Public Statements & Remarks

Keynote Address by Commissioner Christy Goldsmith Romero at FIA & SIFMA Asset Management Derivatives Forum

Adjusting the Sails for Cyber and Climate Resilience

February 10, 2023

Remarks as Prepared for Delivery

Standard Disclaimer

Thank you to FIA and SIFMA.  It is a daunting task to give a keynote on a Friday that is the last day of a conference—particularly a conference that has had engaging substantive heavy content.  It’s been such heavy content that some of you plunged yourselves into the freezing cold ocean after yesterday’s panels.[1]  Please don’t do that after my speech, where I am going to talk about cyber risk and climate risk— two topics that I will admit can feel daunting.

There is an immediate threat before us that must be countered with strong and swift resolve—that is the threat of cybercrime.  Additionally, climate risk has emerged as an area of increasing substantial risk to the economy and a threat to financial stability.

The question I want to engage you on is how do we, the collective “we,” turn risk into resilience.  Resilience is the ability to recover quickly after setbacks, to adapt.

Strengthening the resilience of our markets to cyber risk and climate risk are two of my highest priorities.  I spent the last 14 years in the government helping to make our financial system more resilient to risk after the 2008 financial crisis—a crisis that taught a brutal lesson about unexpected risk.

Far from being unexpected, climate and cyber risk are flashing lights warning of serious dangers ahead.  The collective “we” should expect severe climate events that cause massive financial losses—losses that can impact the real economy and also financial markets.  We should expect ransomware gangs, state actors or state-sponsored cyber criminals to attack at any point of vulnerability.

When we know the risk, we can plan for it.  We can manage around it.  We can use every tool as an opportunity to build resilience.  And we can work together.

I am reminded of a saying, “We cannot direct the wind, but we can adjust the sails.”  This has been credited to several people, including Dolly Parton.  As a Dolly fan, and because I fear I will have no other opportunity to quote Dolly, please allow me to take the opportunity now.  On a sailboat, the sail takes something that serves as risk—wind—and harnesses that wind to propel the boat in the direction that the sailors wish to go.  Racing sailboats are run by an entire team of sailors, and each team member has a specific responsibility and role.

We meet today at a crucial moment to decide which direction to go.  When it comes to cyber risk, there should be complete consensus that there is only one direction to go—to strengthen resilience to cybercrime.  There may be less consensus on how to strengthen resilience to climate risk.  But I hope all can agree on the need to move towards a more climate-resilient market.  To build resilience, it will take each of us working each of our roles and responsibilities, and coming together as a team.

Cyber Risk

Cyber attacks are one of the most persistent and severe threats facing companies today.  Global cyber criminals and state-sponsored efforts can create or leverage a serious disruption to markets and economies.[2] In November, I spoke twice about the need for cyber resilience and warned of the dangers associated with cybercrime from three interrelated threats: (1) zero-day and n-day vulnerabilities; (2) third-party service provider vulnerabilities; and (2) ransomware vulnerabilities.[3]

Last week, a third-party service provider, ION Markets, suffered a cyber attack that compromised a number of brokers in the derivatives markets.  For days, the attack disrupted trade-matching and margin processes at approximately 42 firms, according to news reports.[4]  This type of disruption can also impact exchanges.  According to news reports, a ransomware group known as LockBit claimed responsibility for the ION attack, which I will not confirm. [5]  Fortunately, the damage appears to have been contained.[6]  I appreciate all of you who worked with the CFTC to ensure that was the case.

There are lessons to be learned from last week’s cyber attack.  If we all can discuss those and how to implement those lessons, we can adapt and take steps to build a more resilient market.  I invite further discussion with me on this subject.

After all, in 2012, then-Director of the Federal Bureau of Investigation (“FBI”) Robert Mueller warned, “There are only two types of companies:  those that have been hacked and those that will be.  And even they are converging into one category:  companies that have been hacked and will be hacked again.”[7]  Or as FIA President Walt Lukken said at the start of the conference, there are those that have been hacked and those who don’t know they’ve been hacked.

A 2022 survey of 130 global financial institutions found that 74% experienced at least one ransomware attack over the past year.  Critical market infrastructure, like exchanges and clearinghouses, already experience cyber security incidents.

