What Is WISP Compliance? A Plain Guide for Insurance and Financial Firms

WISP compliance means keeping a written information security program. Here is what a WISP is, who is required to have one, and what it covers for insurers.

If you handle other people's financial or insurance information, you have probably been told you need a WISP. WISP compliance means creating, following, and maintaining a Written Information Security Program: a documented plan for how your business protects sensitive customer data. It is not a one-time form. It is a living document that several federal and state rules now expect regulated businesses to keep current.

Here is what a WISP is, who has to have one, and what belongs inside it.

What a WISP actually is

A Written Information Security Program is a written plan that describes how your organization safeguards nonpublic personal information. The key word is written. Regulators want to see that your security is documented and repeatable, not just a set of habits in someone's head.

A WISP records what sensitive data you hold, where it lives, who can access it, the safeguards you use to protect it, and what you do when something goes wrong. The plan is meant to be sized to your business. A solo agency and a regional carrier face the same requirement, but at very different levels of detail.

Who is required to have a WISP

Several laws point at the same requirement from different angles.

The Federal Trade Commission's Safeguards Rule, issued under the Gramm-Leach-Bliley Act, requires financial institutions to keep a written information security program. The FTC explains that the program must be written and appropriate to the size and complexity of the business, the nature of its activities, and the sensitivity of the information involved. The rule also requires firms to name a single Qualified Individual to run the program and to report to leadership at least once a year.

Tax and accounting practices are squarely in scope. Under federal law, tax professionals are treated as financial institutions for data security purposes, and the IRS reminds them that a written security plan is mandatory. The IRS even publishes a sample template, Publication 5708, to help smaller firms build one.

Some states add their own requirements. Massachusetts, through its data protection regulation known as 201 CMR 17.00, requires any business that holds personal information about a Massachusetts resident to develop and maintain a written information security program, regardless of where the business is located.

WISP compliance in the insurance industry

For insurance businesses, the most direct driver is the NAIC Insurance Data Security Model Law. The model requires entities licensed by a state insurance department, which can include insurers, agencies, and adjusters, to develop, implement, and maintain a written information security program based on a risk assessment.

The NAIC model sets out a familiar set of duties: assess your risks at least once a year, put safeguards in place that match those risks, oversee the third-party vendors who touch your data, keep an incident response plan, and notify the state insurance commissioner promptly after a cybersecurity event, generally within 72 hours. Many states have already adopted a version of this law, so an agency operating in several states may answer to several near-identical rules at once.

The practical takeaway is that a licensed insurance business is increasingly expected to treat its data security program as a written, auditable obligation, not an informal practice.

What goes in a WISP

The different rules describe the same core building blocks. A workable WISP usually covers six elements.

  • A designated coordinator. One named person, the Qualified Individual under the FTC rule, who owns the program.
  • A risk assessment. A documented review of the threats to the data you hold, updated at least annually.
  • Safeguards. The actual controls, such as access limits, encryption, secure storage, and password rules, chosen to address the risks you identified.
  • Employee training. Evidence that staff know how to handle data and spot threats like phishing.
  • Vendor oversight. Written expectations for the third parties who store or process your data.
  • An incident response plan. Clear steps to detect, contain, report, and recover from a breach, including who you have to notify and how fast.

The point of writing these down is accountability. If a regulator or an auditor asks how you protect client data, the WISP is the answer you hand them.

How to start and stay compliant

A template is a starting point, not a finished plan. The IRS sample WISP, for example, uses placeholder language that you are expected to replace with your real systems, vendors, and controls. Copying a template without tailoring it leaves you with a document that does not match how your business actually runs, which helps no one if a breach happens.

Treat the WISP as something you revisit. Reassess your risks on a schedule, update the plan when you add new software or vendors, retrain staff, and keep records of the reviews you do. Compliance is the ongoing practice, not the file sitting on a shared drive.

A note on legal advice

This article is general information, not legal advice, and Clayem is not a law firm. Data security requirements vary by state, by industry, and by the kind of information you hold, and they change over time. Before you rely on any specific rule described here, confirm the current requirements that apply to your business and consider speaking with a licensed attorney or a qualified compliance professional.