Tag Archives: risk

Current Trends in Banking for Cannabis-Related Businesses

By Paula Durham, CFE, CCCE
No Comments

Cannabis is still federally illegal and is included on Schedule 1 of the Controlled Substances Act (CSA), along with such other substances as heroin, fentanyl and methamphetamines.1 It is a federal crime to grow, possess or sell cannabis.

Despite being federally illegal, 36 U.S. states and the District of Columbia have legalized the sale and use of cannabis for medical and/or adult use purposes,2 and both direct and indirect cannabis-related businesses (CRBs) are growing at a rapid rate. Revenue from medical and adult use cannabis sales in the US in 2019 is estimated to have reached $10.6B-$13B and is on track to reach nearly $37B in 2024.3

Because the sale of cannabis is federally illegal, financial institutions face a dilemma when deciding to provide services to CRBs. Should they take a significant legal risk or stay out of the market and miss out on a significant revenue opportunity? So far, the vast majority of financial institutions have been unwilling to take the risk, resulting in a dearth of options for CRB’s. Until recently, cannabis business operators had few options for financial services, but times are changing.

This piece will discuss current trends in banking for cannabis-related businesses. We will cover differences in legality at state and federal levels, complexities in dealing in cash versus digital currencies, Congressional actions impacting banking and CRBs and how banking is changing. The explosion of state legalization of cannabis over the past several years has had a strong ripple effect across the US economy, touching many industries both directly and indirectly. Understanding the implications of doing business with a CRB is both challenging and necessary.

Feds Versus States

Money laundering is the process used to conceal the existence, illegal source or illegal application of funds.4 In 1986 Congress enacted the Money Laundering Control Act (MLCA), which makes it a federal crime to engage in certain financial and monetary transactions with the proceeds of “specified unlawful activity.”5 Therefore, CRB transactions are technically illegal transactions under the MLCA.

Financial institutions therefore face a risk of violating the MLCA if they choose to do business with CRBs, even in states where cannabis operations are permitted. In addition, financial institutions could also face criminal liability under the Bank Secrecy Act (BSA) for failing to identify or report financial transactions that involve the proceeds of cannabis businesses operating legally under state law.6

Federal authorities continued to aggressively enforce federal cannabis laws

In short, because cannabis is illegal at the federal level, processing funds derived from CRBs could be considered aiding and abetting criminal activity or money laundering. States, however, began legalizing cannabis in 1996, and by 2009, thirteen states had laws allowing cannabis possession and use.7 Despite this legislation, federal authorities continued to aggressively enforce federal cannabis laws.8 That changed under the Obama administration when, shortly after being elected, President Obama stated that his administration would not target legal CRB’s who were abiding by state laws.[9] In an attempt to provide clarity in this murky environment, beginning in 2009, the Department of Justice (DOJ) issued three memos designed to guide federal prosecutors in this area. However, none of the DOJ memos issued from 2009 through 2013 addressed potential financial crime related to the legal sale or distribution of cannabis in states allowing the use of medicinal or recreational cannabis.

To assist financial institutions in navigating potential financial crime implications of banking CRBs, the Financial Crimes Enforcement Network (FinCen) issued guidance in 2014 that clarified how financial institutions could conduct business with CRBs and maintain compliance with their Bank Secrecy Act requirements (2014 Guidance).9 According to the 2014 Guidance, financial institutions may choose to interact with CRBs based on factors specific to each institution, including the institution’s business objectives, the evaluated risks associated with offering such services, and its ability to manage those risks effectively.

The 2014 Guidance requires those who choose to provide services to CRBs to design and implement a thorough customer due diligence review that includes, in part, analyzing the licensing of the entity, developing an understanding of the business operations of the entity, and ongoing monitoring of the entity.9 In addition, financial institutions are required to file a Suspicious Activity Report (SAR) for every transaction they process for a CRB, should they choose to accept the business.

Although the 2014 Guidance does outline a path for financial institutions to engage with CRBs, it does not change federal law and, therefore, does not eliminate the legal risk to financial institutions.10 By its very nature, the 2014 Guidance was a temporary fix, subject to changing views of different administrations, evidenced by the fact that all three of the DOJ guidance documents noted above were rescinded by then Attorney General Jeff Sessions on January 4, 2018.12 The DOJ enforcement posture could change once again in a Biden administration. Biden is on record as favoring decriminalization, and Attorney General candidate Merrick Garland has stated that if confirmed he will deprioritize enforcement of low-level cannabis crimes. Garland also believes using limited government resources to pursue prosecution of cannabis crimes states where cannabis is legal does not make sense.12

Because of the uncertainty and high risk, most banks remain unwilling to serve CRBs. Those that do serve CRBs charge exorbitant fees (fees of $750-$1,000 or more per account per month are not uncommon), pricing many smaller operators out of the financial services market.

Cash is King – Or Is It?

Cannabis operators have discovered the old adage “cash is king” is not necessarily true when it comes to the cannabis space. Bank-less CRBs are forced to utilize cash to pay business expenses, which can be particularly difficult. Utility companies, payroll companies, and taxing authorities are just some of the providers that are difficult, if not impossible, to pay in cash. For example, cannabis operators have been turned away from IRS offices when attempting to pay large federal tax obligations in cash. Likewise, cannabis operators have been unable to utilize payroll processing companies to administer payroll and benefits for their businesses because the processors won’t take cash. CRBs can’t use Amazon or other online retailers because online providers cannot accept cash.

Because dealing in cash is so difficult, CRB operators look for workarounds such as using personal credit/debit cards to purchase business equipment and supplies. This doesn’t eliminate the cash problem, however, because the credit card holder will likely have to accept cash as reimbursement. Such transactions could be considered an attempt to hide the source of the cash, which is, by definition, money laundering.

CRBs often have large sums of money onsite

Some bank-less CRBs try to skirt the system by obtaining bank accounts in the name of management companies or other entities one step removed from the actual business. While operators often choose this route in an effort to streamline business and operate out of the shadows, it again runs afoul of banking laws. Transferring cannabis related financial transactions to another entity is actually the very definition of money laundering – which, as noted above, is defined as the process used to conceal the existence or source of “illegal” funds.

In addition to the difficulties in making payments or purchasing business supplies, operating in a cash-heavy environment poses significant safety risks for cannabis operators. CRBs often have large sums of money onsite and transport large sums of cash when purchasing product or paying bills, making them a target for robbery. In 2017, there was a spate of dispensary robberies across the Phoenix Metro area, including one at Bloom Dispensary that took place during operating hours.13

Managing all that cash increases the cost of doing business as well, in the form of increased labor, insurance, and security costs. Cash must be counted and double counted, which can be time consuming for staff, not to mention the time it takes to deliver physical cash payments to hither and yon. Ironically, lack of banking significantly decreases transparency and clouds the waters of compliance, as operating strictly in cash makes it easier to manipulate reported financial results.

