Insurance

Building a Cannabis Cyber Insurance Strategy: What Underwriters Actually Want to See

CannaSecure

CannaSecure

10 min read
Building a Cannabis Cyber Insurance Strategy: What Underwriters Actually Want to See

Cyber insurance for cannabis businesses is complicated—but not impossible. Here's how to get coverage, reduce your premiums, and ensure you're actually protected when something goes wrong.

The Cannabis Cyber Insurance Challenge

Let's be honest: getting cyber insurance for a cannabis business isn't as simple as filling out an application.

You're operating in a federally illegal industry. You're handling massive amounts of sensitive customer data. You're a prime target for ransomware. And insurance underwriters know all of this.

But here's the good news: cannabis cyber insurance is absolutely obtainable, and more carriers are entering the market every year. The key is understanding what underwriters look for and positioning your business accordingly.

After the STIIIZY breach exposed 420,000+ customers, expect underwriters to scrutinize cannabis applications even more carefully. This guide will help you navigate that scrutiny.

The Complete Dispensary Cybersecurity Hardening Guide: Protect Your Business Before You’re the Next Stiiizy
420,000+ customer records exposed. Passports leaked. Purchase histories published. Don’t let this happen to you. The Wake-Up Call: Stiiizy Breach (January 2025) On January 10, 2025, Stiiizy—one of the largest cannabis brands in California—confirmed a devastating data breach. The Everest ransomware gang stole data from over 420,
Canna SecureCannaSecure

Why Cannabis Businesses Need Cyber Insurance

Before diving into how to get coverage, let's establish why it's essential.

The Numbers Don't Lie

  • Average cost of a ransomware attack: $1.53 million (excluding ransom payment)
  • 60% of small businesses close within 6 months of a cyberattack
  • Median ransom payment in 2025: $1 million for enterprises, $115,000-$267,000 for smaller businesses
  • Average recovery time: 24.6 days
  • Customer notification costs: $150-$300+ per record

For a dispensary with 50,000 customer records, breach notification alone could cost $7.5-$15 million. Add in forensics, legal fees, regulatory fines, and class action settlements, and you're looking at potential business-ending numbers.

What Cyber Insurance Covers

A comprehensive cyber policy typically includes:

First-Party Coverage (Your Direct Costs):

  • Forensic investigation
  • Data recovery and system restoration
  • Business interruption losses
  • Extortion/ransom payments (where legal)
  • Crisis management and PR
  • Customer notification costs
  • Credit monitoring for affected customers

Third-Party Coverage (Claims Against You):

  • Regulatory fines and penalties
  • Legal defense costs
  • Settlements and judgments
  • Payment Card Industry (PCI) fines
  • Media liability (if customer data published)

Specialized Coverages:

  • Social engineering/fraud coverage
  • Reputational harm
  • Dependent business interruption (vendor breaches)
  • System failure (non-malicious outages)

What Cyber Insurance Doesn't Cover

Equally important—know the exclusions:

  • War and terrorism (nation-state attacks may be excluded)
  • Prior known incidents (if you knew about a problem before the policy)
  • Intentional acts (insider threats you enabled)
  • Contractual liability (beyond what you'd face without the contract)
  • Physical damage (separate property insurance needed)
  • Regulatory fines (in some jurisdictions, insuring fines is prohibited)
  • Failure to maintain security (this is the big one—see below)

The Underwriting Process

Understanding how underwriters evaluate your application helps you prepare.

What Underwriters Assess

1. Industry Risk
Cannabis is categorized as high-risk. Underwriters know you're:

  • Handling sensitive customer data (IDs, medical info)
  • Cash-heavy (attractive to criminals)
  • Operating in a regulatory gray zone
  • Dependent on third-party vendors

You can't change your industry, but you can demonstrate mature security practices that mitigate industry-specific risks.

2. Security Controls
This is where you have the most influence. Underwriters look for:

Must-Haves (Minimum requirements for coverage):

  • Multi-factor authentication (MFA) on all remote access and email
  • Endpoint Detection and Response (EDR) or advanced antivirus
  • Regular patch management program
  • Data backup with offline/immutable copies
  • Email filtering and anti-phishing protection

Nice-to-Haves (Reduce premiums):

  • 24/7 Security Operations Center (SOC) monitoring
  • Annual penetration testing
  • Security awareness training
  • Privileged Access Management (PAM)
  • Network segmentation
  • Incident response plan and testing

3. Claims History
Prior incidents don't automatically disqualify you, but expect questions:

  • What happened?
  • How did you respond?
  • What controls did you implement afterward?
  • Have you had any incidents since?

