The virtual reality of the metaverse is the next frontier in cyber risk management, writes John Farley, Managing Director — Cyber Liability Practice, in this article first published on the Gallagher global website.

Those tasked with managing cyber risk juggle a variety of dynamic challenges. Understanding emerging threat vectors, maintaining a working knowledge of the latest cyber defence technology, complying with federal and international privacy laws — while navigating a complex cyber insurance marketplace — are on the long list.

While risk managers grapple with these challenges, a new cyber risk landscape is emerging with its own challenges and opportunities. We are on the precipice of what's known as the metaverse. Its foundation is being built as you read this, and it may well impact every element of cyber risk management.

The metaverse defined

Simply put, the metaverse is a place that will allow our physical and digital lives to converge. It will create a virtual reality where we can work and play in simulated environments that reflect our real worlds with astonishing accuracy.

In the early stages of its development, the metaverse will require physical tools such as headsets, glasses, gloves and wristbands while leveraging massive computing power. Users will create their digital likeness in the form of an avatar. They will maintain ownership of their virtual identities and digital assets via blockchain technologies and smart contracts.

Individuals across demographics may use it, as well as businesses that cut across almost all industry sectors. Real estate professionals, fitness instructors, educators, religious institutions, healthcare workers, entertainers and just about every professional service provider may leverage the immersive metaverse experience to provide their goods and services.

Risks associated with metaverse technology

As a society we tend to embrace new technologies as soon as they become available. However, we don't always fully appreciate the risks of doing so, and we tend to pay the price later on.

Mobile devices decentralised computing and stored our most sensitive data. When we lost them, we realised they weren't always password protected or encrypted. Industrial controls, some housed within our critical infrastructure, quickly became automated, but not necessarily secured from cyber threat actors, including unfriendly and powerful nation states. Vehicles are becoming autonomous, but it remains uncertain where our driving data is stored, who has access to it and whether these cars can be hacked as we drive.

It's incumbent on cyber risk professionals to take advantage of the small window of opportunity we have in the early building stages of the metaverse, with an eye toward managing what will likely be the key risk management pain points: privacy and compliance, financial fraud, misrepresentation and copyright infringement, and physical threats.

We identified the metaverse as a key future risk in our Top Cyber Risk Predictions for 2023 webinar, available on demand here.

Privacy and compliance in the metaverse

When creating avatars, many areas need to be clarified, such as:

  • what personal information will be required when creating an avatar
  • who can create one
  • who's responsible for validating, storing and securing these data elements.

We're currently sorting through geographic-specific privacy laws that mandate complex data security and collection compliance requirements. These laws include but aren't limited to data access on blockchains, data transfer, data sharing, rights to data erasure and even the use of our biometric data.

Regulations for compliance, with severe penalties for non-compliance, exist across the globe, with multiple privacy regimes playing a role in enforcing them. In Australia, this applies under the 13 Australian Privacy Principles enshrined in the Privacy Act. There's reason to believe they will extend in some way from today's businesses and their data subjects to their avatars in the metaverse.

Financial fraud in the metaverse

We'll likely be subject to social engineering attacks but need to prepare for more sophisticated attacks involving new technology and platforms associated with the metaverse. Threat actors may have greater access to do reconnaissance as they interact with avatars in a more extensive and personal way than ever before.

Further, users will have a greater reliance on cryptocurrency and its platforms as they transact business in the metaverse. Recent history has proved that cryptocurrency is fertile ground for hackers, with reports of massive cryptocurrency theft occurring regularly. The cryptocurrency ecosystem attack surface will expand significantly in the metaverse, requiring greater security for those operating in it.

Misrepresentation and copyright infringement in the metaverse

An accurate depiction of real-world products via three-dimensional representation will be a requirement in the metaverse. Many businesses will contract with external parties to execute accurate depictions. What's considered an accurate depiction may be subjective, and opinions may differ among businesses selling a product or service, the vendors that create and market its digital twin, and the consumer who buys it.

Copyright issues may also arise, as claims to ownership of real-world assets may be extended to their digital likeness that another party might have created.

All of these issues could open an array of legal liability theories that have yet to be tested in the metaverse.

Physical threats in the metaverse

Online threats are nothing new, but metaverse technology may heighten the dangers to the real world in significant ways. Child predators may have greater access to potential victims and be even further enticed into criminal behaviour as digital likenesses become more realistic and interactive.

Terrorists may be able to train in virtual landmark buildings with access to detailed layouts of properties. The same can be said for criminals looking to rob commercial businesses and homes.

Cyber insurance implications

In its relatively short life we have seen the cyber insurance market evolve in significant ways, almost in lockstep with the evolving cyber threat landscape.

In today's difficult cyber threat environment, the market seems to be pulling back in both the scope of coverage and the capacity to provide sufficient limits to meet demand. As the metaverse gains traction and greater adoption, buyers need to be aware of some key coverage nuances that may impact cyber risk transfer.

  • Regulatory risk: The metaverse will likely increase regulatory risk for businesses. Some cyber policies are quite broad, others aren't. Coverage for costs related to regulatory investigations, lawsuits, settlements and fines may vary. Policy wording can restrict coverage to specific privacy laws, require a data breach to trigger coverage, or exclude it altogether.
  • Crisis management experts: Most cyber policies provide experts to help mitigate the financial and reputational harm associated with cyber incidents, and those experts will be as important in the metaverse. Legal experts will need to have a greater understanding of how to navigate the metaverse-specific privacy and compliance issues. IT forensic investigators will need deep knowledge of the various metaverse technology tools and platforms to help businesses recover from incidents quickly and efficiently.
  • Digital asset restoration: Some cyber policies provide coverage for costs associated with hiring experts to restore or replace data affected by cyber incidents. In the metaverse, we'll see new types of data, such as non-fungible tokens (NFTs), which are often defined as records associated with specific digital or physical assets. Policy language should be clear as to which digital assets are covered in metaverse-based losses, and to what extent.
  • Media liability: Some cyber policies provide coverage for copyright and trademark infringement in cases that involve websites and social media platforms. It remains unclear if this will extend to the metaverse, so careful consideration should be given to the policy wording that expands or constricts coverage for metaverse-based copyright and trademark infringement claims.

How Gallagher can help

In addition to cyber insurance protection, through our cyber/technology specialism Gallagher offers expertise, advice and resources for building business resilience, anticipating emerging risk exposures and offering high-level strategy and practical solutions.


Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general information purposes only and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient's industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes that only insurance carriers control.

Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organisations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by Gallagher, as we have no responsibility for information referenced in material owned and controlled by other parties. Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third party websites and resources.

Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312