One of the region’s smaller banks, Lake Shore Bancorp, has been slapped with a regulatory order from a federal agency, criticizing its technology compliance and governance – and questioning if its management is up to the task – after it suffered a data breach in its internal systems last November.
That’s despite the bank continuing to be profitable, even posting a 70% increase in second-quarter profits less than 24 hours after disclosing that it had signed an agreement with the Office of the Comptroller of the Currency, its lead bank regulator.
The surprise order – revealed by the Dunkirk-based savings bank in a filing with the Securities and Exchange Commission late Tuesday – came four months after the bank acknowledged it had “experienced a data security incident” last November that “prevented employees from accessing internal systems and data for a limited period of time.”
It started an internal investigation, notified law enforcement and the OCC and hired a digital forensics firm, which found “unauthorized access to certain data,” but no impact on the bank’s core systems and “no evidence that customer personal information was misused.”
Even so, according to the agreement with the OCC – a division of the U.S. Treasury Department – regulators found “unsafe or unsound practice(s)” at the bank, including those related to “information technology security and controls and information technology risk governance.”
“Our team’s been working diligently over the past several months to institute the appropriate actions,” CEO Daniel P. Reininga said. “Our board and management are committed to working with the OCC to fully address the matters.”
The July 13 agreement doesn’t spell out specific problems that the agency found. But the requirements imposed upon the bank hint at the areas of concern – including a directive to “ensure that the Bank has competent management in place on a permanent and full-time basis” within 60 days and continually afterward.
The order specifically identifies the CEO, the chief operating officer, the chief technology officer and the information security officer, but notes that it’s not limited to them. The latter three positions do not currently exist at Lake Shore, so they would have to be created.
Under the order, Lake Shore’s board of directors must evaluate the bank’s officers’ “capabilities to perform present and anticipated duties” within 60 days and then annually, and must determine if changes need to be made to the management team.
It also must ensure the officers have “sufficient authority” to fulfill their jobs, carry out board policies, ensure compliance with corporate governance and decision-making procedures, and manage daily operations.
If, after assessing each officer’s “experience, qualifications and performance,” the board allows an individual to continue in their role but with additional training or skills development, it must develop and implement a written plan to do so, with benchmarks to evaluate effectiveness. But if changes are needed, or if a position becomes vacant, the bank must first notify the OCC, and must then obtain consent for any new appointments to those positions.
The board also must create a three-member compliance committee to monitor and oversee the bank’s adherence to the agreement.
It also must develop and implement a program to assess and manage the bank’s information technology activities.
And it must adopt a security program to protect the confidentiality of customer information and prevent threats or unauthorized access to that information.