Happy New Year! 🎉
Happy New Year from all of us at Frontier Risk! We had a strong 2023, onboarding clients of all shapes and sizes with material premium savings and using our data to pull in brand new carrier and reinsurance markets that were previously unwilling to touch cannabis. We’re seeing rates start to normalize in certain lines of business; other lines remain asymmetric compared to non-cannabis industries but are easing slightly.
Here at Frontier Risk we do believe that rescheduling is on the horizon between now and election day. While timing is uncertain and we don’t believe any of the “experts” know with any certainty, the mechanics of a likely required comment period before final implementation – and that happening by election day – would seem to point to this summer as the most likely time window. See our previous insight breaking down rescheduling mechanics and issues.
2024: The Year of Cyber Risks in Cannabis
Of all the trends we monitor, Cyber risks may represent the biggest gap between very high intrinsic risk and very low opt-in rates in the market. Said differently, cannabis businesses of all types remain highly exposed to various Cyber threats, but very few operators are purchasing coverage when they should be. And this isn’t a sales pitch: Cyber coverage, dollar for dollar, is some of the most affordable coverage available relative to other lines such as property, general liability, and product liability.
Why are cannabis businesses more exposed to Cyber risks than other businesses? It has to do with a complicated set of factors unique to cannabis, coupled with a systemic increase in Cyber crimes across the world that is set to rise again in 2024. While Cyber risk is high across all parts of the cannabis supply chain, retailers may be most exposed. Here’s what we mean by the above:
- Cannabis businesses are often in the business of storing and transmitting consumer data, particularly data that can contain Personal Identifying Information (PII), and, even more risky, Protected Health Information (PHI). All operators should know the difference in importance and risk between these two categories
- Vertically integrated operators and retailers are particularly exposed depending on whether they serve medical or Adult Use markets, and the interplay can be further described as follows:
  - As more and more US states turn to Adult Use, the consumer base moves toward Adult Use, and therefore more in the category of PII than PHI. However (and this is a big however):
  - Many dispensaries / retail shops may double as both medical and Adult Use sales centers, as many consumers prefer not to pay sales tax that typically is not applicable to a medical product. Conversely, many consumers who consume cannabis for true medical needs prefer to still purchase under an Adult Use framework out of concern for being listed on a given state’s medical database (there are multiple reasons for this, but we typically see consumers worried about 2nd Amendment rights or employee background checks, even though many of these concerns are misplaced – contact us to understand why)
  - In either case, a retail facility handling both medical and Adult Use sales frameworks under the same roof, with consumers mixing and matching, requires operators to set up and enforce robust internal controls with respect to data protection and broader information technology to avoid leakage of confidential data
- Most operators are behind in enforcing enterprise-level data security in their systems for obvious and understandable reasons. You’re jumping through enough hoops just to get a cannabis business set up, much less profitable, and the last thing on operators’ minds is typically IT security
- But: it matters, a lot. Any operator concerned with reputation through great products and great customer service needs to realize that for every hour of effort spent on the aforementioned, an hour on data protection is equally important. Imagine a data breach where the PII of your Adult Use customers is exposed to the broader internet or broader public; would that customer base be happy with you? Now, take that risk and multiply it by at least 10x if PHI is exposed. The liability can increase exponentially, as in many cases, these breaches can represent HIPAA violations
- Importantly, HIPAA violations can occur in your business every single day without any kind of data breach. PHI-related data is often tossed around carelessly in a dispensary setting amongst employees who have no malicious intent and who don’t know any better or haven’t been trained. Patient data, often stored in Point-of-Sale systems, is often downloaded, emailed, and shared with numerous parties on cc who should not be in custody of this highly sensitive information. And this isn’t limited to retailers: Customer and patient data is often passed along from retailers to brand partners, distribution partners, and licensing partners to run consumer analysis, inadvertently putting multiple parties in the line of fire from consumers and patients who will litigate in the event of a public breach or inappropriate internal / partner sharing. Lots of things can bring a cannabis business to its knees; a HIPAA violation is right at the top of that list
Here’s the bottom line: Cannabis businesses traffic in much more sensitive (and at times much more robust) data than many other industries, yet often lack the resources or attention to properly protect it, making Cyber risk, in our opinion, one of the most asymmetric risks in the entire industry.
Frontier Risk Can Help – We’ve Seen It All
Frontier Risk has a litany of methods to help you better protect your data through rigorous internal controls on the IT side and loss-prevention programs that we have designed to protect your business.
It’s not just risks related to consumer and patient data. We’re seeing cyber crimes on the fraud side explode as the use of AI in businesses has risen dramatically in 2023 (and will continue to rise even faster in 2024). Operators are now more likely than ever to fall victim to phishing and related scams that result in parting with their hard-earned cash. It’s easier than ever for hackers to use AI-assisted tools to pretend to be your partner, your employee, your landlord, your investor – anyone, really – and scam you into wiring money in a fraudulent scheme. Never, ever wire money without voice verification, and train your employee base to be on the lookout for these risks. If it quacks like a duck and walks like a duck, it’s probably a duck. Virtually no one asks for money over email anymore.
Last, but definitely not least, come to us for a policy review. Most cyber crimes are not protected under your Property or General Liability policies, and in the rare cases where they are, sublimits (the amount beneath the headline limit in your policy that is buried in the fine print) can be very, very low, particularly for wire fraud. Given the low cost of Cyber coverage, it’s almost always better to procure a separate Cyber policy. To go a step further: Management teams are viewed in a better light if they’re managing liability in an organization with a separate and robust Cyber policy, potentially leading to better (lower) rates on other insurance coverages like D&O and EPLI.
At Frontier Risk, we’ve seen it all: from single-door dispensaries inadvertently emailing spreadsheets with sensitive health information to partners, to POS-system leaks and indemnification fights based on weak POS provider contracts, to large MSOs with systemic internal controls failures leading to major data breaches. As operators, we’ve designed internal controls processes to mitigate these risks, and we know how to tailor Cyber coverage for your business that doesn’t break the bank but leaves you well protected so you can focus on great product and service.