August 1, 2019
While retailers have always had to deal with threats to physical security, those brick-and-mortar retailers taking advantage of evolving attitudes and laws regarding cannabis are faced with increasing physical and cyber threats, according to a new report from Kroll.
The whitepaper, Growing Cyber Threats Against Cannabis Retailers, authored by Matt Dunn, associate managing director in Kroll’s Cyber Risk practice, highlights the cyber and physical security challenges for marijuana retailers. Because these businesses are not legal under federal laws and it is difficult for them to get bank accounts and card processing, most establishments run cash operations.
“Banks are unwilling to risk violating federal anti-money laundering laws by financing cannabis businesses or supporting these financial transactions for their customers. This presents obvious physical threats to cannabis businesses that are consequently predominantly cash-only transaction facilities,” the report said.
In addition to being a target because of the commodity they sell, cannabis retailers are increasingly becoming prime targets for cybercriminals as well. The healthcare sector has long been the target of cyber attacks because medical records are worth a lot on the Dark Web.
“Medicinal marijuana dispensaries, which maintain protected health information (PHI), [are at risk] as those types of records are much more valuable on dark web forums than common PII due to the additional information they contain,” the report said.
Those states in which the sale of cannabis has been legalized have security mandates that require retailers to incorporate video surveillance in their facilities. The video cameras may add an additional layer to mitigate the risks of physical theft, but they actually increase the likelihood that these retailers could become the victim of a cyber attack, according to Dunn.
“The retention period to maintain this video data ranges from 90 days to one year, depending upon the state. Having your image recorded and stored while you shop for marijuana raises major privacy issues, but the cyber security risks for potential extortion raises the stakes for cannabis retailers,” Dunn wrote.