Check out the latest blog highlighting security issues important to cannabis security!

In this blog series, our Executive Director Ben Taylor highlights a selection of cybersecurity, physical security, health or natural threat related stories relevant to the cannabis industry.

Physical Security

Cannabis Security Town Hall- Tuesday March 1

The Cannabis ISAO is pleased to welcome an expert panel of seasoned cannabis industry and law enforcement professionals as we discuss the current physical security threat landscape in the industry. From armed robberies and vehicle rammings to smash-and-grab caravan-style crimes, the industry has been seeing an increase in these incidents, which not only impacts business bottom lines but also puts employees, customers, and community safety at risk. In this session we will discuss best practices for physically securing our cannabis facilities, and we will also examine the ways in which the industry and law enforcement can most effectively work together both to prevent these crimes and to investigate those which have already occurred.

Panelists:

  • Terry Blevins- CEO, Armaplex Security
  • Alphonso “Tucky” Blunt Jr.- Owner, Blunts & Moore
  • Debby Goldsberry- CCO, Hi Fidelity
  • Captain Wingate, Lt. Thomason- Oakland Police Department

We hope that you will be able to join us on Tuesday, March 01 from 6:00 – 7:00 PM ET. If not, the session will be available to view on-demand after the session concludes. Register here.

Additional headlines related to cannabis business robberies include:

A Truck Caravan With Far-Right Links Heads to Washington, D.C.

Washington D.C. issued an alert Tuesday as officials brace for an expected caravan of trucks arriving in the nation’s capital to emulate the anti-mandate trucker protests in Canada. “Layered mitigation measures are being put in place, including some that will be visible to the public and others that are not,” the alert states. “We appreciate the approval of our DC National Guard traffic support request as we pull together the resources to support our public safety personnel.”

Several different convoys of trucks are expected from across the country to be headed to the city but it isn’t clear how large the turnout will be, or when the protesters will arrive. Some trucks may arrive as soon as Wednesday while others may arrive to coincide with President Joe Biden’s State of the Union speech next week. The People’s Convoy website shows a current route with planned stops culminating with an arrival at the D.C. beltway on March 5.

According to the official press release, “The People’s Convoy will abide by agreements with local authorities, and terminate in the vicinity of the DC area, but will NOT be going into DC proper.” For those members with operations in the D.C. Metro area (particularly inside the beltway), it would be advisable to check with local authorities to gain an understanding of what they have been told in relation to the convoys. That will help inform situational awareness, and potentially assist in identifying suspicious or concerning activity that is outside of what the convoy organizers have coordinated. As with any mass gathering, the convoy offers the opportunity for violent actors to use the event for cover as they seek to conduct hostile events. Signs of RVs, campers, water tanks, and portable toilets could all indicate that the convoy plans to remain in the D.C. area for an extended period of time.

Organizations that identify suspicious activity in relation to the convoys are encouraged to report it to the proper authorities. As a significant blockage of the beltway could prevent organizations from receiving deliveries, either from a lack of access or a lack of truckers willing to “cross the line”, cannabis businesses in the area are encouraged to review their on-hand supplies and, where possible, to consider keeping additional supplies on hand and perhaps scheduling deliveries for before 05 March to avoid supply chain disruptions.

Some links of note for The People’s Convoy include:

Additional Trucker Convoy headlines include:

TLP:GREEN Criminals Extorting Medical Professionals by Impersonating Medical Licensing Boards and the FBI

We have loaded into our Cannabis ISAO Slack Workspace an FBI Liaison Information Report (LIR) which was developed by the FBI New York Office, in coordination with the Office of Private Sector (OPS). The report documents a scheme in which criminal actors have called licensed medical professionals to imply that the professional’s license has been connected to a criminal investigation. This document would be good for any licensed medical professional who operates in the realm of cannabis to review.

The criminal actors claim to be from licensing boards or the FBI, indicate that the professional is a subject of a drug trafficking or money laundering scheme, and request that the professional pay a “bond” in the tens of thousands of dollars. The money is then remitted overseas. The report outlines three instances, two in Texas and one in New York, that occurred between January 2021 and September 2021. If you do not yet have access to our FREE information sharing Slack workspace, you can request it here.

