Risk transfer involves shifting the impact or financial consequences of a risk to a third party. Purchasing cybersecurity insurance is the most common example: the organization pays a premium to a provider that assumes certain financial responsibilities in the event of a security incident.
The other options listed do not transfer risk:
A. Using third-party applications may introduce new risks, not transfer existing ones.
C. Moving ownership within the organization is reassignment, not transfer.
D. Off-site backups are a form of risk mitigation, not transfer.
“Risk transfer shifts the financial consequences of a risk to another entity, typically through insurance or contractual arrangements.”
— CISM Review Manual 15th Edition, Chapter 2: Risk Management, Section: Risk Treatment Options
Example: “An organization may transfer the financial impact of a potential data breach through the purchase of cyber insurance.”