This is the consolidated view of findings.
A public auditor relying on this response may document in an engagement file that the 2016 guidance was developed in awareness of NIST CSF, and use that claimed relationship to justify treating NIST CSF compliance as evidence of alignment with CPMI-IOSCO expectations. That inference is unsupported: the structural similarity between the guidance categories and NIST CSF functions may be independently derived rather than the result of intentional alignment. The client FMI and its supervisors could receive an audit opinion built on an unverified cross-framework mapping, and the auditor faces professional exposure if the assumption is later challenged.
An auditor who accepts this response will assess an FMI's incident response and recovery capabilities against a standard of 'detailed expectations' that the 2016 guidance does not in fact set. The more granular operational requirements for the response and recovery phase were addressed by the FSB's 2020 publication — a gap the 2016 guidance leaves open.
An audit programme scoped on the AI's characterisation may fail to identify that an FMI's incident response practices fall below the standard set by the later FSB document, or conversely may apply the wrong benchmark entirely, producing an opinion that does not reflect the actual regulatory expectation.
Public auditors in international jurisdictions frequently need to establish whether an FMI's use of terminology is consistent with regulatory definitions. If an auditor treats the 2016 guidance and FSB Cyber Lexicon definitions as 'aligned and broadly consistent' on the basis of this AI response, they may fail to flag definitional discrepancies as an audit finding. The honest position — that the FSB Lexicon postdates the 2016 guidance and may not match how the guidance used those terms — is a material qualification that affects how audit conclusions about definitional consistency are framed for the regulator.