A data reporting services provider shall set up and maintain procedures and arrangements for physical and electronic security designed to:
protect its IT systems from misuse or unauthorised access;
minimise the risks of attacks against the information systems;
prevent unauthorised disclosure of confidential information;
ensure the security and integrity of the data.
Where an investment firm ("reporting firm") uses a third party ("submitting firm") to submit information to an ARM on its behalf, an ARM shall have procedures and arrangements in place to ensure that the submitting firm does not have access to any other information about or submitted by the reporting firm to the ARM which may have been sent by the reporting firm directly to the ARM or via another submitting firm.
A data reporting services provider shall set up and maintain measures and arrangements to promptly identify and manage the risks identified in paragraph 1.
In respect of breaches in the physical and electronic security measures referred to in paragraphs 1, 2 and 3, a data reporting services provider shall promptly notify:
the competent authority and provide an incident report, indicating the nature of the incident, the measures adopted to cope with the incident and the initiatives taken to prevent similar incidents;
its clients that have been affected by the security breach.