The cannabis industry is the latest target for cybercriminals. Why? Because many cannabis operations employ less than 100 workers and few are equipped with sophisticated IT systems and knowledgeable on-staff IT personnel, so they are often easier to exploit.
Add the all-cash nature of the business, along with the large amounts of protected health data and personally identifiable information medical dispensaries may store and the industry’s shift toward operational automation to increase yields and lower labor costs and you’ve got an industry that’s extremely vulnerable and a prime target for cyber extortion.
Safeguard your corporate networks and internet connections by encrypting information and using a firewall.
Take the cannabis businesses in Ontario that lost millions after a local distributor was hit by a cyberattack and was incapable to process or deliver orders to local retailers. In another cyberattack, hackers stole $3.6 million that an Australian medicinal cannabis firm intended to send to an overseas contractor.
A still prevalent tactic is for hackers to target workers with email-based phishing scams that enable the installation of malware or ransomware to obtain protected health information to sell or lists of high-profile clients to extort.
While there’s a lot to fear and be on the alert for, there’s also a lot that cannabis businesses can do to both reduce their risk of an attack and proactively protect themselves.
Six hallmarks of a strong cyber-defense program:
Assess the risk. One place to start building a comprehensive approach to cybersecurity is to conduct an appropriate cyber vulnerability or risk assessment of your cannabis business. This exercise can reveal gaps, but it also helps prioritize your effort and develop a vision for your goal state.
Train and test. Train employees on the importance of cybersecurity. Make sure employees undergo phishing training and conduct refresher courses at least annually. Then, test them. Are employees retaining the information shared in training? Send simulated phishing emails and track performance to determine if training hits the mark.
Secure the perimeter. Safeguard your corporate networks and internet connections by encrypting information and using a firewall. If your employees work remotely, consider use of a Virtual Private Network (VPN) to allow them to safely connect to your network from out of the office.
Engage protective tools. In addition to using antivirus software and keeping all software updated and patched,multifactor authentication (MFA) and endpoint detection and response (EDR) are crucial for maintaining a secure network. Most carriers require MFA for remote network access, on email, and to protect privileged user accounts. EDR monitoring of devices connecting to the network is also increasingly a minimum requirement for insurance coverage.
Develop a backup strategy. A solid data backup strategy makes companies less susceptible to ransomware attacks by allowing organizations to restore operations. Perform frequent backups — every day if possible — and consider leveraging cloud solutions along with storing backups in an immutable state off-site or off-network.
Build an incident response plan. Cannabis companies should have a plan for responding to an attack, a system for validating what happened and the resources to remediate the issue.
What if a breach occurs?
Even with a great incident response plan in place, the road to recovery from a cyberattack is a complex and rapidly evolving landscape. Should we communicate with the threat actor? Should we pay the ransom demand? How do we capture forensic evidence? What are the laws guiding notification of impacted employees or clients? When an organization has armed itself with a cyber insurance policy, they not only transfer much of their risk, but they often gain access to a carrier panel of specialized response providers that include breach coaches, forensic investigations firms and privacy attorneys.
In addition to leveraging the specialized post-breach expertise offered by carriers, insureds should also consider familiarizing themselves with and leveraging any pre-breach resources provided, which often include no-cost external vulnerability scans, employee awareness training and discounted technical security solutions.
Despite the US making cannabis regulations challenging to navigate, the industry is snowballing toward profitability. New Jersey legalized adult use cannabis on April 21 this year. One month earlier, The Garden State began accepting applications for Class 5: Retailers, Dispensing and Delivery.
Although New Jersey isn’t shy about its licensing requirements and standards, many people want to know how retailers can stay in the game for the long run. So, let’s talk about risk management considerations New Jersey retailers need to know.
Top Risks Cannabis Retailers Face in New Jersey
Regardless of what kind of retailer you operate —medical or adult use — it’s critical to know what you’re up against. The following are the most common risks we’ve watched cannabis retailers face daily in New Jersey, making a customized risk management strategy necessary.
Theft
Like other retailers, New Jersey cannabis retailers are vulnerable to theft. Unfortunately, theft can come from various angles, such as in-store, in-transit and insider crime. Besides cannabis retailers typically having a well-stocked inventory, it’s not uncommon for them to have more cash on hand than most other businesses.
Although the SAFE Banking Act could positively impact the cannabis industry, it’s in a notorious stall yet again. Briefly, the SAFE Banking Act would no longer allow financial institutions, such as banks and credit card companies, to refuse to do business with cannabis companies. However, cannabis retailers must operate in a cash-only environment, for now, forcing them to make bank runs multiple times a day. We probably don’t have to explain how enticing a significant inventory and fat bank bags look to criminals.
Cybersecurity
Since the onset of the global health crisis, the cyber liability landscape has nearly spun into a death spiral. In other words, cybercriminals sat on the edge of their seats during the pandemic, waiting to pounce on anything that looked slightly vulnerable. Remote workers, small businesses, and emerging industries were hard-hit.
It’s no surprise that New Jersey cannabis retailers face many cybersecurity risks through their point of sale (POS) systems. Additionally, retailers often gather and store personal information, such as email addresses, credit card numbers, shipping addresses, etc. Hackers and cybercriminals gravitate to this vital data rapidly.
Property Damage
In addition to the risk of theft, as mentioned above, cannabis retailers must protect their property from losses. Without adequate protection, damage to equipment or buildings could add up to high out-of-pocket costs. Consider the damage a weekend office fire or late-night vandalism would cause. If property damage occurs, retailers must figure out how to sustain business operations while recovering from the loss simultaneously. As a result, New Jersey retailers must protect their property and maintain business continuity.
How to Customize a Risk Management Strategy
Watch or listen to any news reports and there’s a decent chance that you’ll feel some slight sense of doom and gloom. And sure, a lot is going wrong in our world; however, that doesn’t need to impact how you perceive your businesses. Instead of casting a massive net over every possible risk that you can imagine, we recommend trying the following 5-step approach. Here’s the gist:
Identify: Pinpoint high-level risks that are specific to the cannabis industry. Then, let the process trickle down to focus on company-specific exposures.
Analyze: Determine how badly a particular risk could harm your retail company. How much will this hurt should the “what-ifs” play out?
Evaluate: Categorize risks according to how risk tolerant your company is. Will you avoid, transfer, mitigate or accept the risk?
Track: Use your history or the stats from a similar retailer to map out how you’ve handled the risk over time. Older retailers have an advantage over younger retailers, of course, but you can still get a feel for your risk management style.
