Tag Archives: security

ASTM Introduces Retail Cybersecurity Standard

By Cannabis Industry Journal Staff
No Comments

ASTM International, the international standards development organization, has proposed a cannabis standard for establishing retail cybersecurity protocols. Their D37 cannabis committee is currently working on the development of the standard.

The standard is designed to establish best practices for protecting critical databases in dispensaries, like inventory data, customer and patient information. The guide, developed by subcommittee D37.05, addresses “the company or government organizational need to mitigate the likelihood of cyberattacks and reduce the extent of potential cyberattacks, which can leave sensitive personal data, corporate information, and critical infrastructure vulnerable to attackers,” reads the scope of the project.

Technical Lead for the subcommittee and president of ezGreen Compliance, Michael Coner, says they hope to provide SOPs for retail operations to protect business data while staying compliant. “Cybersecurity is among the most prevailing issues concerning the cannabis industry as well as the global cannabis economy,” says Coner. “Establishing strong cybersecurity protocols for dispensary retail owners will help ensure the protection of data to maintain the integrity of cannabis consumers’ personal information.”

The ASTM committee is currently inviting stakeholders such as retailers and regulators to help with things like “identifying new data security issues that arise while operating active retail dispensary businesses.”

Growing the Seed of Sale: Integrating Security with Business Opportunity

By Ryan Schonfeld
No Comments

Anyone in the cannabis industry is well aware that theft of crops can economically devastate a grower. Security is critical, and thankfully, growers and dispensaries have many tools available to protect their investment. There is simply no excuse for not having a solid security posture to keep your business in compliance, from public-private partnerships to advanced security tools – in fact, it’s required in most jurisdictions.

In 2020, nationwide cannabis sales increased 67%, and support for legal marijuana reached an all-time high of 68%. New Frontier Data found that U.S. legal cannabis market is projected to double to $41.5 billion by 2025.

The industry’s advancement impacts numerous areas such as job and tax revenue creation and providing a wide variety of valuable opportunities. For cannabis facilities to keep up with the market expansion and experience success, they must face two significant challenges: achieving adequate security and efficient business operations. Though both can be seen as separate concerns, growers and producers must merge processes and solutions to tackle the issue as a whole.

Dispensaries are prime targets for burglary. Defending your storefront requires a comprehensive security plan

Along with rapid growth, dispensaries face traditional security risks, such as workplace violence and retail theft, while cybersecurity risks have also become more prevalent. These potential issues make it clear that the stakes are high, and as the potential impact on a business rises, the need for real-time, predictive response increases. Insider threats are another issue plaguing the industry when you look at the rate of theft, diversion and burglary that is attributable to employees.

The cannabis market is complex: it’s expanding rapidly, has to meet essential regulatory requirements and faces high-security risks. Therefore, security needs to be looked at holistically since it can be challenging to determine where a potential threat may originate.

With security top of mind, it is critical to move away from responsive behaviors and seek ways to manage security in a manner that gets ahead of threats, prevent them before they happen and respond to them in real-time. But does a grower or retailer have the time and expertise to manage all this while keeping an eye on how security affects the business?

Remote Security Operations

The ability to comply with government regulations and protect a valuable cannabis crop at all stages of its journey from seed to sale makes security systems a mission-critical asset for cannabis growers. Security operations centers create a safer and more productive environment and provide state-of-the-art tools to protect employees, retail locations and grow facilities. But some businesses in the cannabis market may not have the resources or space to have their centralized security operations, leading them to piece-meal security together or do the best with what they can afford at the time. Running these facilities can also be prohibitively expensive.

Security operations centers create a safer and more productive environment and provide state-of-the-art tools to protect employees, retail locations and grow facilities.

But new options take the process of security off the table. The business can focus on the growth of its core functions. Remote security operations services allow companies to take advantage of advanced security services typically only possible in larger enterprise environments. These services are offered on a subscription basis, delivered through the cloud, and are entirely customizable to detect risks unique to your business operations while saving each company significant expense.

Centralized security operations centers leverage intelligent tools, standard operating procedures and proven analytic methods to provide cannabis facilities with the information and guidance necessary to mitigate issues like retail or grow theft before they can have a significant impact.

The integrated, holistic response center staffed by experienced operators and security experts delivers a comprehensive security and regulatory compliance method. This approach is designed to provide complete data about what is happening across a cannabis business, from seed to sale, and how individual events can impact the company as a whole. As a result, stakeholders get the security intelligence they need, without the high overhead, personnel investments and complex daily management.

For those businesses in the cannabis market looking to supplement their security operations with other workforce but may not have the budget or infrastructure to do so, remote security operations services are something you should consider. With the experts handling all the heavy lifting, leaders can focus on growth. And, right now, in the cannabis industry, the sky is the limit in terms of opportunity.

How Private-Sector-Led Information Sharing Can Transform Cybersecurity in the Cannabis Industry.

By Andy Jabbour, Ben Taylor
No Comments

The cannabis industry’s advancement towards legalization continues to dominate national headlines, from the stance of incoming Attorney General Merrick Garland to deprioritize enforcement of low-level cannabis crimes, Senate Majority Leader Chuck Schumer’s continued advocacy, to the recent passing of legislation in New York, New Mexico and Virginia (the first in the South) to authorize adult-use cannabis. While these updates are likely to intrigue customers and investors alike, they are also sure to draw the attention of cyber criminals who could look at the relative youth of the industry, as well as its rapid growth, as a prime target of opportunity for nefarious acts.

In order to understand risk mitigation best practices across a wide spectrum of private sector industries, this article will first identify the current security environment in order to understand the threats, briefly highlight specific case studies and assess the risks and identify methods that individual organizations, as well as the cannabis industry as a whole, can take action to enhance security and preparedness and to develop resiliency against future attacks.

Understanding the Threats

For an industry that has operated in a largely cash-based system for much of its existence, the idea of security is not foreign. Typically, these concerns focused on physical security implementation. The topic has received plenty of coverage, including a recent article in this journal articulating Important Security Considerations When Designing Cannabis Facilities. While an audit of physical security measures is a valuable part to any all-hazards threat assessment, securing a growing online network – from email to online finances to connected devices within cannabis facilities – can pose more unfamiliar challenges. When consulted for this article, Patten Wood, a former VP of marketing for a prominent west-coast cannabis retail brand noted: “While the topic of cybersecurity is critically important to customers, businesses, and the industry at large, it isn’t top of mind for many of the cannabis companies that I’ve experienced.” Understanding what risks are present is the first step to mitigating them, so we must first discuss several common cyber threats for the cannabis industry.

