1) due diligence in selecting service providers capable of maintaining appropriate safeguards; (2) contractual requirements obligating the provider to implement and maintain those safeguards; and (3) periodic reassessment of the provider's continued adequacy.
Element 7 — Keep your program current
Section 314.4(g) requires you to evaluate and adjust the information security program based on the results of testing and monitoring, material changes to your operations, and any other circumstance that may have a material effect. This is the "living document" requirement — the reason a static WISP downloaded once never satisfies the rule.
Element 8 — Establish a written incident response plan
Section 314.4(h) requires a written incident response plan addressing internal processes, roles and responsibilities, communications, remediation, documentation and reporting, and post-event review. The plan must be tested.
Element 9 — Report to the governing body
Section 314.4(i) requires the Qualified Individual to report in writing, at least annually, to the firm's board of directors or equivalent governing body. The report must cover the overall status of the program, compliance with the Safeguards Rule, and material matters including risk assessment results, testing results, security events, and management's responses.
Conducting a written risk assessment
The risk assessment is the document the FTC asks for first. It is also the document that most firms get wrong — usually by treating it as a one-page checklist instead of an analytical exercise.
A defensible risk assessment for a tax or accounting firm contains six sections:
- Data inventory. Every system that touches customer information: tax software, document portals, email, cloud storage, payroll, payment processing, backup, accounting software, e-signature platforms. For each, note the data classification, the volume, and the retention period.
- Threat catalog. The realistic threats to that inventory — phishing of staff credentials, business email compromise, ransomware, lost or stolen devices, malicious insiders, vendor compromise, accidental disclosure.
- Vulnerability analysis. Where current controls are weakest. Common gaps: MFA not enforced on tax software, encryption not enabled on workstations, no backup test in the last 12 months, shared logins for portal access.
- Risk scoring. Likelihood × impact. A simple high/medium/low matrix is acceptable; the FTC has not prescribed a methodology.
- Treatment plan. For each material risk, the control you will implement (or the compensating control you will accept), the owner, and the target date.
- Review cadence. When and how the assessment will be revisited. Annual is the minimum; quarterly is recommended.
Time-box the first pass. A solo preparer can produce a credible risk assessment in three to four hours using the WISPWolf template plus the IRS Publication 5708 worksheets. A multi-partner CPA firm should expect one to two business days for the first iteration and a half-day annually thereafter.
MFA requirements under the Safeguards Rule
Section 314.4(c)(5) is unambiguous: multi-factor authentication "for any individual accessing any information system" containing customer information. The rule allows the Qualified Individual to approve "reasonably equivalent or more secure" controls in writing — but in practice the FTC and cyber insurance carriers expect actual MFA.
In a typical tax or accounting firm, MFA must be enforced on:
- Email — Microsoft 365, Google Workspace, or any other provider.
- Tax preparation software — UltraTax, Drake, Lacerte, ProSeries, ATX, TaxAct, TaxSlayer Pro, and the cloud equivalents.
- Document portals — SmartVault, Liscio, ShareFile, OneDrive, SharePoint, Google Drive, Dropbox Business, Karbon.
- Practice management — Canopy, Karbon, TaxDome, OfficeTools, Jetpack Workflow.
- Cloud accounting — QuickBooks Online, Xero, Sage Intacct, NetSuite.
- Payroll — Gusto, ADP, Paychex, OnPay, Patriot.
- Remote access — RDP, VPN, any jump-server.
- Hosted Windows environments — Rightworks, Cetrom, Verito.
- Admin consoles — anything where one person can change access for many.
Phishing-resistant factors (FIDO2 security keys, platform authenticators tied to a trusted device) are increasingly the baseline expectation. SMS-only MFA is still technically allowed but is the first thing carriers flag as "weak control."
Vendor and service-provider oversight
Vendor compromise — not direct attacks on the firm — is the most common breach vector for tax and accounting practices today. Section 314.4(f) puts the responsibility for that risk back on the firm.
A defensible vendor management program contains:
- A current list of every vendor that touches customer information, classified by risk.
- Due-diligence documentation collected before contracting — SOC 2 Type II reports, security questionnaires, evidence of insurance, breach history.
- Written contracts that obligate the vendor to maintain controls equivalent to your own, notify you of incidents within a defined window, and submit to audit on reasonable notice.
- Annual reassessment — updated SOC 2, refreshed questionnaire, contract renewal review.
- An offboarding procedure that confirms data return or certified destruction when a vendor relationship ends.
Tax software vendors, document portals, cloud accounting platforms, payroll providers, e-signature platforms, IT MSPs, and any AI tools that process client data all belong in scope.
