Agreement by and Between Lake Shore Savings Bank and the Office of the Comptroller of the Currency, dated July 13, 2022

AGREEMENT BY AND BETWEEN

Lake Shore Savings Bank

Dunkirk, New York

and AA-__-20__-__

The Office of the Comptroller of the Currency



Lake Shore Savings Bank, Dunkirk, New York (“Bank”) and the Office of the Comptroller of the Currency (“OCC”) wish to assure the safety and soundness of the Bank and its compliance with laws and regulations.

The Comptroller of the Currency (“Comptroller”) has found unsafe or unsound practice(s), including those relating to information technology security and controls and information technology risk governance.

Therefore, the OCC, through the duly authorized representative of the Comptroller, and the Bank, through its duly elected and acting Board of Directors (“Board”), hereby agree that the Bank shall operate at all times in compliance with the following:

ARTICLE I

JURISDICTION

(1) The Bank is an “insured depository institution” as that term is defined in 12 U.S.C. § 1813(c)(2).

(2) The Bank is a Federal savings association within the meaning of 12 U.S.C. § 1813(q)(1)(C), and is chartered and examined by the OCC. See 12 U.S.C. §§ 1461 et seq., 5412(b)(2)(B).

(3) The OCC is the “appropriate Federal banking agency” as that term is defined in 12 U.S.C. § 1813(q).









ARTICLE II

COMPLIANCE COMMITTEE

(1) Within ten (10) days of the date of this Agreement, the Board shall appoint a Compliance Committee of at least three (3) members of which a majority shall be directors who are not employees or officers of the Bank or any of its subsidiaries or affiliates. The Board shall submit in writing to the Assistant Deputy Comptroller the names of the members of the Compliance Committee within ten (10) days of their appointment. In the event of a change of the membership, the Board shall submit in writing to the Assistant Deputy Comptroller within ten (10) days the name of any new or resigning committee member. The Compliance Committee shall monitor and oversee the Bank’s compliance with the provisions of this Agreement. The Compliance Committee shall meet at least quarterly and maintain minutes of its meetings.

(2) By September 30, 2022, and thereafter within thirty (30) days after the end of each quarter, the Compliance Committee shall submit to the Board a written progress report setting forth in detail:

(a) a description of the corrective actions needed to achieve compliance with each Article of this Agreement;

(b) the specific corrective actions undertaken to comply with each Article of this Agreement; and

(c) the results and status of the corrective actions.

(3) Upon receiving each written progress report, the Board shall forward a copy of the report, with any additional comments by the Board, to the Assistant Deputy Comptroller within ten (10) days of the first Board meeting following the Board’s receipt of such report.









ARTICLE III

BOARD TO ENSURE COMPETENT MANAGEMENT

(1) Within sixty (60) days of the date of this Agreement, and on an ongoing basis thereafter, the Board shall ensure that the Bank has competent management in place on a permanent and full-time basis, including, but not limited to, in its Chief Executive Officer, Chief Operating Officer, Chief Technology Officer, and Information Security Officer positions, vested with sufficient authority to fulfill the duties and responsibilities of the position, carry out the Board’s policies, ensure the Bank’s adherence to corporate governance and decision-making processes, ensure compliance with this Agreement, applicable laws, rules and regulations, and manage the day-to-day operations of the Bank in a safe and sound manner within the scope of that position’s responsibilities.

(2) Within sixty (60) days of the date of this Agreement, and annually thereafter, or when requested by the Assistant Deputy Comptroller in writing, the Board shall review the capabilities of the Bank’s management to perform present and anticipated duties and the Board shall determine whether management changes will be made, including the need for additions to or deletions from current management.

(3) For incumbent officers in the positions mentioned in paragraph (1) of this Article, the Board shall, within sixty (60) days of the date of this Agreement, assess each of these officer’s experience, qualifications and performance compared to the position’s description, duties and responsibilities.

