Does the CPMI-IOSCO 2016 Cyber Guidance itself specify detailed operational practices for cyber incident response and recovery, or is that level of detail addressed in later publications?
The model affirmed that the 2016 guidance contains detailed operational response-and-recovery practices, collapsing a four-year gap in the regulatory timeline. The operational specificity the model described is more characteristic of the 2020 FSB publication than of the 2016 text, which addresses the same themes at a higher level of abstraction. The model appears to have drawn on its knowledge of the post-2016 ecosystem to populate what it believed the original document contained. - Regulator portal (if any cited link is dud): https://www.bis.org
This finding points to a gap in the model's ability to distinguish the level of operational detail characteristic of a 2016 principles-based guidance document versus a 2020 operational-practices publication. The model populated the 2016 document's supposed content with material more consistent with the later FSB guidance, suggesting that its internal representation of the 2016 document is contaminated by subsequent regulatory outputs on the same topic. Synthetic training pairs that contrast high-level principles text with operational-detail text from a later document — with correct attribution — could help calibrate this boundary.
When an Operations team asks AI tools whether the CPMI-IOSCO 2016 guidance provides detailed operational expectations for cyber incident response and recovery, AI assistants we tested answered 'Yes' and listed specific requirements — recovery time objectives, secondary-site requirements, communication protocols — characterising the 2016 document as prescriptive on this topic. The regulatory record indicates the FSB published 'Effective Practices for Cyber Incident Response and Recovery' in October 2020 specifically to provide the operational detail that goes beyond what the 2016 guidance specifies, implying the 2016 text is comparatively high-level in this area.
An Operations team that stops its research at the 2016 guidance, believing it to be sufficient, will miss a materially relevant document — and an incident response plan or client deliverable produced without reference to the FSB 2020 guidance may be inadequate by current regulatory standards.
Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.
RegLeg Specialist Panel (2026). "Finding#3 — Incident response detail — 2016 document scope overstated — Cybersecurity × Operations — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019. RegLegBrief AI Hallucination Research, published 2026-05-31. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/cybersecurity/operations/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/
RegLeg Specialist Panel. (2026). Finding#3 — Incident response detail — 2016 document scope overstated [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/cybersecurity/operations/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/
RegLeg Specialist Panel, Finding#3 — Incident response detail — 2016 document scope overstated [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019], RegLegBrief AI Hallucination Research (May 31, 2026), https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/cybersecurity/operations/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/.
@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q019,
author = {RegLeg Specialist Panel},
title = {Finding#3 — Incident response detail — 2016 document scope overstated},
year = {2026},
publisher = {RegLegBrief AI Hallucination Research},
note = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019},
url = {https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/cybersecurity/operations/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/}
}