Duty of Care in the Cannabis Industry

In today’s climate, businesses worldwide face serious security threats nearly every day. This means investing in physical security for the protection of employees, as well as company assets, is critical in order to remain prosperous. As such, leadership teams must prioritize risk assessment to identify their current vulnerabilities and potential hazards and provide top-tier employee safety. This article reviews the following considerations that cannabis companies are advised to review:

  • Crime and theft
  • Workplace safety
  • Regulations

Cybersecurity

ESG Risks for Cannabis Companies Will Impact Directors and Officers

Corporations are increasingly responding to environmental, social and corporate governance (ESG) concerns, driven by evolving public sentiment and investor demands. This has taken the form of corporate pledges of action on ESG issues, sometimes from the directors and officers (D&Os). Cannabis companies have been trailblazers on social equity, inclusion and environmental issues, highlighting their importance long before ESG gained traction in the wider corporate world. Despite its well-intentioned words and actions, however, the cannabis industry is not free from potential ESG-related exposures that may lead to additional risks for cannabis executives in the years to come.

According to Lexology, “Cannabis companies also have been subject to litigation for cyber breaches. In Warshawsky et al. v. cbdMD, Inc et al., a class action was brought by customers who purchased CBD products from cbdMD Inc and had their personal information compromised when cbdMD suffered two cyber-attacks on its e-commerce platform in the spring of 2020. As alleged in the complaint, the breaches occurred as a result of cbdMD’s failure to implement reasonable security procedures and practices appropriate to the nature of the information they collected from customers. This case was settled in March 2021.

Other cyber breaches have impacted the cannabis industry, such as the data breach involving Sunniva, a cannabis company in Canada, and the unsecured database belonging to THSuite, a point of sale software platform used by many cannabis businesses. While these actions did not name the D&Os, there have been a number of data breach lawsuits where D&Os have been named, including recent ones in 2021 involving T-Mobile, Ubiquiti and 360 DigiTech.”

In addition to the items mentioned above, we outlined last year an incident where a cannabis cultivator was the victim of a ransomware attack. If cannabis organizations are unsure of where to start with their cybersecurity, CISA has a great resource called the Cyber Essentials Starter Kit. We reviewed the resource in a recent blog.

Russian Forces Capture Chernobyl Zone, U.S. Officials Fear Kyiv Could Fall Quickly

Senior U.S. government officials believe Ukraine’s capital could fall quickly to advancing Russian forces, according to details of a phone call they had with congressional lawmakers Thursday evening. Ukrainian President Volodymyr Zelensky says “enemy sabotage groups” have entered Kyiv, the capital, as Russian forces close in.

In the wake of Russia’s unprovoked attack on Ukraine and rising geopolitical tensions, which have been accompanied by cyber-attacks on Ukrainian government and critical infrastructure organizations, there may be consequences to U.S. and allied organizations and infrastructure. This is a potential risk we have been warning about in recent months, and we would like to remind our partners to remain vigilant. While there are no specific or credible cyber threats to the U.S. homeland at this time, CISA urges organizations to “remain cautious of the potential for Russia’s actions to grow beyond the region, given recent sanctions imposed by the United States and our Allies.”

A recent message from the Cybersecurity & Infrastructure Security Agency (CISA) indicates that the agency stands “ready to support our public and private sector partners and is monitoring the threat environment 24/7 to determine potential risks to the U.S. homeland.” CISA has recently created a new webpage with the latest guidance on how organizations can adopt a heightened posture when it comes to cybersecurity and protecting their assets, and encourages all organizations to review and take advantage of the following resources:

  • Shields Up – CISA launched a new Shields Up webpage that provides actionable information on urgent steps to harden systems given the heightened threat environment.
  • Pro Bono Services – CISA recently launched a new catalog of free cybersecurity services from CISA, the open-source community, and our private sector partners in the Joint Cyber Defense Collaborative. The catalog is designed to help under-resourced organizations improve their security posture.  
  • Mis-, dis-, Malinformation (MDM) – CISA released a CISA Insights titled, Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure, which provides critical infrastructure owners and operators with guidance on how to identify and mitigate the risks of influence operations using MDM narratives from steering public opinion and impacting National Critical Functions and critical infrastructure.