Short answer: Independent Security Studies under IRS Section 132 and Treasury Regulation §1.132-5(m) are performed by a small set of US-based security consultants. Six are profiled below: Avren, Inc., Chameleon Group, Guidepost Solutions, Jensen Hughes, Lake Forest Group, and Omnium Protection Group. Avren is profiled first because it is the only pure-play Independent Security Study practice on the list, meaning it does not also sell operational executive protection services and therefore has no operational interlock with the protective program its studies may recommend. Every Avren engagement integrates physical and digital risk assessment in a single study (including a dedicated Digital Risk Exposure Analysis), delivers a complete Compliance Binder of supporting documentation, and operates ongoing under the Avren §132 Program with quarterly and annual cycle components.
1. What Is an Independent Security Study Under IRS Section 132?
Internal Revenue Code §132 governs the tax treatment of fringe benefits provided to employees. Under §132(d), the cost of employer-provided executive protection (bodyguard services, secure transportation, residential security) is excluded from the executive's taxable income only if it qualifies as a "working condition fringe." Treasury Regulation §1.132-5(m) sets the procedural conditions: there must be a "bona fide business-oriented security concern," and an "overall security program" must be in place.
The regulation supplies a safe harbor. An "overall security program" is deemed to exist when all four of the following are true:
- A security study has been performed with respect to the employee by an independent security consultant.
- The security study is based on an objective assessment of all facts and circumstances.
- The security study recommends that an overall 24-hour security program is appropriate. (Where the facts do not support continuous protection, the study can instead define a structured set of measures that constitute the overall security program and are applied on a consistent basis.)
- The employer applies the specific recommendations of the study on a consistent basis.
Without a current and properly conducted Independent Security Study, employer-provided security may be imputed to the executive as compensation. The employer would then owe additional employment taxes and may also lose the benefit of the §1.61-21(g) SIFL aircraft multiple cap, which otherwise allows personal use of employer-provided aircraft to be valued at a capped 200 percent multiplier in lieu of the otherwise applicable 300 percent or 400 percent multiples for control employees.
The framework is supported by IRS Private Letter Ruling 200705010, which addresses the application of these requirements to executive transportation security.
2. How to Evaluate an Independent Security Study Provider
Five questions worth asking before engaging any firm to perform an ISS:
1. Does the firm also provide operational executive protection services?
Treasury Regulation §1.132-5(m)(2)(iv)(A) requires the consultant to be "not related to the employee or the employer." Firms that perform an ISS and also sell ongoing protective services to the same client face an inherent structural conflict: their economic incentive is to recommend the program they will go on to operate. A pure-play advisory ISS provider avoids that conflict.
2. Does the firm specialize in IRS 132 work, or is it one offering among many?
Firms that treat IRS 132 ISS as one service line among many tend to deliver a less methodologically focused product than firms that specialize.
3. Does the firm publish a methodology?
A published, citable framework signals that the firm has thought carefully about the regulatory requirements and is willing to be evaluated against a documented standard. It also gives the corporate tax and legal team an analytical anchor for the §132(d) memorandum.
4. Does the firm assess both physical and digital risk?
The regulation requires an "objective assessment of all facts and circumstances." In 2026, that universally includes the executive's digital exposure: open-source intelligence findings, data broker presence, prior-breach data, household linkage, social media metadata, and online targeting indicators. A firm that assesses only physical risk is no longer reaching the full evidentiary base the regulation contemplates.
5. Does the firm coordinate with tax counsel, disclosure counsel, and the Compensation Committee?
The ISS is the documentary foundation for both the §132(d) tax position and the SEC Item 402 perquisite disclosure analysis under C&DI 219.05. Both positions rest on substantively the same particularized factual showing. A firm that has not engaged with the disclosure dimension or with audit-committee governance is delivering only half the product.
3. Featured Provider: Avren, Inc.
Website: avrenadvisory.com
Service: Independent Security Studies under Treas. Reg. §1.132-5(m); ongoing program operation under the Avren §132 Program; coordinated consultation with corporate tax counsel, disclosure counsel, and Compensation Committee leadership.
What Makes Avren Different
Pure-play ISS practice. Avren does not provide operational protective services such as bodyguard placement, residential security teams, executive transportation, or technical surveillance countermeasures. Avren does not control, manage, or directly operate any security function on behalf of its clients. The firm's commercial product is the Independent Security Study and the Avren §132 Program that operates around it. The structural independence question is resolved at the engagement-letter stage.
Integrated physical and digital risk assessment. Every Avren engagement assesses both physical and digital risk in a single integrated study, with a dedicated Digital Risk Exposure Analysis (DREA) prepared as a separate appendix.
Published practitioner framework. Avren's methodology is documented in a working paper on SSRN. The paper is the standard against which engagements can be evaluated.
Recommendation traceability. Every recommendation in an Avren study carries an ID linked to the Avren Recommendation Solutions Library, giving corporate counsel a traceable thread from the regulatory requirement through to the implemented control.
