Corporate Banking × Operations — International / Multilateral · published 2026-05-28 · methodology v2.1

Operational detail in the 2016 CPMI-IOSCO Cyber Resilience Guidance

RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019
What the RLB Specialist Panel found

1. Operational detail in the 2016 CPMI-IOSCO Cyber Resilience Guidance

  • Question (paraphrased to protect IP): Does the CPMI-IOSCO 2016 Cyber Guidance specify detailed operational practices for cyber incident response and recovery, or is that level of detail addressed by a later document?
  • Source regulation: Guidance on Cyber Resilience for Financial Market Infrastructures (CPMI-IOSCO 2016) (Regulator portal: https://www.bis.org)
  • What AI assistants typically say: AI tools affirmed that the 2016 guidance dedicates specific sections to cyber incident response and recovery and described it as providing detailed operational expectations — including having a cyber incident response plan, achieving a two-hour recovery time objective, using a secondary site, and having communication protocols during incidents — without acknowledging that this level of operational detail was not consolidated until later regulatory work.
  • What the regulator actually says: The FSB published "Effective Practices for Cyber Incident Response and Recovery" in October 2020 — four years after the 2016 CPMI-IOSCO Cyber Resilience Guidance. This contains operational detail for the Response and Recovery phase that goes beyond what the 2016 guidance specifies.
  • Why the AI went wrong: The AI conflated the high-level principles set out in the 2016 document with the more granular operational practices elaborated in a subsequent FSB publication, presenting an artificially complete picture of a single source and omitting the regulatory evolution that filled the gap.
Impact for this audience

An Operations team that accepts the AI's description of the 2016 guidance as already detailed and comprehensive may not consult the FSB's 2020 Effective Practices document, and may build incident response plans, supplier assurance frameworks, and operational resilience policies that reflect the earlier document's high-level principles rather than the fuller set of expectations that supervisors now apply. When a regulatory review or examination tests the firm's cyber incident response arrangements against the current international standard — which encompasses both the 2016 and 2020 publications — the gap will appear as a substantive compliance deficiency. The firm faces the cost of remediation, potential enforcement action from relevant supervisory authorities, and the reputational exposure of having submitted documentation to regulators or counterparties that misstated the basis for its resilience framework.

Cite this finding

Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.

Plain text
RegLeg Specialist Panel (2026). "Operational detail in the 2016 CPMI-IOSCO Cyber Resilience Guidance — Corporate Banking × Operations — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019. RegLegBrief AI Hallucination Research, published 2026-05-28. https://reglegbrief.com/audiences/sectors/int/corporate_banking/operations/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/
APA 7th edition
RegLeg Specialist Panel. (2026). Operational detail in the 2016 CPMI-IOSCO Cyber Resilience Guidance [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/audiences/sectors/int/corporate_banking/operations/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/
Bluebook / OSCOLA (US + UK legal)
RegLeg Specialist Panel, Operational detail in the 2016 CPMI-IOSCO Cyber Resilience Guidance [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019], RegLegBrief AI Hallucination Research (May 28, 2026), https://reglegbrief.com/audiences/sectors/int/corporate_banking/operations/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/.
BibTeX
@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q019,
  author    = {RegLeg Specialist Panel},
  title     = {Operational detail in the 2016 CPMI-IOSCO Cyber Resilience Guidance},
  year      = {2026},
  publisher = {RegLegBrief AI Hallucination Research},
  note      = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019},
  url       = {https://reglegbrief.com/audiences/sectors/int/corporate_banking/operations/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/}
}