Article 9 Security
1. A data reporting services provider shall set up and maintain procedures and arrangements for physical and electronic security designed to:
(a) protect its IT systems from misuse or unauthorised access;
(b) minimise the risks of attacks against the information systems as defined in Article 2(a) of Directive 2013/40/EU of the European Parliament and of the Council [Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ L 218, 14.8.2013, p. 8).];
(c) prevent unauthorised disclosure of confidential information;
(d) ensure the security and integrity of the data.
2. Where an investment firm ('reporting firm') uses a third party ('submitting firm') to submit information to an ARM on its behalf, an ARM shall have procedures and arrangements in place to ensure that the submitting firm does not have access to any other information about or submitted by the reporting firm to the ARM which may have been sent by the reporting firm directly to the ARM or via another submitting firm.
3. A data reporting services provider shall set up and maintain measures and arrangements to promptly identify and manage the risks identified in paragraph 1.