Practitioners — Company Secretaries · Last updated 11 Jun 2026 · methodology v2.3 · Hallucination Register

AI Hallucination on Guidance on Cyber Resilience for Financial Market Infrastructures for Company Secretaries in international jurisdictions

Company Secretaries: AI summaries of CPMI-IOSCO Cyber Resilience Guidance may understate professional obligations

Company secretaries supporting FMI boards and corporate boards exposed to CPMI-IOSCO 2016 cyber-resilience expectations increasingly use AI to draft board papers on the FMI cyber-resilience programme, populate director-induction material on the CPMI-IOSCO 2016 framework, prepare audit-committee briefings on cyber-supervisory expectations, and maintain the regulator horizon-scanning pack covering CPMI-IOSCO, FSB, and national supervisor publications.

That workflow places the regulator-issued text of the 2016 guidance, its 2018-2020 derivative standards, and its current operative status at the centre of every AI-generated deliverable for company secretaries.

Two frontier AI models tested by the RegLeg Brief Specialist Panel produced confident, citable reconstructions of the CPMI-IOSCO 2016 Cyber Guidance (June 2016) that the regulator-issued primary text directly contradicts across nine findings spanning four failure classes: Source-Credit Fabrication (an asserted NIST Cybersecurity Framework citation that the 2016 guidance does not contain), Misattribution (the slogan 'secure the periphery, protect the core' located inside CPMI-IOSCO 2016 guidance or its 2018 wholesale-payments paper rather than the actual 2018 speech source), Anachronistic Cross-Reference (the 2016 guidance asserted as definitionally aligned with the November 2018 FSB Cyber Lexicon and the October 2020 FSB Effective Practices that postdate it), and Outdated Standing Claim (the 2016 guidance presented as the unchanged operative standard when CPMI-IOSCO has issued a May 2026 consultative document under active revision).

Questions are prepared by the RLB Specialist Panel based on real practical AI usage in the workflows company secretaries use AI for. The Panel binds each AI finding to verbatim regulator-issued source text held as primary substrate.

For company secretaries supporting the board on the FMI cyber programme, the failure pattern is operationally consequential. A board paper that recites an explicit NIST CSF alignment of the 2016 guidance lands inside the paper as a regulator-grounded foundation claim. An induction pack that records the 2016 guidance and the November 2018 FSB Cyber Lexicon as definitionally aligned papers collapses a two-year vocabulary gap. A horizon-scanning pack that records the 2016 guidance as standing without active revision misses the May 2026 CPMI-IOSCO consultative document.

The audit's nine findings are documented with immutable RLB Citation IDs. Representative entries include RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008-Opus47, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008-Sonnet46, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014-Opus47, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014-Sonnet46, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019-Sonnet46, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020-Opus47, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020-Sonnet46, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Opus47, and RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Sonnet46. The full audit is documented at the CPMI-IOSCO 2016 Cyber Resilience Guidance hub on RegLegBrief.com.


Executive Summary

The CPMI-IOSCO 2016 Cyber Resilience Guidance is the international FMI cyber standard, and it sits at the centre of cyber-programme posture work for company secretaries preparing board and committee papers on cyber programme status, regulator alignment, and operative-standard tracking for FMIs and regulated financial institutions. Across the 9 findings in this cell, AI models running with web search produced confident answers on the regulator-framework alignment, the strategic provenance of CPMI cyber language, the depth of incident response and recovery content, the definitional consistency of cyber-resilience terminology with the 2018 FSB Cyber Lexicon, and the operative status of the 2016 guidance.

Each answer recorded a position the source documents do not support, and each one converts into board paper accuracy exposure on cyber programme alignment and operative-standard status when the AI output enters a Company Secretaries deliverable without verification.

How AI gets this regulation wrong

The 9 findings cluster across 3 failure modes on the 2016 guidance. The models inferred regulator-framework cross-references that the source does not establish, misattributed regulator strategic language to the wrong publication, overstated the operational depth of the 2016 standard against later FSB work, asserted definitional consistency with the FSB Cyber Lexicon across a two-year publication gap, and missed the active CPMI-IOSCO revision cycle opened by the May 2026 consultative document. The table below maps each finding to its failure mode.

| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Inference Drift | 1 | Finding#1 |
| Inference Drift | 1 | Finding#2 |
| Misattributed | 2 | Finding#3 · Finding#4 |
| Misattributed | 1 | Finding#5 |
| Inference Drift | 1 | Finding#6 |
| Inference Drift | 1 | Finding#7 |
| Outdated | 1 | Finding#8 |
| Outdated | 1 | Finding#9 |

