A financial services company uses a legacy mainframe system for core banking transactions. The risk assessment identifies that the system does not support modern encryption standards, and data is transmitted in clear text over internal networks. The IT department has proposed implementing network segmentation and encryption at the application layer using a middleware solution. However, the cost is high and the project would take 18 months. Meanwhile, the company is planning to migrate to a new core system in two years. The risk appetite for data confidentiality is low. As the risk practitioner, what is the MOST appropriate risk response?
Compensating controls reduce risk immediately.
Why this answer
The correct response is to implement compensating controls such as strict network access controls and monitoring. Given the low risk appetite for data confidentiality, the 18-month delay for the middleware solution is unacceptable, and the two-year migration timeline leaves a significant exposure window. Compensating controls like VLAN segmentation, ACLs, and continuous traffic monitoring can reduce the likelihood of exploitation of the clear-text transmission without requiring changes to the legacy mainframe itself.
Exam trap
The trap here is that candidates may treat 'accepting the risk' as a valid response because a migration is already planned; however, the low risk appetite for data confidentiality makes acceptance inappropriate. Candidates may also overlook that compensating controls can be implemented quickly and cost-effectively to reduce exposure.
How to eliminate wrong answers
Option B is wrong because cyber insurance transfers financial risk but does not reduce the likelihood or impact of a data breach; the low risk appetite for confidentiality requires a control that protects the data, not just compensates for losses. Option C is wrong because accepting the risk for two years violates the stated low risk appetite for data confidentiality, as clear-text transmission over internal networks is a direct exposure that could lead to a breach. Option D is wrong because accelerating the migration to 18 months is not feasible without a detailed project plan and budget, and it still leaves a gap; moreover, 'avoiding' risk by accelerating does not address the immediate exposure during the migration period.