(4) If the Board determines that an officer will continue in his or her position, but that the officer’s depth of skills needs improvement, the Board shall within fifteen (15) days of such determination, develop and implement a written program, with specific time frames, to improve 











the officer’s supervision and management of the Bank. At a minimum, the written program shall include:

(a) an education program designed to ensure that the officer has skills and abilities necessary to supervise effectively;

(b) a program to improve the effectiveness of the officer;

(c) objectives by which the officer’s effectiveness will be measured; and

(d) a performance appraisal program and projected timeline for evaluating performance according to the position’s description and responsibilities and for measuring performance against the Bank’s goals and objectives.

Upon completion, a copy of the written program shall be submitted to the Assistant Deputy Comptroller.

(5) If any senior executive officer (as defined in 12 C.F.R. § 5.51(c)(4)) position is vacant now or in the future, the Board shall within sixty (60) days of the date of this Agreement or the future vacancy, respectively, identify and provide notice to the Assistant Deputy Comptroller, of a competent, permanent, and full-time candidate for the position. The Board shall comply with the prior notice requirements of 12 U.S.C. § 1831i and 12 C.F.R. § 5.51 when selecting an individual to serve in any senior executive officer position.

(6) Prior to the appointment of any individual to an executive officer position (other than for a senior executive officer as defined in 12 C.F.R. § 5.51(c)(4)), the Board shall submit to the Assistant Deputy Comptroller written notice containing information regarding the proposed candidate’s identity, personal history, business background, and experience, and any other information required by the Assistant Deputy Comptroller in writing and receive the Assistant Deputy Comptroller’s written determination of non-disapproval.







(7) The Assistant Deputy Comptroller shall have the power to disapprove the appointment of the proposed executive officer. However, the failure to exercise such disapproval power shall not constitute an approval or endorsement of the proposed executive officer.

(8) Within thirty (30) days of receiving the Assistant Deputy Comptroller’s written determination of non-disapproval of a proposed executive officer referred to in paragraph (6) of this Article, the Board shall appoint the individual to that executive officer position. That new executive officer shall be vested with sufficient authority to fulfill the duties and responsibilities of the position, carry out the Board’s policies, ensure compliance with this Agreement, applicable laws, rules and regulations, and ensure the safe and sound operation of the Bank within the scope of that position’s responsibilities.

(9) The requirement to submit information and the prior disapproval provisions of paragraph (6) of this Article are based upon the authority of 12 U.S.C. § 1818(b)(6)(E) and does not require the Comptroller or the Assistant Deputy Comptroller to complete his or her review and act on any such information or authority within thirty (30) days.

ARTICLE IV

INFORMATION TECHNOLOGY GOVERNANCE PROGRAM

(1) Within sixty (60) days of the date of this Agreement, the Bank shall submit to the Assistant Deputy Comptroller for review and prior written determination of no supervisory objection an acceptable, written program to effectively assess and manage the Bank’s information technology (“IT”) activities (“IT Governance Program”). Refer to Federal Financial Institutions Examination Council, IT Handbook, for related safe and sound principles. Although













the Bank may outsource some or all of its IT functions, outsourcing does not change the Board’s responsibility to ensure effective IT controls.

(2) The IT Governance Program shall be commensurate with the level of risk and complexity of the Bank’s IT activities and shall, at a minimum, address the following:

(a) an effective IT risk governance program that establishes the roles, responsibilities, and accountability of the Board of directors and management; refer to the “Management” booklet of the FFIEC IT Examination Handbook;

(b) an IT planning process with the following elements: long-term goals and the allocation of IT resources to achieve them; alignment of the IT strategic plan with the enterprise-wide business plan; identification and measurement of risk before changes or new investment in technology are made; an IT infrastructure to support current and planned business operations; integration of IT spending into the budgeting process; refer to the “Management” booklet of the FFIEC IT Examination Handbook;

(c) hiring and training practices governed by appropriate policies to maintain competent and trained staff to fulfill respective roles in the Bank’s IT program, including in the Information Security Officer position; refer to the “Management” booklet of the FFIEC IT Examination Handbook;

