Practitioners — Public Auditors · published 2026-05-26 · methodology v2.1

Currency of the 2016 Cyber Resilience Guidance as the operative international standard

RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022

What the RLB Specialist Panel found

4. Currency of the 2016 Cyber Resilience Guidance as the operative international standard

Question (paraphrased to protect IP): Is the CPMI-IOSCO 2016 Cyber Resilience Guidance still the operative international standard, or has it been updated or put out for revision?
Source regulation: Guidance on Cyber Resilience for Financial Market Infrastructures (CPMI-IOSCO 2016)
What AI assistants typically say: Multiple AI tools gave similar incorrect responses, each stating that the 2016 guidance remains the operative international standard for FMI cyber resilience and has not been formally revised or superseded.
What the regulator actually says: In May 2026, CPMI-IOSCO published a consultative document for public comment on updated guidance, placing the 2016 guidance under active formal revision.
Why the AI went wrong: The 2026 CPMI-IOSCO consultation was published after the training data cutoff for the AI tools tested. Both AI tools stated with confidence that no revision had occurred, when the absence of that information from their training data simply reflects a knowledge boundary — not the current regulatory reality. Practitioners have no way to detect this failure mode from the AI's response alone, as the AI presents its outdated information as a current fact.
Cited source(s): Regulator portal: https://www.bis.org

Impact for this audience

An auditor advising a client in May 2026 that the 2016 CPMI-IOSCO guidance remains the unchanged operative standard is giving materially incorrect advice. Clients with FMI oversight responsibilities — central counterparties, securities settlement systems, payment system operators — need to know that a formal revision process is underway so they can monitor the consultation, prepare for potential changes to their compliance obligations, and ensure their boards are informed. A practitioner who fails to flag this could be seen as having provided inadequate regulatory horizon-scanning advice, with consequences for both the client relationship and the auditor's professional standing.

References — raw findings (per AI model)

RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Opus47 Claude Opus 4.7 (web search on)
RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Sonnet46 Claude Sonnet 4.6 (web search on)

This finding also affects

← Previous finding Finding 3. Definition of 'cyber resilience' and alignment with the 2018 FSB Cyber Lexicon

Cite this finding

Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.

Plain text

RegLeg Specialist Panel (2026). "Currency of the 2016 Cyber Resilience Guidance as the operative international standard — Practitioners — Public Auditors." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022. RegLegBrief AI Hallucination Research, published 2026-05-26. https://reglegbrief.com/audiences/practitioners/int/public-auditors/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/

APA 7th edition

RegLeg Specialist Panel. (2026). Currency of the 2016 Cyber Resilience Guidance as the operative international standard [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/audiences/practitioners/int/public-auditors/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/

Bluebook / OSCOLA (US + UK legal)

RegLeg Specialist Panel, Currency of the 2016 Cyber Resilience Guidance as the operative international standard [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022], RegLegBrief AI Hallucination Research (May 26, 2026), https://reglegbrief.com/audiences/practitioners/int/public-auditors/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/.

BibTeX

@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q022,
  author    = {RegLeg Specialist Panel},
  title     = {Currency of the 2016 Cyber Resilience Guidance as the operative international standard},
  year      = {2026},
  publisher = {RegLegBrief AI Hallucination Research},
  note      = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022},
  url       = {https://reglegbrief.com/audiences/practitioners/int/public-auditors/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/}
}

← Back to case study summary Case study detail →

About Citation IDs →