Lake Shore Bancorp in Dunkirk, N.Y., will be making some internal improvements after its bank entered into a written agreement with the Office of the Comptroller of the Currency.
The agreement, included in a Tuesday regulatory filing by the $707 million-asset company, said the OCC “found unsafe or unsound” practices tied to IT security and controls and IT risk governance.
As a result, the bank must ensure that it has “competent management in place,” including its CEO, chief operating officer, chief technology officer and information security officer.
Lake Shore is required to develop, adopt and implement a written program to effectively assess and manage IT activities. The plan is subject to review and feedback from the OCC.
The bank must also develop and implement programs for information security and ACH management.
Lake Shore said its bank is required to create a committee to monitor and oversee compliance with the agreement and submit quarterly reports to its board and the OCC.
OCC approval will also be required anytime the bank wants to change directors and executive officers.
Lake Shore disclosed in March that someone gained unauthorized access to data in its internal systems. The company said that its bank experienced a data security incident in November that barred employees from accessing internal systems and data for “a limited period of time.”
The bank launched an investigation and hired a digital forensics firm to help determine the scope of the incident and identify potentially impacted data. Lake Shore also notified law enforcement and the OCC.