Treat: Make good on your evaluation promises by avoiding, transferring, mitigating, or accepting the various risks you identified.
Recommended Insurance for New Jersey Retailers
Sales totals in the first month of New Jersey’s adult use market
The New Jersey Cannabis Regulatory Commission issued detailed requirements for new cannabis businesses. That said, part of the application requirements considered is the plan for companies to obtain liability insurance. Many new retailers opted for a “letter of commitment” as opposed to a certificate of insurance (COI), stating their plans for obtaining the following coverages:
Commercial general liability: Protects cannabis companies against basic business risks.
Product liability: Protects against claims alleging your product or service caused injury or damage.
Property: Reimburses cannabis companies for direct property losses.
Workers’ compensation: Covers employees if they are injured on the job and can no longer work.
In addition to the required insurance coverages, we recommend New Jersey retailers customize their risk management package with these policies:
Crime: Protects your cannabis company against specific money theft crimes.
Cyber: Protects your cannabis company against damages from specific electronic activities.
Directors & officers: Protects corporate directors’ and officers’ personal assets if they are sued.
Employment practices liability: Protects cannabis companies against employment-related lawsuits.
Professional liability: Protects cannabis companies against lawsuits of inferior work or service.
With more states in the US entering the marketplace soon, New Jersey is doing its fair share of the heavy lifting by spearheading the onboarding process. Remember, doing your due diligence at the start pays off in the long run — New Jersey retailers are proving that. Consider teaming with a commercial insurance broker calibrated to the cannabis industry, so you get the most out of your broker, marketplace and the cannabis industry as a whole.
It wasn’t that long ago that cannabis was underground, sometimes literally, and operators protected what was theirs any way they knew how. Before legalization, cannabis operators needed to secure their plants, cash, supplies and equipment not just from people who wanted to steal them, but also from law enforcement. The legacy cannabis market is now transitioning into a legal one, and licensed operators are joining the industry at an incredible rate, but security is still part of the success equation. Like before, operators need to protect plants, products, equipment and cash, but they now also need to protect records, privacy and data, and do so in a manner that complies with state regulations.
Cannabis regulatory authorities set security guidelines that cannabis business owners must follow in order to obtain and renew operational licenses. For instance, there are state-specific security regulations regarding video surveillance, camera placement, safes, ID verification, and more. While security measures help protect the business, they also protect the public. It’s a win-win for everyone involved. Here are five best practices and techniques to protect cash, records, products and people.
Hybrid cloud storage
State regulations call for reliable video surveillance footage that is accessible, in most cases, 24/7 and upon demand by cannabis regulatory authorities and local law enforcement acting within the limits of their jurisdiction. SecurityInfoWatch.com reports that video data is the industry’s next big investment, meaning there will be an increased demand and need to store video surveillance footage. Most states require video surveillance footage to be retained for a specific amount of time, often 45-90 days or longer if there is an ongoing investigation or case that requires the footage. While some businesses only retain video data for the state-required length of time, others choose to keep it longer.
Storing data on-site can become expensive and precarious. Best practices call for a hybrid cloud storage solution model as it provides on-site and both public and private cloud data storage solutions. This model provides users with the ability to choose which files are stored on-site and which files live in the cloud. Doing so improves file accessibility without impacting or compromising on-premises storage. In addition, it’s helpful to have two methods of digitizing data, for safety’s sake. In the event an on-site storage method crashes—though hopefully this won’t ever happen—there’s a version available off-site via the cloud. That said, with cloud-based storage solutions come cybersecurity threats that must be managed.
Cybersecurity
Dispensaries are prime targets for burglary. Defending a storefront requires a comprehensive security plan
Due to the ongoing COVID-19 pandemic, more businesses are online than ever before. Unsurprisingly, cyberthreats are on an upward trend, including in the cannabis industry. Earlier this year, MJBizDaily reported that a data breach exposed personal information of current and former employees of Aurora Cannabis. The incident involved “unauthorized parties [accessing] data in (Microsoft cloud software) SharePoint and OneDrive”. Although this breach involved only employees, confidential customer information is also at risk of being compromised during a data breach.
On a separate occasion, an unsecured Amazon S3 data storage bucket caused a large-scale database breach that impacted almost 30,000 people across the industry, according to the National Cannabis Industry Association. The breach included scanned versions of government-issued ID cards, purchase dates, customer history and purchase quantities. Unlike the Aurora Cannabis breach, this one included customer data.
Just like other more established industries, the cannabis industry needs to protect and secure confidential data. If you don’t have a cybersecurity expert on your team, consider hiring a consultant to evaluate your risk or partnering with a credible cybersecurity technology company to implement proactive solutions. Before signing a contract, do your due diligence. Does the consultant and/or technology company understand the compliance regulations specific to the cannabis industry? Do their solutions meet the regulations in the state(s) where your facility operates? Taking the time to protect your company’s data before a breach occurs is proactive, smart business.
Smart Safes
A smart safe like this one can helps secure cash handling
Smart safes help secure cash handling, which given the difficult banking environment for cannabis companies, means they’re on the list of best practice security technology products. What is a smart safe? A smart safe is a device that securely accepts, validates, records and stores cash and connects to the other cash management technology solutions such as point of sale systems. They connect to the internet and provide off-site stakeholders visibility into a facility’s cash position.
A high-speed smart safe counts cash by hand faster than a human and is an overall more secure way to deliver cash bank deposits. At the end of the night, making a deposit at a physical bank location can be dangerous, exposing your cash and the individuals responsible for making the deposit to unsecured threats. Using a smart safe reduces that threat and also helps cannabis operators comply with financial recordkeeping and documentation requirements. Due to federal cannabis prohibition, many cannabis businesses lack enough insurance to fully cover their exposure to cash theft, which has led to a trending industry-wide investment in smart safes.
Advanced access control
Best practice access control means more than a ring of keys hanging off the facility manager’s belt. Advanced access control gives cannabis business owners and managers the ability to manage employee access remotely via the cloud. This feature can limit access areas within a facility, enabling an individual to revoke access instantly from a remote location making it a useful tool in the event of a facility lockdown or emergency. A mobile app and/or website can be used to lock or unlock secure doors, monitor access in real time and export access logs.
Advanced access control devices aren’t a standard in the industry yet. Although many state regulators don’t require cannabis businesses to utilize advanced electronic access control, using this technology is a best practice and may be required in the future.