(d) an effective IT risk management process that includes: identification and measurement of risks to information and technology assets, within the Bank or controlled by third-party providers; mitigation of risks to an acceptable residual















risk level in conformance with the board’s risk appetite; and monitoring risk levels with results reported to the board and senior management; refer to the “Management” booklet of the FFIEC IT Examination Handbook;

(e) an effective, written, system architecture program to identify, acquire, install, and maintain appropriate IT systems with project management standards, procedures, and controls commensurate with the characteristics and risks of the Bank’s development, acquisition, and maintenance activities; refer to the “Development and Acquisition” booklet of the FFIEC IT Examination Handbook;

(f) an effective written program with standards and controls over data structure, usage, and storage; refer to the “Operations” and “Development and Acquisition” booklets of the FFIEC IT Examination Handbook;

(g) appropriate system security controls including documenting an inventory of information system assets including hardware, software, information and connections; classify the information system assets based on risk; implement user access and authentication controls based on the principle of least privilege, including proper segregation of duties; refer to the “Information Security” booklet of the FFIEC IT Examination Handbook;

(h) an effective incident identification and assessment process and effective written incident response program (“Incident Response Program”); refer to OCC Bulletin 2005-13 “Response Programs for Unauthorized Access to Customer Information and Customer Notice – Final Guidance”;













(i) a written change management program that addresses controls over the introduction of changes, in a controlled manner, into the IT environment; implements effective patch management systems and software to ensure all network components (virtual machines, routers, switches, mobile devices, firewalls, etc.) and application software are appropriately updated; and use vulnerability scanners periodically to identify vulnerabilities in a timely manner; refer to the “Information Security” and “Operations” booklets of the FFIEC IT Examination Handbook;

(j) operational controls, procedures, standards, and processes, including, but not limited to, an environmental survey, network topologies and data flows, environmental controls, physical and logical security, personnel controls, conversions, back-ups, disposal, imaging, problem management, and user support; refer to the “Operations” booklet of the FFIEC IT Examination Handbook;

(k) an updated written, Board-approved, enterprise-wide business continuity management and resiliency process (“Business Continuity and Recovery Plan (BCP)” that includes a business impact analysis (“Business Impact Analysis”) that assesses and prioritizes potential threat and disruption scenarios, including cyber events, based upon their impact on operations and probability of occurrence; periodic enterprise-wide tests; independent assessment of the tests; and, updating the plan regularly as needed; refer to the “Business Continuity Planning” and “Information Security” booklets of the FFIEC IT Examination Handbook; and

















(l) an IT assurance and testing program that is risk-based, written, and well-documented; identifies and addresses the areas of greatest IT and information security risk exposure; promotes sound IT and information security controls; evaluates the adequacy of planning, oversight, operating processes, internal controls, and compliance efforts; includes self-assessments, independent penetration tests, vulnerability assessments and audits in the assurance testing program; and promptly detects, reports, and tracks significant risks and deficiencies and corrective actions; refer to the “Audit” and “Information Security” booklets of the FFIEC IT Examination Handbook.

(3) Within ten (10) days following receipt of the Assistant Deputy Comptroller’s written determination of no supervisory objection to the IT Governance Program or to any subsequent amendment to the IT Governance Program, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter adhere to the IT Governance Program.

(4) The Board shall review the effectiveness of the IT Governance Program at least annually, no later than December 31, and more frequently if necessary or if required by the OCC in writing, and amend the IT Governance Program as needed or as directed by the OCC. Any amendment to the IT Governance Program must be submitted to the Assistant Deputy Comptroller for review and prior written determination of no supervisory objection.



















ARTICLE V

INFORMATION SECURITY PROGRAM

(1) Within sixty (60) days of the date of this Agreement, the Bank shall submit to the Assistant Deputy Comptroller for review and prior written determination of no supervisory objection an acceptable, written Information Security Program that includes administrative, technical, and physical safeguards to ensure the security and confidentiality of customer information; protect against any anticipated threats or hazards to the security or integrity of such information; protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; ensure the proper disposal of customer information; and ensure the overall safety and soundness of the Bank. Refer to the “Information Security” booklet of the FFIEC IT Examination Handbook for guidance.