  • Phishing: Phishing happens when cybercriminals impersonate a trusted individual or entity, typically through email. The goal in this instance is to get the target to share confidential information or download software that can allow unauthorized access into an organization’s network. Phishing is one of the most common types of cyberattacks as it is relatively easy to conduct and surprisingly effective.
  • Ransomware Attacks: Ransomware attacks are used to gain access to a computer network and then lock and encrypt either the entire system or certain sets of high-value files, which can compromise important business information, and impact client and vendor privacy. A ransom is then demanded for restoring access, but paying the ransom comes with its own risk as it doesn’t guarantee the files will be restored. 
  • Cyber Extortion: Similar to ransomware attacks in their design, cyber extortion typically deals with a threat of leaking personal information and will generally demand payment in cryptocurrency in order to maintain their anonymity. 
  • Lumu: 2020 Ransomware Flashcard

    Remote Access Threats: As 2020 has forced organizations to rethink how they conduct business and shift to more remote operations than they had in the past, it can open up several new threats. According to a survey by IT social network SpiceWorks.com, six out of every ten organizations allow their employees to connect their company-issued devices to public Wi-Fi networks. Utilizing unsecured Wi-Fi networks opens the user up to man-in-the-middle attacks, allowing hackers to intercept company data. Unsecure Wi-Fi also brings the threat of malware distribution. An additional consideration with remote workers is the uptick in cyber attacks against remote access software referred to as remote desktop protocol (RDP) attacks. According to Atlas VPN, RDP attacks skyrocketed 241% in 2020 and we’ve seen numerous RDP attacks against critical infrastructure throughout the pandemic and across all industries.

  • Internet of Things (IoT) Leaks: With IoT devices running everything from security systems to automated growing operations, the convenience has been a huge boost for the industry. Unfortunately, many IoT devices don’t have sophisticated built-in security. Another common problem is the tendency of users to keep default passwords upon installation, which can make devices easy for cyber criminals to access. Once they are inside the system, malware can easily be installed, and the actors can move laterally throughout the network.
  • Personal and Medical Record Security: Many cyberattacks expose some level of personal data, whether that be customer, employee or vendor information. An extra consideration for retail operations that either treat medical patients, or medical and adult-use customers, is the additional information they must store about their clients. Medical facilities will maintain protected health information (PHI), which are much more valuable on the dark web than personally identifiable information (PII). But even adult use facilities may keep government-issued ID or other additional information above that of a typical retailer, which makes the potential value of their information much more intriguing for a cybercriminal.

Assessing the Risks

Depending on where your organization lies in the seed to sale chain, you will have different levels of risk for various types of attacks. We briefly discussed ransomware attacks earlier. Ransoms can range widely depending on the size of the organization that is attacked, but the ransom alone isn’t the only risk consideration. Businesses must also factor in the cost of downtime (an average of 18 days in 2020) caused by the ransomware when evaluating the impact to business operations, as well as reputation. While small – medium businesses are absolutely at risk, especially given their relative lack of cybersecurity resources and sophistication, a recent trend involves “Big Game Hunting” where cybercriminals are targeting larger organizations with the potential for bigger paydays. Criminals understand that big business can rarely afford major delays, and may be more able and willing to pay, and pay big, for a return to normal operations.

Group-IB: Ransomware Uncovered

Below are several examples of attacks which have either directly impacted the cannabis industry, or have valuable lessons the industry can learn from.

GrowDiaries: In October 2020 researcher Bob Diachenko discovered that 3.4 million records including passwords, posts, emails and IP addresses were exposed after two open-source application Kibana apps were left exposed online. As a platform for cannabis growers around the world (who are not all growing legally), this type of exposure puts the community at great risk, and can lower user confidence in the product, as well as putting them at personal risk of harm or legal ramifications. The applications being left open is a prime example of either a lack of good cybersecurity policies, or not following through on those policies.

Aurora Cannabis: On December 25th, 2020 Canadian company Aurora Cannabis suffered a data breach when SharePoint and OneDrive were illegally accessed. Included in the data that was compromised was credit card information, government identification, home addresses and banking details. The access point coming through Microsoft cloud software is a prime example of some of the challenges facing businesses who have an increasingly remote workforce yet still need that workforce to access critical (and usually highly sensitive) information.

THSuite: A database owned by seed to sale Point-Of-Sale (POS) software provider THSuite was discovered by researchers in December 2019. The database contained PHI/PII for 30,000 people, with over 85,000 files being exposed. The information that was left accessible included scanned government IDs, personal contact information and medical ID numbers. Clearly this gets into HIPAA territory, which can result in fines of up to $50,000 for every exposed record.

Door Dash: As cannabis delivery apps become more prevalent, it’s good to reference how similar businesses in other industries have been targeted. In May of 2019 nearly 5 million user records were accessed by an unauthorized third party, exposing PII and partial payment card information.  

Taking Action 

On an organizational level, employee training, password hygiene and malware protection are some of the basic and most important steps that should be taken by all organizations. But, if “knowledge is power,” the best defense for any organization against cyber threats is a well-informed organization- including leadership down to the front-line employees. Excellent tools to assist in this are Information Sharing & Analysis Centers/Organizations (ISACs/ISAOs). ISACs were established under a presidential directive in 1998 to enable critical infrastructure owners and operators to share cyber threat information and best practices. The National Council of ISACs currently has over 20 member ISACs including Real Estate, Water, Automotive and Energy. ISAOs were created by a 2015 executive order to encourage cyber threat information sharing within private industry sectors that fall outside of those listed as “critical infrastructure”. Christy Coffey, vice president of operations at the Maritime and Port Security ISAO (MPS-ISAO) says information sharing enabled by the executive order is critical. “We need to accelerate private sector information sharing, and I believe that the ISAO is the vehicle.”

According to Michael Echols, CEO of the International Association of Certified ISAO’s (IACI) at the Kennedy Space Center, security experts have long understood that threat information sharing can allow for better situational awareness and help organizations better identify common threats and ways to address them. “On the other side, hackers in a very documented way are already teaming up and sharing information on new approaches and opportunities to bring more value (to their efforts).” The ongoing crisis surrounding the Microsoft Exchange Server Vulnerability demonstrates that different cybercriminal groups will work simultaneously to abuse system flaws. As of March 5th it was reported that at least 30,000 organizations in the U.S. – and hundreds of thousands worldwide – have backdoors installed which makes them vulnerable to future attacks, including ransomware.

Below are several links to recent products that have been shared by various ISACs/ISAOs, which are provided as an example of the type of information that is commonly shared via these organizations.

If organizations are interested in learning more about enhancing their cybersecurity resiliency through private-sector led information sharing, please reach out to the newly formed Cannabis ISAO at ben@cannabisisao.org 

Implement These Tips to Quickly Fortify Cannabis Dispensaries

By Heather Bender
No Comments

Based on the recent string of cannabis thefts in Portland, Oregon, the spotlight is shining even brighter on the need for enhanced security measures at cannabis dispensaries throughout the country. According to the Oregon Liquor Control Commission, the Portland metro area alone has experienced more than 120 cannabis shop burglaries since March 2020, resulting in a reported total loss of more than $500,000 in cash and products.

