Practitioners — Company Secretaries · Last updated 11 Jun 2026 · methodology v2.3 · Hallucination Register

AI Hallucination on Guidance on Cyber Resilience for Financial Market Infrastructures for Company Secretaries in international jurisdictions

Company secretaries supporting FMI boards and corporate boards exposed to CPMI-IOSCO 2016 cyber-resilience expectations are increasingly using AI in their work on the cyber-resilience framework. In practice, AI is used to draft board papers on the FMI cyber-resilience programme, populate director-induction material on the CPMI-IOSCO 2016 framework, prepare audit-committee briefings on cyber-supervisory expectations, and maintain the regulator horizon-scanning pack covering CPMI-IOSCO, FSB, and national supervisor publications.

That workflow places the regulator-issued text of the 2016 guidance, its 2018-2020 derivative standards, and its current operative status at the centre of every AI-generated deliverable for company secretaries.

Two frontier AI models tested by the RegLeg Brief Specialist Panel produced confident, citable reconstructions of the CPMI-IOSCO 2016 Cyber Guidance (June 2016) that the regulator-issued primary text directly contradicts. The nine findings span four failure classes: Source-Credit Fabrication (an asserted NIST Cybersecurity Framework citation that the 2016 guidance does not contain); Misattribution (the slogan 'secure the periphery, protect the core' located inside CPMI-IOSCO 2016 guidance or its 2018 wholesale-payments paper rather than the actual 2018 speech source); Anachronistic Cross-Reference (the 2016 guidance asserted as definitionally aligned with the November 2018 FSB Cyber Lexicon and the October 2020 FSB Effective Practices that postdate it); and Outdated Standing Claim (the 2016 guidance presented as the unchanged operative standard when CPMI-IOSCO has issued a May 2026 consultative document under active revision).

Questions are prepared by the RLB Specialist Panel based on how company secretaries actually use AI in their workflows. The Panel binds each AI finding to verbatim regulator-issued source text held as primary substrate.

For company secretaries supporting the board on the FMI cyber programme, the failure pattern is operationally consequential. A board paper that recites an explicit NIST CSF alignment of the 2016 guidance lands inside the paper as a regulator-grounded foundation claim. An induction pack that records the 2016 guidance and the November 2018 FSB Cyber Lexicon as definitionally aligned papers over a two-year vocabulary gap. A horizon-scanning pack that records the 2016 guidance as standing without active revision misses the May 2026 CPMI-IOSCO consultative document.

The audit's nine findings are documented with immutable RLB Citation IDs. Representative entries include RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008-Opus47, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008-Sonnet46, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014-Opus47, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014-Sonnet46, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019-Sonnet46, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020-Opus47, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020-Sonnet46, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Opus47, and RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Sonnet46. The full audit is documented at the CPMI-IOSCO 2016 Cyber Resilience Guidance hub on RegLegBrief.com.

This is the consolidated view of findings. Click the Citation ID or 'see details →' on any item for the full details of that finding.

  1. NIST Cybersecurity Framework cross-reference asserted without verification
    RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008-Opus47

    For company secretaries drafting board papers and director-induction material on the cyber programme, an asserted NIST CSF alignment of the 2016 guidance lands inside the paper as a regulator-grounded foundation claim. The 2016 guidance does not contain the citation. A board paper that recites the asserted alignment leaves directors approving programme investment on a wrong reading of the regulatory foundation, and creates an audit-committee accuracy gap if the alignment is later challenged.

    see details →
  2. NIST Cybersecurity Framework citation asserted as explicit
    RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008-Sonnet46

    For company secretaries drafting board papers and director-induction material on the cyber programme, an asserted NIST CSF alignment of the 2016 guidance lands inside the paper as a regulator-grounded foundation claim. The 2016 guidance does not contain the citation. A board paper that recites the asserted alignment leaves directors approving programme investment on a wrong reading of the regulatory foundation, and creates an audit-committee accuracy gap if the alignment is later challenged.

    see details →
  3. 'Secure the periphery, protect the core' misattributed to 2018 wholesale-payments work
    RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014-Opus47

    For company secretaries preparing board cyber-strategy briefings, attributing 'secure the periphery, protect the core' to the 2016 guidance or the 2018 fraud paper introduces a source attribution that does not match the regulator record. The phrase is from a 2018 speech, not a guidance or standards document. The paper reads as well-cited until a director or audit-committee member tests the attribution.

    see details →
  4. 'Secure the periphery, protect the core' misattributed to May 2019 BIS-CPMI speech
    RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014-Sonnet46

    For company secretaries preparing board cyber-strategy briefings, attributing 'secure the periphery, protect the core' to the 2016 guidance or the 2018 fraud paper introduces a source attribution that does not match the regulator record. The phrase is from a 2018 speech, not a guidance or standards document. The paper reads as well-cited until a director or audit-committee member tests the attribution.

    see details →
  5. Operational depth of incident response and recovery overstated against FSB 2020 work
    RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019-Sonnet46

    For company secretaries summarising programme depth to the board, characterising the 2016 guidance as containing forensic-analysis-database depth misstates the standard's specification level and points directors at the wrong source for operational-depth expectations. The granular practice is in FSB 2020. A board paper that misreads the 2016 standard understates the gap-to-FSB-2020 work that supervisors will expect.

    see details →
  6. Cyber resilience definition asserted consistent with later FSB Cyber Lexicon
    RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020-Opus47

    For company secretaries drafting director-induction material on the cyber framework, an asserted consistency between the 2016 guidance and the November 2018 FSB Cyber Lexicon collapses a two-year vocabulary gap into a single asserted alignment. Induction material that records the two as definitionally aligned papers over the gap, and leaves new directors operating from terminology the 2016 source does not actually use.

    see details →
  7. FSB Cyber Lexicon derivation claim added beyond the source text
    RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020-Sonnet46

    For company secretaries drafting director-induction material on the cyber framework, an asserted consistency between the 2016 guidance and the November 2018 FSB Cyber Lexicon collapses a two-year vocabulary gap into a single asserted alignment. Induction material that records the two as definitionally aligned papers over the gap, and leaves new directors operating from terminology the 2016 source does not actually use.

    see details →
  8. 2016 guidance presented as unrevised in 2026, missing the May 2026 consultation
    RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Opus47

    For company secretaries running the regulator horizon-scanning pack, missing the May 2026 CPMI-IOSCO consultative document removes an open consultation from the horizon scan. A pack that records the 2016 guidance as standing without active revision misleads the board on the live regulatory state and removes the consultation-response obligation from the audit-committee work plan for the period.

    see details →
  9. 2016 guidance presented as ongoing monitoring only, missing the May 2026 consultative document
    RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Sonnet46

    For company secretaries running the regulator horizon-scanning pack, missing the May 2026 CPMI-IOSCO consultative document removes an open consultation from the horizon scan. A pack that records the 2016 guidance as standing without active revision misleads the board on the live regulatory state and removes the consultation-response obligation from the audit-committee work plan for the period.

    see details →

Every finding on this page compares an AI subject's account of the rule against the regulator's verbatim text from the regulator's own portal. Both are linked. Each delta, its root causes, and impact analysis are documented and published with immutable Citation IDs.