Cybersecurity Issues Threaten Cannabis Businesses, But Can Be Mitigated

by Andrew Kingsdale

June 14, 2023

Photo by Kevin Ku on Unsplash.

Cybersecurity breaches can deplete a company’s profits, affect its reputation, and jeopardize employee safety and customer wellbeing. According to IBM, in 2022 the global average cost of a data breach was $4.35 million, around 2.6% higher than in 2021. 

Cannabis operators are at particular risk of cybersecurity threats.  Not only do they collect and share a wide range of information, both for regulatory compliance and marketing purposes, but they also face potential loss or suspension of their cannabis licenses if proper security protocols are not followed.

Given the frequency and sophistication of cyberattacks, cannabis businesses must act proactively to safeguard their data and networks.  Following are some practical ways to ensure your company from cyberattacks:

1. Educate Your Staff

Most importantly, teach your staff about the risks of cyberattacks and ways to spot and handle potential threats.

According to Chad Brockway, Senior Vice President of the Intelligence Operations Division at Edgeworth Security, “the human element is always going to be the weakest link, so employee education is critical.”

Training on subjects like phishing scams, social engineering techniques, and the best practices for password management can fall under this category.

Indeed, states like New York require retailers to be trained on best practices for maintaining customer privacy and confidentiality, so this step also may be legally required.  Consult with legal counsel to understand these training requirements.

2. Implement Tight Access Protocols & Back Up Data Regularly

Another important step includes restricting access to sensitive information and systems through robust access controls, such as two-factor authentication, and backing up your data to a safe, off-site location.

According to Eric Schneider, Managing Director at AlphaRoot, an insurance brokerage that specializes in the cannabis industry, insurance companies offer discounts to cannabis companies that implement these types of protocols.

“User permissions and access levels should also be routinely reviewed and updated. Motivate your employees to use stronger passwords with a combination of capital/small words, numbers, and symbols,” explains Schneider.

Biometric security has become more popular, but should be used with caution because of legal restrictions imposed by biometric information privacy acts.  These state laws can include private rights of action against companies that do not follow requirements for informed consent.

In Cothron v. White Castle Sys. (Ill. Sup. Ct., Feb. 17, 2023), the Illinois Supreme Court held that each instance of scanning or transmitting an individual’s biometric identifier or information constituted a separate claim accruing under that state’s Biometric Information Privacy Act.

3. Conduct Due Diligence on Third-Party Providers

Not only should cannabis licensee train employees about and implement cybersecurity SOPs, but their vendors should as well.

Licensees should ask questions of their service providers—such as point-of-service and payment processing systems—about how their data is stored and encrypted.

4. Outsource Cybersecurity to a Specialist

“Cyber threats change daily,” explains Chad Brockway, so unless your company has the bandwidth to monitor evolving threats and changing cybersecurity technologies, it makes sense to hire a professional to help.

Cybersecurity specialists can ensure you regularly maintain and update technologies (like firewalls, antivirus programs, and intrusion detection systems) to effectively identify and prevent cyberattacks.

They also scan and monitor the internet and dark web for threats and risks to specific businesses, physical threats posted on social media, and the sharing of security secrets.  And if a ransom attack does occur, they can help manage that crisis.

5. Purchase Cyber Liability Insurance

According to Barry Galvin at AlphaRoot, cannabis cyber insurance can protect from unseen and unpreventable cyberattacks and provide financial and legal aid to companies in crisis.  “A specialized cannabis insurance company understands the industry threats and effectively guides you about measures that can reduce your insurance premiums. These measures include educating your staff about cyber, and incorporating advanced cyber safety technology in operations across your business,” says Galvin.

AlphaRoot also recommends purchasing directors and officers insurance to ensure that no executives face consequences of data breach, as well as workers’ compensation insurance to cover lost wages during a company’s struggling period. 

6. Report breaches immediately

Last but not least, every license has a duty to report cyber breaches if they occur.  In New York, for example, licensees must notify the Office of Cannabis Management within 24-hours of “any criminal action involving or occurring on or in the licensed premises”, and submit an incident report within 10 days.  (Revised Proposed Regulations, NYCRR, title 9, proposed § 125.3(e).)

Failure to report these incidents could lead to steep penalties or even suspension of licensure. 

On the other hand, a cybersecurity attack may constitute grounds for emergency or disaster relief, if the company timely reports it to the regulators.

In summary, cybersecurity threats are real and potentially catastrophic to all cannabis businesses.  But precautions can help mitigate those risks, and professionals are available to assist.