How did the subject of cybersecurity enter office buildings?
Pierre-Philippe Wibaux: Office buildings have become “smart”, meaning that they are sophisticated and hyperconnected thanks to increasingly open building management systems, the introduction of BOS (Building Operating System), the IoT, etc. Alongside this, nowadays we see mostly multi-let buildings, with occupants now using digital tools for their operations, particularly from the service areas available in both the common and tenant areas. This is why building cybersecurity, which can be defined as a set of systems and measures aimed at ensuring digital security, has become an issue for office buildings and the companies that occupy them.
Like our tenants, we are aware of the risks associated with the swift and sweeping changes that are affecting digital usage. We have therefore decided to implement systems aimed at making our buildings secure.
Marielle Seegmuller
Operations Director, Covivio
What does this involve in practice?
Marielle Seegmuller: We have established a Security Assurance Plan, which came about as follows. In mid-2022, we began a global brainstorming process with Mazars regarding office cybersecurity to assess existing measures in place in our French office buildings. This process involved mapping our portfolio and identifying potential risks, along with the cybersecurity measures in place, which we then used to draw up recommendations and action plans. More generally, we drew up a Security Assurance Plan setting out our cybersecurity commitments and best practices.
Pierre-Philippe Wibaux: This task took eight months and involved most of the Covivio teams – Legal, Smart Building, Real Estate Engineering, Customer Relationships and Internal Audit – alongside certain service providers, reflecting the true complexity of the matter.
The mapping exercise provided a lot of insight along with a clear overview of the state of the building’s cybersecurity, allowing us to make the necessary operating adjustments and specify which elements fall on the lessor, the tenants and the various service providers.
What does the Security Assurance Plan involve?
Pierre-Philippe Wibaux: It is a document describing the principles that Covivio strives to implement to respond to cybersecurity issues. It sets out the organisational structure in place, the methodology used for building security management and the technical, organisational and procedural measures implemented to protect assets.
Marielle Seegmuller: The Security Assurance Plan allowed us to define what we require from our service providers in order to ensure cybersecurity in our office buildings. These specifications will henceforth be included in our calls for tender and will enable us to ensure commitment and compliance on the part of our service providers.
You have also established an audit checklist. Can you tell us more about it?
Pierre-Philippe Wibaux: We created this custom checklist alongside Mazars, based on the ISO 27001 and R2S standards. It comprises 37 checkpoints concerning areas such as logical and physical security, compliance and building network use.
How is cybersecurity transforming your business lines?
Pierre-Philippe Wibaux: Cybersecurity transforms the jobs of our Development and Smart Building teams, since the topic is incorporated into the thinking process right from the design phase in order to optimise efficiency. We are confident that cybersecurity will become a determining factor for selecting a building.
Marielle Seegmuller: Our role as building manager and operator is also changing as new skills are required. For example, a Facility Manager can now draw on an IT service manager’s expertise to keep the building in working order and supervise IP networks. It also affects our service providers, since cybersecurity requirements are now included in our selection criteria.