January 16, 2024

What’s a WISP? Getting Started on a Written Information Security Plan

Accounting firms handle vast amounts of sensitive client data, and protecting this information is paramount. Many accountants and PTIN holders, however, remain unaware of the legal obligations surrounding client data security. In this article, we shed light on the essential concept of a Written Information Security Plan (WISP) and the fundamental steps accounting firms must take to ensure compliance.

What is a WISP?

A WISP is a comprehensive and tailored information security plan that outlines the specific measures and protocols an organization, including CPA agencies, has implemented to protect sensitive information. It includes risk assessments, employee training, physical and electronic security measures, and incident response plans. 

A number of accountants and tax preparers remain uninformed about the statutory requirements that could require their agency to establish and implement a Written Information Security Plan.

Background of Legal Requirements

The Gramm-Leach-Bliley Act (GLBA), the FTC Safeguards Rule, and IRS Publication 4557 collectively create some of the main measures ensuring the security and protection of client data for financial firms.  

The GLBA matters to tax professionals and CPAs because it calls on them to safeguard nonpublic personal information related to financial activities. In conjunction with the FTC Safeguards Rule, a WISP is required for all PTIN holders or tax preparers, regardless of how many clients they may have. Firms must attest to it during their PTIN renewal.

Understanding the implications of GLBA and the Safeguards Rule is essential. State boards of accountancy, overseeing the licensure process, emphasize compliance with data security regulations, reinforcing the need for a comprehensive WISP.

IRS Publication 4557 provides guidelines and recommendations to enhance the security of sensitive client data. This resource is a valuable tool for accounting professionals, offering insights into developing and implementing effective security measures, including creating a WISP.

Despite their importance, many accountants seem unaware of the legal obligations stipulated by the Safeguards Rule and its counterparts. This lack of awareness poses a potential risk, as it may lead to inadequate data security practices and inadvertent non-compliance.

These knowledge gaps pose significant risks to firms, ranging from damage to reputation to costly breaches and potential FTC penalties. Given the increasing frequency and sophistication of cyber threats, having robust security measures in place is not just a legal requirement but a best practice in the long run. 

What Firms Must Include in a WISP

So, you've established that you need a WISP. How do you go about creating one in the first place? Unbeknownst to many, the IRS has already outlined the steps to create a WISP. Their official requirements state that firms must:

  • Designate one or more employees to coordinate its information security program.
  • Identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks.
  • Design and implement a safeguards program, and regularly monitor and test it.
  • Select service providers that can maintain appropriate safeguards by ensuring your contract requires them to maintain safeguards and oversee their handling of customer information.
  • Evaluate and adjust the program considering relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

Begin your WISP by offering a comprehensive overview of your firm's information security systems and hardware. At least one employee must be designated to coordinate and report on information security. This section should also encompass details about background checks conducted on personnel working with key software and hardware and how you ensure the integrity of data security efforts to this end.

Proceed with a risk assessment for each relevant component of your agency's operations, evaluating how effective current safeguards around customer information are. Then, create a data handling inventory to pinpoint potential shortcomings within those safeguards. This step is pivotal in comprehending the landscape of data vulnerabilities within your firm, paving the way for targeted risk mitigation strategies.

Following the assessment and documentation phase, shift focus to the design of a program dedicated to protecting data. This entails drafting a well-defined employee/contractor code of conduct and an implementation clause. These components are pivotal in ensuring that your WISP clarifies each employee's role in maintaining the security of customer information.

Once the data safeguards program has been designed, the implementation phase begins. This includes ensuring staff are aware of security policies. The WISP's more practical provisions are important, too, such as strong password practices and limiting privileged access to only those who need it.

Make regular monitoring and testing of WISP-defined protocols part of this by incorporating an annual review of the WISP to keep it up-to-date. All data security measures should evolve in tandem with emerging threats, operational changes, and industry best practices.

Finally, make sure service providers are compliant with your established safeguards. Contracts with third parties and clients need to specify how they are required to handle customer data safely and without compromising the internal safeguards established by the WISP.

Additional Measures for FTC Safeguards Rule Compliance

Firms that fall under the FTC Safeguards Rule must embrace additional measures to support their WISP creation.

First, thoroughly vetting third-party vendors is paramount for accounting firms to meet the Safeguards Rule's security requirements. This involves assessing vendors' security protocols and their responsible personnel. Compliance under the FTC Safeguards Rule also demands a nuanced understanding of the broader definitions of customer data. Accounting firms must consider the full range of what could constitute sensitive information within their organization to prevent oversights in their WISP.

Outsourcing to Managed Service Providers (MSPs) like Cetrom often proves strategically beneficial for accounting firms. Leveraging the expertise of MSPs provides valuable assistance in navigating the intricacies of WISP implementation.

Client Engagement and Cybersecurity

Informing clients about secure communication protocols is integral to maintaining data security. Accounting firms should proactively communicate the mechanisms to ensure secure data transmission, fostering trust and transparency. However, client cooperation is a two-way street in data security. Firms should actively engage with clients, encouraging cooperation in adhering to secure practices. This collaborative effort enhances overall data security hygiene.

Beyond just clients, firms that develop and implement a WISP may find that it eases the documentation process for cyber insurance providers. Reviewing your firm's size, clients, and cybersecurity measures is similar to what you'll need to document when seeking a cyber insurance policy, so it certainly helps to have this information already on hand.

Conclusion

Creating a WISP to outline your firm's data security measures takes time, but it is worth knowing what is necessary if you require one. The awareness deficit among tax preparers underscores the need for further education and for promoting adherence to these legal mandates.

A Written Information Security Plan is not just a legal requirement but a cornerstone of client data protection. For those navigating the complexities, Managed Service Providers like Cetrom offer services and expert guidance to ensure continual compliance with robust cybersecurity practices.

Contact Cetrom today to see how we can take your firm's IT and cybersecurity to the next level.