Robbing a cannabis dispensary is as lucrative as robbing a bank. Cash is king in the shops until the Secure and Fair Enforcement (SAFE) Banking Act is passed to prohibit federal banking regulators from penalizing depository institutions that provide banking services to legitimate cannabis businesses. Until the Act is passed, it is widely known that all transactions must be done in cash—which makes cannabis dispensaries a prime target for thieves.

Dispensaries are prime targets for burglary. Defending your storefront requires a comprehensive security plan.

While many security protocols—such as product traceability systems and security cameras—are mandated by each individual state, dispensary owners should take measures to actively secure their product, protect their employees and preserve their businesses as theft increases.

One of the quickest and most cost-effective ways to fortify shop security is by implementing rolling security doors. After determining what level of security is needed, consider these four tips to help deter criminal activity and ensure the safety of both employees and products.

Tip 1 – Defend The Storefront
Designed to prevent against looting events and burglaries, heavy-duty rolling steel doors offer cannabis business owners robust security. They can be retrofitted into existing buildings, are exterior mounted and are ideal for storefront defense—including protecting glass windows, which can be expensive to replace. Unlike more common rolling grilles, thieves can’t see merchandise when the rolling door is lowered. In addition to the door giving the building a secure look, blocking sight access is key to deterring criminals.

Heavy-duty steel doors must also be lift- and pry-resistant. Manufacturers put the doors through rigorous testing, and some security doors even meet Department of Defense forced entry standards, which can provide up to an hour of protection against violent attacks against the door to gain entry. Look for rolling security doors that can withstand heavy impact and resist pry attempts with common tools, as well as doors that are lift resistant. Some manufacturers offer doors with robust slide locks and rigid heavy-duty bottom bars, enabling the doors to withstand up to 4,500 lbs of lifting effort.

Tip 2 – Protect While Allowing Visibility and Airflow
If product visibility is desired, but more robust security is needed at the storefront—beyond a security measure such as impact glass—a heavy-duty security grille is an excellent choice. Security grilles are easy to custom order and don’t require structural modifications to fit individual spaces. They are easily installed behind storefront glass, are compact enough to remain out of sight when not in use and require little maintenance.

Strong rolling service doors can protect delivery entrances well

It’s important to work with a manufacturer to select a rolling grille that provides dependable, increased security. Choose grille curtains with rods that are spaced closer together and have heavier links. Security grilles with these features are harder to lift and pry than standard rolling grilles.

Rolling security grilles are also an ideal solution to protect counters inside the dispensary. They can be easily concealed in small headspaces where there is limited ceiling room.

Tip 3 – Fortify A Store Within A Store
For cannabis dispensaries located within high-end retail shops, it is important to consider additional security measures to separate the dispensary from the rest of the store.

A metal grille can be a good barrier for a store within store

A store within a store may be subject to different hours of operation as states often dictate specific operating hours for cannabis dispensaries. Altered operating hours necessitate an easy way to secure only a small section of a larger store.

If aesthetics are of concern inside retail shops, a woven metal mesh grille will provide both beauty and security without imposing looks while securing cannabis products as customers browse throughout the store. Manufacturers offer a variety of patterns and even logo designs as a way to bring more creativity to a grille’s aesthetics—making them rolling pieces of art.

Tip 4 – Secure Deliverables
Dispensary owners sometimes overlook the fact that thieves target deliveries. Deliveries that are made at the back of the store or in receiving areas may be the most at risk. It is of utmost importance to be aware of how deliveries are timed, who is present during them, and how the product is handed off.

Robust rolling service doors provide the best security for delivery entrances and are more secure than traditional rolling sectional doors. Made from slats of formed galvanized steel, aluminum or stainless steel, these rolling doors are completely customizable to meet existing building designs and are ideal for areas with limited overhead room.

Robust Protection
By closely evaluating the levels of security needed, the layout of the building and where deliveries take place, security updates and enhancements are easily implemented with the right rolling doors. Every door is made for a specific opening, so each one is custom-made for its application. Choose a knowledgeable manufacturer that will help determine which rolling closure suits the dispensary’s needs.

Due Diligence for Suppliers & Cannabis Supply Chain Partners

By Mark Slaugh
1 Comment

Between the patchwork quilt of rules and regulations that is the modern cannabis industry, products pass through many hands before being sold to a customer. From sourcing, cultivating, manufacturing, distributing and vending, the relationships between a licensee and their vendors/partners up and down the supply chain is complex and touches many stakeholders along the way.

While the focus on quality packaging, dope labeling, delicious ingredients and consistently potent cannabis is a priority for most companies, what often isn’t thought about is the liability in bringing these components together in terms of compliance.

Compliance responsibility falls on licensees as a direct term and condition of licensure within their state. To operate, licensees must maintain and be able to demonstrate compliance with a plethora of rules and regulations. Compliance is the name of the game in cannabis.

While most operators understand this, what most do not think about is how the compliance or noncompliance of their vendors affects their own liability.

Sharing Noncompliance & Liability

Supply chain partners are automatically segregated by whether or not they are plant touching licensees or not.

Licensees are the only entities in the supply chain that can be fined, administratively held, suspended, revoked or even arrested due to noncompliance. This fundamental nature means that supply chain partners are automatically segregated by whether or not they are plant touching licensees or not.

In the case of mutual licensees such as a manufacturer and dispensary, the liability for compliance falls on both entities. A single manufacturer that makes an error on labeling language or a cultivator using the incorrect containers both pass on their liability to any downstream partners.

iComply has seen regulators quarantine hundreds of products among multiple dispensaries who never checked the compliance of the supplying manufacturer. Surprisingly, most dispensaries don’t think of the liability passed to them amid hundreds of SKUs and multiple manufacturers and cultivators. Confounding the issue further is that everyone in the industry can interpret the same rules in completely different ways.

Assuming your supply chain partners are 100% compliant is a dangerous pitfall.

By not checking noncompliance from supply chain partners, operators accumulate evidence dating back years. Like METRC being off, these issues tend to snowball until they seem overwhelmingly difficult to handle. And it doesn’t just stop at labeling issues. Noncompliance can fall on all supply chain partners and be left in the hands of a licensee in a variety of ways.

Business partners like security contractors can often run afoul of regulations and put their licensed partners at risk.

Even worse, are supply chain partners who don’t have a motive to be compliant as they do not own licenses and often have a poor understanding of cannabis compliance. A packaging provider, marketing company, CBD provider, security company, vending machine providers, waste disposal companies and other commonplace suppliers and partners can often run afoul of regulations and put their licensed partners at risk.

