The phrase "24-hour protection" appears in Treasury Reg. §1.132-5(m) as the threshold definition of an "overall security program." If you provide 24-hour protection, the working condition fringe exclusion is available for your executive's personal security costs. If you do not, you need an Independent Security Study concluding that 24-hour protection is not necessary.
That framing makes 24-hour protection sound like the easier of the two paths. It is not. The regulation's definition is precise, conjunctive, and demanding. Understanding exactly what it requires, and what it does not, is essential both for companies operating under a full protection program and for companies relying on an ISS to stand in for one.
What the regulation requires, precisely
Section 1.132-5(m)(2)(iii) defines an overall security program in the following terms:
"An overall security program is one in which security is provided to protect the employee on a 24-hour basis. The employee must be protected while at the employee's residence, while commuting to and from the employee's workplace, and while at the employee's workplace. In addition, the employee must be protected while traveling both at home and away from home, whether for business or personal purposes."
The regulation then specifies what the program must include:
"An overall security program must include the provision of a bodyguard/chauffeur who is trained in evasive driving techniques; an automobile specially equipped for security; guards, metal detectors, alarms, or similar methods of controlling access to the employee's workplace and residence; and, in appropriate cases, flights on the employer's aircraft for business and personal reasons."
Four locations. Four required components. These elements are connected by the word "must." The regulation does not present them as a menu.
The last phrase of the location requirement, "whether for business or personal purposes," carries significant weight. The regulation does not distinguish between business travel and personal travel. The program must cover both. A program that provides security when the executive is traveling for company purposes but not when she is taking a family vacation does not meet the standard.
What explicitly does not qualify
The regulation is equally specific about what does not constitute an overall security program. Section 1.132-5(m)(2)(iii)(B) provides:
"There is no overall security program when, for example, security is provided at the employee's workplace but not at the employee's residence. In addition, the fact that an employer requires an employee to travel on the employer's aircraft, or in an employer-provided vehicle that contains special security features, does not alone constitute an overall security program. The preceding sentence applies regardless of the existence of a corporate or other resolution requiring the employee to travel in the employer's aircraft or vehicle for personal as well as business reasons."
This eliminates two arrangements that companies frequently treat as the foundation of a qualifying program.
A program with sophisticated workplace access controls, security personnel, and visitor management protocols but no residential component does not qualify, regardless of how robust the workplace component is. Half the perimeter is not the perimeter.
A board resolution requiring the CEO to fly private for security reasons is frequently treated as the core of a security program. Under the regulation, it is not even the beginning of one. Without the residence, commute, and workplace components, the aircraft requirement does not create an overall security program.
The chauffeur requirement has its own definition
The bodyguard/chauffeur component has a specific technical requirement that is easy to overlook. Section 1.132-5(m)(5) states:
"For purposes of this section, a bodyguard/chauffeur must be trained in evasive driving techniques. An individual who performs services as a driver for an employee is not a bodyguard/chauffeur if the individual is not trained in evasive driving techniques. Thus, no part of the value of the services of such an individual is excludable from gross income under this paragraph (m)(5)."
A car service, a company-employed driver, or a security guard who drives but has not completed formal evasive driving training does not satisfy this requirement. The distinction is not administrative. It is the difference between an excludable fringe benefit and taxable compensation.
The bona fide security concern threshold comes first
Before the 24-hour question even arises, the regulation requires a documented, specific basis for concern. Section 1.132-5(m)(2)(i) sets that threshold:
"A bona fide business-oriented security concern exists only if the facts and circumstances establish a specific basis for concern regarding the safety of the employee. A generalized concern for an employee's safety is not a bona fide business-oriented security concern."
The regulation provides two examples of what qualifies: a threat of death, kidnapping, or serious bodily harm to the employee or a similarly situated employee because of their status as an employee of the employer; or a recent history of violent terrorist activity in the geographic area in which transportation is provided. The regulation is also explicit that once a concern is established, the employer must periodically re-evaluate whether it still exists.
