AI Hallucination ResearchAudiencesSectorsInternational / MultilateralInvestment BankingOperationsDetail › Finding
Investment Banking × Operations — International / Multilateral · published 2026-05-28 · methodology v2.1

Scope of 2016 CPMI-IOSCO cyber resilience guidance

RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019
What the RLB Specialist Panel found

1. Scope of 2016 CPMI-IOSCO cyber resilience guidance

  • Question (paraphrased to protect IP): Does the CPMI-IOSCO 2016 Cyber Guidance specify detailed operational practices for cyber incident response and recovery, or is that level of detail addressed by a later document?
  • Source regulation: Guidance on Cyber Resilience for Financial Market Infrastructures (CPMI-IOSCO 2016) (Regulator portal: https://www.bis.org)
  • What AI assistants typically say: AI assistants typically respond that the 2016 CPMI-IOSCO guidance does contain detailed operational expectations for cyber incident response and recovery, listing specific elements — including incident response plans, recovery time objectives, secondary site requirements, and incident communication protocols — as though they are comprehensively addressed by the 2016 document alone.
  • What the regulator actually says: The FSB published "Effective Practices for Cyber Incident Response and Recovery" in October 2020 — four years after the 2016 CPMI-IOSCO Cyber Resilience Guidance — and that later document contains operational detail for the Response and Recovery phase that goes beyond what the 2016 guidance specifies.
  • Why the AI went wrong: The AI conflated the 2016 guidance with the more operationally detailed 2020 FSB publication, characterising the earlier document as self-contained and comprehensive without acknowledging that authoritative operational requirements for incident response and recovery were substantially developed in the later framework.
  • Cited source(s):
Impact for this audience

An operations team at an investment banking firm that asks AI tools about the scope of the 2016 CPMI-IOSCO Cyber Resilience Guidance is likely to receive a response presenting the document as comprehensively addressing operational incident response and recovery requirements, with no indication that a substantially more detailed FSB framework was published in 2020. If that AI answer feeds into the firm's cyber incident response plan, BCP documentation, or vendor due-diligence questionnaire, the firm may construct its resilience governance around an incomplete picture of international expectations — leaving it exposed during supervisory review by regulators with oversight of FMI-connected activity. The cost to the firm could include required remediation of incident response frameworks at significant internal and external expense, adverse supervisory findings, and reputational damage if the gap surfaces during an actual cyber incident or regulatory examination.

References — raw findings (per AI model)
This finding also affects
Cite this finding

Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.

Plain text 
RegLeg Specialist Panel (2026). "Scope of 2016 CPMI-IOSCO cyber resilience guidance — Investment Banking × Operations — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019. RegLegBrief AI Hallucination Research, published 2026-05-28. https://reglegbrief.com/audiences/sectors/int/investment_banking/operations/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/
APA 7th edition 
RegLeg Specialist Panel. (2026). Scope of 2016 CPMI-IOSCO cyber resilience guidance [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/audiences/sectors/int/investment_banking/operations/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/
Bluebook / OSCOLA (US + UK legal) 
RegLeg Specialist Panel, Scope of 2016 CPMI-IOSCO cyber resilience guidance [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019], RegLegBrief AI Hallucination Research (May 28, 2026), https://reglegbrief.com/audiences/sectors/int/investment_banking/operations/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/.
BibTeX 
@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q019,
  author    = {RegLeg Specialist Panel},
  title     = {Scope of 2016 CPMI-IOSCO cyber resilience guidance},
  year      = {2026},
  publisher = {RegLegBrief AI Hallucination Research},
  note      = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019},
  url       = {https://reglegbrief.com/audiences/sectors/int/investment_banking/operations/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/}
}
← Back to case study summary Case study detail →
About Citation IDs →