The threat of ransomware continues to grow and evolve, as does the Department of Justice’s (“DOJ”) ability to counter the threat.  Ransomware is no longer limited to sophisticated actors.  DOJ recently infiltrated and disrupted a ransomware group known as Hive.[8]  Hive and LockBit operate as Ransomware-as-a-Service (“RaaS”).  That’s a model where the developers create ransomware and an easy-to-use interface and recruit affiliates to deploy the ransomware to attack victims in exchange for a percentage of ransom payments.[9]  The result can be extremely disruptive.

Cyber Resilience

Everyone has a part in strengthening cyber resilience across financial markets.  In my discussions with cybersecurity experts, I have learned that many cyber attacks start with common vulnerabilities that can be resolved through good cyber hygiene.  Phishing attempts, attacks on software and systems that have not been updated with patches, access through remote connections, and insiders being tricked into giving access continue as the tools that cyber criminals employ.[10]

One of the lessons learned from last week is that a firm’s cybersecurity is only as strong as its most vulnerable third-party service provider—which is something I warned about in November.[11]  The financial firms at the center of global markets rely on hundreds of third-party service providers.  These financial firms and their third-party service providers employ thousands of people who can open the door to potential exploits of sensitive financial data and systems.  The threat compounds where several firms use the same provider, as was the case with ION.  Firms owe it to their clients—and I would say the markets—to have ongoing communications and other due diligence with third-party service providers to understand their cybersecurity controls and any weaknesses that could put the firm at risk.  One path firms can consider is to request regular updated Systems and Operational Controls 2 (“SOC 2”) audits and opinions that the third party service provider has met, and better yet, exceeded, standards.[12]

The danger of this threat is why I have made cyber resilience one of my top priorities.  I recently supported the CFTC’s proposed rule to expand clearinghouse notification of cybersecurity incidents.[13]  I said at that time, “A major cyber incident involving U.S. clearing houses carries the potential to create disruptions—if not short-term chaos—throughout our financial markets.  Imagine the equivalent of the Colonial Pipeline attack on a clearing house or major clearing member.”[14]

The threat of cyber attacks is so severe that it requires all of us to adapt and evolve to meet the changing threat.  Chairman Behnam has asked me to lead an agency effort to adapt and evolve the CFTC’s cyber-resilience framework for brokers (FCMs) and dealers (Swap Dealers).  We expect to propose a rule in the coming months.  My office has already begun internal and inter-agency discussions, including with colleagues at the prudential regulators and the National Institute of Standards and Technology, among others that can provide valuable insights.

Additionally, I sponsor the Technology Advisory Committee (“TAC”), along with its Cybersecurity subcommittee.  The TAC is a perfect forum to navigate the complexities of cyber resilience to counter the dangerous threat of cybercrime.  We are preparing to announce a remarkable group of members in the next two weeks, including cybersecurity experts, and hold a public meeting next month.

Given the rapidly evolving cybersecurity threat, the public and private sector can be powerful when we join forces to counter that threat.  If we all shore up vulnerabilities, and communicate about rapidly evolving threats, together we can adapt to have a more cyber resilient market.

Climate Risk

As a market regulator, it is no longer a choice, but an imperative, for the CFTC to enhance its ability to identify and monitor climate risk that impacts our markets and market participants.[15]  With severe climate events impacting commodities and derivatives markets, the CFTC should be at the forefront of monitoring both physical risk and transition risk.

Monitoring Physical Climate Risk

The number and severity of severe climate events is increasing and coming at greater cost.[16]  In the last three years, the United States suffered the highest number of weather/climate disaster events with losses of at least $1 billion.[17]  From California wildfires, to floods in Kentucky and Missouri, to Hurricane Ian, to a drought that left the Mississippi River at historically low levels during a crucial time to ship crop harvests, the year 2022 was the third most costly year on record.[18]  Extreme climate events are crippling infrastructure, supply chains, transportation, and agricultural production.  For example:

