Risk Transfer

Risk transfer is a risk response strategy in which an organization shifts the financial consequences of a risk to another party. Cyber liability insurance is the most common form: the organization pays premiums to an insurer that agrees to cover losses from qualifying security incidents up to the policy limits.

Risk transfer does not eliminate the risk or the incident. If a breach occurs, the organization still deals with operational disruption, regulatory investigation, and reputational damage. What transfers is a portion of the financial exposure.

CISSP Relevance

Risk transfer is one of the four core risk response strategies in Domain 1 (Security and Risk Management), alongside risk avoidance, risk mitigation, and risk acceptance. CISSP candidates must understand when each strategy is appropriate and how insurance and contractual mechanisms work in practice.

External reference: NIST Glossary Risk Transfer

Related terms: Risk Management, Residual Risk