Incident response and the 30-day FTC notification rule
The Safeguards Rule has always required a written incident response plan. The May 2024 amendment added a hard external deadline: any security event involving the unencrypted information of 500 or more consumers must be reported to the FTC within 30 days of discovery, through the FTC's online portal. The notice must include the firm name, contact information, a description of the event, the number of consumers affected, and whether a law enforcement official has determined that notification would impede an investigation.
A workable incident response plan addresses:
- Detection and triage. Who is notified, in what order, with what information.
- Containment. Isolate affected systems, preserve forensic evidence, change credentials.
- Eradication and recovery. Restore from clean backups, validate the restore, monitor for re-infection.
- External notification. FTC (30 days for 500+ consumers), state attorneys general per state law, the IRS Stakeholder Liaison for client-data incidents, cyber insurance carrier within the policy-defined window (usually 48–72 hours), and affected clients per state breach-notification statutes.
- Documentation. A contemporaneous timeline, the decisions made and by whom, and the evidence preserved.
- Post-incident review. What changed in the program as a result.
The plan must be tested. A tabletop exercise once a year — even a 60-minute walkthrough with the Qualified Individual, the firm's IT contact, and outside counsel or a cyber insurance breach coach — satisfies the requirement and surfaces gaps before they matter.
Mapping GLBA to your Written Information Security Plan
The WISP is the deliverable that ties all of this together. A WISP that satisfies the Safeguards Rule and IRS Publication 5708 contains, at minimum:
- Scope and applicability statement
- Named Qualified Individual with documented authority
- Written risk assessment, or the analysis underlying it for firms under the 5,000-customer threshold
- Administrative safeguards — policies, training, vendor management
- Technical safeguards — MFA, encryption, logging, patching, access controls
- Physical safeguards — facility access, secure disposal, clean-desk practices
- Written incident response plan
- Annual review attestation, signed and dated
- Evidence appendix — MFA enforcement reports, training completion logs, vendor SOC 2 acknowledgments, backup test logs, incident response tabletop notes
The most common failure mode is a WISP that exists as a static PDF, signed once and filed. The Safeguards Rule explicitly requires you to keep the program current — and a static document by definition cannot. Either your firm has to run a quarterly cadence of manual updates, or the WISP has to be backed by a platform that surfaces drift as it happens. See why a one-time WISP document is no longer enough for the operational version of this argument.
Use the free IRS WISP template if you do not have a starting document, and walk it through the FTC Safeguards Rule checklist to confirm coverage of every required element.
The GLBA compliance checklist
Use this as a triage tool. A "no" to any item means either an unaddressed regulatory obligation or an audit-trail gap that needs closing before your next renewal or PTIN cycle.
- A Qualified Individual is named in writing.
- A written WISP exists, was reviewed within the last 12 months, and is dated.
- A risk assessment has been documented (or, for under-5,000-customer firms, performed and documented in the WISP narrative).
- MFA is enforced on email, tax software, document portal, practice management, payroll, and any admin console.
- Workstations and mobile devices are encrypted at rest; all client data in transit is TLS-protected.
- A current vendor inventory exists, with at least the top five vendors covered by due-diligence documentation and contractual safeguards language.
- Phishing-resistant security awareness training has been completed by every staff member in the last 12 months, with completion logged.
- An incident response plan exists, was tested in the last 12 months, and includes the FTC 30-day notification workflow.
- Backups are tested at a defined cadence and the most recent test is documented.
- An annual review attestation has been signed by the Qualified Individual and, where applicable, reported to the governing body.
Penalties and enforcement
FTC enforcement actions under the Safeguards Rule typically combine four elements:
- Civil penalties — currently up to $51,744 per violation, adjusted annually for inflation.
- Consent decrees lasting up to 20 years, with mandatory third-party security audits at the firm's expense.
- Injunctive relief restricting business practices and requiring specific remediation.
- Public administrative orders that become part of the firm's permanent regulatory record.
State attorneys general can bring parallel actions under state UDAP and breach-notification statutes. Private plaintiffs can sue under state-level analogues like California's CCPA/CPRA, New York's SHIELD Act, and the Illinois BIPA when biometric data is involved. After-the-fact, cyber insurance carriers can deny coverage if the application misrepresented the firm's security posture — and that determination is made by reviewing the WISP and the underlying evidence.
Where to go from here
Three steps move a firm from "we have a binder somewhere" to defensible GLBA compliance:
- Take the free 15-question compliance quiz to identify your specific gaps and get a personalized scorecard.
- Download the FTC Safeguards Rule checklist (also serves as the GLBA Compliance Checklist) and walk through each element with evidence in hand.
- Use the free IRS WISP template as your starting document, then move to a continuously-monitored platform so the WISP stays current as your environment changes.
