<- Take me back to my Lawyers (INT) overview
Executive Summary
The CPMI-IOSCO 2016 Cyber Resilience Guidance is the international FMI cyber standard, and it sits at the centre of cyber-programme posture work for lawyers advising FMIs, supervisors, banks and payment institutions on cyber programme design, regulator alignment, and the operative status of international cyber standards. Across 9 findings in this cell, AI models on web search produced confident answers on the regulator-framework alignment, the strategic provenance of CPMI cyber language, the depth of incident response and recovery content, the definitional consistency of cyber-resilience terminology with the 2018 FSB Cyber Lexicon, and the operative status of the 2016 guidance.
Each answer recorded a position the source documents do not support, and each one converts into professional indemnity exposure on cyber programme opinion letters and advisory work when the AI output enters a Lawyers deliverable without verification.
How AI gets this regulation wrong
The 9 findings cluster across 3 failure modes on the 2016 guidance. The models inferred regulator-framework cross-references that the source does not establish, misattributed regulator strategic language to the wrong publication, overstated the operational depth of the 2016 standard against later FSB work, asserted definitional consistency with the FSB Cyber Lexicon across a two-year publication gap, and missed the active CPMI-IOSCO revision cycle opened by the May 2026 consultative document. The table below maps each finding to its failure mode.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Inference Drift | 1 | Finding#1 |
| Inference Drift | 1 | Finding#2 |
| Misattributed | 2 | Finding#3 · Finding#4 |
| Misattributed | 1 | Finding#5 |
| Inference Drift | 1 | Finding#6 |
| Inference Drift | 1 | Finding#7 |
| Outdated | 1 | Finding#8 |
| Outdated | 1 | Finding#9 |
What that means for your practice
For Lawyers working with the 2016 guidance, every failure in this cell feeds into the same risk concentration: professional indemnity exposure on cyber programme opinion letters and advisory work. The table below shows how that risk distributes across the individual findings; whether the underlying fault was an asserted regulator-framework alignment, a misattributed strategic phrase, or a missed revision cycle, the deliverable exposure for the advising Lawyers is materially the same.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Wrong deliverable on cybersecurity framework alignment | 2 | Finding#1 · Finding#2 |
| Wrong deliverable from misattributed regulator phrase | 2 | Finding#3 · Finding#4 |
| Wrong deliverable on incident response and recovery scope | 1 | Finding#5 |
| Wrong deliverable on definitional alignment with FSB Lexicon | 1 | Finding#6 |
| Wrong deliverable on definitional derivation from FSB Lexicon | 1 | Finding#7 |
| Outdated deliverable on the current operative cyber guidance | 2 | Finding#8 · Finding#9 |
When this affects Lawyers
Lawyers encounter the 2016 CPMI-IOSCO Cyber Resilience Guidance across opinion letters on programme adequacy under international cyber standards, advisory work on cyber clauses in clearing and settlement agreements, supervisory engagement on cyber programme adequacy, cyber-incident response and breach disclosure work, and cross-border programme harmonisation for FMI service providers.
AI tools enter the work at the moments where Lawyers are drafting opinion-letter passages on programme alignment with the 2016 guidance, framing memos for clients on whether CPMI-IOSCO cyber standards are in force or under revision, and characterising the relationship between the 2016 guidance and FSB cyber publications when advising on board cyber-governance arrangements.
The specific findings in this cell map onto the question types that show up most often in Lawyers work on cyber-programme posture. Two question pairs test the regulator-framework cross-reference question: whether the 2016 guidance aligns explicitly with the NIST Cybersecurity Framework, and whether definitions in the 2016 guidance match the November 2018 FSB Cyber Lexicon. Both pairs produced confident asserted alignments that the source text does not establish. Two further question pairs test the regulator strategic provenance and revision-status questions: the source of the phrase 'secure the periphery, protect the core', and whether the 2016 guidance remains the operative standard.
Both pairs missed the actual regulator record, attributing the phrase to the wrong publication and missing the May 2026 consultative document. A fifth question on the operational depth of incident response and recovery returned content from FSB 2020 'Effective Practices' as if it were content of the 2016 standard.
The findings at a glance
The table below lists each finding from the CPMI-IOSCO Cyber Resilience Guidance tested in this cell, showing the question area, the AI failure mode, and the citation identifier.
Aggregate impact
Taken together, the 9 findings describe a consistent generation pattern on the 2016 guidance: the model produces confident framework-alignment and provenance answers without grounding them in the source text, and misses regulator revision activity that breaks the assumption the 2016 guidance is the standing operative standard. For the 2016 guidance specifically, three structural drivers compound the failure modes.
