Open the drawer where you keep your Written Information Security Plan. Look at the last-reviewed date.
If it says 2023, or the date line is blank, or you can't put your hands on the document at all, you have a lot of company. Most solo and small-firm preparers signed a template once, grabbed a sample WISP off a forum five years back, or kept meaning to write one and never got around to it.
Sound familiar?
Here's what shifted. The IRS is reading WISP documentation at EFIN renewal with a level of attention it wasn't bringing two years ago. The FTC's amended Safeguards Rule, most of which took effect in June 2023, requires a written program, a named qualified individual, and a written incident response plan; a further amendment effective May 2024 added a duty to notify the FTC of a breach involving unencrypted data on 500 or more people. Civil penalties under the FTC Act are indexed annually for inflation; recent maxima sit above $50,000 per violation, per day, with no statutory cap.
This is practice operations work, and it doesn't get done unless you put it on the calendar. Below is what Publication 4557 actually requires, what reviewers are pulling on, and how to fix a thin WISP in roughly 90 minutes.
What review actually checks
- FTC max: $50,000+ per violation, per day, with no statutory cap
- Required sections: 6 (coordinator, risk, safeguards, vendors, review, incident response)
- Fix time: 90 min, thin WISP to review-ready in one block
What IRS Publication 4557 actually says
IRS Publication 4557, Safeguarding Taxpayer Data, is the document every paid preparer ought to be able to cite from memory. It pulls from the Gramm-Leach-Bliley Act and the FTC Safeguards Rule and spells out what a tax pro has to do to protect client information.
The technical floor is what the IRS calls the Security Six:
1. Anti-virus software on every device that touches client data
2. Firewalls (hardware or software) at every network boundary
3. Two-factor authentication on all professional accounts, including email and tax software
4. Backup software or cloud-based backup, tested
5. Drive encryption on every laptop, desktop, and mobile device
6. A VPN for any remote access
Sitting on top of that, Pub 4557 directs every paid preparer to maintain a written plan covering six required security elements: designate a coordinator, identify and assess risks, develop and implement safeguards, oversee service providers, evaluate and adjust the program, and respond to security incidents.
A WISP isn't a checkbox you tick. It's the document that proves you did those six things.
The penalty number nobody quotes
Most CPE webinars race past this part. The FTC Safeguards Rule (16 CFR Part 314) has treated tax preparers as "financial institutions" since it was first issued; the 2021 amendment, in force since June 2023, spells out what that status requires. Civil penalties under the FTC Act apply.
The current maximum, indexed each year under 16 CFR 1.98, has run above $50,000 per violation, per day in recent years. There is no statutory cap.
A "violation" doesn't have to mean a breach. Failing to maintain a written plan is a violation. Failing to designate a qualified individual in writing is a violation. Skipping vendor oversight is a violation. Each one can be assessed separately, and the day-counter starts when the deficiency exists — not when the FTC happens to find it.
The honest version: most enforcement actions kick off after a breach. But "we'll fix it if something happens" stops being a strategy when the IRS is asking to see the WISP at renewal anyway. If you want a quick read on your own number based on staff size, client count, and the state of your WISP, run it through the penalty risk estimator.
What's inside a WISP that actually holds up
A WISP that survives review isn't a doorstop. The good ones come in at 12 to 25 pages. The bad ones are either three pages of generic boilerplate or a 60-page template the preparer never read past the cover.
Section 1: Designated Security Coordinator (Qualified Individual). Name, title, contact info, date of designation. "The owner" or "management" doesn't cut it under the amended rule. If you're solo, write your own name down with your title and the date.
Section 2: Risk Assessment. A documented review of where client data lives — server, cloud, email, paper files, mobile devices, vendor systems — what could go wrong, and what's in place to stop it. Redo at least annually.
Section 3: Safeguards. The actual controls. Maps to the Security Six plus access controls, password policy, physical security (locked file cabinets, alarm system, shred procedures), and employee training. Note who has access to what.
Section 4: Service Provider Oversight. Every vendor that touches client data, plus how you've checked their security. More on this in a minute.
Section 5: Program Evaluation and Adjustment. Annual review log, signed and dated. Triggers for off-cycle review (new software, breach, staff change, new service line).
Section 6: Incident Response Plan. What happens in the first 24 hours, the first 72, the first week. Who you call. How you notify clients. How you reach the IRS Stakeholder Liaison and your state. Since May 2024, a breach involving unencrypted data on 500 or more people must also be reported to the FTC no later than 30 days after discovery. Strictly, the rule exempts firms holding data on fewer than 5,000 consumers from the written-plan requirement (16 CFR 314.6), but Pub 4557 lists incident response as one of the six required elements, and a reviewer asking for your WISP expects to see it.
If your current WISP doesn't have all six sections clearly labeled with real content under each, it's thin. Thin WISPs don't hold up.
The vendor section most preparers skip
Section 4 is where most WISPs come apart, because most preparers have never sat down and listed every vendor that touches client data.
Try this. On a single page, write down every system, service, or contractor with any access — even read-only — to client tax information. A starter list:
- Tax preparation software
- Document management or portal software
- E-signature platform
- Cloud storage or backup provider
- Email provider (yes, your email host counts)
- Practice management or CRM
- Bookkeeping or write-up software you use for clients
- IT support or managed service provider
- Cleaning service with after-hours office access
- Shredding service
- Any 1099 contractor doing data entry, bookkeeping, or admin work
- Any offshore preparer or reviewer
For each one, three things go in the WISP: vendor name, what data they touch, and evidence you've verified their security posture. That evidence is usually a SOC 2 report, a signed data security addendum, or at minimum a written attestation from the vendor.
A common pushback: I trust my software provider, they're a major company, do I really need a SOC 2 on file? Yes. Your WISP isn't proving the vendor is secure. It's proving you exercised oversight. Two different things, and only the second one is your job.
Your annual review isn't optional anymore
Before the amendment, "evaluate and adjust" was loose guidance. Since the amended rule took effect in June 2023, periodic reassessment is an explicit requirement for every covered firm, and Pub 4557 lists it as one of the six elements. If your WISP doesn't have a review log with dated signatures going back at least to 2024, that's a gap a reviewer can put a finger on.
The annual review has four parts:
1. Re-run the risk assessment. Anything change — new software, new staff, new service line, new remote workers, new vendor, office move?
2. Test the safeguards. Confirm 2FA is on for every account. Confirm backups actually restore: restore to a scratch location, never over the live data, and compare the result against the source (many backups fail the first time anyone checks). Confirm encryption is enabled on every device.
3. Review the vendor list. Add new ones, drop the ones you no longer use, refresh security verification on the rest.
4. Run an incident response tabletop. Thirty minutes. Walk through a scenario out loud: phishing email got clicked, ransomware on the server, lost laptop in an Uber. Who calls who, in what order. Document that you did it.
That last one is where most firms find out they don't have an incident response plan — they have an incident response paragraph. The first time you walk through "the server is encrypted by ransomware at 9 a.m. on April 14" out loud, the gaps surface fast.
Log the review with a date and the coordinator's signature. That single page is what an EFIN reviewer wants to see.
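Step 2 of the review says to confirm backups actually restore. The script below is an added example written for this article, not IRS or FTC material and not a tool the page recommends. It restores nothing itself: given the live client-data folder and a folder you have restored from backup to a scratch location, it hashes every file on both sides and reports what is missing, what differs, and what is stale. The directory names and sample files are constructed inline so it runs offline; in practice, point `verify_restore` at your real source and restore directories and attach the printed report to the review log.

```python
"""Backup restore test: compare a restored copy of the client-data tree
against the live source and report what is missing or corrupted.

Added example for this article. All paths and sample files are
constructed inline so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large PDFs don't have to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(source: Path, restored: Path) -> dict[str, list[str]]:
    """Compare a restore against the live source.

    Returns three lists: files missing from the restore, files whose
    content differs (corruption or partial restore), and files present
    in the restore but not the source (stale data the backup kept).
    """
    src, dst = manifest(source), manifest(restored)
    both = src.keys() & dst.keys()
    return {
        "missing": sorted(set(src) - set(dst)),
        "corrupted": sorted(k for k in both if src[k] != dst[k]),
        "unexpected": sorted(set(dst) - set(src)),
    }


def restore_ok(report: dict[str, list[str]]) -> bool:
    """A restore passes only if nothing is missing or corrupted."""
    return not (report["missing"] or report["corrupted"])


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a restore that silently lost one file and
    truncated another, the two failure modes a restore test must catch."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "live")
        restored = Path(tmp, "restored")
        # Constructed sample files; the bytes are placeholders, not real returns.
        files = {
            "2024/smith-1040.pdf": b"%PDF-1.7 constructed sample return",
            "2024/jones-1040.pdf": b"%PDF-1.7 another constructed sample",
            "engagement-letters/jones.docx": b"constructed engagement letter",
        }
        for rel, data in files.items():
            for root in (source, restored):
                p = root / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(data)
        # Simulate a bad restore: one file never came back, one was truncated.
        (restored / "2024/jones-1040.pdf").unlink()
        (restored / "engagement-letters/jones.docx").write_bytes(b"constructed")
        return verify_restore(source, restored)


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
    print("RESTORE OK" if restore_ok(report) else "RESTORE FAILED - do not sign off")
```

A restore that only checks "the folder is there" passes a truncated file; hashing is what turns the review-log line "backups tested" into something you could defend. Keep the report alongside the signed review log.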
What EFIN renewal reviewers are looking for
EFIN renewal scrutiny in 2025 and 2026 looks different than it did. Reviewers aren't just confirming a WISP exists. They're sampling content. The seven mistakes that get flagged:
1. No designated qualified individual in writing. A WISP that says "the firm" or "management" is responsible fails this test. Name a person.
2. Templates with placeholder text still in the document. Things like [FIRM NAME] or "Insert your procedures here." Reviewers spot it inside thirty seconds.
3. No date, or a stale date. A WISP last touched in 2022 reads as abandoned. A 2025 or 2026 review log on the front page is the bare minimum.
4. Missing incident response section. One of the six required elements in Pub 4557, and a written plan under the amended Safeguards Rule. If your document predates the amendment and was never updated, this section is probably absent or one paragraph long.
5. No vendor list, or a list with no verification. See Section 4.
6. No employee training record. Even solos document their own annual training. For firms with staff, every person who touches client data needs a dated training record. Phishing simulations count. So does sitting through an hour of CPE on data security.
7. Mismatched controls. The WISP says "all laptops are encrypted" but the firm has three laptops and only the owner's is encrypted. Don't write what isn't true.
If renewal documentation has run thin in past years, refresh it now rather than during the renewal window. Pulling together a vendor list and a training log under deadline pressure produces a worse document than doing the same work in April.
A 90-minute plan you can run today
Block 90 minutes, close email, work the list.
Minutes 0-10. Locate your current WISP, or accept that you don't have one. Note the last-reviewed date.
Minutes 10-25. Designate the qualified individual in writing. One paragraph, signed and dated. Solo, it's you. With staff, it's whoever is senior on operations and willing to own it.
Minutes 25-45. Build the vendor list. Use the starter list above. For each vendor, note what data they access. Flag the ones with no security verification on file — those are next week's follow-up items.
Minutes 45-60. Run the tabletop. Pick a scenario: ransomware, phishing, lost device. Walk through the first 24 hours out loud. Write down who you'd call, in what order, and what you'd tell clients. That becomes your incident response section.
Minutes 60-75. Update or rebuild the six WISP sections. If your existing document is salvageable, refresh each section with current content. If it's a 2019 template you've never cracked open, start clean — a focused rebuild beats fixing a bad foundation. The free WISP starter walks through each of the six required elements with prompts written for small tax practices, so you're not staring at a blank page.
Minutes 75-90. Sign and date the annual review log. Save the document somewhere your staff can find it. Email a copy to yourself for a timestamped backup. Put the next review date on your calendar — November is a good month, before busy season.
The 90-minute fix
One blocked session turns a thin WISP into a document that maps to Pub 4557.
- 0-25 min: Locate the WISP and designate the qualified individual in writing
- 25-45 min: Build the vendor list and note what data each one touches
- 45-60 min: Run an incident-response tabletop out loud
- 60-90 min: Rebuild the six sections, then sign and date the review log
Done. Ninety minutes from thin WISP to a document that maps cleanly to Publication 4557 and the amended Safeguards Rule.
The firms that get tagged at EFIN renewal aren't the ones with imperfect WISPs. They're the ones who can't produce one at all, or who hand over something with placeholder text still in it. Don't be that firm in 2026.
