Growing Cyber Threats Against Cannabis Retailers

In the midst of ongoing debate around the legalization of marijuana, a clear trend toward regulated acceptance has emerged in the United States and Canada. As of July 2019, the sale of marijuana for medicinal purposes is legal in 34 U.S. states, 10 of which also allow sales for recreational use through state-licensed dispensaries. In January 2020, Illinois will become the 11th U.S. state to legalize the sale of marijuana for recreational purposes. Operating in an  unusual federal legislative environment where the cannabis industry is still entirely illegal, legitimate cannabis enterprises have all the responsibilities of a traditional business. In Canada, recreational cannabis is legal federally. Each province and territory governs how cannabis can be sold, where stores may be located and how stores must be operated. Provinces and territories are also given the freedom to lower the federal possession limit, increase the minimum federal age, restrict where cannabis may be used in public and add requirements surrounding personal cultivation.

While they share with all retailers the duty to protect customer data and financial records, cannabis businesses must acknowledge a heightened state of sensitivity around privacy issues. For example, one of the topics covered in this report is how cybercriminals in possession of cannabis customer names may threaten to extort these customers by publicizing their purchases.

I invite you to read about the current state of cyber threats and how legitimate cannabis retailers can bolster their cyber security maturity. You may download the report in PDF format on this page or read each section separately:

• In “The Impact of Cyber Crime in the Cannabis Industry” the compounded threats to cannabis retailers are examined. 
• The section outlining the “The Three Pillars of Cyber Security for Cannabis Retailers” offers pragmatic guidance validated by Kroll practitioners with frontline cyber investigations insight. 

Given the evolving and still contentious nature of marijuana sales in certain areas – and the fact that new cyber exploits and threats arise every day – we hope cannabis retailers recognize that fighting their industry-specific cyber threats is not a “one and done” exercise. This white paper offers a starting point. Vigilance and resiliency will be key for protecting your business and your customers from cyber threats today and into the future. You can count on Kroll to help with the most preeminent experts in the field, global resources and practical solutions to your cyber risk challenges.

Regardless of the commodity, retailers are trusted to handle and store their customers’ sensitive data in a manner that will protect it from being compromised by cybercriminals. Cannabis dispensaries must recognize that they are not immune from being targeted by cybercriminals; in fact, they are at greater risk than most because of the controversial commodity they deal in. For cannabis dispensaries, developing a mature cyber security strategy is imperative in order to combat daily cyberattacks.

As of July 2019, recreational cannabis in Canada is legal federally. Across the border, 34 U.S. states authorize the sale of marijuana for medicinal purposes, 10 of which also allow its sale for recreational use, all through state-licensed dispensaries, and in January 2020 Illinois will join this group, becoming the 11th state to legalize the sale of recreational marijuana. Meanwhile, legalization proposals continue to be debated or advanced in many of the remaining states. 

The best practices described in this report can help existing and prospective marijuana retailers become better equipped to identify vulnerabilities and implement the necessary measures to mitigate cyber threats. They also provide cannabis businesses the framework to develop a mature cyber security strategy that protects the data in their network and enables a business to thrive while providing customers a sense of security when they share their sensitive, personal information.