Potential Congressional Solutions

In recent years Congress has undertaken several efforts to pass legislation designed to address the state/federal divide on cannabis, which would likely clear the way for financial institutions to provide services to CRBs, including:

  • R. 1595 – Secure and Fair Enforcement Banking Act of 2019 (“SAFE Act”);
  • 1028 & H.R. 2093 – Strengthening the Tenth Amendment Through Entrusting States Act (STATES Act); and
  • 2227 – Marijuana Opportunity Reinvestment and Expungement Act of 2019 (MORE Act).

The climate in Washington DC, however, did not allow any of these initiatives to pass both houses of congress. Had any been sent to the White House, President Trump was unlikely to sign them into law.

The cannabis industry has new reason to believe reform is on the horizon with shift in political leadership in the White House and Senate. Newly anointed Senate Majority Leader Chuck Schumer recently committed to making federal cannabis reform a priority, and President Biden appears committed to decriminalization, reviving the hope of passage of one of these pieces of legislation.

The Changing Banking Landscape

Even though there is little in the way of formal protections for financial institutions, and with the timeline for a legislative fix unknown, an increasing number of banks are working with cannabis operators.

According to FinCen statistics, there were approximately 695 financial institutions actively involved with CRBs as of June 30, 2020. It is important to note that these statistics are based on SAR filings, which banks are required to file when an account or transaction is suspected of being affiliated with a cannabis business. However, some of these SARs may have been generated on genuine suspicious activity rather than on a transaction with a known cannabis customer.

Number of Depository Institutions Actively Banking
Cannabis-Related Businesses in the United States
(Reported in SARS)14

There are arguably more banking institutions offering services to CRBs than ever before. The challenges for CRBs are (1) finding an institution that is willing to offer services; (2) building/maintaining a compliance regime that will be acceptable to that institution; and (3) cost, given the high fees associated with these types of accounts. 

How CRBs Get Accepted by Banks

The gap between CRBs’ need for banking and the financial services providers’ sparse and expensive offerings to the sector has created an opportunity for third-party firms to intervene and provide a compliance structure that will satisfy the needs of the financial institutions, making it easier for the CRB to find a bank.

These third-party firms perform extensive BSA-compliant due diligence on applicants to ensure potential customers are following FinCen guidance required to receive banking services. After the completion of due diligence, they connect the CRBs with financial institutions that are willing to do business with CRBs and provide checking/savings accounts, check writing capability, and merchant processor accounts. These firms often provide additional services such as armored car and cash vaulting services. Some of these firms also offer vendor screening, pre-approving vendors before any payments can be made.

One such firm, Safe Harbor Private Banking, started as a project implemented by the CEO of Partners Credit Union in Denver, Colorado, who set out to design a cannabis banking program that would allow Partners to do business with Colorado CRBs.15 The program was successful and has since expanded into other states who have legalized cannabis. Other operators include Dama Financial and NaturePay.

While these services offer hope for many CRBs, the downside is cost. These services perform the operations necessary to find, open, and maintain a compliant bank account; however, the costs of compliance are still high, pricing some small operators out of the market.

Is Digital Currency an Answer?

 Digital currency is also making its way into the cannabis world. Digital currency, or cryptocurrency, is a medium of exchange that utilizes a decentralized ledger to record transactions, otherwise known as a blockchain. One of the largest benefits of blockchain is that it is a secure, incorruptible digital ledger used for, among other things, financial transactions.16 Blockchain technology offers CRBs a transparent and immutable audit trail for business and financial transactions. Several cannabis-specific cryptocurrencies have sprung up in the past several years, including PotCoin, CannabisCoin, and DopeCoin, to name a few.

In July 2019, Arizona approved cryptocurrency startup ALTA to offer services to the state’s medical cannabis operators.17 ALTA describes itself as a “digital payment club where cash-intensive businesses pay each other using digital tokens instead of cash.”18 ALTA members purchase digital tokens that are used to pay other members using a proprietary blockchain based system. The tokens are redeemable for US dollars at a stable rate of 1:1, and CRBs do not need a bank account to participate in the ALTA program.

ALTA proposes to pick up members’ cash and exchanges it for tokens, which are then used to pay other members for goods and services. Tokens may be redeemed for cash at any time.18 The company has been approved by the Arizona State Attorney General, and one of the first members they hope to enlist is the Arizona Department of Revenue (ADOR). Enlisting ADOR into the program would allow dispensary members to pay state taxes digitally rather than hauling large amounts of cash to ADOR offices.

Similarly, Nevada recently contracted with Multichain Ventures to supply a digital currency solution to the Nevada cannabis industry. Nevada Assembly Bill 466 requires the state create a pilot program to design a “closed loop” system like Venmo in an effort to reduce cash transactions in the cannabis sector. Like ALTA, Nevada’s proposed system will convert cash to tokens which can then be transacted between system participants.19

While both proposals are promising for Arizona and Nevada CRBs, the timeline as to when, or if, these offerings will come online is unknown. Action on cannabis reform at the federal level may render these options moot.

Looking to the Future

Although states are legalizing cannabis in one form or another in growing numbers, the fact that cannabis is still federally illegal poses a significant barrier to accessing the financial services market for CRBs. While most banks are still reluctant to offer services to this rapidly growing industry, there are more banks than ever before willing to participate in the cannabis industry. Recent changes in leadership in Washington DC offer a positive outlook for cannabis reform at the federal level.

As the “green rush” continues to envelop the country, financial services options available to CRBs are slowly growing. Many new options are now available to help CRBs find a bank, develop compliance programs, and manage the cash related problems encountered by most CRBs. However, these solutions may be out of reach for the budget-conscious small operator. Also, there are a number of cryptocurrency solutions designed specifically for CRBs; however, when, or if, these solutions will gain significant traction is still unknown.


