Cannabis Industry Compliance and Security
The legal cannabis industry in the United States generated $30 billion in revenue in 2024 and operates under a complex regulatory framework that governs product tracking, financial services, physical security, and data protection[^c9]. State regulators mandate seed-to-sale tracking systems to monitor inventory and prevent diversion[^c1], but cannabis businesses lose an estimated $2.6 billion annually to theft, diversion, and inventory shrinkage[^c2], with roughly 90 percent of losses attributed to employees rather than external criminals[^c11].
Banking access remains one of the industry's most persistent operational challenges. Recreational cannabis is classified as a Schedule I substance under federal law[^c6], causing most financial institutions to decline service and resulting in predominantly cash-based operations[^c7]. The lack of traditional financing creates cascading cash-flow problems throughout the supply chain[^c3]. In April 2026, the Department of Justice and DEA issued a [[regulation/schedule-iii-cannabis-rescheduling|Final Order]] placing FDA-approved products and state-licensed medical marijuana into Schedule III[^c10], but recreational cannabis remains Schedule I, and the order has not opened mainstream banking access. The order faces immediate legal challenges in the D.C. Circuit, with three consolidated petitions arguing that the acting attorney general exceeded his statutory authority[^c14]. The SAFER Banking Act remains stalled in Congress, while the narrower CLIMB Act was introduced in March 2026.
The industry is particularly vulnerable to cyberattacks, and 59 percent of cannabis companies have not taken steps to prevent them[^c5]. Schedule III rescheduling introduces new cybersecurity compliance obligations under HIPAA, the HITECH Act, and other federal data privacy laws for medical cannabis operators[^c13]. Ransomware groups such as Qilin and NightSpire have begun targeting cannabis businesses in 2026, while the Ohio Marijuana Card breach exposed nearly one million patient records[^c12]. The industry's reliance on third-party vendors for payment processing and compliance tracking creates multiple points of potential exposure[^c8].
Physical security requirements vary by state but generally mandate video surveillance, access control systems, perimeter barriers, and alarm systems for licensed facilities. A wave of violent incidents in California in early 2026 — including a fatal shooting at a Sacramento cannabis warehouse and organized burglaries targeting cultivation operations — highlighted ongoing security risks. Product safety testing has also emerged as a significant concern, with documented laboratory fraud and contamination issues in multiple states raising questions about supply chain integrity as federal rescheduling proceeds. In May 2026, a landmark class action lawsuit compared cannabis marketing practices to the Big Tobacco litigation playbook, signaling a new era of litigation risk for the industry[^c15].