Experian Data Breach Resolution (Experian) has identified its “top data breach trends of 2020,” and the cannabis industry should take note. In its “Data Breach Industry Forecast 2020,” Experian predicts that “we will see many burgeoning industries, such as cannabis retailers, cryptocurrency entities, and even some environmental organizations targeted for cyberattacks as a result of online activism or ‘hacktivism.’”
In recognition of this risk, cannabis retailers as well as other cannabis-related businesses should – in addition to taking other prudent risk-mitigation steps – ensure that they have procured insurance to protect against potential cyber-related losses and claims. While the cyber-insurance market available to cannabis-related businesses is still rather limited, such businesses generally still can – and should – obtain at least some cyber coverage today.
Discussing its prediction that “cannabis retailers” likely will be “targeted for cyberattacks” in 2020, Experian explains:
Many burgeoning companies, like cannabis retailers, may not fully invest in protective, cybersecurity measures as core parts of their business models due to competing priorities. While any retailer is always a target for cybercriminals, cannabis retailers present a bigger target due to the nature of their business. And medical marijuana dispensaries may be an even bigger target due to the ready access they may provide to personal medical records, many of which may prove to be very valuable on dark web forums. …
Due to the relative youth of these burgeoning companies, hackers will be able to leverage more traditional exploits like phishing to gain access to sensitive data. What’s more, the nature of their business models make these companies targets for hacktivist activity from those who simply don’t agree with the company’s business model.
“The [t]akeaway,” according to Experian, is be proactive:
Cannabis retailers, cryptocurrency entities, and environmental organizations are attractive targets for cybercriminals due to their prevalence in society and increased cash flow. However, these industries are faced with many of the same cyberthreats as other businesses, such as phishing scams, cloud vulnerabilities and ransomware. That’s why it’s especially important for businesses that are new to the market to take protective measures such as investing in antimalware software and implementing mandatory cybersecurity training programs for employees, to safeguard from cyberattacks. (emphasis added).
In addition to considering those “protective measures,” a cannabis-related business should also ensure that it has obtained cyber insurance to protect itself against cyber-related losses and claims.
A cyberattack can harm a business in many different ways. For example, a cyberattack can interrupt the business’ normal operations; such an interruption would be a type of a “first-party” loss. By way of another example, a cyberattack could cause the disclosure of a third party’s private information, thereby (allegedly) injuring the third party. In turn, the third party could sue the affected business; such a lawsuit would be a type of a “third-party” claim.
Cyber insurance can cover both first-party losses as well as third-party claims. In terms of first-party coverage, cyber insurance may cover the costs associated with crisis management, data restoration, business interruption, and/or other results of a cyberattack. For example, cyber insurance may even cover the costs associated with responding to some form(s) of cyber extortion.
As noted above, today, the cyber-insurance market available to the cannabis industry is limited. Nevertheless, any cannabis retailer or other cannabis-related business interested in purchasing such coverage should – just like any other business – conduct appropriate due diligence. In addition to, for example, researching the financial ratings and claims-paying histories of potential insurers, the potential policyholder should carefully vet the various policies being offered. To that end, the potential policyholder should consider – just for example – the policy limits; other key policy terms and conditions, including potentially problematic exclusions; applicable deductibles or retentions; and premiums. Insurance-coverage counsel can help with this review and analysis, as well as with the procurement of cyber and other insurance more generally.
Undoubtedly, the cannabis industry is a fast-paced one; there is something new and important to consider each day. As such, many cannabis-related businesses seemingly do not even think about insurance, and, if and when they do, they focus on the more “obvious” coverages, such as property or product liability insurance. Like any business, however, a cannabis-related business should not stop there; it also should consider other coverages. Specifically, given the clear and present danger of a cyberattack, as documented by Experian, a cannabis-related business also should consider obtaining cyber insurance.
Do not wait until a cyberattack occurs before asking, “Am I covered?” Instead, be proactive. In addition to taking other protective measures, a cannabis-related business should confirm that it has the appropriate cyber coverage in place now, and, if it does not, it should consider taking the necessary steps to procure it today.