If you accept money to prepare federal tax returns, the federal government considers you a financial institution and expects you to run cybersecurity like one. That isn't hyperbole; it's the practical reading of two converging obligations: the IRS's Publication 4557 guidance for paid preparers, and the FTC's Safeguards Rule (16 CFR Part 314), whose definition of "financial institution" names tax-preparation services among its examples because they handle consumer financial information.
Most preparers we meet have, at best, a generic template WISP downloaded from a software vendor years ago. That isn't what the IRS or the FTC has in mind, and it isn't what your cyber insurance carrier will accept after a breach.
Why This Matters Right Now
Three forces have converged:
1. PTIN renewal now asks the question. The IRS added an affirmative confirmation to PTIN renewal asking preparers whether they have a written information security plan. False answers create liability. The IRS is using the data.
2. The FTC Safeguards Rule applies, with no small-firm carve-out. The amended Safeguards Rule, whose compliance deadline fell in June 2023, treats any business whose activities are financial in nature as a covered "financial institution", and tax-preparation services appear in the rule's own list of examples, so essentially every paid preparer is captured. Firms holding data on fewer than 5,000 consumers are excused from a handful of the written-documentation requirements (16 CFR 314.6), not from the rule itself. Civil penalties under the FTC Act are inflation-adjusted each year: $43,792 was the 2021 figure per violation (each day of a continuing violation counts separately), and it now exceeds $50,000, with state attorneys general enforcing in parallel.
3. Threat activity has shifted toward preparers. Stolen tax-software credentials are now a category on dark-web markets. Ransomware groups time attacks to filing season. Client-impersonation BEC during tax season is a specific attacker playbook. EFIN theft and PTIN compromise are reported in the thousands each year by IRS Stakeholder Liaisons.
The IRS Security Six
Publication 4557 names six specific control families. These aren't the whole WISP — they're the baseline the IRS expects every preparer to operate:
Anti-virus software
Modern endpoint protection on every device handling client data. Generic free antivirus is no longer sufficient for the threats targeting preparers.
Firewalls
Configured perimeter and host-based firewalls with documented rule sets, regularly reviewed.
Two-factor authentication
MFA on email, tax software, e-file portals, IRS e-Services, bank logins, and any system that touches client information.
Backup software / services
Encrypted, off-site, immutable backups — tested for restorability, not just running.
Drive encryption
Full-disk encryption on every laptop, desktop, and mobile device that touches client data.
Virtual private network
VPN or zero-trust network access for remote work, with documented configuration and access reviews.
The Nine WISP Elements (FTC Safeguards)
The Safeguards Rule (16 CFR 314.4) layers nine specific WISP elements on top of the Security Six; the grouping below is a practitioner's reading of that section rather than its exact sub-paragraph numbering. Together, they form the programme the IRS and FTC both expect you to be able to demonstrate:
Qualified Individual
A named person responsible for the security programme: a solo preparer, a managing partner, or an outsourced security partner serving as virtual Qualified Individual. If you outsource the role, the firm keeps responsibility for compliance and must designate a senior employee to direct and oversee that provider (16 CFR 314.4(a)).
Written risk assessment
Documented evaluation of foreseeable threats to client data. Refreshed annually before PTIN renewal.
Access controls
Least-privilege access, named accounts (no shared logins), and role-based permissions across tax software, document portals, and accounting platforms.
Data inventory and classification
Map where client non-public information lives — tax software, document portals, scanned IDs, working papers — and classify by sensitivity.
Encryption of client information
Tax returns, working papers, scanned IDs, and bank details encrypted in transit and at rest. Email encryption for any client document exchange.
Application security
Secure configuration of tax software, document portals, and accounting platforms. Vendor due diligence on every system touching client data.
MFA on access to customer information
Multi-factor authentication enforced on every account that can reach client data. No exceptions for partners or senior staff.
Secure disposal of customer information
Documented retention policy and secure-disposal procedures for paper returns, scanned IDs, prior-year files, and end-of-life devices.
Continuous monitoring, training, IR, reporting
Ongoing monitoring of the programme (the rule accepts either continuous monitoring or annual penetration testing plus vulnerability assessments at least every six months), logging of authorised user activity, annual employee training, a written incident response plan, and periodic written reporting to the firm owner or partner group.
What Happens When a Preparer is Breached
The IRS has a specific incident-response path for preparers, and it's worth knowing before you need it.
Same day / within 24 hours: contact the IRS Stakeholder Liaison for your area. The Liaison coordinates EFIN review, may temporarily suspend e-filing privileges, and helps contain damage on the IRS side. Also contact the state tax agency and your state attorney general where required.
Within 30 days: notify affected clients in writing, following state breach-notification law; states that set a deadline generally allow 30 to 60 days, and the others require notice without unreasonable delay. The Safeguards Rule adds a federal clock of its own: a breach of unencrypted client information affecting 500 or more consumers must be reported to the FTC as soon as possible and no later than 30 days after discovery.
In parallel: engage forensic counsel and (ideally) the breach-counsel team listed on your cyber insurance policy. Do this before you talk publicly about scope or cause.
A WISP that documents this incident-response process in advance is the difference between a contained event and a chaotic one. The Safeguards Rule explicitly requires that plan to exist before an incident occurs.
The Penalty Stack
The financial exposure has four layers:
1. FTC penalties — up to the inflation-adjusted FTC Act civil penalty (now over $50,000 per violation, each day of a continuing violation counting separately), plus FTC consent-decree obligations that typically run for 20 years.
2. State enforcement — every state has consumer protection authority; many have specific data-breach statutes with additional fines.
3. IRS sanctions — EFIN suspension or revocation, PTIN suspension, exclusion from e-file. For a tax practice this is existential.
4. Civil litigation — class actions from affected clients are now routine after a tax-preparer breach. And if the controls you attested to on your cyber-insurance application were not actually in place, the carrier can deny the claim.
The 10-Question Self-Audit
If you can't answer "yes" to each of these honestly, you have a gap that the IRS, the FTC, or your cyber carrier will find for you.
1. Have I documented a written information security plan that covers the IRS Security Six and the nine FTC Safeguards elements?
2. Is MFA enforced on email, tax software, e-file portals, IRS e-Services, bank logins, and document portals?
3. Is every workstation running endpoint detection & response (not just basic antivirus)?
4. Are all laptops and mobile devices full-disk encrypted?
5. Are backups encrypted, off-site, immutable, and tested at least quarterly?
6. Is there a written incident response plan, including IRS Stakeholder Liaison notification?
7. Has the firm conducted a written risk assessment in the past 12 months?
8. Have all staff completed security awareness training in the past 12 months?
9. Is vendor due diligence documented for tax software, document portal, and any cloud service touching client data?
10. Could I show this evidence to an FTC examiner or IRS Stakeholder Liaison tomorrow?
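Question 10 is where most firms stall: the Security Six controls above may be in place, but nobody can produce dated evidence of it for each workstation. The script below is an added example, not code from IRS Publication 4557, the FTC, or the author of this article. It checks the endpoint-side Security Six controls (anti-virus, firewall, drive encryption, backup agent, VPN profile) on a Windows 10/11 workstation and writes a dated JSON evidence file; two-factor authentication lives in your email, tax-software and e-Services tenants rather than on the endpoint, so it is recorded as a manual attestation. It assumes Microsoft Defender and BitLocker are the anti-virus and encryption products; the backup-agent service name and the evidence directory are placeholders to change for your firm.

```powershell
# Security Six workstation evidence collector.
# Added example, not code from IRS Publication 4557 or the FTC. Run in an
# elevated (Administrator) Windows PowerShell 5.1+ session on Windows 10/11
# Pro or Enterprise. ASSUMPTIONS: Microsoft Defender is the anti-virus product
# and BitLocker the drive-encryption product; the two values below are
# placeholders for your firm.

$BackupServiceName = 'VeeamEndpointBackupSvc'   # ASSUMPTION: your backup agent's Windows service name
$EvidenceDir       = 'C:\WISP\Evidence'         # ASSUMPTION: where dated evidence files are kept

$report = [ordered]@{
    Hostname  = $env:COMPUTERNAME
    Collected = (Get-Date).ToString('o')
}

# 1. Anti-virus: Defender must have real-time protection on and signatures
#    no older than one day.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $report.AV_RealTimeProtection = [bool]$mp.RealTimeProtectionEnabled
    $report.AV_SignatureAgeDays   = [int]$mp.AntivirusSignatureAge
    $report.AV_Pass = $report.AV_RealTimeProtection -and $report.AV_SignatureAgeDays -le 1
} catch { $report.AV_Pass = $false; $report.AV_Error = $_.Exception.Message }

# 2. Firewalls: the Domain, Private and Public profiles must all be enabled.
$fw = Get-NetFirewallProfile
$report.FW_Profiles = ($fw | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join '; '
$report.FW_Pass     = @($fw | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0

# 3. Drive encryption: every OS and fixed data volume must be FullyEncrypted
#    with protection On. A suspended BitLocker volume still reports
#    FullyEncrypted but ProtectionStatus Off, which this check catches.
try {
    $vols = Get-BitLockerVolume -ErrorAction Stop |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' }
    $report.FDE_Volumes = ($vols | ForEach-Object {
        "$($_.MountPoint) $($_.VolumeStatus)/$($_.ProtectionStatus)" }) -join '; '
    $report.FDE_Pass = @($vols).Count -gt 0 -and
        @($vols | Where-Object { $_.VolumeStatus -ne 'FullyEncrypted' -or
                                 $_.ProtectionStatus -ne 'On' }).Count -eq 0
} catch { $report.FDE_Pass = $false; $report.FDE_Error = $_.Exception.Message }

# 4. Backup software: the backup agent's service must be installed and running.
#    Restore testing cannot be verified from here; record it separately.
$svc = Get-Service -Name $BackupServiceName -ErrorAction SilentlyContinue
$report.Backup_ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
$report.Backup_Pass          = $svc -and $svc.Status -eq 'Running'

# 5. VPN: at least one VPN profile must be configured for this user.
$vpn = @(Get-VpnConnection -ErrorAction SilentlyContinue)
$report.VPN_Profiles = ($vpn | ForEach-Object { "$($_.Name)->$($_.ServerAddress)" }) -join '; '
$report.VPN_Pass     = $vpn.Count -gt 0

# 6. Two-factor authentication is enforced in the cloud tenants (email, tax
#    software, IRS e-Services, bank, document portal), not on the endpoint.
$report.MFA_Attestation = 'MANUAL: attach MFA enforcement exports or screenshots from each tenant'

$report.SecuritySix_EndpointChecksPass = $report.AV_Pass -and $report.FW_Pass -and
    $report.FDE_Pass -and $report.Backup_Pass -and $report.VPN_Pass

# Write a dated JSON evidence file for this machine and show the summary.
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$outFile = Join-Path $EvidenceDir ('security-six-{0}-{1}.json' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd'))
$report | ConvertTo-Json -Depth 3 | Set-Content -Path $outFile -Encoding UTF8
$report
```

Run it on every device that touches client data, keep the JSON files with the WISP, and re-run before each PTIN renewal so the evidence is never older than the risk assessment. The pass/fail flags are deliberately strict: a firewall profile reading "NotConfigured" or a BitLocker volume with protection suspended both fail, because those are exactly the states an examiner would question.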
Where to Start
Whether you're a solo preparer or a 40-person firm, the sequencing is the same:
- Designate a Qualified Individual in writing (today)
- Turn MFA on across email, tax software, e-file, IRS e-Services, banking, and document portals (this week)
- Confirm endpoint protection, encrypted backups, and full-disk encryption on every device touching client data
- Draft (or refresh) a written risk assessment
- Build the WISP to cover both the Security Six and the nine FTC elements
- Run a baseline phishing simulation and refresh awareness training
- Document vendor due diligence on every system touching client data
- Tabletop an incident-response exercise with whoever would actually be in the room when something happens
The Bottom Line
The era of "tax preparation is private; nobody cares about my computer" is over. The IRS cares. The FTC cares. Your insurance carrier cares. Attackers definitely care. And every PTIN renewal from now on puts the WISP question in front of you, on a form signed under penalties of perjury.
Treat this as a routine professional obligation, the same way you treat continuing education or licensing. It belongs in the budget; it belongs on the calendar; and it belongs in your annual planning cycle.
This article is general information, not legal advice. Confirm specific obligations with qualified counsel and the IRS Stakeholder Liaison for your area.
Related reading: the SMB BEC guide, backup strategies that survive ransomware, and the MFA rollout primer.