A manufacturer identifies a rare but very costly ransomware risk. Executives decide not to eliminate the activity, but to purchase cyber insurance and formally acknowledge the remaining exposure. Which risk treatment is being used?
Transfer shifts some financial impact to another party, such as an insurer, while the organization keeps operating.
Why this answer
The correct answer is B (Transfer) because purchasing cyber insurance shifts the financial impact of a ransomware incident to the insurer under a contract, while the activity that creates the risk continues. Formally acknowledging the remaining exposure is simply the sign-off on residual risk that accompanies every treatment option; it does not change the treatment itself. Note that insurance transfers only the monetary loss: the organization still owns the operational disruption, legal obligations, and reputational harm, and a policy may exclude or cap payouts, so residual risk is never zero.
Exam trap
The trap here is that candidates confuse 'acceptance' with 'acknowledgment'. The phrase 'formally acknowledge the remaining exposure' is a red herring: it describes signing off on the residual risk that is left after the chosen treatment, which happens with every option. Acceptance as a treatment means the organization retains the risk as-is and takes no action to reduce or shift it beyond documenting and monitoring the decision; purchasing insurance is an action that shifts the financial impact, so the treatment is transfer, not acceptance.
How to eliminate wrong answers
Option A (Avoidance) is wrong because avoidance would require discontinuing the activity that introduces the ransomware risk, such as shutting down the affected systems or processes, and the executives explicitly chose not to eliminate the activity. Option C (Mitigation) is wrong because mitigation involves implementing controls (e.g., endpoint detection, offline backups, patching) that reduce the likelihood or impact of ransomware; an insurance policy changes neither the probability of infection nor the damage it causes, it only changes who pays. Option D (Acceptance) is wrong because acceptance means the organization consciously retains the risk without transferring or mitigating it; buying insurance is a deliberate transfer action, and the acknowledgment of remaining exposure refers to the residual risk left over after that transfer, not to accepting the original risk.