References

  1. Controlled Substances Act, 21 U.S.C., Subchapter I, Part B, §812.
  2. “State Marijuana Laws”; National Conference of State Legislatures, February 19, 2021.
  3. “Exclusive: US Retail Marijuana Sales On Pace to Rise 40% in 2020, near $37B by 2024”. Marijuana Business Daily, June 30, 2020.
  4. Kaufman, Irving. “The Cash Connection: Organized Crime, Financial Institutions, and Money Laundering”. Interim Report to the President, October 1984.
  5. S. Code § 1956 – Laundering of Monetary Instruments.
  6. Rowe, Robert. “Compliance and the Cannabis Conundrum.” ABA Banking Journal, September 11, 2016.
  7. “History of Marijuana as a Medicine – 2900 BC to Present”. ProCon.org, December 4, 2020.
  8. Truble, Sarah and Kasai, Nathan. “The Past – and Future – of Federal Marijuana Enforcement”. org, May 12, 2017.
  9. FIN-2014-G001, BSA Expectations Regarding Marijuana-Related Businesses.
  10. Cannabis Banking Coalition Statement.
  11. Sessions, Jefferson B. “Memorandum for All United States Attorneys”. January 4, 2018.
  12. “Attorney General Nominee Garland Signals Friendlier Marijuana Stance”. Marijuana Business Daily, February 22, 2021.
  13. Stern, Ray. “Robbers Hitting Phoenix Medical Marijuana Dispensaries: Is Bank Reform Needed?” The Phoenix New Times, April 11, 2017.
  14. FinCen Marijuana Banking Update, June 30, 2020.
  15. Mandelbaum, Robb. “Where Pot Entrepreneurs Go When the Banks Just Say No.” The New York Times, January 4, 2018.
  16. Rosic, Ameer. “What is Blockchain Technology? A Step-by-Step Guide for Beginners.” com, 2016.
  17. Emem, Mark. “Marijuana Stablecoin Asked to Play in Arizona Fintech Sandbox.” CCN.com, October 25, 2019.
  18. http:\\Whatisalta.com\
  19. Wagner, Michael, CFA. “Multichain Ventures Secures Public Sector Contract with Nevada to Supply Tokenized Financial Ecosystem for the Legal Cannabis Industry”, January 26, 2021.

How Effective is Your Internal Auditing Program?

By David Vaillencourt
No Comments

The word “audit” evokes various emotions depending on your role in an organization and the context of the audit. While most are familiar with and loathe the IRS’s potential for a tax audit, the audits we are going to discuss today are (or should be) welcomed – proactive internal quality audits. A softer term that is also acceptable is “self-assessment.” These are independent assessments conducted to determine how effective an organization’s risk management, processes and general governance is. 

“How do you know where you’re going if you don’t know where you’ve been” – Maya Angelou

Internal quality audits are critical to ensuring the safety of products, workers, consumers and the environment. When planned and performed periodically, these audits provide credible, consistent and objective evidence to inform the organization of its risks, weaknesses and opportunities for improvement. Ask yourself the question: do your clients/vendors rely on you to produce reliable, consistent and safe products? Assuming the answer is yes, what confidence do you have, and where is the documented evidence to support it?

Compliance units within cannabis businesses are typically responsible for ensuring a business stays legally compliant with state and federal regulations. This level of minimum compliance is critical to prevent fines and ensure licenses are not revoked. However, compliance audits rarely include fundamental components that leave cannabis operators exposed to many unnecessary risks.

Internal quality audits are critical to ensuring the safety of products, workers, consumers and the environment.

As a producer of medical and adult-use products that are ingested, inhaled or consumed in other forms by our friends, family and neighbors, how can you be sure that these products are produced safely and consistently? Are you confident that the legal requirements mandated by your state cannabis control board are sufficient? Judging by the number of recalls and frustrations voiced by the industry regarding the myriad of regulations, I would bet the answer is no.

What questions do internal audits address? Some examples include:

  • Are you operating as management intends?
  • How effective is your system in meeting specified objectives? These objectives could include quality metrics of your products, on-time delivery rates and other client/customer satisfaction metrics.
  • Are there opportunities to improve?
  • Are you doing what you say you do (in your SOPs), and do you have the recorded evidence (records) to prove it?
  • Are you meeting the requirements of all applicable government regulations?

There are potential drawbacks to internal audits. For one, as impartiality is essential in internal audits, it may be challenging to identify an impartial internal auditor in a small operation. If your team always feels like it is in firefighting mode, it may feel like a luxury to take the time to pull members out of their day-to-day duties and disrupt ongoing operations for an audit. Some fear that as internal assessments are meant to be more thorough than external assessments, a laundry list of to-do items may be uncovered due to the audit. But, these self-assessments often uncover issues that have resulted in operational efficiencies in the first place. This resulting “laundry list” then affords a proactive tool to implement corrective actions in an organized manner that can prevent the recurrence of major issues, as well as prevent new issues. The benefits of internal audits outweigh the drawbacks; not to mention, conducting internal audits is required by nearly every globally-recognized program, both voluntary (e.g. ISO 9001 or ASTM Internationals’s Cannabis Certification Program) and government required programs such as 21 CFR 211 for Pharmaceuticals.

Internal Auditing is a catalyst for improving an organization’s effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business processes. Additional benefits of internal audits include giving your organization the means to:

  • Ensure compliance to the requirements of internal, international and industry standards as well as regulations and customer requirements
  • Determine the effectiveness of the implemented system in meeting specified objectives (quality, environmental, financial)
  • Explore opportunities for improvement
  • Meet statutory and regulatory requirements
  • Provide feedback to Top Management
  • Lower the cost of poor quality

Findings from all audits must be addressed. This is typically done in accordance with a CAPA (Corrective Action Preventive Action) program. To many unfamiliar with Quality Management Systems, this may be a new term. As of Jan 1, 2021, this is now a requirement for all cannabis licensed operators in Colorado. Many other states require a CAPA program or similar. Continuing education units (CEUs) are available through ASTM International’s CAPA training program, which was developed specifically for the cannabis industry.

Examples of common audit findings that require CAPAs include:

  • Calibration – Production and test equipment must be calibrated to ensure they provide accurate and repeatable results.
  • Document and record control – Documents and records need to be readily accessible but protected from unintended use.
  • Supplier management – Most standards have various requirements for supplier management that may include auditing suppliers, monitoring supplier performance, only using suppliers certified to specific standards, etc.
  • Internal audits – Believe it or not, since internal audits are required by many programs, it’s not uncommon to have a finding related to internal audits! Findings from an internal audit can include not conducting audits on schedule, not addressing audit findings or not having a properly qualified internal auditor. Are you looking for more guidance? Last year, members of ASTM International’s D37 Committee on Cannabis approved a Standard Guide for Cannabis and Hemp Operation Compliance Audits, ASTM D8308-21.

If you are still on the fence about the value of an internal audit, given the option of an inspector uncovering a non-conformance or your own team discovering and then correcting it, which would you prefer? With fines easily exceeding $100,000 by many cannabis enforcement units, the answer should be clear. Internal audits are a valuable tool that should not be feared.

HUB International Announces New Cannabis Specialty Leader

By Cannabis Industry Journal Staff
No Comments

HUB International, a leading insurance brokerage serving the cannabis industry, just announced today their new U.S. cannabis specialty leader. Bradley Rutt, senior vice president at HUB and Cannabis Industry Journal contributor, will now take the lead on cannabis insurance for the brokerage.

