April 15, 2019

CT's latest cyber-defense mechanism is stiffening penalties against financial scammers, hackers

Illustration | aurielaki, shutterstock.com
Arthur House, Chief Cyber Security Risk Officer, Connecticut

State police boost cyber presence

Just over a year ago, the State Police formed its first investigations unit devoted exclusively to cybercrimes.

State Police Sgt. Bryan Ferrucci supervises three detectives in the unit he was assigned to create, after a decade investigating online child pornography cases.

Cybercrimes committed against Connecticut residents and businesses are growing, Ferrucci said.

"We're definitely on an upswing," the 19-year trooper said. "The need for us is increasing every day."

Ferrucci said that, for now, his office has adequate manpower and other resources to probe cyberfraud, often in conjunction with the FBI, Secret Service and other state and federal law enforcement agencies.

Once his unit is notified of a financial cybercrime, Ferrucci says his team's first priority is "to stop the bleeding" of a victim's bank account — cutting the cybercriminal's digital umbilical cord.

As for the impact of Connecticut raising penalties for cybercriminals, Ferrucci is optimistic about their potential for deterrence.

"I don't think you'll ever stop [cybercrimes]," he said. "It may help to deter some people."

Operators of Connecticut's banks, credit unions and thrifts essentially wear two hats.

As investors, they leverage collected deposits into loans. As financial fiduciaries, they, too, accept responsibility for protecting depositors' private information and shielding accounts from thieves and hackers.

It's with their fiduciary hats on that Connecticut's deposit-collecting institutions, with support from state bank regulators and law enforcement, are promoting legislation — Senate Bill 811 — that would substantially raise state penalties for those convicted of depositor scams.

It, too, is but the latest example of Connecticut's determination to crack down on cybercrime. Just over a year ago, State Police formed the state's first investigations unit devoted exclusively to cybercrimes. And Connecticut is one of a handful of states with a cybersecurity czar and statewide cyber-defense plan.

Still, Connecticut residents and businesses remain vulnerable to cyberattacks, officials say, with the pace of data breaches in the state increasing in recent years. It was just over a year ago, for example, that a weekend cyberattack infected 160 computers across 12 state agencies. In February, UConn Health disclosed that an unauthorized third party had accessed its employee email accounts, potentially breaching the privacy of 326,000 patients and others.

Protecting money managers

Currently, deposit scams against financial institutions in Connecticut are a Class D felony with a maximum penalty of five years in prison and a $5,000 fine — too lax, the state's bankers insist. That would jump under S.B. 811 to become a Class A felony, bearing a maximum 25 years behind bars and a $25,000 fine per violation.

Thomas Mongellow, executive vice president of the Connecticut Bankers Association, said increasing the state's bank-deposit fraud penalties could help act as a deterrent.

"No. 1, what we'd like to do is give a clear road map for prosecutors … and send a message out there," said Mongellow, who in June ascends as CEO of the state's leading banker lobby. "If you're destroying somebody's financial well-being, it should be a stiff penalty."

He also noted that S.B. 811's penalties would extend beyond cyberthieves to family members and other caregivers who exploit physically or mentally debilitated depositors for financial gain.

The bill has received unanimous approval in the Banking Committee and is now awaiting further action in the Senate.

According to an American Bankers Association survey, fraud against bank deposit accounts cost the banking industry and their customers $2.2 billion in 2016.

Under Connecticut law, companies operating in this state must report any data breaches or other illegal access to consumer information to the state attorney general's office, which handles civil prosecutions only.

There were 801 data breaches reported in Connecticut last year, up 3 percent from 2017, the AG's office said.

Meantime, there have been 27 charges under the state computer crimes statutes since fiscal 2014, but all cases have been dismissed, according to the Office of Fiscal Analysis.

It's not clear why no cases have been fully prosecuted in the last five-plus years.

Policy, technology gaps

Connecticut's cybersecurity chief Arthur House says the state is ahead, not only of other states, but other countries, when it comes to plotting strategies for thwarting harmful incursions into the etherspace of agencies, businesses and residents.

For instance, House said that amid allegations that Russian operatives penetrated much of America's social-media and other online portals, to sway the 2016 election, an inspection of Connecticut's digital elections setup uncovered Russian fingerprints. But there were no signs the operatives penetrated this state's digital-elections firewall, he said.

Still, House said lingering policy and technology gaps and inconsistencies are the real threats to states' and the nation's ability to shield themselves against cyberattacks and must be dealt with.

House helped lead development of Connecticut's first-ever cybersecurity defense plan last May, which called for extensive security in state government agencies, municipalities, the General Assembly and judicial branch.

It also called for engaging the business community to encourage risk assessment and security.

While S.B. 811 raises penalties for cybercriminals who target banks operating in Connecticut, what about those who victimize insurers or small businesses? House asked. He suggested the tougher penalties should be instituted more broadly.

"I applaud paying attention to cyberissues," he said. "But I'd feel better if we took a comprehensive look at it."

Mongellow acknowledged bankers share many of the same cybersecurity concerns with other industries. However, he said this bill is targeted specifically at deposit-taking institutions.

Matthew Smith, general counsel for the state Department of Banking, said his agency's limited enforcement powers do not extend to criminal matters, but it supports anything that helps the state's financial institutions avoid data breaches like ones that compromised personal credit and other information for millions at Equifax and others in recent years.

"The department wants to partner with institutions it regulates to ensure there's a robust cybersecurity program in place," Smith said.

Copyright 2017 New England Business Media