Skip to main content
All articles
Compliance

What Happens If You Don't Have a WISP? The Real Consequences for Tax Preparers in 2026

A plain-English breakdown of the fines, license risks, insurance denials, and reputational fallout tax preparers face when they operate without a written information security plan.

July 6, 20269 min readBy the WISPWolf Compliance Team

In February 2026, a solo EA in the upper Midwest — a firm we've since consulted with — logged in to renew her PTIN and hit a compliance attestation she didn't remember from prior years. She'd been preparing returns for eleven years, ran a home office, had roughly 180 clients, and had always assumed the "written information security plan" language referred to bigger firms. It didn't. Her renewal was flagged pending confirmation of a current WISP, and until it cleared she couldn't e-file a single return. She lost three weeks of the busiest month of her year.

That story is increasingly common in 2026. The IRS Security Summit has moved WISP compliance from a soft recommendation to an active enforcement priority, and the FTC's amended Safeguards Rule has teeth it didn't have five years ago. This article walks through what actually happens when a tax preparer operates without a WISP: who's covered, what the fines look like, how PTIN and EFIN consequences work, why cyber insurance claims get denied, what a consent decree costs, and the reputational damage that outlasts every other line item.

1. First: who actually has to have a WISP?

Every paid tax return preparer. That's the short answer, and it's worth being blunt because the misconception in this industry is almost universal. Under the Gramm-Leach-Bliley Act (GLBA) and the FTC's implementing Safeguards Rule (16 CFR Part 314), any business that is "significantly engaged in providing financial products or services" is a "financial institution" for federal privacy and security purposes. The FTC has stated explicitly — and reinforced in the 2023 amended Rule — that tax preparation services fall inside that definition.

That covers solo preparers, EAs, CPAs, bookkeepers who touch tax data, part-time seasonal preparers, and firms with a single PTIN holder. It doesn't matter whether you have 30 clients or 3,000. The 5,000-consumer threshold that circulates in Facebook groups and preparer forums applies only to a narrow subset of the Rule's requirements (the written risk assessment and a few program-level obligations) — not to whether you need a WISP at all. IRS Publication 4557, Safeguarding Taxpayer Data, restates this obligation in plain language and points readers to Publication 5708 for the WISP itself. If you hold a PTIN and get paid to prepare returns, you're in scope. Full stop.

2. FTC fines: $51,744 per day per violation

Under Section 5 of the FTC Act, civil penalties are adjusted annually for inflation. As of the most recent adjustment, the maximum is $51,744 per violation, per day. Each day a firm operates without required safeguards can, in principle, be counted as a separate violation, and the FTC has cited daily accrual in past complaints. In practice the agency negotiates settlements rather than stacking the daily max — but even a modest negotiation against a small firm typically produces a six-figure penalty once corrective terms are added.

What preparers often miss: individual officers can also be named. The FTC has historically sought penalties of up to $10,000 per violation against individual principals whose conduct contributed to the failure. For a solo EA or a two-partner CPA firm, that means personal liability, not just business liability. The FTC's 2024 and 2025 enforcement calendar shows a clear posture: the agency is prioritizing financial-services firms that never built a program, and it is treating the absence of a WISP as an independent violation regardless of whether a breach occurred. You do not need to be breached to be fined.

3. PTIN suspension and EFIN revocation

The IRS added an explicit WISP-related attestation to PTIN renewal for the 2026 season. When you renew, you certify — under penalty of perjury on a federal form — that you have a written information security program consistent with the FTC Safeguards Rule and IRS Publication 5708. That certification is not a formality. A false attestation is a criminal exposure separate from the underlying compliance failure, and it converts what would have been a civil regulatory matter into something the Office of Professional Responsibility (OPR) can act on.

In practice, PTIN suspension is what firms feel first. Without an active PTIN, you cannot legally accept compensation for preparing a federal return. Without an active EFIN — which the IRS can and does revoke as a downstream consequence of PTIN or OPR action — you cannot e-file. For a preparer who runs an e-file practice, revocation mid-season is a hard stop: paper returns only, delayed refunds, angry clients, and a rebuild that stretches across multiple filing seasons. The administrative appeal exists, but it typically resolves after the season that mattered has ended.