Bradley Rutt, senior vice president and U.S. cannabis specialty leader at HUB International

Rutt will work alongside Jay Virdi, another frequent CIJ contributor and chief sales officer of cannabis specialty at HUB to support the practice strategy on a national level. Rutt’s role will put him in charge of expanding HUB’s growth in the cannabis space as well as “enhancing cannabis insurance solutions and risk services, further developing cutting-edge resources for clients to support their needs, and attracting and retaining talent to deepen knowledge and expertise to help cannabis clients thrive.”

Rutt’s role as senior vice president has been to specialize in cannabis executive liability, working with public and private management services organizations to develop insurance and risk management programs. “Brad is an industry leader, and his diverse experience and deep understanding of the cannabis industry to insure its unique risks will play a critical role in continuing to strengthen our practice,” says Jay Virdi. “More importantly, we continue our commitment as trusted advisors to our clients to provide them with relevant support and solutions to help them continue to grow.”

Growing the Seed of Sale: Integrating Security with Business Opportunity

By Ryan Schonfeld
No Comments

Anyone in the cannabis industry is well aware that theft of crops can economically devastate a grower. Security is critical, and thankfully, growers and dispensaries have many tools available to protect their investment. There is simply no excuse for not having a solid security posture to keep your business in compliance, from public-private partnerships to advanced security tools – in fact, it’s required in most jurisdictions.

In 2020, nationwide cannabis sales increased 67%, and support for legal marijuana reached an all-time high of 68%. New Frontier Data found that U.S. legal cannabis market is projected to double to $41.5 billion by 2025.

The industry’s advancement impacts numerous areas such as job and tax revenue creation and providing a wide variety of valuable opportunities. For cannabis facilities to keep up with the market expansion and experience success, they must face two significant challenges: achieving adequate security and efficient business operations. Though both can be seen as separate concerns, growers and producers must merge processes and solutions to tackle the issue as a whole.

Dispensaries are prime targets for burglary. Defending your storefront requires a comprehensive security plan

Along with rapid growth, dispensaries face traditional security risks, such as workplace violence and retail theft, while cybersecurity risks have also become more prevalent. These potential issues make it clear that the stakes are high, and as the potential impact on a business rises, the need for real-time, predictive response increases. Insider threats are another issue plaguing the industry when you look at the rate of theft, diversion and burglary that is attributable to employees.

The cannabis market is complex: it’s expanding rapidly, has to meet essential regulatory requirements and faces high-security risks. Therefore, security needs to be looked at holistically since it can be challenging to determine where a potential threat may originate.

With security top of mind, it is critical to move away from responsive behaviors and seek ways to manage security in a manner that gets ahead of threats, prevent them before they happen and respond to them in real-time. But does a grower or retailer have the time and expertise to manage all this while keeping an eye on how security affects the business?

Remote Security Operations

The ability to comply with government regulations and protect a valuable cannabis crop at all stages of its journey from seed to sale makes security systems a mission-critical asset for cannabis growers. Security operations centers create a safer and more productive environment and provide state-of-the-art tools to protect employees, retail locations and grow facilities. But some businesses in the cannabis market may not have the resources or space to have their centralized security operations, leading them to piece-meal security together or do the best with what they can afford at the time. Running these facilities can also be prohibitively expensive.

Security operations centers create a safer and more productive environment and provide state-of-the-art tools to protect employees, retail locations and grow facilities.

But new options take the process of security off the table. The business can focus on the growth of its core functions. Remote security operations services allow companies to take advantage of advanced security services typically only possible in larger enterprise environments. These services are offered on a subscription basis, delivered through the cloud, and are entirely customizable to detect risks unique to your business operations while saving each company significant expense.

Centralized security operations centers leverage intelligent tools, standard operating procedures and proven analytic methods to provide cannabis facilities with the information and guidance necessary to mitigate issues like retail or grow theft before they can have a significant impact.

The integrated, holistic response center staffed by experienced operators and security experts delivers a comprehensive security and regulatory compliance method. This approach is designed to provide complete data about what is happening across a cannabis business, from seed to sale, and how individual events can impact the company as a whole. As a result, stakeholders get the security intelligence they need, without the high overhead, personnel investments and complex daily management.

For those businesses in the cannabis market looking to supplement their security operations with other workforce but may not have the budget or infrastructure to do so, remote security operations services are something you should consider. With the experts handling all the heavy lifting, leaders can focus on growth. And, right now, in the cannabis industry, the sky is the limit in terms of opportunity.

How Private-Sector-Led Information Sharing Can Transform Cybersecurity in the Cannabis Industry.

By Andy Jabbour, Ben Taylor
No Comments

The cannabis industry’s advancement towards legalization continues to dominate national headlines, from the stance of incoming Attorney General Merrick Garland to deprioritize enforcement of low-level cannabis crimes, Senate Majority Leader Chuck Schumer’s continued advocacy, to the recent passing of legislation in New York, New Mexico and Virginia (the first in the South) to authorize adult-use cannabis. While these updates are likely to intrigue customers and investors alike, they are also sure to draw the attention of cyber criminals who could look at the relative youth of the industry, as well as its rapid growth, as a prime target of opportunity for nefarious acts.

In order to understand risk mitigation best practices across a wide spectrum of private sector industries, this article will first identify the current security environment in order to understand the threats, briefly highlight specific case studies and assess the risks and identify methods that individual organizations, as well as the cannabis industry as a whole, can take action to enhance security and preparedness and to develop resiliency against future attacks.

Understanding the Threats

For an industry that has operated in a largely cash-based system for much of its existence, the idea of security is not foreign. Typically, these concerns focused on physical security implementation. The topic has received plenty of coverage, including a recent article in this journal articulating Important Security Considerations When Designing Cannabis Facilities. While an audit of physical security measures is a valuable part to any all-hazards threat assessment, securing a growing online network – from email to online finances to connected devices within cannabis facilities – can pose more unfamiliar challenges. When consulted for this article, Patten Wood, a former VP of marketing for a prominent west-coast cannabis retail brand noted: “While the topic of cybersecurity is critically important to customers, businesses, and the industry at large, it isn’t top of mind for many of the cannabis companies that I’ve experienced.” Understanding what risks are present is the first step to mitigating them, so we must first discuss several common cyber threats for the cannabis industry.

