We discussed the need for a cyber policy in our last issue, and this article will examine the components of a cyber policy. First, a short review:

The company “Net Diligence” recently wrote that the cost of a cyber attack could exceed $300,000 for a small organization. While many of these firms were service businesses, not consumer-oriented retailers, nonetheless the final costs often totaled near $2 million which is verified by several sources.

We have discussed that your existing insurance is not adequate. While it may help with certain ad hoc costs, there are many loopholes that insurers will use to accept/avoid the full costs. The simple truth is that regular insurance policies were not designed to protect against cyber damage, which is a new growing threat just being realized/accepted by the conservative insurance industry.

Among the necessary coverages for a meaningful cyber policy are:

1. Response costs which could include the tools of a computer forensic company to do an assessment
2. The fees for notifying your customers
3. Legal costs which are increasing each year because even the law firms have been caught flat-footed
4. Loss of revenue
5. Ransomware to recover data
6. Just the simple loss of revenue you might incur

Marsh & McLennan did a survey of 1,500 organizations and 80% saw cyber as a real risk. There was some anxiety of assessing cyber threats, preventing attacks and responding appropriately. In an era of tech being transformed cannabis businesses must turn to brokers who must have a new mindset about cyber and are selling appropriate coverages.

One of the many issues is how your cyber policy covers new ways of doing business post‑Covid. The policy must cover things like curbside pickup, contactless payments, no-touch sales, virtual staff meetings where important information is discussed, and even pick-up and delivery where the staff/customer may be using mobile devices for transmitting financial information.

So in sum, these are the selling and coverage needs for an adequate cyber risk policy:

• Costs incurred for a forensic investigation to find the weak spots in your system
• Restoration of damaged software, hardware and the system itself
• Legal fees incurred
• Third-party liability costs
• Government assessments/fines
• Financial institution charges (in cannabis this would be debit card, ATM and credit union losses
• Loss of revenue from sales
• Computer fraud

Kanna Knowledge™ recommends a separate policy for cyber even though some CGL, crime, or business property policies may have some coverage. Watch the gaps in your policy; a famed Chinese restaurant company paid the costs of the breach but NOT the $2 million in expenses incurred. And notify your carrier ASAP should a breach occur.

Want to learn more about cyber? The New York Times business section recently ran a great article on Cyber Swindlers. And the U.S. Army has a huge Cyber Command division that is doing all sorts of work for the government. We recommend taking a look at both since Kanna is a valuable, pricey commodity. We’ll see you next month for a final article on cannabis cyber, and be safe.