Practitioners — Company Secretaries · methodology v2.3

AI on Guidance on Cyber Resilience for Financial Market Infrastructures for Company Secretaries in international jurisdictions

Executive Summary

The CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures is the primary international benchmark against which FMIs — and the Company Secretaries who advise them — assess cyber resilience obligations, board-level governance requirements, and cross-border compliance posture. When Company Secretaries in international jurisdictions ask AI tools about this regulation, the AI consistently presents the 2016 guidance as the current, unrevised operative standard. In both questions we tested, AI tools failed to account for a material regulatory development: on 6 May 2026, CPMI-IOSCO published a consultative document placing the 2016 guidance under active revision. A Company Secretary relying on AI-generated advice on this regulation risks producing work product — board papers, compliance opinions, regulatory gap analyses — that misrepresents the status of the governing framework at a moment when that framework is actively changing.

How AI gets this regulation wrong

Every AI failure on this regulation follows the same pattern: the AI presents outdated information as if it were current, stating with confidence that the 2016 guidance remains the operative and unrevised international standard. The table below maps where in the regulatory lifecycle this failure occurs and what kind of incorrect output it produces for Company Secretaries relying on the AI's answer.

| AI's Failure Mode | Count | Affected findings |
| --- | --- | --- |
| AI gave outdated information as if it were current | 2 | Finding#1 · Finding#2 |

What that means for your practice

For Company Secretaries advising FMIs across international jurisdictions, the risk from these failures concentrates in one area: producing or signing off on work product built on a regulatory baseline that has already shifted. The table below shows how the AI's outdated picture of this regulation translates into concrete deliverable risk for practitioners and their clients.

| Risk Impact | Count | Affected findings |
| --- | --- | --- |
| Wrong deliverable | 2 | Finding#1 · Finding#2 |

When this affects Company Secretaries

Company Secretaries working with financial market infrastructures — central counterparties, central securities depositories, payment systems, and trade repositories — routinely need to advise boards and senior management on the international cyber resilience framework that governs their institution. This might arise when preparing a board resolution or terms of reference for a cyber resilience committee, scoping a regulatory gap analysis ahead of an examination, or briefing an incoming director on the company's obligations under applicable international standards. In each of these scenarios, an accurate picture of whether the governing guidance is stable, under consultation, or superseded is foundational to the quality of the advice.

The AI failures on this regulation are particularly consequential because the question of regulatory status is often treated as a threshold fact. A Company Secretary who asks an AI tool whether the 2016 CPMI-IOSCO guidance is still current — and receives a confident "yes, it has not been revised" — may build an entire board paper or compliance matrix on that premise without independently checking. If the guidance is in fact under active revision, the work product misrepresents the regulatory environment at a moment when the board should be monitoring the consultation process and considering whether to submit a response or adjust forward planning.

The international dimension compounds the risk. Company Secretaries advising FMIs that operate across multiple jurisdictions often use the CPMI-IOSCO framework as a common reference point precisely because it sits above any single national regime. A flawed understanding of the international standard's current status can cascade into errors across multiple jurisdictional compliance assessments simultaneously, multiplying the effort required to correct the record once the mistake is identified.

The findings at a glance

The table below summarises each finding from our testing of AI tools on this regulation, including the question area, the nature of the AI's error, and the risk category for Company Secretaries in international jurisdictions.

| # | Finding title | Type | Citation ID |
| --- | --- | --- | --- |
| 1 | Outdated status of 2016 cyber guidance | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022 |
| 2 | Active revision not disclosed by AI | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022 |

Aggregate impact

Both findings in this cell are structurally identical: two different AI tools, each tested on a question about whether the 2016 CPMI-IOSCO Cyber Resilience Guidance remains the operative standard, each independently produced the same confident but incorrect answer — stating the guidance has not been revised or superseded. The error is not a matter of nuance or interpretation; it is a factual misstatement about the regulatory status of a live international standard at a moment when that standard is under formal public consultation.

The underlying cause is consistent across both findings. The CPMI-IOSCO consultative document was published on 6 May 2026 — a development that falls outside or at the edge of the AI tools' training data horizon. This is not a failure of reasoning; it is a failure of currency. The AI tools are drawing on a factually accurate picture of the world as it existed before May 2026, but presenting that picture as if it describes the world today. For a regulation whose status is precisely the thing a Company Secretary needs to know, this is the most damaging kind of error.

For Company Secretaries advising multiple FMI clients across international jurisdictions, the aggregate risk is material. If a practitioner uses AI tools to orient themselves on this regulation — even as a starting point before deeper research — the consistent false signal that "nothing has changed" may suppress the further inquiry that would have surfaced the consultative revision. Work product issued under that premise is not merely incomplete; it is affirmatively misleading about the regulatory trajectory of a framework that national regulators cite directly when setting their own cyber resilience expectations.

Findings

Hallucinations (2)

Finding#1 — Outdated status of 2016 cyber guidance

Finding#2 — Active revision not disclosed by AI

What your team should do

The default position for Company Secretaries should be: never rely on AI tools to confirm the current status of an international standard without independently verifying against the issuing body's own publications. For this regulation, that means checking the BIS website directly at bis.org before issuing any advice that depends on whether the 2016 guidance is still operative. This is a one-step verification that takes less than a minute and eliminates the specific category of error documented here.

For ongoing client work involving FMI cyber resilience governance, teams should establish a simple standing check: at the start of any engagement or board cycle that touches international cyber standards, confirm the current status of the CPMI-IOSCO framework directly from the BIS. Where a consultative document is open for comment — as is the case as of May 2026 — the board should be made aware that the framework is in transition and that current obligations are under the 2016 guidance while the revision process is live. That nuance is material to how a board frames its forward-looking governance decisions.

AI tools remain useful for Company Secretaries working on this regulation in areas that are less time-sensitive: explaining the structure and principles of the 2016 guidance, summarising the governance and oversight expectations that have been stable since publication, or drafting discussion questions for a board cyber resilience session that tracks the published framework. The risk is specifically in using AI to answer questions about regulatory status or recent developments — questions where currency matters and where the AI's training horizon creates a systematic blind spot.

How RLB Can Help

RegLeg's published Hallucination Research gives Company Secretaries a practical pre-flight check before acting on AI-generated answers to regulatory questions. Each research entry documents the specific ways AI tools have misrepresented a regulation — wrong thresholds, fabricated obligations, outdated requirements presented as current — so that a Company Secretary can cross-reference those documented failure modes against any AI output before it reaches a board paper, a filing, or a governance record. The research is freely accessible and structured around the failure types most relevant to secretarial practice: misstatement of procedural deadlines, incorrect attribution of disclosure obligations, and confusion between jurisdictional variants of the same rule.

For firms where multiple Company Secretaries work across a shared regulatory portfolio, RegLeg offers bespoke regulation deep-dives tailored to the specific instruments in scope. These engagements go beyond the published research to examine the precise provisions your team relies on most heavily, map the failure modes that carry the greatest secretarial risk for your firm, and produce a reference document your team can embed in its own AI-use workflow. The output is designed to be updated as regulations are amended, giving your team a living resource rather than a one-off snapshot.

RegLeg also develops training material and CPD-aligned content that equips Company Secretaries to recognise AI failure modes independently — not just to distrust AI output, but to interrogate it intelligently. Separately, RegLeg can conduct a confidential review of a firm's existing AI-use policy against its failure-mode catalogue, identifying where current controls adequately address known hallucination patterns and where gaps exist. Both services are delivered collaboratively, working alongside your governance and legal teams rather than as an external audit imposed on them.

