AI Hallucination ResearchFindings by audienceSectorsInternational / MultilateralInvestment BankingOperationsDetail › Finding
Investment Banking × Operations — International / Multilateral · Last updated 28 May 2026 · methodology v2.1 · Hallucination Register
Share / Print X LinkedIn Email

Scope of 2016 CPMI-IOSCO cyber resilience guidance

RLB Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019
AI's failure:Misattributed Risk for Investment Banking × Operations:Wrong deliverable on cybersecurity framework alignment
What the RLB Specialist Panel found

1. Scope of 2016 CPMI-IOSCO cyber resilience guidance

  • Question (paraphrased to protect IP): Does the CPMI-IOSCO 2016 Cyber Guidance specify detailed operational practices for cyber incident response and recovery, or is that level of detail addressed by a later document?
  • Source regulation: Guidance on Cyber Resilience for Financial Market Infrastructures (CPMI-IOSCO 2016) (Regulator portal: https://www.bis.org)
  • What AI assistants typically say: AI assistants typically respond that the 2016 CPMI-IOSCO guidance does contain detailed operational expectations for cyber incident response and recovery, listing specific elements — including incident response plans, recovery time objectives, secondary site requirements, and incident communication protocols — as though they are comprehensively addressed by the 2016 document alone.
  • What the regulator actually says: The FSB published "Effective Practices for Cyber Incident Response and Recovery" in October 2020 — four years after the 2016 CPMI-IOSCO Cyber Resilience Guidance — and that later document contains operational detail for the Response and Recovery phase that goes beyond what the 2016 guidance specifies.
  • Why the AI went wrong: The AI conflated the 2016 guidance with the more operationally detailed 2020 FSB publication, characterising the earlier document as self-contained and comprehensive without acknowledging that authoritative operational requirements for incident response and recovery were substantially developed in the later framework.
  • Cited source(s):
Impact for Operations Teams in Investment Banking Sector in international jurisdictions working with the Guidance on Cyber Resilience for Financial Market Infrastructures (CPMI-IOSCO 2016)

For Operations teams at Investment Banking firms, characterising the 2016 guidance as carrying forensic-analysis-database depth on incident response misreads the standard's level of operational specification and points the deliverable at the wrong source for operational depth. The granular content is in FSB 2020 'Effective Practices'. A programme design or attestation that anchors on the 2016 guidance for that level of detail understates the FSB 2020 gap supervisors will expect to see addressed.

References — raw findings (per AI model)
This finding also affects
Cite this finding

Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.

RLB Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019
Plain text Download 
RegLeg Specialist Panel (2026). "Scope of 2016 CPMI-IOSCO cyber resilience guidance — Investment Banking × Operations — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019. RegLegBrief AI Hallucination Research, published 2026-05-28. https://reglegbrief.com/regulators/j1/INT/BIS-CPMI/CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016/sectors/investment_banking/operations/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/
APA 7th edition Download 
RegLeg Specialist Panel. (2026). Scope of 2016 CPMI-IOSCO cyber resilience guidance [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/regulators/j1/INT/BIS-CPMI/CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016/sectors/investment_banking/operations/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/
Bluebook / OSCOLA (US + UK legal) Download 
RegLeg Specialist Panel, Scope of 2016 CPMI-IOSCO cyber resilience guidance [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019], RegLegBrief AI Hallucination Research (May 28, 2026), https://reglegbrief.com/regulators/j1/INT/BIS-CPMI/CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016/sectors/investment_banking/operations/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/.
BibTeX Download 
@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q019,
  author    = {RegLeg Specialist Panel},
  title     = {Scope of 2016 CPMI-IOSCO cyber resilience guidance},
  year      = {2026},
  publisher = {RegLegBrief AI Hallucination Research},
  note      = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019},
  url       = {https://reglegbrief.com/regulators/j1/INT/BIS-CPMI/CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016/sectors/investment_banking/operations/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/}
}
← Back to case study summary Case study detail →
About Citation IDs →

Every finding on this page compares an AI subject's account of the rule against the regulator's verbatim text from the regulator's own portal. Both are linked. Each delta, its root causes, and impact analysis are documented and published with immutable Citation IDs.