The enthusiasm towards the marijuana industry is palpable. The cannabis space is growing at a remarkable pace and both voters and legislators are going through the slow process of adapting laws to make room for the industry in the mainstream. However, it is easy for a marijuana company to get lost in the enthusiasm and lose sight of the bigger picture. The reintroduction of cannabis into the mainstream at this time, an era where technology is advancing at a speed most people are challenged to keep up with, presents risks any cannabis entrepreneur should stay current with on a consistent basis. These are the sorts of risks that only the proper marijuana insurance policies may be able to cover. Many companies may feel they have solved their cyber security problems by having anti-virus software throughout their network of company computers. But, many cyber attacks have little to do with the vulnerabilities present in a computer, but instead with the users of the computers.
Recently, the SEC issued a warning to mainstream publicly traded companies that they will soon have little tolerance for negligence in maintaining cyber security. While the advancement of technology is swift, companies have now had decades to become accustomed to electronic financial transactions and the criminal efforts to fool companies into making deposits into fraudulent accounts. Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934 (“Exchange Act”) requires that companies “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management’s general or specific authorization,” and that “(iii) access to assets is permitted only in accordance with management’s general or specific authorization.”
In the SEC report, none of the companies referenced, which lost nearly $100 million in total to cyber fraud, were found to be guilty of negligence. However, the report is a clear warning by the SEC to these companies and others, that anything but the strictest protocol for tracking transactions will be sufficient for publicly traded companies moving forward in order to protect investors. Hardly any of the funds stolen from these companies were recovered. To have a reparation filed against a company by the SEC for negligence in accounting controls on top of losing millions of dollars would scare shareholders away. The incidents referenced in the report involved the simple use of email. In some cases, an email address was created that looked like an official request for payment from an executive at a vendor. On the surface the email may have looked official, but employees working in processing plainly rushed through their tasks without reading emails thoroughly, or they would have likely identified discrepancies. The other cases involved hacking into company email accounts and manipulating financial ledgers. The criminals blended future transactions into the their look-alike vendor accounts with legitimate future transactions. The SEC’s point should be well taken. The stolen funds were ultimately due to the fact that the companies were not following their own sets of checks and balances and failed to identify the scams, when a diligent eye would have caught them.
Now, if we take a look at the cannabis industry, the vulnerabilities to these sorts of attacks seem obvious. Cannabis companies have much more to track on their own due to the federal Schedule 1 status of marijuana. A marijuana business does not have the benefit of bank record keeping to track transactions since most banks refuse to accept the funds of a cannabis company in fear of violating anti-money laundering laws. Granted, cyber attacks like the ones identified in the SEC report rely upon electronic transactions, therefore a cash business would not be the target of this specific sort of cyber crime. However, as long as a criminal can isolate a flaw in a company’s tracking of financial transactions, they will see an opportunity to steal. Should the federal government look to legalize cannabis, and banks do start accepting the funds of the marijuana industry, then cannabis companies may be the biggest target of all. Phases of transition are where mistakes are most likely to occur, and hackers know it.
Tracking products all the way from seed to sale is not only happening in the cannabis industry. With the creation of blockchains that are commonly associated with cryptocurrency, comes a means to create verifiable ledgers for all sorts of transactions that are not centralized and therefore are not as easy to hack. So, if you want to know that you are eating a tomato grown on a certain farm in the United States, the tracking system can confirm where the tomato was grown and where the seed came from. To do this, a strict log of all transactions must be kept and quickly verified by third parties. Any discrepancy in that log throws up red flags and any fraudulent transactions can be rooted out quickly. It is this sort of organized tracking that is the way of the future and intended to eliminate these very sorts of fraudulent cyber attacks. While the advancement of technology provides new and different opportunities to steal, it also provides solutions.
The unfortunate incidents cited by the SEC in their report shows that human involvement is still very necessary when it comes to accounting and logging transactions. It is necessary for all protocol to be be followed exactly on a consistent basis in order to prevent these sorts of breaches that can result in the loss of millions of dollars. Computers are nothing without people still, which means that human error will continue to be a factor. However, cyber security or data breach insurance for a marijuana company can counter those financial losses. It is up to the pioneers of the cannabis industry to set the standard, once marijuana goes completely mainstream, by recognizing cyber threats and continuously staying updated on new threats. Things are happening fast, and should marijuana become rescheduled or even descheduled, then a multi-billion dollar industry will suddenly be thrust upon the banking sector. Clever criminals will identify this transition phase as a time when sloppy accounting and other slip ups are likely to happen leaving cannabis companies vulnerable to cyber attacks.
Eric and David Rahn of S2S Insurance Specialists understand these cyber risks well. With over two decades of working experience in mainstream business and watching technology advance at such a rapid pace, they can help you understand the cyber security risks of your marijuana company. They can review with you the cannabis company data breach policies that would most benefit your company. Contact Eric and David Rahn, the cannabis insurance specialists, for more information.