  • California wildfires have become more destructive and costly, with more than $65 billion in losses over the last six years.[19]  California wildfires have impacted farms and ranches—displacing animals, and burning grazing land, barns, irrigation systems, equipment and machinery.[20]
  • On the east coast, and the Gulf, hurricanes have intensified with Category 4 or 5 hurricanes making landfall in the last five of six years—the highest frequency on record.[21]  Hurricane Ian significantly impacted farmers and livestock producers.[22]  Destructive winds, heavy rains, and flooding impacted nearly five million acres of agricultural lands that produce over $8.12 billion dollars of agricultural products.[23]
  • Winter storm Uri left two-thirds of Texans without power and contributed to 210 deaths.[24]  Uri left significant questions about the energy market that Texas relied on for power generation.  Ranchers lost cattle, sheep, goats and poultry to the extreme cold.
  • Severe drought dropped Mississippi River water levels to historical lows in October 2022, during shipping crop harvests.[25]  The Mississippi is the major route for most of the nation’s soybeans and corn.  Barges became stranded as the river became too shallow for passage. Some barges could only move with reduced cargo.

Climate financial risk can impact financial stability.  Each region faces unique climate risks to their economy.  Climate events can have longer lasting economic shocks, such as lost production capacity in subsequent seasons, impacting financial institutions and markets.  Some local industries or economies may fail to recover.

Climate events hold the potential to pose systemic risk.  The risk of contagion across regions or industries, simultaneous shock events in multiple regions, and shocks that run through supply chains and value chains that cross regions, could trigger a domino effect throughout our national economy.

Monitoring Transition Risk

It is important for the CFTC to monitor the risk of markets transitioning to a lower-carbon economy as nations and nearly 8,000 companies have pledged to reduce greenhouse gas (“GHG”) emissions in accordance with the Paris Agreement.[26]  Transition risk includes policy, technical, legal, and geopolitical issues—such as Russia’s invasion of Ukraine.  The pace of transition will be an important risk factor to monitor.  There remains a need for some fossil fuel to meet energy demand, even as renewable energy supply increases.  However, given the significant financial climate-risk, continued transition to a lower carbon environment can help mitigate those risks.

Climate Resilience

Given that we (the collective “we”) know the risk, we can plan for it.  We can manage around it.[27]  We can use every tool at our disposal as an opportunity to manage risk and promote climate resilience.  In the end, that’s what derivatives markets are all about.

Markets can serve as sails that harness the power of the wind to propel in the direction of a more sustainable future, while meeting investor demand.  A 2022 trend report found that climate change presented the leading ESG criterion by institutional investors and money managers.[28]  The FTSE Russell 2021 survey showed that 84% of asset owners were evaluating or implementing sustainable investment considerations in their strategies—up from a little over half in 2018.[29] 

A 2022 survey of asset managers and asset owners found that nearly all report—or plan to report—on climate-related information, largely because of direct requests from clients and beneficiaries.[30]  About 65% of asset managers reported climate-related information directly to clients at the fund level, while 64% report at an entity or aggregate portfolio level.[31]  At least half of the asset managers reported on climate-related metrics (53%), governance (50%), and risk identification and assessment process (50%).[32]  About 42% asset managers report GHG emissions of assets under management, with another 42% indicating that they plan to report.[33]

With all of the current and planned reporting being requested by clients and beneficiaries, the question becomes how confident asset managers or others are with the data on which that reporting is based.

Insert polling question 1: What is your biggest concern about ESG climate-related products?

  1. Lack of data
  2. Lack of standardization
  3. Concerns about integrity

A lack of transparency through consistent, comparable data with an agreed-upon taxonomy can present challenges to the proper functioning of markets, including price discovery.  Questions arise about whether the underlying project achieves the carbon reduction or other sustainability promised.  These challenges can be compounded by market demand for bespoke, customized ESG products.

Some market participants see potential in voluntary carbon credits as an opportunity to manage climate-related risk.

Insert polling question 2: Has your fund or business invested in or participated in voluntary carbon markets?