Transparency is key. Underwriters will discover prior claims during the application process—it's better to explain proactively.

4. Revenue and Employee Count
These determine coverage limits and pricing. Larger operations = more exposure = higher premiums.

5. Data Sensitivity
The type of data you hold matters:

  • PII (names, addresses) - standard risk
  • Government IDs, SSNs - elevated risk
  • Medical information (HIPAA) - highest risk
  • Payment card data (PCI) - elevated risk

Cannabis businesses often hold all of the above, which is why security controls matter even more.

The Application Process

Step 1: Initial Application
Most carriers have a standard application covering:

  • Business description and revenue
  • Number of records/customers
  • Types of data held
  • Basic security questions

Step 2: Supplemental Questionnaire
For cannabis businesses (and other high-risk industries), expect a detailed security questionnaire covering:

  • MFA implementation specifics
  • Backup procedures
  • Incident response capabilities
  • Vendor management
  • Employee training

Step 3: Underwriter Questions
Be prepared for follow-up calls or emails. Underwriters may want:

  • Clarification on security controls
  • Evidence of claimed controls (screenshots, policies)
  • Explanation of any concerning answers
  • Details on prior incidents

Step 4: Quote and Binding
If approved, you'll receive a quote showing:

  • Premium (annual cost)
  • Coverage limits
  • Retention/deductible
  • Sub-limits on specific coverages
  • Exclusions and conditions

Timeline: Expect 2-6 weeks from application to binding, depending on carrier and your preparation.

What Underwriters Actually Ask

Here's a sample of real questions from cyber insurance applications, with guidance on strong answers:

Multi-Factor Authentication

Q: "Do you require multi-factor authentication for all remote access to your network?"

Strong Answer: "Yes. All remote access requires MFA via [specific solution, e.g., Duo, Microsoft Authenticator]. This includes VPN connections, remote desktop, and cloud application access. MFA is enforced at the network level and cannot be bypassed."

Weak Answer: "We have MFA on some systems" or "Users can opt in to MFA"

Backup and Recovery

Q: "Describe your backup procedures, including frequency, testing, and offline storage."

Strong Answer: "We perform daily backups of all critical systems to [solution]. Backups are replicated to an offsite location and we maintain offline/immutable backups that cannot be modified by ransomware. We test restore procedures quarterly, with the last successful test on [date]. Recovery Time Objective is [X hours]."

Weak Answer: "We back up to the cloud" (doesn't address immutability, testing, or recovery)

Endpoint Protection

Q: "What endpoint protection solution do you use?"

Strong Answer: "We deploy [EDR solution, e.g., CrowdStrike, SentinelOne, Microsoft Defender for Endpoint] on all endpoints. The solution provides real-time threat detection, behavioral analysis, and automatic response. It's monitored by [internal team/MSSP] with 24/7 alerting."

Weak Answer: "We use antivirus" (traditional AV is insufficient for modern threats)

Patch Management

Q: "Describe your patch management program."

Strong Answer: "We maintain a documented patch management policy. Critical vulnerabilities are patched within 48 hours, high severity within 7 days, and routine patches within 30 days. We use [tool] to track patch status and generate compliance reports. Internet-facing systems are prioritized."

Weak Answer: "We apply patches when available" (no timeline or accountability)

Security Training

Q: "Do you conduct security awareness training for employees?"

Strong Answer: "All employees complete security awareness training upon hire and annually thereafter. Training covers phishing, social engineering, password security, and incident reporting. We conduct simulated phishing tests quarterly, with a current click rate of [X%]. Employees who fail tests receive additional training."

Weak Answer: "We remind people to be careful with email"

Incident Response

Q: "Do you have a documented incident response plan?"

Strong Answer: "Yes. Our incident response plan was developed in [year], last updated [date], and covers detection, containment, eradication, recovery, and lessons learned. Key contacts include [IR retainer firm], [legal counsel], and [insurance carrier]. We conduct tabletop exercises annually, with the last exercise on [date]."