Since regulators can only enforce the licensed entity, many states have made it clear that licensees are ultimately and fully responsible for any actions of noncompliance taken by third parties contracted by the company – regardless if they touch cannabis or not.

Areas of Common Noncompliance in Cannabis

Like a game of “Hot Potato” (worth millions of dollars), we’ve seen common noncompliance liability get passed down the supply chain in the following areas of cannabis operations:

  • Product liability
  • Packaging and labeling
  • Test result manipulation
  • Expired licenses
  • Input or ingredient defects
  • Inventory tracking errors
  • Recordkeeping and manifest errors

Some of these areas of noncompliance rely with non-licensed supply chain partners such as packaging, ingredients or third party printed labels. Often, these folks simply don’t know what they don’t know and make mistakes – not knowing the thousands of dollars they could be costing their licensed partner down the line.

Other areas in which compliance should be expected from licensed partners lies in product liability, test result issues, inventory tracking, manifests and recordkeeping. No one usually wants to be out of compliance and usually these issues arise from licensed partners who are simply confused, mistaken or ignorant to the requirements of ongoing and changing rules.

It’s hard to keep all of one’s suppliers and supply chain partners on the same page over the long run and amid a multitude of changing rules. But what you resist, persists…

Managing Compliance in the Cannabis Supply Chain

Nothing worth it is ever easy; but it is possible to identify common areas of noncompliance in one’s cannabis operation and supply chain partners and to do something about.

To identify problem areas, iComply recommends conducting regular auditing at a macro level; but to also dive deeper into micro level audits of all of one’s books and records (covering vendor files) and packaging and labeling for at least 12 months.

You don’t know what you don’t know, so one must begin by investigating and understanding where liabilities are occurring between themselves and their supply chain partners. Once valid feedback and noncompliance is discovered, it can be remediated.

Like triage, you have to stop the bleeding before you can prevent further injury.

Consistency in quality standards requires meticulous SOPs

It is always more expensive and time consuming to continue reacting to noncompliance and trying to fix issues after the fact. This is how snowball effects happen until the problems seem so overwhelming, operators tend to simply ignore the liability. While it is human nature, it is also extremely dangerous and detrimental when multimillion dollar licenses are on the line.

An ounce of prevention is worth a pound of cure –Benjamin Franklin

By implementing proactive compliance measures, cannabis businesses can avoid costly noncompliance consequences and position themselves as proactive checkpoints of supply chain compliance. We recommend integrating the following procedures, documents, training and tools into one’s operational compliance infrastructure:

  • New vendor checklist
  • Packaging and labeling checklists by product type
  • Virtual review of labels/non-cannabis packaging
  • Calendar expiration dates for licenses and products
  • Compliance auditing of key vendors and strong contracts regarding liability
  • Input product checklists and tracking as per GMP compliance

This snapshot is just the tip of the iceberg when it comes to the depths of liability a cannabis business is exposed to by its supply chain partners. To truly manage compliance, one must be aware of shared risk and implement proactive measures to prevent suppliers and supply chain partners from inadvertently affecting the operational compliance of your cannabis business.

Selecting Supply Chain Partners

There are plenty of fish in the sea and plenty of suppliers vying to do business with you. iComply has seen the good, the bad and the ugly. We’ve been on the front lines of developing markets like California where we warned our clients to steer clear of companies like Kushy Punch long before they finally lost their license for noncompliance.

control the room environment
Preventing contamination can save a business from extremely costly recalls.

We advise our clients on the importance of being selective and conducting due diligence in vetting supply chain partners and vendors. Most fundamentally, how aligned are the values of potential partners? Are they in the business for the same reasons you are? What brought them to the cannabis space? How do they value relationships and what do they know about compliance?

Too often when focused on price or speed, people miss the more important fundamentals of relationships. We serve as vetters for our clients whether they are shopping for a POS provider, a bank or a waste disposal company. Beyond the cultural alignment, the more objective questions begin to take shape in vetting a potential partner. This can differentiate between license holding and non-holding supply chain partners.

For plant-touching licensed partners, we recommend answering the following before entering into business partnerships that affect your supply chain:

  • Copies of licenses, contracts, and a catalogue of products
  • For products being selected, prior to ordering a sample, obtain a copy of the label by email first. Or an EMPTY sample of product packaging and labeling to vet against a packaging and labeling checklist.
  • Search news articles on the company and ask if they have had compliance issues before. Obtain documentation if there have been compliance issues previously.
  • Ask how they manage their compliance and prevent noncompliance down their supply chain. Do they train their staff? Do they conduct regular audits internally? How often do they update SOPs and reconcile inventory?

For non-plant touching partners, we recommend answering the following:

  • Obtain any certifications for quality assurance or in credentials for services.
  • Ask for references from other customers who have cannabis licenses.
  • Discover how familiar they are with the cannabis industry AND the rules and regulations in your market.
  • Ensure they have an understanding of how they impact your compliance. Discover how they plan on preventing areas of concern together.
  • Make sure they know you are ultimately responsible for noncompliance and understand what they are willing to do to protect you.

Ensuring accountability across the supply chain means selectively choosing partners who share the same values of integrity and professionalism. On more complicated deals, such as licensing IP or your brand to operators in new states or markets, we recommend that you mandate a compliance program that offers third-party validation to ensure the internal integrity of your partners. Too often, brand risk isn’t considered in the fast-paced expansion of the industry and operators must not only be vetted, but held accountable, when representing one’s brand and products.

For all intents and purposes, the wild web of the supply chain in cannabis is the industry. We are a collective of collaborators who all serve the goal of delivering high quality and safe products to cannabis consumers globally. For those committed to minimizing their risk to protect their profits, cannabis compliance is the key to success.

Ensuring accountability across the supply chain means selectively choosing partners who share the same values of integrity and professionalism. In doing so, the industry elevates its legitimacy and more effectively expands in a sustainable manner that protects all stakeholders involved.

Noncompliance affects licensees the most and they must be the most vigilant, but it takes a village to raise an industry. Compliance affects most everyone in the supply chain and the loss of any operator hurts the entire industry.

Important Security Considerations When Designing Cannabis Facilities

By Heather Bender
No Comments

The cannabis industry is growing so quickly that even COVID-19 can’t slow it down. Before the pandemic, the industry amassed $13.6 billion in U.S. legal cannabis sales in 2019 – a figure that is expected to more than double to $30 billion in the next five years, according to New Frontier Data.  In states where cannabis is legal for medical or recreational use, dispensaries have been deemed necessary, essential businesses – especially when it comes to calming stress and anxiety in our ever-changing times.

Cannabis legalization and newly budding dispensaries have expanded across the U.S., which may come with an unfortunate counterpart – a higher incidence of crime. Despite lower prices in states that have legalized cannabis, as compared to states where it is still illegal, theft has run rampant across grow operations, warehouses and, most often, dispensaries.