  1. Yes
  2. No
  3. Considering investing/participating

Voluntary carbon credits should represent one ton of greenhouse gases reduced or removed.  But not all carbon credits are created equal.  Concerns about integrity abound.[34]

The market should signal through pricing those carbon credits that are high quality, compared with credits reflecting projects that do not achieve the requisite level of carbon reduction or are temporary.  However, there is insufficient price transparency given that the market is largely over the counter and has challenges of credibility, fragmentation, a lack of standardization, and the potential for conflicts of interest (e.g. a registry that is also connected with the underlying product)—all of which can limit trust and confidence in the market.

Additionally, it is increasingly becoming important to market participants to understand what corporate commitments actually mean in practice—a topic discussed at this conference by market participants.  For example, market participants are increasingly looking to see if companies plan to reduce or avoid greenhouse gas emissions, with carbon offsets only accompanying, not replacing GHG reductions.

Asset managers, brokers and other intermediaries have an important role to play in promoting the responsible innovation of high quality ESG products.  As we heard on the first day of this conference from market participants, third parties that set standards can help bring some level of comparable data, and help avoid getting entangled in greenwashing, but total reliance on those third parties may not be enough on its own.  Best practices in due diligence include increasing knowledge and expertise, reviewing disclosure and marketing material, requesting supporting documents and data, and vetting companies, indexes and registries, to understand their governance and credibility.  This will build resilience in this new, emerging and innovative market.

Markets can provide powerful economic incentives to separate those companies or products that provide transparency and the data needed to prove claims of GHG reduction over those that remain shadowed.  The private sector can request more and better data and communication.

The CFTC’s Role

I support Chairman Behnam’s leadership in the area of climate risk, and agree with him that, “The CFTC is uniquely poised as the regulator at the forefront of climate-related risk management as firms and individuals will increasingly turn to the derivatives markets to mitigate climate change-induced physical and transition risk and seek price discovery for new and evolving risk management products.”[35]

Commodity derivatives markets have a long history of helping market participants manage climate-related risk, with derivatives serving as a tool to protect against climate-related price uncertainty.  Markets are signaling in the direction of investor demand for ESG products, including the 200+ environmental or sustainability derivatives products that trade on CFTC-registered exchanges, along with environmental-related swaps.[36] The CFTC has authority over these products and trading.  The CFTC also has anti-fraud authority over the spot market.

I have three proposals to promote resilience to climate risk.

Proposal 1: The Commission should promote market integrity by increasing enforcement resources and expertise to combat greenwashing and other forms of fraud.

The CFTC, through its enforcement program, should combat greenwashing, other fraud, and other illegality in derivative markets and spot markets under our jurisdiction.  This exercise of authority is no different than what we do with digital assets.  That starts with increasing enforcement resources and expertise.

The fact that there is no consistent definition of greenwashing presents a challenge in market participants knowing if it is present.

Insert polling question 3: Have you ever been aware of an instance of greenwashing?

  1. Yes
  2. No
  3. The definition of greenwashing is unclear 

As a 20 year federal law enforcement official, I take the position that greenwashing is one type of fraud.  In the narrowest sense, greenwashing is limited to an issuer (a public company) making false claims about the environmental qualities of their products.  But products traded in the derivatives markets or the voluntary carbon credit markets that only purport to reduce or remove GHG emissions, with no emissions reduction (or less than one ton of reduction) could also be greenwashing.

Funds that claim to be involved in green or sustainable investing should take care to ensure the accuracy of their disclosures.  This necessarily involves conducting the due diligence that I talked about earlier.

Voluntary carbon markets carry particular concerns of greenwashing, fraud, and manipulation.  In 2013, Interpol said that carbon markets are at risk of exploitation by criminals due to the large amount of money, the immaturity of the regulations, and lack of oversight and transparency.[37]  The Environmental Defense Fund raised fraud concerns in voluntary carbon markets, including fraud or misleading claims with respect to the environmental benefits of purchased carbon credits, and fraudulent misrepresentation of measurements to claim more carbon credits from a project than were actually generated.[38]  IOSCO raised concerns about greenwashing, fraud and manipulation in voluntary carbon markets, including:[39]

  • The risk of fraudulent selling of carbon credits that do not exist or do not belong to the seller;
  • Different methodologies to quantify the carbon avoided or reduced poses risks for greenwashing;
  • Conflicts of interests between traders and investors could lead to traders manipulating carbon credit prices by issuing buy/sell recommendations to their customers, while doing the opposite with their own credits; and
  • The risk of unclear and misleading communications around the use of carbon credits by buyers could result in greenwashing.

