Skip to main content
All resources
Compliance

WISP Requirements 2026 for Tax Preparers

The 2026 WISP requirements for tax preparers — what changed, what the IRS and FTC now expect, the compliance checklist, and the mistakes that fail an audit.

May 31, 202620 min read
Written by Alfonso LovoLinkedInReviewed by WISPWolf Compliance TeamLast Updated: May 31, 2026 · Verified July 18, 2026
Short answer

In 2026, every paid tax preparer and most financial institutions are required to maintain a current Written Information Security Plan aligned with IRS Publication 5708 and the FTC Safeguards Rule. The plan must name a qualified individual, document risk assessment and safeguards, include an incident response procedure, and be reviewed annually.

In a hurry? Get your free Compliance Score, then come back to this guide.

Take the Free Quiz View Sample WISP

Three forces have converged in 2026 to change what a credible Written Information Security Plan has to look like for tax preparers: the IRS now verifies the PTIN renewal WISP attestation, the FTC Safeguards Rule's 2023 technical amendments are fully enforceable, and cyber insurance carriers require concrete evidence of controls — not just policy documents. This guide is the long-form reference on the WISP requirements for 2026: what changed, what the IRS and FTC now expect, the explicit compliance checklist, and the mistakes that quietly fail audits, PTIN renewals, and insurance reviews.

Table of contents

What changed in 2026

The baseline obligation — every PTIN holder must maintain a written information security program — has not changed. The standard against which that program is measured has. Four specific shifts define the 2026 landscape:

1. The IRS verifies the PTIN attestation

The PTIN renewal form has required preparers to attest to a data security plan since the 2024 renewal cycle. Through 2025 the attestation functioned as a self-certification — checked and forgotten. In 2026 the IRS Stakeholder Liaison program is sampling attestations and requesting documentation as part of routine outreach and as a follow-up to client-data incidents. Treating the attestation as a checkbox is no longer safe; a false attestation can also create exposure under 18 U.S.C. § 1001.

2. The 2023 FTC amendments have no remaining grace period

The FTC's 2021 Safeguards Rule amendments — pushed to a June 2023 enforcement date — added explicit technical requirements that did not exist in the original rule. By 2026 those are baseline. MFA on every system that touches customer information, encryption at rest and in transit, continuous monitoring or annual penetration testing plus biannual vulnerability assessments, secure change management, and a written and tested incident response plan are no longer "next year" items.

3. The 30-day FTC breach notification rule is in force

Effective May 13, 2024, any covered financial institution must notify the FTC within 30 days of discovering a security event affecting the unencrypted information of 500 or more consumers. The first FTC notifications under the rule were filed in 2024 and the cadence is increasing. The notification workflow has to live inside your incident response plan — adding it after a breach is too late.

4. Cyber insurance carriers underwrite on evidence

Travelers, Chubb, Coalition, At-Bay, Beazley, and CNA all updated 2025 and 2026 applications to ask for the actual WISP document, the date of the most recent annual review, screenshots of MFA enforcement, and the name of the Qualified Individual. Firms that submit a template with placeholder text are seeing premium increases of 20–40% or outright non-renewal. After an incident, carriers deny claims where the application materially misrepresented the firm's posture — and the WISP is the document used to make that determination.

Current IRS expectations

The IRS expresses its expectations through three published documents and one operational program:

  • IRS Publication 5708 — Creating a Written Information Security Plan for Your Tax & Accounting Practice. The structural template the IRS asks preparers to follow.
  • IRS Publication 4557 — Safeguarding Taxpayer Data. Older companion guidance, still cited, useful as plain-language reference.
  • The PTIN renewal form — the attestation that you have a written data security plan in place.
  • The Stakeholder Liaison program — the channel through which the IRS engages preparers on data security matters, including post-incident outreach.