Weak Answer: "We would call IT if something happened"

Reducing Your Premium

Cyber insurance premiums have increased significantly industry-wide. For cannabis businesses, rates are even higher. Here's how to bring them down:

Controls That Lower Premiums

MFA Everywhere (5-15% reduction possible)

  • Email accounts
  • VPN and remote access
  • Cloud applications
  • Administrative consoles

EDR Deployment (5-15% reduction)

  • Not just antivirus—actual EDR with behavioral detection
  • Managed EDR (MDR) even better

Immutable Backups (5-10% reduction)

  • Air-gapped or immutable cloud backups
  • Tested regularly

24/7 Monitoring (10-20% reduction)

  • Security Operations Center (internal or outsourced)
  • Real-time alerting and response

Annual Penetration Testing (5-10% reduction)

  • Third-party testing by qualified firm
  • Documented remediation of findings

Security Awareness Training (5-10% reduction)

  • Regular training with phishing simulations
  • Documented participation

Premium Reduction Example

Control Potential Reduction
MFA on all remote access -10%
EDR on all endpoints -10%
Immutable backups tested quarterly -10%
Managed SOC monitoring -15%
Annual pen test with remediation -5%
Security training with phishing tests -5%
Total Potential Reduction Up to 55%

Note: Actual reductions vary by carrier and aren't always stackable at full value, but mature security programs do translate to significant premium savings.

Other Ways to Lower Costs

Increase Your Retention
Higher deductibles = lower premiums. If you can absorb the first $50,000-$100,000 of an incident, your premium drops.

Right-Size Your Limits
Don't over-insure. Work with a broker to determine appropriate limits based on your actual exposure.

Consider Aggregate vs. Per-Incident Limits
Understand how your policy pays out. Some policies have an annual aggregate that all claims count against.

Bundle Policies
Some carriers offer discounts if you bundle cyber with other lines (property, liability, D&O).

Shop Around
Cyber insurance markets vary significantly. A broker with cannabis experience can access markets you might not find directly.

Choosing the Right Coverage

Coverage Limits

How much coverage do you need? Consider:

First-Party Costs:

  • Forensic investigation: $50,000-$250,000
  • System restoration: $100,000-$500,000
  • Business interruption: Your revenue × estimated downtime
  • Notification costs: $150-$300 × number of records
  • Credit monitoring: $10-$50 × affected individuals

Third-Party Exposure:

  • Regulatory fines: Varies by state (CCPA: up to $7,500 per intentional violation)
  • Class action settlements: $100-$200+ per affected individual is common
  • Legal defense: $500,000+ for complex litigation

Rule of Thumb:

  • Small dispensary (1 location, <50K customers): $1-2M minimum
  • Multi-location operation (50K-200K customers): $3-5M minimum
  • Enterprise (200K+ customers): $5-10M+ minimum

Key Policy Terms

Retention (Deductible)
Amount you pay before coverage kicks in. Cannabis policies often have higher retentions ($25,000-$100,000 or more).

Waiting Period (Business Interruption)
Hours/days you must absorb before BI coverage activates. Typically 8-24 hours.

Retroactive Date
How far back coverage extends for incidents discovered during the policy period. "Full prior acts" is ideal.

Sub-Limits
Specific limits within your overall limit for categories like ransomware, social engineering, or regulatory fines. Watch these—they can be surprisingly low.

Consent Clause
Whether you need carrier approval before incurring expenses (hiring forensics, paying ransom, etc.). Understand these requirements before an incident.

Cannabis-Specific Considerations

Federal Illegality
Some policies exclude "illegal activity." Ensure your policy has a specific cannabis carve-out or endorsement.

Banking Limitations
If your incident involves payment processing, understand how your policy handles cannabis banking complications.

Regulatory Environment
State regulators may impose fines. Verify your policy covers regulatory proceedings in your state.

THC vs. CBD
If you also handle CBD products, understand whether the same policy covers both or if you need separate coverage.

Working with Brokers

For cannabis cyber insurance, working with an experienced broker is almost mandatory.

What a Good Broker Does

  • Access to Markets: Many cyber carriers won't work directly with cannabis businesses. Brokers have relationships that open doors.
  • Application Support: They help you present your security posture effectively.
  • Coverage Analysis: They explain policy differences and exclusions you might miss.
  • Claims Advocacy: When you have a claim, they fight for coverage on your behalf.

