How to Guard Against 3 Cannabis Cyber Attack Risks

September 1, 2021 Articles
mg Magazine

Cyber attacks are now commonplace. Ransomware attacks, in particular, have skyrocketed in frequency and size. High-profile data breaches have cost businesses in the United States millions of dollars in losses and incalculable reputational harm. Just like those in any other industry, cannabis cyber attack risks pose a clear and present danger of financial consequences.

With new data-security legislation, cyber attacks create even more risk. Under the California Consumer Privacy Act (CCPA), for example, attacks can lead to regulatory fines and private actions by affected consumers. Under the CCPA, consumers are not required to prove personal losses or damage. This increased risk of liability for cyber attacks coupled with the increased volume of attacks makes the issue one that must be addressed by every business. Increasing security is step one, but there is no foolproof protection. Thus, it is equally important to consider how best to insulate companies from potential monetary damage resulting from an attack.

Cyber insurance is no panacea, but it can address cannabis businesses’ cyber risks, including the one described above. It also covers the cost of investigating and responding to data breaches and ransomware attacks, as well as some lost profits due to computer system downtime.

As valuable as these basic coverages are, cannabis businesses have unique risks that make them more vulnerable to cyber attacks and their financial consequences. Cannabis producers and retailers should carefully consider their other, possibly bigger, cyber risks and seek to address them when buying cyber insurance.

There is no “standard” cyber insurance policy. Dozens of insurers sell such a product, with each insurer constantly adapting its policy terms to market changes and challenges. As a result, cannabis businesses must carefully review policies offered to them and negotiate the terms in order to address their individual cyber risks. Those that fail to do so may leave some of their biggest risks uncovered.

We focus on three such risks here.

1. Retailers face acute reputational risks associated with data breaches.

Retailers collect and hold highly sensitive personal information, including, in some cases, personal health information. The sensitivity arises not only from the type of information, but also its potential to reveal the relationship between the consumer and retailer. Many customers rely on retailers to keep their purchases hidden from public view. As a result, a data breach publicizing the personally identifiable information from a cannabis retailer’s customer list may cause real-life consequences to those individuals whose information is disclosed. While cyber insurers typically defend lawsuits seeking such damages, cyber insurance policies often do not cover the lost profits the retailer will suffer as consumers flee to its competitors, which may be perceived as better safeguarding confidentiality. Some cyber insurers offer this coverage, though, and cannabis retailers should try to purchase it.

2. Growers and producers may suffer damage to or loss of property that is not easily insured.

Cultivators’ operations may depend, at least in part, on computers. A cyber attack or other event impacting those computers has the potential to damage cannabis crops by interfering with or hampering growth or harvesting operations. Both grape growers and cannabis cultivators lost crops to California wildfires over the past few years, but there is one critical difference between the two groups: Grape growers can purchase federally backed crop insurance, whereas cannabis growers cannot. Policies that would cover cannabis growers for damages resulting from cyber attacks—cyber insurance—typically exclude coverage for property damage. As a result, cannabis growers and producers should work closely with their insurance brokers and counsel to seek coverage for this risk.

3. Businesses struggle with contradictions created by conflicting state and federal laws.

Insurance is no exception to the federal-state dichotomy cannabis businesses face. Cyber insurance policies may require, as a condition of coverage, the insured business notify law enforcement of a cyber attack, such as a ransomware attack. Cannabis businesses must scrutinize such provisions when they shop for cyber insurance to ensure policies do not place them in a Catch-22 situation when the time comes to make a claim. It is possible to negotiate the deletion, or at least modification, of these kinds of provisions so that they do not create impossible roadblocks to coverage.

Cannabis businesses commonly navigate legal and regulatory minefields. They can successfully navigate this one, too, with advance planning and reliance on the advice of their insurance brokers and counsel. They should give careful consideration to the types of attacks their particular businesses are likely to suffer and the financial losses such attacks could produce. They should work to prevent and mitigate the potential impact of such attacks by employing up-to-date security practices and remaining constantly aware of their information-technology security. Finally, they should understand their remaining computer security and financial vulnerabilities and proactively seek to address them with cyber insurance.