Operationally, the IRS expects every PTIN holder to be able to produce, on request, a WISP that:

  1. Names a Data Security Coordinator (the IRS terminology for the Safeguards Rule's "Qualified Individual").
  2. Documents the firm's data inventory, including where client data lives and who can access it.
  3. Describes administrative, technical, and physical safeguards in place.
  4. Contains a written incident response plan that includes notifying the IRS through the Stakeholder Liaison.
  5. Was reviewed and updated within the last 12 months, with a signed and dated attestation.

For the IRS-specific drafting steps and Pub 5708 section-by-section walkthrough, use the tax preparer security plan guide alongside this requirements brief.

FTC Safeguards Rule requirements

The FTC Safeguards Rule (16 CFR Part 314) is the binding federal regulation under the Gramm-Leach-Bliley Act. The substantive requirements live at § 314.4 and organize into nine elements:

  1. Designate a Qualified Individual responsible for the information security program.
  2. Conduct a written risk assessment (with documentation relief for firms under 5,000 customers).
  3. Design and implement safeguards to control identified risks — including access controls, inventory, encryption, secure development, MFA, secure disposal, change management, and monitoring/logging.
  4. Regularly test or monitor the safeguards — continuous monitoring, or annual penetration testing plus biannual vulnerability assessments.
  5. Train personnel and use qualified information security staff.
  6. Oversee service providers through due diligence, contracts, and reassessment.
  7. Evaluate and adjust the program based on testing results and material changes.
  8. Maintain a written incident response plan.
  9. Require the Qualified Individual to report at least annually to the governing body.

Firms with fewer than 5,000 consumer records are exempt from a few documentation requirements (written risk assessment, written incident response plan, annual report to the board). The substantive duties — MFA, encryption, training, vendor oversight — still apply in full. Walk each element with the FTC Safeguards Rule checklist to confirm coverage. For the full statutory framing, see the GLBA Safeguards Rule pillar.

Free Compliance Starter Kit

Free WISPWolf Compliance Starter Kit

Everything a solo preparer or small firm needs to identify their compliance gaps this season — the IRS WISP starter template (not a completed customized WISP), the 2026 FTC Safeguards Rule checklist, the GLBA checklist, a risk-assessment worksheet, the cyber-insurance questionnaire guide, and the tax preparer compliance checklist.

Risk assessment requirements

Section 314.4(b) requires a written risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information. In 2026 the FTC and most cyber insurance carriers expect six elements in a defensible risk assessment:

  1. Data inventory. Every system that touches client data — tax software, document portals, email, cloud storage, payroll, payment processing, backup, accounting software, e-signature, AI tools. Note classification, volume, and retention.
  2. Threat catalog. Realistic threats — phishing of staff credentials, business email compromise, ransomware, lost or stolen devices, malicious insiders, vendor compromise, accidental disclosure.
  3. Vulnerability analysis. Where current controls are weakest — MFA not enforced on tax software, encryption not enabled on workstations, no backup test in the last 12 months, shared logins.
  4. Risk scoring. Likelihood × impact, expressed as a simple high/medium/low matrix unless the firm operates in a regulated specialty that requires more.
  5. Treatment plan. For each material risk, the control you will implement (or the compensating control you will accept), the owner, and the target date.
  6. Review cadence. Annual is the regulatory minimum; quarterly review of the treatment plan is recommended.

Time-box the first iteration. A solo preparer can produce a credible risk assessment in three to four hours using the WISPWolf template plus the Pub 5708 worksheets; a multi-partner CPA firm should expect one to two business days for the first pass and a half-day annually thereafter.