Heavy-duty security doors at the front of the dispensary block sight access and provide a visual deterrent.

Dispensaries can be targeted more frequently. Robbers may perceive them as an easy target, because they are businesses that have larger amounts of cash on hand. Many dispensaries only accept cash because payment processors and financial institutions aren’t willing to work with them. This is primarily because cannabis is still deemed an illegal substance under federal law, and the actions of financial institutions are governed by federal, not state, laws. Once the Secure And Fair Enforcement (SAFE) Banking Act is approved, cannabis businesses will be able to work more easily with banks, in turn reducing the amount of cash on site and erasing the dollar signs in opportunistic thieves’ eyes.

However, cash isn’t the only high thieves seek when they break into dispensaries. There’s also the product itself. Protecting it – and providing peace of mind to the facilities’ owners and occupants – is a concern for dispensaries, grow operations and warehouses. Robbers are motivated by the opportunity to make even more fast cash through reselling the product found onsite.

To eliminate such easy targets, security requirements for the cannabis industry are a necessity. They are also involved, complicated, and vary from state to state. A number of security specifications apply between state laws and local ordinances. Inventory must be properly surveilled and managed at all stages of transportation and storage. Any discrepancies in inventory can result in large fines and other penalties. To aid in understanding security compliances, the National Cannabis Industry Association (NCIA), a national trade association, recommends that start-ups obtain attorneys to guide businesses through their state’s laws and regulations.

This is why, especially for new business owners, it is critical to consider the best, most advanced security solutions – especially when it comes to doors and points of egress – that are easily integrated into buildings during the design phase. These solutions protect the products, properties, and people throughout the cannabis supply chain.

Understanding State Security Regulations
While there are no federally recognized security requirements for the cannabis industry, there are similar requirements across all states that have legalized cannabis, including:

  • Maintaining strict access control throughout the facility – this is especially important for grow operations and warehouses
  • Functional alarm systems
  • Documented standard operating procedures
  • Video surveillance systems – many states mandate very precise requirements, such as length of storage time and even video resolution specifications
  • Notifying appropriate regulatory agencies immediately or within a strict timeframe after a security incident or theft
  • Securing all records and record storage

While these are common, state-mandated security requirements, it is critically important to know and understand all rules, regulations, and laws concerning the industry within the business’s specific state. Making sure the business is compliant with all aspects of state laws for security and preventing violations, including the hefty financial penalties that can accompany them, is key.

States require cannabis facilities to implement sophisticated security features for several reasons. One of the most obvious is the fact that the industry supplies a high-value product and is a cash-intensive business. Integrating security features into the building can be a challenging task for architects and designers. To help tackle these challenges, manufacturers have introduced products to the cannabis industry, creating easier, more effective and aesthetically pleasing security solutions.

Integrated Designs For High Level Security
Security shouldn’t be a constraint when considering design aesthetics. Certain elements can be discretely tucked away, including cameras and security doors by way of specifying a concealed rolling door, conveniently disguised in the ceiling during operating hours. These doors can even close under alarm eliminating the need for manual intervention. Other security measures, such as bullet resistant glass, are hidden in plain sight.

Rolling doors like this one can be conveniently disguised in the ceiling during operating hours.

Untrustworthy employees, smash-and-grab thefts or meticulously planned heists mean secure building design is of the utmost importance. In order to have the most effective security, there needs to be design vision – a clear intent for incorporating advanced security into the facility, whether visible or not.

Suggested security measures include video surveillance around the outdoor perimeter of the property as well as inside the facility. Physical barriers, such as specialized entrance locking systems – including fingerprint-scanning biometric technology – and security doors that may also include intrusion detection and automatic closure systems are recommended. All systems may be paired with 24/7 visual monitoring by security personnel.

Many state regulations also require restricted access to specific areas within dispensaries, grow operations and warehouses, with employee names and activities logged for reference. These necessary measures aid in inventory monitoring and control, further reducing the likelihood of internal theft.

When specifying building security, it’s important for architects to consider what type of building they are designing. There are differences in providing security for dispensaries versus warehouses and grow operations. Dispensaries and storefronts are frequently out in the open and in locations that are well-known to consumers. Warehouses and grow operations are usually tucked out of the way, rarely publicized, and less noticeable.

Rolling Grilles And Doors Deter Dispensary Theft
With a high-value product and cash on hand, dispensaries in particular have unique security challenges. And because they are retail businesses, egress and fire codes must be strictly adhered to, in addition to special security regulations.

Rolling grilles can be an effective deterrent against dispensary theft

In light of this, security doors require special consideration. They are necessary to provide secure protection against theft but shouldn’t distract from the architectural vision of the building or interior design.

Rolling security grilles are the ideal solution to protect the counter inside the dispensary and may also be ideal for the front of the store. They fit in small headspaces where there is limited ceiling room and can be easily concealed when not in use.

Even heavy-duty rolling doors used to protect the glass storefront of the dispensary and prevent intruders from entering the building’s dock area can be hidden when not in use. If building code allows, architects may specify a rolling door that coils up into the door’s header, residing behind an exterior soffit. These robust security doors’ lift-resistant bottom bars also can be obscured from sight.

Heavy-duty security doors at the front of the dispensary block sight access and provide a visual deterrent. They give the building a secured look when in use, but heavy-duty rolling doors don’t need to be imposing to customers during the dispensary’s operating hours.

Robust Visible Protection For Grow Operations And Warehouses
Grow operations and warehouses usually opt for more visible security doors to deter criminal activity. They also have different design considerations because of building layout and production needs. For instance, larger grow operations house plants and supplies which require heavy equipment to move throughout the facilities.

A heavy duty steel rolling grille

Heavy duty rolling security doors can be made with up to 12-gauge steel with interlocking slats and tamper resistant fasteners – making them stronger than standard garage doors. They provide high-end security at loading docks and limit access to restricted areas inside.

Rolling doors can also be used to block employee access to off-limits areas common in grow operations and warehouses. Because they are heavily reliant on utilities and infrastructure, such as water mains and humidity and temperature controls, warehouses and grow operations are ideal applications for rolling doors. If unauthorized personnel with ill intentions access these utility areas, it could spell disaster with ruined crops and damaged or unsafe products – turning into substantial financial losses. From a design standpoint, these doors do not need to be concealed. In fact, their visibility signals restricted access areas and hints at the security measures taken to protect these facilities.

Enhanced Security Features
Whether designing a dispensary, a grow operation facility, or a warehouse, rolling doors may be paired with automatic protection features to enhance the building’s security and help workers feel safe. These automatic closing systems allow the security doors to be immediately activated by a building alarm or the push of a panic button in emergency situations. The doors also feature advanced locking systems – some of which are hidden in non-traditional locations – providing further tamper resistance.