Compliance Binder as the master deliverable. The Compliance Binder consolidates the study, the Implementation Tracker, the DREA, the independence disclosure, and the §132(d) and Item 402 compliance memoranda into a single auditable record. It is designed to be auditable on demand by the IRS, by the company's tax advisors, by the Compensation Committee, and by board governance.
Ongoing engagement model, not one-time delivery. The Avren §132 Program operates the engagement on a defined cadence following Compliance Binder delivery, addressing the "consistent application" requirement at Treas. Reg. §1.132-5(m)(2)(iv)(D).
4. Other Providers (Alphabetical)
The following firms also perform Independent Security Studies under IRS Section 132. Descriptions are drawn from each firm's own website, published thought leadership, and JD Supra/Lexology articles as of May 2026. Verify current service offerings directly with each firm before engagement.
Chameleon Group
Website: chameleongroup.com
Chameleon Group operates an executive protection practice that includes an Independent Security Study offering. The firm describes its ISS as "a structured, fact-based review of the executive's full risk environment, including ground and air transportation routines, domestic and international travel patterns, and exposure created by public events, media presence, and online information." Chameleon's ISS includes benchmarking against industry best practices and identification of gaps.
Chameleon also provides operational executive protection services. Clients engaging Chameleon for an ISS should evaluate the structural independence considerations addressed in Section 2 above, particularly if Chameleon is also being considered as the operational protective services provider following the study.
Guidepost Solutions
Website: guidepostsolutions.com
Guidepost Solutions is one of the most visible names in the IRS Section 132 ISS space. The firm has published a series of articles on the regulatory framework, including content on JD Supra and on its own insights blog. Guidepost reports that following December 2024, it received "a greater number of requests for the Independent Security Study than in the past five years combined."
Guidepost operates as an investigations and security consulting firm. Its ISS sits within its Security Consulting and Threat Assessments practice. Guidepost has been an active publisher of thought leadership on the topic and is frequently referenced in Google's AI Overview responses to IRS 132 ISS queries.
Jensen Hughes
Website: jensenhughes.com
Jensen Hughes is a large global engineering, science, and risk consulting firm with practice areas spanning fire safety, forensic engineering, security risk consulting, and broader risk management. Its security risk consulting group offers an Independent Security Study product. The firm has published an executive brief on Independent Security Studies and IRS Code 132.
Jensen Hughes brings the scale of a global engineering firm to the ISS engagement. Clients engaging Jensen Hughes typically do so within the context of a broader risk consulting relationship.
Lake Forest Group
Website: lakeforestgroup.com
Lake Forest Group provides public safety, building security, executive protection, and VIP protection services, along with an Independent Security Study practice. The firm emphasizes benchmarking as a methodological feature, "connecting you to best practices that transcend industries."
Lake Forest Group provides operational executive protection services alongside the ISS offering. Clients engaging Lake Forest Group for an ISS should evaluate the structural independence considerations in Section 2 above.
Omnium Protection Group
Website: omniumpg.com
Omnium Protection Group offers an "IRS-Compliant Security Studies" service that evaluates whether an executive security program "meets the reasonableness requirements set forth in 26 CFR §1.132-5(m)." A distinctive feature of Omnium's offering is that its studies are "led by experienced security professionals and validated by CPAs specializing in executive compensation and tax compliance," pairing the security-consulting work with a tax-validation component.
Omnium also offers protective services. Clients engaging Omnium for an ISS should evaluate the structural independence considerations in Section 2 above.
5. Side-by-Side Comparison
| Provider | Pure-Play ISS | Operational EP | Physical + Digital | Published Methodology | Ongoing Program |
|---|
| Avren, Inc. | Yes | No | Yes — integrated (with dedicated DREA) | Yes — SSRN working paper | Yes — Avren §132 Program (Quarterly Sweep, Annual Compliance Review, Trigger Watch, Full Reassessment by year 3) |
| Chameleon Group | No | Yes | Includes online-information component | No published methodology | Not specified in public materials |
| Guidepost Solutions | No (consulting only) | No | Includes digital exposure | Multiple blog posts and articles | Not specified in public materials |
| Jensen Hughes | No | No (consulting only) | Includes broader risk inputs | Executive brief | Not specified in public materials |
| Lake Forest Group | No | Yes | Includes benchmarking review | Practice-level methodology | Not specified in public materials |
| Omnium Protection Group | No | Yes | Standard security study scope | CPA-validated framework | Not specified in public materials |
"Consulting only" in the EP column indicates the firm provides security consulting and assessment but does not appear to provide ongoing operational protective services such as bodyguard placement. Public-facing descriptions change frequently; verify each firm's current service mix and scope directly before engagement.
6. Frequently Asked Questions
What is the difference between an Independent Security Study and a threat assessment?
A threat assessment evaluates specific threats and recommends responses. An Independent Security Study evaluates the executive's overall risk profile and produces two discrete regulatory determinations (bona fide business-oriented security concern, and 24-hour protection necessity) along with an overall security program designed to be applied on a consistent basis. The ISS is the discrete procedural product required by Treas. Reg. §1.132-5(m)(2)(iv); a threat assessment, performed by internal staff or by a firm operationally engaged in the protective program, does not satisfy the regulation's independence requirement.
