Alert: Validating Cyber Risks in the Cannabis Industry

Drawing on information gathered from assets in the underground (involved with the dark web) and conversations with federal authorities, investigations disclosed that, while no specific group is actively targeting the cannabis industry, hackers are focusing on three areas within the Seed to Sale lifecycle: research and extraction; growing; and consumption and retail operations.

Investigations revealed two incidents where intellectual property was stolen by a former employee due to partial or ineffective security practices that were in place. In addition to potential malicious insiders, external threat actors are expected to attack the research portion of the industry in order to steal intellectual property such as the strains being developed, marketing strategies and technology practices related to growing.

The loss or modification of proprietary information such as strain development and cultivation methodology could severely impact the production of future products, result in a tampered or inferior product, or cause the overall loss of a competitive advantage within the industry. While an increased timeline for a future product or loss of IP to a competitor could result in a financial impact, the release of a tampered product could cause not only a financial impact but a reputational one as well.

Security is not at the forefront, and therefore mobile payment applications, which were developed to reduce reliance on the originally heavily cash-based system, are a high target. Mobile applications that are not securely developed or lack appropriate oversight are at risk and provide an attack vector for malicious actors. A successful breach of the application could be used to gain customer financial information, leading to mistrust of the application author and discontinued usage, which in turn has financial and potentially reputational impacts for dispensaries as well as the industry.

As legalization for medical and recreational use increases, the customer base and dispensaries will become higher priority targets. Medical information and Personal Health Information (PHI) are already targets for cyber-crime based on their high value. As with other small businesses and the early stages of a new industry, the protection and security of the computers and networks involved with customer information is minimal or inefficient. Specifically, this involves the Point of Sale system and supporting infrastructure, which are among the most targeted assets; a compromise there would result in the theft of customer information. Once again, a breach of customer information, especially PHI, will not only have a negative impact on the reputation of the dispensary and the industry overall, but could result in HIPAA violations resulting in millions of dollars’ worth of fines.


John V. Pellitteri is a Partner at Grassi and leads the firm's Healthcare and Cannabis Service Practices. Possessing over 30 years of experience in accounting, auditing, tax planning and business consulting, John is now applying his talent to the burgeoning cannabis industry. John possesses comprehensive accounting and taxation knowledge, which combined with his healthcare consulting experience, allows him to provide an all-inclusive assessment of...