Some rolling door manufacturers offer in-house architectural design groups to guide architects and designers in choosing the ideal security doors. These groups can address and solve any design dilemmas that arise during the project. Every rolling door is built to a specific opening, making each product unique to that area of the project. Because of this customization, manufacturers can meet virtually any specification.

Meeting Insurance Requirements
Selecting the correct rolling door along with other advanced security features aids in meeting insurance requirements. Each insurance company has individual minimum-security conditions in its policy. Many insurance companies will not provide theft insurance if cannabis businesses do not have adequate security or cannot demonstrate they have it.

Planning Leads To Integrated Protection
The technical and legal aspects of securing dispensaries, grow operations, and warehouses can be overwhelming and, at times, confusing. Legal counsel, state agencies, industry associations, and manufacturers encourage new cannabis businesses to use them as resources as they unravel the nuances of the industry’s security regulations.

By combining robust security features such as video surveillance, proper access controls, rolling doors or grilles and automatic closure systems, cannabis facilities can meet state and insurance requirements and deter theft. With thoughtful design consideration and planning, these security features also have the capabilities to seamlessly blend with interior and exterior design aesthetics.

The Cannabis Industry Sees Record Growth Despite Continuous Obstacles

By Jay Virdi
No Comments

Worth an estimated $54 to $67 billion, the bourgeoning U.S cannabis industry continues to grow at record pace despite conflicting state and federal laws that cause obstacles at every turn.

This conflict remains a source of uncertainty for retailers, cultivators and the general public. And, unfortunately, the palpable tug of war between the states and the federal government will only increase when legalization is introduced at the federal level, putting tax dollars up for grabs.

A tug-of-war between the states and the federal government makes it difficult for cannabis businesses to obtain bank accounts, insurance and investors. It also means additional security and compliance challenges. It is the reason that the cannabis industry is an unsupportive environment for start-ups and employees who face primitive or even dangerous R&D conditions in order to advance the extraction process.

As cannabis companies fight to grow their market share, many lag behind when instituting a proper risk management structure from R&D to daily operations. Cannabis businesses that haven’t incorporated risk management will need to in 2021, especially when seeking to secure funding from PE firms.

As the 8th fastest growing industry in the U.S., maturing at more than 25% annually, adult use and medical cannabis sales are unlikely to decrease anytime soon. Rather, experts predict continued growing pains – and gains – to shape the U.S. cannabis industry in 2021.

The COVID-19 pandemic will continue to increase the growth of the cannabis industry— with a few roadblocks

Deemed “essential businesses,” many retail outlets and dispensaries stayed open throughout the pandemic and adopted new ways of serving customers, from curbside pick-up to drive-through windows and deliveries. At the same time, the pandemic hindered growth for some cannabis operations on the cusp of obtaining a license, as many applications were put on hold when state offices closed their doors for months. In some cases that meant raised capital was pulled and funding ceased. For start-ups who are seeking to apply again in 2021, it’ll be an uphill climb.

As a result of routine COVID-19 inspections in 2020, state officials uncovered a host of other issues at cannabis operations, including improper labeling, poor health and safety practices, lack of PPE compliance by staff and customers, incorrect counting of cash and more. In extreme cases, these visits resulted in regulatory fines and shutdowns. This led to the need to use seed money for something other than the organization’s original mission. In 2021, these scenarios are likely to turn into lawsuits from shareholders and activate directors & officers (D&O) and employment practices liability (EPL) claims from laid-off workers. These accusations dovetail with another major charge often levied against cannabis businesses —lightning speed growth without the business operations and risk management protocols necessary to support it.

Many cannabis businesses have not procured the necessary liability insurance coverage for the great risk that come with rapid growth. Whether it’s D&O and EPL policies as in the case above, or cyber, property or general liability (GL) policies, it’s critical to think more holistically about insurance coverage. Cannabis operations need to work with an insurance broker who specializes in the cannabis industry and understands different operations and business location, as exposures vary greatly.

R&D extraction dangers lead to unique risks

extraction equipmentIn 2021, extraction will be a major focus for cannabis organizations. Operations will continue searching for a competitive advantage to increase yield and develop superior products. Cannabis extractors will experiment with new ways to apply existing laboratory methods utilizing ethanol and CO2 as well as innovative cultivation methods adopted from the agriculture industry, using water and light exposure and different nutrients. R&D becomes a potential liability when cannabis extractors modify the use of existing equipment for a different type of extraction. Flammable products are often required, and explosions can occur.

If you are considering experimenting with R&D, engage your insurance broker to ensure the risk is covered within your existing policies and to explore best practices for experimentation and varying equipment use.

Desire for more security both inside and outside the operation

A cannabis operation’s security risk is two-fold. In light of the looting and civil unrest across the U.S. this year, heightened security measures were necessary for cannabis businesses to secure their goods. Additionally, a common risk— employee theft —increased as well.

Cannabis retail operations maintain a large supply of cash and product. As looting occurred, it was impossible to relocate cannabis product away from retail storefronts as a majority of state regulations prohibit cannabis to be removed from retail facilities. Owners and operators who did so risked being fined for non-compliance or losing their license.

The majority of cannabis theft — as high as 90% by some estimates — is employee related. In many cases, employees in cannabis grow facilities and retail storefronts scheme to cheat employers. Part of the challenge is that state regulations require plant and production facility blueprints to be publicly available. Thieves are using these layouts to plot their infiltration. In other scenarios, cannabis operators are recording walk-throughs of their facilities and publishing online documentaries. These also leave operators vulnerable.

Employers can increase security by restricting access exclusively to employee areas, while also investing in better internal access controls. Conduct an audit of your work areas with your cannabis insurance broker who can provide you with a list of best practices and do’s and don’ts for reducing theft.

Complications continue in compliance, banking and financial services 

Even though cannabis is legal for medicinal or recreational use in 43 states, businesses still struggle to secure bank accounts, business loans and insurance coverage. Small local banks and savings and loan businesses may be more willing to engage with cannabis businesses in 2021, while large institutions will keep shying away.

At every stop of the supply chain, cannabis business operators need to be proactive when developing strategies to manage risk. That means implementing risk management protocols to protect their business, their workforce as well as securing the proper insurance coverage.

This also includes growing the cannabis business’ safety net by engaging necessary insurance policies, appropriate to the business’ size and exposure, including cyber, environmental liability and crime policies, or applying for emerging loan programs in an effort to secure additional capital.

Evolution of the industry into 2021 and beyond

While the cannabis industry is evolving and changing, much will ultimately remain the same in 2021. Even if the U.S. government takes steps to federally legalize cannabis, a bill would not go into effect until later in the year at best, more likely in 2022 or beyond. Until a bill is passed, cannabis businesses will look to remain viable beyond the state level. For all cannabis businesses, 2021 will be about building on what they’re already doing and preparing for what will hopefully come next.

