Q: My firm has a Written Information Security Plan (“WISP”), but it hasn’t been updated since early 2023. How often should we be reviewing/updating our WISP? And have there been any significant changes to the regulatory guidance related to physical, technical, and/or administrative safeguards a CPA firm is required to have in place to protect its confidential client data from potential breaches and cyberattacks?
A: CAMICO strongly encourages firms to keep their Written Information Security Plan (“WISP”) relevant and updated to showcase the firm’s ongoing efforts to ensure compliance with the spirit and intent of the Gramm-Leach-Bliley Act’s (“GLBA”) Safeguards Rule. To that end, CPA firms should periodically review the effectiveness of their security program as detailed in their WISP, reassess the risk factors as well as any material changes to the firm’s operations, and make changes to the plan as necessary. Firms need to consider the appropriate frequency of this review based on the firm’s size, complexity, identified risk factors, and any updated guidance promulgated by the Internal Revenue Service (“IRS”) or other regulatory bodies.
Now would be a good time to consider reviewing and updating the firm’s WISP given the IRS’s August 13, 2024 announcement regarding the availability of an updated WISP template to help tax professionals, especially smaller practices, protect against continuing threats from identity thieves and data risks. (IR-2024-208). The updated WISP, contained in IRS Publication 5708, Creating a Written Information Security Plan for Your Tax & Accounting Practice, is available at: www.irs.gov/pub/irs-pdf/p5708.pdf.
The IRS’s guidance includes best practices for implementing multi-factor authentication for any individual accessing any information system (refer to: Multi-factor authentication: Key protection to tax professionals’ security arsenal now required | Internal Revenue Service (irs.gov)), as well as a new requirement to report a security event affecting 500 or more people to the Federal Trade Commission (FTC) as soon as possible, but no later than 30 days from the date of discovery.
Remember that maintaining an information security program is not a one-size-fits-all approach, as every firm will need to ensure that it has the required safeguards in place for its size, complexity, and the nature and scope of the services it renders. As such, a CPA firm’s efforts to comply with the Safeguards Rule are organization-specific, and CAMICO recommends that each firm work with its IT/cyber specialists and legal counsel to modify and tailor its WISP to ensure the firm’s compliance with the GLBA’s Safeguards Rule and other applicable laws.
If you are a CAMICO policyholder and are looking for more risk management guidance and information on cyber and data security issues, then access CAMICO’s Cyber/Data Security Resource Center on our Members-Only Site. It also includes CAMICO’s illustrative Written Information Security Plan template.