  • Phishing: Phishing happens when cybercriminals impersonate a trusted individual or entity, typically through email. The goal in this instance is to get the target to share confidential information or download software that can allow unauthorized access into an organization’s network. Phishing is one of the most common types of cyberattacks as it is relatively easy to conduct and surprisingly effective.
  • Ransomware Attacks: Ransomware attacks are used to gain access to a computer network and then lock and encrypt either the entire system or certain sets of high-value files, which can compromise important business information, and impact client and vendor privacy. A ransom is then demanded for restoring access, but paying the ransom comes with its own risk as it doesn’t guarantee the files will be restored. 
  • Cyber Extortion: Similar to ransomware attacks in their design, cyber extortion typically deals with a threat of leaking personal information and will generally demand payment in cryptocurrency in order to maintain their anonymity. 
  • Lumu: 2020 Ransomware Flashcard

    Remote Access Threats: As 2020 has forced organizations to rethink how they conduct business and shift to more remote operations than they had in the past, it can open up several new threats. According to a survey by IT social network SpiceWorks.com, six out of every ten organizations allow their employees to connect their company-issued devices to public Wi-Fi networks. Utilizing unsecured Wi-Fi networks opens the user up to man-in-the-middle attacks, allowing hackers to intercept company data. Unsecure Wi-Fi also brings the threat of malware distribution. An additional consideration with remote workers is the uptick in cyber attacks against remote access software referred to as remote desktop protocol (RDP) attacks. According to Atlas VPN, RDP attacks skyrocketed 241% in 2020 and we’ve seen numerous RDP attacks against critical infrastructure throughout the pandemic and across all industries.

  • Internet of Things (IoT) Leaks: With IoT devices running everything from security systems to automated growing operations, the convenience has been a huge boost for the industry. Unfortunately, many IoT devices don’t have sophisticated built-in security. Another common problem is the tendency of users to keep default passwords upon installation, which can make devices easy for cyber criminals to access. Once they are inside the system, malware can easily be installed, and the actors can move laterally throughout the network.
  • Personal and Medical Record Security: Many cyberattacks expose some level of personal data, whether that be customer, employee or vendor information. An extra consideration for retail operations that either treat medical patients, or medical and adult-use customers, is the additional information they must store about their clients. Medical facilities will maintain protected health information (PHI), which are much more valuable on the dark web than personally identifiable information (PII). But even adult use facilities may keep government-issued ID or other additional information above that of a typical retailer, which makes the potential value of their information much more intriguing for a cybercriminal.

Assessing the Risks

Depending on where your organization lies in the seed to sale chain, you will have different levels of risk for various types of attacks. We briefly discussed ransomware attacks earlier. Ransoms can range widely depending on the size of the organization that is attacked, but the ransom alone isn’t the only risk consideration. Businesses must also factor in the cost of downtime (an average of 18 days in 2020) caused by the ransomware when evaluating the impact to business operations, as well as reputation. While small – medium businesses are absolutely at risk, especially given their relative lack of cybersecurity resources and sophistication, a recent trend involves “Big Game Hunting” where cybercriminals are targeting larger organizations with the potential for bigger paydays. Criminals understand that big business can rarely afford major delays, and may be more able and willing to pay, and pay big, for a return to normal operations.

Group-IB: Ransomware Uncovered

Below are several examples of attacks which have either directly impacted the cannabis industry, or have valuable lessons the industry can learn from.

GrowDiaries: In October 2020 researcher Bob Diachenko discovered that 3.4 million records including passwords, posts, emails and IP addresses were exposed after two open-source application Kibana apps were left exposed online. As a platform for cannabis growers around the world (who are not all growing legally), this type of exposure puts the community at great risk, and can lower user confidence in the product, as well as putting them at personal risk of harm or legal ramifications. The applications being left open is a prime example of either a lack of good cybersecurity policies, or not following through on those policies.

Aurora Cannabis: On December 25th, 2020 Canadian company Aurora Cannabis suffered a data breach when SharePoint and OneDrive were illegally accessed. Included in the data that was compromised was credit card information, government identification, home addresses and banking details. The access point coming through Microsoft cloud software is a prime example of some of the challenges facing businesses who have an increasingly remote workforce yet still need that workforce to access critical (and usually highly sensitive) information.

THSuite: A database owned by seed to sale Point-Of-Sale (POS) software provider THSuite was discovered by researchers in December 2019. The database contained PHI/PII for 30,000 people, with over 85,000 files being exposed. The information that was left accessible included scanned government IDs, personal contact information and medical ID numbers. Clearly this gets into HIPAA territory, which can result in fines of up to $50,000 for every exposed record.

Door Dash: As cannabis delivery apps become more prevalent, it’s good to reference how similar businesses in other industries have been targeted. In May of 2019 nearly 5 million user records were accessed by an unauthorized third party, exposing PII and partial payment card information.  

Taking Action 

On an organizational level, employee training, password hygiene and malware protection are some of the basic and most important steps that should be taken by all organizations. But, if “knowledge is power,” the best defense for any organization against cyber threats is a well-informed organization- including leadership down to the front-line employees. Excellent tools to assist in this are Information Sharing & Analysis Centers/Organizations (ISACs/ISAOs). ISACs were established under a presidential directive in 1998 to enable critical infrastructure owners and operators to share cyber threat information and best practices. The National Council of ISACs currently has over 20 member ISACs including Real Estate, Water, Automotive and Energy. ISAOs were created by a 2015 executive order to encourage cyber threat information sharing within private industry sectors that fall outside of those listed as “critical infrastructure”. Christy Coffey, vice president of operations at the Maritime and Port Security ISAO (MPS-ISAO) says information sharing enabled by the executive order is critical. “We need to accelerate private sector information sharing, and I believe that the ISAO is the vehicle.”

According to Michael Echols, CEO of the International Association of Certified ISAO’s (IACI) at the Kennedy Space Center, security experts have long understood that threat information sharing can allow for better situational awareness and help organizations better identify common threats and ways to address them. “On the other side, hackers in a very documented way are already teaming up and sharing information on new approaches and opportunities to bring more value (to their efforts).” The ongoing crisis surrounding the Microsoft Exchange Server Vulnerability demonstrates that different cybercriminal groups will work simultaneously to abuse system flaws. As of March 5th it was reported that at least 30,000 organizations in the U.S. – and hundreds of thousands worldwide – have backdoors installed which makes them vulnerable to future attacks, including ransomware.

Below are several links to recent products that have been shared by various ISACs/ISAOs, which are provided as an example of the type of information that is commonly shared via these organizations.

If organizations are interested in learning more about enhancing their cybersecurity resiliency through private-sector led information sharing, please reach out to the newly formed Cannabis ISAO at ben@cannabisisao.org 

Why You Should Consider Parametric Insurance to Protect Your Outdoor Cannabis Crop

By Evan Stait
1 Comment

In May 2019, there were 4,400 reports of tornadoes, hail and high winds across the U.S. That’s the highest number of similar weather incidents on record since 2011. This increasing number of weather incidents has a huge effect on the cannabis industry, which has turned more frequently to outdoor cultivation since legalization.