Employee training requirements

Section 314.4(e) requires security awareness training that is current, relevant, and documented. Generic 30-minute compliance videos from 2019 do not satisfy the rule when the dominant threats in 2026 are phishing, vendor compromise, and AI-generated social engineering. In 2026, defensible training programs share five characteristics:

  • Annual baseline training for every staff member, including seasonal preparers, contractors, and front-desk staff.
  • Role-based modules for preparers (data handling, IRS notification workflow), administrative staff (phishing recognition, wire-fraud red flags), and partners (incident response decision-making, regulatory notification timelines).
  • Phishing simulations at least quarterly, with remedial training for repeat clickers.
  • Onboarding training completed before any new hire is given client-data access.
  • Documented completion logs — name, module, date, score. The log is the evidence the FTC or an insurance carrier will request.

MFA requirements

Section 314.4(c)(5) is unambiguous: multi-factor authentication for any individual accessing any information system containing customer information. The Qualified Individual may approve "reasonably equivalent or more secure" controls in writing — but in practice the FTC, the IRS, and cyber insurance carriers all expect actual MFA. In a 2026 tax-and-accounting environment, MFA must be enforced on:

  • Email — Microsoft 365, Google Workspace, or any other provider.
  • Tax preparation software — UltraTax, Drake, Lacerte, ProSeries, ATX, TaxAct, TaxSlayer Pro, and the cloud equivalents.
  • Document portals — SmartVault, Liscio, ShareFile, OneDrive, SharePoint, Google Drive, Dropbox Business.
  • Practice management — Canopy, Karbon, TaxDome, OfficeTools, Jetpack Workflow.
  • Cloud accounting — QuickBooks Online, Xero, Sage Intacct, NetSuite.
  • Payroll — Gusto, ADP, Paychex, OnPay, Patriot.
  • Remote access — RDP, VPN, jump servers, and hosted Windows environments (Rightworks, Cetrom, Verito).
  • Admin consoles — anywhere one person can change access for many.

Phishing-resistant factors (FIDO2 security keys, platform authenticators tied to a trusted device) are the 2026 baseline expectation. SMS-only MFA is the first thing carriers flag as a weak control.

Vendor oversight

Vendor compromise — not direct attacks on the firm — is the most common breach vector for tax and accounting practices today. Section 314.4(f) puts that risk back on the firm. A defensible vendor management program in 2026 contains:

  • A current vendor inventory, classified by risk, identifying every vendor that touches customer information.
  • Due-diligence documentation collected before contracting — SOC 2 Type II reports, security questionnaires, evidence of insurance, breach history.
  • Written contracts that obligate the vendor to maintain controls equivalent to your own, notify you of incidents within a defined window, and submit to reasonable audit.
  • Annual reassessment — updated SOC 2, refreshed questionnaire, contract review.
  • An offboarding procedure that confirms data return or certified destruction when a vendor relationship ends.

Tax software vendors, document portals, cloud accounting platforms, payroll providers, e-signature platforms, IT MSPs, and AI tools that process client data all belong in scope. Be especially deliberate with AI tools — a generative-AI vendor that retains prompts for model training has not satisfied the Safeguards Rule's confidentiality requirement even if its marketing claims SOC 2.

Cyber insurance expectations

Cyber insurance is no longer a financial-risk-transfer tool that lives parallel to the WISP. In 2026 it is functionally an additional regulator. Carriers underwrite on the same evidence the FTC would request:

  • The current WISP document, with date of last review.
  • Named Qualified Individual or Data Security Coordinator.
  • Evidence of enforced MFA across email, tax software, and remote access.
  • Endpoint detection and response (EDR) or managed detection and response (MDR) deployed firmwide.
  • Written and tested incident response plan, with tabletop dated within the last 12 months.
  • Backup strategy with immutability or air-gapping and a recent restore test.
  • Security awareness training completion logs for the last 12 months.
  • Vendor due-diligence files for top-tier vendors.

Misrepresenting any of these on the application is the most common reason a claim is denied after an incident. The cyber insurance questionnaire walkthrough covers the specific carrier questions firms see in 2026.

2026 WISP compliance checklist

Use this as a triage tool. A "no" to any item is either an unaddressed regulatory obligation or an audit-trail gap that needs closing before your next PTIN renewal or insurance review.