Whatever the label used—greenwashing, fraud, or misrepresentation—these can all lead to serious harm, distort market pricing, seriously damage a company’s reputation, and undermine the integrity of the markets.  One indication of greenwashing is that there is no evidence to support the claim.  Market participants can protect themselves by asking for, and validating, information to backup claims.  Exchanges also have a role to play to prevent and catch greenwashing.  And of course, the Commission also has an important enforcement role.

Proposal 2: The Commission should promote market resilience to climate-related risk by monitoring climate-related financial risk to commodities and derivatives markets and working with exchanges, clearing houses, and market intermediaries to understand how they are managing climate risk.  

The Commission should promote market resilience to climate-related risk.[40]  This starts with the CFTC identifying, understanding and monitoring climate-related financial risk to commodity and derivatives markets in regions across the country, and any systemic or sub-systemic shocks.  The CFTC should work with exchanges, clearing houses and market intermediaries to understand how they are managing climate risk.

I have been working with the National Futures Association (“NFA”) during my entire tenure this past year, which resulted in the NFA including climate risk in their review of members this year.  What has emerged are best practices that I have encouraged NFA to share.  I am also regularly talking to market participants who are involved with environmental products to understand the opportunities and challenges they are experiencing in the market.

Proposal 3: The Commission should work with exchanges and market participants to ensure the integrity of derivatives markets and promote responsible innovation in climate/sustainability products.

I have talked to a number of market participants who have asked the CFTC to become more involved in setting rules of the road and/or guardrails in this area given concerns about integrity.  I also heard that same request on the first day of this conference.  I believe that there are actions that the CFTC can take within our existing authority, including what we do already, for example, with digital assets trading in our markets.

I agree with former CFTC Commissioner Dan Berkovitz who said at this conference two years ago, “the CFTC should work with exchanges and market participants on the development and approval of new products that are intended to help companies hedge their climate-related risk.”[41]  Just as we have done with digital assets, working with exchanges and market participants on new products in this emerging area would fulfill the Commission’s critical role of ensuring integrity in our markets.

In doing so, the CFTC should collaborate with market participants, exchanges, standards bodies, including international standards bodies, and other stakeholders.  To that end, I have been meeting with market participants, exchanges, standard setters, and even carbon credit registries to understand the challenges, any guidance and/or guardrails needed, and to discuss the appropriate role of the CFTC.  I invite further discussion from you on these topics.

I believe that the CFTC can do more within our existing authority to set guardrails, just as we have for digital assets.  Ensuring that innovation is responsible will deter greenwashing and help protect market integrity.

Conclusion

My message today is that we can turn risk into resilience.  Everyone has a responsibility when it comes to strengthening market resilience against cyber risk and climate risk.  We know what is coming.  We are all on the same boat together.  If each of does our part, together we will adapt to become more resilient.

The threat of cybercrime is so pervasive and severe that it will take private and public counteractions to combat the threat.  By working together, the public and private sector can shore up vulnerabilities and closely monitor, and communicate about, any active threat.  After all, cyber attacks have revealed how interconnected we all are.

Climate change poses such significant risks to the economy and financial stability that it will also take both private and public action.  If the CFTC exercises its existing authorities, and all in the private sector do their part to promote integrity and responsible innovation in these emerging markets, the opportunities to manage climate risk may be fully realized.

It will not be easy, and will take adjusting the sails.  If done right, the markets will lead us to a more sustainable economy—one that is resilient to climate risk, and less susceptible to cyber attack.

These are the threats of our day.  It is our responsibility to rise up and counter them by adapting into a market that is more resilient.


[1] My hat is off to those of you who did the polar plunge for charity.

