Guidance on Cyber Resilience for Financial Market Infrastructures

Bank for International Settlements — Committee on Payments and Market Infrastructures (CPMI) (BIS-CPMI)

Research Complete Hallucination findings published

AI Labs white paper available

Rich-narrative analysis of how AI models fail on this regulation, written for AI model providers. Includes per-finding context and remediation framing.

This report documents hallucinations produced by frontier AI models when asked questions about the Guidance on Cyber Resilience for Financial Market Infrastructures, published in June 2016 by CPMI and IOSCO under the auspices of the Bank for International Settlements. Two...

Read white paper →

AI Failures: Hallucination and Blind Spots Shape

(8 Response Hallucination + 18 Citation Hallucination + 0 Blind Spots = 26 Failure Mode Findings)

Response Hallucination Modes (8 failures)

Misstated Rule 0 Outdated 2 Misattributed 1 Inference Drift 5

Citation Hallucination Modes (18 failures)

Fabricated 0

Pretextual 0

Contradictory 18

AI Blind Spots (0 failures)

Hover any mode chip for definition · methodology

Hallucination findings

8 findings across 2 AI Models. Each finding pairs an AI answer against the authenticated regulator-text excerpt that contradicts it.

Model: Claude Opus 4.7 (web search on) · published 2026-05-30 · Inference Drift

RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008-Opus47

Does the CPMI-IOSCO 2016 Cyber Guidance explicitly reference or align with the NIST Cybersecurity Framework?

Claude Opus 4.7 (web search on) answered

The 2016 Guidance is principles-based and does not explicitly adopt or normatively cross-reference the NIST Cybersecurity Framework in its text, although it was developed in awareness of NIST CSF, ISO/IEC 27000 series, COBIT and similar bodies of practice.

Regulator text says

Unknown — searches did not confirm a verbatim NIST citation in the 2016 Cyber Resilience Guidance. The five guidance categories are structurally similar to the NIST CSF five functions but may be independently derived.

AI's cited sources

https://www.bis.org/cpmi/publ/d146.pdf Contradictory
https://www.iosco.org/library/pubdocs/pdf/IOSCOPD633.pdf Contradictory

Model: Claude Opus 4.7 (web search on) · published 2026-05-30 · Misattributed

RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014-Opus47

Does the CPMI-IOSCO 2016 Cyber Guidance use the phrase 'secure the periphery, protect the core', and if not, where does the phrase originate?

Claude Opus 4.7 (web search on) answered

The exact slogan 'secure the periphery, protect the core' is associated with later CPMI work on reducing the risk of wholesale payments fraud relating to endpoint security (notably the CPMI's 2018 'Reducing the risk of wholesale payments fraud related to endpoint security' strategy)

Regulator text says

The phrase 'secure the periphery and protect the core' is from Cœuré's 2018 speech (BIS review r181115a) on 'cryptos, cyber and CCPs'. It describes the CPMI's strategic approach but does not appear in the 2016 Cyber Resilience Guidance.

AI's cited sources

https://www.bis.org/cpmi/publ/d146.pdf Contradictory
https://www.bis.org/cpmi/publ/d178.htm Contradictory

Model: Claude Opus 4.7 (web search on) · published 2026-05-30 · Inference Drift

RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020-Opus47

How does the CPMI-IOSCO 2016 Cyber Guidance define 'cyber resilience', and is that definition consistent with the FSB Cyber Lexicon published in November 2018?

Claude Opus 4.7 (web search on) answered

So the two are aligned and broadly consistent, but the FSB Lexicon version is slightly broader (mission-continuity framing, organisation-agnostic) than the FMI-specific 2016 formulation.

Regulator text says

The FSB Cyber Lexicon was published November 2018 — two years after the 2016 Cyber Resilience Guidance. Its standardised definitions postdate the 2016 guidance and may not match how the 2016 guidance used those terms in 2016.

