Decision Guide · Regulatory
Do I Need a WISP?
If you've been asked for a "WISP" by a regulator, an insurer, or a customer's procurement team, here's the plain-English version: it's a written security plan, several laws require one, and far more businesses are covered than realize it. This guide tells you who needs one and how to tell if that's you. (Note: in this context, WISP means Written Information Security Program, not the telecom term Wireless Internet Service Provider.)
The short answer
You almost certainly need a WISP if any of these are true: you hold personal information about a Massachusetts resident; you're a "financial institution" under the FTC Safeguards Rule (a category far broader than banks); you're a paid tax preparer; or a customer contract or cyber insurance application asks whether you have a written information security program. When in doubt, having one is the safe, low-cost default.
What a WISP actually is
A Written Information Security Program is a documented plan describing the administrative, technical, and physical safeguards your organization uses to protect sensitive and personal information. In practice it covers things like who is responsible for security, what data you hold and where, how you control access, how you train staff, how you vet vendors, and what you do if there's an incident. It's the document that proves you have a security program, not just scattered tools.
Who is legally required to have one
1. Anyone holding data on a Massachusetts resident
Massachusetts 201 CMR 17.00 requires any person or entity that owns or licenses personal information about a Massachusetts resident to develop, implement, and maintain a comprehensive written information security program. Critically, this applies regardless of where your business is located: the obligation follows the resident's data, not your address. If you have customers or employees in Massachusetts, it likely reaches you. One caveat worth checking before you conclude either way: the regulation defines "personal information" narrowly, as a resident's name combined with a Social Security number, a driver's license or state ID number, or a financial account or payment card number. A mailing list of names and email addresses alone does not trigger it; an employee payroll file or a customer record with a card number almost certainly does. The regulation also sets concrete technical minimums, including encryption of personal information sent across public networks and of personal information stored on laptops or other portable devices, so the written program has to describe controls you actually run.
2. "Financial institutions" under the FTC Safeguards Rule
The FTC Safeguards Rule, which implements the Gramm-Leach-Bliley Act (GLBA), requires "financial institutions" to develop, implement, and maintain a written information security program. The catch is how broadly "financial institution" is defined: it reaches well beyond banks to include businesses such as mortgage brokers, auto dealers that arrange financing or leases, non-bank lenders, tax preparers, collection agencies, and "finders." The amended Safeguards Rule added specific, prescriptive program requirements (among them a designated Qualified Individual, a written risk assessment, access controls, encryption, and multi-factor authentication), and the compliance deadline for those new provisions was June 9, 2023. Firms holding information on fewer than 5,000 consumers are exempt from a few of the documentation and testing provisions, but not from the core requirement: if you're covered, a written program is not optional.
3. Paid tax preparers
Paid tax preparers are covered by the FTC Safeguards Rule under GLBA and must maintain a written data security plan. The legal requirement comes from the FTC rule, but the IRS reinforces it and makes compliance easier: IRS Publication 4557 covers safeguarding taxpayer data, and the IRS provides a ready-to-use WISP template in Publication 5708. If you have a PTIN and prepare returns for compensation, plan on having one.
The reasons even non-required businesses build one
Plenty of companies aren't strictly mandated to have a WISP but build one anyway, because two things now ask for it directly:
- Cyber insurance applications. Carriers increasingly ask whether you maintain a written information security program. "No" can raise your premium, limit coverage, or sink the application.
- B2B contracts and security questionnaires. Enterprise customers routinely require vendors to attest to a written security program before signing. No WISP can mean no deal.
A quick self-check
You should treat a WISP as a requirement if you can say "yes" to any of these:
- We hold personal information about residents of Massachusetts (customers or employees).
- We're a financial institution under the FTC Safeguards Rule, including non-bank businesses such as mortgage brokers, auto dealers that finance or lease, non-bank lenders, collection agencies, or tax preparers.
- We prepare tax returns for compensation.
- A customer contract or cyber insurance application has asked whether we have a written information security program.
Build your security program the way underwriters and contracts expect
A WISP is only as credible as the controls behind it. The Strondex Cyber Insurance Prep Checklist walks you through the administrative, technical, and physical safeguards a written program needs: the same access-control, MFA, vendor, and incident-response controls insurers verify, explained in plain English with guidance on how to evidence each one.
Frequently asked questions
What is a WISP?
A Written Information Security Program, a documented plan describing the administrative, technical, and physical safeguards you use to protect sensitive and personal information.
Who is legally required to have a WISP?
Common triggers: holding data on a Massachusetts resident (201 CMR 17.00), being a "financial institution" under the FTC Safeguards Rule (broadly defined), and paid tax preparers. Many contracts and insurers also require one.
Do tax preparers need a WISP?
Yes. Paid preparers are covered by the FTC Safeguards Rule under GLBA and must maintain a written data security plan. The IRS reinforces this and provides a template in Publication 5708.
Is a WISP the same as a Wireless Internet Service Provider?
No. Same acronym, different worlds. In security and compliance, WISP means Written Information Security Program.
Sources
- FTC, "FTC Safeguards Rule: What Your Business Needs to Know": ftc.gov
- Commonwealth of Massachusetts, 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth: mass.gov
- IRS, Publication 4557, Safeguarding Taxpayer Data: irs.gov
- IRS, Publication 5708, Creating a Written Information Security Plan for your Tax & Accounting Practice: irs.gov
This article is general educational content, not legal advice. Whether and how a WISP requirement applies to your specific business depends on your data, location, and industry; consult qualified counsel for a definitive answer.