Compliance software
Understanding the ramifications and keeping up with state-mandated compliance is challenging. While state regulations can be found online, they’re often in pieces, leaving operators unsure about whether or not they have them all. Once an operator is confident that they have the most current version of all the laws, rules, and regulations that apply to their cannabis business, making way through the dense legal jargon can be exhausting. Even after multiple readings, it can be unclear about how to apply these guidelines to the operator’s cannabis business, which is one reason cannabis businesses work with a trusted legal counsel to meet compliance requirements. For trusted advisors and cannabis business licensees and operators alike, cannabis compliance software solutions are designed to not just check boxes for a cannabis business, but to help everyone involved understand how the regulations apply to the operation. These solutions improve accessibility so that employees at all organizational levels understand the rules and requirements of their position and the products they work with.
In addition, compliance software can help licensees and operators establish and implement best practice SOPs to meet regulatory requirements. Because the cannabis industry is young and many operators are moving fast, many cannabis businesses are vulnerable to security breaches and threats. Prioritizing security and compliance can help cannabis leaders protect against potential threats. Investing in the latest and most innovative security technology solutions—beyond what is required by state regulations—can help operators outsmart those who seek to steal from them and position their companies as industry leaders that prioritize safety and compliance, protecting not just cash and products, but the people who work in their facilities and the customers who purchase their products.
Anyone in the cannabis industry is well aware that theft of crops can economically devastate a grower. Security is critical, and thankfully, growers and dispensaries have many tools available to protect their investment. There is simply no excuse for not having a solid security posture to keep your business in compliance, from public-private partnerships to advanced security tools – in fact, it’s required in most jurisdictions.
In 2020, nationwide cannabis sales increased 67%, and support for legal marijuana reached an all-time high of 68%. New Frontier Data found that U.S. legal cannabis market is projected to double to $41.5 billion by 2025.
The industry’s advancement impacts numerous areas such as job and tax revenue creation and providing a wide variety of valuable opportunities. For cannabis facilities to keep up with the market expansion and experience success, they must face two significant challenges: achieving adequate security and efficient business operations. Though both can be seen as separate concerns, growers and producers must merge processes and solutions to tackle the issue as a whole.
Dispensaries are prime targets for burglary. Defending your storefront requires a comprehensive security plan
Along with rapid growth, dispensaries face traditional security risks, such as workplace violence and retail theft, while cybersecurity risks have also become more prevalent. These potential issues make it clear that the stakes are high, and as the potential impact on a business rises, the need for real-time, predictive response increases. Insider threats are another issue plaguing the industry when you look at the rate of theft, diversion and burglary that is attributable to employees.
The cannabis market is complex: it’s expanding rapidly, has to meet essential regulatory requirements and faces high-security risks. Therefore, security needs to be looked at holistically since it can be challenging to determine where a potential threat may originate.
With security top of mind, it is critical to move away from responsive behaviors and seek ways to manage security in a manner that gets ahead of threats, prevent them before they happen and respond to them in real-time. But does a grower or retailer have the time and expertise to manage all this while keeping an eye on how security affects the business?
Remote Security Operations
The ability to comply with government regulations and protect a valuable cannabis crop at all stages of its journey from seed to sale makes security systems a mission-critical asset for cannabis growers. Security operations centers create a safer and more productive environment and provide state-of-the-art tools to protect employees, retail locations and grow facilities. But some businesses in the cannabis market may not have the resources or space to have their centralized security operations, leading them to piece-meal security together or do the best with what they can afford at the time. Running these facilities can also be prohibitively expensive.
Security operations centers create a safer and more productive environment and provide state-of-the-art tools to protect employees, retail locations and grow facilities.
But new options take the process of security off the table. The business can focus on the growth of its core functions. Remote security operations services allow companies to take advantage of advanced security services typically only possible in larger enterprise environments. These services are offered on a subscription basis, delivered through the cloud, and are entirely customizable to detect risks unique to your business operations while saving each company significant expense.
Centralized security operations centers leverage intelligent tools, standard operating procedures and proven analytic methods to provide cannabis facilities with the information and guidance necessary to mitigate issues like retail or grow theft before they can have a significant impact.
The integrated, holistic response center staffed by experienced operators and security experts delivers a comprehensive security and regulatory compliance method. This approach is designed to provide complete data about what is happening across a cannabis business, from seed to sale, and how individual events can impact the company as a whole. As a result, stakeholders get the security intelligence they need, without the high overhead, personnel investments and complex daily management.
For those businesses in the cannabis market looking to supplement their security operations with other workforce but may not have the budget or infrastructure to do so, remote security operations services are something you should consider. With the experts handling all the heavy lifting, leaders can focus on growth. And, right now, in the cannabis industry, the sky is the limit in terms of opportunity.
The cannabis industry’s advancement towards legalization continues to dominate national headlines, from the stance of incoming Attorney General Merrick Garland to deprioritize enforcement of low-level cannabis crimes, Senate Majority Leader Chuck Schumer’s continued advocacy, to the recent passing of legislation in New York, New Mexico and Virginia (the first in the South) to authorize adult-use cannabis. While these updates are likely to intrigue customers and investors alike, they are also sure to draw the attention of cyber criminals who could look at the relative youth of the industry, as well as its rapid growth, as a prime target of opportunity for nefarious acts.
In order to understand risk mitigation best practices across a wide spectrum of private sector industries, this article will first identify the current security environment in order to understand the threats, briefly highlight specific case studies and assess the risks and identify methods that individual organizations, as well as the cannabis industry as a whole, can take action to enhance security and preparedness and to develop resiliency against future attacks.
Understanding the Threats
For an industry that has operated in a largely cash-based system for much of its existence, the idea of security is not foreign. Typically, these concerns focused on physical security implementation. The topic has received plenty of coverage, including a recent article in this journal articulating Important Security Considerations When Designing Cannabis Facilities. While an audit of physical security measures is a valuable part to any all-hazards threat assessment, securing a growing online network – from email to online finances to connected devices within cannabis facilities – can pose more unfamiliar challenges. When consulted for this article, Patten Wood, a former VP of marketing for a prominent west-coast cannabis retail brand noted: “While the topic of cybersecurity is critically important to customers, businesses, and the industry at large, it isn’t top of mind for many of the cannabis companies that I’ve experienced.” Understanding what risks are present is the first step to mitigating them, so we must first discuss several common cyber threats for the cannabis industry.
Phishing: Phishing happens when cybercriminals impersonate a trusted individual or entity, typically through email. The goal in this instance is to get the target to share confidential information or download software that can allow unauthorized access into an organization’s network. Phishing is one of the most common types of cyberattacks as it is relatively easy to conduct and surprisingly effective.
