Let’s delve deeper in this Q&A with Gareth Sweeney, Director of Information Security – Technology Services, McLarens
Why have expectations around data compliance and information security changed so markedly in claims services?
Loss adjusting is not a directly regulated profession, but insurers’ conduct-risk obligations mean their partners are expected to operate to high compliance and security standards. Over time, this has moved beyond governance frameworks into formal accreditation and audit readiness.
At the same time, the claims environment has become increasingly digital. Larger volumes of sensitive data are now managed across more systems, while cyber threats have grown more frequent and sophisticated. This has heightened client focus on how their partners protect data, manage risks, and respond to incidents while maintaining service level agreements.
Procurement functions now play a larger role in vendor selection, applying more structured and objective criteria when assessing suppliers. In a market consolidating towards fewer, vetted partners, strong security and compliance frameworks often carry more weight than long-standing personal relationships. As a result, reassurance alone is no longer enough; clients expect demonstrable, independently verifiable evidence of security maturity.
How has this shift affected the claims services market more broadly?
The impact has been considerable. The expenses related to governance, accreditation, and audit readiness have become a significant consideration. Requirements surrounding cybersecurity, formal controls, and ongoing compliance are now standard prerequisites for doing business.
There has also been a noticeable shift towards working with fewer, vetted providers, both domestically and internationally. Clients seek assurance that their partners can operate reliably across regions and endure increasing levels of audit and oversight. In this environment, information security maturity has evolved into a competitive advantage.
What are clients now actively demanding from claims services providers?
Clients seek clear, independently verifiable proof that their data is protected. This usually includes recognised accreditations such as ISO 27001 or SOC 2, along with documented policies, controls, and processes that show how data is handled in practice.
However, accreditation alone is not sufficient. Clients still conduct their own vendor audits, often in great detail. Providers are expected to respond to detailed questionnaires, onsite reviews, and ongoing surveillance audits. The number of these assessments has grown significantly over time, reflecting the increasing importance of data security in business relationships.
How has McLarens responded to those expectations?
McLarens has adopted a structured approach to information security over many years. This has involved securing and expanding formal accreditations across multiple regions, as well as establishing a dedicated information-security team to meet the increasing demand from clients.
The aim has been twofold: to give clients confidence that their data is managed securely, and to ensure that security controls are consistently implemented throughout the organisation. Supporting hundreds of client audits each year has now become a core part of this effort, demonstrating how deeply embedded information security has become in everyday operations.
When clients ask what “good” looks like in practice, how do you typically define it?
A mature information-security environment relies on multiple layers of defence, not just technology. At a fundamental level, it includes effective vulnerability management, robust access controls and encryption, and a clear understanding of where data sits and how it moves.
Beyond systems, it also encompasses people and processes. That means HR security, physical security of offices, supply-chain assurance to ensure third-party vendors meet required standards, maintain operational resilience and business continuity and specific controls around high-risk areas such as payment processing. Regular incident-readiness exercises are also essential, so teams are prepared to respond effectively if an event occurs. All of this must be underpinned by consistent governance at a global level.
What does this mean for the future of claims services?
Information security and data compliance are no longer secondary concerns, especially with the rapid adoption of artificial intelligence. They sit alongside technical expertise as essential for credibility. As client expectations continue to grow, firms that invest in strong governance, scalable controls, and transparent assurance will be better placed to compete.
For claims services providers, the challenge is to view information security not as a limitation, but as part of the value they offer – fostering trust, resilience, and long-term relationships in an increasingly complex risk environment.
How can we improve the process?
McLarens is committed to maintaining robust global Information Security standards through ISO27001:2022 and SOC2 Type II certifications. As loss adjusters, our services differ significantly from IT or platform providers, yet current third-party risk management audit (TPRM) approaches often apply the same broad-spectrum audit frameworks. With over 400 audits annually, we believe the insurance industry would benefit from a standardised, sector-specific Information Security assessment. This would enable suppliers to focus resources on strengthening security, rather than reformatting identical responses, and would provide clients with consistent, high-quality assurance.
Be the first to comment