For years, the WISP was a requirement most tax preparers knew existed and treated as a soft obligation — something you'd get around to eventually, right after the next filing season. That posture stopped working in 2023, when the FTC's amended Safeguards Rule became fully effective and added specific technical mandates (universal MFA, encryption at rest and in transit, tested incident response). It stopped working further in August 2024, when IRS Publication 5708 was updated with stricter MFA and NIST-aligned password guidance. And it stopped working entirely in 2026, when PTIN renewal began requiring a formal WISP attestation under penalty of perjury. The IRS Security Summit and the FTC are both actively enforcing. This article tracks what changed, when, what auditors look for now, and what to do before your next renewal.
1. What the 2024 IRS Publication 5708 update actually changed
The August 2024 revision to IRS Publication 5708 was not cosmetic. It tightened three areas that directly invalidate a lot of WISPs written before mid-2024. First, MFA is now required for all users on all systems that touch taxpayer data — including in-office workstations on the local network. The old carve-out that many firms relied on ("we don't need MFA inside the office because we're on a trusted network") is gone. Any preparer accessing tax software, the client portal, cloud storage, or email needs a second factor, every session.
Second, password guidance shifted to align with NIST SP 800-63B. The 90-day forced rotation cadence most firms wrote into their WISPs is now discouraged; the updated guidance points to longer-lived passphrases (effectively a minimum of one year), screening against known-breached password lists, and abandoning arbitrary complexity rules in favor of length. Third, vendor documentation requirements got stricter. Contracts with any service provider that touches taxpayer data must include specific security language and evidence that the vendor's controls are periodically reviewed. WISPs written to the 2018- or 2021-era templates typically fail all three checks — which is why the update matters even to firms who already have a document on file.
2. PTIN renewal and the attestation problem
The 2026 PTIN renewal cycle added an explicit WISP-related certification. Every renewing preparer now attests, on a federal form, that they have implemented a written information security program consistent with the FTC Safeguards Rule and IRS Publication 5708. That attestation is signed under penalty of perjury — meaning a false certification is an independent federal exposure separate from the underlying compliance failure. It also becomes admissible evidence in any later enforcement matter.
Verification is not theoretical. When a renewal is flagged — typically by a Security Summit referral, a state-board complaint, an e-Services security event, or a breach notification tied to the preparer's PTIN — the IRS requests the WISP directly, along with evidence of the annual review, the training log, and the risk assessment. A missing or stale document holds the renewal until the preparer either produces a compliant WISP or withdraws the attestation. Neither option preserves the filing season. Preparers we've worked with in similar situations have lost anywhere from two weeks to two months of e-file capability during resolution — and in a few cases have been referred to the Office of Professional Responsibility for Circular 230 review.
3. What FTC enforcement looks like in practice
FTC Safeguards Rule enforcement typically begins one of four ways: a breach notification (the 30-day rule, effective May 2024, guarantees the FTC sees any 500+ consumer event); a consumer or employee complaint; a referral from another agency or state AG; or a routine sweep of a covered industry segment. Once opened, an investigation asks for the WISP, the risk assessment, evidence of the technical safeguards claimed (MFA rollout, encryption, backup testing, penetration test results or equivalent), incident response documentation, and training records.
Settlements almost always include a monetary penalty (civil fines can reach $51,744 per violation, per day under the adjusted Section 5 ceiling), plus a consent order that runs 10 to 20 years. Under the consent order, the firm pays for a qualified third-party assessor to audit the security program every two years, submits compliance reports to the FTC, and notifies the agency of material incidents. The all-in cost of a single assessment cycle typically exceeds the direct penalty, every two years, for the life of the order. Enforcement is not reserved for large firms — the Safeguards Rule applies to any covered financial institution, and small preparer and CPA firms have been named in recent actions.
4. The five things auditors find most often
Based on IRS Security Summit outreach and published FTC enforcement patterns, the same five gaps show up over and over:
- No written program at all. The single most common finding. A verbal understanding of "we use MFA and back things up" is not a WISP.
- A WISP that hasn't been touched since it was first created. Documents dated 2019 or 2021 — with no annual review log, no signature page, no evidence the firm has revisited it — fail on the annual review requirement alone.
- MFA only on email, not tax software or portals. Post-August 2024, MFA has to be universal. Firms that enabled it on Microsoft 365 but not on their professional tax software or client portal are non-compliant.
- Vendor agreements with no security language. Contracts with tax software vendors, cloud storage providers, and payroll processors that predate the amended Rule usually lack the required security clauses and periodic review provisions.
- An incident response plan nobody knows about. A plan buried in a document that no employee has read, and that has never been walked through in a tabletop, fails both the "implemented" and "tested" prongs.
5. How to know if your firm is audit-ready today
Five yes-or-no questions. If any answer is "no," you have a gap to close before your next PTIN renewal or the next FTC breach notification you'd otherwise have to file.
- Do you have a written WISP, dated within the last 12 months, that reflects the August 2024 IRS Publication 5708 update?
- Is MFA enforced on every system that touches taxpayer data — email, tax software, portals, cloud storage, workstations?
- Do you have a documented risk assessment and a log showing the annual review was actually completed?
- Do your vendor contracts include current FTC Safeguards Rule–aligned security language?
- Has your incident response plan been read and walked through by everyone who would need to act on it?
If you'd rather not audit yourself, the free WISP Audit Checklist covers every element examiners request, and the 2-minute WISPWolf Compliance Score maps your current state against the FTC and IRS requirements automatically. WISPWolf is built as a continuous readiness platform — not a one-time document generator — so once the gaps are closed, the WISP stays current as your environment changes.
Enforcement timeline: 2021–2026
Key IRS and FTC WISP milestones over the last five years.
- 2003
FTC Safeguards Rule enacted under GLBA
The original Rule required covered financial institutions — including tax preparers — to develop and maintain a written information security program. Enforcement was minimal for years.
- 2021
FTC substantially amends the Safeguards Rule
The amended Rule adds specific technical requirements (access controls, encryption, MFA, tested incident response) and replaces the earlier flexible standard with prescriptive elements.
- June 9, 2023
Amended Safeguards Rule fully effective
MFA, encryption at rest and in transit, penetration testing or equivalent, and a qualified individual overseeing the program become mandatory for firms in scope.
- October 2023
FTC adds breach notification requirement
Amendment requires covered financial institutions to notify the FTC within 30 days of a security event affecting 500+ consumers.
- May 13, 2024
Breach notification requirement effective
The 30-day FTC notification obligation begins applying to qualifying events, adding a new reporting exposure on top of state-law notifications.
- August 2024
IRS Publication 5708 updated
Universal MFA (no in-office exception) and NIST SP 800-63B–aligned password standards replace prior guidance. Vendor security documentation expectations tighten.
- 2026
PTIN renewal WISP attestation active
Preparers now certify a current WISP as part of PTIN renewal, under penalty of perjury. IRS Security Summit outreach and FTC enforcement continue to intensify.
Frequently asked questions
Related reading
Get audit-ready before your PTIN renewal
Take the free 2-minute WISPWolf Compliance Score. You'll see exactly where your firm stands against the FTC Safeguards Rule and IRS Publication 5708 — with a prioritized gap list you can act on today.