According to Security best practices, there are four things you can do when Risk to an information asset is identified and business impact assessed.  You can reject/ignore the risk.  This is not a smart move in most cases.  You can mitigate the risk to an acceptable level.  You can accept the risk.  And finally, you can transfer the risk.  Transferring risk usually takes the form of purchasing insurance to soften the impact of a security incident.  It’s occasionally less expensive to purchase insurance than it is to implement controls to significantly reduce risk.

In a February 15 Dark Reading article, Tim Wilson looks at the benefits and opportunities for security breach protection through the purchase of insurance.