Payment Institutions × Internal Audit — International / Multilateral · published 2026-05-28 · methodology v2.1

Current status of the CPMI-IOSCO 2016 Cyber Resilience Guidance

RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022

What the RLB Specialist Panel found

2. Current status of the CPMI-IOSCO 2016 Cyber Resilience Guidance

Question (paraphrased to protect IP): Is the CPMI-IOSCO 2016 Cyber Resilience Guidance still the operative international standard for FMI cyber resilience, or has it been revised or updated?
Source regulation: Guidance on Cyber Resilience for Financial Market Infrastructures (CPMI-IOSCO 2016) (Regulator portal: https://www.bis.org)
What AI assistants typically say: Multiple AI tools gave similar incorrect responses, each stating that the 2016 guidance remains the operative international standard, has not been formally revised or superseded, and is still the canonical document for FMI cyber resilience.
What the regulator actually says: A BIS press release of 6 May 2026 announced that CPMI-IOSCO published a consultative document for public comment on updated guidance. The 2016 guidance is under active revision as of May 2026.
Why the AI went wrong: The consultative revision document was published only weeks before these responses were produced, and the AI tools' training data did not include this very recent development. Both tools stated with confidence that no revision had occurred, a claim that was already factually incorrect at the time the responses were given.
Cited source(s):

Impact for this audience

An Internal Audit team that relies on AI tools to confirm the currency of the CPMI-IOSCO Cyber Resilience Guidance risks conducting and reporting an audit cycle against a standard that is under active revision, without flagging to the board or audit committee that the underlying international framework is changing. If the firm's cyber resilience framework or internal audit criteria are not updated to reflect the consultative revision process, the firm may be behind the regulatory curve when the updated guidance is finalised — a position that supervisors may treat as a control failure. The cost to the firm includes both the direct remediation expense of updating audit programs and frameworks mid-cycle, and the reputational cost of having to explain to a regulator why the Internal Audit function was not tracking a publicly announced revision to a foundational international standard.

References — raw findings (per AI model)

RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Opus47 Claude Opus 4.7 (web search on)
RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Sonnet46 Claude Sonnet 4.6 (web search on)

This finding also affects

← Previous finding Finding 1. Operational detail in the 2016 CPMI-IOSCO Cyber Resilience Guidance

Cite this finding

Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.

Plain text

RegLeg Specialist Panel (2026). "Current status of the CPMI-IOSCO 2016 Cyber Resilience Guidance — Payment Institutions × Internal Audit — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022. RegLegBrief AI Hallucination Research, published 2026-05-28. https://reglegbrief.com/audiences/sectors/int/payment_institutions/internal_audit/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/

APA 7th edition

RegLeg Specialist Panel. (2026). Current status of the CPMI-IOSCO 2016 Cyber Resilience Guidance [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/audiences/sectors/int/payment_institutions/internal_audit/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/

Bluebook / OSCOLA (US + UK legal)

RegLeg Specialist Panel, Current status of the CPMI-IOSCO 2016 Cyber Resilience Guidance [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022], RegLegBrief AI Hallucination Research (May 28, 2026), https://reglegbrief.com/audiences/sectors/int/payment_institutions/internal_audit/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/.

BibTeX

@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q022,
  author    = {RegLeg Specialist Panel},
  title     = {Current status of the CPMI-IOSCO 2016 Cyber Resilience Guidance},
  year      = {2026},
  publisher = {RegLegBrief AI Hallucination Research},
  note      = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022},
  url       = {https://reglegbrief.com/audiences/sectors/int/payment_institutions/internal_audit/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/}
}

← Back to case study summary Case study detail →

About Citation IDs →