The Difference Between 'Having a Policy' and 'Having a Program' (And Why Regulators Care)
A firm owner calls me and says, "We're good on compliance. We have a WISP." I ask a few follow-up questions. When was it last updated? Who reviews it? Has your team been trained on what's in it? Is the person named as your qualified individual actually doing the work described in the document?
Silence.
This is the most common gap I see in CPA firms across the country. The document exists. It's sitting in a shared drive or a filing cabinet. Someone wrote it, probably when the FTC Safeguards Rule deadline hit in June 2023. And since then, nothing has happened with it.
The problem is that having a Written Information Security Plan on file is not the same as having an information security program. The FTC doesn't just want you to write something down. It wants you to do the thing you wrote down. Continuously. And be able to prove it.
What the FTC Actually Requires
The language in the FTC Safeguards Rule (16 CFR Part 314) is specific. It requires covered financial institutions to "develop, implement, and maintain a comprehensive information security program." Those three words do different things.
Develop means create the plan. Write the policies. Define the controls. This is where most firms stop, and they assume they're done.
Implement means actually execute what you wrote. If your WISP says you'll conduct quarterly access reviews, those reviews need to happen. If it says you'll train employees annually, the training needs to be delivered and documented. If it names a qualified individual to oversee the program, that person needs to be actively managing it.
Maintain means keep it current. Update it when your operations change, when you add new systems, when you hire or lose staff, when new threats emerge. The FTC expects your program to evolve alongside your business, not sit static on a server collecting digital dust.
A policy is a document. A program is the ongoing work of doing what the document describes.
How the FTC Has Enforced This Distinction
This isn't theoretical. Ten of the FTC's enforcement complaints have specifically cited "either the nonexistence or the inadequacy of a defendant's written information security program." The keyword is inadequacy. These weren't cases where the company had no security. They were cases where the security existed on paper but failed in practice.
The Drizly case in 2022 is a clear example. Drizly publicly claimed that consumer information was "securely stored and protected by commercially reasonable security practices." The reality was different. An executive used a seven-character password that was reused across personal accounts. Attackers accessed the company's systems using credentials from an unrelated breach. The gap between what the policy said and what the organization actually did exposed 2.5 million consumers' personal data.
The FTC's enforcement order didn't just require Drizly to fix the specific vulnerability. It required the company to establish a comprehensive information security program with administrative, technical, and physical safeguards, subject to third-party assessments every two years. The FTC's message was clear: a policy that isn't backed by an active program is a liability, not a protection.
More recently, the Marriott consent order imposed a 20-year compliance requirement, including annual board reporting, third-party audits, and documented evidence of ongoing program management. Marriott had security controls. What they lacked was the governance framework to ensure those controls were consistently applied and monitored.
Where CPA Firms Commonly Fall Short
The gap between policy and program tends to show up in a few predictable places.
The qualified individual exists on paper but not in practice. The FTC requires you to designate someone responsible for your information security program. Many firms name a partner in the WISP and then that partner never reviews the program, never reports on its status, and wouldn't be able to describe what it includes if asked. The designation is meaningless without the work that goes with it.
Training happened once and was never repeated. Your WISP probably says you'll train employees on security practices. If that training happened in 2023 and hasn't been refreshed since, you have a compliance gap. The FTC expects ongoing training, especially when threats evolve and staff changes.
Risk assessments are stale. The Safeguards Rule requires you to periodically reassess the risks to your client data and evaluate whether your safeguards are still adequate. If your risk assessment is two years old and you've changed software, added remote access, or brought on new service providers since then, it no longer reflects your actual risk environment.
Monitoring doesn't exist. The rule gives you two options: continuous monitoring of your information systems, or annual penetration testing combined with vulnerability assessments at least every six months. Most small firms do neither. They assume their IT provider is handling it, but when they ask, there's no documentation of regular scans or testing.
Board or partner reporting doesn't happen. Section 314.4(j) requires that the qualified individual report at least annually to the firm's leadership on the status of the information security program. This is a governance requirement. If your annual partner meeting doesn't include a security program update, that's a documented gap.
The IRS Reinforces the Same Standard
The IRS isn't just the FTC's echo here. Publication 4557 requires every tax professional to have a Written Information Security Plan and to review it regularly. The IRS specifically warns that a WISP is not "set it and forget it." It expects minimum quarterly reviews, with immediate updates when you change technology, add or remove staff, modify business processes, experience a security incident, or receive updated regulatory guidance.
There's also an uncomfortable reality: some CPA firms have been attesting on their PTIN renewals that they have a WISP in place when they haven't actually built one. That's a compliance assertion without a foundation. If those firms are ever investigated, the gap between what they attested and what exists will be a problem.
What a Real Program Looks Like
A document is a starting point. A program includes the ongoing activities that make the document real. At minimum, a functioning information security program includes:
- A qualified individual who actively manages the program and can describe its current state at any time.
- A risk assessment that's been updated within the past 12 months and reflects your current operations, systems, and service providers.
- Documented employee training delivered at least annually, with acknowledgment records.
- Regular monitoring or testing of your security controls, either through continuous monitoring or through the penetration testing and vulnerability assessment schedule required by the rule.
- Annual reporting to firm leadership on the program's status, including any incidents, changes, or identified gaps.
- Documented oversight of service providers, including your IT provider, with written agreements that specify their security responsibilities.
None of this is optional under the current regulatory framework. And none of it happens by itself. A policy might live in a filing cabinet. A program lives in your calendar.
What You Can Do Today
- Pull out your WISP and read it. When was it last updated? Does it accurately describe your current operations? If it references systems you no longer use or people who no longer work at the firm, it needs an update.
- Check your qualified individual. Is the person named in the WISP actually managing the program? Can they tell you when the last risk assessment was conducted, when training was last delivered, and what monitoring is in place? If not, either reassign the role or give that person the support they need to do it.
- Verify your monitoring or testing schedule. Ask your IT provider whether vulnerability scans are being conducted and documented. If the answer is vague, schedule a conversation to establish a clear testing cadence.
- Schedule your annual leadership report. If you haven't reported to your partners on the security program this year, put it on the calendar. A simple 30-minute presentation covering the program's status, any incidents, and planned improvements satisfies the reporting requirement.
- Document everything you do from this point forward. Every training session, every access review, every risk assessment update. The documentation is the proof that your program is real, not just written.
The Bottom Line
The FTC doesn't care what's in your filing cabinet. It cares what's in your practice. A policy tells the regulator what you said you'd do. A program tells them what you actually did.
The firms that treat their WISP as a living document, supported by ongoing activities, staffed by a real qualified individual, and reported on regularly, are the ones that will weather a regulatory inquiry without breaking a sweat. The firms that wrote a document in 2023 and assumed it was sufficient are carrying a risk they may not fully appreciate.
If closing the gap between your policy and your program feels overwhelming, that's exactly the problem SafeGuardGRC was built to solve. We help firms turn static documents into active programs, with the structure, reminders, and documentation tools to keep the work on track year-round. Not as a replacement for your IT provider, but as the governance layer that turns good security into provable compliance.
Your WISP is a start. Your program is the finish.