  1. Qualified Individual (Data Security Coordinator) named in writing.
  2. Written WISP exists, reviewed within the last 12 months, signed and dated.
  3. Risk assessment documented (or, for under-5,000-customer firms, performed and reflected in the WISP narrative).
  4. MFA enforced on email, tax software, document portal, practice management, payroll, and any admin console.
  5. Workstations and mobile devices encrypted at rest; all client data in transit TLS-protected.
  6. Vendor inventory current; top-five vendors covered by due-diligence documentation and contractual safeguards language.
  7. Phishing-resistant security awareness training completed by every staff member in the last 12 months, with completion logged.
  8. Incident response plan exists, was tested in the last 12 months, and includes the FTC 30-day notification workflow.
  9. Backups tested at a defined cadence; the most recent test is documented.
  10. Annual review attestation signed by the Qualified Individual and, where applicable, reported to the governing body.
  11. PTIN attestation aligned to actual WISP status — never check the box unless the documentation supports it.
  12. Three-year archive of training logs, attestations, and incident documentation.

Use the free IRS WISP template as the structural starting point for the document.

Common mistakes

The pattern of failure in 2026 is consistent. Six mistakes account for the majority of audit findings, denied claims, and IRS Stakeholder Liaison escalations.

  1. Treating the WISP as a one-time document. A static PDF cannot satisfy the Safeguards Rule's requirement that the program be kept current. Either the firm runs a quarterly maintenance cadence or the WISP is backed by a platform that surfaces drift as it happens.
  2. Checking the PTIN attestation without supporting evidence. The IRS is now sampling. A false attestation has consequences beyond the Safeguards Rule.
  3. Naming a Qualified Individual on paper without giving them authority or time. The role must be substantive. Carriers and auditors interview the named person.
  4. MFA enabled but not enforced. "Available" or "encouraged" MFA does not satisfy § 314.4(c)(5). The setting must require MFA for every user, with no opt-out.
  5. No vendor inventory. Firms rely on dozens of third-party services and cannot list them. The first thing an FTC inquiry or insurance audit asks for is the vendor list.
  6. Incident response plan that has never been tested. A document that has never been walked through fails on contact with a real incident — and carriers know it.

Where to go from here

Three steps move a firm from "we have a binder somewhere" to defensible 2026 WISP compliance:

  1. Take the free 15-question compliance quiz to identify your specific gaps and get a personalized scorecard.
  2. Download the 2026 Tax Preparer Compliance Starter Kit and walk each item with evidence in hand.
  3. Move from a static WISP to a continuously-monitored program so the document stays current as your environment changes.

WISPWolf is purpose-built for this work — a Living WISP for tax preparers and small firms that ties live evidence from Microsoft 365 and Google Workspace to each FTC Safeguards Rule element, generates the Pub 5708-aligned plan, and produces the annual review attestation the IRS and your carrier both want to see. Start with the free compliance score.

Frequently asked questions

What are the WISP requirements for tax preparers in 2026?

Every paid tax preparer with a PTIN must maintain a Written Information Security Plan that satisfies IRS Publication 5708 and the FTC Safeguards Rule (16 CFR Part 314). In 2026 that means a designated Qualified Individual, a written risk assessment, enforced multi-factor authentication on every system that touches customer information, encryption at rest and in transit, documented vendor oversight, security awareness training, a tested incident response plan, and an annual review attestation.

What changed for WISPs in 2026?

Three shifts define 2026. The IRS now samples and verifies the PTIN renewal WISP attestation rather than treating it as a checkbox. The FTC Safeguards Rule 2023 technical amendments are fully enforceable with no remaining grace period. And cyber insurance carriers now require the actual WISP document, evidence of MFA enforcement, and the named Qualified Individual on the application — refusing to renew firms that cannot produce them.

Does the IRS require a WISP for solo tax preparers?