[2] In my remarks from my November 30, 2022 speech, Protecting Against Emerging Global Fintech Threats in Cyberspace and Cryptocurrencies (see fn. 3), I noted the following:

The threat of a cyber-related shock to global financial markets is growing and taking on new and increasingly sophisticated forms.  Global cyber criminals and state-sponsored efforts can create or leverage a serious disruption to markets and economies.  Critical market infrastructure around the world, like exchanges and clearinghouses, already experience cyber security incidents . . . . Even if financial firms have strong cybersecurity systems, their cybersecurity is only as strong as their most vulnerable third-party service provider.  The threat can compound where several firms use the same software or other provider . . . .

In March 2022, FBI Director Christopher Wray said that last year, 14 of 16 critical U.S. infrastructure sectors saw ransomware incidents.  This includes the Colonial Pipeline and JBS, the world’s largest meat supplier.  The world faced a 93% rise in ransomware attacks this year . . . A 2022 survey of 130 global financial institutions found that 74% experienced at least one ransomware attack over the past year, and 63% experienced an increase in destructive attacks designed to counter incident responses.  Ransomware is no longer limited to sophisticated actors.  Anyone can purchase and deploy a ransomware kit, auction off stolen data on the dark web, and obtain payment in cryptocurrency.

My warnings are just as urgent today.

[3] See Commissioner Christy Goldsmith Romero, U.S. Commodity Futures Trading Commission, Protecting Against Emerging Global Fintech Threats in Cyberspace and Cryptocurrencies, Nov. 30, 2022, Keynote Remarks of Commissioner Christy Goldsmith Romero at the Futures Industry Association, Asia Derivatives Conference, Singapore | CFTCSee also C. Goldsmith Romero, Commissioner, U.S. Commodity Futures Trading Commission, Proposal for Expanded Cybersecurity Incident Notification, Nov. 10, 2022, Statement of Commissioner Christy Goldsmith Romero on Proposed Rule on Cybersecurity Incident Reporting | CFTC.  Zero-day vulnerabilities are flaws in systems or software that remains unknown to the developer and user of the system or software.  N-day vulnerabilities are flaws that continue in systems or software due to a failure to implement a corrective patch, as recently happened in the Equifax exploit. Ransomware is malicious code that steals or encrypts critical data and then allows a criminal organization to extort companies to do something—usually pay hefty sums.  Once the ransom is paid, the organization returns the stolen data (or does not publish it) or provides the keys necessary for decryption.

[4] See R. Gallagher, M. Murphy, Ransomware Gang in Trading Hack Says Ransom Was Paid, Bloomberg, Feb. 3, 2023, https://www.bloomberg.com/news/articles/2023-02-03/ion-removed-from-hacker-s-target-list-deadline-for-ransom-.suspended; see also R. Satter, Hackers who breached ION say ransom paid; company declines comment, Feb. 3, 2023, https://www.reuters.com/technology/hackers-say-ransom-paid-case-derivatives-data-firm-ion-company-declines-comment-2023-02-03/.

[5] See R. Gallagher, M. Murphy, Ransomware Gang in Trading Hack Says Ransom Was Paid, Bloomberg, Feb. 3, 2023, https://www.bloomberg.com/news/articles/2023-02-03/ion-removed-from-hacker-s-target-list-deadline-for-ransom-suspended.

[6] Todd Conklin, Deputy Assistant Secretary of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection, is reported to have told the press that the issue is “currently isolated to a small number of smaller and mid-size firms and does not pose a systemic risk to the financial sector.”  See I. Almeida, M. Burton, K. Doherty, US Plays Down ION Cyberattack, Sees No ‘Systemic Financial Risk’, Bloomberg, Feb. 1, 2023, https://www.bloomberg.com/news/articles/2023-02-01/cyberattack-hits-derivatives-unit-of-trading-software-firm-ion#xj4y7vzkg.

[7] Robert S. Mueller, III, Director, Federal Bureau of Investigation, Remarks as Prepared for Delivery to the RSA Cyber Security Conference, Mar. 1, 2012, FBI — Combating Threats in the Cyber World: Outsmarting Terrorists, Hackers, and Spies.

[8] U.S. Department of Justice, U.S. Department of Justice Disrupts Hive Ransomware Variant, Jan. 26, 2023, https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant (Hive has targeted more than 1,500 victims and received over $100 million in ransomware payments).