A company cannot invoke the working condition fringe exclusion, whether under the 24-hour path or the ISS path, without first documenting a specific factual basis for concern. "She's a high-profile executive" is not enough. "She received a credible threat in connection with her role as CEO of this company" is.
What happens when the program is incomplete: Example 4 and Example 5
The regulation's own examples illustrate the consequences of a partial program with unusual clarity.
Example 4 from §1.132-5(m)(8) involves a company that retains an independent security consultant whose study concludes that 24-hour protection is not necessary but recommends security at the workplace and for ground transportation, though not for air transportation. The regulation's conclusion:
"If company Z follows the recommendations on a consistent basis, an overall security program will be deemed to exist with respect to the workplace and ground transportation security only."
The exclusion applies to those measures. It does not extend to air transportation, because the study did not recommend it.
Example 5 uses the same facts, but the company provides security only while the executive is commuting, not for other ground transportation. The regulation:
"Because the recommendations of the independent security study are not applied on a consistent basis, an overall security program will not be deemed to exist. Thus, the value of commuting to and from work is not excludable from income."
The exclusion is entirely lost, not reduced, because the implementation departed from the study's recommendations. Together, these examples draw a sharp line: the exclusion tracks the program the study actually recommends, nothing more and nothing less, and only when the company implements it consistently.
A real-world illustration: what happens without documentation
The risks of operating without proper documentation are not theoretical. When Scott Pruitt served as EPA Administrator, his security detail spent approximately $4 million over a two-year period. The detail accompanied him and his family to personal events including Disneyland and the Rose Bowl. Reporting at the time confirmed that no formal threat assessment had been conducted prior to establishing the detail, and no independent study had been obtained.
Legal commentators, including analysis published in the Yale Journal on Regulation by University of Chicago Law professor Daniel Hemel, raised the question directly: absent a qualifying independent security study and a documented basis for a bona fide business-oriented security concern, the value of that security protection would appear to constitute taxable income to the recipient. The Washington Post reached the same conclusion in contemporaneous reporting.
The situation did not result in a published IRS enforcement action, and the circumstances of government employment differ from private-sector arrangements. But the analytical point is not limited to government officials. Without the documented foundation the regulation requires, the working condition fringe exclusion is not available, and the security costs go on the W-2.
The valuation consequences when the aircraft component is at stake
For companies providing corporate aircraft access to executives, whether the overall security program qualifies has a direct dollar consequence.
Section 1.132-5(m)(4) permits an employer to value personal flights on company aircraft at 200 percent of the SIFL rates rather than the 400 percent rate that ordinarily applies to control employees on corporate jets. The regulation:
"The value of the safe harbor airfare is determined under the non-commercial flight valuation rule of §1.61-21(g) by multiplying an aircraft multiple of 200-percent by the applicable cents-per-mile rates and the number of miles in the flight and then adding the applicable terminal charge."
For a large corporate jet with maximum certified takeoff weight over 25,000 pounds, the ordinary valuation multiple is 400 percent. The security safe harbor cuts that to 200 percent. On meaningful personal flight usage, that difference runs into tens of thousands of dollars per executive in employment tax and income tax savings annually.
That safe harbor is only available when the underlying security program qualifies. If the 24-hour protection standard is not met and no qualifying ISS is in place, the lower valuation rate is not available. Personal flights revert to fair market value, which means charter-equivalent pricing.
A 1997 Technical Advice Memorandum (TAM 9801002) and the subsequent district court decision in BMW of North America v. United States, 39 F. Supp.2d 445 (D.N.J. 1998) both addressed situations where employers used special valuation rules incorrectly for fringe benefits. In both cases, the consequence was valuation at fair market value rather than under the special rule. S. Michael Chittenden of Covington & Burling, writing in Tax Executive (August 2025), notes that the same logic applies to the security safe harbor: incorrect use puts the fair market value of the flights, not merely the difference between the 200 percent and 400 percent SIFL calculations, at issue.
