In the insurtech era, “Secure by Design” isn’t just a slogan. It’s the roadmap for transforming an industry effectively.
In today’s insurance world, the pace of technology is relentless. Artificial intelligence, advanced analytics, and cloud platforms promise unprecedented speed and innovation — but they also introduce new risks that can’t be ignored.
For CIOs (Chief Information Officers) like Stew Gibson of USI Insurance Services and Anil Jampana of Conner Strong & Buckelew, the challenge is clear: How do you move fast without leaving your organization exposed?
Here, both leaders offer candid insights into how they’re navigating this tension between innovation and security — and how they are evolving to keep pace.
Security is essential from day one
“There’s no one-size-fits-all answer,” says Stew Gibson. “It’s always a balance, and it comes down to understanding the intended use of whatever we’re creating or adopting.”
When evaluating new technology, Gibson emphasizes assessing the risk context:
- Is the tool strictly for internal use, or customer-facing?
- Will employees lead its use, or is it self-service?
- Is it developed in-house, or sourced from a third party?
“Early on, risk might be low,” he explains, “but as adoption grows or the complexity of data increases, the risk can go up. We build in milestones to assess risk along the way.”
Anil Jampana echoes the need for caution from the very beginning. “Even from inception, we’re evaluating the total product strategy, maturity, and what kind of data it will handle. Is it personally identifiable information or lower-sensitivity data? The level of security we demand depends on that.”
He adds a warning for fast-moving startups: “Sometimes developers want to shortcut security to get a product out quickly. But later, this means we can’t adopt it. Security has to be in the product or service DNA from the start — otherwise, we simply can’t work with them.”
AI and new risk frameworks
Artificial intelligence and automation tools have exploded into nearly every conversation about insurance technology. But Gibson cautions that many are dazzled by AI’s strengths while overlooking its weaknesses.
“AI is like any other software: it has strengths and vulnerabilities,” he says. “People often plow ahead without asking, ‘What new security threats could this introduce?’”
At USI, they ask pointed questions when evaluating AI vendors:
- What model are you using?
- Have you assessed vulnerabilities in that model?
- How are you mitigating those risks?
“We do initial and annual third-party risk assessments,” Gibson notes. “Internally, we scan our own code. And if it’s an open-source model, we expect the vendor to have done their homework.”
At Conner Strong, Jampana applies similar diligence and also confronts the challenge of hype. “Right now, everyone is caught up in the possibilities of AI,” he says. “But we have to dig deeper. Who built the model? Do they understand bias? Where is the data hosted?”
His team brings multiple disciplines into monthly discussions: innovation leads, security, legal, and business stakeholders. “We ask: is there budget, is there a real need, are there alternatives? And we have tough conversations — sometimes painful — to ensure we’re not cutting corners. We educate our teams constantly to question everything, no matter how easy or comfortable a solution might look.”
Bringing security and innovation teams together
One of the biggest hurdles for any tech-forward insurance company is getting security and innovation teams on the same page.
“Security used to be seen as the department of ‘No,’” Jampana says. “Legal and security can get a bad rap. But we’ve learned to take an educational tone with startups — explaining why we’re asking for certain security standards and how it impacts their roadmap.”
He credits BTV’s collaborative culture for making this easier. “BTV is great at bringing people together. We have labs, discussions, and share notes on products we’re all evaluating. Even though we’re competitors in some ways, we’re open about sharing lessons learned.”
At USI, Gibson went a step further: rewriting job descriptions across the IT organization to embed security as part of everyone’s role.
“About eight or nine years ago, we decided that security isn’t just the security team’s job,” he explains. “We made it part of every IT job description. No one can move code anywhere without security scans, data flow diagrams, and architectural reviews.”
Even for third-party vendors, Gibson insists on transparency: “We want a window into their architecture. We won’t release anything without being sure it’s secure.”
Vetting and onboarding insurtech partners
Insurance carriers and brokers are eager to partner with innovative insurtechs — but not at the expense of security.
“The good news,” says Gibson, “is that many of the BTV-affiliated insurtechs know these questions are coming. They’re prepared with SOC 2 certifications and can handle security questionnaires quickly.”
However, he tempers expectations. “Every insurtech wants to hit a home run. But we’re usually looking to start with a small, ring-fenced proof of concept. They’ll get a window into the enterprise, but not much more until they prove themselves. Rather than a home run, expect a bunt. Success is hitting a single.”
Jampana agrees and emphasizes thorough vetting. His must-have checks include:
- Independent penetration testing
- Secure coding practices (like OWASP Top 10 adherence)
- Dynamic application scanning
- Bug tracking and patch management
- Staff and data residency (preferably U.S.-based)
“We’ve even had cases where vendors needed to move their entire operations into the U.S. before we could proceed,” he says. “And while some startups may lack the necessary product maturity that we need, if they’re willing to learn and improve quickly, we’ll work with them.”
He highlights BTV’s role in creating trust and collaboration. “If one partner is unsure, others might share their experiences. Sometimes the collective wisdom saves us from a risky engagement — or helps validate a new vendor.”
The evolving role of the CIO
Both CIOs agree their roles have dramatically transformed over the last several years.
“It used to be about keeping the lights on,” says Jampana. “Managing infrastructure, making sure email worked. Now, the CIO is a business partner, involved in strategy and growth.”
At Conner Strong, Jampana has expanded his team by 150% over five years. “We’re no longer just infrastructure. Now it’s cybersecurity, application development, AI, advanced analytics — all deeply tied to business outcomes.”
For Gibson, the biggest change has been moving from managing vendors to building custom software in-house. “We’ve essentially created a software company inside an insurance brokerage,” he says. “Agile development means we’re iterating constantly with business stakeholders instead of working in isolation.”
Cloud computing has also redefined financial management. “In the old days, tech costs were mostly capital expenditures — big servers you depreciated over years,” Gibson explains. “Now, everything is operating expenditures. Subscriptions, cloud services, AI usage fees. It hits your P&L (profit and loss statement) right away.”
Both agree: the CIO of today is far more than a technologist. “I’m a business leader who knows technology,” Gibson says. “Not the other way around.”
Yet even with all this evolution, the pressure remains. “My biggest challenge?” Gibson admits. “Meeting business expectations in a world where I can never go fast enough. We’re building the airplane while flying it. The risks are big, but so are the rewards.”
Despite the constant flux, both leaders remain optimistic.
“Security and innovation don’t have to be in conflict,” Jampana says. “They can — and must — work hand in hand.”
Wednesday, August 20, 2025