January 29, 2026
Compliance with the FTC Safeguards Rule and the Written Information Security Plan (WISP) Requirement for the Financial Sector
Is Your Business Compliant with the FTC Safeguards Rule and Written Information Security Plan?
As digital crime continues to rise, the Federal Trade Commission (FTC) has strengthened its enforcement of data security requirements to better protect customer information, including sensitive financial data. The Safeguards Rule applies to non-bank financial institutions under FTC jurisdiction, such as tax preparers, accounting firms that prepare returns, mortgage brokers, and dealers that extend credit; banks and credit unions are overseen by their own regulators.
The FTC Safeguards Rule, as amended in 2021 (with the amended requirements in force since June 2023 and a breach notification requirement added in 2024), mandates that covered financial institutions implement comprehensive security measures to protect customer data. The amended rule spells out specific controls rather than general goals, so its compliance requirements now reach many small businesses that previously treated it as a formality.
Organizations that fail to implement required safeguards may face:
- Substantial fines and legal action
- Reputational damage
- Suspension of IRS e-file privileges (for tax preparers)
- Significant remediation and recovery costs
Importantly, penalties may be imposed not only on the company, but also on business owners personally. Understanding and complying with the Safeguards Rule is therefore critical.
FTC Safeguards Rule Overview
The FTC Safeguards Rule requires covered businesses to develop, implement, and maintain a comprehensive information security program that includes administrative, technical, and physical protections for customer data.
The rule is designed to:
- Ensure the security and confidentiality of customer information
- Protect against anticipated threats or hazards
- Protect against unauthorized access to, or use of, customer information that could result in substantial harm or inconvenience to any customer
Written Information Security Plan (WISP) for the Financial Sector
The financial sector—particularly tax preparation and accounting firms—is a prime target for cybercriminals. Data breaches can lead to serious financial losses, regulatory scrutiny, and long-term reputational damage. Small and mid-sized firms are often especially vulnerable due to limited cybersecurity resources.
To address these risks, tax preparers and accounting firms must create and maintain a Written Information Security Plan (WISP). The obligation comes from the FTC Safeguards Rule, which the FTC issued under the Gramm-Leach-Bliley Act (GLBA); the IRS reinforces it for tax professionals through its Publication 4557 guidance and by asking preparers to confirm awareness of the requirement when they obtain or renew a PTIN.
A WISP documents how an organization protects sensitive client and taxpayer data and must be tailored to the firm’s size, complexity, and scope of operations.
Key Components of a Strong WISP
A robust Written Information Security Plan typically includes:
- A written risk assessment identifying where customer data is stored, who can access it, and what could go wrong
- A designated Qualified Individual responsible for overseeing the program
- Security policies and procedures
- Employee training and awareness programs
- Access controls, including multi-factor authentication for anyone accessing customer information
- Encryption of customer data in transit and at rest
- Secure data disposal practices, including disposal of customer information no longer needed for a legitimate business purpose
- Oversight of service providers that handle customer data
- Incident response and breach notification procedures
- Ongoing monitoring, testing, and compliance reviews
The IRS emphasizes that a WISP is a living document and must be reviewed and updated regularly to address evolving threats, regulatory changes, and operational growth.
Need Help with FTC Safeguards Compliance?
Do you own a small or mid-sized financial business in Northwest Ohio or Southeast Michigan?
Would you like to better understand your compliance obligations and risk exposure under the FTC Safeguards Rule?
Click here to speak with one of our experts and learn how we can help ensure your organization remains compliant and secure.
Author: Justin Zahn, Managing Member, Gut Consulting