Using Spreadsheets as Your ERP? Your Supply Chain Could Take a Hit

By Tom Brennan
3 Comments

The cannabis supply chain – from seed to sale – is rife with intricacies including regulations and compliance. It requires coordination from multiple vendors responsible for different aspects of the end product. And as the industry either grows or retracts, use of data is vital to right-size supply to demand, enhance operational efficiencies and boost cost effectiveness.

However, there’s an industry-wide, data-management vulnerability among many cannabis companies, and it’s this: many are using spreadsheets in different aspects of data collection, management and analysis. This becomes a shaky foundation on which to manage processes, especially for applications like quality management. And to be fair, it’s not just this industry, but arguably cannabusinesses have more on the line in light of the ever-changing regulatory environment.

Many cannabis companies have some systems in place for order processing, inventory management, production management and the like, but they often still use spreadsheets to fill the intelligence gaps among various systems that don’t talk to one another. Managing supplier quality often falls into one those gaps.

The Problem with Spreadsheets

Most businesspeople understand spreadsheets. They know how to build and use them. Spreadsheets are incredibly powerful tools that are used to run more business processes than perhaps any other software product in the world. When a cannabis business first starts out, spreadsheets offer an affordable data management capability. But there comes a time when the business will need a more sophisticated, end-to-end enterprise solution.

Consider a recent incident in which the use of spreadsheets went terribly wrong. The British Government recently misplaced nearly 16,000 COVID-19 test results due to an Excel spreadsheet error. As a result, potentially infectious people may not have been notified by contact tracers that they should self-quarantine.

Companies can outgrow spreadsheets quickly as their business grows

In the ERP space, spreadsheets have been an issue since the 90’s, but this recent incident serves as a reminder that an overreliance on spreadsheets is still alive and kicking. One of the problems is that spreadsheets are often pushed beyond their intended use. Microsoft Excel has become the software Swiss Army Knife. There’s a development environment inside the software, and the system is often used as a database, not just as a calculation engine.

Companies outgrow spreadsheets when the volume of data fields increase, multiple users need access to the data, iron-clad audit trails are needed and when processes become more complex.

There’s also a breaking point. Cannabis companies may enter a dangerous zone of “too many spreadsheets,” when data security and integrity are at risk. Interestingly enough, this also happens in large companies, as they often have a mish-mash of on-premises legacy systems, acquired systems and new cloud-based systems – and spreadsheets are then used as the data consolidation tool for all these applications.

Applicability to the Cannabis Supply Chain

Visibility into the cannabis supply chain requires detailed track and trace capabilities across many suppliers. Anything left out means guesswork and more opportunities for mistakes. In other words, cobbled-together spreadsheets are the last thing cannabis businesses should rely on. Aggregating data into a spreadsheet from various systems and paper-based processes invites errors and can result in insights that are weeks or months out of date. Worse yet, there’s no drilldown capability when questions arise and no easy roll-up of information for decision-making.

Modern cloud ERP software can integrate an entire supply chain with ease

When supply chain quality must be sustained, the role of a common and integrated cloud platform for quality and ERP cannot be understated. Such a platform can capture sales, operations, inventory and purchasing data, and also integrate with production and quality control. This makes your quality processes and data integral to ERP and eliminates the data fragmentation, control and auditability issues associated with spreadsheets. In addition, companies can leverage operational insights from data reporting and analytics to find areas where they can enhance productivity, optimize inventory, improve planning accuracy and build better forecasts.

Moving to the Cloud

Modern cloud ERP provides this type of seamless platform. It’s easier to implement and does not consume as many IT resources as traditional on-premise ERP systems. Better yet, the more recent versions of cloud ERP are built using low-code technology which enables business users to customize screens, modify workflow processes, build their own apps and embed AI without needing expensive IT consultants or waiting for busy IT staff.

In other words, the flexibility that’s been the lure of spreadsheets is now available in cloud ERP, but the system utilizes proverbial governance guardrails that keep business users from swerving off the road and completely wrecking the system. For example, templates for apps and workflows are provided as a starting point. Business rules and “drag and drop” customization capabilities offer guided options, clearly defining what can and cannot be changed.Rootstock will be presenting during the Cannabis Quality Virtual Conference episode, Supply Chain Quality, on October 27. Click here to learn more

And as a result, quality steps aren’t skipped; audit trails remain intact and data is protected with rock-solid security permissions and data backups. And unlike spreadsheets, new ERP systems are designed for multiple users and remote access via mobile devices. In short, with the latest generation of ERP, companies can leverage the best of both worlds – an end-to-end cloud platform that provides data integration across an organization’s operation and the flexibility and ease-of-use of spreadsheets.

Supply Chain Case in Point

One customer we worked with previously coordinated its supply chain via email and Excel spreadsheets. It cut and pasted requisitions into individual supplier spreadsheets and emailed those out, and it kept a master spreadsheet to keep track of all supplier performance. Team members had to sift through spreadsheet columns and rows to find information they needed.

Today with a cloud platform, the company built an online community so processes could be automated and conducted via real-time connection and communications. Another immediate benefit was the customized supply chain dashboard. All relevant data across their entire supply chain was displayed in one place and in a user-friendly manner.

The dashboard showed production forecasts over a certain period of time. The company could detect whether the supply chain was on track or having issues with certain suppliers. It could see planned requisitions and monitor them until fulfillment was complete. It could also monitor the performance of various suppliers, whether they had on-time deliveries or not – and trace back items received. The company essentially has a snapshot of the overall health of its supply chain and all the underlying activity.

Let’s face it. 2020 has been a difficult year, but perhaps it’s the year that companies finally forego spreadsheets and enlist an industrial-strength cloud platform.

3 Ways IP Security Cameras Can Help Cannabusinesses Comply with COVID-19 Health Requirements

By Jeremy White
No Comments

The cannabis industry, like many others, felt the effects of the stay-at-home orders issued in March in response to the COVID-19 healthcare crisis. While medical cannabis companies were considered “essential” in most states, many recreational dispensaries had to close their doors, or pivot to a curbside pickup operations model. According to the State of the Cannabis Industry 2020 report, following a two-week spike in mid-March, as consumers stockpiled product ahead of stay-at-home mandates, sales took a temporary downturn.

The industry rebounded in a big way, however. The report notes that, since April 20, cannabis sales have steadily increased, and are, in fact, up approximately 40% from 2019. But while medical and recreational dispensaries are now open to the public and thriving, it’s far from business as usual.

Like any other retail store, cannabusinesses must follow local- and state-issued health and safety mandates designed to prevent the spread of COVID-19. Complying with these new requirements can be difficult for business owners and management teams on a normal business day – never mind in today’s climate, where demand for cannabis products continues to soar.

