
Committee Blog: Navigating Cybersecurity Risks in the Cannabis Industry

Cannabis industry cybersecurity threats are on the rise, and organizations that don’t take a proactive approach to information security may find themselves increasingly targeted. In this blog, members of the National Cannabis Industry Association’s Risk Management & Insurance Committee (RMIC) detail key considerations to help cannabis organizations enhance their network security. Throughout the blog there are hyperlinks for further information on certain topics, and for those organizations just getting started on their cannabis industry cybersecurity journey, two free resources worth investigating are the Small Business Administration’s (SBA) Cybersecurity Guide and the Cybersecurity & Infrastructure Security Agency’s (CISA) Cyber Essentials Starter Kit.

A Business Case for Cybersecurity Investment

As with any business investment, increasing cyber defense resources must provide a sufficient ROI for the business. When considering cybersecurity, it may be best to define that as Regret Of Inaction. Consider that according to IBM’s 2023 Cost of a Data Breach Report, the average cost of a breach has reached an all-time high of $4.45M. The old adage “an ounce of prevention is worth a pound of cure” certainly applies to security measures.

Cybersecurity risks do not apply only to large enterprises. Accenture’s Cybercrime study reveals that nearly 43% of cyber-attacks are targeted at small and medium-sized businesses (SMBs), and 60% of small businesses close within 6 months of being hacked.

Cannabis Industry Cybersecurity Starts with People

Any cultural shift at an organization needs to start from the top, and security culture is no exception. Adopting proper policies and procedures to safeguard organization networks and personnel is key, and that includes regular employee training: as many as 95% of attacks are caused by human error.

Being a Victim Stinks: Elevate Your Basic Cyber Hygiene

The National Cybersecurity Alliance just completed Cybersecurity Awareness Month, where they stressed four key principles that can help better secure organizations. We’ll touch on each below, and for additional best practices check out the Cannabis Information Sharing & Analysis Organization’s (Cannabis ISAO) 420 blog post, where they asked 4 cybersecurity experts to compile 20 tips for the cannabis industry.

Navigating Cyber Insurance

The world of business insurance, especially in the cannabis sector, can be quite complex. However, with the insights provided here, you can navigate your policy purchasing process with confidence and ensure your business is fortified against potential risks. By understanding policy forms, adhering to safeguards, and adapting to local regulations, you can lay a resilient foundation for your business’s growth and success.

“In Cannabis, we don’t get many options when it comes to cyber insurance providers, so it’s important we put our best foot forward when seeking or renewing cyber insurance policies. Work with your broker early to understand any upcoming changes to policies and the expectations being set by your insurers. When you can, hire a dedicated team that is focused on securing your digital estate, leverage well-known guidance frameworks such as NIST CSF, CIS Top 20, and HIPAA, and work with an independent party to verify your progress, which helps keep your premium costs down long-term and reduces the risk of you having an incident that requires you to file a claim in the first place.” - Chris Clai, Director of Information Security, Green Thumb Industries

Stay up to date on Cannabis Industry Cybersecurity threats and trends

Cyber criminals are opportunistic and will look for any advantage to defeat an organization’s security controls or trick its employees. Holidays can be a prime time for attacks because employees are taking time off and are more distracted than usual. Holidays and major newsworthy events can also lead to a spike in phishing and other scam activity. In the same way FEMA often warns people to look out for scams after natural disasters, consider what industry news may generate enough buzz to be used as a lure in phishing campaigns. Announcements related to a new state legalizing adult use, or legislative updates around SAFER Banking, could all be hiding malicious links.

Being involved in communities that actively share information about ongoing threats can be very beneficial. A member of the Cannabis ISAO recently shared details of a cash management company that had been a victim of a Business Email Compromise (BEC), which led to fraudulent wire transfer requests being sent out. Days later, MJBizDaily reported a similar incident which resulted in the loss of funds totaling nearly $650K for MariMed. Keeping up to date on these types of incidents can help inform employees of the current threat landscape and boost organizational resilience.

Incident Response

The middle of a cybersecurity incident is not the first time you want to be considering what your response processes are. In response to the recent high-profile MGM and Caesars ransomware incidents, National Cyber Security Alliance Executive Director Lisa Plaggemier stated “the best way to deal with a ransomware attack is to practice having one, to do tabletop exercises.” Having plans and procedures in place is important, but it’s equally important to test and validate those plans.

In the event of an incident, it may be necessary to engage a digital forensics vendor. Consider having one on retainer, or at least establishing a relationship ahead of time to enable a speedy response. In some cases your cyber insurance company may have preferred vendors for this type of work.

Conclusion

The RMIC advocates for a proactive approach to risk management that emphasizes the importance of informed decision-making. By evaluating an insurer’s claims experience, comprehending legal nuances, and staying attuned to the evolving threat landscape, you can empower your business with robust protection, ensuring a resilient foundation for growth and success.

Published by NCIA’s Risk Management & Insurance Committee (RMIC)

Contributors: 

Ben Taylor, Executive Director of the Cannabis Information Sharing & Analysis Organization

Matthew Johnson, Risk Consultant at AssuredPartners

Member Blog: As Cannabis Sales Rise, So Do Questions About Privacy and Security

Frank Nisemboum, Vice President of ERP Sales at c2b teknologies

Legal cannabis is a big business that handles big data. From personal data, to protected health information, to cannabis-specific information that must comply with cybersecurity and data privacy laws, the entire cannabis industry faces data privacy and cybersecurity challenges not faced by other sectors.