Ransomware Attacks: Ransomware attacks are used to gain access to a computer network and then lock and encrypt either the entire system or certain sets of high-value files, which can compromise important business information, and impact client and vendor privacy. A ransom is then demanded for restoring access, but paying the ransom comes with its own risk as it doesn’t guarantee the files will be restored.
Cyber Extortion: Similar to ransomware attacks in their design, cyber extortion typically deals with a threat of leaking personal information and will generally demand payment in cryptocurrency in order to maintain their anonymity.
Lumu: 2020 Ransomware Flashcard
Remote Access Threats: As 2020 has forced organizations to rethink how they conduct business and shift to more remote operations than they had in the past, it can open up several new threats. According to a survey by IT social network SpiceWorks.com, six out of every ten organizations allow their employees to connect their company-issued devices to public Wi-Fi networks. Utilizing unsecured Wi-Fi networks opens the user up to man-in-the-middle attacks, allowing hackers to intercept company data. Unsecure Wi-Fi also brings the threat of malware distribution. An additional consideration with remote workers is the uptick in cyber attacks against remote access software referred to as remote desktop protocol (RDP) attacks. According to Atlas VPN, RDP attacks skyrocketed 241% in 2020 and we’ve seen numerous RDP attacks against critical infrastructure throughout the pandemic and across all industries.
Internet of Things (IoT) Leaks: With IoT devices running everything from security systems to automated growing operations, the convenience has been a huge boost for the industry. Unfortunately, many IoT devices don’t have sophisticated built-in security. Another common problem is the tendency of users to keep default passwords upon installation, which can make devices easy for cyber criminals to access. Once they are inside the system, malware can easily be installed, and the actors can move laterally throughout the network.
Personal and Medical Record Security: Many cyberattacks expose some level of personal data, whether that be customer, employee or vendor information. An extra consideration for retail operations that either treat medical patients, or medical and adult-use customers, is the additional information they must store about their clients. Medical facilities will maintain protected health information (PHI), which are much more valuable on the dark web than personally identifiable information (PII). But even adult use facilities may keep government-issued ID or other additional information above that of a typical retailer, which makes the potential value of their information much more intriguing for a cybercriminal.
Assessing the Risks
Depending on where your organization lies in the seed to sale chain, you will have different levels of risk for various types of attacks. We briefly discussed ransomware attacks earlier. Ransoms can range widely depending on the size of the organization that is attacked, but the ransom alone isn’t the only risk consideration. Businesses must also factor in the cost of downtime (an average of 18 days in 2020) caused by the ransomware when evaluating the impact to business operations, as well as reputation. While small – medium businesses are absolutely at risk, especially given their relative lack of cybersecurity resources and sophistication, a recent trend involves “Big Game Hunting” where cybercriminals are targeting larger organizations with the potential for bigger paydays. Criminals understand that big business can rarely afford major delays, and may be more able and willing to pay, and pay big, for a return to normal operations.
Group-IB: Ransomware Uncovered
Below are several examples of attacks which have either directly impacted the cannabis industry, or have valuable lessons the industry can learn from.
GrowDiaries: In October 2020 researcher Bob Diachenko discovered that 3.4 million records including passwords, posts, emails and IP addresses were exposed after two open-source application Kibana apps were left exposed online. As a platform for cannabis growers around the world (who are not all growing legally), this type of exposure puts the community at great risk, and can lower user confidence in the product, as well as putting them at personal risk of harm or legal ramifications. The applications being left open is a prime example of either a lack of good cybersecurity policies, or not following through on those policies.
Aurora Cannabis: On December 25th, 2020 Canadian company Aurora Cannabis suffered a data breach when SharePoint and OneDrive were illegally accessed. Included in the data that was compromised was credit card information, government identification, home addresses and banking details. The access point coming through Microsoft cloud software is a prime example of some of the challenges facing businesses who have an increasingly remote workforce yet still need that workforce to access critical (and usually highly sensitive) information.
THSuite: A database owned by seed to sale Point-Of-Sale (POS) software provider THSuite was discovered by researchers in December 2019. The database contained PHI/PII for 30,000 people, with over 85,000 files being exposed. The information that was left accessible included scanned government IDs, personal contact information and medical ID numbers. Clearly this gets into HIPAA territory, which can result in fines of up to $50,000 for every exposed record.
Door Dash: As cannabis delivery apps become more prevalent, it’s good to reference how similar businesses in other industries have been targeted. In May of 2019 nearly 5 million user records were accessed by an unauthorized third party, exposing PII and partial payment card information.
Taking Action
On an organizational level, employee training, password hygiene and malware protection are some of the basic and most important steps that should be taken by all organizations. But, if “knowledge is power,” the best defense for any organization against cyber threats is a well-informed organization- including leadership down to the front-line employees. Excellent tools to assist in this are Information Sharing & Analysis Centers/Organizations (ISACs/ISAOs). ISACs were established under a presidential directive in 1998 to enable critical infrastructure owners and operators to share cyber threat information and best practices. The National Council of ISACs currently has over 20 member ISACs including Real Estate, Water, Automotive and Energy. ISAOs were created by a 2015 executive order to encourage cyber threat information sharing within private industry sectors that fall outside of those listed as “critical infrastructure”. Christy Coffey, vice president of operations at the Maritime and Port Security ISAO (MPS-ISAO) says information sharing enabled by the executive order is critical. “We need to accelerate private sector information sharing, and I believe that the ISAO is the vehicle.”
According to Michael Echols, CEO of the International Association of Certified ISAO’s (IACI) at the Kennedy Space Center, security experts have long understood that threat information sharing can allow for better situational awareness and help organizations better identify common threats and ways to address them. “On the other side, hackers in a very documented way are already teaming up and sharing information on new approaches and opportunities to bring more value (to their efforts).” The ongoing crisis surrounding the Microsoft Exchange Server Vulnerability demonstrates that different cybercriminal groups will work simultaneously to abuse system flaws. As of March 5th it was reported that at least 30,000 organizations in the U.S. – and hundreds of thousands worldwide – have backdoors installed which makes them vulnerable to future attacks, including ransomware.
Below are several links to recent products that have been shared by various ISACs/ISAOs, which are provided as an example of the type of information that is commonly shared via these organizations.
