Payment Institutions × Technology Data — International / Multilateral · published 2026-05-28 · methodology v2.1

NIST Cybersecurity Framework citation in the 2016 CPMI-IOSCO guidance

RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008
What the RLB Specialist Panel found

1. NIST Cybersecurity Framework citation in the 2016 CPMI-IOSCO guidance

  • Question (paraphrased to protect IP): Does the CPMI-IOSCO 2016 Cyber Guidance formally cite or reference the NIST Cybersecurity Framework?
  • Source regulation: Guidance on Cyber Resilience for Financial Market Infrastructures (CPMI-IOSCO 2016) (Regulator portal: https://www.bis.org)
  • What AI assistants typically say: AI assistants confidently state that the 2016 Cyber Guidance explicitly references the NIST Cybersecurity Framework as one of several industry best-practice frameworks informing its development, often adding that the document also acknowledges COBIT and ISO/IEC 27001 alongside the NIST CSF.
  • What the regulator actually says: Whether the 2016 guidance contains a verbatim NIST citation has not been confirmed from the source text. The guidance's five categories are structurally similar to the NIST CSF's five functions but may be independently derived rather than explicitly attributed.
  • Why the AI went wrong: AI tools translated an observable structural resemblance between the two frameworks into a claimed explicit citation. The similarity in organisation is real; the assertion of a formal reference is not supported by the document text.
Impact for this audience

A Technology & Data team that relies on an AI assertion of an explicit NIST CSF citation in the 2016 guidance may build that claim into regulatory mapping documents, framework alignment attestations, or supplier assurance materials — all of which could be tested by an auditor or regulator against the actual document. For a Payment Institution operating in jurisdictions where supervisors cross-reference CPMI-IOSCO and NIST expectations, an unfounded alignment claim creates exposure to supervisory challenge and potential remediation costs if the firm's assurance position is found to rest on an inaccurate premise. The BIS and IOSCO do not impose direct fines on payment institutions, but national supervisors implementing the CPMI-IOSCO framework may treat materially incorrect framework mapping as evidence of inadequate governance — with associated enforcement risk at the domestic level.

Cite this finding

Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.

Plain text
RegLeg Specialist Panel (2026). "NIST Cybersecurity Framework citation in the 2016 CPMI-IOSCO guidance — Payment Institutions × Technology Data — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008. RegLegBrief AI Hallucination Research, published 2026-05-28. https://reglegbrief.com/audiences/sectors/int/payment_institutions/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/
APA 7th edition
RegLeg Specialist Panel. (2026). NIST Cybersecurity Framework citation in the 2016 CPMI-IOSCO guidance [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/audiences/sectors/int/payment_institutions/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/
Bluebook / OSCOLA (US + UK legal)
RegLeg Specialist Panel, NIST Cybersecurity Framework citation in the 2016 CPMI-IOSCO guidance [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008], RegLegBrief AI Hallucination Research (May 28, 2026), https://reglegbrief.com/audiences/sectors/int/payment_institutions/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/.
BibTeX
@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q008,
  author    = {RegLeg Specialist Panel},
  title     = {NIST Cybersecurity Framework citation in the 2016 CPMI-IOSCO guidance},
  year      = {2026},
  publisher = {RegLegBrief AI Hallucination Research},
  note      = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008},
  url       = {https://reglegbrief.com/audiences/sectors/int/payment_institutions/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/}
}