for the Cannabis Industry March 7 2019 About Chris Marquet President of Investigative Services for SunBlock Systems and practice leader for the CRA based in Mass 35 years experience in the Risk Mitigation Industry including international investigations amp security consulting sp ID: 785686
Download The PPT/PDF document "Security Considerations" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Security Considerations for theCannabis IndustryMarch 7, 2019
Slide2About Chris MarquetPresident of Investigative Services for SunBlock Systems and practice leader for the CRA, based in Mass.
35+ years experience in the Risk Mitigation Industry, including international investigations & security consulting, specializing in employee misconduct, fraud, integrity due diligence, & special fact finding missions.
Nationally recognized speaker & author on risk issues
Slide3About Cannabis Risk AdvisoryCross-disciplinary teams of former law enforcement and retail/manufacturing security & financial experts devoted to customized, innovative, cost-effective, and sustainable solutions.
Counsel and train organizations on how to strengthen their security, develop and implement privacy and data protection programs, and comply with applicable regulations.
Understanding of enterprise risks, including those involving personal information and safety, financial, physical, and cyber risks.
Slide4What are the Risks in the Cannabis Industry?Same as most industries but orders of magnitude greater:Legal & Regulatory Environment
Physical Security & Inventory Control
People Issues
Information Security & Cyber Risks
Financial
Controls
Slide5Cannabis Security Similarities with Other Businesses:Early DetectionReal Time Alerts
Protect Highest Value AssetsTake Storage Seriously
Strong Access & Perimeter Security (Locks, Fences, Walls, Cameras, etc.)
Inside Jobs More Likely
Strong Password/Security Codes & Protocols
Create Culture of Compliance
Slide6Legal & Regulatory ComplianceStates with legal cannabis require security plans & vetting. In Mass, for example, basic requirements:Access controls
Video monitoringInventory controls
Transport & storage security
Incident reporting
Crisis plans
Security audits
Staff vetting (background checks)
Slide7Physical Security & Inventory ControlBasic requirements:Secure building/facility
Access controls – locks, identification requirements, limited access areas
Video monitoring
Security officers
Inventory controls – diversion controls, storage & destruction security & reporting
Cash controls – safes/vaults
Transport security & controls
Slide8Inventory ControlSeed to Sale Tracking:Software program & RFID tags
Tagging plants & packages (tags are onetime use)Plant stages tagged
- immature,
vegetative & flowering
Batch numbers assigned in harvesting & curing process
Packaging tagged
Data entered into system at each stage – CCC monitoring & audits
Slide9Security Risks – Some HeadlinesFive arrested in Woodland with nearly 200 pounds of stolen marijuana, Sacramento Bee, 2/19
North Bethesda Cannabis Store Broken Into…,
Bethesda Magazine
, 2/19
Felonies
filed in case allegedly involving assault and theft of
marijuana,
Aspen Daily News
, 1/19
Cannabis Delivery, Theft,
Battery,
Oswego Patch
, 1/19
Marijuana
dispensary owned
robbed
,
Detroit Free Press
, 12/18
Bong thwarts attempted robbery at pot dispensary,
New York Post
, 9/18
Employees assaulted and tied up during marijuana grow robbery in Monterey
County,
KION Ch. 5
, 7/18
Man sentenced to probation in $428k pot
thefts,
Mail Tribune
, 1/18
Slide10People Issues“In any organization, at any time, there is always someone who is up to no good…” - C. Marquet axiom
Slide11People Issues – Some HeadlinesThe collapse of this cannabis stock offers a valuable lesson to every investor, Marketwatch, 11/18 (India Global Capitalization)
Police: Employee stole cannabis goods from Framingham lab,
Metrowest
Daily News
10/18
Former Berkeley cannabis official sentenced to 3 years in prison for money laundering, Daily Californian, 11/17
Scott Pack Indicted in Colorado Pot Biz's Largest Fraud Case Ever,
Westword
,
6/17 (Harmony & Green)
Colorado
pot shop employees accused of
embezzling,
The
Cannabist
, 2/17
Eureka insurance broker accused of embezzling cannabis business’
payments,
Times Standard
, 1/17
Slide12People Issues – Background checksLegal states require background checks on everyone – all employees, plus board members, capital contributors, volunteers & consultants
For Massachusetts, background checks must include:1. A Criminal History Search, including county, state, federal, international records for the past 7 years, for instances of: a. Conviction; b. Guilty Plea; c. Nolo Contendere; d. Admission to sufficient facts; and e.