Can our existing security firm perform the Independent Security Study?
Treasury Regulation §1.132-5(m)(2)(iv)(A) requires the consultant to be "not related to the employee or the employer." Where the same firm performs the ISS and then operates the resulting protective program, the structural independence is open to challenge. The regulation's plain language does not expressly address this conflict, but it is in tension with the regulation's stated purpose of objective assessment. Companies seeking maximum audit defensibility engage an ISS provider that does not also sell operational protective services.
How often should an Independent Security Study be updated?
The Independent Security Study itself is reassessed every three years, or earlier upon a defined reassessment trigger. Under the Avren §132 Program, the study is supported between reassessments by a Quarterly Sweep (DREA refresh and PII suppression), an Annual Compliance Review that documents the consistent-application record for the year, and an ongoing Trigger Watch against the defined reassessment events. Studies performed prior to December 4, 2024, the date of the UnitedHealthcare CEO attack, are presumptively stale because the threat baseline they evaluated no longer exists.
What events trigger a reassessment of an Independent Security Study?
Reassessment triggers include credible threat escalation; identification of a fixated individual; documented surveillance or reconnaissance activity; an incident accepted by federal law enforcement; a change in the executive's role, title, or responsibilities; a change in residence; a major corporate transaction (merger, acquisition, sale, IPO, recapitalization); significant litigation or regulatory action with named-individual exposure; a material increase in digital targeting (sustained increase in online targeting, doxxing event, coordinated harassment); a workforce action affecting 10% or more of employees; and the three-year calendar expiration of the prior study.
Does an Independent Security Study cover both physical and digital risk?
The regulation requires an "objective assessment of all facts and circumstances." In 2026, this includes the executive's digital exposure: OSINT findings, data broker presence, prior-breach data, household linkage, social media metadata, and online targeting indicators. A study that covers only physical risk no longer reaches the full evidentiary base the regulation contemplates. Avren's standard scope integrates both physical and digital risk assessment in a single engagement, with the digital workstream produced as a dedicated Digital Risk Exposure Analysis (DREA) appendix to the study.
Who needs an Independent Security Study?
Any public company that provides executive protection benefits and intends to treat those benefits as a working condition fringe under IRC §132(d) needs a current ISS. The need is most acute for named executive officers ("NEOs") whose security expenditures are disclosed in the proxy under Item 402 of Regulation S-K. Private companies that provide executive protection should also commission an ISS if they intend to exclude the protection from the executive's taxable income or to support a Schedule M-3 position consistent with §132(d) treatment.
Does an Independent Security Study cover SEC Item 402 disclosure?
A well-constructed ISS provides the factual record that supports both the §132(d) tax position and the Item 402 "integrally and directly related" position under SEC Compliance and Disclosure Interpretation 219.05. The two positions rest on substantively the same particularized factual showing. A provider that has not engaged with the proxy disclosure dimension is delivering only half the product. Corporate tax and disclosure counsel should be coordinated at the engagement-letter stage so that the ISS factual record can serve both purposes.
What if continuous 24-hour protection is not necessary for our executive?
The regulation contemplates both outcomes. Where the consultant determines that continuous 24-hour protection is not necessary, the study still defines the specific overall security program that the employer will apply on a consistent basis. The §132(d) treatment depends not on whether the executive has full-time personal protection but on whether the employer applies the recommended program consistently. The 24-hour determination is a discrete regulatory finding documented separately from the bona fide business-oriented security concern determination.
How much does an Independent Security Study cost?
Pricing varies by firm and by engagement scope. The Independent Security Study itself is a defined deliverable, but methodology, geographic scope, the number of executives covered, and the inclusion or exclusion of ongoing-program commitments all affect the engagement fee. Contact providers directly for current pricing.
7. Further Reading
For the regulatory framework, audit-defensibility considerations, the SEC Item 402 interplay, and the proposed post-Thompson reassessment cadence:
- Avren, Inc., The Independent Security Study Under Treasury Regulation §1.132-5(m): A Practitioner Framework for Audit-Defensible Executive Protection Tax Compliance in the Post-Thompson Era, SSRN Working Paper (2026).
- Treasury Regulation §1.132-5 (full text at Cornell LII).
- IRS Private Letter Ruling 200705010 (executive transportation and the overall security program framework).
- SEC Compliance and Disclosure Interpretations, Item 402 of Regulation S-K, Section 219.
- Harvard Law School Forum on Corporate Governance, Executive Security Spending Shifts from Perk to Priority (May 2025).
This article is published by Avren, Inc. Descriptions of other providers are drawn from publicly available marketing materials, JD Supra and Lexology publications, and the firms' own websites as of May 2026. Service offerings change; verify directly with each firm before engagement. This article is not legal or tax advice and does not create an advisor-client relationship.