Risk transference

Risk transference is a risk management strategy that places the burden of a cyber risk onto another entity, such as an insurance company, the government, or consumers, so your organization doesn't absorb the full loss itself.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is risk transference?

Risk transference is one of the four ways an organization can handle a risk after it's been identified and assessed. Instead of stopping the risky activity or building defenses to reduce it, you hand the financial burden to someone else. The classic example is buying cyber liability insurance: a data breach might still happen, but the insurance company pays out to cover the losses (EK 2.1.E.3).

The key word is transfer, not eliminate. The risk still exists, and a breach can still occur. You've just moved who pays when it goes wrong. That other entity can be an insurance company, a government program, or even consumers (for example, passing breach costs along through higher prices). Transference makes the most sense when avoiding the activity isn't realistic and the cost of fully mitigating the risk is too high.

Why risk transference matters in AP Cybersecurity

Risk transference lives in Unit 2: Securing Spaces, under topic 2.1 Cyber Foundations. It's one of the four risk-management options spelled out in learning objective AP Cybersecurity 2.1.E: avoid, transfer, mitigate, accept (EK 2.1.E.1). The exam expects you to match a real-world scenario to the correct strategy, so you need to tell transference apart from the other three quickly. This connects directly to the risk assessment process in AP Cybersecurity 2.1.D, since you can only pick a strategy once you've weighed likelihood and severity.

How risk transference connects across the course

Risk avoidance, mitigation, and acceptance (Unit 2)

Transference is one of four siblings. Avoidance stops the activity, mitigation builds defenses to lower likelihood or impact, and acceptance just lives with the risk. Transference is the only one that pays a third party to carry the cost.

Risk assessment process (Unit 2)

You can't choose transference until you've assessed the risk first. AP Cybersecurity 2.1.D says risk depends on likelihood and severity, and those two factors decide whether buying insurance is worth it or whether mitigation would be smarter.

Asset (Unit 2)

Every risk strategy protects an asset, which is anything valuable like data, reputation, or money. Transference specifically protects the financial value of an asset by shifting who absorbs the loss if that asset is compromised.

Defense in depth (Unit 2)

Defense in depth is a mitigation approach that layers security controls. Transference is a different lane entirely. Many organizations do both: they layer defenses to reduce a breach's likelihood, then buy insurance to cover whatever still slips through.

Is risk transference on the AP Cybersecurity exam?

Expect multiple-choice questions that hand you a scenario and ask which risk strategy it shows. The dead giveaway for transference is an organization buying something like cyber liability insurance to cover potential breach losses while keeping its operations running. Contrast that with avoidance, where a company shuts down a service entirely (like halting all cryptocurrency transactions), and mitigation, where it installs encryption, multi-factor authentication, or intrusion detection. No released FRQ has used the term verbatim, but you should be ready to name the strategy and justify why it fits the scenario in a short response.

Risk transference vs risk mitigation

Mitigation reduces the likelihood or impact of a risk by adding security controls (firewalls, encryption, MFA). Transference doesn't touch the likelihood at all. It just moves who pays when something goes wrong, usually through insurance. If the scenario adds technical defenses, it's mitigation; if it buys coverage, it's transference.

Key things to remember about risk transference

  • Risk transference shifts the financial burden of a risk to another entity, like an insurance company, a government, or consumers.

  • Transference does not eliminate the risk; a breach can still happen, you've just moved who pays for it.

  • It's one of the four risk-management strategies in AP Cybersecurity 2.1.E: avoid, transfer, mitigate, and accept.

  • Buying cyber liability insurance is the textbook example of risk transference.

  • On the exam, transference is the strategy where operations keep running but a third party covers the losses.

Frequently asked questions about risk transference

What is risk transference in AP Cybersecurity?

It's a risk-management strategy that places the burden of a risk on another entity, such as an insurance company, a government, or consumers (EK 2.1.E.3). The classic move is buying cyber liability insurance so the insurer pays out if a breach happens.

Does risk transference remove the risk?

No. The risk still exists and a breach can still occur. Transference only changes who absorbs the financial cost when something goes wrong, not whether it happens.

How is risk transference different from risk mitigation?

Mitigation adds security controls (like encryption or multi-factor authentication) to lower a risk's likelihood or impact. Transference doesn't reduce likelihood at all; it pays a third party, usually an insurer, to cover the loss.

Is buying cyber insurance risk transference or risk avoidance?

It's transference. Avoidance means stopping the risky activity entirely, like shutting down a service. Buying insurance keeps operations running and just shifts who pays for a breach.

What are the four risk-management strategies on the AP exam?

Avoid, transfer, mitigate, and accept (EK 2.1.E.1). You choose one after assessing a risk's likelihood and severity, and the exam often asks you to match a scenario to the right strategy.
