A data breach in November 2021 prompted federal regulatory action against Lake Shore Savings Bank.
The incident was quietly disclosed in March. According to a letter sent to Lake Shore customers in Vermont by the Vermont Attorney General’s office, the bank had a data breach that prevented employees from accessing internal systems and information. Bank officials hired a digital forensics team to uncover the amount of information accessed and notified the FBI and the Federal Office of the Comptroller of the Currency. Until March, Lake Shore Savings Bank officials had found no misused personal information.
Earlier this week, however, Lake Shore Savings Bank officials reached an agreement with the Federal Office of the Comptroller of the Currency, which reports to the Securities and Exchange Commission. Lake Shore Savings Bank is to establish a compliance committee to monitor and oversee the bank’s compliance with the agreement and submit quarterly reports to the bank’s board of directors and the OCC.
The agreement between the bank and the office does not list the specific issues related to the data breach. But the bank’s board of directors must ensure competent management. The bank has had 10 days to form a compliance committee that includes at least three board members who are not employees or officers of the bank or its subsidiaries. By September 30, and then every 30 days thereafter, the committee will submit a written progress report outlining in detail the corrective actions needed to reach compliance, the specific corrective actions taken to comply with each section of the agreement and the results and status of the corrective action.
The Board of Directors will then determine if management changes should be made.
“Within sixty days of the date of this agreement, and continuously thereafter, the board shall ensure that the bank has competent management in place on a permanent, full-time basis, including, but not limited to, its Chief Executive Officer, the positions of Director, Chief Operating Officer, Chief Technology Officer and Chief Information Security Officer, vested with sufficient authority to perform the duties and responsibilities of the position, implement Board policies, ensure the bank’s compliance with corporate governance and decision-making processes, ensure compliance with this Agreement, applicable laws, rules and regulations, and manage day-to-day operations of the bank in a safe and sound manner within the scope of the responsibilities of this position.”
Lake Shore Savings Bank currently does not have a Chief Technology Officer. It does have a Vice President of Information Technology, who is responsible for advancing technology across the organization, network administration, setting up new branches, rolling out new products and services, purchasing technology equipment, supporting employees and liaising with the bank’s main processor provider, Fiserv.
Bank staff who the board believes should stay on will be subject to a skills assessment. The board should then develop a written program to improve the skills of bank officers who need training and to improve the officer’s supervision and management of the bank.
The federal OCC also requires the creation and implementation of a written program to effectively assess and manage the bank’s information technology. This plan must be approved by the OCC. Lake Shore Savings Bank shall also develop, adopt and implement a written information security program including administrative, technical and physical safeguards to ensure the security and confidentiality of customer information, subject to review and approval by the OCC. Finally, the bank will develop, adopt and implement a written automated clearinghouse risk management program, subject to review and approval by the OCC.
“The bank shall not be deemed to be in compliance with this agreement until it has adopted, implemented and complied with all corrective actions set forth in each article of this agreement; the corrective actions are effective in addressing the Bank’s shortcomings; and the OCC verified and validated the corrective actions. An evaluation of the effectiveness of corrective actions requires a sufficient period of time to demonstrate the lasting effectiveness of the corrective actions.”