While outdoor cultivation can develop the flavor of the cannabis crop, much like wine, it also brings with it some unique challenges. Each component of the weather – wind, rain, temperature – plays a role in whether a crop succeeds or fails. While conditions one year may easily lead to a bumper crop, the conditions the following year may not be as favorable. And as the weather becomes more volatile due to climate change, growers are ever more at risk, especially when they aren’t insured.

Evan Stait, author and commercial account executive for HUB International

Unfortunately, traditional crop insurance isn’t available for outdoor cannabis cultivators, primarily because of a lack of data on yield performances – and the impact the weather has on yields. Insurance companies don’t create policies until they have the data to back the policy. But meanwhile, the growers are assuming all the risk.

Enter parametric insurance. Parametric insurance is a program that pays out after a certain parameter is met. In the case of cannabis growers, the parameters are weather-related. The policy is triggered when the weather varies from the average – if there is too much rain during a specific period of time, for example, or an occurrence of large hail. Because the policy is related to average weather, it has to be tailored to the specific growing region – which means the parameters for Colorado won’t be the same as a policy for Maine.

For cannabis crops, coverage can be created for the following parameters:

  • Rain (recorded in inches of rainfall over a period of time)
  • Wind (recorded in miles per hour)
  • Early freezing (using recorded temperatures)
  • Hail (measures intensity and size of the hail)
  • Drought (for non-irrigated plots)

Once a parameter has been set, the policy starts to pay out at the strike point, or the average measurement specified in the policy. Coverage continues to pay out until the exhaust point, or the entire limit of the coverage is paid out. It works well because it’s straightforward: The further away from the average, the more the likelihood of catastrophic loss.

Parametric insurance isn’t for everyone. It’s a program designed to fill gaps that exist within the traditional insurance system. Nor is it designed to stand alone. But it can protect outdoor cannabis cultivators from weather risks that are truly beyond their control, especially given the hardening property insurance market.

In addition, it works for two simple reasons:

  1. Simplicity: Recorded weather events leave no room for ambiguity or dispute. You don’t even need an adjuster to guide the claims process. The official weather data proves what happened.
  2. Correlation: There is a high degree of correlation between measurable weather events and potential damage to outdoor crops.

Parametric coverage is not widely available. Many insurance professionals may not even know of it. But with the property insurance market hardening and a growing need to protect you and your cannabis business from weather-related disaster, parametric coverage may be your best bet. Make sure you speak to a broker who knows about it.

Cannabis Industry Journal

Cannabis Property Coverage: Understanding Risk Management & Communication

By Bradley Rutt
No Comments
Cannabis Industry Journal

For cannabis companies, property coverage can cost as much as seven to 10 times what traditional manufacturing and retail outlets pay. That is, of course, because of the inherent hazards involved in manufacturing and selling cannabis, in a difficult insurance market.

For landlords and building owners, taking in a cannabis tenant can be tricky as well. Because of the higher theft and manufacturing risks, many underwriters are unwilling to offer coverage. And, failure by a landlord to disclose a cannabis tenant is likely to result in a denied claim. Keeping property coverage in check by implementing risk management best practices and working to expand coverage and reduce premium costs can propel a cannabis business even further.  

Moreover, some landlords and building owners will require businesses to maintain occurrence-based liability coverage, which is harder to secure when running a cannabis operation. An occurrence-based liability policy is one that covers the renter for an accident occurring during the policy period, regardless of when a claim is made.

Instead, some insurance companies will only cover cannabis business’ high risks with a claims-made policy, or one in which claims must be made during the policy period only. Landlords will often stipulate their requirement for an occurrence-based policy in their lease. That means that cannabis businesses with a claims-made policy could unknowingly be in violation of their lease.

These issues and others have allowed landlords to command premium rent from cannabis business owners who find obtaining the right property coverage difficult.

To calm the rising tide of rent and property coverage costs, cannabis business owners and operators can engage in the following risk management considerations.

 Risk Management Considerations for Facilities with a Cannabis Operation 

Carriers are more likely to provide a policy to cannabis businesses that are doing what they can to minimize their risk. Here are six ways cannabis businesses can reduce their costs, minimize exclusions and obtain broader property coverage.

  1. If you are a retailer, have a plan to prevent or respond in the event of a robbery.
  2. Install and know how to use vaults and safes properly.
  3. Install central station alarms, cameras and other safeguards. Have them tied to your phone for easy access.
  4. Depending on the nature of the operations, install and regularly test fire sprinklers on site to make sure they are in working order.
  5. Consider hiring a third party, properly-insured, armed guard to safeguard your storefront on a regular basis.
  6. Institute industry-known best practices for high-risk manufacturing processes, like oil extraction.

Insurance Considerations for Facilities with a Cannabis Operation 

Risk management is critical to controlling risk, and insurance considerations can help your cannabis business obtain broader coverage and reduce premium costs.

  1. Communicate with your insurance broker.If you’re a landlord and you want to rent to a cannabis tenant, have a conversation with your insurance carrier at least 30 days before the lease begins. Even if you do, there’s a good chance that your carrier will issue a notice of cancellation (NOC) because they don’t want to engage with cannabis risk. On the other hand, if you don’t disclose the new tenant risk, should a claim be filed, it will could be denied, and the non-disclosure could cost you your policy.
  2. Engage a broker/carrier that specializes in cannabis.In such a volatile market, it is important to work with a broker and carrier that specialize in cannabis. This will enable hidden exclusions to be removed and help you procure the best policy and pricing possible for your organization.
  3. Tell your insurance “story.”Let the carrier understand your business and its risks by telling them your “story.” Tell them what your business does well, including current risk management practices and how you’ve been able to reduce claims. This will go a long way toward potentially minimizing premium costs and exclusions and obtaining broader coverage.
  4. Get another set of eyes. Most carriers will require a lengthy application from cannabis businesses in which the carrier may require the business to comply with certain requirements like having an approved safe or vault room. Your business will be held to the requirements stipulated in the application should you sign and submit it. Ask your broker or a reliable attorney to review the contract for anything you may have missed. Some carriers will incorporate the submitted application into the policy. Any changes between policy inception and a claim could cause coverage issues.

The fast-growing nature of the cannabis industry has ushered in a new set of challenges for business owners and operators. Keeping property coverage in check by implementing risk management best practices and working to expand coverage and reduce premium costs can propel a cannabis business even further.