4. Denied cyber insurance claims

Cyber insurance underwriting has tightened dramatically. Most carriers now require a documented WISP as a condition of binding coverage — either on the initial application or at renewal — and the specific safeguards a firm attests to (MFA enforcement, encryption at rest, tested backups, documented incident response) are treated as warranties. Those warranties are what get audited when a claim is filed.

The more damaging pattern is the one that plays out after a breach. A firm has a policy, gets hit, files a claim, and the carrier's forensic team walks through the environment. If the controls the firm claimed on the application weren't actually in place — or if there's no WISP evidencing the program — the claim is denied and the policy is often rescinded to inception. That leaves the firm paying the breach response, notification costs, credit monitoring, defense counsel, and any regulatory penalties entirely out of pocket. Industry data from broker surveys in 2024–2025 puts cyber claim denial rates in the professional-services segment in the range of 15–20%, with missing or misrepresented WISP controls cited as one of the top denial reasons. Our cyber insurance questionnaire walkthrough shows the exact questions carriers now ask.

5. Consent orders and long-term monitoring

FTC enforcement of the Safeguards Rule rarely ends with a fine. The far more expensive outcome is the consent order that follows. Historical FTC settlements against financial-services firms — including tax and accounting practices — routinely include consent decrees lasting 10 to 20 years, during which the firm must undergo biennial third-party security assessments, submit compliance reports to the FTC, retain assessment documentation for years, and notify the agency of material security incidents. Every one of those obligations is paid for by the firm.

The all-in cost of operating under a consent decree — assessor fees, remediation of assessor findings, legal review, executive time — routinely runs several times the original penalty, every two years, for the life of the decree. Firms that come out of enforcement often describe the monitoring period as the real punishment. And the numbers only get worse when you compare them against proactive compliance: a properly-implemented WISP program, even at the higher end of the market, costs a small fraction of a single assessment cycle under a consent order. The economics of waiting are terrible, and they get worse the longer the gap runs.

6. The reputational cost — the one that's hardest to quantify

Every FTC enforcement action becomes part of the public record. Consent orders are posted on the FTC's site, indexed by Google, and picked up by trade publications. State attorney general actions generate press releases. Breach notification letters — required in every state — go directly to your clients, in the mail, with your firm's name at the top. There is no way to make that quiet.

Tax and accounting practices are almost entirely referral businesses, and trust is the asset that generates the referral. Post-incident client attrition in the professional-services segment consistently runs 20–40% in the first year, and referral partners — attorneys, financial advisors, other CPAs — have their own vendor due diligence obligations that quietly stop the pipeline once a firm shows up as a compliance risk. Compounding this: IBM's Cost of a Data Breach Report 2024found that the average time to identify and contain a breach was 194 days to detect and 64 days to contain — meaning a firm can be actively exposed for more than half a year before it knows. Verizon's 2024 DBIR continues to rank professional services among the most-targeted small-business verticals. The reputational damage is the piece firms undervalue until they're rebuilding from it, which is exactly when it's most expensive.

Closing the gap

Most firms operating without a WISP aren't reckless — they're busy. The requirement is buried in federal regulations most preparers never had reason to read, the guidance is scattered across the FTC, IRS, and state agencies, and the loudest voices in preparer forums have been wrong for years. If you've been meaning to get to it, you're in the majority. The good news is that a defensible, current WISP can be in place in an afternoon — not a quarter — and once it exists, keeping it current is a maintenance workflow, not a rebuild. Start with the free Compliance Score to see exactly what's missing, and read how much a WISP actually costs before you assume it's out of reach.

Related reading

See where your firm actually stands

Take the free 2-minute WISPWolf Compliance Score. You'll get a prioritized gap list mapped to the FTC Safeguards Rule and IRS Publication 5708 — no credit card, no sales call.