3 Tips for Cannabis Businesses Looking to Shore Up Some Cybersecurity Protection

For the past several years, cyberattacks on private businesses and public agencies alike have been on the rise. What that means, specifically, varies from case to case, but generally these attacks compromise a company’s data or hold certain information “hostage” for a proposed ransom.

With the ratcheting war in Ukraine, warning signs are flashing over the threat of even more cyberattack activity in the weeks and months to come. 

Businesses remain vulnerable to attacks that are hard to predict and hard to perceive.

Michael Sampson, partner at Leech Tishman and member of the firm’s litigation practice group, says that cannabis businesses (and businesses of all stripes) would do well to assess the risk of those attacks to the best of their ability—and to prepare. He outlines three ways to think about that.

“Cyber risk remains very significant across the cannabis and across the U.S. commercial landscape generally, because this is really an area where the cannabis industry faces the same types of risks that many other businesses face,” he says. “The risk to the cannabis industry may be greater in some respects, but it’s certainly no less than any other business.”


The first step, after registering one’s shock at being attacked by a certain cyber threat, is to communicate transparently with law enforcement. Cyberattacks are indeed occurring more frequently, but that doesn’t mean they are any less significant or potentially damaging to victims. Get on board with law enforcement right away to keep the matter transparent—and to secure any hope of a clear recovery.

This is also just a practical matter. Without communicating the attack to a law enforcement agency, your business may be missing out on possible insurance benefits—like payment of a cyber ransom.

“There is certainly, in many cyber policies, a requirement that the policyholder provide notice to the appropriate authorities—which is often the FBI in the case of a cyberattack—in order to access and have the right to insurance coverage,” Sampson says. “Regardless of whether or not the FBI actively chooses to investigate a cyberattack affecting the cannabis industry, it’s still incumbent on an affected cannabis-related business to give the requisite notice to the FBI. The forms are available, so go ahead and fill those out so that the FBI has the ability to look into the crime—and also so that the preconditions for insurance coverage are satisfied. Keep in mind that what we’ve seen recently is an attack or attacks that are affecting multiple businesses at once.”

Cannabis businesses may not be caught in a silo in the event of a cyberattack. It can be very helpful to an investigation for all affected parties to have their names thrown into the ring for further communication on the ramifications of the attack.

And don’t get scared off by those letters: F. B. I. Just because cannabis remains a federally illegal industry, the FBI is not necessarily precluded from investigating crimes like this. Consider the IRS during tax season.

Have a Plan of Action

Two-factor authentication can be a helpful tool—and a helpful phrase to
