Pot Stocks Are Getting Crushed. What You Need to Know.

What goes up, must come down. But not necessarily this fast.

Canadian marijuana stocks that posted staggering gains on Wednesday fell just as fast Thursday, while U.S. multistate operators, or MSOs, were dragged down, but fared a bit better.

Tilray stock (ticker: TLRY) fell 49.7% Thursday, erasing all its gains from the prior trading day. Aphria stock (APHA) closed down 35.8%. Those companies expect to close a merger in the first half of the year. Under the deal announced in December, an investor would receive about 0.84 shares of the combined Tilray for every share of Aphria that they owned. Aurora Cannabis shares (ACB) were down 23.5%, while Canopy Growth (CGC) fell 22.1%.

ETFMG Alternative Harvest (MJ), an exchange-traded fund with exposure to the pot business, fell 24.6% from its Wednesday close. The ETF is still up about 74.5% year-to-date.

Meanwhile, Curaleaf (CURLF), a U.S. operator that lists shares over-the-counter in the U.S., fell 7.2%. Peers Green Thumb Industries (GTBIF), Cresco Labs (CRLBF), and Trulieve Cannabis (TCNNF) were down between 6% and 8%.

Canadian pot stocks, especially, have rallied in recent months on a wave of sentiment-driven gains as investors bet on positive political developments. Meanwhile, U.S. growers, which would benefit from an improved legal landscape, have lagged their competitors that operate in the smaller Canadian market.

Cantor Fitzgerald analyst Pablo Zuanic told Barron’s in an email that the recent action in pot stocks involving Reddit traders makes it hard to predict day-to-day moves, especially with the more-liquid Canadian growers.

“A look at the [GameStop] stock chart should be cautionary,” Zuanic added. “That said, we continue to think the top US MSOs are attractively valued taking a long-term view, even though they will get some of the Canadian downdraft.”

Ironically, some observers last month likened the move in GameStop (GME) to Tilray’s brief parabolic jump in 2018. The WallStreetBets forum on Reddit was recently littered with posts about pot stocks. One of the top posts Thursday morning likened the recent action in Canadian pot stocks to a casino.

Zuanic said on Wednesday that the gap in performance between U.S. and Canadian licensed producers, or LPs, could signal interest from the Robinhood crowd. Robinhood users can’t trade over-the-counter stocks on the platform.

“Sure, the news flow backdrop has also helped (the notion the US will open soon and Canadian LPs will benefit; news about exports), but we think this does not explain the big delta in Canada vs. US performance,” he said. “We wonder if the average RH retail investor knows the difference between an MSO and an LP, and the very different fundamentals of both cannabis markets.”

Ihor Dusaniwsky, a managing director at short-selling analytics firm S3 Partners, noted on Wednesday that there’s also a short-selling angle at play. Tilray began the year with short interest at about 48% of shares available for trading, according to S3 Partners. S3 estimates a recent short interest at 23% of shares available for trading, implying a large amount of covering, which helps drive prices up.

Short sellers sell borrowed shares with the hope they can replace the stock by purchasing it at a lower price. Dusaniwsky notes that Tilray and Cronos (CRON) saw the largest yearly decrease in short interest as a percentage of shares available for trading. He added that the top 20 cannabis shorts in the sector were down $4.32 billion in net-of-financing mark-to-market losses in 2021 by Wednesday.

“The yearlong rally has spurred short squeezes in most of the top 20 most shorted stocks in the sector and we should see the squeezes continuing, especially if the potential for nationwide U.S. cannabis legalization continues to increase,” Dusaniwsky added.

As with GameStop, the traditional buy-and-hold investor might want to stay away until things cool down.

As tech leaders race to bring Windows systems back online after Friday’s software update by cybersecurity company CrowdStrike crashed around 8.5 million machines worldwide, experts share with CIO Journal their takeaways for preparing for the next major information technology outage.

Be familiar with how vendors develop, test and release their software

IT leaders should hold vendors deeply integrated within IT systems, such as CrowdStrike , to a “very high standard” of development, release quality and assurance, said Neil MacDonald , a Gartner vice president.

“Any security vendor has a responsibility to do extensive regression testing on all versions of Windows before an update is rolled out,” he said.

That involves asking existing vendors to explain how they write software, what testing they do and whether customers may choose how quickly to roll out an update.

“Incidents like this remind all of us in the CIO community of the importance of ensuring availability, reliability and security by prioritizing guardrails such as deployment and testing procedures and practices,” said Amy Farrow, chief information officer of IT automation and security company Infoblox.

Re-evaluate how your firm accepts software updates from ‘trusted’ vendors

While automatically accepting software updates has become the norm—and a recommended security practice—the CrowdStrike outage is a reminder to take a pause, some CIOs said.

“We still should be doing the full testing of packages and upgrades and new features,” said Paul Davis, a field chief information security officer at software development platform maker JFrog . undefined undefined Though it’s not feasible to test every update, especially for as many as hundreds of software vendors, Davis said he makes it a priority to test software patches according to their potential severity and size.

Automation, and maybe even artificial intelligence-based IT tools, can help.

“Humans are not very good at catching errors in thousands of lines of code,” said Jack Hidary, chief executive of AI and quantum company SandboxAQ. “We need AI trained to look for the interdependence of new software updates with the existing stack of software.”

Develop a disaster recovery plan

An incident rendering Windows computers unusable is similar to a natural disaster with systems knocked offline, said Gartner’s MacDonald. That’s why businesses should consider natural disaster recovery plans for maintaining the resiliency of their operations.

One way to do that is to set up a “clean room,” or an environment isolated from other systems, to use to bring critical systems back online, according to Chirag Mehta, a cybersecurity analyst at Constellation Research.

Businesses should also hold tabletop exercises to simulate risk scenarios, including IT outages and potential cyber threats, Mehta said.

Companies that back up data regularly were likely less impacted by the CrowdStrike outage, according to Victor Zyamzin, chief business officer of security company Qrator Labs. “Another suggestion for companies, and we’ve been saying that again and again for decades, is that you should have some backup procedure applied, running and regularly tested,” he said.

Review vendor and insurance contracts

For any vendor with a significant impact on company operations , MacDonald said companies can review their contracts and look for clauses indicating the vendors must provide reliable and stable software.

“That’s where you may have an advantage to say, if an update causes an outage, is there a clause in the contract that would cover that?” he said.

If it doesn’t, tech leaders can aim to negotiate a discount serving as a form of compensation at renewal time, MacDonald added.

The outage also highlights the importance of insurance in providing companies with bottom-line protection against cyber risks, said Peter Halprin, a partner with law firm Haynes Boone focused on cyber insurance.

This coverage can include protection against business income losses, such as those associated with an outage, whether caused by the insured company or a service provider, Halprin said.

Weigh the advantages and disadvantages of the various platforms

The CrowdStrike update affected only devices running Microsoft Windows-based systems , prompting fresh questions over whether enterprises should rely on Windows computers.

CrowdStrike runs on Windows devices through access to the kernel, the part of an operating system containing a computer’s core functions. That’s not the same for Apple ’s Mac operating system and Linux, which don’t allow the same level of access, said Mehta.

Some businesses have converted to Chromebooks , simple laptops developed by Alphabet -owned Google that run on the Chrome operating system . “Not all of them require deeper access to things,” Mehta said. “What are you doing on your laptop that actually requires Windows?”