As the cannabis industry expands in the United States with increasing numbers of states legalizing some production and sales, firms involved in the sector often are looking to buy insurance coverages to protect their business — including cyber liability insurance.

But unlike other sectors where insurers and brokers are aggressively promoting cyber coverage, few insurance market participants offer cyber insurance to cannabis-related companies, experts say.

The federal classification of cannabis as a controlled substance is the main deterrent to insurers entering the field, as legal uncertainty would surround potential claims, they say.

Yet there is demand for coverage as cannabis manufacturers store digital records of their products’ ingredients, much like the pharmaceutical sector, and high-tech growing facilities can be vulnerable to cyberattacks, experts say.

But there is no standard insurance offering for the sector and brokers must court insurers, said Ian A. Stewart, a partner with Wilson Elser Moskowitz Edelman & Dicker LLP in Los Angeles, where he heads the law firm’s cannabis team working with insurers and brokers.

“For a broker to place cyber insurance for cannabis businesses presently, they have to go to discrete markets on a sort of one-off basis,” Mr. Stewart said. Brokers must sometimes “push” insurers to cover cyber risks for cannabis, and an insurer “may look at a potential insured and say OK but not write another,” he said.

Broker sources say cyber capacity is constrained in a market with few participants.

“The marketplace is limited,” said Brian Savitch, senior vice president of financial services with Worldwide Facilities LLC in San Francisco. “There’s a handful of markets that are writing cyber for cannabis.”

Lloyd’s of London, a traditional market for hard-to-place risks, bars syndicates from writing cannabis-related business in the United States due to its federal illegal status. Last year, however, it permitted syndicates to write cannabis business in Canada, which legalized adult recreational use.

“The cyber market itself isn’t all that big — and particularly as it relates to cannabis, certainly much smaller,” said Michael Pieciak, commissioner of the Vermont Department of Financial Regulation in Montpelier, which regulates banks, securities, traditional insurance and captive insurers for the state, where marijuana is legal for both medical and recreational use.

Kyle Burnett, regional vice president of property and head of excess and surplus property for Axa XL, a unit of Axa SA, in New York, says he receives submissions each week and phone calls every month about cannabis-related cyber coverage but the insurer is not covering the risk due to the legal uncertainty.

Alternative risk transfer providers are also looking at the risk.

“Our regulatory people have been very understanding of how hard it is to find some of these niche coverages,” said Kevin Cross, founder of the Specialty Agriculture Risk & Financial Association in Grand Rapids, Michigan, who also serves as vice president of the Specialty Agriculture Insurance Company of Michigan, a captive insurer for Michigan cannabis-related businesses.

Mr. Cross said the association hopes to expand to all 33 states that have medical or recreational cannabis provisions, and that in addition to working on title insurance it is looking to develop a cyber product.

The cannabis industry — from growers to retailers — has cyber exposures like other industries and also has specialty exposures, experts say.

“Cannabis as an industry presents some unique risk exposures,” sharing attributes with the agricultural, manufacturing and pharmaceutical sectors, said Patrick Ryder, vice president and management and professional liability segment leader in Denver for Hub International Ltd.

Tracking and tracing of ingredients, such as plants, generates huge amounts of data that is stored and protected, he said.

“When you’re growing cannabis in California, you’re tracking every single plant you grow.”

A ransomware attack on industrial systems can cause substantial damage, such as if a breach occurred with the system controlling the nutrients and lighting in a growing operation.

As the cannabis industry expands, so too will its data and cyber exposures.

“We’re in the digital age, and that’s the way the way the world is going,” said Mr. Burnett of Axa XL.

“The industry definitely needs additional markets opening for cyber coverage,” said Mr. Stewart of Wilson Elser.

Mr. Savitch of Worldwide said he has placed cyber policies for cannabis-related businesses, mainly with limits of $1 million and $2 million, although he has been quoted limits as high as $5 million.

“It’s challenging to build limits,” he said, adding that although most of the companies buying the coverage are first-time buyers, some of the larger public Canadian companies have “lofty” valuations and “even some (multistate operators) are making $50 million to $200 million annually, which is a pretty sizable company.”

“There is not tremendous capacity; there is not tremendous appetite (from insurers); so to build significant limits has proven to be difficult,” said Mr. Ryder.