(2) The Information Security Program shall comply with 12 C.F.R. Part 30, Appendix B, and shall, at a minimum, address the following:

(a) the Board’s approval, or the approval of an appropriate Board committee, of the Information Security Program;

(b) a risk assessment that identifies reasonably foreseeable threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer information systems; that assesses the likelihood and potential damage of these threats; that assesses the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks; and, that aligns with the Bank’s enterprise-wide risk management program;













(c) measures to control identified risks, commensurate with the sensitivity of the information and the complexity and scope of the Bank’s activities, including measures to address data loss prevention;

(d) dedicated Information Security Officer with sufficient authority to oversee and implement the Information Security Program;

(e) regular testing of key controls, systems, and procedures and independent testing or reviews of testing; including incident response testing and training;

(f) appropriate measures for the proper disposal of customer information and customer information systems; including measures to address data loss prevention;

(g) a process to monitor, evaluate and adjust, as appropriate, the program in response to changes in technology, the sensitivity of customer information, internal or external threats, changing business arrangements, changing outsourcing arrangements, and changing systems; and

(h) the annual receipt by the Board, or an appropriate committee thereof, of a report that describes the overall status of the Information Security Program and the Bank's compliance with 12 C.F.R. Part 30, Appendix B.

(3) Within ten (10) days following receipt of the Assistant Deputy Comptroller’s written determination of no supervisory objection to the Information Security Program or to any subsequent amendment to the Information Security Program, the Board shall adopt and Bank















management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter adhere to the Information Security Program.

(4) The Board shall review the effectiveness of the Information Security Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Information Security Program as needed or as directed by the OCC. Any amendment to the Information Security Program must be submitted to the Assistant Deputy Comptroller for review and prior written determination of no supervisory objection.

ARTICLE VI

ACH RISK MANAGEMENT PROGRAM

(1) Within sixty (60) days of the date of this Agreement, the Bank shall submit to the Assistant District Comptroller, for review and prior written determination of no supervisory objection, an acceptable written automated clearing house (“ACH”) Risk Management Program (“ACH Program”). Refer to OCC Bulletin 2006-39, Automated Clearing House Activities: Risk Management Guidance.

(2) The ACH Program shall address, at a minimum:

(a) implementation of Board approved written risk based policies, procedures, and processes for effective risk management of ACH activities appropriate for the size and complexity of the bank, to include policies and procedures relating to credit risk management, control requirements for ACH customers, and audit of ACH activities; and













(b) adequate staffing and defined resources at the Bank dedicated to the review and audit of ACH transactions to ensure ongoing compliance with ACH policies and procedures.

(3) Within ten (10) days following receipt of the Assistant Deputy Comptroller’s written determination of no supervisory objection to the ACH Program or to any subsequent amendment to the ACH Program, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter ensure adherence to the ACH Program. The Board shall review the effectiveness of the ACH Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the ACH Program as needed or directed by the OCC. Any amendment to the ACH Program must be submitted to the Assistant Deputy Comptroller for review and prior written determination of no supervisory objection.

ARTICLE VII

GENERAL BOARD RESPONSIBILITIES

(1) The Board shall ensure that the Bank has timely adopted and implemented all corrective actions required by this Agreement, and shall verify that the Bank adheres to the corrective actions and they are effective in addressing the Bank’s deficiencies that resulted in this Agreement.

(2) In each instance in which this Agreement imposes responsibilities upon the Board, it is intended to mean that the Board shall:

















(a) authorize, direct, and adopt corrective actions on behalf of the Bank as may be necessary to perform the obligations and undertakings imposed on the Board by this Agreement;

(b) ensure that the Bank has sufficient processes, management, personnel, control systems, and corporate and risk governance to implement and adhere to all provisions of this Agreement;

(c) require that Bank management and personnel have sufficient training and authority to execute their duties and responsibilities pertaining to or resulting from this Agreement;

(d) hold Bank management and personnel accountable for executing their duties and responsibilities pertaining to or resulting from this Agreement;

(e) require appropriate, adequate, and timely reporting to the Board by Bank management of corrective actions directed by the Board to be taken under the terms of this Agreement; and

(f) address any noncompliance with corrective actions in a timely and appropriate manner.