Priorities During the Pandemic: How to Run a Lab Under COVID-19

By Dr. Peter Krause, Udo Lampe
No Comments

During the COVID-19 pandemic, most testing laboratories have been classified as relevant for the system or as carrying out essential activities for national governments. Therefore, it is crucial to maintain activities and optimally assess the changes that are occurring, framed within the spread of the SARS-CoV-2 virus. Analytica Alimentaria GmbH, a testing laboratory with its headquarters in Berlin, Germany and a branch office in Almeria, Spain, decided to focus its management on the analysis of events and the options available, at the legal and employment level, to ensure continuity of activities and reducing, as much as possible, the damage for the parties involved: employees and company. Accredited by the International Accreditation Service (IAS) to ISO/IEC 17025:2017, Analytica Alimentaria GmbH is required to implement risk-based thinking to identify, assess and treat risks and opportunities for the laboratory. Since March 12, 2020 a crisis committee was established, formed by the six members of the company’s management, covering general management, human resources, direction of production, finance and IT. The committee meets every day and it intends to:

  • Minimize the risks of contagion
  • Be able to continue providing the service required by our clients
  • ensure that the company as a whole will survive the economic impact of the crisis
  • Take measures that are within the legality of both countries where the laboratory operates (Spain and Germany),
  • Manage internal and external communication related to the crisis

To achieve correct decision making, daily meetings of the committee were established, to review the situations that were presented day after day and the actions that should be carried out. Each decision was analysed in a prioritized, objective, collaborative and global way.

The basis of the lab’s action plan was a well-developed risk assessment. In addition to the risk of getting a droplet or smear/contact infection with the coronavirus SARS-CoV-2 (risk I) by contact with other people, psychological stress caused by changing working conditions (home office), contact options and information channels were also identified (risk II).

As a result of the risk assessment, the conclusion was that a mix of various measures is the best form of prevention:

  • Keep distance
  • Avoid “super spreader” events
  • Personal hygiene
  • Regular communication between managers and personnel about the current situation and possible scenarios

The risk assessment took both areas into account. The following assessment was developed together with an external specialist and focused on risk I:

Risk I Assessment Protective measures / hygiene plan
Organisation
Working hours and break arrangements High Limit the gathering of people and ensure a minimum distance:

  • Relocated work, break and mealtimes
  • Create fixed groups of shift-working staff
  • Time gap of 20 min. between the shifts
  • Enable home office wherever it is possible
Third party access Moderate Few but “well-known” visitors:

  • Reduce the number of visits and keep internal contacts to a minimum
  • Ensure the contact chain
  • Inform visitors about the internal rules and obtain written consent
Dealing with

suspected cases

High Isolation and immediate leave of the company:

  • Contactless fever measurement (in case of typical symptoms)
  • Leave the company or stay at home
  • If the infection is confirmed, find contact persons (including customers or visitors) and inform them about a possible risk of infection
Contact with other persons
Traffic route from home to work Moderate Avoid public transportation:

  • Take a car, bicycle or go by foot
  • Enable mobile work and teleworking
At work High Always keep a sufficient distance of 2.0 m from people:

  • If minimum distances cannot be maintained, wear protective masks or install physical barriers (acrylic glass)
  • Organize traffic routes so that minimum distances can be maintained (one-way routes, floor markings indicating a distance of 2 m)
  • Use digital meetings instead of physical ones
Sanitary facilities Moderate Remove virus-loaded droplet as often as possible:

  • Provide skin-friendly liquid soaps and towel dispensers
  • Shorten or intensify cleaning intervals
  • Hang out instructions for washing hands at the sink
  • Include instructions for proper hand-disinfection
Canteens, tea kitchens and break rooms High One person per 10 m² = minimum:

  • Reduce the number of chairs per table
  • Informative signs in every room, indicating the maximum number of permitted persons
Ventilation High Diluting or removing bioaerosols (1 µm virus-droplets):

  • Leave as many doors open as possible
  • Regular and documented shock ventilation every 30 minutes or more frequently, depending on the size of window
  • Operate ventilation and air-conditioning systems, since the transmission risk is classified as low here
Use of work equipment Moderate Use tools and work equipment for personal use:

  • Regular cleaning with changing use (PC, hand tools, coffee machine, …)
  • If possible, use gloves when using equipment for a larger number of users
Protective masks Moderate
  • Use of protective masks as an additional measure, indicating that this does not replace keeping distance
  • Recommend wearing masks in commonly used areas and explain that they do not protect yourself, but help to protect others
  • Give clear instructions (written and oral) on how to use a mask correctly and explain the use and purpose of different mask-types
  • Distribute masks freely

A number of guidelines and concrete measures addressing the risks related to health issues are already in place. Those health issues in risk group II are more closely related to the psychological effects of the crisis, however, are also more complex to mitigate. The key strategy is communication and, in particular, actively listening to all employees of the company.

Analytica’s robust company culture, based on values established in coordination with the whole staff, has been of significant help during the crisis. The some 150 staff members are organized by over 22 team coordinators. During the crisis, active communication has been intensified significantly. The crisis management team set up regular alignment meetings with all the coordinators and with individual persons with particular situations. This way, not only was it possible to explain the development of the crisis and the subsequent measures, the conversations with coordinators were also the most important source of information enabling the appropriate decisions. The coordinators, closely aligned and in sync with management, were then able to communicate with their team members with a high degree of confidence. One outcome of the communication was a measure that proved very effective in fortifying trust within the company: all measures and evaluations, as well as a chronological review, are published in a dynamic internal report and are made available, with full transparency, to all staff members. Besides the many individual and group alignment meetings (usually held by video conference), this has been a key measure to establish confidence and security within the company.

On the other hand, the company made a great effort to balance the effect of the general closure of kindergartens and schools in Spain and Germany. Each case where staff members were required to care for children at home was studied individually and agreements were established, adapting shifts and making use of time accounts, to allow childcare at home without significant loss of income.

The success of the measures is shown by the continuous work of both laboratories during the crisis. Besides the personal tragedy of a possible infection, the identified risk to the company has the consequence of a (partial) quarantine due to an infected person in contact with the staff and the consequent loss of work-power which might lead, in extreme cases, to a closure of the laboratory. According to the governmental regulation in Germany, if an infection occurs (confirmed by the health department), contact persons cat. 1 (more than 15 min. contact face to face) are identified and sent to quarantine. Other contact persons, e.g. contact persons cat. 2 (same room without face to face) must be identified quickly with the collaboration of the infected person and notified and, if necessary, sent in quarantine. In this case, there is a confirmed emergency plan that maintains the laboratory’s ability to work, defining replacements and alternative work-flow strategies.