Why 24-hour protection is rarely the operative path
Chittenden's Tax Executive article, among the most thorough recent treatments of this regulation, makes an observation worth quoting directly:
"Perhaps no other provision within the fringe benefits regulations is so outdated in its attempt to describe the realities of the modern world."
The regulation was drafted in 1985, before the internet, before social media, and before the digital information environment that now makes an executive's home address, family members, and daily routines accessible with minimal effort. The threat environment facing executives in 2025 is materially different from the one the drafters contemplated, and the regulation's 24-hour definition reflects assumptions that no longer hold for the most common security scenarios.
That observation matters for a practical reason. The full 24-hour program as defined (comprehensive coverage at the residence, during commuting, at the workplace, and during all travel including personal, with trained drivers, specially equipped vehicles, and corporate aircraft for personal as well as business use) costs well over $1 million per executive per year when properly implemented. Most executives do not want that level of coverage. Most boards will not approve it. And most threat environments, even real and well-documented ones, do not require it.
The ISS pathway exists because the regulation's drafters recognized this. A qualified, independent assessment that concludes 24-hour protection is not necessary and recommends a proportionate, threat-specific program is treated as satisfying the overall security program requirement. The company provides what the facts support. The executive pays no income tax on it. The company deducts it.
For the vast majority of companies with genuine security concerns and appropriate programs, the ISS is not the second-best option. It is the correct one.
The question the 24-hour definition is actually asking
Understanding the precise definition of 24-hour protection clarifies what the ISS is designed to replace: a comprehensive, around-the-clock protective detail with trained personnel, hardened vehicles, controlled access at every location, and corporate aviation for personal as well as business travel. That is a specific and demanding standard. When an ISS concludes that standard is not necessary, it is making a documented professional judgment that the executive's specific threat environment can be adequately addressed by a narrower set of measures.
That judgment has to be defensible. The regulation requires an objective assessment of all facts and circumstances, a reasonable recommendation, and consistent implementation. All three conditions have to be met for the deemed overall security program to exist and the exclusion to apply.
Companies that treat the ISS as a formality or a box-checking exercise are not creating the tax position they think they are. Companies that engage a genuinely independent consultant, produce a study grounded in documented facts, and then track their implementation against it are. The regulation rewards the second approach. It has no mechanism for the first.
This post is for informational purposes and does not constitute tax or legal advice. For application to a specific situation, consult qualified tax counsel.
Sources
- 26 CFR §1.132-5, Working Condition Fringes (2024 edition). https://www.law.cornell.edu/cfr/text/26/1.132-5
- IRS Private Letter Ruling 200705010 (February 2, 2007). https://www.irs.gov/pub/irs-wd/0705010.pdf
- S. Michael Chittenden, "The Fringe Benefit Rules Applicable to Protecting Executives," Tax Executive (August 30, 2025). https://www.taxexecutive.org/the-fringe-benefit-rules-applicable-to-protecting-executives/
- Ligeia Donis and Anne Batter, "C-Suite Safety and Employer-Provided Security," The Compensation Connection, Baker McKenzie (December 6, 2024). https://www.thecompensationconnection.com/2024/12/06/c-suite-safety-and-employer-provided-security-is-your-companys-security-program-designed-with-tax-considerations-in-mind/
- Daniel Hemel, "Scott Pruitt's Security Detail: A Tax Problem?," Yale Journal on Regulation (2018). https://www.yalejreg.com/nc/scott-pruitts-security-detail-a-tax-problem/
- "Scott Pruitt's Travel Could Leave Him With a Big Tax Bill," The Washington Post (April 16, 2018). https://www.washingtonpost.com/news/posteverything/wp/2018/04/16/scott-pruitts-travel-could-leave-him-with-a-big-tax-bill/
- Technical Advice Memorandum 9801002 (September 3, 1997).
- BMW of North America, Inc. v. United States, 39 F. Supp.2d 445 (D.N.J. 1998).