What that means for your practice

For Company Secretaries working with the 2016 guidance, every failure in this cell feeds into the same risk concentration: board paper accuracy exposure on cyber programme alignment and operative-standard status. The table below shows how that risk distributes across the individual findings; whether the underlying fault was an asserted regulator-framework alignment, a misattributed strategic phrase, or a missed revision cycle, the deliverable exposure for the advising Company Secretaries is materially the same.

| Risk Impact | Count | Affected findings |
|---|---|---|
| Wrong deliverable on cybersecurity framework alignment | 2 | Finding#1 · Finding#2 |
| Wrong deliverable from misattributed regulator phrase | 2 | Finding#3 · Finding#4 |
| Wrong deliverable on incident response and recovery scope | 1 | Finding#5 |
| Wrong deliverable on definitional alignment with FSB Lexicon | 1 | Finding#6 |
| Wrong deliverable on definitional derivation from FSB Lexicon | 1 | Finding#7 |
| Outdated deliverable on the current operative cyber guidance | 2 | Finding#8 · Finding#9 |

When this affects Company Secretaries

Company Secretaries encounter the 2016 CPMI-IOSCO Cyber Resilience Guidance across board cyber and operational resilience updates, audit committee briefings on international standard alignment, risk committee horizon-scanning packs on regulator consultations, and director-induction material on the international cyber framework architecture. AI tools enter the work at the moments where Company Secretaries are drafting first-pass board paper passages on the regulator framework, framing horizon-scanning entries on open consultations, characterising the relationship between the 2016 guidance and adjacent FSB or NIST work in director-induction material, and supplying short briefings to non-executive directors on the operative standard.

The specific findings in this cell map onto the question types that show up most often in Company Secretaries work on cyber-programme posture. Two question pairs test the regulator-framework cross-reference question: whether the 2016 guidance aligns explicitly with the NIST Cybersecurity Framework, and whether definitions in the 2016 guidance match the November 2018 FSB Cyber Lexicon. Both pairs produced confident asserted alignments that the source text does not establish.

Two further question pairs test the regulator strategic provenance and revision-status questions: the source of the phrase 'secure the periphery, protect the core', and whether the 2016 guidance remains the operative standard. Both pairs missed the actual regulator record, attributing the phrase to the wrong publication and missing the May 2026 consultative document. A fifth question on the operational depth of incident response and recovery returned content from FSB 2020 'Effective Practices' as if it were content of the 2016 standard.

The findings at a glance

The table below lists each finding from the CPMI-IOSCO Cyber Resilience Guidance tested in this cell, showing the question area, the AI failure mode, and the citation identifier.

| # | Finding title | Type | Citation ID |
|---|---|---|---|
| 1 | NIST Cybersecurity Framework cross-reference asserted without verification | Hallucination | RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008-Opus47 |
| 2 | NIST Cybersecurity Framework citation asserted as explicit | Hallucination | RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008-Sonnet46 |
| 3 | 'Secure the periphery, protect the core' misattributed to 2018 wholesale-payments work | Hallucination | RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014-Opus47 |
| 4 | 'Secure the periphery, protect the core' misattributed to May 2019 BIS-CPMI speech | Hallucination | RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014-Sonnet46 |
| 5 | Operational depth of incident response and recovery overstated against FSB 2020 work | Hallucination | RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019-Sonnet46 |
| 6 | Cyber resilience definition asserted consistent with later FSB Cyber Lexicon | Hallucination | RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020-Opus47 |
| 7 | FSB Cyber Lexicon derivation claim added beyond the source text | Hallucination | RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020-Sonnet46 |
| 8 | 2016 guidance presented as unrevised in 2026, missing the May 2026 consultation | Hallucination | RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Opus47 |
| 9 | 2016 guidance presented as ongoing monitoring only, missing the May 2026 consultative document | Hallucination | RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Sonnet46 |

Aggregate impact

Taken together, the 9 findings describe a consistent generation pattern on the 2016 guidance: the model produces confident framework-alignment and provenance answers without grounding them in the source text, and misses regulator revision activity that breaks the assumption the 2016 guidance is the standing operative standard. For the 2016 guidance specifically, three structural drivers compound the failure modes.

