On the morning of December 4, 2024, Brian Thompson, the CEO of UnitedHealthcare, was shot and killed outside a hotel in midtown Manhattan. He had no security detail with him. He was on his way to an investor conference.
The killing was the first high-profile targeted murder of a Fortune 500 CEO in modern memory. Boards that had never thought carefully about executive security started thinking about it within days.
This post is about what changed, what didn't, and what companies should actually be doing in response. It is not a marketing piece. Brian Thompson was someone's son, husband, and father. The first obligation here is to the safety and wellbeing of the people your company is responsible for. The regulatory and tax questions are secondary - real, and worth getting right, but secondary. If a credible threat exists, you address it. You work on the regulatory infrastructure while the person is protected, not instead of protecting them.
What changed immediately
The security industry saw a surge of inquiry unlike anything in recent years. Allied Universal, one of the largest security firms in the United States, reported that requests for executive protection assessments ran ten to fifteen times pre-December 2024 volumes by early 2025.
Some of that surge is panic. Some of it is legitimate. The companies calling in the weeks after the killing weren't all in the same situation - but most of them had the same first question: are we doing enough?
What the Thompson killing also exposed, quietly but clearly, is that a significant number of large companies had no meaningful security function in place at all. Not an understaffed one. Not a program that needed updating. Nothing - no security director, no threat assessment cadence, no executive protection protocol, no one whose job it was to think about these questions. For companies in that position, the issue isn't how to optimize an existing program. It's how to build one.
Public companies also saw their disclosure obligations come into focus in a new way. UnitedHealth Group disclosed $1.7 million in executive security spending in its 2024 proxy statement - the first time it had disclosed security as a perquisite at that scale. The disclosure was a function of the SEC's Item 402 requirements, not a response to the shooting itself, but the visibility it created landed at a moment when every proxy reader was paying attention.
The number of S&P 500 companies disclosing executive security costs in proxy statements had been rising steadily before December 2024. After the Thompson killing, that trend accelerated. Boards began asking questions that had previously been deferred.
What companies without a security function should actually build
For companies starting from zero, the first decision isn't whether to hire a security detail. It's whether to establish a security function at all - and the answer for any organization with public-facing leadership, significant market presence, or executive visibility is yes.
What that looks like depends on the organization. A company with 5,000 employees and a recognizable CEO does not need the same infrastructure as a Fortune 100 firm. But the foundational elements are consistent regardless of size: someone responsible for security, a process for threat awareness and assessment, and a documented protocol for escalation when something changes.
That typically means a security director or equivalent - a person whose job includes monitoring the threat environment for the company and its leadership, coordinating with law enforcement and outside resources when appropriate, and maintaining the institutional knowledge that a coherent security program requires. Whether that person sits in-house or is provided through a retained outside firm is a cost and structure question. That the role exists is not.
The executive protection question - whether a named executive needs a personal security detail, a trained driver, residential hardening, or some combination - is a separate and more fact-specific question. It requires an honest assessment of that person's actual threat environment: their public profile, any documented threats or incidents, the nature of their industry, their digital exposure, and the pattern of their daily movements. That assessment is what an Independent Security Study is designed to produce. The answer will be different for different people, and a credible assessment will say so.
The point is that the two questions - does the company have a security function, and does this executive need personal protection - are not the same question. Every company of meaningful size should have an answer to the first one. The second depends on facts that vary by person and circumstance.
What questions boards are actually asking
The reactive instinct is to add security. The right instinct is to ask whether the security that already exists is structured correctly - and whether any security exists at all.
The questions that matter aren't primarily about headcount or spend. They're about whether the program is based on a documented assessment of actual risk, whether that assessment was independent, and whether the company's regulatory treatment of the security benefits is in order.
Treasury Regulation §1.132-5(m) governs whether employer-provided executive security benefits are taxable compensation or excludable working condition fringe benefits. The answer has significant financial consequences - for most executive security programs, the difference is six or seven figures annually. And the answer depends heavily on whether the company has done the underlying regulatory work.
What the regulatory framework requires
The working condition fringe exclusion for security doesn't apply automatically. Two things have to be true.
First, there must be a bona fide business-oriented security concern - a specific, documented basis for concern about this executive's safety tied to their role at this company. Generalized concern doesn't qualify. High net worth doesn't qualify. The concern has to be grounded in facts, and those facts have to be documented.
Second, the company must establish an overall security program, or commission an Independent Security Study that defines one. The ISS pathway exists precisely for cases where 24-hour protection isn't warranted or practical, but the facts do support some documented level of security measures. If the study is conducted by a genuinely independent third party and the company consistently implements its recommendations, the program is treated as an overall security program for purposes of the exclusion.
The Brian Thompson case raised the business-oriented security concern question for a lot of companies that hadn't seriously asked it before. For many of them, the answer is yes - the facts do support a documented concern, and they've been providing security without the regulatory infrastructure to support the tax treatment. For some, the honest answer is that the concern isn't there at the level the regulation requires.
What companies should actually do
If a threat exists, the first step is protection. Not documentation, not a study, not a scoping call - protection. Get the person covered while you build the regulatory record that makes the program defensible over time.
The worst long-term response to the Thompson killing is the opposite failure mode: a reactive security upgrade with no documented basis, running indefinitely without a plan to get the regulatory structure right. A company that adds a bodyguard, hardens a residence, or starts requiring corporate aircraft for personal travel because the board is nervous - and never commissions the ISS to support the tax treatment - is creating compounding exposure. The security costs are compensation by default. Excluding them from the executive's W-2 without a qualifying ISS or documented overall security program means the company is taking a tax position it can't defend when the IRS examines it. And the gross-up math on taxable executive security is significant - sometimes more than the cost of the study that would have avoided it.
The right structure addresses both the short-term and long-term obligations together:
Protect the person where the facts warrant it. Don't wait for the paperwork.
Engage an independent firm promptly to document the threat basis, define the appropriate program, and create the ISS that puts the regulatory position on solid ground. This is the short-to-medium-term work. It takes weeks to months, not years.
Track implementation from the start. The regulation's consistent application requirement is where most programs fail on audit. The study's recommendations have to be in place, documented, and monitored. When they change, the study needs to be updated.
Plan for re-evaluation. A study done in 2025 should be reviewed in 2028 - sooner if the executive's situation changes materially.
The board's obligation
The Thompson killing surfaced something that good governance required before December 2024: boards are responsible for understanding whether their company has a security function, whether the executives in their care are appropriately protected, and whether the programs in place are structured correctly from a regulatory and compliance standpoint.
None of those questions require a crisis to motivate them. They are governance questions. The events of December 2024 made that visible in a way that is hard to look away from.
The sequence matters: safety first, regulatory structure second, but second doesn't mean optional or delayed indefinitely. Both obligations are real, and a well-run organization addresses them together.
If you're working through whether your company's program is structured appropriately, we're glad to talk through the specifics. No engagement required for the initial conversation.
This post is for informational purposes and does not constitute tax or legal advice. Readers should consult qualified tax and legal counsel regarding the treatment of specific programs.