Ransomware might not be the first threat that comes to mind when thinking about cannabis companies. With all the legal, regulatory, and financial risks unique to the industry – as well as the growing threat of armed robbery in certain areas – it can be easy to overlook cyber risks. However, as the cannabis industry grows, it may attract more attention from hackers, meaning it’s important to consider cyber insurance for cannabis companies.
Cybercriminals Can Target Anyone
Ransomware attacks don’t just affect big healthcare companies and critical infrastructure. Although these attacks tend to receive more media attention, smaller businesses in a wide range of industries face attacks every day.
The Ransomware Task Force estimates ransomware victims paid $602 million in ransomware extortions in 2021 – a 70% increase compared to 2021. Ransomware can also disrupt business operations: ransomware incidents accounted for 79% of all business interruption claims.
Small businesses are largely unprepared. Nationwide says cyber claims usually cost between $15,000 and $25,000 in recovery costs alone. Plus, there are costs related to brand reputation and legal fallout. It takes businesses an average of 279 days to recover from an attack. However, 40% of small business owners think a cyberattack would cost less than $1,000 and 60% think they could fully recover in less than three months. Small businesses are grossly underestimating the risk, which can mean they’re unprepared for the reality of a cyberattack.
The Cannabis Industry Is a Target
The cannabis industry is already a multi-billion-dollar market – and it’s growing rapidly. According to Grand View Research, the U.S. cannabis market was valued at $10.8 billion in 2021. It’s expected to experience a compound annual growth rate of 14.9% between 2022 and 2030, which would lead it to reach $40 billion by 2030.
This growth is catching the attention of entrepreneurs and investors. Unfortunately, it may also be attracting the attention of cybercriminals. According to MJBizDaily, cannabis companies could be ransomware targets. Many are largely unprotected against this risk. In a survey that asked people at cannabis companies about their preparations, 59% said they had not taken steps to prevent attacks.
At least one notable cyber incident has already occurred. In 2021, Bleeping Computer reported that a hacker was selling data stolen from a Canadian cannabis company during a breach. The stolen data allegedly included the personal information of customers and employees.
Fallout from Cyberattacks
Ransomware and data breaches are risks for any company involved in the manufacture, distribution, and retail sale of cannabis products.
When a ransomware attack or other type of cyber incident occurs, the impact can be devastating. An attack could:
- Expose sensitive information about clients, partners, or vendors. This could cause reputational harm and expose companies to data breach notification requirements.
- Make important files and computer systems inaccessible, shutting down operations. For grow operations, this disruption could put crops at risk.
- Involve an expensive ransomware extortion demand. Since many victims do pay, hackers have become greedier. Palo Alto says ransom demands increased by 144% on average in 2021.
Cannabis companies need to be prepared for cyber incidents.
- Know the common methods of attack. The Internet Crime Complaint Center (IC3) says the top three vectors of ransomware infection are phishing, Remote Desktop Protocol exploitation, and software vulnerability exploitation. Guard against these threats by training workers on how to avoid phishing, updating your software, and monitoring and securing your RDP.
- Use multifactor authentication and strong passwords. These practices can prevent a successful attack attempt.
- Back up your data. Cloud backups are useful, but the IC3 recommends also making an offline backup. Backups should not be connected to your network – otherwise the same malware that infects your network could also infect the backup.
- Use antivirus software to protect your systems. Make sure programs are up to date and running regular scans.
- Plan for an attack. Safeguards can prevent the likelihood of a successful attack, but there is still risk. Have a continuity and response plan in place. Consider how you will continue operations, recover your systems, and handle data breach notification requirements if your systems are compromised.
- Secure cyber insurance. Cyber insurance can help you cover some of the costs you incur during a cyberattack. Your insurer can also provide resources to support you during the cyber incident to minimize harm.
Are you looking for cyber insurance for cannabis companies? Heffernan Insurance Brokers provides insurance that caters to the needs of companies in the cannabis industry. Learn more.