It has been part of our strategy to validate all our measures with the relevant guidance documents made available by the official competent institutions. The German Federal Office for Public Safety and Civil Protection (Bundesamt für Bevölkerungsschutz und Katastrophenhilfe) has published a guide, “Crisis Management in Companies, 9-point Checklist” especially for critical infrastructure companies in the CoVid-19 crisis.

Having been classified as a core business enterprise (Spain) and “relevant to the system” (Germany), we consider it important to use them as a reference to confirm our level of alignment with your proposal for crisis management.

An important effect, relevant to any leader in times of crisis, is that the confirmation of all points of such a checklist provides certain peace of mind regarding the question: Have we done everything we could?

SAFE Banking Act Included in COVID-19 Legislation

By Aaron G. Biros
2 Comments

UPDATE: Late in the evening on May 15, the House of Representatives passed the HEROES package, voting 208-199 (with 23 abstentions). The bill now now heads to the Senate where its fate is more uncertain. 


Earlier today, Speaker Nancy Pelosi debuted the latest piece of legislation to help Americans impacted by the coronavirus pandemic. The Health and Economic Recovery Omnibus Emergency Solutions Act (HEROES Act) is a large bill containing emergency supplemental appropriations more than 1,800 pages long.

On page 1,066, those in the cannabis industry will find a very exciting addition: the Secure and Fair Enforcement (SAFE) Banking Act. For the uninitiated, the SAFE Banking Act would ensure access to financial services for cannabis-related businesses and service providers.

Currently, federally regulated financial institutions face penalties for dealing with cannabis companies due to the Controlled Substances Act. The bill, if passed, would eliminate the possibility of any repercussions for doing business with cannabis companies.

The impact of this bill becoming law would be widespread and immediate for both the cannabis market and banks looking to invest in the cannabis industry. With banks given the green light to conduct business with the cannabis industry, there is no doubt that many financial institutions will rush to the opportunity. Cannabis businesses will benefit greatly, no longer having to deal with massive quantities of cash and gain access to things like loans, bank accounts and credit lines. Furthermore, cannabis companies will benefit from the rush of banks getting in the game, leading to a competitive and affordable banking market.

It is no secret that cannabis businesses have had a cash problem for decades now. Given the coronavirus pandemic, CDC guidelines dictate minimizing the handling of cash and encourage payment options like credit cards. Cannabis businesses dealing with large quantities of cash puts them, their employees, their customers and even regulators at risk.

Aaron Smith, executive director of NCIA

According to Aaron Smith, executive director of the National Cannabis Industry Association (NCIA), the cash problem is a serious, unnecessary health risk. “On behalf of the legal cannabis industry, we commend the congressional leadership for prioritizing public health and safety by including sensible cannabis banking policy in this legislation,” says Smith. “Our industry employs hundreds of thousands of Americans and has been deemed ‘essential’ in most states. It’s critically important that essential cannabis workers are not exposed to unnecessary health risks due to outdated federal banking regulations.”

In fact, it was the NCIA and a handful of other industry organizations that lobbied Congress last week to include language from the SAFE Banking Act in the HEROES Act, citing the known fact that cash can harbor coronavirus and other pathogens, along with the “personal proximity required by cash transactions as reasons for urgency in addition to the other safety and transparency concerns addressed by the legislation.”

The SAFE Banking Act was already approved by the House of Representatives. In September of 2019, the bill made a lot of progress through Congress, but stalled once it made it to the Senate Banking Committee.

The HEROES Act will be debated by the House of Representatives prior to a floor vote. If it passes the House, it moves to the Senate, which is about as far as it made it the last go around. However, because the banking reform is included in coronavirus relief legislation, there is a newborn sense of hope that the bill could be signed into law.

Cannabis Retailers Considered Essential: Safety Tips for Running Dispensaries During COVID19

By Aaron Green
No Comments

Dispensary sales in key US markets (CA, CO, WA, NV) remain up in Q1 2020 over Q1 2019, though the end of March saw sharp declines in sales according to a recent Marijuana Business Daily report. Massachusetts is also on track for record Q1 sales despite the closure of recreational stores, according to a recent BDS Analytics report.

budtenderpic
A bud tender helping customers at a dispensary

While it is still early to say what the impact of COVID-19 will be on dispensary sales into April, it is clear that the cannabis industry’s position as an ‘essential business’ is likely to help. States like Massachusetts are just allowing medical use businesses to remain open while states like California and Washington are allowing cultivators, producers and dispensaries to remain open. Meanwhile, according to Locate.AI’s analysis of retail traffic, the rest of the retail sector is down between 44% and 99% recently, depending on the category.

On March 24, the Washington State Liquor and Cannabis Board declared cannabis an essential industry including producers, processors and retailers. For dispensaries, they are now allowing curbside pick-ups for all adult customers. Colorado has gone further to restrict adult sales to curbside pick-ups only for recreational cannabis. Medical customers are still allowed to enter stores, but must practice social distancing. Across the states, dispensaries are offering curbside and in-store pick-up. In addition, at some dispensaries, delivery fees are being waived for larger purchases.

The International Chamber of Commerce recently published “Coronavirus Guidelines for Business,” summarizing actions businesses can take to reduce risks for operations and employees. Going further, The New England Complex Systems Institute (NECSI) recently published practical business safety guidelines detailing how these essential businesses can stay open and ensure safety. The guidelines, which are typically one to two pages and easily readable, are applicable to dispensaries. Certain suggestions, such as avoiding crowded spaces and maintaining 6ft distance will be familiar. Other suggestions go beyond common advice offering sensible recommendations to reduce risk of transmission as much as possible, such as the following:

Consider setting up one or more ‘necessities only’ sections that enable a short shopping trip for most of the customers. Setting up such short shopping areas outside when weather permits, or at remote locations, can dramatically reduce the shopping density inside the store.” or

Use floor markings or other visual system to indicate a one-way loop (with short cuts, but no back way) inside the store to promote a dominant walking direction and avoid customers crossing paths or crowding.

While many cannabis businesses have already gone beyond recommendations from the local health authorities, there are some that would still benefit from adopting the NECSI Guidelines to further protect their customers and employees. The guidelines are written for laypeople and are easy to print and share.

NECSI’s coronavirus guidelines can be found on the group’s volunteer website endcoronavirus.org.

endCoronavirus.org is a volunteer organization with over 6,000 members built and maintained by the New England Complex Systems Institute (NECSI) and its collaborators. The group specializes in networks, agent-based modeling, multi-scale analysis and complex systems and provides expert information on how to stop COVID-19.

The New England Complex Systems Institute (NECSI) is an independent academic research and educational institution with students, postdoctoral fellows and faculty. In addition to the in-house research team, NECSI has co-faculty, students and affiliates from MIT, Harvard, Brandeis and other universities nationally and internationally.