When a company decides it needs to provide formal security for a senior executive, the first question usually isn't about tax treatment. It's a practical one: what does this person actually need?
That's the right question to start with. The tax answer follows from the security answer, and understanding how they connect changes how companies set up these programs.
The way the regulation thinks about it
Treasury Regulation §1.132-5(m) is built around a specific model of what comprehensive executive security looks like. The regulation calls it an "overall security program," and its definition is precise: 24-hour protection covering the residence, the commute, the workplace, and all travel, both business and personal.
The full package includes a bodyguard/chauffeur trained in evasive driving techniques, a specially equipped vehicle, access controls at both the residence and the workplace, and where appropriate employer aircraft for personal travel. This is the Fortune 50 standard. Deployed correctly, it takes the guesswork out of the tax analysis. If the program qualifies as an overall security program, the security costs are excludable as working condition fringe benefits.
The problem isn't conceptual. It's practical. A 24-hour program for a single executive routinely costs $1 million or more per year. Most executives don't need that level of coverage given their specific threat environment. Most boards aren't going to approve it. And requiring it as the price of favorable tax treatment would effectively make the exclusion inaccessible for the vast majority of companies that genuinely need it.
What the regulation does instead
It provides an alternative pathway.
If a qualified outside firm performs an Independent Security Study and the study concludes that 24-hour protection is not necessary, and if the company consistently implements the specific measures the study recommends, the narrower program is treated as an overall security program for purposes of the working condition fringe exclusion.
The company doesn't have to provide 24-hour protection. It has to provide what a qualified, independent assessment says is actually needed given this executive's specific situation. If that's a trained driver, workplace access controls, a residential alarm, and digital exposure management, those measures qualify. The executive pays no income tax on them. The company deducts them.
This is the regulatory fiction the ISS creates: the narrower program "is deemed to be" an overall security program. The price of that fiction is a rigorous, independent process for determining what the right program actually is.
The decision companies actually face
For most executives at mid-to-large companies, the practical question comes down to this: does this person's specific situation warrant the expense and intrusiveness of 24-hour coverage, or does the risk profile call for a more targeted set of measures?
Consider a CEO of a consumer-facing company. Her products are in millions of households. She's on television regularly. The company has been through two contentious labor actions in the past three years. Her home address appeared in activist forums six months ago. She's received a handful of menacing social media messages, nothing credible but not nothing.
That's a real threat environment. Round-the-clock personal protection is probably more than the facts call for, and at her insistence, the board isn't going to impose it anyway. But a trained driver, a residential security assessment with specific hardening recommendations, monitored alarm coverage, digital risk management, and a documented program for reviewing the threat picture periodically? That matches the facts. An ISS can recommend exactly that, and the tax treatment follows.
Now consider a CFO at the same company. Senior role, strong compensation, but low public profile. He doesn't do earnings calls. His name appears in public filings but not in news coverage. No documented threats, no unusual digital exposure.
That CFO might receive the same security measures the CEO does, because the company wants consistency or because the board prefers it. But the tax analysis is different. The regulation requires a specific, documented basis for concern. "He's important to us" isn't enough. If an honest study can't document a bona fide concern, the security is compensation. It goes on the W-2. A good ISS firm will tell the company that before taking the engagement.
Where 24-hour protection actually makes sense
It would be misleading to treat the ISS as if 24-hour protection is never the right answer. Sometimes it is.
Executives under active, credible, and specific threat face a different situation than those in a preventive security posture. A CEO who has received a credible kidnapping threat, who operates in regions with documented violent targeting of executives in their industry, or who is a central figure in contentious litigation with a history of associated violence may genuinely need comprehensive protection.
In those cases, a well-conducted ISS might conclude that the full overall security program is warranted. The study still has value: it documents the threat basis, justifies the program to the board and to auditors, and provides the factual record for proxy disclosure. But the output is different. This person needs full coverage.
The regulation handles both outcomes. What it doesn't tolerate is treating the ISS as a rubber stamp for whatever program a company wants to run, or treating 24-hour protection as a lifestyle benefit for executives whose threat profiles don't support it.
How the two pathways differ operationally
From a tax compliance standpoint, the two pathways have different requirements.
A full overall security program requires consistent application of the defined program elements. Document the training credentials of the bodyguard/chauffeur. Track aircraft use and apply the safe harbor airfare calculation to personal flights. Maintain access controls and document their consistent operation. Audit the program periodically to confirm it still qualifies.
An ISS-based program requires all of that plus one thing more: consistent application of the study's specific recommendations. Every measure the study recommends has to be in place. If the security team scales back a measure the study identified as part of the program, the tax position weakens. Either the study gets updated to reflect the current program, or the measures get restored.
That consistency requirement is where ISS-supported programs most often run into trouble. Security teams adjust programs over time as circumstances change. The tax consequences of those adjustments don't always get the attention they deserve.
Companies that run these programs well treat the ISS as a living document tied to tax compliance, not a one-time deliverable filed in a drawer. They review the program against the study's recommendations regularly. They update the study when the threat environment or the security measures change materially.
The question worth starting with
Before any company decides between these pathways, the question worth answering honestly is whether a bona fide business-oriented security concern exists for the executive in question. If it does, both pathways are available. If it doesn't, neither one works. The security can still be provided, but it's compensation and it goes on the W-2.
If you're trying to figure out which side of that line your executives fall on, that's exactly what a scoping call is for. We'll tell you what we think based on what you describe, with no engagement required.
This post is for informational purposes and does not constitute tax or legal advice.