Cannabis, cyber and COVID-19 – the three Cs may have more in common than meets the eye.
Cannabis dispensaries, now considered essential businesses in many states, have stepped up deliveries, curbside picksups and online ordering to service customers during the pandemic.
But in doing so, they are facing greater cyber risks and an insurance market in which it’s difficult to find coverage.
Demand for cannabis has continued to increase in recent years. BDSA, a provider of cannabis industry market research, this week issued a report showing 2019 legal cannabis sales globally grew by 46% to $14.8 billion, up from 16% growth in 2018.
As they’ve grown these businesses have become increasingly sophisticated, and have had to become even more so during the crisis, where stay-at-home orders have asked citizens to reduce trips, according to Chris Boden, cannabis and life sciences practice group team leader with wholesaler Crouse & Associates.
“A lot of the dispensaries have gone to online ordering, delivery, and curb-side pick-up models,” Boden said. “And they’re realizing more and more of their organization is run online.”
Deliveries require dispensaries to obtain and keep names and addresses, those who can work remotely need computer access, and dispensaries may be doing more outreach to produce sales to make up for an drop offs in walk-ins, such as the use of customer relationship management software and outreach via email, or even text messaging.
As a wholesale broker, Boden has heard from his retailer clients who have been asking him more often about cyber coverage, a product that has been particularly hard to place for cannabis businesses.
“I would definitely say there has been an increase in inquiries in the last month, two months, obviously when the COVID-19 crisis hit, about cyber coverage options,” Boden said.
Cyber is hard to find, with carriers shying away from selling cyber products to plant-touching cannabis companies whose activities are still officially illegal in the eyes of the federal government.
“There’s a large shortage,” said Michael Sampson, a partner in the insurance recovery group and co-vice chair of the cannabis law team for in the Pittsburgh, Penn., office of ReedSmith. “There’re only a couple carriers at most that will write cyber coverage for plant-touching businesses.”
Even before the pandemic, cannabis businesses had a cyber target on their backs, according to Sampson.
Most cannabis dispensaries are required to have a seed-to-sale tracking system, particularly those selling medical marijuana, and are also required by the licensing structure of numerous states to maintain data on their clients – making them highly appealing to hackers.
“There is a lot of potential for exposure to a data breach, to some sort of ransom attack, to some sort of cyberattack, because they’re dealing with lots and lots of data,” said Sampson, who described his council of new clients as routinely including the recommendation that they obtain cyber liability coverage.
He’s also been speaking to clients a great deal lately about Telephone Consumer Protection Act claims as more dispensaries take to texting out deals, and offers, to buyers in their databases. The TCPA, which restricts telemarketing calls and the use of automatic telephone dialing systems, is often excluded in cyber policies, he noted.
“There’s a ton of these claims being brought currently,” Sampson said.
He’s also telling his cannabis companies that as they change to meet the demand in these uncertain times, their risk profiles change.
“What I’m seeing a lot of is companies that are trying to be quick to respond, but they’re taking on new business models – whether it’s delivery, whether it’s curbside – and every time the amount of data goes up, it just increases the exposure.”
The most important insurance news,in your inbox every business day.
Get the insurance industry’s trusted newsletter