If organizations are interested in learning more about enhancing their cybersecurity resiliency through private-sector led information sharing, please reach out to the newly formed Cannabis ISAO at ben@cannabisisao.org
Based on the recent string of cannabis thefts in Portland, Oregon, the spotlight is shining even brighter on the need for enhanced security measures at cannabis dispensaries throughout the country. According to the Oregon Liquor Control Commission, the Portland metro area alone has experienced more than 120 cannabis shop burglaries since March 2020, resulting in a reported total loss of more than $500,000 in cash and products.
Robbing a cannabis dispensary is as lucrative as robbing a bank. Cash is king in the shops until the Secure and Fair Enforcement (SAFE) Banking Act is passed to prohibit federal banking regulators from penalizing depository institutions that provide banking services to legitimate cannabis businesses. Until the Act is passed, it is widely known that all transactions must be done in cash—which makes cannabis dispensaries a prime target for thieves.
Dispensaries are prime targets for burglary. Defending your storefront requires a comprehensive security plan.
While many security protocols—such as product traceability systems and security cameras—are mandated by each individual state, dispensary owners should take measures to actively secure their product, protect their employees and preserve their businesses as theft increases.
One of the quickest and most cost-effective ways to fortify shop security is by implementing rolling security doors. After determining what level of security is needed, consider these four tips to help deter criminal activity and ensure the safety of both employees and products.
Tip 1 – Defend The Storefront
Designed to prevent against looting events and burglaries, heavy-duty rolling steel doors offer cannabis business owners robust security. They can be retrofitted into existing buildings, are exterior mounted and are ideal for storefront defense—including protecting glass windows, which can be expensive to replace. Unlike more common rolling grilles, thieves can’t see merchandise when the rolling door is lowered. In addition to the door giving the building a secure look, blocking sight access is key to deterring criminals.
Heavy-duty steel doors must also be lift- and pry-resistant. Manufacturers put the doors through rigorous testing, and some security doors even meet Department of Defense forced entry standards, which can provide up to an hour of protection against violent attacks against the door to gain entry. Look for rolling security doors that can withstand heavy impact and resist pry attempts with common tools, as well as doors that are lift resistant. Some manufacturers offer doors with robust slide locks and rigid heavy-duty bottom bars, enabling the doors to withstand up to 4,500 lbs of lifting effort.
Tip 2 – Protect While Allowing Visibility and Airflow
If product visibility is desired, but more robust security is needed at the storefront—beyond a security measure such as impact glass—a heavy-duty security grille is an excellent choice. Security grilles are easy to custom order and don’t require structural modifications to fit individual spaces. They are easily installed behind storefront glass, are compact enough to remain out of sight when not in use and require little maintenance.
Strong rolling service doors can protect delivery entrances well
It’s important to work with a manufacturer to select a rolling grille that provides dependable, increased security. Choose grille curtains with rods that are spaced closer together and have heavier links. Security grilles with these features are harder to lift and pry than standard rolling grilles.
Rolling security grilles are also an ideal solution to protect counters inside the dispensary. They can be easily concealed in small headspaces where there is limited ceiling room.
Tip 3 – Fortify A Store Within A Store
For cannabis dispensaries located within high-end retail shops, it is important to consider additional security measures to separate the dispensary from the rest of the store.
A metal grille can be a good barrier for a store within store
A store within a store may be subject to different hours of operation as states often dictate specific operating hours for cannabis dispensaries. Altered operating hours necessitate an easy way to secure only a small section of a larger store.
If aesthetics are of concern inside retail shops, a woven metal mesh grille will provide both beauty and security without imposing looks while securing cannabis products as customers browse throughout the store. Manufacturers offer a variety of patterns and even logo designs as a way to bring more creativity to a grille’s aesthetics—making them rolling pieces of art.
Tip 4 – Secure Deliverables
Dispensary owners sometimes overlook the fact that thieves target deliveries. Deliveries that are made at the back of the store or in receiving areas may be the most at risk. It is of utmost importance to be aware of how deliveries are timed, who is present during them, and how the product is handed off.
Robust rolling service doors provide the best security for delivery entrances and are more secure than traditional rolling sectional doors. Made from slats of formed galvanized steel, aluminum or stainless steel, these rolling doors are completely customizable to meet existing building designs and are ideal for areas with limited overhead room.
Robust Protection
By closely evaluating the levels of security needed, the layout of the building and where deliveries take place, security updates and enhancements are easily implemented with the right rolling doors. Every door is made for a specific opening, so each one is custom-made for its application. Choose a knowledgeable manufacturer that will help determine which rolling closure suits the dispensary’s needs.
The cannabis industry is growing so quickly that even COVID-19 can’t slow it down. Before the pandemic, the industry amassed $13.6 billion in U.S. legal cannabis sales in 2019 – a figure that is expected to more than double to $30 billion in the next five years, according to New Frontier Data. In states where cannabis is legal for medical or recreational use, dispensaries have been deemed necessary, essential businesses – especially when it comes to calming stress and anxiety in our ever-changing times.
Cannabis legalization and newly budding dispensaries have expanded across the U.S., which may come with an unfortunate counterpart – a higher incidence of crime. Despite lower prices in states that have legalized cannabis, as compared to states where it is still illegal, theft has run rampant across grow operations, warehouses and, most often, dispensaries.
Heavy-duty security doors at the front of the dispensary block sight access and provide a visual deterrent.
Dispensaries can be targeted more frequently. Robbers may perceive them as an easy target, because they are businesses that have larger amounts of cash on hand. Many dispensaries only accept cash because payment processors and financial institutions aren’t willing to work with them. This is primarily because cannabis is still deemed an illegal substance under federal law, and the actions of financial institutions are governed by federal, not state, laws. Once the Secure And Fair Enforcement (SAFE) Banking Act is approved, cannabis businesses will be able to work more easily with banks, in turn reducing the amount of cash on site and erasing the dollar signs in opportunistic thieves’ eyes.
However, cash isn’t the only high thieves seek when they break into dispensaries. There’s also the product itself. Protecting it – and providing peace of mind to the facilities’ owners and occupants – is a concern for dispensaries, grow operations and warehouses. Robbers are motivated by the opportunity to make even more fast cash through reselling the product found onsite.
To eliminate such easy targets, security requirements for the cannabis industry are a necessity. They are also involved, complicated, and vary from state to state. A number of security specifications apply between state laws and local ordinances. Inventory must be properly surveilled and managed at all stages of transportation and storage. Any discrepancies in inventory can result in large fines and other penalties. To aid in understanding security compliances, the National Cannabis Industry Association (NCIA), a national trade association, recommends that start-ups obtain attorneys to guide businesses through their state’s laws and regulations.
