
100+ Free ACRM Practice Questions

Pass your ACRM Associate in Cyber Risk Management exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately

Pass rate: not published · 100+ questions · 100% free

Key Facts: ACRM Exam

  • Program structure: 2 courses + Ethics (ACRM 401, ACRM 402; source: The Institutes)
  • Launch date: October 2024 (source: The Institutes)
  • Passing score per course: 70% (source: The Institutes)
  • Total designation cost: ~$1,200 ($415 per course x 2 + Ethics)
  • Virtual exam cadence: 4 testing windows/yr (source: The Institutes Exam Information)
  • Recommended study time: 100-150 hrs across both ACRM courses

The ACRM designation requires passing ACRM 401 and ACRM 402 plus an Ethics requirement, administered by The Institutes through quarterly virtual testing windows. Each course exam is approximately 100 questions in 2 hours at $415 per course (~$1,200 total). ACRM launched in October 2024, awards two digital badges, and is designed for underwriters, agents/brokers, and risk managers aligning cyber coverage to NIST CSF 2.0 and NAIC Model #668.

Sample ACRM Practice Questions

Try these sample questions to test your ACRM exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which of the following best describes a 'double extortion' ransomware attack?
A. Encrypting victim files only and demanding payment for the decryption key
B. Encrypting victim files and also exfiltrating data, then threatening to leak it if ransom is not paid
C. Demanding two separate payments for the same encryption key
D. Attacking two organizations in the same supply chain at once
Correct answer: B. Double extortion combines encryption with data exfiltration. Even if the victim restores from clean backups, the attackers threaten to publish the stolen data on a leak site unless the ransom is paid (some operators price decryption and data deletion separately). The pattern emerged around 2019-2020 with groups such as Maze and is now standard practice for major ransomware operators.
2. Which threat-actor category is typically MOST motivated by long-term intelligence collection rather than immediate financial gain?
A. Hacktivists
B. Nation-state actors (APTs)
C. Ransomware affiliates
D. Script kiddies
Correct answer: B. Nation-state actors, often described as advanced persistent threats (APTs), are usually directed by intelligence services and prioritize long-dwell access for espionage, IP theft, or pre-positioning, not quick monetization. Ransomware affiliates and script kiddies are largely financially or notoriety-driven, while hacktivists are ideologically motivated.
3. Which incident is the canonical example of a software supply-chain compromise affecting thousands of downstream organizations?
A. The 2017 Equifax breach
B. The 2020 SolarWinds Orion compromise
C. The 2014 Target POS attack
D. The 2013 Adobe credential breach
Correct answer: B. The SolarWinds Orion compromise (disclosed December 2020) inserted malicious code into a signed, trusted software update, distributing the Sunburst backdoor to as many as 18,000 customers that installed it; a far smaller set, including U.S. federal agencies, was selected for follow-on intrusion. It is the textbook example of a software supply-chain attack used in ACRM coursework.
4. In MITRE ATT&CK terminology, 'Initial Access' refers to which stage of an intrusion?
A. The point at which an attacker first establishes a foothold inside the target environment
B. The moment the attacker exfiltrates data
C. The phase where the attacker escalates privileges to domain administrator
D. The recovery phase after defenders remediate
Correct answer: A. MITRE ATT&CK organizes adversary behavior into tactics. 'Initial Access' is the tactic covering the techniques an adversary uses to gain a foothold: phishing, exploiting a public-facing application, valid accounts, and so on. Privilege escalation, exfiltration, and remediation are separate concepts.
5. Business email compromise (BEC) attacks most commonly result in which type of loss?
A. Encryption of production servers
B. Fraudulent wire transfers initiated by a deceived employee
C. Theft of customer credit-card numbers from POS terminals
D. Distributed denial-of-service against the corporate website
Correct answer: B. BEC attackers impersonate executives, vendors, or trusted parties to trick employees into authorizing wire transfers, ACH changes, or invoice payments. The FBI's IC3 reports BEC as one of the highest-loss cybercrime categories. BEC is fundamentally a social engineering and fraud scheme, not malware-driven encryption or DDoS.
6. In a 'triple extortion' ransomware scheme, what is the third pressure tactic typically added on top of encryption and data-leak threats?
A. A fine paid to law enforcement
B. DDoS attacks against the victim or contact/extortion of the victim's customers and partners
C. Mandatory ransomware insurance subrogation
D. Public disclosure to the SEC
Correct answer: B. Triple extortion adds a third lever, usually DDoS attacks against the victim or direct outreach to the victim's customers, patients, or business partners pressuring them to lobby for payment. It increases reputational and operational pressure beyond simple encryption plus leak threats.
7. The 2023 MOVEit Transfer compromise is most accurately described as which type of attack?
A. A ransomware encryption event by a state-sponsored APT
B. Mass exploitation of a zero-day SQL-injection vulnerability in a managed file-transfer product, leading to data theft from hundreds of organizations
C. A phishing campaign delivering banking trojans
D. A physical insider theft of backup tapes
Correct answer: B. In late May 2023 the Cl0p group exploited CVE-2023-34362, a SQL-injection zero-day in Progress Software's MOVEit Transfer, to exfiltrate data from hundreds of customers without deploying encryption. It is widely cited in ACRM material as a landmark third-party/supply-chain data-theft event rather than an encryption-driven ransomware case.
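To make the "SQL-injection leading to data theft" mechanism concrete, here is an added, generic example in Python (it is not MOVEit code and does not reproduce the actual CVE-2023-34362 flaw). It assumes a hypothetical file-transfer service that looks up files by a caller-supplied download token in a `files` table. The vulnerable function splices the token into the SQL text; the hardened one binds it as a parameter. The sample rows, tenant names and tokens are constructed.

```python
"""Generic SQL-injection demonstration: vulnerable lookup beside the fix.

Added example for illustration; not MOVEit Transfer code and not the real
CVE-2023-34362 bug. Table layout, tokens and tenant names are assumptions.
"""
import sqlite3

# Constructed sample data: files belonging to two different tenants.
SAMPLE_ROWS = [
    (1, "acme", "tok-acme-1", "q2-financials.xlsx"),
    (2, "acme", "tok-acme-2", "payroll.csv"),
    (3, "globex", "tok-globex-1", "merger-draft.docx"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with the hypothetical files table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, token TEXT, name TEXT)"
    )
    conn.executemany("INSERT INTO files VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, token: str) -> list[str]:
    """Deliberately vulnerable: the untrusted token becomes part of the SQL text."""
    sql = f"SELECT name FROM files WHERE token = '{token}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, token: str) -> list[str]:
    """Fixed: the driver sends the token as a bound value, never as SQL syntax."""
    sql = "SELECT name FROM files WHERE token = ?"
    return [row[0] for row in conn.execute(sql, (token,))]


# Constructed attacker inputs. The first turns the WHERE clause into a
# tautology; the second appends a UNION that pulls every tenant's token
# (a stand-in for mass data theft) and comments out the trailing quote.
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"
PAYLOAD_UNION = "zzz' UNION SELECT owner || ':' || token FROM files --"


def demo() -> dict:
    """Run both lookups against a legitimate token and both payloads."""
    conn = make_db()
    return {
        "vuln_legit": lookup_vulnerable(conn, "tok-acme-1"),
        "vuln_tautology": lookup_vulnerable(conn, PAYLOAD_TAUTOLOGY),
        "vuln_union": lookup_vulnerable(conn, PAYLOAD_UNION),
        "hard_legit": lookup_hardened(conn, "tok-acme-1"),
        "hard_tautology": lookup_hardened(conn, PAYLOAD_TAUTOLOGY),
        "hard_union": lookup_hardened(conn, PAYLOAD_UNION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15s} -> {rows}")
```

Against the vulnerable function the tautology payload returns every file name regardless of tenant, and the UNION payload returns every tenant's download token; the parameterized version returns only the row whose token is literally equal to the input, which for both payloads is nothing. The underwriting lesson is the same one the MOVEit event taught: a single input-handling defect in an internet-facing transfer service can expose every customer's data at once, without any encryption or ransom note.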
8. An underwriter sees that a hospital chain still uses a single shared local-administrator password across hundreds of endpoints. Which MITRE ATT&CK technique does this MOST directly enable?
A. External Remote Services
B. Lateral Movement via Pass-the-Hash / valid local accounts
C. Resource Development
D. Impair Defenses via firmware tampering
Correct answer: B. Shared local-admin credentials let an attacker who captures the password or its NTLM hash on one endpoint reuse it on every other endpoint (Pass the Hash, T1550.002, and Valid Accounts: Local Accounts, T1078.003, under the Lateral Movement tactic), turning one compromised workstation into hundreds. It is one of the most exploited misconfigurations in ransomware intrusions. The mitigation is a unique, regularly rotated password per host via Windows LAPS (formerly Microsoft LAPS). Note that Windows' UAC remote restrictions already strip administrative rights from network logons by local accounts other than the built-in Administrator (RID 500), so a shared built-in Administrator password is the worst case.
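The lateral-movement pattern described above leaves a recognizable trace in Windows Security logs: one local account, from one source address, logging on over the network (event 4624, logon type 3) to many different hosts in a short window. The following is an added detection example in Python, not code from the page or from any vendor. It parses constructed 4624 records in an assumed comma-separated layout; the AD domain name CORP, the host names, the source addresses and the alert thresholds are all assumptions.

```python
"""Detect lateral movement with a shared local administrator account.

Added example, not from the page. It scans constructed Windows Security
event 4624 (successful logon) records and flags one LOCAL account (its
account-domain field is the target host's own name rather than the AD
domain, because local accounts authenticate against the host's SAM) that
logs on over the network (logon type 3) to several distinct hosts from a
single source address within a short window. Field layout, host names,
the domain CORP and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

AD_DOMAIN = "CORP"              # assumed Active Directory NetBIOS domain name
MIN_HOSTS = 3                   # distinct targets before raising an alert
WINDOW = timedelta(minutes=10)  # sliding window for the host count

# Constructed sample log, one 4624 record per line:
# time,target_host,event_id,logon_type,account,account_domain,source_ip
SAMPLE_LOG = """\
2024-05-01T02:14:07Z,WS-042,4624,3,Administrator,WS-042,10.1.5.23
2024-05-01T02:14:31Z,WS-043,4624,3,Administrator,WS-043,10.1.5.23
2024-05-01T02:15:02Z,WS-044,4624,3,Administrator,WS-044,10.1.5.23
2024-05-01T02:16:45Z,FS-01,4624,3,Administrator,FS-01,10.1.5.23
2024-05-01T02:20:00Z,WS-050,4624,3,jsmith,CORP,10.1.9.8
2024-05-01T02:21:00Z,WS-051,4624,3,jsmith,CORP,10.1.9.8
2024-05-01T02:22:00Z,WS-052,4624,3,jsmith,CORP,10.1.9.8
2024-05-01T02:30:00Z,WS-060,4624,2,Administrator,WS-060,-
2024-05-01T09:00:00Z,WS-070,4624,3,Administrator,WS-070,10.1.5.23
"""


def parse(log: str) -> list[dict]:
    """Turn the constructed CSV-style lines into event dictionaries."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, logon_type, account, domain, src = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "domain": domain,
            "src": src,
        })
    return events


def is_local_network_logon(e: dict) -> bool:
    """Successful network logon (type 3) with a LOCAL account on the target."""
    return (
        e["event_id"] == 4624
        and e["logon_type"] == 3
        and e["domain"].upper() != AD_DOMAIN
        and e["domain"].upper() == e["host"].upper()
    )


def detect_shared_local_admin(events: list[dict]) -> list[dict]:
    """One alert per (source_ip, account) whose best window reaches MIN_HOSTS."""
    by_key = defaultdict(list)
    for e in events:
        if is_local_network_logon(e):
            by_key[(e["src"], e["account"].lower())].append(e)

    alerts = []
    for (src, account), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        best = None
        for i, start in enumerate(evs):
            # Distinct target hosts reached within WINDOW of this event.
            hosts = {e["host"] for e in evs[i:] if e["time"] - start["time"] <= WINDOW}
            if len(hosts) >= MIN_HOSTS and (best is None or len(hosts) > len(best["hosts"])):
                best = {
                    "account": account,
                    "source_ip": src,
                    "hosts": sorted(hosts),
                    "window_start": start["time"].isoformat(),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_shared_local_admin(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample data the rule fires once: the local Administrator account from 10.1.5.23 reaches four hosts inside ten minutes. The domain user jsmith is ignored (domain accounts touching many hosts call for a different rule, since help-desk staff legitimately do that), the interactive console logon on WS-060 is ignored, and the lone 09:00 logon falls outside the window. With Windows LAPS in place each host has a different password, so a hash or password stolen from one machine fails everywhere else and this burst of 4624 events never happens.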
9. Which of the following is the BEST description of an 'initial access broker' (IAB) in the ransomware ecosystem?
A. A licensed cyber insurance broker who specializes in ransomware policies
B. A criminal who gains a foothold in a target network and then sells that access to ransomware affiliates
C. A negotiator who handles ransom payment on behalf of victims
D. A government agency that monitors ransomware payments
Correct answer: B. IABs specialize in obtaining and monetizing initial access (through phishing, credential stuffing, exploit kits, or exposed VPN/RDP services) and selling it on criminal forums. Ransomware affiliates then buy that access to deploy encryption. Recognizing this division of labor is central to modern ransomware threat-modeling.
10. Which threat actor category MOST often uses website defacement and DDoS to make a political or ideological statement?
A. Hacktivists
B. Nation-state intelligence services
C. Insider threats
D. Ransomware-as-a-Service operators
Correct answer: A. Hacktivists, such as the historical collective Anonymous, primarily seek visibility for a cause and favor low-sophistication, high-visibility tactics like website defacement, doxxing, and DDoS. Nation-states prefer stealth, insiders typically misuse legitimate access, and RaaS operators are financially motivated.

About the ACRM Exam

The Associate in Cyber Risk Management (ACRM) is The Institutes' designation for insurance professionals who underwrite, place, or manage cyber risk. The program is built on ACRM 401 (Effectively Managing Cyber Risk), ACRM 402 (Advanced Cyber Risk for Insurance), and the Institutes Ethics requirement, and awards two digital badges as candidates progress. Coursework maps directly to NIST CSF 2.0, the NAIC Insurance Data Security Model Law (#668), NY DFS 23 NYCRR 500, and EU GDPR — equipping underwriters, agents, brokers, and risk managers to identify cyber threats, structure first- and third-party coverage, and respond to ransomware, social engineering, and supply-chain incidents.

  • Questions: 100 scored questions
  • Time limit: 2 hours
  • Passing score: 70%
  • Exam fee: $415 per course (~$1,200 total) (The Institutes)

ACRM Exam Content Outline

  • Cyber Threat Landscape & Threat Actors (15%): Nation-state actors, ransomware gangs, hacktivists, insiders, and organized crime; double/triple extortion ransomware, supply-chain attacks (SolarWinds, MOVEit), business email compromise, and MITRE ATT&CK tactics.
  • Cyber Risk Identification & Assessment Frameworks (20%): NIST CSF 2.0 (Govern, Identify, Protect, Detect, Respond, Recover), CIS Critical Security Controls v8, ISO 27001/27002, HITRUST CSF, FAIR risk quantification, and asset/data inventory practices.
  • Risk Treatment (Avoid, Reduce, Transfer, Retain) (15%): Selecting cyber controls (MFA, EDR/XDR, SIEM, zero trust, segmentation, backups), contractual transfer, captives and self-insurance, and matching treatment to risk appetite and regulatory obligations.
  • Cyber Insurance Coverage (1st-Party / 3rd-Party) (25%): First-party (business interruption, data restoration, ransomware payments, cyber extortion) and third-party (privacy liability, network security liability, regulatory defense) coverages; sublimits, retentions, war/infrastructure exclusions, and the social engineering / computer & funds transfer fraud distinction.
  • Incident Response & Recovery (10%): Incident response lifecycle, breach coaches and forensic vendors, ransomware negotiation, OFAC sanctions screening before payment, business continuity, disaster recovery testing, and tabletop exercises.
  • Regulatory & Legal Landscape (10%): GLBA Safeguards Rule, NY DFS 23 NYCRR 500 CISO and 72-hour notice, NAIC Insurance Data Security Model #668, EU GDPR (4% global annual revenue fine cap / 72-hour notification), CCPA/CPRA, HIPAA breach notification, and SEC cyber disclosure rules.
  • Ethics & Disclosures (5%): Institutes Code of Professional Ethics, conflicts of interest, accurate exposure and control disclosures on applications, fair dealing in claims, and OFAC compliance considerations during ransomware response.

How to Pass the ACRM Exam

What You Need to Know

  • Passing score: 70%
  • Exam length: 100 questions
  • Time limit: 2 hours
  • Exam fee: $415 per course (~$1,200 total)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

ACRM Study Tips from Top Performers

1. Memorize the six NIST CSF 2.0 functions in order (Govern, Identify, Protect, Detect, Respond, Recover) and be ready to map controls (MFA, EDR, SIEM, backups, IR plan) to each function.
2. Learn the first-party vs third-party split cold: BI, data restoration, ransomware/extortion, and notification costs are first-party; privacy liability, network security liability, and regulatory defense are third-party.
3. Practice the social engineering distinction: computer fraud and funds transfer fraud respond when an outsider gains unauthorized system access or sends fraudulent instructions to the bank without the insured's knowledge, while social engineering coverage responds when an employee voluntarily authorizes a transfer because they were deceived. Many policies sublimit social engineering to $100k-$250k, so check the sublimit, not just the policy limit.
4. Drill the regulatory thresholds: GDPR's 72-hour notification and 4% global revenue fine cap, NY DFS 23 NYCRR 500's CISO and 72-hour notice, NAIC Model #668's licensee duties, and HIPAA's 60-day breach notification.
5. Build OFAC instinct: before any ransomware payment, screen the threat actor, its known aliases, and the payment wallet against the OFAC SDN list. OFAC applies strict liability, so paying a designated entity is a violation regardless of policy coverage.

Frequently Asked Questions

What courses make up the ACRM designation?

The ACRM is earned by completing ACRM 401 (Effectively Managing Cyber Risk), ACRM 402 (Advanced Cyber Risk for Insurance), and the Institutes Ethics requirement. Candidates also earn two digital badges along the way. ACRM launched in October 2024 and is delivered online with virtual proctored exams in four annual testing windows.

Who is the ACRM designed for?

ACRM is designed for property-casualty professionals who touch cyber risk: underwriters evaluating cyber submissions, risk managers building enterprise cyber resilience, and agents or brokers placing cyber coverage. Claims professionals, IT/security staff embedded with insurance teams, and consultants advising on coverage adequacy also benefit. Basic familiarity with insurance and IT is recommended but no prior credential is required.

How is the ACRM exam structured?

Each ACRM course exam is approximately 100 multiple-choice questions delivered in a 2-hour virtual testing window, with a 70% passing score. Exams run quarterly through The Institutes' online proctoring platform. Candidates receive a digital badge after passing each course, and the full ACRM designation is issued after both courses and Ethics are complete.

How much does the ACRM cost and how long does it take?

ACRM 401 and 402 are listed at roughly $415 per course (~$1,200 total including Ethics and material variations), making ACRM one of the most affordable cyber-focused insurance designations. Most candidates complete the program in 6-12 months, studying 50-75 hours per course (100-150 hours total) while working full time.

What frameworks does ACRM align with?

ACRM coursework is grounded in NIST Cybersecurity Framework 2.0 (six functions: Govern, Identify, Protect, Detect, Respond, Recover), CIS Critical Security Controls v8, ISO 27001/27002, MITRE ATT&CK, and HITRUST CSF. On the regulatory side, expect detailed coverage of the NAIC Insurance Data Security Model Law (#668), NY DFS 23 NYCRR 500, GLBA Safeguards, and EU GDPR's 72-hour breach notification and 4% global revenue penalty cap.

How does ACRM differ from CPCU 550 or other cyber credentials?

CPCU 550 covers data and technology in insurance broadly, while ACRM is purpose-built for cyber risk depth — threat actors, controls, coverage architecture, and incident response. Compared with general security certifications like CISSP or Security+, ACRM emphasizes the insurance lens: aligning underwriting, policy structure, sublimits, exclusions, and claims handling with the cyber risks the insured actually faces.