First, the guidance is a principles-based document whose category structure (governance, identification, protection, detection, response and recovery, situational awareness, learning and evolving) is structurally similar to the NIST CSF five functions, which makes the wrong assertion of an explicit NIST citation look plausible. Second, the FSB and BIS publication streams around cyber resilience are dense and overlapping (the 2018 FSB Cyber Lexicon, the 2020 FSB 'Effective Practices' paper, Cœuré's 2018 speech, the 2018 wholesale-payments fraud work, the Level 3 monitoring reports), which makes provenance attribution easy to get wrong.
Third, CPMI-IOSCO's revision cycle on the 2016 guidance opened publicly on 6 May 2026 with a consultative document; models with a January 2026 cutoff will record the guidance as standing without active revision unless a retrieval step pulls the BIS press release stream for the deliverable period.
For Lawyers, the practical effect is that any deliverable referencing the 2016 guidance, any regulator-framework alignment passage, any cyber-strategy provenance line, and any horizon-scanning entry on the operative status of the standard needs to be verified against the source documents and against the BIS press release stream for the deliverable period before it leaves the team.
What your team should do
The default position for Lawyers working on the 2016 guidance should be that AI tools are useful for first-pass structuring and unsafe for any specific regulator-framework cross-reference, provenance, definitional, or revision-status claim. Every reference to the 2016 guidance in an opinion letter, memo, or board paper should be matched to the BIS publication page and read directly. Every characterisation of an alignment with NIST CSF, FSB Cyber Lexicon, or FSB 2020 'Effective Practices' should be grounded in the source document, not the AI's framing.
Every statement on whether the guidance is the operative international standard should be checked against the BIS press release stream for the year of the deliverable, with a specific check for any open CPMI-IOSCO consultation.
For practical safeguards: when an AI tool supplies a regulator-framework cross-reference for the 2016 guidance, treat it as a research prompt and verify against the BIS publication of the source document before any client work product records the alignment. When an AI tool supplies a regulator strategic-phrase provenance, verify the citation against the BIS speech archive and the publications page for the cited year. When an AI tool supplies a definitional alignment with the FSB Cyber Lexicon or FSB 'Effective Practices', verify against the FSB publications page for the cited document.
When an AI tool reports on the operative status of the 2016 guidance, verify against the BIS press release stream for the deliverable period, with a specific check for any open CPMI-IOSCO consultation.
AI tools are most safely used, in this context, for outlining the structure of a deliverable on the 2016 guidance, identifying which of the guidance categories may be relevant to a particular question, and surfacing adjacent regulator publications that the team can verify directly. The risk sits in the next step: asking the AI to supply the specific cross-reference, provenance attribution, definitional alignment, or revision-status statement that would need to appear in a final deliverable. At that point, the source document and the BIS press release stream are the only reliable inputs.
How RLB Can Help
RegLeg's published Hallucination Research is available as a free pre-flight check for international cyber-programme work on the 2016 CPMI-IOSCO guidance. Before relying on AI-assisted output for regulator-framework cross-references, programme-foundation references, definitional alignments, or operative-status statements, Lawyers can consult the research to identify where AI tools have demonstrably mis-stated the regulator record: asserted NIST CSF alignments, misattributed CPMI strategic phrases, overstated operational depth, asserted FSB Cyber Lexicon consistency, and missed revision activity. The research covers specific regulator instruments and surfaces the exact questions where AI tools have failed, making it a practical reference rather than a general caution.
For firms where multiple Lawyers teams are working the same regulatory portfolio, RegLeg offers bespoke deep-dives into individual cyber instruments. These engagements go beyond the published findings to examine the full pattern of AI failure modes relevant to the instrument: the question types, the failure mechanisms, and the risk implications for the Lawyers team's work. The output is designed to be shared across functions and used as a durable reference, reducing duplicated due-diligence effort and creating a consistent internal standard for AI-assisted regulatory work.
RegLeg also develops training and CPD-aligned content for Lawyers teams working on the international cyber framework. The material translates the failure-mode catalogue into practical guidance on the classes of error practitioners should watch for: asserted regulator citations that the source does not contain, misattributed regulator strategic phrases, definitional alignments collapsed across publication gaps, and missed regulator revision activity. Separately, RegLeg offers a confidential review of a Lawyers team's existing AI-use policy against the failure-mode catalogue, identifying gaps between the policy's assumptions and the documented evidence of how AI tools perform on the 2016 guidance in practice.