As with every industry, the need for cyber insurance is growing for the cannabis sector. However, this is not the perception in the market, with many seeing marijuana businesses as being low-value targets for hackers, according to thought-leaders on a Farella Braun + Martel LLP webinar.
“The reality is we are starting to see more cyber incidents in the cannabis industry as a whole,” said Michael Peters, product leader and professional liability broker for the cannabis division at PL Risk Advisors. He added that even more worrisome is the range of sectors covered by cannabis, spanning cultivation and wholesale to retail, in addition to having a medical standpoint.
“You have to keep in mind that cannabis itself can find a home in a lot of industry types,” Peters reiterated. “There are a lot of moving pieces in the cannabis continuum that can drive claim frequency and severity.”
While the marijuana industry spans the risk spectrum, Farella Braun highlighted the following three issues as critical coverage challenges in the cannabis space:
1. Property damage: As seen during the Colonial Pipeline attack and the Ukraine steel plant incident from late 2014, when companies rely on computers to operate industrial systems, bad digital actors can cause real-world property damage either as part of the attack strategy or as a byproduct of a breach, according to Tyler Gerking, head of Farella Braun’s insurance recovery department.
For example, if a cultivator is using a computer to monitor or regulate a watering system and a cyber event shuts those systems down, and the product is damaged as a result, coverage in a cyber policy would typically not apply.
“In that case, the grower would have to look at their crop coverage, which if they have it typically has a cyber exclusion,” Gerking said.
However, if a cannabis company is monitoring crops using a third-party system and that vendor is breached, rendering the business inoperable or partially inoperable, certain elements of coverage could potentially apply, such as the business interruption elements of these policies, according to Javier Gonzalez, a partner with PL Risk Advisors and executive vice president of sales.
“We had a situation where a server farm was hit by lightning in West Texas. The farm was down for four or five days at a minimum, and we had multiple insurers calling to report an incident that they were unable to obtain their data and operate,” Gonzalez said. “Because the server farm was shut down, their data was inaccessible for a period of time for which they wanted to know if they were able to collect a business interruption income loss under their cyber policy. In that particular case, there was some coverage, and the vendor also decided to indemnify them (impacted businesses) to a certain extent.”
2. Exhausting limits for defense: Cannabis businesses also may face a limits issue, of sorts, with cyber insurance due to the potentially sensitive nature of the information they collect, according to Gerking, who noted this could result in more lawsuits, higher-profile cases and plaintiffs seeking greater damages.
“We saw it in the Ashley Madison breach four or five years ago — just the fact that someone’s name was associated with a company caused lawsuits and liability exposure to skyrocket,” he explained. “Limits get eaten up quickly by defense costs. Basically, you can spend all your limits defending a case and have nothing left for settlement or judgment at the end.”
3. Reputational harm: Cannabis businesses can store quite a bit of sensitive information in addition to credit card and personal details, such as driver’s license numbers and health info. As such, a breach that exposes that info could lead to reputational harm for marijuana businesses as consumers could grow fearful of future breaches. Further, given the nature of cannabis, some consumers might prefer to keep their use private, Gerking pointed out.
“Cyber sometimes covers reputational harm that results in lost business due to a cyber event,” he said. “Say you have a breach; you notify your customers, and the incident becomes public, and, in turn, people don’t want to do business with you. That is particularly important coverage to get if available.”
For wholesalers and cultivators, cyber issues are less about sensitive data and more about being “dependent on technology to operate,” Gonzalez said, adding, “that’s where the money is for the bad guys.”