Three Threats That Can Harm a Cannabis Business: Cyberattacks, Fraud, and Non-Compliance

By Mark Bednarz, CPA, CISA, CFE, Partner

Board members and company executives know the importance of preserving an organization’s reputation and taking action to safeguard it from threats. Having a positive image can help drive value for a cannabis business. Conversely, news of a negative event can spread like wildfire and require management to implement costly crisis management procedures to deal with the aftermath.

Failure to properly respond to events in a timely manner can adversely impact investor value and quickly erode customer loyalty. These three threats can put management’s business strategy on hold: cyberattacks, fraud risks, and non-compliance with federal and state laws and regulations.

Cyberattacks

The overwhelming number of cybercrime incidents has forced companies to evaluate their information technology environment from a security and resilience standpoint. There are a number of attack vectors that can result in a cybersecurity breach, which can lead to unauthorized access to sensitive information and even the extortion of payment (e.g., ransomware demands). Management and those responsible for the information technology function must work together to develop a cybersecurity risk program, identify the different threats they may face, determine what mitigating controls are already in place, and address the gaps that exist. Due to limited IT staff and the complexity of the IT environment, management should consider using a firm that can support the company’s IT security needs.

While organizations implement policies, procedures and technology solutions to harden their network and systems, employees tend to be one of their weakest links. Providing periodic security awareness training and conducting simulated phishing campaigns are two inexpensive, yet effective, ways to arm employees with the knowledge necessary to combat these threats and the understanding of how their actions can create business vulnerabilities.

Fraud Risks

Given federal guidelines regarding the cannabis industry, most financial activities occur outside of the banking system. As a result, the cannabis industry has a high reliance on cash transactions, which significantly elevates the level of fraud risk because a “bad actor” ‒ such as a rogue employee ‒ can access the funds of the business. Incidents of fraud can have both a financial and reputational impact on a business because the amounts lost may not be recovered and investigations are costly, disrupt operations, reduce customer trust, and distract management.

Establishing an effective internal control environment can help deter fraud from occurring. A fraud risk assessment should be performed and reviewed annually, unless there are changes to the business strategy, staffing, processes, and technology that warrant more frequent updates. In performing this assessment, the company should involve process owners from different departments to brainstorm the different fraud schemes that could occur by function or process, identify where control gaps and weaknesses exist, and determine what changes are required.

Leveraging the Integrated Framework for Internal Controls of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission provides a structured, principles-based approach to implementing internal controls within an organization and considers the financial, operational and compliance elements. While “bad actors” will always find new and creative ways to commit fraud, applying the 17 COSO principles to the company’s internal control environment can increase the likelihood that fraud can be prevented or detected.

Non-Compliance with Laws and Regulations

Maintaining compliance is important in the cannabis industry and management must deal with a plethora of requirements, such as strict accounting rules, seed-to-sale tracking, and federal and state laws and regulations. In addition, accountability, data integrity, and dependence on service providers are other factors that increase the complexity of adhering to applicable legal and regulatory guidelines.

According to Allison Kopf, Founder and CEO of Artemis, “Compliance in the cannabis industry is a way to demonstrate accountability to consumers. When you protect your customers, you protect your business. In this rapidly shifting regulatory environment, tomorrow may bring completely new compliance concerns. Creating a robust compliance program with a process for handling regulatory uncertainty strengthens the stability of your operation.”

A compliance program should be designed to establish a culture that promotes prevention, detection and resolution of conduct that does not conform to government regulations as well as each company’s own policies and procedures. Establishing a “three lines of defense” model can help structure an effective compliance and risk management program, which senior management and the board should oversee. Under such a model:

  • Operations Management owns and manages the compliance program.
  • Risk Management, Compliance and Legal departments oversee the process.
  • Internal Audit provides the independent assessment as they review the different auditable areas.

Recap

Sustaining a strong governance posture and an effective internal control environment is essential to cannabis businesses that operate in a cash-centric, high-profile industry that is subject to the forces of change and the watchful eye of federal and state authorities, and that draws the attention of the media and other interested parties. Business owners, the Board and management should be mindful of the need to combat cyberattacks, remain compliant with applicable laws and regulations, and prevent fraud. They should take advantage of the feedback provided by the independent assessments performed by a company’s external financial statement auditors, cybersecurity specialists, internal auditors, and risk management specialists.

Staying focused on managing risk is critical to overall business success. 

Reprinted With Permission of PKF O’Connor Davies

Mark Bednarz

Mark Bednarz is a Partner and the leader of the Risk Advisory Group of PKF O’Connor Davies. He combines more than 20 years of public accounting and Fortune 500 experience and expertise in attestation and consulting services for a variety of industries.

Mark’s extensive experience includes internal audit, board governance, business reengineering, forensic accounting, system implementations, compliance, Sarbanes-Oxley consulting, IT audits and governance, service organization control reporting (SOC), attestations and risk assessments.

He is a frequent presenter, training evaluator and webinar leader on subjects related to governance, risk and compliance for several professional organizations. Mark also serves as an author and contributing editor to articles that appear in professional newsletters and other publications. Mark can be reached at [email protected].