First, the guidance is a principles-based document whose category structure (governance, identification, protection, detection, response and recovery, situational awareness, learning and evolving) is structurally similar to the NIST CSF five functions, which makes the wrong assertion of an explicit NIST citation look plausible. Second, the FSB and BIS publication streams around cyber resilience are dense and overlapping (the 2018 FSB Cyber Lexicon, the 2020 FSB 'Effective Practices' paper, Cœuré's 2018 speech, the 2018 wholesale-payments fraud work, the Level 3 monitoring reports), which makes provenance attribution easy to get wrong.

Third, CPMI-IOSCO's revision cycle on the 2016 guidance opened publicly on 6 May 2026 with a consultative document; models with a January 2026 cutoff will record the guidance as standing without active revision unless a retrieval step pulls the BIS press release stream for the deliverable period.

For Company Secretaries, the practical effect is that any deliverable referencing the 2016 guidance, any regulator-framework alignment passage, any cyber-strategy provenance line, and any horizon-scanning entry on the operative status of the standard needs to be verified against the source documents and against the BIS press release stream for the deliverable period before it leaves the team.

What your team should do

The default position for Company Secretaries working on the 2016 guidance should be that AI tools are useful for first-pass structuring and unsafe for any specific regulator-framework cross-reference, provenance, definitional, or revision-status claim. Every board paper reference to the 2016 guidance should be matched to the BIS publication page. Every characterisation of an alignment between the 2016 guidance and other regulator frameworks should be grounded in the source documents on both sides.

The horizon-scanning pack should track CPMI-IOSCO consultation status against the BIS press release stream for the reporting period, with a specific check that any open consultation is recorded in the pack.

For practical safeguards: when an AI tool supplies a regulator-framework cross-reference for the 2016 guidance, treat it as a research prompt and verify against the BIS publication of the source document before any client work product records the alignment. When an AI tool supplies a regulator strategic-phrase provenance, verify the citation against the BIS speech archive and the publications page for the cited year. When an AI tool supplies a definitional alignment with the FSB Cyber Lexicon or FSB 'Effective Practices', verify against the FSB publications page for the cited document.

When an AI tool reports on the operative status of the 2016 guidance, verify against the BIS press release stream for the deliverable period, with a specific check for any open CPMI-IOSCO consultation.

AI tools are most safely used, in this context, for outlining the structure of a deliverable on the 2016 guidance, identifying which of the guidance categories may be relevant to a particular question, and surfacing adjacent regulator publications that the team can verify directly. The risk sits in the next step: asking the AI to supply the specific cross-reference, provenance attribution, definitional alignment, or revision-status statement that would need to appear in a final deliverable. At that point, the source document and the BIS press release stream are the only reliable inputs.

How RLB Can Help

RegLeg's published Hallucination Research is available as a free pre-flight check for international cyber-programme work on the 2016 CPMI-IOSCO guidance. Before relying on AI-assisted output for regulator-framework cross-references, programme-foundation references, definitional alignments, or operative-status statements, Company Secretaries can consult the research to identify where AI tools have demonstrably mis-stated the regulator record: asserted NIST CSF alignments, misattributed CPMI strategic phrases, overstated operational depth, asserted FSB Cyber Lexicon consistency, and missed revision activity. The research covers specific regulator instruments and surfaces the exact questions where AI tools have failed, making it a practical reference rather than a general caution.

For firms where multiple Company Secretaries teams are working the same regulatory portfolio, RegLeg offers bespoke deep-dives into individual cyber instruments. These engagements go beyond the published findings to examine the full pattern of AI failure modes relevant to the instrument: the question types, the failure mechanisms, and the risk implications for the Company Secretaries team's work. The output is designed to be shared across functions and used as a durable reference, reducing duplicated due-diligence effort and creating a consistent internal standard for AI-assisted regulatory work.

RegLeg also develops training and CPD-aligned content for Company Secretaries teams working on the international cyber framework. The material translates the failure-mode catalogue into practical guidance on the classes of error practitioners should watch for: asserted regulator citations that the source does not contain, misattributed regulator strategic phrases, definitional alignments collapsed across publication gaps, and missed regulator revision activity. Separately, RegLeg offers a confidential review of a Company Secretaries team's existing AI-use policy against the failure-mode catalogue, identifying gaps between the policy's assumptions and the documented evidence of how AI tools perform on the 2016 guidance in practice.

Every finding on this page compares an AI subject's account of the rule against the regulator's verbatim text from the regulator's own portal. Both are linked. Each delta, its root causes, and impact analysis are documented and published with immutable Citation IDs.