The conversation between a Chief Security Officer and a Chief Financial Officer about executive protection spending is one of the most consistently mishandled conversations in corporate security. The CSO frames it as a safety imperative. The CFO frames it as a cost. Both are right about their framing, and that is precisely why the conversation tends to go nowhere productive.
There is a better framing. It requires understanding what the CFO actually needs, which is not a safety argument but a financial and legal argument, and what tools exist to make that argument credibly.
What the CFO Is Actually Evaluating
When a CFO reviews an executive protection (EP) program budget, they are asking a set of questions that have nothing to do with the principal's safety. They are asking: Is this expenditure justified? Is it defensible to auditors and shareholders? Is it structured in a way that minimizes tax liability? Does the organization have appropriate documentation if this decision is ever scrutinized?
These are not unreasonable questions. They are the right questions for a CFO to ask. The problem is that most security leaders are not equipped to answer them, so the conversation defaults to a safety argument that the CFO already accepts in principle but cannot act on without financial justification.
The financial justification exists. Most security leaders are simply not using it.
The IRS 132 Framework
IRS Section 132(d) classifies properly structured executive protection programs as working condition fringe benefits, exempt from income tax for the protected individual and fully deductible for the company. For a Fortune 500 CEO receiving a $500,000 EP program, this qualification can represent $200,000 or more in annual tax liability that simply does not exist if the program is properly structured.
That is a financial argument. It is a CFO argument. It is the kind of number that changes the nature of the conversation.
The qualification requires two things: a bona fide business-oriented security concern, meaning the threats arise from the principal's business role rather than personal circumstances, and an Individual Security Study (ISS) conducted by an independent, qualified security professional. Neither of these is difficult to establish for a Fortune 500 CEO operating in today's threat environment. But both must be documented, and the documentation must be prepared correctly.
Most organizations are either not pursuing IRS 132 qualification at all, or they are pursuing it with documentation that would not survive audit scrutiny. The gap between a qualifying program and a non-qualifying program is almost entirely a documentation gap. The underlying security reality is the same. Getting the documentation right requires either qualified internal expertise or external advisory support. The cost of that support is trivially small compared to the tax liability it eliminates.
The Duty of Care Argument
Beyond the tax treatment, there is a legal argument that resonates with both CFOs and general counsel: duty of care.
Organizations have a legal obligation to take reasonable steps to protect employees who face elevated risk as a consequence of their employment. For C-suite executives, whose public profile, decision-making authority, and organizational prominence create genuine security exposure, the failure to provide appropriate protection creates legal liability that can exceed the cost of the protection many times over.
This argument works differently in different organizations. In a post-incident context, it is compelling but too late. In a pre-incident context, it requires connecting abstract legal exposure to concrete organizational risk. The most effective version of this argument is not theoretical. It references specific recent incidents involving executives at comparable organizations, documents the threat environment the principal actually faces, and articulates what the organization's exposure would be if a foreseeable incident occurred without reasonable protective measures in place.
This is, again, a documentation exercise. The same Individual Security Study that supports IRS 132 qualification also supports the duty of care argument. The same threat assessment that justifies the program design also demonstrates that the organization understood the risk and took reasonable steps to address it.
The Productivity Argument
A third argument, less compelling to most CFOs but useful in certain contexts, is the productivity case. Executive protection, properly designed, enables the principal to operate more effectively. Travel that would otherwise require extensive self-managed logistics is handled. Meetings that would generate security concerns without protection are conducted without concern. The principal's attention is on business, not on managing their own security environment.
The IRS actually recognizes this argument explicitly in the Section 132 framework. The "working condition" designation reflects the fact that protection provided in connection with business activities serves a business purpose, not just a personal safety purpose. The security is a business tool, not a personal benefit.
For some CFOs, particularly in organizations where executive time is visibly constrained, this argument lands. For others, it is secondary to the tax and legal arguments. Know your CFO.
Structuring the Conversation
The most effective approach to the CFO conversation is to lead with the financial argument and follow with the legal argument. In that order.
Start with the IRS 132 framework: here is what we are spending, here is what we could be spending on a pre-tax basis if the program is properly structured, here is the documentation required to achieve that treatment, and here is what we currently have or do not have. This immediately reframes the conversation from a cost discussion to a financial optimization discussion.
Follow with the duty of care argument: here is the legal exposure the organization faces if a foreseeable incident occurs without reasonable protective measures, here is what the threat environment actually looks like for our principal, and here is how the program design addresses that exposure in a way that is documentable and defensible.
End with a specific ask: approval of the program budget, authorization to engage an independent assessor to prepare the ISS, and a commitment to an annual review cycle that keeps the documentation current.
This is not a safety argument. It is a financial and legal argument that happens to produce a safety outcome. That distinction matters enormously in the room where the budget is approved.
HCI provides independent EP program audits, ISS documentation, and strategic advisory. Engagements begin with a confidential no-commitment briefing.