Certified in Risk and Information Systems Control (CRISC) — Question 668

An organization has allowed its cyber risk insurance to lapse while seeking a new insurance provider. The risk practitioner should report to management that the risk has been:

Answer options

• A. accepted
• B. mitigated
• C. transferred
• D. avoided

Correct answer: A

Explanation

The correct answer is A, accepted, because without active insurance coverage, the organization is acknowledging the risk without any transfer of liability. The other options are incorrect as they imply actions that have not taken place: mitigated suggests a reduction in risk, transferred implies outsourcing the risk to another party, and avoided indicates that the risk has been eliminated entirely.