In this article

Most CPAs and tax preparers I talk to in southwest Riverside County now have a WISP — a Written Information Security Plan. They downloaded the IRS template, filled in the blanks, and checked the box at PTIN renewal. That’s a real step, and good for them.

But here’s the gap I keep finding: the document says the firm uses multi-factor authentication, encrypts client data, and keeps tested backups — and on the ground, none of that is actually turned on. A WISP is a promise about your IT. If the IT behind it doesn’t match the paper, the plan doesn’t protect you, and it doesn’t protect your clients.

I’m a local IT specialist in Menifee, and this is the part I handle: making the technology under your WISP real. Here’s what that looks like for a CPA, tax, accounting, or insurance firm.

Your WISP is a promise — the IT has to back it up

The IRS now ties WISP attestation to PTIN renewal, and the attestation isn't a formality: the PTIN application is signed under penalties of perjury, so a false statement on it is a federal offense. When your WISP says you've implemented certain safeguards, that statement needs to be true.

The same goes for insurance agencies. Insurance is regulated at the state level, and California hasn't adopted a separate insurance data-security law, so in practice the FTC Safeguards Rule is the framework agencies are measured against, and it asks for the same controls. Whether you're running UltraTax, Lacerte, or Drake on the tax side, or Applied Epic, AMS360, or HawkSoft on the insurance side, the question is the same: does your actual setup match what you've signed your name to?

MFA: the one that’s already required

Multi-factor authentication is no longer optional for either group. The IRS requires MFA for everyone accessing systems with taxpayer data, inside the office or out. The FTC Safeguards Rule requires it for anyone reaching customer financial information. And it’s the control that does the most good for the least money — most stolen-password break-ins simply stop at the second check.

I turn MFA on properly across the places it matters: your Microsoft 365 email, your remote access, and your line-of-business software. Done right, it’s a quick tap on your phone, not a daily headache. Done wrong — or skipped — it’s the single most common reason a firm’s WISP is fiction.

Encryption, access control, and tested backups

Three more controls carry most of the weight, and they’re the same whether you prepare returns or write policies:

  • Encryption, full-disk on every laptop, phone and removable drive (BitLocker or FileVault, with the recovery keys kept somewhere other than the device itself), so a lost laptop full of client SSNs is a dead end rather than a breach you have to report. That reporting exemption only holds if the data was actually encrypted and the key didn't walk out the door with it.
  • Access control so each staff member has their own login reaching only what their job needs, and access is cut the day someone leaves.
  • Tested backups, encrypted and kept off-site, so a ransomware hit in the middle of filing season doesn’t put you out of business. Tested matters — I restore from your backups on a schedule so we both know they work before you need them.
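
A restore test is the part of that last bullet that most firms skip, so here is what one looks like in code. This is an added example, not the page's own tooling or any backup vendor's: it backs up a folder to a .tar.gz, writes a SHA-256 manifest beside it, restores the archive into a scratch directory, and compares every restored file to the manifest, so "do the backups work?" gets a recorded yes or no. It then simulates an interrupted backup job (a truncated archive) to show the test catching a bad backup. The client folder and file contents are constructed for the demo.

```python
"""Scheduled backup restore test: back up, restore to scratch, verify every file.

Added example; not the page's or any vendor's code. The sample files in demo()
are constructed and contain no real client data.
"""
import hashlib
import json
import tarfile
import tempfile
import zlib
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir: Path, archive: Path) -> dict:
    """Archive source_dir and return {relative path: sha256}; the manifest is
    also written next to the archive so a later restore test can use it."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(
        json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore the archive into a scratch directory and diff it against the
    manifest. ok is True only if every file came back byte-for-byte."""
    result = {"ok": False, "missing": [], "corrupt": [], "extra": [], "error": None,
              "checked_at": datetime.now(timezone.utc).isoformat(timespec="seconds")}
    with tempfile.TemporaryDirectory() as scratch_name:
        scratch = Path(scratch_name)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # The 'data' filter (Python 3.12+, backported to patch releases)
                # refuses absolute paths, '..' traversal and device files.
                if hasattr(tarfile, "data_filter"):
                    tar.extractall(scratch, filter="data")
                else:
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            # Unreadable or truncated archive: the backup would not have saved you.
            result["error"] = f"{type(exc).__name__}: {exc}"
            return result
        restored = {p.relative_to(scratch).as_posix(): sha256_file(p)
                    for p in scratch.rglob("*") if p.is_file()}
    for rel, digest in manifest.items():
        if rel not in restored:
            result["missing"].append(rel)
        elif restored[rel] != digest:
            result["corrupt"].append(rel)
    result["extra"] = sorted(set(restored) - set(manifest))
    result["ok"] = not (result["missing"] or result["corrupt"] or result["extra"])
    return result


def demo() -> tuple:
    """Back up a constructed client folder, test the restore, then cut the
    archive in half (an interrupted backup job) and test again."""
    with tempfile.TemporaryDirectory() as work_name:
        work = Path(work_name)
        source = work / "clients"
        sample = {  # constructed sample files, not real client data
            "2023/smith/return.txt": "Form 1040 draft for SMITH",
            "2023/jones/return.txt": "Form 1040 draft for JONES",
            "policies/acme-bop.txt": "BOP policy summary for ACME",
        }
        for rel, text in sample.items():
            f = source / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(text)
        archive = work / "clients.tar.gz"
        manifest = make_backup(source, archive)
        good = verify_restore(archive, manifest)

        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])  # simulate an interrupted job
        bad = verify_restore(archive, manifest)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("intact archive:   ", "PASS" if good["ok"] else "FAIL", good)
    print("truncated archive:", "PASS" if bad["ok"] else "FAIL", bad)
```

Run it on a schedule against the real off-site copy and keep the `checked_at` results; a dated list of passing restore tests is the evidence behind the "tested backups" line in a WISP. The manifest is what turns "the archive opened" into "every file came back intact", which is the difference a ransomware recovery actually depends on.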

This isn’t theoretical for insurance agencies in particular. Attackers have been targeting agency management systems hard, and exposed remote-access services (RDP, VPN appliances, remote-support tools) are now the most common initial entry point in ransomware claims. MFA on remote access and per-user, least-privilege accounts are exactly what shut that door; tested backups are what let you recover if something gets through anyway.

Get ahead of the tax-season crunch — and your cyber renewal

The worst time to discover your IT doesn’t match your WISP is the second week of filing season, with deadlines stacking up and a system locked by ransomware. The best time to fix it is now, in the slower stretch, when changes can be made calmly.

There’s a financial nudge here too: cyber-insurance carriers increasingly require MFA, training, and an incident-response plan before they’ll renew you — or pay a claim. The same work that makes your WISP honest tends to make your renewal cheaper and smoother.

What I do, and where a partner takes over

I’ll be clear about the lines, because they matter. I put the technical safeguards in place — MFA, encryption, access control, monitoring, backup — and I help make sure your WISP reflects reality. For the formal written plan, the risk-assessment sign-off, and any Qualified Individual designation, I work with a compliance partner and point you to the right legal resources. I won’t promise to make you “guaranteed compliant” or “audit-proof” — anyone who does is overselling.

I’m local and business-hours, serving firms in Menifee, Temecula, Murrieta, Wildomar, and Lake Elsinore. If you’d like an honest read on whether the IT under your WISP holds up, book a free FTC Safeguards check. It’s a short call, no obligation — and I never ask you to share client financial information.

This article is general information, not legal or compliance advice.