Corporate Banking × Technology Data — International / Multilateral · published 2026-05-28 · methodology v2.1

NIST Cybersecurity Framework citation in the CPMI-IOSCO 2016 Guidance

Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008

What the RLB Specialist Panel found

1. NIST Cybersecurity Framework citation in the CPMI-IOSCO 2016 Guidance

  • Question (paraphrased to protect IP): Does the CPMI-IOSCO 2016 Cyber Guidance formally cite or reference the NIST Cybersecurity Framework?
  • Source regulation: Guidance on Cyber Resilience for Financial Market Infrastructures (CPMI-IOSCO 2016) (Regulator portal: https://www.bis.org)
  • What AI assistants typically say: AI tools confidently assert that the 2016 guidance explicitly references and takes into consideration the NIST Cybersecurity Framework as an industry best-practice framework informing its development, and further state that other frameworks including COBIT and ISO/IEC 27001 are also acknowledged in the document.
  • What the regulator actually says: Whether the CPMI-IOSCO 2016 guidance contains a verbatim citation of the NIST Cybersecurity Framework is unconfirmed. The five guidance categories are structurally similar to the NIST CSF five functions but may be independently derived rather than explicitly drawn from that source.
  • Why the AI went wrong: The AI appears to have treated an observable structural resemblance between the guidance categories and a well-known external framework as evidence of a formal citation — then compounded the error by naming additional frameworks as also acknowledged, none of which can be verified from the source text. Similarity was converted into a stated explicit reference.
  • Cited source(s):

Impact for this audience

A Technology & Data team relying on this AI response might build a cyber resilience framework that lists NIST CSF, COBIT, and ISO/IEC 27001 alignment as CPMI-IOSCO requirements, include those frameworks in supplier due-diligence questionnaires, or represent to the business that the guidance mandates alignment with named external standards. If regulators or auditors review the firm's programme against the actual CPMI-IOSCO text, the firm faces the cost of unwinding incorrectly stated obligations, rewriting affected policies, and potentially explaining to its board or a regulator why its regulatory mapping was based on unverifiable claims. The BIS and national supervisors overseeing firms with FMI-adjacent activity have authority to require remediation of inadequate cyber resilience frameworks.

Cite this finding

Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.

Plain text
RegLeg Specialist Panel (2026). "NIST Cybersecurity Framework citation in the CPMI-IOSCO 2016 Guidance — Corporate Banking × Technology Data — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008. RegLegBrief AI Hallucination Research, published 2026-05-28. https://reglegbrief.com/audiences/sectors/int/corporate_banking/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/
APA 7th edition
RegLeg Specialist Panel. (2026). NIST Cybersecurity Framework citation in the CPMI-IOSCO 2016 Guidance [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/audiences/sectors/int/corporate_banking/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/
Bluebook / OSCOLA (US + UK legal)
RegLeg Specialist Panel, NIST Cybersecurity Framework citation in the CPMI-IOSCO 2016 Guidance [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008], RegLegBrief AI Hallucination Research (May 28, 2026), https://reglegbrief.com/audiences/sectors/int/corporate_banking/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/.
BibTeX
@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q008,
  author    = {RegLeg Specialist Panel},
  title     = {NIST Cybersecurity Framework citation in the CPMI-IOSCO 2016 Guidance},
  year      = {2026},
  publisher = {RegLegBrief AI Hallucination Research},
  note      = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008},
  url       = {https://reglegbrief.com/audiences/sectors/int/corporate_banking/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/}
}