ARTICLE VIII

CLOSING

(1) This Agreement is intended to be, and shall be construed to be, a “written agreement” within the meaning of 12 U.S.C. § 1818, and expressly does not form, and may not be construed to form, a contract binding on the United States, the OCC, or any officer, employee, or agent of the OCC. Notwithstanding the absence of mutuality of obligation, or of consideration, or of a contract, the OCC may enforce any of the commitments or obligations









herein undertaken by the Bank under its supervisory powers, including 12 U.S.C. § 1818(b)(1), and not as a matter of contract law. The Bank expressly acknowledges that neither the Bank nor the OCC has any intention to enter into a contract. The Bank also expressly acknowledges that no officer, employee, or agent of the OCC has statutory or other authority to bind the United States, the U.S. Treasury Department, the OCC, or any other federal bank regulatory agency or entity, or any officer, employee, or agent of any of those entities to a contract affecting the OCC’s exercise of its supervisory responsibilities.

(2) This Agreement is effective upon its issuance by the OCC, through the Comptroller’s duly authorized representative. Except as otherwise expressly provided herein, all references to “days” in this Agreement shall mean calendar days and the computation of any period of time imposed by this Agreement shall not include the date of the act or event that commences the period of time.

(3) The provisions of this Agreement shall remain effective and enforceable except to the extent that, and until such time as, such provisions are amended, suspended, waived, or terminated in writing by the OCC, through the Comptroller’s duly authorized representative. If the Bank seeks an extension, amendment, suspension, waiver, or termination of any provision of this Agreement, the Board or a Board-designee shall submit a written request to the Assistant Deputy Comptroller asking for the desired relief. Any request submitted pursuant to this paragraph shall include a statement setting forth in detail the special circumstances that warrant the desired relief or prevent the Bank from complying with the relevant provision(s) of the Agreement, and shall be accompanied by relevant supporting documentation. The OCC’s decision concerning a request submitted pursuant to this paragraph, which will be communicated to the Board in writing, is final and not subject to further review.











(4) The Bank will not be deemed to be in compliance with this Agreement until it has adopted, implemented, and adhered to all of the corrective actions set forth in each Article of this Agreement; the corrective actions are effective in addressing the Bank’s deficiencies; and the OCC has verified and validated the corrective actions. An assessment of the effectiveness of the corrective actions requires sufficient passage of time to demonstrate the sustained effectiveness of the corrective actions.

(5) Each citation, issuance, or guidance referenced in this Agreement includes any subsequent citation, issuance, or guidance that replaces, supersedes, amends, or revises the referenced cited citation, issuance, or guidance.

(6) No separate promise or inducement of any kind has been made by the OCC, or by its officers, employees, or agents, to cause or induce the Bank to enter into this Agreement.

(7) All reports, plans, or programs submitted to the OCC pursuant to this Agreement shall be forwarded via BankNet, to the following:

James Greg Bost, Assistant Deputy Comptroller

Office of the Comptroller of the Currency

Pittsburgh Field Office

Corporate One Office Park

Building 2, Suite 400

4075 Monroeville Boulevard

Monroeville, PA 15146











(8) The terms of this Agreement, including this paragraph, are not subject to amendment or modification by any extraneous expression, prior agreements, or prior arrangements between the parties, whether oral or written.



IN TESTIMONY WHEREOF, the undersigned, authorized by the Comptroller as his duly authorized representative, has hereunto set his signature on behalf of the Comptroller.































IN TESTIMONY WHEREOF, the undersigned, as the duly elected and acting Board of Directors of Lake Shore Savings Bank have hereunto set their signatures on behalf of the Bank.