This is why, especially for new business owners, it is critical to consider the best, most advanced security solutions – especially when it comes to doors and points of egress – that are easily integrated into buildings during the design phase. These solutions protect the products, properties, and people throughout the cannabis supply chain.
Understanding State Security Regulations While there are no federally recognized security requirements for the cannabis industry, there are similar requirements across all states that have legalized cannabis, including:
Maintaining strict access control throughout the facility – this is especially important for grow operations and warehouses
Functional alarm systems
Documented standard operating procedures
Video surveillance systems – many states mandate very precise requirements, such as length of storage time and even video resolution specifications
Notifying appropriate regulatory agencies immediately or within a strict timeframe after a security incident or theft
Securing all records and record storage
While these are common, state-mandated security requirements, it is critically important to know and understand all rules, regulations, and laws concerning the industry within the business’s specific state. Making sure the business is compliant with all aspects of state laws for security and preventing violations, including the hefty financial penalties that can accompany them, is key.
States require cannabis facilities to implement sophisticated security features for several reasons. One of the most obvious is the fact that the industry supplies a high-value product and is a cash-intensive business. Integrating security features into the building can be a challenging task for architects and designers. To help tackle these challenges, manufacturers have introduced products to the cannabis industry, creating easier, more effective and aesthetically pleasing security solutions.
Integrated Designs For High Level Security Security shouldn’t be a constraint when considering design aesthetics. Certain elements can be discretely tucked away, including cameras and security doors by way of specifying a concealed rolling door, conveniently disguised in the ceiling during operating hours. These doors can even close under alarm eliminating the need for manual intervention. Other security measures, such as bullet resistant glass, are hidden in plain sight.
Rolling doors like this one can be conveniently disguised in the ceiling during operating hours.
Untrustworthy employees, smash-and-grab thefts or meticulously planned heists mean secure building design is of the utmost importance. In order to have the most effective security, there needs to be design vision – a clear intent for incorporating advanced security into the facility, whether visible or not.
Suggested security measures include video surveillance around the outdoor perimeter of the property as well as inside the facility. Physical barriers, such as specialized entrance locking systems – including fingerprint-scanning biometric technology – and security doors that may also include intrusion detection and automatic closure systems are recommended. All systems may be paired with 24/7 visual monitoring by security personnel.
Many state regulations also require restricted access to specific areas within dispensaries, grow operations and warehouses, with employee names and activities logged for reference. These necessary measures aid in inventory monitoring and control, further reducing the likelihood of internal theft.
When specifying building security, it’s important for architects to consider what type of building they are designing. There are differences in providing security for dispensaries versus warehouses and grow operations. Dispensaries and storefronts are frequently out in the open and in locations that are well-known to consumers. Warehouses and grow operations are usually tucked out of the way, rarely publicized, and less noticeable.
Rolling Grilles And Doors Deter Dispensary Theft With a high-value product and cash on hand, dispensaries in particular have unique security challenges. And because they are retail businesses, egress and fire codes must be strictly adhered to, in addition to special security regulations.
Rolling grilles can be an effective deterrent against dispensary theft
In light of this, security doors require special consideration. They are necessary to provide secure protection against theft but shouldn’t distract from the architectural vision of the building or interior design.
Rolling security grilles are the ideal solution to protect the counter inside the dispensary and may also be ideal for the front of the store. They fit in small headspaces where there is limited ceiling room and can be easily concealed when not in use.
Even heavy-duty rolling doors used to protect the glass storefront of the dispensary and prevent intruders from entering the building’s dock area can be hidden when not in use. If building code allows, architects may specify a rolling door that coils up into the door’s header, residing behind an exterior soffit. These robust security doors’ lift-resistant bottom bars also can be obscured from sight.
Heavy-duty security doors at the front of the dispensary block sight access and provide a visual deterrent. They give the building a secured look when in use, but heavy-duty rolling doors don’t need to be imposing to customers during the dispensary’s operating hours.
Robust Visible Protection For Grow Operations And Warehouses
Grow operations and warehouses usually opt for more visible security doors to deter criminal activity. They also have different design considerations because of building layout and production needs. For instance, larger grow operations house plants and supplies which require heavy equipment to move throughout the facilities.
A heavy duty steel rolling grille
Heavy duty rolling security doors can be made with up to 12-gauge steel with interlocking slats and tamper resistant fasteners – making them stronger than standard garage doors. They provide high-end security at loading docks and limit access to restricted areas inside.
Rolling doors can also be used to block employee access to off-limits areas common in grow operations and warehouses. Because they are heavily reliant on utilities and infrastructure, such as water mains and humidity and temperature controls, warehouses and grow operations are ideal applications for rolling doors. If unauthorized personnel with ill intentions access these utility areas, it could spell disaster with ruined crops and damaged or unsafe products – turning into substantial financial losses. From a design standpoint, these doors do not need to be concealed. In fact, their visibility signals restricted access areas and hints at the security measures taken to protect these facilities.
Enhanced Security Features
Whether designing a dispensary, a grow operation facility, or a warehouse, rolling doors may be paired with automatic protection features to enhance the building’s security and help workers feel safe. These automatic closing systems allow the security doors to be immediately activated by a building alarm or the push of a panic button in emergency situations. The doors also feature advanced locking systems – some of which are hidden in non-traditional locations – providing further tamper resistance.
Some rolling door manufacturers offer in-house architectural design groups to guide architects and designers in choosing the ideal security doors. These groups can address and solve any design dilemmas that arise during the project. Every rolling door is built to a specific opening, making each product unique to that area of the project. Because of this customization, manufacturers can meet virtually any specification.
Meeting Insurance Requirements
Selecting the correct rolling door along with other advanced security features aids in meeting insurance requirements. Each insurance company has individual minimum-security conditions in its policy. Many insurance companies will not provide theft insurance if cannabis businesses do not have adequate security or cannot demonstrate they have it.
Planning Leads To Integrated Protection The technical and legal aspects of securing dispensaries, grow operations, and warehouses can be overwhelming and, at times, confusing. Legal counsel, state agencies, industry associations, and manufacturers encourage new cannabis businesses to use them as resources as they unravel the nuances of the industry’s security regulations.
By combining robust security features such as video surveillance, proper access controls, rolling doors or grilles and automatic closure systems, cannabis facilities can meet state and insurance requirements and deter theft. With thoughtful design consideration and planning, these security features also have the capabilities to seamlessly blend with interior and exterior design aesthetics.