AI's cited sources

https://www.bis.org/cpmi/publ/d146.pdf Contradictory
https://www.fsb.org/uploads/P121118-1.pdf Contradictory

Model: Claude Opus 4.7 (web search on) · published 2026-05-30 · Outdated

RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Opus47

Is the CPMI-IOSCO 2016 Cyber Resilience Guidance still the operative international standard for FMI cyber resilience, or has it been revised or updated?

Claude Opus 4.7 (web search on) answered

Yes — the CPMI-IOSCO 2016 Guidance remains the operative international standard for FMI cyber resilience. It has not been formally revised or superseded.

Regulator text says

BIS press release of 6 May 2026: CPMI-IOSCO published a consultative document (the May 2026 CPMI-IOSCO consultative document) for public comment on updated guidance. The 2016 guidance is under active revision as of May 2026.

AI's cited sources

https://www.bis.org/cpmi/publ/d146.htm Contradictory
https://www.bis.org/cpmi/publ/d212.pdf Contradictory

Model: Claude Sonnet 4.6 (web search on) · published 2026-05-30 · Inference Drift

RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008-Sonnet46

Does the CPMI-IOSCO 2016 Cyber Guidance formally cite or reference the NIST Cybersecurity Framework?

Claude Sonnet 4.6 (web search on) answered

Yes. The CPMI-IOSCO 2016 Cyber Guidance explicitly references and takes into consideration the NIST Cybersecurity Framework as one of several industry best-practice frameworks informing its development. Other frameworks acknowledged include the ISF Standard of Good Practice, COBIT, and ISO/IEC 27001.

Regulator text says

Unknown — searches did not confirm a verbatim NIST citation in d146. The five guidance categories are structurally similar to the NIST CSF five functions but may be independently derived.

AI's cited sources

https://www.bis.org/cpmi/publ/d146.pdf Contradictory
https://www.bankofcanada.ca/wp-content/uploads/2021/10/expectations-cyber-resilience-financial-ma... Contradictory

Model: Claude Sonnet 4.6 (web search on) · published 2026-05-30 · Inference Drift

RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019-Sonnet46

Does the CPMI-IOSCO 2016 Cyber Guidance specify detailed operational practices for cyber incident response and recovery, or is that level of detail addressed by a later document?

Claude Sonnet 4.6 (web search on) answered

Yes. The CPMI-IOSCO 2016 Cyber Guidance dedicates specific sections to cyber incident response and recovery...It describes detailed expectations for FMIs including: having a cyber incident response plan, ability to resume critical operations within the 2hRTO, use of a secondary site, recovery and resumption planning, communication protocols during incidents.

Regulator text says

FSB published 'Effective Practices for Cyber Incident Response and Recovery' in October 2020 — four years after the 2016 CPMI-IOSCO Cyber Resilience Guidance. This contains operational detail for the Response and Recovery phase that goes beyond what the 2016 guidance specifies.

AI's cited sources

https://www.bis.org/cpmi/publ/d146.pdf Contradictory
https://www.iosco.org/library/pubdocs/pdf/IOSCOPD535.pdf Contradictory

Model: Claude Sonnet 4.6 (web search on) · published 2026-05-30 · Inference Drift

RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020-Sonnet46

How does the CPMI-IOSCO 2016 Cyber Guidance define 'cyber resilience,' and is that definition consistent with the FSB Cyber Lexicon definition published two years later?

Claude Sonnet 4.6 (web search on) answered

The two definitions are broadly consistent in their emphasis on anticipation, adaptation, and recovery...The FSB Lexicon was developed after the 2016 guidance and explicitly drew on the CPMI-IOSCO definition (among other sources including CERT and NIST), making the FSB definition a refinement and harmonisation.

Regulator text says

The FSB Cyber Lexicon was published November 2018 — two years after the 2016 CPMI-IOSCO Cyber Resilience Guidance. Its standardised definitions (e.g., of 'cyber resilience', 'cyber incident', 'critical functions') postdate the 2016 guidance and may not match how the 2016 guidance used those terms in 2016.