But wait, other sectors have to navigate data concerns too, right? Cannabis is different. Aside from adhering to all the typical privacy concerns, cannabis data comes with an added layer of complexity for cannabis operators due to industry-specific data collection and mandatory retention requirements surrounding it.

Growing Cannabis Data Collection

A cannabis customer provides a vast amount of personally identifiable information every time they buy legal marijuana products. These individuals present a government-issued ID card to confirm they are at least 21 for adult-use purchases, or prove they have a prescription to access medical marijuana. The data collected on each transaction includes the customer or patient name, date of birth, address, phone number, and driver’s license or medical ID card number, as well as email address and signature.

Cannabis dispensaries also provide equally large amounts of operations data to METRC (Marijuana Enforcement Tracking Reporting Compliance), which is used in 13 states and the District of Columbia. METRC is not the only government reporting system used to maintain cannabis compliance. For example, California relies on the CCTT (California Cannabis Track-and-Trace) system to report the inventory and movement of cannabis and cannabis products throughout the cannabis supply chain.

Cannabis legalization is expected to spread across the country to all 50 states now that adult-use cannabis is permitted in 11 states and Washington D.C. and 36 states allow medical marijuana. Many of those states require all cannabis licensees, both annual and provisional, to use METRC to track marijuana products through the entire supply chain.

Cannabis cultivators, manufacturers, retailers, distributors, testing labs, and micro-businesses need to manage and maintain those records for a minimum of seven years. That is a tremendous amount of valuable data for cannabis companies to track, and it is precisely the data cybercriminals and hackers seek out: combinations of protected personal and health data, like social security numbers and diagnoses, with supplemental information like addresses and copies of ID cards.

If a cannabis company dispenses medical marijuana to patients, or supports one that does, it falls under the regulatory oversight of the Health Insurance Portability and Accountability Act (HIPAA) and the Office for Civil Rights (OCR).

Safeguarding Cannabis Data

Legal cannabis and the data security issues it creates pose multi-pronged challenges from both a legal and a technological perspective. Because of the massive repositories of personal data that must comply with cybersecurity and data privacy laws, the requirements don’t come with a roadmap cannabis operators can simply borrow from other industries.

The collection, storage, and security of all this valuable data raise many privacy and security concerns, especially when guidelines for collecting the information vary by state. For example, operators in Ohio and California must house personal data using third-party software to track inventory and retail point-of-sale, whereas Illinois dispensaries cannot store any personally identifiable information onsite and must instead use cloud or other off-location services.

Healthcare companies make attractive targets for hackers and suffer data breaches more often because they store huge volumes of protected health information (PHI). Medical dispensaries and supporting companies handle PHI too, but PHI is not all a cybercriminal may want from a cannabis operation.

Employee records often contain background checks and financial data along with personally identifiable information such as name, date of birth, and SSN, all in one nice package. And cannabis data has been breached several times in recent years.

Cannabis Data Breaches Happen

Even as a newly legitimized industry, cannabis organizations have already experienced high-impact data and security breaches. In early 2020, a database breach resulting from an unsecured Amazon S3 data storage bucket was reported that impacted almost 30,000 people connected to the marijuana industry. The data breach included scanned versions of government-issued ID cards, purchase dates, customer history, and purchase quantities.

In 2019, a Canadian cannabis company exposed the electronic medical records of over 34,000 customers.

Between 2016 and 2018, the cannabis-tracking software provider MJ Freeway endured significant data breaches in which over 1,000 dispensaries in 23 states were hacked. Less than six months later, hackers stole a portion of MJ Freeway’s source code and posted it publicly to social media.

Prior to that, Nevada’s Medical Marijuana Program database was breached in 2016, exposing sensitive personal data of over 11,000 people involved in the Nevada cannabis industry. This breach included names, social security numbers, race, as well as home and business addresses.

Cannabis Operators Short on Cybersecurity Budgets

Cannabis companies are responsible for securing their data to protect their customers and staff. To prevent data leakage, point-of-sale machines need endpoint protection, encryption, secure backups, and proper network segmentation.

Unfortunately, some cannabis organizations fall short of installing appropriate cybersecurity measures, a shortfall that can have far-reaching effects on cannabis users. Leaked personal data could have negative personal and professional consequences for a cannabis patient whose workplace prohibits cannabis use.

To avoid becoming an easy target, cannabis companies need to focus on data privacy and security just as much as on marketing and sales. The penalties for exposing a customer’s or employee’s personally identifiable information and cannabis-related data are too expensive to ignore, and such exposure undermines any confidence that their data is secure.


Vice President of ERP Sales, Frank Nisemboum, is a trusted advisor at c2b teknologies who has guided organizations of all sizes, enabling them to establish a technology presence and expand their business through technology. His proven ability to analyze the current and future plans of a company, and to work with team members to bring technology solutions to the organization, results in improved processes and controls that assure continued growth and profitability.

Frank has worked in the ERP and CRM software selection, sales, and consulting industry for almost 25 years. His strong ability to understand, interpret, and match the needs of an organization to the right solution makes him an asset to all of his clients.

c2b teknologies’ integration and engineering experts have partnered with leading cannabis industry experts to develop a software solution that provides a complete cannabis operations system. The best-in-class solution not only handles tracking of seed-to-sale activities but encompasses your entire cannabis operation, with compliance needs handled along the way. Our passion for solving problems drives us to deliver innovative solutions for everyone we work with. Visit c2btek.com for more information.