The cannabis industry, like many others, felt the effects of the stay-at-home orders issued in March in response to the COVID-19 healthcare crisis. While medical cannabis companies were considered “essential” in most states, many recreational dispensaries had to close their doors, or pivot to a curbside pickup operations model. According to the State of the Cannabis Industry 2020 report, following a two-week spike in mid-March, as consumers stockpiled product ahead of stay-at-home mandates, sales took a temporary downturn.
The industry rebounded in a big way, however. The report notes that, since April 20, cannabis sales have steadily increased, and are, in fact, up approximately 40% from 2019. But while medical and recreational dispensaries are now open to the public and thriving, it’s far from business as usual.
Like any other retail store, cannabusinesses must follow local- and state-issued health and safety mandates designed to prevent the spread of COVID-19. Complying with these new requirements can be difficult for business owners and management teams on a normal business day – never mind in today’s climate, where demand for cannabis products continues to soar.
Turning to Technology
With more health regulations to follow than ever before and stores experiencing a consistent increase in daily foot traffic, it’s no longer realistic to expect managers to manually monitor every employee and customer to make sure guidelines are met. For example, it’s difficult to manage social distancing within the store – but there are commonly lines outside of cannabusinesses, where social distancing and mask-wearing precautions also need to be followed. Wouldn’t you rather have managers spend their time on customer service and initiatives that will deliver business value, rather than spending time making sure people are following safety protocols?
Technology can help mitigate these new health compliance challenges – and you may even already have the solution deployed: Internet Protocol (IP) security cameras. Often implemented by businesses as a security tool, IP cameras are now also an effective way to ensure employees and customers are following health and safety protocols.
Most IP cameras are equipped with artificial intelligence (AI) that can analyze information in real-time and make split-second response decisions. In the context of health compliance, they can be trained over time to recognize when requirements are not being followed and immediately alert the appropriate managers. This means managers only need to address violations, rather than observing everyone all the time, and they can resolve compliance gaps as they’re happening. In other words, AI takes on the compliance burden for you. And, as an added bonus, many AI-enabled surveillance systems give managers the ability to pull up live video feeds from their smartphone, so they can conduct compliance checks remotely, at any time. This is especially helpful to managers covering multiple stores (suddenly, they can be in more than one place at a time!).
Here are three specific ways IP security cameras can help dispensaries and other cannabusinesses ensure compliance with COVID-19-prompted health guidelines:
Social distance monitoring
Six-feet social distancing rules are now the norm across the U.S., and IP security cameras are able to measure the space around employees and customers to detect when the six-foot rule is violated. For example, some systems place a ring around each person, and the ring’s color changes when people come within six feet of each other. This capability can be helpful when trying to do things such as supervise the line to get into your store, manage your checkout queue, or monitor the distance between customers browsing in store aisles.You can use IP security cameras to create a healthier and safer work environment
Occupancy management
In many states, organizations must follow orders that restrict occupancy to 50% capacity. Rather than having an employee at your front door tallying the number of people going into and out of your store, IP security cameras can do the counting for you. With this capability, you can control foot traffic and keep the number of shoppers within defined occupancy requirements – without having to allocate personnel to do the task manually.
Face mask detection
AI-enabled IP security cameras can also help businesses comply with mandatory face mask orders. The technology can be trained to detect employees and customers who aren’t wearing face masks or other required personal protective equipment, and then alert appropriate management personnel.
A Dual Purpose – Security and Compliance
IP security cameras now have a dual purpose. Beyond simply helping organizations protect their premises from crime, they now also empower them to ensure compliance with health and safety requirements. You can leverage the technology to remediate compliance issues in real-time and demonstrate to public officials that your business remains in compliance with all health mandates. Most importantly, you can use IP security cameras to create a healthier and safer work environment – and, in these uncertain times, this is a certainty you can count on.
As legalization of cannabis products from hemp to medical cannabis takes root across the U.S., there’s a growing need to understand and build good security practices. While many think of security as safeguarding assets like facilities and product, effective security does much more. It protects a business’ workers, providing them secure workplaces and incomes. Ideally, it reaches from supply chain to customers by ensuring consistently safe products.
To truly understand the value of this for a brand or for the industry as a whole, consider the opposite: the destructive effect – on a brand and on the industry at large – of unsafe or tampered product reaching customers, or of crimes occurring, just as the industry seeks to demonstrate its validity and benefits. Security is vital not only to individual farmers, processors or customers but to all who value what the industry brings to those who rely on CBD or medical cannabis products for their wellbeing.
Know the Threats.
Part of the learning process involves understanding the value of the product.Security is all about anticipating and reducing risks. These can include physical threats from natural sources – think flood, fire, tornado or crop fail – or from human threats. Human threats can arise from organized criminals, hackers, amateur thieves, vandals – or insiders.
As regulated industries, hemp and cannabis businesses also face risk of losses, which can be significant, from penalties ranging from fines to being shut down for non-compliance. While rules vary from state to state and continue to change, a disciplined approach to security is foundational to reducing risk at many levels. Rigorous operational processes must incorporate security that addresses risks at multiple points of access, transport and sale of products.
Learn the Rules.
In a rapidly evolving industry, one of the most important things producers can do is to learn. Security requirements vary by region and providers need to be aware of what is available. Get to know your state, local and federal resources for your operating area. California law, for example, specifies use of high-resolution video surveillance in dispensaries, while others do not.
Joshua Wall, Chief Operating Officer at Harvest Connect LLC
Part of the learning process involves understanding the value of the product. With medicinal cannabis, it’s helpful to grasp both its commodity value and the street value that could make it attractive to thieves. In “Why Marijuana Plant Value is So Important for Adjusters,” Canadian Underwriter Magazine gave examples that indicate the size of losses that may occur in growing and processing operations:
“In the medical marijuana space, ClaimsPro has already seen losses primarily between $150,000 and $750,000. These losses, mostly on Vancouver Island, were for fire and water damage, as well as boiler machinery issues, physical damage to buildings and specialized greenhouse equipment, as well as extra expense and business interruption.”
The same article notes a claim over $20 million at another single flower greenhouse. Security needs to reflect what’s present on our premises.
Educating the community can reduce risk as well. Producers of industrial hemp may need to inform would-be thieves that what they are looking at is not street-valued product. To protect the crops, which are generally grown outdoors and do not require a full security detail, a best practice is simply posting signs on the property that say explicitly “No THC.”