AI's cited sources

https://www.bis.org/cpmi/publ/d146.pdf Contradictory
https://www.fsb.org/uploads/P121118-1.pdf Contradictory
https://www.iosco.org/library/pubdocs/pdf/IOSCOPD633.pdf Contradictory

Model: Claude Sonnet 4.6 (web search on) · published 2026-05-30 · Outdated

RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Sonnet46

Is the CPMI-IOSCO 2016 Cyber Resilience Guidance still the operative international standard, or has it been updated or placed under active revision?

Claude Sonnet 4.6 (web search on) answered

As of the date of this response, the June 2016 CPMI-IOSCO Cyber Guidance remains the operative primary international standard for FMI cyber resilience — it has not been formally revised or replaced.

Regulator text says

BIS press release of 6 May 2026: CPMI-IOSCO published a consultative document for public comment on updated guidance. The 2016 guidance is under active revision as of May 2026.

AI's cited sources

https://www.bis.org/cpmi/publ/d146.htm Contradictory
https://www.iosco.org/v2/about/?subSection=cpmi_iosco&subSection1=publications Contradictory
https://www.iosco.org/library/pubdocs/pdf/IOSCOPD764.pdf Contradictory

AI Blind Spots

No AI Blind Spots documented for this regulation yet.

Related rules

Where this rule sits in the regulatory graph. Discovered during Phase A.2 research; resolves to a regulation page where one is published.

Implements / sits under

The international standards or parent rules this regulation implements or sits under.

Parallel rules

Comparable rules at the same level — peer national / international regulators on the same subject.

Implemented by / extended by

Rules below this one in the regulatory cascade — sub-national implementations or downstream guidance.

Bank of Canada Expectations for Cyber Resilience of Financial Market Infrastructures BOC · CA · implemented by · high confidence
Bank of Canada risk management standards page states the October 2021 Expectations document 'provides additional clarity on how to implement the CPMI-IOSCO Cyber Guidance within the Canadian context.'

Source: https://www.bankofcanada.ca/core-functions/financial-system/bank-canada-risk-...
ECB Cyber Resilience Oversight Expectations for Financial Market Infrastructures (CROE) ECB · EU · implemented by · high confidence
The ECB December 2018 press release states: 'The cyber resilience oversight expectations are based on the global guidance on cyber resilience for financial market infrastructures. This guidance was published by the Committee on Payments and Market Infrastructures and the Board of the International Organisation of Securities Commissions (CPMI-IOSCO) in June 2016.'

Source: https://www.ecb.europa.eu/press/pr/date/2018/html/ecb.pr181203_1.en.html
Reserve Bank of Australia FMI Cyber Resilience Assessment Framework RBA · AU · implemented by · high confidence
The RBA 2021 Payments System Board Annual Report Box B states: 'In the same year [2016], CPMI and IOSCO issued guidance to the PFMI for FMIs to increase their cyber resilience. This guidance was adopted by the Reserve Bank, and all Australian-licensed FMIs have since been assessed against it.'

Source: https://www.rba.gov.au/publications/annual-reports/psb/2021/box-b-assessing-t...
MAS Technology Risk Management Guidelines MAS · SG · implemented by · medium confidence
The MAS 'Supervision of Financial Market Infrastructures in Singapore' monograph (2020) and search-derived metadata from the MAS website describe the CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures as an applicable requirement for FMI supervision in Singapore; the January 2021 MAS Technology Risk Management Guidelines adapted the CPMI-IOSCO cyber guidance for the Singapore context. Direct MAS website fetch returned a service unavailability error.

Source: https://www.mas.gov.sg/regulation/guidelines/technology-risk-management-guidelines

Affected audiences

These findings affect the following audiences. Click through for the case studies that aggregate findings across all regulations in this jurisdiction.