Pending
charges
2
. Professional License Verification;
3
. Marijuana Professional License Verification/ Industry Compliance Check;
4
. Restricted Parties Search;
5
. Civil History Search;
6
. 7 Year Sex Offender Search;
7
. NPDB (National Practitioner Data Bank);
8
. FACIS (Fraud and Abuse Control Information Systems; and
9
. Media/Social Media
Slide13People Issues – Enhanced Integrity Due DiligenceCheck out not only employees, execs & investors, but vendors and other affiliated businesses
Lookback to college yearsOnsite criminal searches
Multijurisdictional searches
Comprehensive civil searches
Financial red flags
Relationship
vetting & corporate affiliations
Interviews
Beyond traditional & social media - Deep & Dark Web Searches
Slide14Information Security & Cyber RisksInformation governance policies & procedures
Identifying and segmenting confidential informationEmployee information, HIPAA information, other customer info
Network design and implementation
Security testing and ongoing monitoring
Cyber risk assessment
Penetration tests
Monitoring products
Advanced firewalls and security measures
Encryption
Multi-Factor Authentication
Employee training
Enforcement
Slide15Almost all compromises occur due to human factor:Clicking on malwareDivulging access credentials
IT team configuration errorTheft of proprietary data (internal & external threat)
Security is a chain that requires all links to be strong:
People
Process
Systems
Slide16Financial Controls & AML
Slide17Financial Controls & AMLFrom the Cole Memo, 8 key guidelines relating to Cannabis:Preventing distribution to minorsKeeping proceeds out of the hands of gangs and cartels
Stopping marijuana from crossing state linesNot letting marijuana be used as a cover for other illegal activities
Preventing violence and the use of firearms in cultivation and distribution of marijuana
Preventing drugged driving and other adverse health consequences
Not allowing marijuana to be grown on public lands
Preventing possession or use on public property
Slide18Financial Controls (cont.)In 2014, for the first time, DOJ acknowledged that violation of the Controlled Substances Act (and the 8 guidelines) had implications for money laundering and the Bank Secrecy Act. This laid the foundation for
guidance from Financial Crimes Enforcement Network (FinCEN).
Slide19FinCEN Guidance:Know Your Customer (KYC) is criticalThree types of Suspicious Activity Reports (SARs) to file:
Marijuana limited SAR The bank reports that business doesn’t violate any of the guidelines.
Marijuana priority SAR
If DOJ priorities have been violated, or business not in full compliance with state law requirements, then it files a SAR that identifies the wrongful activity.
Marijuana
termination
SAR
Though the business may be operating in compliance with state law and satisfying all 8 priorities, a bank might not feel comfortable maintaining a relationship with the business, “in order to maintain an effective anti-money laundering program
.”
Also, FinCEN identifies these red flags: Activity or revenue inconsistent with the business or its competitors
Excessive cash deposits or withdrawals
Structuring
Rapid
movement of
funds
Deposits
by third parties unrelated to the business, excessive commingling of funds with other accounts of the
owners
S
udden
surge in activity.
Slide21Federal RegulationsDespite decriminalization or legalization in over 36 states:Still illegal at Federal levelHemp now legal; CBD FDA hearings taking place
Banking not yet approved for all services/suppliers
AML an issue because MJ still predominantly cash business
3 Tiers of
FinCEN
reporting for MJ
Slide22State Regulations (MA)Marijuana is legal for people 21 and older.
You can’t use marijuana in any form (smoking, vaping, edibles, etc.) in public or on federal land.
You can have up to 1
oz.
on you and up to 10
oz.
in your
home.
Grow up
to 6 plants in your
home
(12
plants for 2 or more
adults).
More than
1
oz.
of marijuana in your
home: must
be locked up.
No
open container
in your
car while on the road or at a
public place.
It’s
illegal to drive under the influence of
marijuana.
Slide23Thank you for joining us today.
Chris Marquet can be reached at
cmarquet@sunblocksystems.com
or
617-733-3304