NEWS & ANALYSIS FMJ.CO.UK
LEGAL VIEW
6 AUGUST 2021
BESA PUBLISHES IAQ TARGET
GUIDANCE TO SUPPORT THE
HEALTH AND WELLBEING OF
BUILDING OCCUPANTS
The removal of most COVID restrictions in the UK has increased calls for clearer
practical guidance and the setting of specific indoor air quality (IAQ) contaminant
targets to support the health and wellbeing of building occupants.
The Building Engineering Services Association (BESA) has therefore produced a
concise guide to good practice: ‘Indoor Air Quality for Health & Well-Being’, which is
designed to help building owners, managers and engineers interpret IAQ data and
turn it into useful strategies for improving the indoor environment.
The new BESA guidance, which is part of the Association’s wider Buildings
as Safe Havens (BASH) campaign, sets out target limits for a range of airborne
contaminants in a variety of indoor spaces. It explains how air quality data
gathered during specialist surveys or from the wide range of low cost real-time and
continuous IAQ monitoring devices, can be interpreted and acted upon.
The advice it provides is also based on the experience of practitioners in the
field who see what is possible and achievable in the real world. It is designed as a
follow-up to the BESA publication H&W001: A Beginners Guide to Indoor Air Quality
published in March in collaboration with Mitsubishi Electric.
The BESA Guide has also been produced in the wake of a report commissioned
by the Government’s Chief Scientific Adviser Sir Patrick Vallance, which highlighted
the importance of building ventilation in reducing the risk of Covid-19 and other
infections.
The report was published by the National Engineering Policy Centre (NEPC),
which is a group of 43 professional engineering organisations representing 450,000
engineers. It found that ventilation was o˜ en neglected, and that the COVID-19
crisis had revealed flaws in the design, management, and operation of buildings.
It advised Sir Patrick that, unless these flaws were addressed, they could disrupt
the management of this and future pandemics and impose high financial and
health costs on society.
CBRE TO ACQUIRE MAJORITY STAKE IN
TURNER & TOWNSEND
CBRE Group has announced a definitive agreement whereby the company will
acquire a 60 per cent ownership interest in, and enter into a strategic partnership
with Turner & Townsend, a provider of program management, cost consultancy,
project management and advisory consulting services for clients in 46 countries.
CBRE will acquire its stake in the business for approximately £960 million in cash,
with 55 per cent to be paid upon closing.
The transaction preserves Turner & Townsend’s existing leadership team, heritage,
operational independence and partnership structure, which will hold the remaining
40 per cent ownership interest.
The transaction values Turner & Townsend
at approximately £1.6 billion and is expected
to be immediately accretive to CBRE’s
earnings.
Turner & Townsend operates across three
business segments: Real Estate (62 per cent
of net revenue) – serving investors and
occupiers across all property types, including
data centres and life-science properties; Infrastructure (31 per cent of net revenue) –
notably, transportation, environmental and power generation projects, and Natural
Resources (7 per cent of net revenue) – renewable energy, alternative fuels, liquified
natural gas and other projects.
Among the key benefits to Turner & Townsend from the strategic partnership is the
opportunity to materially expand its business in the Americas, where CBRE has deep
occupier and investor relationships and a leading market presence.
The transaction is subject to regulatory approvals and other customary closing
conditions. Closing is expected in the fourth quarter of this year.
CYBER SECURITY
By Ed Cooke, Founder at Conexus Law
There have been a number of high-profi le
ransomware attacks in recent weeks
proving the vulnerability of systems to
cyber-attack. Ed Cooke, answers some
frequently asked questions.
Q: Is this type of attack an IT issue?
Responsibility for IT systems typically reside with the IT
department, the CTO or CIO or, increasingly, a Chief Security
Offi cer. But their focus is often on operational systems and data
within the business - email and cloud storage security, etc.
Buildings and other infrastructure are increasingly being run by
computer. Obvious examples would include the physical security
systems, the heating, air and ventilation, the lifts. These are often
not within the remit of the business’ IT department and are often
managed by a facilities director or property director.
Q: Can a building management system be a way into an
organisation?
Yes. As they are “back end” rather than user interfacing, these
building systems are often running on older fi rmware and
operating systems, which may not have been patched to the most
up-to-date version. Many organisations lack eff ective processes
and procedures for their building systems. This wasn’t so much
of a problem when these building systems were standalone and
not connected to the internet. But nowadays, as more building
management is carried out remotely and centrally across a whole
portfolio, that is not the case.
Q: How could it happen?
Let’s say somebody wants to launch a highly visible attack on a
major clearing bank as a protest against the bank’s funding policy
in relation to climate change. They could either:
(i) try to circumvent the systems running on the bank’s computer
through malware in an email or a phishing attack, or
(ii) hack into the building systems in the bank’s headquarters
building - switch all the heating on to full blast, lock all the
digital locks on the offi ce doors, have the lifts go to the top fl oor
and sound the fi re alarm.
To carry out the fi rst option, they will have to circumvent the
bank’s anti-malware software so an attack has to be sophisticated
to bypass them. For the second option, let’s say the building
systems are running an outdated operating system, which has not
been properly patched. Circumventing the security would then be
much simpler. It is almost an open invitation and while it might
not gain them lots of money or result in a loss of customer data,
it is likely to make a better media story, and the reputational
damage in the customers’ eyes still points to the bank having lax
controls over their IT. Job done.
Q: Who is liable for any attack or security breach?
Liability can be complex. For example for a data breach the
‘business’ is responsible as the designated ‘data controller’ but if
there is a problem with a data processing device or smart building
product, then the manufacturer could have some liability.
However, it could also have been confi gured incorrectly by the
IT Manager or used for a function it is not designed for by the
Building Manager.
Sometimes the risks lie within areas managed or supplied by
third party organisations and so contractual compliance is key as
is ensuring that policies and procedures refl ect contractual and
regulatory obligations. Sound legal counsel can help mitigate the
risks, both reputational and fi nancial.