The State Street Global Security Team quickly implemented protocols to ensure the security of all staff and maintain continuity of operations, including establishing travel protocols, exclusion protocols and visitor protocols, implementing temperature check stations, deploying credentials, and monitoring of government orders and restrictions.

Maintaining Critical Functions and Minimizing Risk at State Street Corporation

Stephen D. Baker, CPP, Senior Vice President and Chief Security Officer for State Street Corporation (State Street), envisioned security’s role as a business partner that proactively works with divisions across the company to help solve problems far beyond normal security operations. His leadership approach has created a unique “business” security culture throughout the global organization.

Headquartered at One Lincoln Street in Boston with operations worldwide, State Street is one of the world’s leading providers of financial services to institutional investors, including investment servicing, investment management and investment research and trading. With $40.3 trillion in assets under custody and/or administration and $3.6 trillion in assets under management as of March 31, 2021, State Street operates globally in more than 100 geographic markets and employs approximately 39,000 people worldwide. State Street is also designated as a Systematically Important Financial Institution (SIFI) in the U.S. and globally; therefore, the company’s business resiliency is critical to financial markets around the world.

Fifteen years before COVID-19 emerged, Baker realized the potential disruption that could be caused by a major infectious disease event. At that time, he took actions that would position the Global Security organization to lead company response in mitigating infectious disease risk without realizing that a decade and a half later, the outbreak of COVID-19 would severely impact communities, businesses and organizations globally, inadvertently affecting financial markets and the global economy.

"None of the things we accomplished could have been done without the support of executive management at the highest level of the company, the partners within each function and business, and the security, facilities, human resources and Information Technology staff who provided continuous services throughout the event," Baker says.

Built from the ground up, Baker was part of the team that created the company’s Infectious Disease Program after the September 11 and Anthrax attacks – a guide for planning for, responding to, and recovering from an infectious disease that may impact State Street’s business continuity and community. The program identified potential occupational exposure to the infectious disease; ways to mitigate employees’ risk of contracting the infection(s); and methods to respond in an appropriate and timely manner if exposure incidents occur.

In addition to establishing guidance documents associated with track-and-trace procedures, company communication and reporting protocols, Baker engaged infectious disease subject matter experts (SMEs) and instituted basic preventative measures with human resources and realty services. “As infectious diseases occurred, such as SARS, MERS, Avian Flu and Swine Flu, we increased the focus on health and safety procedures to enhance emergency preparedness,” Baker explains. “For example, we installed hand sanitizers in conference rooms, lobbies, cafeterias and common areas, and placed hand washing signs in restrooms, to make prevention part of everyday life at the company, not just to prevent mass infectious diseases, but the common flu as well.”

Over the years, while addressing infectious disease risks to the enterprise, Baker continued to learn as much as he could about preparing and planning for infectious diseases and is now considered a company-based SME. To this day, Baker maintains relationships with leading medical experts to gather the latest knowledge and guidance related to infectious disease outbreaks. Because of this early, out-of-the-box view, State Street Global Security team was able to take a leadership role within the company’s response to the pandemic and use the existing Infectious Disease Program to operate effectively and ensure all essential services were delivered as planned, while maintaining the health and safety of the company’s workforce.

During the COVID-19 pandemic, Baker has taken on the role of Global Infectious Disease Response Officer, as well maintaining his CSO role with direct responsibility over the company’s physical security, safety workplace program, incident management and incident response, safe travel programs, personal protection and event security, and investigation programs, among other areas.

The Global Security Management team – comprised of Andre Rheault, Americas Regional Security Director; Tony Marcangelo, EMEA Regional Security Director; Danny Ho, Asia Pacific Regional Security Director; and Mukesh Parkash, India Country Security Manager took on roles as Infectious Diseases Response Officers for their regions. Ron Holm, Director of Security Systems and Technology, led the development of COVID-related SharePoints, workflows and reporting; and Greg Gebler, Global Director of Investigations, focused on COVID-related financial fraud schemes. They all quickly implemented protocols to ensure the security of all staff and maintain continuity of operations, including establishing travel protocols, exclusion protocols and visitor protocols, implementing temperature check stations, deploying credentials, and monitoring of government orders and restrictions.

A list of the security team’s leadership during the company’s global pandemic response effort is far-reaching and includes: ongoing risk intelligence, identification, analysis and advisement; intelligence reporting; screening and testing protocols; research and strategy for guidance on government restrictions, such as criteria for limits and benchmarks for site occupation; daily global communications, such as employee and staff meetings, messaging and question responses; reporting to regulators; site population reporting for management; provision of case management and contact tracing guidance to site leads; establishment of site security resource playbooks; proactive adjustments for access control; creation, ordering, receiving and distribution of COVID-specific badges/lanyards globally; provision of controls center and local security resources to assist in supporting staff’s work-from-home arrangements with PC resets, property retrieval; implementation of enhanced and virtual security (systems) patrols at offices with few staff occupying the office to ensure site security and staff safety; and travel restrictions monitoring, assessment and approval of necessary travel.

The biggest challenge, Baker says, was to address the speed at which the company had to implement the work-from-home initiative. “Though we had well-established resiliency programs for every business, it did not necessarily address the scope and breadth of the pandemic,” he says. “The focus was on keeping the business running from a financial perspective, and on most critical people first. For traders, it was important to either keep them in the office, or get them operational.”

In order to return to office, Baker and the Global Security team planned and developed phases and played key roles in case management and reporting at all levels of incidents and cases (confirmed, presumed, and suspected), conducted track-and-trace interviews, and reviewed technology data to determine exclusion requirements and enhanced cleaning deployment.

“We considered internal and external factors that needed to be established, which included posting signage on hand sanitizer and appropriate social distancing measures, and updated and deployed zone credentials ready to be issued to employees, and included all these protocols in a booklet for staff and employees. When they returned to the office, they had this COVID-19 booklet at their desk, with protocols and processes they needed to follow.”

The Global Security team also employed health attestations. Baker adds, “Employees are required to complete their health attestation at the security desks on their way inside the office, by calling the Security Control Center to complete it, or fill out the form on their smartphones, desktops at work, or laptops at home. We monitor the health attestations on a daily basis, and check that their response matches up with available access control data for those in the office.”

The Global Security team oversaw the local security teams’ pandemic response and return-to-the-office as well. “We evaluated their response and readiness in their facilities, and determined a ‘Go’ or ‘No Go’ to return employees back to the office. The return to the office was set under certain standards, always under evaluation due to local and national restrictions,” Baker says. “In Massachusetts, occupancy allowance was 20% for quite a while. Now, we’re only set at 50%, and we’re still maintaining our distancing protocols, which exists in the vast majority of our sites.”

Throughout the COVID-19 pandemic, Baker and his entire security team provided strategy and risk leadership with ongoing risk assessments and mitigating strategies, allowing the company to continue its global operations, placing workers at ease and supporting clients’ needs without disruption — a remarkable achievement.

“It was an all-hands-on-deck approach that contributed to the success of the COVID-19 response for State Street,” Baker says. “I can proudly say that we maintained a full staff of security personnel worldwide, while continuing to deliver all security programs and ensuring proper site security staffing throughout the pandemic. Our pandemic response was also successful because the entire company stepped up. Most notably, the Return to Office team, Global Realty, Information Technology, Human Resources, Internal Communications, Legal, Privacy, Continuity and business unit representatives across the regions who were all part of the team that implemented all of the procedures and processes designed to maintain business continuity and resilience.”