Recently, one of the biggest names in cannabis, Metrc, has come under scrutiny following a lawsuit from a former-employee alleging that the nation’s largest seed-to-sale tracking software provider was actively involved in a conspiracy to allow for “illegal interstate” cannabis sales. The former employee, Marcus Estes, who worked as an executive vice president for a year at Metrc, alleged that the company did not identify questionable activity within its data to California state regulators despite having a $40 million annual contract with California requiring that they “flag irregularities.” 

Now we won’t dive into every detail associated with this lawsuit specifically, but we did think this is an opportune time to raise awareness about some of the risk cannabis business face when it comes to cybersecurity and what to do when technological procedures with the operations fail. 

Seed-to-Sale Compliance 

What does make this Metrc story particularly newsworthy is that of all the technological elements associated with a cannabis business, perhaps none are more essential to operational readiness than the seed-to-sale system. For those who may be unaware, seed-to-sale is more often than not a requirement for cannabis licensure and is essential for documenting and tracking cannabis from its plant form to its final product form on a dispensary shelf.

For any reputable cannabis business, having a compliant seed-to-sale system is crucial. But it’s not just about selecting the right vendor for your needs, but continuing to monitor the systems subsequently in place. This is a risk mitigating step that is often overlooked by current operators and can often lead to illicit activities—be it intentionally or unintentionally. From a compliance perspective it’s always recommended to: maintain constant oversight, perform regular check-ins and audits of the systems; and, be an active business when it comes to relations with the seed-to-sale provider while being sure to ask your vendor how they are addressing the most topical issues in the cannabis industry.   

Cybersecurity and Hacking 

In a poll from MJBiz Daily, 59% of cannabis companies said that they had not taken steps to prevent cyberattacks. Ransomware attacks are a constant in business operations these days, not just with cannabis. Recently companies and business as varied as DaVita, Kuala Lumpur International Airport, and IKEA have gone through the grueling process of dealing with malware attacks. Most notably, these attacks are on the rise with ransomware attacks increasing some years by upwards of 150% and the amount victims of said attacks also rising by more than 300%. 

Ultimately, one of the shrewdest and easiest steps a cannabis business can do to better address the risk inherent with hacking and cybersecurity is to address the culture of such and make employees more cognizant of the risk. As observed in another NCIA blog, “Any cultural shift at an organization needs to start from the top, and that includes security. Security culture needs to be driven from the top. Adopting proper policies and procedures to properly safeguard organization networks and personnel is key. This includes regular employee training. As many as 95% of attacks are caused by human error.” 

What to Do with Irregularities

There are countless “irregularities” which can occur in the realm of cybersecurity. But what exactly can one do to address those and bolster their own risk management strategies? The first, as mentioned earlier, is to make sure the business has a culture which understands the inherent risks of cybersecurity and technological failures. This involves having robust policies and procedures, training which occurs at the time of hiring new employees and annually, and offering anonymous reporting structures. 

Additionally, it’s vital to invest in security hygiene. This includes multi-step authentication, cybersecurity specific trainings and guides to address phishing or smishing, and reviewing best practices with vendors used. And when such security issues arise, what is one to do? When in doubt, raise concerns up the proper channels within your business. Be sure to document the irregularities thoroughly, including with timestamps. If necessary, discuss matters with legal counsel and be sure to notify the necessary state agencies too. 

Ultimately, the risks for cybersecurity are high for any business, but are even higher for a business such as one in cannabis which relies on technology for operational compliance and has less vendor options available than other businesses to work with. Finding the best—from vendors to employees to SOPs—is essential for good, smooth, and compliant practices.