Begin with a Risk Assessment.
Security begins with a professional evaluation of site vulnerabilities, examining key weaknesses that could be exploited by attackers. These include:
Monitoring access to the site is a foundational principle of security.
Design limited access points into the facility as well as prepare for possible facility breaches with perimeter access control, technological redundancies and ballistic glass for defensive architecture measures.
Look at route vulnerabilities as well.
Hedge site risk by not limiting your operation to a single site where one incident could wipe out an entire year’s crop.
The nature of threats is always changing. A 2018 Newsweek article described the struggles of legal cannabis farmers against illegal and potentially cartel-backed and violent operations in California. While a 2020 Business Insider report described indications that legalization was prompting some cartels to leave cannabis alone and move on to fentanyl and meth. “While Mexican drug cartels made their money predominantly from marijuana in past decades, the market has somewhat dissipated with the state-level legalization of cannabis in dozens of states across the US.”
Define Levels of Risk and Access.
The best security matches spending to risk in a commonsense way. Are you more at risk from the occasional smash and grab incident or is there reason to anticipate an organized assault? As in many industries, the greatest risk often comes from employee fraud or theft. Hiring carefully, paying fairly and training staff well are important to long term security.
Iron Protection Group in a training session Image credit: Tampa Bay Times
How will the product be moved around within the facility and beyond it – and what staff are responsible for each part of the journey? Who can enter the cultivation areas and what protocols must they follow? On site staff should be trained on what to look for if they observe a security breach. Consider biometrics such as retinal scans, fingerprint scans or similar.
In cases where valuable product or cash is present, guards can play an important role. Harvest Connect uses only high-level former military or police officers in these roles, an approach recognized by many. Hunter Garth of Iron Protection Group notes they have “the ability to de-escalate a potentially harmful situation and the fortitude to see a mission through to completion, no matter what external circumstances may arise.”
Inventory and Transaction Controls
Inside threats from sloppy processes can be just as insidious as attacks. Poor tracking of inventory by Oregon’s legal cannabis producers made headlines in 2018 as The Oregonian reported, “U.S. Attorney Billy Williams told a large gathering that included Gov. Kate Brown, law enforcement officials and representatives of the cannabis industry that Oregon has an ‘identifiable and formidable overproduction and diversion problem.’’ Discipline, applied by state pressure but carried out by producers themselves, has begun to reduce the diversion of untracked product into the black market a year later.
Cannabis businesses need a professional approach to monitoring all product and money that moves through its systems. These operational processes can include time, date and attendance stamps on all inventory. Similarly, accounting systems and software must follow the highest professional standards. Lastly, when breaches occur, it is essential that fraud and theft are caught, eliminated and prosecuted as appropriate.
Nurturing an Emerging Industry
Security resources are an integral part of maintaining the integrity of a business’ supply chain. As the product moves from the fields to processing centers to consumers, purity assurance becomes an operational objective. Ultimately, protecting the product through secure and professional practices is the optimal way to serve customers, build a brand, and sustain the industry.
Cannabis growers and distributors are “green” when it comes to cyber security. Unaware of the real risks, cannabis businesses consistently fall short of instituting some of the most basic cybersecurity protections, leaving them increasingly vulnerable to a cyber-attack.
Cannabis businesses are especially attractive to hackers because of the vast amount of personally identifiable and protected health information they’re required to collect as well as the crop trade secrets they store. With businesses growing by leaps and bounds, and more and more Americans and Canadians purchasing cannabis, cybercriminals are likely to increase their attacks on the North American market in the coming year. Arm your cannabis business with the following best practices for growers and distributors.
Distributor Risk = A Customer’s PII
Cyber risk is the greatest for cannabis distributors, required to collect personal identifiable information (PII), including driver’s licenses, credit cards, medical history and insurance information from patients. State regulatory oversight further compounds the distributor’s risk of cyber-attack. If you’re a cannabis distributor, you’ll want to make sure to:
Know where you retain buyer information, and understand how it can potentially be breached. Are you scanning driver’s licenses into a database, or retaining paper files? Are you keeping them in a secure area off site, or on a protected network? Make sure a member of your management team is maintaining compliance with HIPAA and state statutes and requirements for cannabis distribution.
Institute strong employee oversight rules. Every employee does not have to have access to every sale, or your entire database of proprietary customer information. Delegate jobs behind the sales desk. Give each employee the access they need to do their job – and that’s it.
Distributors have to protect grower’s R&D information too. Most cannabis distributors have access to their grower’s proprietary R&D information so they can help customers understand which products are best for different medical symptoms/needs. Make sure your employees don’t reveal too much to put your suppliers in potential risk of cyberattack.
Grower Risk = Crop Trade Secrets
For cannabis growers, the risk is specific to crop trade secrets, research and development (R&D). If you’re a cannabis grower, you’ll want to:
Secure your R&D process. If you’ve created a cannabis formula that reduces anxiety or pain or boosts energy, these “recipes” are your competitive advantage – your intellectual property. Consider the way you store information behind the R&D of your cannabis crops. Do you store it on electronic file, or a computer desktop? What type of credentials do people need to access it? Other industries will use a third party cloud service to store their R&D information, but with cannabis businesses that’s typically not the case. Instead, many growers maintain their own servers because they feel this risk is so great, and because their business is growing so fast, there are not yet on the cloud.
Limit the number of people with access to your “secret sauce.” When workers are harvesting crop, or you’re renting land from farmers and planting on it, make sure to keep proprietary information in the hands of just the few who need it – and no one else. This is especially important when sharing details with third party vendors.
Cyber coverage is now ripe for picking
Although cannabis businesses are hard to insure – for just about every type of risk – cyber insurance options for cannabis companies have recently expanded, and come down in price. If you’ve looked for cyber coverage in the past and were previously unable to secure it, now is the time to revisit the market.
Know that cyber policy underwriters will do additional due diligence, going beyond the typical policy application, and ask about the types of proprietary information you collect from customers, as well as how you store and access it at a later date. Have this knowledge at your fingertips, and be ready to talk to underwriters about it when you’re bidding for a new policy – and at renewal time.
This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Strictly Necessary Cookies
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
We use tracking pixels that set your arrival time at our website, this is used as part of our anti-spam and security measures. Disabling this tracking pixel would disable some of our security measures, and is therefore considered necessary for the safe operation of the website. This tracking pixel is cleared from your system when you delete files in your history.
We also use cookies to store your preferences regarding the setting of 3rd Party Cookies.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