Turning to Technology

With more health regulations to follow than ever before and stores experiencing a consistent increase in daily foot traffic, it’s no longer realistic to expect managers to manually monitor every employee and customer to make sure guidelines are met. For example, it’s difficult to manage social distancing within the store – but there are commonly lines outside of cannabusinesses, where social distancing and mask-wearing precautions also need to be followed. Wouldn’t you rather have managers spend their time on customer service and initiatives that will deliver business value, rather than spending time making sure people are following safety protocols?

Technology can help mitigate these new health compliance challenges – and you may even already have the solution deployed: Internet Protocol (IP) security cameras. Often implemented by businesses as a security tool, IP cameras are now also an effective way to ensure employees and customers are following health and safety protocols.

Most IP cameras are equipped with artificial intelligence (AI) that can analyze information in real-time and make split-second response decisions. In the context of health compliance, they can be trained over time to recognize when requirements are not being followed and immediately alert the appropriate managers. This means managers only need to address violations, rather than observing everyone all the time, and they can resolve compliance gaps as they’re happening. In other words, AI takes on the compliance burden for you. And, as an added bonus, many AI-enabled surveillance systems give managers the ability to pull up live video feeds from their smartphone, so they can conduct compliance checks remotely, at any time. This is especially helpful to managers covering multiple stores (suddenly, they can be in more than one place at a time!).

Here are three specific ways IP security cameras can help dispensaries and other cannabusinesses ensure compliance with COVID-19-prompted health guidelines:

  1. Social distance monitoring

Six-feet social distancing rules are now the norm across the U.S., and IP security cameras are able to measure the space around employees and customers to detect when the six-foot rule is violated. For example, some systems place a ring around each person, and the ring’s color changes when people come within six feet of each other. This capability can be helpful when trying to do things such as supervise the line to get into your store, manage your checkout queue, or monitor the distance between customers browsing in store aisles.You can use IP security cameras to create a healthier and safer work environment

  1. Occupancy management

In many states, organizations must follow orders that restrict occupancy to 50% capacity. Rather than having an employee at your front door tallying the number of people going into and out of your store, IP security cameras can do the counting for you. With this capability, you can control foot traffic and keep the number of shoppers within defined occupancy requirements – without having to allocate personnel to do the task manually.

  1. Face mask detection

AI-enabled IP security cameras can also help businesses comply with mandatory face mask orders. The technology can be trained to detect employees and customers who aren’t wearing face masks or other required personal protective equipment, and then alert appropriate management personnel.

A Dual Purpose – Security and Compliance

IP security cameras now have a dual purpose. Beyond simply helping organizations protect their premises from crime, they now also empower them to ensure compliance with health and safety requirements. You can leverage the technology to remediate compliance issues in real-time and demonstrate to public officials that your business remains in compliance with all health mandates. Most importantly, you can use IP security cameras to create a healthier and safer work environment – and, in these uncertain times, this is a certainty you can count on.

Cannabis Industry Journal

Cannabis Property Coverage: Understanding Risk Management & Communication

By Bradley Rutt
No Comments
Cannabis Industry Journal

For cannabis companies, property coverage can cost as much as seven to 10 times what traditional manufacturing and retail outlets pay. That is, of course, because of the inherent hazards involved in manufacturing and selling cannabis, in a difficult insurance market.

For landlords and building owners, taking in a cannabis tenant can be tricky as well. Because of the higher theft and manufacturing risks, many underwriters are unwilling to offer coverage. And, failure by a landlord to disclose a cannabis tenant is likely to result in a denied claim. Keeping property coverage in check by implementing risk management best practices and working to expand coverage and reduce premium costs can propel a cannabis business even further.  

Moreover, some landlords and building owners will require businesses to maintain occurrence-based liability coverage, which is harder to secure when running a cannabis operation. An occurrence-based liability policy is one that covers the renter for an accident occurring during the policy period, regardless of when a claim is made.

Instead, some insurance companies will only cover cannabis business’ high risks with a claims-made policy, or one in which claims must be made during the policy period only. Landlords will often stipulate their requirement for an occurrence-based policy in their lease. That means that cannabis businesses with a claims-made policy could unknowingly be in violation of their lease.

These issues and others have allowed landlords to command premium rent from cannabis business owners who find obtaining the right property coverage difficult.

To calm the rising tide of rent and property coverage costs, cannabis business owners and operators can engage in the following risk management considerations.

 Risk Management Considerations for Facilities with a Cannabis Operation 

Carriers are more likely to provide a policy to cannabis businesses that are doing what they can to minimize their risk. Here are six ways cannabis businesses can reduce their costs, minimize exclusions and obtain broader property coverage.

  1. If you are a retailer, have a plan to prevent or respond in the event of a robbery.
  2. Install and know how to use vaults and safes properly.
  3. Install central station alarms, cameras and other safeguards. Have them tied to your phone for easy access.
  4. Depending on the nature of the operations, install and regularly test fire sprinklers on site to make sure they are in working order.
  5. Consider hiring a third party, properly-insured, armed guard to safeguard your storefront on a regular basis.
  6. Institute industry-known best practices for high-risk manufacturing processes, like oil extraction.

Insurance Considerations for Facilities with a Cannabis Operation 

Risk management is critical to controlling risk, and insurance considerations can help your cannabis business obtain broader coverage and reduce premium costs.

  1. Communicate with your insurance broker.If you’re a landlord and you want to rent to a cannabis tenant, have a conversation with your insurance carrier at least 30 days before the lease begins. Even if you do, there’s a good chance that your carrier will issue a notice of cancellation (NOC) because they don’t want to engage with cannabis risk. On the other hand, if you don’t disclose the new tenant risk, should a claim be filed, it will could be denied, and the non-disclosure could cost you your policy.
  2. Engage a broker/carrier that specializes in cannabis.In such a volatile market, it is important to work with a broker and carrier that specialize in cannabis. This will enable hidden exclusions to be removed and help you procure the best policy and pricing possible for your organization.
  3. Tell your insurance “story.”Let the carrier understand your business and its risks by telling them your “story.” Tell them what your business does well, including current risk management practices and how you’ve been able to reduce claims. This will go a long way toward potentially minimizing premium costs and exclusions and obtaining broader coverage.
  4. Get another set of eyes. Most carriers will require a lengthy application from cannabis businesses in which the carrier may require the business to comply with certain requirements like having an approved safe or vault room. Your business will be held to the requirements stipulated in the application should you sign and submit it. Ask your broker or a reliable attorney to review the contract for anything you may have missed. Some carriers will incorporate the submitted application into the policy. Any changes between policy inception and a claim could cause coverage issues.

The fast-growing nature of the cannabis industry has ushered in a new set of challenges for business owners and operators. Keeping property coverage in check by implementing risk management best practices and working to expand coverage and reduce premium costs can propel a cannabis business even further.