WISPWolf is purpose-built for this work — a Living WISP for tax preparers, CPA firms, bookkeepers, financial advisors, and insurance agencies that ties live evidence from Microsoft 365 and Google Workspace to each FTC Safeguards Rule element, generates the Pub 5708-aligned plan, and produces the annual review attestation your governing body needs. Start with the free compliance score.
Frequently asked questions
Does the GLBA Safeguards Rule apply to solo tax preparers?
Yes. The FTC has consistently held that any paid tax return preparer is a financial institution under GLBA, regardless of firm size, revenue, or whether the preparer works from a home office. A solo PTIN holder has the same Safeguards Rule obligation as a multi-partner CPA firm.
What is the difference between GLBA and the FTC Safeguards Rule?
GLBA is the underlying federal statute passed in 1999. The FTC Safeguards Rule (16 CFR Part 314) is the regulation the Federal Trade Commission issued to implement GLBA's security requirements for the non-bank financial institutions it oversees. In practice, when tax and accounting firms talk about 'GLBA compliance' they almost always mean compliance with the FTC Safeguards Rule.
What is the 5,000-customer threshold under GLBA?
Firms that maintain information on fewer than 5,000 consumers are exempt from a few documentation requirements — specifically the written risk assessment, the written incident response plan, and the annual report to the governing body. The other Safeguards Rule elements, including MFA, encryption, training, and vendor oversight, still apply in full.
Is a Written Information Security Plan (WISP) required by GLBA?
Yes. Section 314.4(a) of the Safeguards Rule requires every covered financial institution to develop, implement, and maintain a comprehensive, written information security program. That document is commonly called a WISP. IRS Publication 5708 provides a tax-preparer-specific template that satisfies the requirement.
What kind of MFA does the GLBA Safeguards Rule require?
16 CFR 314.4(c)(5) requires multi-factor authentication for any individual accessing any information system that contains customer information. SMS one-time codes are technically allowed but disfavored; the FTC, NIST, and CISA all recommend phishing-resistant factors such as authenticator apps, hardware security keys (FIDO2/WebAuthn), or biometrics tied to a trusted device.
What is the FTC's 30-day breach notification rule?
Effective May 13, 2024, covered financial institutions must notify the FTC within 30 days of discovering a security event involving the unencrypted customer information of 500 or more consumers. Notification is made through the FTC's online portal and must include the institution name, contact, a description of the event, and the number of consumers affected.
Do I need a Qualified Individual if I'm a solo preparer?
Yes. The rule requires designating one person responsible for overseeing and implementing the information security program. For a solo practitioner, that person is you. The designation must be documented in the WISP and the responsibility cannot be delegated to a vendor without retaining accountability.
What penalties can the FTC impose for Safeguards Rule violations?
FTC enforcement actions can include consent decrees lasting up to 20 years with mandatory third-party security audits, injunctive relief, and civil penalties currently set at up to $51,744 per violation. State attorneys general can also bring independent actions, and individual consumers may sue under state-level analogues like California's CCPA.
Does cyber insurance replace GLBA compliance?
No. Cyber insurance can transfer some financial risk after an incident, but it does not satisfy a regulatory obligation. In fact, carriers increasingly require GLBA Safeguards Rule compliance — including a current WISP, enforced MFA, and a documented incident response plan — as a condition of coverage. Misrepresenting controls on an application can void the policy.
How often do I have to update my GLBA-compliant WISP?
At least annually, and any time there is a material change to your operations, technology stack, or risk environment. The Qualified Individual must report at least annually to the governing body (for firms above the 5,000-customer threshold). Most firms tie the annual review to PTIN renewal season so the timing is predictable.
This guide is informational and does not constitute legal advice. Regulatory interpretation evolves; verify current requirements directly with the FTC and IRS, and engage qualified counsel for firm-specific questions.
Sources & References
Primary regulatory and standards sources used throughout WISPWolf's compliance guidance.
- IRS Publication 5708 — Creating a Written Information Security Plan
- IRS Publication 4557 — Safeguarding Taxpayer Data
- FTC Safeguards Rule (16 CFR Part 314)
- Gramm-Leach-Bliley Act (GLBA) Safeguards
- IRS Tax Security — Protect Your Clients, Protect Yourself
- NIST Cybersecurity Framework
- Microsoft Security Documentation
Get the free WISPWolf Compliance Starter Kit
Download the starter kit and identify your compliance gaps. Includes an IRS WISP starter template (not a completed customized WISP), FTC Safeguards Rule checklist, GLBA checklist, risk assessment worksheet, cyber insurance guide, and tax preparer compliance checklist.
Get Your Free WISP Compliance Score
See how your firm's security practices compare to FTC Safeguards Rule and IRS WISP expectations. Answer 15 questions and get a personalized scorecard in minutes.
IRS Pub 5708 Compliant · FTC Safeguards Rule · AES-256 Encrypted · No Credit Card Required