Payment Institutions × Internal Audit — International / Multilateral · published 2026-05-28 · methodology v2.1

Operational detail in the 2016 CPMI-IOSCO Cyber Resilience Guidance

RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019
What the RLB Specialist Panel found

1. Operational detail in the 2016 CPMI-IOSCO Cyber Resilience Guidance

  • Question (paraphrased to protect IP): Does the CPMI-IOSCO 2016 Cyber Guidance specify detailed operational practices for cyber incident response and recovery, or is that level of detail addressed by a later document?
  • Source regulation: Guidance on Cyber Resilience for Financial Market Infrastructures (CPMI-IOSCO 2016) (Regulator portal: https://www.bis.org)
  • What AI assistants typically say: The AI affirmed that the 2016 guidance dedicates specific sections to cyber incident response and recovery and described it as providing detailed expectations for FMIs — including specific recovery time objectives, secondary site requirements, and communication protocols — without acknowledging that this level of operational detail is addressed primarily in a later document.
  • What the regulator actually says: The FSB published "Effective Practices for Cyber Incident Response and Recovery" in October 2020 — four years after the 2016 CPMI-IOSCO Cyber Resilience Guidance. This later document contains operational detail for the Response and Recovery phase that goes beyond what the 2016 guidance specifies.
  • Why the AI went wrong: The AI conflated the high-level principles in the 2016 guidance with the more granular operational content published later by a different body, presenting an inflated description of what the 2016 document actually contains. It answered a question about the 2016 guidance as though the regulatory landscape had not evolved beyond it.
  • Cited source(s):
Impact for this audience

An Internal Audit team that accepts the AI's characterisation of the 2016 guidance as providing 'detailed expectations' for incident response and recovery — including specific recovery time objectives and communication protocols — may scope audit fieldwork against criteria that the 2016 document does not actually contain, while failing to identify that the more operationally specific FSB 2020 guidance exists and applies. Audit findings and management letters produced on this basis may misstate the applicable standard, creating regulatory exposure when supervisors or external reviewers assess the quality of the firm's Internal Audit function. Remediation of a misfounded audit program — including re-scoping, re-execution, and re-reporting — carries significant cost in staff time and potential reputational harm with the board and regulators.

Cite this finding

Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.

Plain text
RegLeg Specialist Panel (2026). "Operational detail in the 2016 CPMI-IOSCO Cyber Resilience Guidance — Payment Institutions × Internal Audit — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019. RegLegBrief AI Hallucination Research, published 2026-05-28. https://reglegbrief.com/audiences/sectors/int/payment_institutions/internal_audit/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/
APA 7th edition
RegLeg Specialist Panel. (2026). Operational detail in the 2016 CPMI-IOSCO Cyber Resilience Guidance [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/audiences/sectors/int/payment_institutions/internal_audit/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/
Bluebook / OSCOLA (US + UK legal)
RegLeg Specialist Panel, Operational detail in the 2016 CPMI-IOSCO Cyber Resilience Guidance [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019], RegLegBrief AI Hallucination Research (May 28, 2026), https://reglegbrief.com/audiences/sectors/int/payment_institutions/internal_audit/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/.
BibTeX
@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q019,
  author    = {RegLeg Specialist Panel},
  title     = {Operational detail in the 2016 CPMI-IOSCO Cyber Resilience Guidance},
  year      = {2026},
  publisher = {RegLegBrief AI Hallucination Research},
  note      = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019},
  url       = {https://reglegbrief.com/audiences/sectors/int/payment_institutions/internal_audit/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/}
}