Questions to Ask Potential Brokers

  1. "How many cannabis businesses have you placed cyber insurance for?"
  2. "Which carriers are willing to write cannabis cyber policies?"
  3. "Can you show me sample policy language addressing federal illegality?"
  4. "What's your claims support process?"
  5. "How do you stay current on cannabis regulatory changes?"

Broker Red Flags

🚩 "We can definitely get you coverage" (without asking any security questions)
🚩 No experience with cannabis clients
🚩 Unable to explain policy exclusions
🚩 Pushes one carrier without comparing options
🚩 Won't discuss premium reduction strategies

When Claims Happen

Understanding the claims process before you need it is crucial.

Immediate Steps

1. Notify Your Carrier
Most policies require notification within 24-72 hours of discovering an incident. Don't wait until you know everything—notify early.

2. Document Everything
Keep records of:

  • When you discovered the incident
  • What you observed
  • Actions you took
  • Expenses you incurred

3. Follow the Policy
Read your policy's claims section. Common requirements include:

  • Using carrier-approved forensics firms
  • Getting consent before paying ransom
  • Coordinating legal response through carrier panel counsel
  • Preserving evidence

What Can Derail Claims

Failure to Maintain Security Controls
If your application stated you had MFA everywhere, but you disabled it, expect claim denial. Representations on your application are conditions of coverage.

Late Notification
Missing notification deadlines can result in claim denial or reduced coverage.

Unauthorized Expenses
Hiring your own forensics firm without carrier consent may result in those costs not being covered.

Prior Knowledge
If you knew about a vulnerability or incident before the policy started and didn't disclose it, the claim may be denied.

Working with the Carrier

During a claim:

  • Be responsive to information requests
  • Coordinate all communications through your broker
  • Keep your own documentation
  • Don't admit fault publicly
  • Follow carrier guidance on communications

Building Your Insurance-Ready Security Program

Here's a roadmap to becoming attractive to underwriters:

Phase 1: Foundations (Month 1-2)

  • [ ] Implement MFA on all remote access and email
  • [ ] Deploy EDR on all endpoints
  • [ ] Establish immutable/offline backups
  • [ ] Enable email filtering and anti-phishing
  • [ ] Document current security controls

Phase 2: Enhancement (Month 2-4)

  • [ ] Develop incident response plan
  • [ ] Implement patch management policy
  • [ ] Conduct security awareness training
  • [ ] Segment POS and compliance networks
  • [ ] Engage MSSP for monitoring (if not internal)

Phase 3: Maturity (Month 4-6)

  • [ ] Conduct penetration test
  • [ ] Remediate pen test findings
  • [ ] Perform tabletop exercise
  • [ ] Complete vendor security assessments
  • [ ] Document all policies and procedures

Phase 4: Insurance Application (Month 6)

  • [ ] Engage experienced cannabis broker
  • [ ] Gather evidence of security controls
  • [ ] Complete application with detailed responses
  • [ ] Respond promptly to underwriter questions
  • [ ] Review policy carefully before binding

Resources

Finding Cannabis Cyber Insurance

Brokers with Cannabis Experience:

  • Hub International (cannabis practice)
  • Risk Strategies (cannabis division)
  • Brown & Brown (specialty cannabis team)
  • Crouse & Associates (cannabis insurance specialists)

Direct Markets (Limited):

  • Some Lloyd's syndicates write cannabis
  • Specialty E&S carriers
  • State-specific options vary

Security Standards

  • NIST Cybersecurity Framework
  • CIS Controls
  • SOC 2 (for your own organization)

Cannabis Industry Resources

  • Cannabis ISAO (threat intelligence)
  • NCIA Risk Management Resources
  • State cannabis authority guidance

The Bottom Line

Cyber insurance isn't a replacement for security—it's a complement. The best protection is preventing incidents in the first place. But when prevention fails, insurance provides the financial safety net that keeps your business alive.

For cannabis businesses, getting covered requires:

  1. Mature security controls (especially MFA, EDR, and backups)
  2. Experienced broker (cannabis and cyber expertise)
  3. Transparent application (honest answers, documented controls)
  4. Ongoing maintenance (security isn't set-and-forget)

The carriers who write cannabis cyber policies want to see that you take security seriously. Demonstrate that commitment through your controls, your documentation, and your culture—and coverage becomes achievable.

Don't wait for a breach to figure out you're uninsured. Start the process now.

CannaSecure helps cannabis businesses build insurance-ready security programs. Contact us for security assessments and insurance preparation guidance.

Read more