Policymakers and security professionals have long viewed the cyber insurance market as a powerful lever to improve cybersecurity hygiene across industries. Following the surge in ransomware attacks during the COVID-19 remote work shift, the sector is finally showing signs of stabilization. 

According to leading broker Aon, after years of price increases driven by high-severity ransomware claims, cyber insurance premiums are beginning to level off. At the same time, extortion demands appear to be waning. Axios reports that ransomware victims paid attackers approximately $814 million in cryptocurrency in 2024, a 35% decrease from the record-setting $1.25 billion paid in 2023, based on data from blockchain analytics firm Chainalysis.

Many in the industry credit this progress to insurers successfully enforcing the adoption of baseline security controls, such as multi-factor authentication (MFA) and endpoint detection and response (EDR). These tools have become standard prerequisites for coverage and have helped improve cyber resilience across sectors, particularly in reducing the impact of ransomware.

But while ransomware-related costs may be declining, the broader economic toll of cyberattacks continues to rise. According to IBM’s Cost of a Data Breach report, the global average cost of a breach surged by 10% in the last year to $4.88 million—the largest increase since the pandemic. This cost escalation is driven not by the initial compromise, but by the aftermath: business disruption, prolonged recovery timelines, and post-breach support costs. IBM also notes that more than half of impacted organizations are now passing those costs on to customers, turning cybersecurity failures into a liability for companies’ brand and trust.

The takeaway? While stronger defenses are helping prevent certain attacks, fast and effective incident response remains a critical and costly weakness. If the insurance industry wants to continue shaping cyber risk outcomes, it must look beyond ransomware and focus on how its clients respond to incidents in general. That starts with reevaluating the tools incident response teams rely on—and identifying faster, more scalable alternatives.

Shrinking Weeks into Hours: Rethinking Response

When we examine the standard incident response lifecycle, the playbook is familiar:

  • Identification to detect and confirm the incident (phase 1),

  • Containment to limit the spread of the threat (phase 2),

  • Eradication to remove the root cause (phase 3), and

  • Recovery to restore normal operations (phase 4).

One of the first moves incident responders make is deploying EDR in phases 1 and 2 across the environment to begin forensic investigations and containment. But EDR tools can take at least one to three weeks to fully deploy across large, distributed enterprises. That delay translates into prolonged exposure, increased downtime, and higher costs.

But it’s possible to shrink those weeks into hours. Responders can cut off attacker communication lines and immediately identify infected devices—before malware spreads or data is stolen. This means millions of dollars in savings from reduced business interruption costs and billions added across the global cyber insurance industry.

Enterprises simply need to focus on the Domain Name System (DNS) or, as it's often called, the "yellow pages of the internet." DNS translates human-readable domain names (like www.google.com) into IP addresses that computers use to locate and communicate with each other.

The Missing Piece in the Incident Response Playbook

Nearly every cyberattack, from ransomware to phishing, leverages DNS at some point in the kill chain. Attackers register domains for malware delivery or command-and-control (C2) operations, and infected devices query those domains to proceed.

That’s where Protective DNS (PDNS) comes in. PDNS intercepts malicious DNS queries in real time, blocking access to known or emerging malicious domains before harm is done. It acts as an invisible gatekeeper, offering immediate protection without endpoint installation or user disruption.

Despite its power, PDNS is rarely integrated into standard incident response efforts. Responders often arrive after compromise has occurred, spending weeks identifying infected systems, isolating them, and reconstructing the attack path. PDNS, by contrast, can sever malware communication instantly, and provide DNS logs that show exactly which systems tried to contact malicious domains—cutting response time dramatically.

Alignment with NIST and Emerging Compliance Standards

PDNS isn’t just a practical solution—it’s increasingly a compliance expectation. Recently published updates to NIST Special Publication 800-81 underscore the critical role of DNS logging in digital forensics and incident response. The guidance states:

“Government agencies and regulated enterprises should implement robust DNS traffic logging mechanisms… These DNS logs should be integrated with other system logs to facilitate correlation with cloud workloads and device or user activities and to enhance visibility and auditability.”

Even when full DNS logging is resource-intensive, the NIST draft makes clear that queries to malicious or unauthorized domains—those identified by PDNS—must be logged to meet security and compliance requirements.

When integrated with tools like SIEM, DHCP, and IP Address Management (IPAM), PDNS logs help responders quickly map malicious activity to specific devices, accelerating both containment and recovery.
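As an added illustration of the PDNS-to-device mapping described above (example code written for this edit, not from the article or any PDNS product), the following Python reads constructed PDNS block logs and resolves each client IP to a hostname using the DHCP lease that was active at query time; the log and lease formats are assumptions, as are all hostnames and domains.

```python
"""Map blocked PDNS queries to devices via DHCP leases (constructed sample data)."""
from collections import defaultdict
from datetime import datetime

# Constructed PDNS log lines; assumed format: timestamp client_ip qname action
PDNS_LOG = """\
2025-03-04T10:02:11Z 10.20.1.15 update.example-bad.test BLOCKED
2025-03-04T10:02:13Z 10.20.1.15 www.example.com ALLOWED
2025-03-04T10:05:40Z 10.20.1.22 c2.example-bad.test BLOCKED
2025-03-04T11:15:02Z 10.20.1.15 c2.example-bad.test BLOCKED
2025-03-04T11:15:09Z 10.20.2.7 mail.example.com ALLOWED
2025-03-04T11:20:33Z 10.20.3.99 dl.example-bad.test BLOCKED
"""

# Constructed DHCP lease records: (client_ip, hostname, lease_start, lease_end)
# Note the same IP held by a different device on the previous day.
DHCP_LEASES = [
    ("10.20.1.15", "LAPTOP-A17", "2025-03-04T08:00:00Z", "2025-03-04T20:00:00Z"),
    ("10.20.1.22", "PLC-LINE3", "2025-03-04T00:00:00Z", "2025-03-05T00:00:00Z"),
    ("10.20.1.15", "TABLET-Q3", "2025-03-03T08:00:00Z", "2025-03-03T20:00:00Z"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def device_for(ip, ts):
    """Return the hostname whose DHCP lease covered `ip` at time `ts`, else None."""
    for lease_ip, host, start, end in DHCP_LEASES:
        if lease_ip == ip and parse_ts(start) <= ts < parse_ts(end):
            return host
    return None  # no lease at that time: static address, consult IPAM instead


def blocked_contacts(log_text=PDNS_LOG):
    """Group blocked domains by the device that queried them.

    Devices with no matching lease are reported as unknown(<ip>) so the
    responder knows an IPAM lookup is still needed rather than silently
    dropping the hit.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        ts, ip, qname, action = line.split()
        if action != "BLOCKED":
            continue
        host = device_for(ip, parse_ts(ts)) or f"unknown({ip})"
        hits[host].add(qname)
    return {host: sorted(domains) for host, domains in hits.items()}
```

Each blocked query is attributed using the lease active at that timestamp, so an IP reassigned between days is not pinned on the wrong device.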

A Call to Action: Insurers Must Lead on PDNS

The cyber insurance industry has already proven it can shape cybersecurity practices through coverage incentives. It’s time to extend that influence to incident response. Insurers should strongly encourage—or even require—incident response firms in their vendor networks to use Protective DNS as part of their standard toolkit.

PDNS doesn’t replace EDR or other controls—it complements them by acting earlier, providing network-level visibility, and protecting environments that are hard to secure through traditional means—like IoT and OT systems. It is scalable, cloud-ready, and deployable in hours—not days. It works across on-prem, cloud, hybrid, and remote environments, and offers organizations the rare trifecta of speed, simplicity, and security.

Change the Status Quo

As the cyber insurance market evolves toward controls-based underwriting and deeper scrutiny of risk posture, PDNS stands out as a tool that can reduce both incident frequency and financial impact. It should be embraced not just as a best practice—but as an insurance industry standard.

Cyber insurers, brokers, and incident response vendors must stop treating DNS as a background utility. It’s one of the most powerful tools we have for reducing incident impact and controlling claims costs.

The tools exist. The standards are emerging. The business case is undeniable.

It's time for cyber insurance to make protective DNS a requirement—not an afterthought—in the future of cyber risk management.

Davis Hake
