The cannabis industry has become a popular target of cyberattacks, and that trend shows little sign of abating. With most cannabis companies employing fewer than 100 workers, few are equipped with sophisticated cyber protection systems, making them easier to exploit. And the all-cash nature of the business, along with the large amounts of protected health data and personally identifiable information dispensaries may store, makes cannabis a prime target for cyber extortion.

Hackers may try to disable a dispensary’s security system to enable a robbery, or target workers with email-based phishing scams to obtain protected health information to sell or lists of high-profile clients to extort.

The evolving industry’s shift toward operational automation to increase yields and lower labor costs has further increased its vulnerability, offering attackers even more entry points to take down systems and cripple business. With a hard cyber insurance market and carriers skittish about writing coverage for these never-ending threats, cannabis companies without the right controls in place may struggle to find sufficient coverage.

But insufficient cyber insurance can be devastating in the event of an attack: Cannabis companies in Ontario lost millions after a distributor for the Ontario Cannabis Store was hit, leaving the province unable to process or deliver orders to cannabis retailers.¹ In late 2020, cyber criminals stole 50 gigabytes of data from a Toronto-based producer, and an Australian medicinal cannabis firm lost millions when hackers stole money that was intended for an overseas contractor.²

Conducting a comprehensive assessment of all cyber risk can help cannabis companies locate their vulnerabilities, implement a cyber defense strategy and develop a plan to show carriers that they’ve taken steps to reduce exposure and that they’re worth the risk.

Create a strong cyber-defense program

These six defensive tactics can help cannabis companies ward off cyberattacks:

  1. Manage the human element. Train employees on the importance of cybersecurity. Make sure employees undergo phishing training and conduct refresher courses at least annually.
  2. Test employee awareness. Are employees retaining the information shared in training? Send simulated phishing emails and track performance to determine if training hits the mark.
  3. Develop a corporate policy on passwords. Drive password management from the top down and require complex passwords that employees must change frequently. Set an automated reminder that enforces the requirement.
  4. Implement a minimum set of protective tools. Among other technical controls, multifactor authentication (MFA) and endpoint detection and response (EDR) are crucial for maintaining a secure network. Most carriers require MFA for remote network access, on email, and to protect privileged user accounts. EDR monitoring of devices connecting to the network is also a minimum requirement for insurance coverage.
  5. Have a backup strategy. A solid backup plan makes companies less susceptible to ransomware attacks by allowing organizations to restore operations. Perform frequent backups, every day if possible, and store them off-site and off-network.
  6. Build an incident response plan. Cannabis companies should have a plan for responding to an attack, a system for validating what happened and the resources to remediate the issue.

Contact HUB International’s cannabis insurance experts to learn more about protecting against cyber risk.


¹ CBC, “Pot shop owners worry they'll lose customers if halt on OCS deliveries stretches on,” August 9, 2022.
² Smart Company, “Medicinal cannabis company Cann Group loses $3.6 million in ‘sophisticated’ cyber attack,” February 9, 2021.