Yes. The WISP requirement applies to every PTIN holder regardless of firm size, revenue, or whether you operate from a home office. The PTIN renewal form has carried the data security plan attestation since 2024 and there is no small-preparer exemption.

What is the FTC's 30-day breach notification rule?

Effective May 13, 2024, any covered financial institution — including tax preparers and accounting firms — must notify the FTC within 30 days of discovering a security event affecting the unencrypted information of 500 or more consumers. The notification is filed through the FTC's online portal and must identify the firm, describe the event, and report the number of consumers affected.

Is SMS multi-factor authentication enough for the 2026 WISP?

It is technically allowed but increasingly disfavored. The FTC, NIST SP 800-63B, and CISA all recommend phishing-resistant factors — authenticator apps, FIDO2 security keys, or platform authenticators on a trusted device. Cyber insurance carriers in 2026 routinely flag SMS-only MFA as a weak control and price it accordingly.

How long should we keep WISP records and evidence?

The Safeguards Rule does not prescribe a single retention period for WISP evidence, but the practical standard is at least three years for training logs, vendor due-diligence files, incident response documentation, and annual review attestations. Many cyber insurance applications now ask for the prior three years of attestations.

How often does the WISP have to be reviewed?

At least annually, and any time there is a material change to operations, technology, or risk. The Qualified Individual must produce a written annual report for the firm's governing body (boards, partners, or owner). Most firms tie the review to PTIN renewal season so the cadence is predictable.

What's the difference between IRS Publication 5708 and the FTC Safeguards Rule?

The FTC Safeguards Rule is the binding federal regulation that requires the WISP. IRS Publication 5708 is the IRS's tax-preparer-specific implementation template that mirrors the Safeguards Rule structure and adds IRS-specific items like the PTIN attestation. A WISP that follows Pub 5708 will generally also satisfy the Safeguards Rule.

What happens if the IRS asks for our WISP and we don't have one?

A missing WISP can be treated as a false statement on the PTIN renewal attestation, exposes the firm to FTC enforcement under the Safeguards Rule with penalties currently up to $51,744 per violation, and is grounds for cyber insurance non-renewal or claim denial. The IRS Stakeholder Liaison program is the most common point of contact in 2026.

Can a generic downloaded WISP template satisfy 2026 requirements?

A template is a starting point, not a compliant program. The Safeguards Rule explicitly requires you to keep the program current as your environment changes and to monitor or test safeguards on a continuing basis — neither of which a static PDF can do. Use a template to draft the document, then back it with a process or platform that maintains it.

This guide is informational and does not constitute legal advice. Regulatory interpretation evolves; verify current requirements directly with the FTC and IRS, and engage qualified counsel for firm-specific questions.

References

Sources & References

Primary regulatory and standards sources used throughout WISPWolf's compliance guidance.

  1. IRS Publication 5708 — Creating a Written Information Security Plan
  2. IRS Publication 4557 — Safeguarding Taxpayer Data
  3. FTC Safeguards Rule (16 CFR Part 314)
  4. Gramm-Leach-Bliley Act (GLBA) Safeguards
  5. IRS Tax Security — Protect Your Clients, Protect Yourself
  6. NIST Cybersecurity Framework
  7. Microsoft Security Documentation
Free Compliance Starter Kit

Get the free WISPWolf Compliance Starter Kit

Download the starter kit and identify your compliance gaps. Includes an IRS WISP starter template (not a completed customized WISP), FTC Safeguards Rule checklist, GLBA checklist, risk assessment worksheet, cyber insurance guide, and tax preparer compliance checklist.

Free WISP Compliance Score

Get Your Free WISP Compliance Score

See how your firm's security practices compare to FTC Safeguards Rule and IRS WISP expectations. Answer 15 questions and get a personalized scorecard in minutes.

IRS Pub 5708 Compliant · FTC Safeguards Rule · AES-256 Encrypted · No Credit Card Required