Robust compliance, security planning nonnegotiable for licensed cannabis businesses

This year promises to be a landmark year for adult-use cannabis in New York State, as state regulators at the Cannabis Control Board (CCB) and Office of Cannabis Management (OCM) seek to transition the existing conditional market into the fully functional permanent licensing structure set forth in the Marijuana Regulation and Taxation Act (MRTA).

In 2022, the CCB awarded the first conditional adult-use licenses to 200-plus cultivators and 30-plus processors—all licensees under the state’s cannabinoid hemp program—who began growing the first cannabis crops and manufacturing the first adult-use products.  Further, the Empire State’s first conditional adult-use dispensary opened in late December 2022, with an expected 149 more coming online in 2023.  Finally, with the OCM expected to finalize adult-use regulations that define permanent licenses by mid-2023, New Yorkers will have never before seen access to adult-use cannabis products and the businesses that comprise the market.

Yet, as the OCM and CCB continue to build out the adult-use market, first-time cannabis entrepreneurs and experienced operators alike face a challenging road ahead.  Two of the most notable challenges that initial licensees face are (1) abiding by all compliance requirements posed by state regulators, and (2) maintaining robust security measures. These categories are addressed in turn below.

Compliance

Given its status as a federal Schedule I illegal substance under the Controlled Substances Act, state-licensed cannabis businesses are already under the microscope as any slip up could potentially run afoul of Federal cannabis laws and trigger the jurisdiction of the federal government. To insulate its operators, state regulators, including the OCM and CCB, have developed intricate compliance regimes that ensure licensees are operating above board in all aspects of their businesses.

Indeed, the New York State regulatory landscape is loaded with recordkeeping and document submission requirements that are enough to keep even the most experienced operators on their toes.

For example, OCM requires the following base level compliance documentation for its conditional processor licensees:

• Architectural diagrams and floorplans of the entire licensed premises;
• Certification by an architect that the licensed facility complies with the 2020 NYS Stretch Energy Code;
• Annual benchmarking of energy and water usage;
• A written sustainable packaging plan that lists the total amount of packaging material by weight, sold, offered for sale, or distributed into the state in the prior calendar year;
• Written plans for the handling, storage, and disposal of waste;
• Financial records maintained in accordance with generally accepted accounting principles;
• Personnel records, including each employee’s full name, SSN, date of employment, and evidence of a background check;
• Mandatory training and records of the same for each employee;
• Maintenance and availability of all contracts dealing with licensed activities;
• All advertising and marketing materials;
• Standard operating procedures, including a product quality plan;
• Lab testing results for each lot or batch of cannabis product produced;
• A business code of ethics and
• Polices demonstrating diversity in the workplace.

License holders must also send in periodic submissions to the OCM to certify ongoing compliance and are subject to periodic inspections and audits, whether scheduled or not.

Should an operator run afoul of any of these requirements, it risks either suspension or outright revocation of their license.  And that’s just for conditional licensees.

Security

As it stands, with no SAFE Banking Act passed in Congress, adult-use licensees in legal markets across the country are required to largely deal in cash.  News of recent smash and grabs at dispensaries or break-ins to state-licensed growing facilities prove a clear and present danger that plant-touching businesses must accept and plan against on a daily basis.  Less heard of, but equally concerning, are the social engineering scams or cybersecurity attacks on unassuming license-holders that gut the operators’ assets electronically.

Nevertheless, while security risks remain an unfortunate byproduct of the adult-use landscape, ignorance and/or failure to plan do not excuse these events.  Instead, licensees should treat security as a bet-the-business type of risk due to the impact just one physical break-in or cyberattack could have on the future of operations.  Luckily for New York State licensees, preparedness is not just rewarded, it is required.

As seen in 2022, all conditional cultivation and processor licensees were required to develop and implement a business-specific written security plan that was ultimately submitted and approved by the OCM.  This is no different for permanent licensees, as the initial draft regulations introduced in November 2022 require permanent licensees to include robust security plans as part of the application process.  In theory, the concept makes sense, but what does this plan actually look like?

Forseti Protection Group advises that a robust security plan should be comprehensive, flexible, and tailored to the specific needs of your business. Not every business is the same, despite being in the cannabis industry. A security plan should address all elements, including the elements, as major weather events like blizzards are commonplace in Western New York. To that end, a licensee’s standard operating procedures for an emergency response, employee training, cash handling, deliveries of product, and treatment of smart safes is essential. Additionally, the OCM’s mandatory specifications for surveillance cameras, storage, biometric authentication, security clearances for employees and vendors, and audit plans should be included in a security plan. Together, this will help protect assets, ensure compliance with state regulations, and mitigate risk.

Beyond physical security, cybersecurity attacks like those described above are becoming more prevalent, especially for small and early-stage businesses.  Accordingly, cannabis operators must not only take care to protect digital information at all costs, but also train employees across all levels to watch out for social engineering or phishing attempts that take aim at the business’ cash or inventory.

Conclusion

The regulatory requirements and potential security threats conditional licensees have faced in the early stages of New York’s adult-use cannabis market demonstrate how crucial the compliance and security are on a daily basis.  The earlier licensees can plan ahead for, and even automate these requirements, the simpler their operations will become, in what promises to be a very complex industry. Lippes Mathias’ cannabis practice team and Forseti Protection Group will continue to monitor developments in the New York State cannabis market. Should you have any questions, please contact either of our teams.

Mario Rodriguez is President of Forseti Protection Group, one of the nation’s leading Minority Owned security risk management firms, with offices in Boston, Massachusetts and Buffalo, New York. Recognized as a security expert, Mario is also an adjunct professor of criminal justice at a local college in Buffalo, New York. Mr. Rodriguez is also a Business First 2022, 40 under 40 Honoree.

Joe Schafer assists clients with mergers & acquisitions, business formation and structuring, licensing, contract review and other general matters.As a member of the firm’s Cannabis Practice Team, Mr. Schafer has advised clients on hemp regulations, the Marijuana Regulation and Taxation Act, and has handled litigation matters for clients involved in the cannabis industry.