[9] See Id.; see also Department of Justice, Man Charged for Participation in LockBit Global Ransomware Campaign, Nov. 10, 2022, Man Charged for Participation in LockBit Global Ransomware Campaign | OPA | Department of Justice  (DOJ describes LockBit as one of the most active and destructive ransomware variants in the world, with as many as 1,000 victims, and having extracted tens of millions of dollars in ransom payments); See U.S. Department of Justice, U.S. Department of Justice Disrupts Hive Ransomware Variant, Jan. 26, 2023, https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant.

[10] According to DOJ, Hive affiliates gained access to victims networks through single factor logins via Remote Desk Protocol, virtual private networks and other remote connection protocols, including by sending phishing emails with malicious attachments.  See U.S. Department of Justice, U.S. Department of Justice Disrupts Hive Ransomware Variant, Jan. 26, 2023, https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant; According to the FBI, LockBit uses a wide variety of tactics, including unpatched vulnerabilities, insider access, and zero day exploits.  See Federal Bureau of Investigation, Flash Report, Feb. 4, 2023, Microsoft Word - LockBit_2.0_FLASH FINAL (ic3.gov).

[11] See Commissioner Christy Goldsmith Romero, U.S. Commodity Futures Trading Commission, Protecting Against Emerging Global Fintech Threats in Cyberspace and Cryptocurrencies, Nov. 30, 2022, Keynote Remarks of Commissioner Christy Goldsmith Romero at the Futures Industry Association, Asia Derivatives Conference, Singapore | CFTC.

[12] Created by the Association of International Certified Professional Accountants (“AICPA”), a “SOC 2 examination is a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.  SOC 2 reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by those systems.”  See AICPA, SOC 2, last visited Jan. 18, 2023, SOC 2® | AICPA.

[13] Commissioner Goldsmith Romero, Proposal for Expanded Cybersecurity Incident Notification, Nov. 10, 2022 Statement of Commissioner Christy Goldsmith Romero on Proposed Rule on Cybersecurity Incident Reporting | CFTC.

[14] See Id.

[15] In October 2021, the Financial Stability Oversight Council (“FSOC”), which includes the CFTC, identified climate change as an emerging and increasing threat to U.S. financial stability.

[16] See NOAA National Centers for Environmental Information (NCEI) U.S. Billion-Dollar Weather and Climate Disasters, 2023, Billion-Dollar Weather and Climate Disasters | National Centers for Environmental Information (NCEI) (noaa.gov).  For 42 years from 1980-2022, the United States had an annual average of 7.9 severe climate events.  That more than doubled (17.8) in the last five years. In the last five years, 89 climate events costing more than $1 billion each resulted in the deaths of 1,751 people and cost approximately $600 billion.  Every state has faced a $1 billion climate event.  This is just the events costing more than $1 billion each, not the cost of all weather and climate disasters.  However, these events account for a significant portion of loss from all events.

[17] See NOAA National Centers for Environmental Information (NCEI) U.S. Billion-Dollar Weather and Climate Disasters, 2023, Billion-Dollar Weather and Climate Disasters | National Centers for Environmental Information (NCEI) (noaa.gov).  There were 22 of these costly climate disasters in 2020, 20 in 2021, and 18 in 2022.

[18] See Id. (In 2022, there was $165 billion in damage and the death of 474 people.  “During 2022, there were 18 separate billion-dollar weather and climate disaster events.  These events included: eleven severe storm events (tornado outbreaks, high wind, hailstorms and a derecho), three tropical cyclones (Ian, Fiona, Nicole), the Kentucky/Missouri flooding, the late-December Central and Eastern winter storm/cold wave, the Western and Central drought/heat wave and Western wildfires.”)

[19] See Id.

[20] See California State Assembly, Impact of Wildfire on Agriculture Background.pdf (ca.gov), Nov. 18, 2020.

[21] See Id.

[22] See USDA, USDA Offers Disaster Assistance and Program Flexibilities to Farmers and Livestock Producers in Florida Impacted by Hurricane Ian, Oct. 14, 2022.

[23] See University of Florida-Institute of Food and Agricultural Science, Preliminary Assessment of Agricultural Losses Resulting from Hurricane Ian (ufl.edu), Oct. 17, 2022.

[24] See Texas Comptroller of Public Accounts, Winter Storm Uri 2021 (texas.gov), Oct. 2021.

[25] See USDA, Water & Climate Update (usda.gov), October 27, 2022.

[26] See Task Force on Climate-Related Financial Disclosures, 2022-TCFD-Status-Report.pdf (bbhub.io), Oct. 2022 (The Paris Agreement is the agreement by more than 200 governments, including the United States to address climate change by avoiding irreversible global warming by holding the increase in the global average temperature to 1.5°C above pre-industrial levels.  A subsequent report indicated that this requires greenhouse has (GHG) emissions to peak before 2025 and be reduced by 43% by 2030 to reach net zero by 2050.)

[27] See Climate Solutions | USDA.  Agriculture plays a critical role in delivering climate change risk management.  “The American agriculture sector has an incredible potential to reduce greenhouse gas emissions, sequester carbon, and deliver lasting solutions to the climate crisis.  America’s producers are already leading the way.  In recent years, carbon stored in cultivated cropland soils increased by more than 8.8 million tons annually thanks to their voluntary conservation efforts.”

[28] See US SIF Foundation, The Forum for Sustainable and Responsible Investing, “2022 Report on US Sustainable and Impact Investing Trends,” Dec. 2022, Trends 2022 Executive Summary.pdf (ussif.org).

[29] Available at https://solutions.lseg.com/si-asset-owner-survey-2022.

[30] See Task Force on Climate-Related Financial Disclosures, “Summary of Asset Manager and Asset Owner Survey Results,” Nov. 2022, PowerPoint Presentation (bbhub.io); see also Task Force on Climate-Related Financial Disclosures,”2022 Status Report,” Sept. 15, 2022 2022-TCFD-Status-Report.pdf (bbhub.io).

[31] See Id.

[32] See Id.

[33] See Id.

[34] See Board of the International Organization of Securities Commissions (“IOSCO”) Discussing concerns raised about the voluntary carbon markets relate to market integrity. Voluntary Carbon Markets Discussion Paper, November 2022,  CR06/2022 Voluntary Carbon Markets (iosco.org).

[35] See Chairman Rostin Behnam, “Opening Statement of Chairman Rostin Behnam at the CFTC Voluntary Carbon Markets Convening,” June 2, 2022, https://www.cftc.gov/PressRoom/SpeechesTestimony/behnamstatement060222.

[36] CFTC-registered exchanges such as CME, ICE, and Nodal Exchange list more than 200 environmental/sustainability products.  These include, for example, products related to ESG indexes, renewable energy products or credits, and carbon allowances or offsets (both in compliance markets and voluntary markets).

[37] See Interpol, Guide to Carbon Trading Crime.pdf, June 2013.

[38] See Environmental Defense Fund, Letter to Secretary Christopher Kirkpatrick on Request for Information on Climate-Related Financial Risk, October 7, 2022, 70849HollyPearen.pdf, Risks include: 1) Fraud or misleading claims with respect to the environmental benefits of purchased carbon credits; 2) Fraudulent misrepresentation of measurements to claim more carbon credits from a project than were actually generated; 3) Exploitation of the lack of regulations on the carbon market to commit financial crimes, such as money laundering, securities fraud or tax fraud; and 4) Computer hacking/phishing to steal carbon credits and the theft of personal information.

[39] See IOSCO Voluntary Carbon Markets Discussion Paper, November 2022,  CR06/2022 Voluntary Carbon Markets (iosco.org).

[40] See Commissioner Christy Goldsmith Romero, “Statement of Commissioner Christy Goldsmith Romero before the Market Risk Advisory Committee,” September 28, 2022, https://www.cftc.gov/PressRoom/SpeechesTestimony/romerostatement092822.

[41] See Commissioner Dan Berkovitz, “Keynote Address of Commissioner Dan M. Berkovitz Before FIA and SIFMA-AMG, Asset Management Derivatives Forum 2021, June 8, 2021, https://www.cftc.gov/PressRoom/SpeechesTestimony/opaberkovitz7.

-CFTC-